Formal Specification of Intrusion Signatures and Detection Rules By Jean-Philippe Pouzol and Mireille Ducassé 15 th IEEE Computer Security Foundations

Formal Specification of Formal Specification of Intrusion Signatures and Intrusion Signatures and

Detection RulesDetection RulesBy Jean-Philippe Pouzol and Mireille DucassBy Jean-Philippe Pouzol and Mireille Ducasséé

1515thth IEEE Computer Security Foundations Workshop IEEE Computer Security Foundations Workshop20022002

Presented by Brian KelloggPresented by Brian Kellogg

CSE914: Formal Methods for Software DevelopmentCSE914: Formal Methods for Software DevelopmentMichigan State UniversityMichigan State University

Introduction to Misuse Intrusion Introduction to Misuse Intrusion Detection Systems (IDS)Detection Systems (IDS)

Two categoriesTwo categories Single event IDSSingle event IDS

Each event is compared with each known signatureEach event is compared with each known signature Specifying signatures simpleSpecifying signatures simple

Multi-event IDSMulti-event IDS Do not have a uniform abstract algorithm because they Do not have a uniform abstract algorithm because they

do not propose the same operators to combine eventsdo not propose the same operators to combine events Can be further split in to two categories (next slide)Can be further split in to two categories (next slide)

Multi-event IDS CategoriesMulti-event IDS Categories Transition basedTransition based

WhatWhat are the significant traces of attacks is hidden by are the significant traces of attacks is hidden by howhow they should be detectedthey should be detected

Very tricky to write signaturesVery tricky to write signatures DeclarativeDeclarative

Signatures only contain Signatures only contain what what are the significant traces of are the significant traces of attacksattacks

How How they are detected is addressed by an alogorithmthey are detected is addressed by an alogorithm Easier to write signaturesEasier to write signatures Problem: algorithm is a black box an detects all instances Problem: algorithm is a black box an detects all instances

of an attack, allowing attackers to choke the IDS by of an attack, allowing attackers to choke the IDS by launching many incomplete instances of an attacklaunching many incomplete instances of an attack

Focus of PaperFocus of Paper

Refine the declarative approachRefine the declarative approach Formally specify the algorithm in two stagesFormally specify the algorithm in two stages

Classify the signature instancesClassify the signature instances Give a set of detection rules which detects in an audit trail a Give a set of detection rules which detects in an audit trail a

representative of each classrepresentative of each class Rules are formally specified using a “parsing schemata”Rules are formally specified using a “parsing schemata” Algorithm defined by the rules are proved sound and Algorithm defined by the rules are proved sound and

completecomplete What What and the and the how how still separated, but security officer can still separated, but security officer can

parameterize the detection by choosing a class for each parameterize the detection by choosing a class for each signaturesignature

Contribution of PaperContribution of Paper

Two main contributionsTwo main contributions Less instances of signatures are trackedLess instances of signatures are tracked

More resistant to choking attacksMore resistant to choking attacks

Detection algorithm is specified in a high level Detection algorithm is specified in a high level formal wayformal way

Easy to understand and reason aboutEasy to understand and reason about Essential operation features are made explicitEssential operation features are made explicit

Specification of SignaturesSpecification of Signatures

Intrusion signatures describe combinations of Intrusion signatures describe combinations of eventsevents

A A filterfilter is a signature on one event is a signature on one event

Complex signatures can be focused on two Complex signatures can be focused on two waysways SequenceSequence ConjunctionConjunction


Definition 1 (Event): An Definition 1 (Event): An event is a collection of event is a collection of values identified by values identified by field names. We field names. We represent an event as a represent an event as a set of pairs (field_name, set of pairs (field_name, value). We assume that value). We assume that in an event, a field name in an event, a field name belongs to one pair.belongs to one pair.


Definition 2 (Trail): A trail is a totally ordered Definition 2 (Trail): A trail is a totally ordered sequence of events. Given a trail T, we note sequence of events. Given a trail T, we note T[i] the iT[i] the ith th event in the trail.event in the trail.


Definition 3 (Filter): A filter Definition 3 (Filter): A filter is a set of constraints is a set of constraints between event field names, between event field names, constant values and variable constant values and variable names. In this paper, we names. In this paper, we consider that constraints consider that constraints involving variable names involving variable names can only be equality can only be equality constraints.constraints.


