Log auditing through model-checking

Roger, Muriel; Goubault-Larrecq, Jean

doi:10.1109/csfw.2001.930148

Cited by 65 publications

(80 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Roger and Goubault-Larreq [26] have used linear temporal logic and associated model-checking algorithms for log auditing. The work is related although their application is quite different.…”

Section: Resultsmentioning

confidence: 99%

A framework for concrete reputation-systems with applications to history-based access control

Krukow

Nielsen

Sassone

2005

Proceedings of the 12th ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

In a reputation-based trust-management system, agents maintain information about the past behaviour of other agents. This information is used to guide future trust-based decisions about interaction. However, while trust management is a component in security decision-making, few existing reputation-based trustmanagement systems aim to provide any formal security-guarantees. We describe a mathematical framework for a class of simple reputationbased systems. In these systems, decisions about interaction are taken based on policies that are exact requirements on agents' past histories. We present a basic declarative language, based on purepast linear temporal logic, intended for writing simple policies. While the basic language is reasonably expressive, we extend it to encompass more practical policies, including several known from the literature. A naturally occurring problem becomes how to efficiently re-evaluate a policy when new behavioural information is available. Algorithms for the various languages are presented along with complexity analyses.

show abstract

Section: Resultsmentioning

confidence: 99%

A framework for concrete reputation-systems with applications to history-based access control

Krukow

Nielsen

Sassone

2005

Proceedings of the 12th ACM Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…In contrast to other such temporal logic based approaches [16], we use an expressively rich logic in which one can express both signature based and simple anamoly based attack specifications. We automatically monitor such attack specifications with respect to the system execution.…”

Section: Resultsmentioning

confidence: 99%

Section: Background and Motivationmentioning

confidence: 99%

“…Roger et al in [16] used temporal logic and model-checking based approach to detect intrusion. This work is closely related to ours; however, unlike [16] we can express more sophisticated signatures involving statistics and real-time by using powerful monitoring logic Eagle. Ilgun et al [10] propose the use of finite state transition diagrams to specify sequences of actions that would lead the system from a secure initial state to a compromised final state.…”

Section: Background and Motivationmentioning

confidence: 99%

“…One can naturally specify the absence of a known attack pattern as a safety formula φ in a suitable temporal logic [5]. Such a temporal logic based approach was considered in [16] using a variant of linear temporal logic (LTL) with first order variables. However we consider a more expressive logic in which one can also express attack signatures involving real-time constraints and statistical properties.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Temporal Logic Based Framework for Intrusion Detection

Naldurg

Sen

Thati

2004

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. We propose a framework for intrusion detection that is based on runtime monitoring of temporal logic specifications. We specify intrusion patterns as formulas in an expressively rich and efficiently monitorable logic called Eagle. Eagle supports data-values and parameterized recursive equations, and allows us to succinctly express security attacks with complex temporal event patterns, as well as attacks whose signatures are inherently statistical in nature. We use an online monitoring algorithm that matches specifications of the absence of an attack, with system execution traces, and raises an alarm whenever the specification is violated. We present our implementation of this approach in a prototype tool, called Monid and report our results obtained by applying it to detect a variety of security attacks in log-files provided by DARPA.

show abstract

The Orchids Intrusion Detection Tool

Olivain

Goubault-Larrecq

2005

Computer Aided Verification

View full text Add to dashboard Cite

Abstract. ORCHIDS is an intrusion detection tool based on techniques for fast, on-line model-checking. Temporal formulae are taken from a temporal logic tailored to the description of intrusion signatures. They are checked against merged network and system event flows, which together form a linear Kripke structure.Introduction: Misuse Detection as Model-Checking. ORCHIDS is a new intrusion detection tool, capable of analyzing and correlating events over time, in real time. Its purpose is to detect, report, and take countermeasures against intruders. The core of the engine is originally based on the language and algorithm in the second part of the paper by Muriel Roger and Jean Goubault-Larrecq [6]. Since then, the algorithm evolved: new features (committed choices, synchronization variables), as well as extra abstract interpretation-based optimizations, and the correction of a slight bug in op.cit., appear in the unpublished report [1]. Additional features (cuts, the "without" operator) were described in the unpublished deliverable [2]. Finally, contrarily to the prototype mentioned in [6], ORCHIDS scales up to real-world, complex intrusion detection.The starting point of the ORCHIDS endeavor is that intrusion detection, and specifically misuse detection, whereby bad behavior (so-called attacks) is specified in some language and alerts are notified when bad behavior is detected, is essentially a modelchecking task. The Kripke model to be analyzed is an event flow (collected from various logs, and other system or network sources), and complex attack signatures are described in an application-specific temporal logic.

show abstract

Log auditing through model-checking

Cited by 65 publications

References 6 publications

A framework for concrete reputation-systems with applications to history-based access control

A framework for concrete reputation-systems with applications to history-based access control

A Temporal Logic Based Framework for Intrusion Detection

The Orchids Intrusion Detection Tool

Contact Info

Product

Resources

About