
Publications


Featured research published by Sebastian Schmerl.


international conference on detection of intrusions and malware and vulnerability assessment | 2005

Improving the efficiency of misuse detection

Michael Meier; Sebastian Schmerl; Hartmut Koenig

In addition to preventive mechanisms, intrusion detection systems (IDS) are an important instrument to protect computer systems. Most IDSs used today realize the misuse detection approach. These systems analyze monitored events for occurrences of defined patterns (signatures), which indicate security violations. Up to now, little attention has been paid to the analysis efficiency of these systems. In particular for systems that are able to detect complex, multi-step attacks, not much work towards performance optimizations has been done. This paper discusses analysis techniques of IDSs used today and introduces a couple of optimizing strategies, which exploit structural properties of signatures to increase the analysis efficiency. A prototypical implementation has been used to evaluate these strategies experimentally and to compare them with currently deployed misuse detection techniques. Measurements showed that significant performance improvements can be gained by using the proposed optimizing strategies. The effects of each optimization strategy on the analysis efficiency are discussed in detail.


international conference on formal engineering methods | 2010

Model-driven protocol design based on component oriented modeling

Prabhu Shankar Kaliappan; Hartmut Kö; Sebastian Schmerl

Due to new emerging areas in the communication field there is a constant need for the design of novel communication protocols. This demands techniques for a rapid and efficient protocol design and development. Systematic protocol designs using formal description techniques (FDTs), such as SDL, LOTOS, etc., have proven a successful way to develop correct protocols. FDTs enforce, however, a semantic-oriented description which makes it difficult to reuse parts of the specification in other FDTs. A general-purpose modeling language like the UML may help to easily bridge between different description techniques. In contrast to the standardized FDTs, UML lacks a formal semantics. A model-driven protocol design, which aims at supporting the reuse of designs, only makes sense when the designs of basic protocol mechanisms fit in reusable design patterns or components with a formally defined semantics. In this paper, we propose a component-based protocol development approach with UML. Typical structures and behaviors of protocols are pre-defined as components using UML diagrams. The semantics of the UML diagrams is formally defined using the compositional Temporal Logic of Actions (cTLA). Based on this formalization, transformations into other representations, e.g. PROMELA for verification, are supported. We demonstrate the approach for an example transfer protocol.


2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering | 2010

Explorative Visualization of Log Data to Support Forensic Analysis and Signature Development

Sebastian Schmerl; Michael Vogel; René Rietz; Hartmut König

Today's growing number of security threats to computers and networks also increases the importance of log inspections to support the detection of possible breaches. The investigation and assessment of security incidents becomes more and more a daily business. Further, manual log analysis is essential in the context of developing signatures for intrusion detection systems (IDS), which allow for an automated defense against security attacks or incidents. But the analysis of log data in the context of forensic investigations and IDS signature development is a tedious and time-consuming task, due to the large amount of textual data. Moreover, this task requires skilled knowledge to differentiate between the important and the non-relevant information. In this paper, we propose an approach for log or audit data representation, which aims at simplifying the analysis process for the security officer. For this purpose, audit data and existing relations between audit events are represented graphically in a three-dimensional space. We describe a general approach for analyzing and exploring audit or log data in the context of this presentation paradigm. Further, we introduce our tool, which implements this approach, and demonstrate the strengths and benefits of this presentation and exploration form.


ACM Sigsoft Software Engineering Notes | 2011

Modeling a distributed intrusion detection system using collaborative building blocks

Linda Ariani Gunawan; Michael Vogel; Frank Alexander Kraemer; Sebastian Schmerl; Vidar Slåtten; Peter Herrmann; Hartmut König

Developing complex distributed systems is a non-trivial task. It is even more difficult when the systems need to dynamically reconfigure the distributed functionalities or tasks. Not only do we need to deal with the application-specific functionalities that are intricate, but we also have to handle the complex logic of coordinating the distribution and relocation of tasks. In this paper, we model an intrusion detection system that distributes its analysis units to a number of hosts and assigns fine-grained analysis tasks to these hosts in order to cope with the rapid increase of audit data from today's IT systems. The system is further capable of reacting to overload situations and shifting tasks to other hosts. To develop this complex system, we apply the model-based engineering method SPACE. In particular, we show that the collaborative specification style of the method can significantly reduce the development effort. Also, the formal semantics of SPACE ensures the correctness of important design properties.


Lecture Notes in Computer Science | 2006

Simplifying signature engineering by reuse

Sebastian Schmerl; Hartmut Koenig; Ulrich Flegel; Michael Meier

Most intrusion detection systems deployed today apply misuse detection as detection procedure. Misuse detection compares the recorded audit data with predefined patterns, i.e. signatures. A signature is usually empirically developed based on experience and expert knowledge. Methods for a systematic development are scarcely reported yet. Automated approaches to reusing design and modeling decisions of available signatures also do not exist. This induces relatively long development times for signatures, causing inappropriate vulnerability windows. In this paper we present an approach for systematic signature derivation. It is based on the reuse of existing signatures to exploit similarities with existing attacks for deriving a new signature. The approach is based on an iterative abstraction of signatures. Based on a weighted abstraction tree it selects those signatures or signature fragments which are similar to the novel attack. Finally, we present a practical application of the approach using the signature description language EDL.