Definition 4 (Signatures): A signature is defined by a Definition 4 (Signatures): A signature is defined by a 5-tuple (V, F, N5-tuple (V, F, NTT, S, P) , S, P) V is a set of variables V is a set of variables F is a set of filters that use variables in V, F is a set of filters that use variables in V, NNTT, is a set of non-terminal elements , is a set of non-terminal elements SSNNT T is the axiom, is the axiom, P is a set of production rules NP is a set of production rules NTTProd, where pProd, where pProd can Prod can

be:be: Filter(f) where fFilter(f) where fFF Seq(A,B) where (A,B)Seq(A,B) where (A,B) N NTTx Nx NTT

And(A,B) where (A,B)And(A,B) where (A,B) N NTTx Nx NTT

Specification of SignatureSpecification of Signature

Example of SignatureExample of Signature

Semantics of SignatureSemantics of Signature A A concrete instanceconcrete instance of a signature is a collection of of a signature is a collection of

events thatevents that Fulfill the constraints in filtersFulfill the constraints in filters With respect to the correlation specified by the logical With respect to the correlation specified by the logical

variablesvariables And are in a correct order according to temporal constraintsAnd are in a correct order according to temporal constraints

This is denoted {pThis is denoted {p11,…,p,…,pnn} where p} where pii are positions in are positions in the trailthe trail

Proposed semantics:Proposed semantics: ((ΘΘ, i, j) where , i, j) where ΘΘ is a signature valuation, i is the position of is a signature valuation, i is the position of

the first event of the instances, and j is the position of the the first event of the instances, and j is the position of the last event of the instancelast event of the instance

Semantics of SignaturesSemantics of Signatures(Signature Constraints)(Signature Constraints)

Definition 5 (Signature Definition 5 (Signature constraints): A constraints): A signature signature constraintconstraint is a set of is a set of constraints that force some constraints that force some properties on the possible properties on the possible values of the variables used values of the variables used in a signature. Can not in a signature. Can not contain reference to a field contain reference to a field name.name.

Semantics of SignaturesSemantics of Signatures(Signature Valuation)(Signature Valuation)

Definition 6 (Signature Definition 6 (Signature valuation): A signature valuation): A signature constraint is said to be a constraint is said to be a signature valuationsignature valuation if it if it forces a unique value forces a unique value for each variable that for each variable that appears in the signature.appears in the signature.

Semantics of SignaturesSemantics of Signatures(Event Matching)(Event Matching)

Definition 7 (Event Matching): Definition 7 (Event Matching): We define the predicate match(E, F, We define the predicate match(E, F, ΘΘ) where E is ) where E is

an event, F is a filter, and an event, F is a filter, and ΘΘ is a valuation of F is a valuation of F This predicate holds iff the constraint set (FThis predicate holds iff the constraint set (FEEUUΘΘ) )

admits at least one solution admits at least one solution It does not hold if an event field name used in F is It does not hold if an event field name used in F is

not present in Enot present in E

Semantics of SignatureSemantics of Signature

Semantics of the Semantics of the language given by language given by means of the relation means of the relation ‡. Given a signature ‡. Given a signature S, a trail T, and an S, a trail T, and an abstract instance abstract instance I=(I=(ΘΘ, i, j), I is an , i, j), I is an instance of S in T iff instance of S in T iff T, T, ΘΘ,I ,j ‡ S.,I ,j ‡ S.

Specification of Signature InstancesSpecification of Signature Instances

Many approaches to ID strive to be both sound and Many approaches to ID strive to be both sound and completecomplete

Authors argue that completeness is not necessary and Authors argue that completeness is not necessary and is sometimes a drawbackis sometimes a drawback

Authors propose an approach to specify what Authors propose an approach to specify what instances are relevant for detectioninstances are relevant for detection Specifications are expressed as equivalence relations Specifications are expressed as equivalence relations

between instances of each signaturebetween instances of each signature Once classified, the IDS can report only a particular Once classified, the IDS can report only a particular

instance of each classinstance of each class


Given a signature, Given a signature, equivalence relation is equivalence relation is specified by choosing an specified by choosing an element in the lattice of all element in the lattice of all the subsets of variable of the the subsets of variable of the signaturesignature

