Intrusion Detection Using AspectJ

1
Intrusion Detection Using AspectJ

• Ivan Vargas
• David Flores

2
Outline

• Proposal Overview
• Goals
• Intrusion Detection Models
• Implementation and Program Demo
• Issues
• Future Work
• Conclusions

3
Proposal Overview

• Confidentiality consists in ensuring that
  information is accessible only to those
  authorized to have access.
• Authentication and authorization are not enough
  to guarantee confidentiality.
• Intrusion detection can deem an action as
  suspicious even if the user is authenticated and
  authorized.
• Intrusion detection systems might be built using
  aspect-oriented programming.

4
Goals

• Build a system that can detect when an
  unauthorized user is in a system.
• Apply Intrusion Detection techniques within a
  Java system using AspectJ.
• Take advantage of aspects to detect when an
  unusual event occurred.
• Show that Intrusion Detection techniques can be
  done in a well-modularized and maintainable way
  using aspects.

5
Intrusion Detection Models

• Anomaly Modeling
• Analyzes a set of characteristics of the system
  and compares their behavior with a set of
  expected values.
• Threshold Model
• Markov Model
• Misuse Modeling
• Specification Modeling

6
Threshold Model

• A minimum of m and a maximum of n events are
  expected to occur.
• If, over a specific period of time, fewer than m
  or more than n events occur, the behavior is
  deemed anomalous.
• Most system logins use this model

7
BankJ
8
Markov Model

• System is always in a particular state based on
  previous user actions (events).
• When the next event occurs, the system
  transitions into a new state.
• A set of probabilities of transition can be
  developed over time.
• When an event occurs that causes a transition
  with low probability, the event is deemed
  anomalous.

9
Example

• Previous actions
• open read write open mmap write
  fchmod close
• Database (trace length 4)
• open read write open
• open mmap write fchmod
• read write open mmap
• write open mmap write
• write fchmod close
• mmap write fchmod close
• fchmod close
• close

10
Example (Continued)

• What happens with the following sequence?
• open read read open mmap write
  fchmod close
• of mismatches 5
• Maximum of pairwise mismatches 18
• Mismatch rate 28

11
AgendaJ
12
Issues

• If attempted sequence is x y z and the database
  is w y z, should mismatches be 1 or 2?
• If attempted sequence is x y and the database
  is x z, should mismatch rate be 100?

13
Future Work

• Use other Intrusion Detection models (such as
  statistical moments) to determine which method is
  more accurate and efficient.
• Investigate the found issues in order to
  determine which approach yields more accurate
  results.

14
Conclusions

• AspectJ is a powerful tool to implement Intrusion
  Detection Models
• Aspects implementing these models are
  understandable, well-modularized, and
  maintainable.

15
References

• 1 Wikipedia
• http//en.wikipedia.org/wiki/Confidentiality
• 2 Matt Bishop. Computer Security Art and
• Sciences, Addison-Wesley Professional
• 1st edition (December 2, 2002)