International Journal on Software Tools for Technology Transfer | 2011

Using model checking to identify errors in intrusion detection signatures

Sebastian Schmerl; Michael Vogel; Hartmut König

Most intrusion detection systems deployed today apply misuse detection as analysis method. Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures. The definition of signatures is up to now an empirical process based on expert knowledge and experience. The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures. Methods for a systematic development of signatures have scarcely been reported yet, so the modeling of a new signature is a time-consuming, cumbersome, and error-prone process. The modeled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this. Signature testing is still a rather empirical and time-consuming process to detect modeling errors. In this paper, we present the first approach for verifying signature specifications using the Spin model checker. The signatures are modeled in the specification language EDL, which leans on colored Petri nets. We show how the signature specification is transformed into a Promela model and how characteristic specification errors can be found by Spin.


TestCom'07/FATES'07 Proceedings of the 19th IFIP TC6/WG6.1 international conference, and 7th international conference on Testing of Software and Communicating Systems | 2007

Towards systematic signature testing

Sebastian Schmerl; Hartmut Koenig

The success and the acceptance of intrusion detection systems essentially depend on the accuracy of their analysis. Inaccurate signatures strongly trigger false alarms. In practice several thousand false alarms per month are reported, which limits the successful deployment of intrusion detection systems. Most intrusion detection systems deployed today apply misuse detection as detection procedure. Misuse detection compares the recorded audit data with predefined patterns, the signatures. These are mostly empirically developed based on experience and knowledge of experts. Methods for a systematic development have scarcely been reported yet. A testing and correcting phase is required to improve the quality of the signatures. Signature testing is still a rather empirical process, like signature development itself. There exists no test methodology so far. In this paper we present first approaches for a systematic test of signatures. We characterize the test objectives and present different test methods.


autonomous infrastructure management and security | 2011

Efficient distributed signature analysis

Michael Vogel; Sebastian Schmerl; Hartmut König

Intrusion Detection Systems (IDS) have proven to be a valuable measure to cope reactively with attacks in the Internet. The growing complexity of IT systems, however, rapidly increases the audit data volumes and the size of the signature bases. This forces IDSs to drop audit data in high-load situations, thus offering attackers chances to act undetected. To tackle this issue we propose an efficient and adaptive analysis approach for multi-step signatures that is based on a dynamic distribution of analyses. We propose different optimization strategies for an efficient analysis distribution. The strengths and weaknesses of each strategy are evaluated based on a prototype implementation.


annual computer security applications conference | 2008

Systematic Signature Engineering by Re-use of Snort Signatures

Sebastian Schmerl; Hartmut Koenig; Ulrich Flegel; Michael Meier; René Rietz

Most intrusion detection systems deployed today apply the misuse detection approach. Misuse detection compares recorded audit data with predefined patterns denoted as signatures. A signature is usually empirically engineered based on experience and expert knowledge. This induces relatively long development times for novel signatures, causing inappropriately long vulnerability windows. Methods for a systematic engineering have been scarcely reported so far. Approaches for an automated re-use of design and modeling decisions of available signatures also do not exist. In this paper we present an approach for systematic engineering of signatures which is based on the re-use of existing signatures. It exploits similarities with known attacks for the engineering process. The method applies an iterative abstraction of signatures. Based on a weighted assessment of the abstractions, the signature engineer can select the most appropriate signatures or fragments of signatures for the development of the signature for a new attack. We demonstrate the usefulness of the method using Snort signatures as example.


annual computer security applications conference | 2007

Efficiency Issues of Rete-Based Expert Systems for Misuse Detection

Michael Meier; Ulrich Flegel; Sebastian Schmerl

This paper provides a general and comprehensive approach to implementing misuse detection on expert systems and an in-depth analysis of the effectiveness of the optimization strategies of the Rete algorithm with respect to the general implementation approach. General efficiency limits of Rete-based expert systems in the domain of misuse detection are determined analytically and validated experimentally. We conclude that expert systems may still have their merit in rapid prototyping of misuse detection IDSs, but they should not be considered for modern production systems.

Collaboration


Top co-authors of Sebastian Schmerl, with their affiliations:

Michael Vogel, Brandenburg University of Technology
Hartmut König, Brandenburg University of Technology
René Rietz, Brandenburg University of Technology
Hartmut Koenig, Brandenburg University of Technology
Ulrich Flegel, Technical University of Dortmund
Hartmut Kö, Brandenburg University of Technology
Joachim Biskup, Technical University of Dortmund
Prabhu Shankar Kaliappan, Brandenburg University of Technology
Frank Alexander Kraemer, Norwegian University of Science and Technology