ASL: A specification language for intrusion detection and network monitoring

Date
1998
Authors
Vankamamidi, Ravi Shankar
Advisor
Sekar, R. C.
Abstract
As more and more of our critical infrastructures, such as telecommunication, transportation, commerce and banking, are controlled by networks of computers, it is becoming increasingly important to secure these systems against coordinated attacks. Most such attacks are based on exploiting software errors on the target systems. Since it is infeasible to eliminate all software errors that lead to vulnerabilities, research efforts have focused on intrusion detection techniques that detect attempts to exploit these vulnerabilities. In contrast with previous research that focused on after-the-fact detection, our project aims to develop proactive techniques that can prevent intrusions before they occur, and/or automate responses so as to contain the damage due to such attacks. Our approach is based on high-level specifications of the security-related behaviors of processes and hosts; deviations from these specifications indicate intrusions. Assuming that the different components of the system to be protected are physically secure, the only mechanism for delivering attacks is the network packets arriving at the target host. Moreover, any damage to the system must occur either because of errors in the operating system kernel or as a result of the operating system calls made by application processes running on the system. We therefore characterize system behaviors in ASL in terms of the sequence of network packets received by the system and the operating-system calls (together with their arguments) made by processes on the system.

Our work in this thesis focuses on the following aspects of ASL design and implementation. We develop the interface definition component of ASL, which decouples the ASL implementation from the specifics of each interface (such as the system call interface or the network interface) from which our system may acquire data. In order to do this without compromising the robustness of the specification language, we develop a strong type system for the language. We implement the front-end of the ASL compiler, which includes the lexical analyzer, parser, type-checker and module instantiator. The front-end interfaces to the compiler back-end (not developed in this thesis), which translates these rules into C++ code that can be compiled and linked with a runtime system to produce an intrusion detection/response system.
Type
thesis