A Temporal Logic Based Framework for Intrusion Detection - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
A Temporal Logic Based Framework for Intrusion Detection
  • Prasad Naldurg, Koushik Sen, Prasanna Thati
  • {naldurg,ksen,thati}@cs.uiuc.edu
  • Department of Computer Science
  • University of Illinois at Urbana-Champaign, USA

2
Intrusion Detection
  • Security flaws in complex computer systems and
    networks seem to be inevitable
  • Intrusion detection: monitor the system execution
    for security violations and take corrective
    measures when a violation is detected
  • Two approaches
    • Signature based: look for known attack patterns
      • Can't detect previously unknown attacks
    • Anomaly based: look for anomalous behaviors
      • High false alarm rates

3
A Temporal Logic Based Approach
  • Attack patterns are typically temporal relations
    between different system events
  • Specify attack-safe executions as a formula F
    in a variant of Linear Temporal Logic (LTL)
  • The system execution provides a trace on which the
    formula F is interpreted
  • Enrich LTL to express real-time constraints and
    statistical properties of the expected system
    behavior
  • Use an online monitoring algorithm that checks
    each system event as it occurs, and raises an
    alarm as soon as a formula is violated

4
Related Work: Signature Based Intrusion Detection
  • Transition systems and grammars
    • Colored Petri Nets by Kumar et al.
    • Parallel Grammars by Ko et al.
    • Finite Transition Diagrams by Ilgun et al.
    • Such descriptions are often cumbersome
  • Temporal Logic approach by Roger et al.
    • A propositional logic in which one cannot express
      real-time constraints and statistical properties
  • We use a richer logic equipped with data and
    relations on them, which is useful for specifying
    statistical properties.

5
Monid: A framework for intrusion detection
6
Eagle By Example
  • Monitoring formulas are evaluated over a given
    input trace, state by state, checking facts about
    the past and generating obligations about the
    future.
  • max Always(Formula F) = F AND Next Always(F)
  • min Eventually(Formula F) = F OR Next Eventually(F)
  • min Previously(Formula F) = F OR Prev Previously(F)
  • Monitor: if there is a login then eventually
    there is a logout
  • mon M1 = Always((action = login) then
    Eventually(action = logout))

7
Data Binding
  • Monitor: whenever there is a login by any user x
    then eventually x logs out.
  • In LTL with data bindings
    • □((action = login) then let k = uid in
      ◊(action = logout AND uid = k))
  • In Eagle
    • min Bind(string k) = Eventually(action = logout AND
      uid = k)
    • mon M2 = Always((action = login) then Bind(uid))

Each state contains: int action, string uid
8
Real Time
  • Monitor: whenever there is a login by any user x
    then eventually x logs out within 100 units of
    time.
  • min TimedLogout(string k, double t, double δ) =
    (time - t ≤ δ) AND ((action = logout AND uid = k)
    OR Next TimedLogout(k, t, δ))
  • mon M3 = Always((action = login) then
    TimedLogout(uid, time, 100))

Each state contains: int action, string uid,
double time
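The monitors M2 and M3 above can be run directly as a stateful online checker: every login opens one obligation (the data binding of uid and time), each later state either discharges it, carries it forward, or finds its deadline exceeded. The following is an added example, not the Eagle/Monid tool's own code; the trace is constructed, the action field is a string rather than the slide's int, and the deadline defaults to the slide's 100 time units. The untimed M2 is the same monitor with an infinite deadline.

```python
# Added example (not the Eagle/Monid tool's own code): an online monitor for
#   mon M3 = Always((action = login) then TimedLogout(uid, time, 100))
# Each trace state carries the slide's fields action, uid and time; here the
# action is a string ("login"/"logout"/...) rather than an int, for readability.
from dataclasses import dataclass


@dataclass
class Obligation:
    """A pending TimedLogout(k, t, delta): user k must log out by time t + delta."""
    uid: str
    issued_at: float  # the t bound at the login state
    delta: float


class TimedLogoutMonitor:
    """Keeps one obligation per unmatched login, as the rewriting of M3 would."""

    def __init__(self, delta=100.0):
        self.delta = delta
        self.pending = []

    def step(self, state):
        """Consume one state; return the obligations violated at this state as
        (uid, issued_at, time) tuples."""
        now = state["time"]
        violated, still_open = [], []
        for ob in self.pending:
            if now - ob.issued_at > ob.delta:
                # (time - t <= delta) is false: the conjunction fails here
                violated.append((ob.uid, ob.issued_at, now))
            elif state["action"] == "logout" and state["uid"] == ob.uid:
                pass  # (action = logout AND uid = k) holds: obligation discharged
            else:
                still_open.append(ob)  # carry "Next TimedLogout(k, t, delta)" forward
        self.pending = still_open
        if state["action"] == "login":
            # Always(...) applies the rule at every login; the state's time is bound as t
            self.pending.append(Obligation(state["uid"], now, self.delta))
        return violated

    def finish(self):
        """End of trace: TimedLogout is a min rule, so an obligation that is still
        open evaluates to false (reported with time None)."""
        return [(ob.uid, ob.issued_at, None) for ob in self.pending]


def run_monitor(trace, delta=100.0):
    """Run the monitor over a whole trace; delta=float('inf') gives the untimed M2."""
    mon = TimedLogoutMonitor(delta)
    violations = []
    for state in trace:
        violations.extend(mon.step(state))
    violations.extend(mon.finish())
    return violations


# Constructed trace: alice logs out in time, bob never does, carol is still
# logged in when the trace ends.
SAMPLE_TRACE = [
    {"action": "login",  "uid": "alice", "time": 0.0},
    {"action": "login",  "uid": "bob",   "time": 10.0},
    {"action": "logout", "uid": "alice", "time": 50.0},
    {"action": "read",   "uid": "bob",   "time": 120.0},
    {"action": "login",  "uid": "carol", "time": 130.0},
]

if __name__ == "__main__":
    for v in run_monitor(SAMPLE_TRACE):
        print("violation:", v)
```

The end-of-trace case matters in practice: a monitor that only reports deadline overruns would stay silent about carol, whose login is never matched before the log ends; treating open min-rule obligations as false at the end is what makes that visible.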
9
Syntax
10
Semantics
11
Monitoring Algorithm: Example Execution
mon M = Always(x > 0 → Next Next(x = 0)).
Trace: x=1 x=2 x=0 x=3
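The execution of M over that trace can be reproduced with a small rewriting monitor: each state is fed to the current formula, which either settles to a verdict or leaves a residual obligation for the next state, and whatever residual remains at the end is resolved by rule polarity (max rules true, min rules false). This is an added example written for this page, not the Eagle tool's implementation; it covers the operators used on the slides (Always, Eventually, Next, AND, OR, NOT, implication) over atomic predicates on the state.

```python
# Added example (not the Eagle tool's implementation): a small Eagle-style
# rewriting monitor. Evaluating a formula against one state yields either a
# final verdict (True/False) or a residual formula: the obligation on the rest
# of the trace.
class Formula:
    def step(self, state):      # -> bool, or residual Formula for the next state
        raise NotImplementedError

    def beyond(self):           # value at position |trace| + 1 (past the end)
        raise NotImplementedError


class Atom(Formula):
    """A predicate on the current state, e.g. x > 0."""
    def __init__(self, text, pred):
        self.text, self.pred = text, pred

    def step(self, state):
        return bool(self.pred(state))

    def beyond(self):           # no state beyond the trace: a bare predicate is false
        return False

    def __repr__(self):
        return self.text


def _and(a, b):
    """Conjoin two step results, folding away boolean constants."""
    if a is False or b is False:
        return False
    if a is True:
        return b
    if b is True:
        return a
    return And(a, b)


def _or(a, b):
    """Disjoin two step results, folding away boolean constants."""
    if a is True or b is True:
        return True
    if a is False:
        return b
    if b is False:
        return a
    return Or(a, b)


class And(Formula):
    def __init__(self, a, b): self.a, self.b = a, b
    def step(self, state): return _and(self.a.step(state), self.b.step(state))
    def beyond(self): return self.a.beyond() and self.b.beyond()


class Or(Formula):
    def __init__(self, a, b): self.a, self.b = a, b
    def step(self, state): return _or(self.a.step(state), self.b.step(state))
    def beyond(self): return self.a.beyond() or self.b.beyond()


class Not(Formula):
    def __init__(self, f): self.f = f
    def step(self, state):
        r = self.f.step(state)
        return (not r) if isinstance(r, bool) else Not(r)
    def beyond(self): return not self.f.beyond()


def Implies(a, b):
    return Or(Not(a), b)


class Next(Formula):
    """Next F: F becomes the obligation for the following state."""
    def __init__(self, f): self.f = f
    def step(self, state): return self.f
    def beyond(self): return False      # there is no next state past the end


class Always(Formula):
    """max Always(F) = F AND Next Always(F); a max rule is true past the end."""
    def __init__(self, f): self.f = f
    def step(self, state): return _and(self.f.step(state), self)
    def beyond(self): return True


class Eventually(Formula):
    """min Eventually(F) = F OR Next Eventually(F); a min rule is false past the end."""
    def __init__(self, f): self.f = f
    def step(self, state): return _or(self.f.step(state), self)
    def beyond(self): return False


def monitor(formula, trace):
    """Return (verdict, k): the verdict was fixed at the k-th state (1-based),
    or k is None when it was only settled by the end of the trace."""
    current = formula
    for k, state in enumerate(trace, 1):
        current = current.step(state)
        if isinstance(current, bool):
            return current, k
    return current.beyond(), None


# The slide's monitor and trace.
X_POS = Atom("x > 0", lambda s: s["x"] > 0)
X_ZERO = Atom("x = 0", lambda s: s["x"] == 0)
M = Always(Implies(X_POS, Next(Next(X_ZERO))))
TRACE = [{"x": 1}, {"x": 2}, {"x": 0}, {"x": 3}]

if __name__ == "__main__":
    print(monitor(M, TRACE))  # the obligation raised at x=2 fails two states later
```

On the slide's trace the obligation raised by x=1 is met at the third state (x=0), but the one raised by x=2 needs x=0 at the fourth state and finds x=3, so the verdict is false at state 4. The same engine shows why polarity is needed: Eventually(x = 0) over a trace that never reaches zero cannot fail at any single state and is only rejected when the residual is resolved at the end.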
12
Trace Evaluation
13
Smurf Attack
  • An attacker sends a forged ICMP echo request
    with the victim's name as sender and sets the destination
    IP to a broadcast IP address
  • Monitor the log obtained by tcpdump
  • max Attack() = (type = ICMP) AND isBroadcast(ip)
  • mon SmurfSafety = Always(NOT Attack())

Each state contains: int32 ip, string type
[Figure: Absence of Smurf Attack; labels: isBroadcast(ip) = true, ICMP]
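SmurfSafety is a pure safety property, so the monitor reduces to evaluating Attack() on each state as it is parsed from the capture. The following added example (not Monid's own code) builds the slide's (int32 ip, string type) states from constructed tcpdump-style lines and reports every state where the safety formula fails. The slide does not say how isBroadcast is defined, so the version here is an assumption: the limited broadcast 255.255.255.255 and the directed broadcast address of a configured list of local subnets.

```python
# Added example (not Monid's own code): the SmurfSafety monitor run over a
# constructed tcpdump-style log. Each state carries the slide's fields
# (int32 ip = destination address, string type). isBroadcast is an assumption
# here: 255.255.255.255 or the directed broadcast of a configured local subnet.
import ipaddress

# Assumed list of monitored subnets (constructed for this example).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]


def ip_to_int32(text):
    return int(ipaddress.ip_address(text))


def is_broadcast(ip):
    """isBroadcast(ip) for an int32 destination address."""
    if ip == 0xFFFFFFFF:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)


def _strip_port(token):
    # tcpdump prints TCP/UDP endpoints as a.b.c.d.port; ICMP endpoints have no port
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def parse_line(line):
    """Turn one '<ts> IP <src> > <dst>: <proto> ...' line into a trace state.
    Minimal parser, sufficient for the constructed sample below."""
    ts, _, src, _, dst, proto = line.split()[:6]
    proto = proto.rstrip(",")
    return {
        "ip": ip_to_int32(_strip_port(dst.rstrip(":"))),
        "type": "ICMP" if proto == "ICMP" else "OTHER",
        "src": _strip_port(src),  # not on the slide; kept only for the report
    }


def attack(state):
    """max Attack() = (type = ICMP) AND isBroadcast(ip)"""
    return state["type"] == "ICMP" and is_broadcast(state["ip"])


def smurf_violations(log_text):
    """mon SmurfSafety = Always(NOT Attack()): every state where the safety
    formula fails, as (state number, source, destination)."""
    out = []
    for k, line in enumerate(log_text.strip().splitlines(), 1):
        st = parse_line(line)
        if attack(st):
            out.append((k, st["src"], str(ipaddress.ip_address(st["ip"]))))
    return out


# Constructed capture: two normal echo exchanges, one TCP SYN, then two echo
# requests aimed at broadcast addresses (the fourth carries the victim's
# address 192.168.1.10 as its source).
SAMPLE_LOG = """\
12:00:00.100 IP 10.0.0.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
12:00:00.200 IP 192.168.1.10 > 10.0.0.5: ICMP echo reply, id 1, seq 1, length 64
12:00:00.300 IP 10.0.0.5.40000 > 192.168.1.10.80: Flags [S], seq 1, win 65535, length 0
12:00:00.400 IP 192.168.1.10 > 192.168.1.255: ICMP echo request, id 7, seq 1, length 64
12:00:00.500 IP 10.0.0.5 > 255.255.255.255: ICMP echo request, id 9, seq 1, length 64
"""

if __name__ == "__main__":
    for v in smurf_violations(SAMPLE_LOG):
        print("SmurfSafety violated at state", v)
```

Because the formula only looks at the destination, the broadcast-address list is the part that decides false negatives: an echo request to the directed broadcast of a subnet not in LOCAL_SUBNETS would pass the monitor.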
14
Cookie-Stealing Scenario
  • A malicious user hijacks a session by reusing an
    old cookie issued to a different IP address
  • Monitor the web-server log
  • min SafeUse(string c, int i) = ((name = c) → (ip = i))
    AND Prev SafeUse(c, i)
  • mon CookieSafe = Always(SafeUse(name, ip))
  • Also included
    • Multi-domain buffer overflow attack, which
      illustrates our ability to collect statistics at
      runtime (anomaly detection)
    • Port sweep attack: remember finite history and
      statistics
    • Evaluation on the DARPA data set
    • Explore overheads and expressive power
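SafeUse looks backwards through Prev: at each request the cookie in use must have come from the same address in every earlier request that carried it. That past can be summarised online as the set of addresses seen per cookie, which is what the following added example does (not Monid's own code). The log format is assumed, a combined-log-style line with the session cookie in a trailing quoted field, and the lines are constructed; Prev is taken as vacuously true at the first state.

```python
# Added example (not Monid's own code): the CookieSafe monitor over a
# constructed web-server log. The log format is an assumption (combined-log
# style, session cookie in a trailing quoted field). States carry the slide's
# fields: string name (the cookie value) and int ip.
import ipaddress
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d+) (?P<size>\d+|-) "sessionid=(?P<name>[^"]*)"$'
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return {"name": m["name"], "ip": int(ipaddress.ip_address(m["ip"]))}


class CookieSafeMonitor:
    """SafeUse(c, i) = ((name = c) -> (ip = i)) AND Prev SafeUse(c, i):
    at state k the cookie c in use must have come from ip i in every earlier
    state that used c (Prev taken as true at the first state). The set of ips
    seen so far per cookie is enough to decide this at each state."""

    def __init__(self):
        self.ips_seen = {}

    def step(self, state):
        """Return True when SafeUse(name, ip) holds at this state."""
        seen = self.ips_seen.setdefault(state["name"], set())
        seen.add(state["ip"])
        # SafeUse keeps failing after a hijack: the use from the other address
        # stays in the past, so a later use from the original address is flagged too
        return len(seen) == 1


def cookie_violations(log_text):
    """mon CookieSafe = Always(SafeUse(name, ip)): the states violating it,
    as (line number, cookie, address)."""
    mon = CookieSafeMonitor()
    out = []
    for k, line in enumerate(log_text.strip().splitlines(), 1):
        st = parse_line(line)
        if not mon.step(st):
            out.append((k, st["name"], str(ipaddress.ip_address(st["ip"]))))
    return out


# Constructed log: abc123 is issued to 10.0.0.5, reused from 203.0.113.7, then
# used again by the original client.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512 "sessionid=abc123"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /account HTTP/1.1" 200 2048 "sessionid=abc123"
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 200 512 "sessionid=xyz789"
203.0.113.7 - - [10/Oct/2023:14:02:44 +0000] "GET /account HTTP/1.1" 200 2048 "sessionid=abc123"
10.0.0.5 - - [10/Oct/2023:14:05:00 +0000] "GET /logout HTTP/1.1" 200 128 "sessionid=abc123"
"""

if __name__ == "__main__":
    for v in cookie_violations(SAMPLE_LOG):
        print("CookieSafe violated at line", v)
```

The fifth line is the detail worth noticing: the formula as written on the slide flags the legitimate client's own later request as well, because the earlier use from 203.0.113.7 is now part of the cookie's history. A deployment that wants only the first hijacked request reported would need a different formula, not a different monitor.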

15
Performance Overhead: Port Sweep Attack
16
Performance Overhead: Password-Guess Attack
17
Conclusion
  • Have proposed a framework for intrusion detection
    based on a temporal logic approach
  • Experimentally evaluated the framework using real
    data
  • Some directions for future research
    • Predicting security attacks from otherwise
      successful system executions. Useful for
      detecting concurrency-related attacks.
    • Distributed monitoring to detect attacks that
      involve multiple hosts.

18
Thank You!
  • Contact Information
  • Email
    • Prasad: naldurg@cs.uiuc.edu
    • Koushik: ksen@cs.uiuc.edu
    • Prasanna: thati@cs.cmu.edu
  • Address
    • Department of Computer Science, University of
      Illinois at Urbana-Champaign, Urbana IL 61801,
      USA