Using Constraints for Intrusion Detection: The NeMODe System

Salgueiro, Pedro; Díaz, Daniel; Brito, Isabel Sofía; Abreu, Salvador

doi:10.1007/978-3-642-18378-2_11

Cited by 11 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In contrast, our approach allows defining the partial-order patterns on the required set of packets without the need to specify any time window. In a related effort of using a DSL to express network constraints, Salgueiro et al [19] present a DSL to describe common attacks on TCP/IP protocols that can generate solution code. However, the DSL was not designed to handle the kind of multi-packet constraints that we needed for the DDS networks.…”

Section: Results and Evaluationmentioning

confidence: 99%

Generating a Real-Time Constraint Engine for Network Protocols

Rakha

Imam

Dean

2019

Information Security Theory and Practice

View full text Add to dashboard Cite

In this paper, we present a practical approach to generate the constraint engine for an effective constraint-based intrusion detection system (IDS). The IDS framework was designed for safety-sensitive networks that involve limited-access closed networks such as the networks for the command and control systems or the Air Traffic Control (ATC) systems. The constraint engine generated by the framework supports real-time performance while ensuring the intended, normal behaviour of its target networks. We present the IDS framework in terms of its internal DSL representation as well as its transformation mechanisms to generate the constraint engine code. Comparing the autogenerated version against a manually implemented, optimized version of the constraint engine indicates no significant difference in terms of their performance.

show abstract

Section: Results and Evaluationmentioning

confidence: 99%

Generating a Real-Time Constraint Engine for Network Protocols

Rakha

Imam

Dean

2019

Information Security Theory and Practice

View full text Add to dashboard Cite

show abstract

“…Since these languages do not use a declarative approach, thus making them less expressive. In literature, the NeMODe system [6] is an example of network intrusion detection systems that provides a declarative and expressive domain specific language for describing intrusion signatures that could spread across network packets. Simply stating constraints over network packets in the script, the desired intrusions will be recognized by Constraint Programming paradigm used as the backend detection mechanism.…”

Section: Domain Specific Language (Dsl)mentioning

confidence: 99%

isDSL - A Domain Specific Language for Intrusion Signature Declaration

Chotvorrarak

Limpiyakorn

2013

Interdisciplinary Research Theory and Technology

View full text Add to dashboard Cite

This paper presents a signature-based network intrusion detection system. The intrusions are detected using their signatures defined as a set of rules contained in DSL scripts. A domain specific language is created, called isDSL, of which the syntax aligns with the TCP/ IP stack and the encoding of GA chromosomes. Genetic algorithm is the technique used for searching malicious states on network traffics. The attack is defined as a combination of properties and values that could be across the packets, matches with the conditions defined in a particular rule described in DSL scripts. The presented approach is promising for several reasons. A domain specific language is a declarative approach for describing intrusion signatures that could spread across network packets. Additionally, the rules are expressive that could tune out false positives. Moreover, the use of genetic algorithm would reduce the number of packet combinations being investigated for signs of the intrusions.

show abstract

“…Exploit languages [21,10] are used to describe how an attack is performed and the stages of the attack. Knowledge languages [16,8] have a global expertise of described attacks and know the implications of a single event.…”

Section: Introductionmentioning

confidence: 99%

“…Detection languages [17,20] describe the detection of an attack according to a number of occurrences of events. Response languages [21,12] describe how to react when an attack is detected.…”

Section: Introductionmentioning

confidence: 99%

Discus: A massively distributed IDS architecture using a DSL-based configuration

Riquet

Grimaud

Hauspie

2014

2014 International Conference on Information Science, Electronics and Electrical Engineering

View full text Add to dashboard Cite

Abstract-Nowadays, cloud computing becomes quite popular and a lot of research is done on services it provides. Most of security challenges induced by this new architecture are not yet tackled. In this work, we propose a new security architecture, based on a massively distributed network of security solutions, to address these challenges. Current solutions, like IDS or firewalls, were not formerly designed to detect attacks that draw profit from the cloud structure. Our solution DISCUS is based on a distributed architecture using both physical and virtual probes, along with former security solutions (IDS and firewalls). This paper describes DISCUS SCRIPT, a dedicated language that provides an easy way to configure the components of our solution.

show abstract

Using Constraints for Intrusion Detection: The NeMODe System

Cited by 11 publications

References 11 publications

Generating a Real-Time Constraint Engine for Network Protocols

Generating a Real-Time Constraint Engine for Network Protocols

isDSL - A Domain Specific Language for Intrusion Signature Declaration

Discus: A massively distributed IDS architecture using a DSL-based configuration

Contact Info

Product

Resources

About