Using model checking to identify errors in intrusion detection signatures

  • SPIN 2009
International Journal on Software Tools for Technology Transfer

Abstract

Most intrusion detection systems deployed today use misuse detection as their analysis method. Misuse detection searches the recorded audit data for attack traces using predefined patterns; the matching rules are called signatures. Defining signatures is still an empirical process based on expert knowledge and experience. The success of the analysis, and with it the acceptance of intrusion detection systems in general, depends essentially on how up to date the deployed signatures are. Methods for the systematic development of signatures have scarcely been reported so far, so modeling a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. Up to now only signature testing has been applied for this, and signature testing remains a rather empirical and time-consuming way of detecting modeling errors. In this paper, we present the first approach for verifying signature specifications using the Spin model checker. The signatures are modeled in the specification language EDL, which is based on colored Petri nets. We show how a signature specification is transformed into a Promela model and how characteristic specification errors can be found by Spin.
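The abstract describes transforming a signature into a Promela model and letting Spin find specification errors. The following is an added illustration and is not the paper's EDL-to-Promela translation nor any code from the authors: a three-step signature (a login, followed by creation of a setuid file, followed by its execution) is modelled as a Promela process whose "place" counter stands in for the places of an uncoloured net, driven by a constructed audit source that emits records non-deterministically. The event names, process names and the LTL claim are my own assumptions chosen for the example; the check shown is a reachability check, one of the characteristic modeling errors a signature can have is a final place that can never be reached.

```promela
/* Added illustration (not from the paper): a multi-step signature as a
   Promela process, with Spin used to decide whether its final place is
   reachable at all. Event names and the three-step pattern are constructed. */

mtype = { LOGIN, SUID_CREATE, EXEC };

chan audit = [0] of { mtype };   /* rendezvous channel carrying audit records */
bool attack_detected = false;    /* set when the signature's final place is marked */

/* Constructed audit source: any sequence of the three record types, then stop. */
active proctype AuditSource() {
  do
  :: audit ! LOGIN
  :: audit ! SUID_CREATE
  :: audit ! EXEC
  :: break
  od
}

/* Signature: LOGIN, then SUID_CREATE, then EXEC, in that order.
   A record that does not match the current place is discarded. */
active proctype Signature() {
  mtype ev;
  byte place = 0;          /* 0 = initial place, 3 = final place */
end:                       /* blocking here when the source has stopped is a valid end state */
  do
  :: audit ? ev ->
     if
     :: place == 0 && ev == LOGIN       -> place = 1
     :: place == 1 && ev == SUID_CREATE -> place = 2
     :: place == 2 && ev == EXEC        -> place = 3; attack_detected = true; break
     :: else -> skip
     fi
  od
}

/* Reachability via a deliberately "wrong" claim: Spin searches for a run that
   violates it. A counterexample trail is a concrete audit sequence that fires
   the signature. If Spin reports no error, the final place is unreachable,
   i.e. the signature is dead and can never match anything. */
ltl never_fires { [] !attack_detected }
```

Assuming Spin 6 or later (inline `ltl` claims), the model is checked with `spin -a model.pml`, `gcc -o pan pan.c` and `./pan -a -N never_fires`; the trail Spin produces for the violated claim can be replayed with `spin -t -p model.pml` to read off the audit sequence. Swapping the third transition's guard to an event the source never emits turns the claim into one that holds, which is exactly the dead-signature error the check is meant to surface.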




Correspondence to Sebastian Schmerl.


Cite this article

Schmerl, S., Vogel, M. & König, H. Using model checking to identify errors in intrusion detection signatures. Int J Softw Tools Technol Transfer 13, 89–106 (2011). https://doi.org/10.1007/s10009-010-0166-6
