Most intrusion detection systems deployed today apply misuse detection as their analysis method. Misuse detection searches the recorded audit data for attack traces using predefined patterns; the matching rules are called signatures. Up to now, defining signatures has been an empirical process based on expert knowledge and experience. The analysis success, and accordingly the acceptance of intrusion detection systems in general, depends essentially on how up to date the deployed signatures are. Methods for the systematic development of signatures have scarcely been reported yet, so modeling a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this, and signature testing is still a rather empirical and time-consuming way to detect modeling errors. In this paper we present the first approach for verifying signature specifications using the SPIN model checker. The signatures are modeled in the specification language EDL, which is based on colored Petri nets. We show how a signature specification is transformed into a PROMELA model and how characteristic specification errors can be found by SPIN.
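The abstract describes signatures as patterns over audit data, modeled as colored Petri nets, whose specification errors the paper finds by model checking the PROMELA translation with SPIN. As an added illustration (not the paper's EDL, its PROMELA model, or any code from the authors), the following Python models one multi-step signature as a small colored net, matches it against a constructed audit trail, and runs two static checks of the kind a model checker would report on the specification: places unreachable from the initial place, and conditions that compare an event field against a token variable that no path has bound yet. The signature, its event types, field names and the audit records are all constructed for this example.

```python
"""Toy misuse-detection signature as a small coloured Petri net, with static
checks for two typical specification errors.  Constructed illustration only:
this is neither the paper's EDL nor its PROMELA translation."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

Token = Dict[str, str]  # coloured token: variable name -> bound value
Event = Dict[str, str]  # audit record: field name -> value, including "type"

@dataclass
class Transition:
    name: str
    src: str         # place whose token enables the transition
    dst: str         # place receiving the new token
    event_type: str  # audit event type that may fire it
    binds: Dict[str, str] = field(default_factory=dict)     # var <- event field
    requires: Dict[str, str] = field(default_factory=dict)  # event field == var

@dataclass
class Signature:
    initial: str
    final: str
    transitions: List[Transition]

    def match(self, trail: List[Event]) -> List[Token]:
        """Run the trail through the net; tokens reaching `final` are alarms (non-consuming)."""
        marking: Dict[str, List[Token]] = {self.initial: [{}]}
        alarms: List[Token] = []
        for ev in trail:
            produced: Dict[str, List[Token]] = {}
            for t in self.transitions:
                if t.event_type != ev["type"] or any(f not in ev for f in t.binds.values()):
                    continue
                for tok in marking.get(t.src, []):
                    # each required field must equal a variable the token already binds
                    if all(f in ev and v in tok and ev[f] == tok[v]
                           for f, v in t.requires.items()):
                        new_tok = dict(tok, **{v: ev[f] for v, f in t.binds.items()})
                        produced.setdefault(t.dst, []).append(new_tok)
            for place, toks in produced.items():  # add after the event is fully processed
                (alarms if place == self.final else marking.setdefault(place, [])).extend(toks)
        return alarms

    def verify(self) -> List[str]:
        """Static checks: (1) places unreachable from `initial`; (2) `requires`
        conditions on a variable not bound on every path into the source place."""
        errors: List[str] = []
        places = {self.initial, self.final} | {p for t in self.transitions for p in (t.src, t.dst)}
        reach, changed = {self.initial}, True
        while changed:  # reachability fixpoint over the place/transition graph
            changed = False
            for t in self.transitions:
                if t.src in reach and t.dst not in reach:
                    reach.add(t.dst)
                    changed = True
        for p in sorted(places - reach):
            errors.append(f"place '{p}' is unreachable from '{self.initial}'")
        # must-be-bound analysis: intersect the bindings arriving over all incoming paths
        all_vars = {v for t in self.transitions for v in t.binds}
        bound: Dict[str, Set[str]] = {p: set(all_vars) for p in places}
        bound[self.initial] = set()
        changed = True
        while changed:
            changed = False
            for t in self.transitions:
                narrowed = bound[t.dst] & (bound[t.src] | set(t.binds))
                if narrowed != bound[t.dst]:
                    bound[t.dst], changed = narrowed, True
        for t in self.transitions:
            for f, v in t.requires.items():
                if v not in bound[t.src]:
                    errors.append(f"transition '{t.name}' compares field '{f}' with "
                                  f"variable '{v}', which is not bound before '{t.src}'")
        return errors

# Constructed signature: failed login from a host, then a successful login from the
# same host, then that user switching to root.  Event names and fields are invented.
GOOD = Signature("start", "alarm", [
    Transition("t1", "start", "failed", "login_failed", binds={"host": "src_host"}),
    Transition("t2", "failed", "logged_in", "login_ok",
               requires={"src_host": "host"}, binds={"user": "user"}),
    Transition("t3", "logged_in", "alarm", "su_to_root", requires={"user": "user"}),
])

# Same signature with two modelling slips: t2 forgot to bind `user`, so t3 can never
# fire, and t4 leaves a place that no transition ever reaches.
BROKEN = Signature("start", "alarm", [
    Transition("t1", "start", "failed", "login_failed", binds={"host": "src_host"}),
    Transition("t2", "failed", "logged_in", "login_ok", requires={"src_host": "host"}),
    Transition("t3", "logged_in", "alarm", "su_to_root", requires={"user": "user"}),
    Transition("t4", "orphan", "alarm", "su_to_root"),
])

TRAIL: List[Event] = [  # constructed audit trail
    {"type": "login_failed", "src_host": "10.0.0.5"},
    {"type": "login_failed", "src_host": "10.0.0.9"},
    {"type": "login_ok", "src_host": "10.0.0.5", "user": "bob"},
    {"type": "su_to_root", "user": "alice"},
    {"type": "su_to_root", "user": "bob"},
]
```

Running `GOOD.match(TRAIL)` yields one alarm token binding the host and user of the matched instance, while `BROKEN.match(TRAIL)` silently yields nothing: testing alone only shows that the signature did not fire. `BROKEN.verify()` instead names the causes, the unreachable place `orphan` and the unbound variable `user` in `t3`, which is the kind of specification error the paper proposes to find by model checking rather than by trial runs against audit data.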
Keywords: Computer Security, Intrusion Detection, Misuse Detection, Attack Signatures, Signature Verification, PROMELA, SPIN model checker
Motivation

The increasing dependence of human society on information technology (IT) systems requires appropriate measures to cope with their misuse. The growing technological complexity of IT systems widens the range of threats they are exposed to. Besides traditional preventive security measures, such as encryption, authentication, and access control mechanisms, reactive approaches are increasingly applied to counter these threats. Reactive approaches allow responses and counter-measures to security violations that prevent further damage. Intrusion detection systems (IDSs) have proved to be one of the most important means of protecting IT systems. A wide range of commercial intrusion detection products is available, especially for misuse detection. Intrusion detection is based on monitoring IT systems to detect security violations. Which activities count as security violations in a given context is defined by the security policy in use. Two main complementary approaches are applied: anomaly detection and misuse detection. Anomaly detection aims at exposing abnormal user behavior. It requires a comprehensive set of data describing normal user behavior. Although much research has been done in this area, it has still