Exploring Specification-Based IDS
We will investigate formal mathematical approaches to specifying security requirements in the early stages of software development, where security issues are usually not well addressed, in part because formal security specifications are hard to integrate with abstract models of the software, and how these specifications might be used for automated intrusion detection. Our approach assumes that an intrusion changes the behavioral profile of a host or network. To detect intrusions in a target system, a monitor must know what "normal" system behavior looks like; the IDS acquires this knowledge from the behavioral specification of the target system. The behavior of the monitored system under known attacks can be specified in the same way. Based on the events observed on the monitored host or network, the IDS interprets the specification and reports intrusive activity. As with any anomaly-detection approach, some legitimate but unusual behavior may be labeled as an intrusion; behavior flagged in this way is therefore verified against the specification of the target system under attack to determine whether an intrusion has actually occurred.
Currently available specification languages are not entirely suitable for specifying the security-related aspects of network behavior. We will investigate the standardized formal specification languages used in industry and extend them, where needed, to express security-related features of the target system. The selected specification mechanism will be used to specify both (1) the normal operational behavior of the target and (2) the behavior of the target under known attacks. Since a behavioral specification alone may not suffice to detect all suspicious activity on the target system, it may be supplemented by a specification of statistical properties of the system, its users or intruders, and statistical analysis may be used to detect additional intrusions. This sub-project builds on earlier research [1].
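The detection flow described in the two paragraphs above (interpret a behavioral specification over observed events, verify deviations against specifications of known attacks, and supplement both with a statistical check) can be made concrete with a small executable sketch. The following is an added example written for this page; it is not code from the project or from the cited AsmL work. The login/command protocol, its event names, the "pre-authentication command" attack pattern, the brute-force threshold and the event trace are all assumptions constructed for illustration.

```python
"""Toy specification-based IDS.

A behavioural specification of a small login/command protocol is interpreted
over an event trace; events that deviate from it are verified against
specifications of the system under known attacks, and a statistical check
supplements both. The protocol, event names, attack patterns and thresholds
are assumptions made for this example, not taken from any real system."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# (1) Normal behaviour: an abstract state machine per session, written as a
# transition table (state, event) -> next state. Any pair not listed is a
# deviation from the specified behaviour.
NORMAL_SPEC = {
    ("INIT", "CONNECT"): "CONNECTED",
    ("CONNECTED", "AUTH_FAIL"): "CONNECTED",
    ("CONNECTED", "AUTH_OK"): "AUTHED",
    ("AUTHED", "CMD"): "AUTHED",
    ("AUTHED", "QUIT"): "CLOSED",
}

# (2) Behaviour under known attacks: predicates over the state the session was
# in and the deviating event. A deviation matching none of them is reported
# as an unclassified anomaly rather than as a named intrusion.
ATTACK_SPECS = {
    # hypothetical attack: a command issued before authentication succeeded
    "pre_auth_command": lambda state, event: state == "CONNECTED" and event == "CMD",
}

# (3) Statistical supplement: checks over per-session event counts, fired once
# when a count first crosses its threshold (the threshold is an assumption).
BRUTE_FORCE_LIMIT = 3
STAT_CHECKS = {
    "brute_force": lambda stats: stats["AUTH_FAIL"] == BRUTE_FORCE_LIMIT + 1,
}


@dataclass
class Session:
    state: str = "INIT"
    stats: Counter = field(default_factory=Counter)


def monitor(trace, normal_spec=NORMAL_SPEC, attack_specs=ATTACK_SPECS,
            stat_checks=STAT_CHECKS):
    """Interpret the specifications over observed (session_id, event) pairs.

    Returns (session_id, event, label) triples, where label names the matching
    attack or statistical specification, or is 'anomaly' for a deviation from
    the normal specification that matches no known attack."""
    sessions = defaultdict(Session)
    alerts = []
    for sid, event in trace:
        s = sessions[sid]
        s.stats[event] += 1
        nxt = normal_spec.get((s.state, event))
        if nxt is None:
            # Deviation from normal behaviour: verify it against the attack
            # specifications before deciding how to report it.
            label = next((name for name, pred in attack_specs.items()
                          if pred(s.state, event)), "anomaly")
            alerts.append((sid, event, label))
            # The spec defines no successor state, so the session stays put.
        else:
            s.state = nxt
        # Statistical checks run on every event, including specified ones.
        alerts.extend((sid, event, name) for name, check in stat_checks.items()
                      if check(s.stats))
    return alerts


# Constructed trace (not captured from any real system): one normal session,
# one pre-authentication command, one brute-force attempt, and one unexplained
# deviation (a command on a session that never connected).
SAMPLE_TRACE = [
    ("s1", "CONNECT"), ("s1", "AUTH_OK"), ("s1", "CMD"), ("s1", "QUIT"),
    ("s2", "CONNECT"), ("s2", "CMD"),
    ("s3", "CONNECT"), ("s3", "AUTH_FAIL"), ("s3", "AUTH_FAIL"),
    ("s3", "AUTH_FAIL"), ("s3", "AUTH_FAIL"),
    ("s4", "CMD"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRACE):
        print(alert)
```

Running the sample trace yields one alert per anomalous session: `s2` is labeled with the named attack because its deviation matches an attack specification, `s3` is caught only by the statistical check (each individual failed login is permitted by the normal specification), and `s4` is reported as a plain anomaly because its deviation matches no known attack. In a real deployment the transition table would be generated from the formal specification rather than written by hand, which is exactly the role the project envisions for the specification language.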
1. Q. Zhang and M. Zulkernine, "Applying AsmL Specification for Automatic Intrusion Detection," Proc. Workshop on Specification and Automated Processing of Security Requirements (SAPS '04), within the 19th IEEE International Conference on Automated Software Engineering, Linz, Austria, Sept. 2004, pp. 221-233.