Abstract not found

Abstract. Assurance technologies for computer security have failed to have significant impacts in the marketplace, with the result that most of the computers connected to the internet are vulnerable to attack. This paper looks at the problem of malicious users from both a historical and practical standpoint. It traces the history of intrusion and intrusion detection from the early 1970s to the present day, beginning with a historical overview. The paper describes the two primary intrusion detection techniques, anomaly detection and signature-based misuse detection, in some detail and describes a number of contemporary research and commercial intrusion detection systems. It ends with a brief discussion of the problems associated with evaluating intrusion detection systems and a discussion of the difficulties associated with making further progress in the field. With respect to the latter, it notes that, like many fields, intrusion detection has been based on a combination of intuition and brute-force techniques. We suspect that these have carried the field as far as they can and that further significant progress will depend on the development of an underlying theoretical basis for the field.

Log auditing is a basic intrusion detection mechanism, whereby attacks are detected by uncovering matches of sequences of events against signatures. We argue that this problem is naturally expressed as a model-checking problem against linear Kripke models. A variant of the classic linear time temporal logic of Manna and Pnueli with first-order variables is first investigated in this framework. In passing, we show that model-checking this logic against linear models is NP-complete -- polynomial-time in the propositional case --, which contrasts with the fact that it is PSPACE-complete against general models. Despite this improvement, this logic is in dire need of refinement, as far as expressiveness and efficiency are concerned. We therefore propose a second, less standard logic consisting of flat, Wolperstyle linear-time formulae. We describe an efficient online algorithm, making the approach attractive for complex log auditing tasks. We present a few optimizations that the use of a formal semantics affords us, using abstract interpretation techniques, and report briefly on preliminary practical experience.

Abstract not found

Secure electronic communication relies on cryptography. Even with perfect encryption, communication may be compromised without effective security protocols for key exchange, authentication, etc. We are now seeing proliferation of large secure environments characterized by high volume, encrypted traffic between principals, facilitated by Public Key Infrastructures (PKI). PKIs are dependent on security protocols. Unfortunately, security protocols are susceptible to subtle errors. To date, we have relied on formal methods to tell us if security protocols are effective. These methods do not provide complete or measurable protocol security. Security protocols are also subject to the same implementation and administrative vulnerabilities as communication protocols. As a result, we will continue to operate security protocols that have flaws. In this paper, we describe a method and architecture to detect intrusions in security protocol environments such as Public Key Infrastructures. Our method is based on classic intrusion detection techniques of knowledge-based and behavior-based techniques detection. 2 Section 1.

We consider the problem of intrusion analysis and present the Kerf Toolkit, whose purpose is to provide an efficient and flexible infrastructure for the analysis of attacks. The Kerf Toolkit includes a mechanism for securely recording host and network logging information for a network of workstations, a domain-specific language for querying this stored data, and an interface for viewing the results of such a query, providing feedback on these results, and generating new queries in an iterative fashion. We describe the architecture of Kerf, present examples to demonstrate the power of our query language, and discuss the performance of our implementation of this system. 1

Abstract not found

We describe how to build a network intrusion detection sensor by slightly modifying NASA's CLIPS source code introducing some new features. An overview of the system is presented emphasizing the strategies used to inter-operate between the packet capture engine written in C and CLIPS. Some extensions were developed in order to manipulate timestamps, multiple string pattern matching and certainty factors. Several Snort functions and plugins were adapted and used for packet decoding and preprocessing. A rule translator was also built to reuse most of the Snort's attack signatures. Despite some performance drawbacks, results prove that CLIPS can be used for real-time network intrusion detection under certain conditions. Several attack signatures using CLIPS rules are showed in the appendix. By mixing CLIPS with Snort features, it was possible to introduce flexibility and expressiveness to network intrusion detection.

Abstract — The CuPIDS project is an exploration of increasing information system security by dedicating computational resources to system security tasks in a shared resource, multi-processor (MP) architecture. Our research explores ways in which this architecture offers improvements over the traditional uni-processor (UP) model of security. There are a number of areas to explore, one of which has a protected application running on one processor in a symmetric multiprocessing (SMP) system while a shadow process specific to that application runs on a different processor, monitoring its activity, ready to respond immediately if the application veers off course. This paper describes initial work into defining such an architecture and the prototype work done to validate our ideas.