Abstract
Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.
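The context-sensitive check the abstract describes, as an added illustration that is not the paper's model or code: the dataclasses stand in for the UML class diagram of packet, session and node information, and the rule predicate stands in for an OCL constraint over it; every host, service, version and payload value below is constructed.

```python
"""Toy network-context-sensitive IDS rule (added example, hypothetical model).
A signature-only rule fires on a byte pattern alone; the context rule also
requires an established session and a destination node whose recorded
application/version/OS matches a known vulnerability, which is how the
paper's approach aims to suppress false positives."""
from dataclasses import dataclass


@dataclass
class Node:                 # network context gathered about one host
    ip: str
    os: str
    services: dict          # port -> (application, version)


@dataclass
class Vulnerability:        # one entry of a vulnerability database
    vid: str
    application: str
    versions: frozenset     # affected versions
    os: frozenset           # affected operating systems


@dataclass
class Session:              # state of one TCP session tracked by the IDS
    src: str
    dst: str
    dport: int
    state: str              # e.g. "SYN_SENT", "ESTABLISHED"


@dataclass
class Packet:
    session: Session
    payload: bytes


def signature_matches(pkt: Packet, pattern: bytes) -> bool:
    """Classic stateless check: the byte pattern occurs in the payload."""
    return pattern in pkt.payload


def context_rule(pkt: Packet, pattern: bytes, vuln: Vulnerability,
                 inventory: dict) -> bool:
    """OCL-style invariant: pattern AND established session AND the target
    actually runs an application/version/OS listed for the vulnerability."""
    if not signature_matches(pkt, pattern):
        return False
    s = pkt.session
    if s.state != "ESTABLISHED":
        return False
    node = inventory.get(s.dst)
    if node is None:            # no context known: stay conservative, alert
        return True
    app = node.services.get(s.dport)
    return (app is not None and app[0] == vuln.application
            and app[1] in vuln.versions and node.os in vuln.os)
```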
© 2007 Springer-Verlag Berlin Heidelberg
Cite this paper
Massicotte, F., Couture, M., Briand, L., Labiche, Y. (2007). Model-Driven, Network-Context Sensitive Intrusion Detection. In: Engels, G., Opdyke, B., Schmidt, D.C., Weil, F. (eds) Model Driven Engineering Languages and Systems. MODELS 2007. Lecture Notes in Computer Science, vol 4735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75209-7_5
DOI: https://doi.org/10.1007/978-3-540-75209-7_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75208-0
Online ISBN: 978-3-540-75209-7