SpringerLink - Book Chapter

From Declarative Signatures to Misuse IDS

Book Series

Lecture Notes in Computer Science

Publisher

Springer Berlin / Heidelberg

ISSN

0302-9743 (Print) 1611-3349 (Online)

Volume

Volume 2212/2001

Book

Recent Advances in Intrusion Detection

DOI

10.1007/3-540-45474-8

2001

ISBN

978-3-540-42702-5

DOI

10.1007/3-540-45474-8_1

Pages

1-21

Subject Collection

Computer Science

SpringerLink Date

Monday, January 01, 2001

From Declarative Signatures to Misuse IDS

Jean-Philippe Pouzol⁷ and Mireille Ducasé⁷

(7)	IRISA/INSA de Rennes - Campus Universitaire de Beaulieu, 35042 Rennes Cedex, France

Abstract

In many existing misuse intrusion detection systems, intrusion signatures are very close to the detection algorithms. As a consequence, they contain too many cumbersome details. Recent work have proposed declarative signature languages that raise the level of abstraction when writing signatures. However, these languages do not always come with operational support. In this article, we show how to transform such declarative signatures into operational ones. This process points out several technical details which must be considered with care when performing the translation by hand, but which can be systematically handled.

A signature specification language named Sutekh is proposed. Its declarative semantics is precisely described. To produce rules for existing rule-based IDS from Sutekh signatures, an algorithm, based on the construction of a state-transition diagram, is given.

Jean-Philippe Pouzol
Email: pouzol@irisa.fr

Mireille Ducasé
Email: ducasse@irisa.fr

From Declarative Signatures to Misuse IDS

Fulltext Preview (Small, Large)