Two instances are Two instances are equivalent if they contain equivalent if they contain the same values for the the same values for the variables in this subsetvariables in this subset


Each element e in this lattice corresponds to an equivalence R(e) between instancesEach element e in this lattice corresponds to an equivalence R(e) between instances


Two motivations:Two motivations: Want to be able to prune search paths on the flyWant to be able to prune search paths on the fly Don’t want to miss relevant instancesDon’t want to miss relevant instances


After instances are classified, must decide which instance to After instances are classified, must decide which instance to report to the IDSreport to the IDS

Three strategies (Chakravarthy et al.):Three strategies (Chakravarthy et al.): Report the instance that starts first and ends firstReport the instance that starts first and ends first Report the one that starts last among all the ones that end firstReport the one that starts last among all the ones that end first Report the shortest instance for each event that starts an instanceReport the shortest instance for each event that starts an instance

This paper selected the first strategy:This paper selected the first strategy: Finding the instance that ends first is required for analyzing an infinite Finding the instance that ends first is required for analyzing an infinite

trailtrail Easier to constrain further search as opposed to canceling previous Easier to constrain further search as opposed to canceling previous

resultsresults

First StrategyFirst Strategy

The predicate First is define asThe predicate First is define as First(S, First(S, ρρ, T, , T, αα, (i, j, , (i, j, ΘΘ))

S is a signatureS is a signature ρρ is an equivalence relation between instances of S is an equivalence relation between instances of S T is a trailT is a trail αα is a position in T is a position in T (i, j, (i, j, ΘΘ) is an instance in S) is an instance in S

Given an instance I = (Given an instance I = (ΘΘ, i, j) with , i, j) with αα ≤ I, this predicate ≤ I, this predicate holds iff, among all instances equivalent to I according to holds iff, among all instances equivalent to I according to ρρ that start after that start after αα, I is the one that starts first and ends first, I is the one that starts first and ends first

First AlgorithmFirst Algorithm

Implements the First strategyImplements the First strategy Described with a formalism called Described with a formalism called parsing schemataparsing schemata

Specifies algorithms using a set of deduction rulesSpecifies algorithms using a set of deduction rules Gives a formal framework to describe and prove propertiesGives a formal framework to describe and prove properties Modular description (i.e. one does need to know the whole Modular description (i.e. one does need to know the whole

specification to understand how a particular construct is specification to understand how a particular construct is searched for in the language)searched for in the language)

Parsing SchemataParsing Schemata

Parsing algorithm is described as set of Parsing algorithm is described as set of deduction stepsdeduction steps Hypothesis and conclusion of these steps are called Hypothesis and conclusion of these steps are called

parsing itemsparsing items Parsing items Parsing items are partial or complete parsing treesare partial or complete parsing trees

Deduction starts with an item representing an Deduction starts with an item representing an empty parsing treeempty parsing tree

Deduction ends when an item representing a Deduction ends when an item representing a complete parsing tree of the axiom grammar is complete parsing tree of the axiom grammar is producedproduced

Parsing Schemata Parsing Schemata (Defining the Domain of Items)(Defining the Domain of Items)

Uses the form:Uses the form: [i, [i, α●βα●β, j], j]ΘΘ

(i, j) are positions in the trail(i, j) are positions in the trail α●βα●β is the right hand side of a grammar production where a is the right hand side of a grammar production where a●● has been has been

insertedinserted ΘΘ is a signature constraint is a signature constraint

Description of First AlgorithmDescription of First Algorithm

Assumptions on specifications:Assumptions on specifications: Signatures that use the [] notation have to be Signatures that use the [] notation have to be

expandedexpanded Non-terminal elements can be used only once in all Non-terminal elements can be used only once in all

grammar rulesgrammar rules All filters must be labeled with the equivalence All filters must be labeled with the equivalence

relation associated to the signature (Ex. Filterrelation associated to the signature (Ex. Filterρρ(F) (F)

where where ρρ is an equivalence relation) is an equivalence relation)

Operators (Propag)Operators (Propag)

Propag operator unifies the variables in the signature Propag operator unifies the variables in the signature constraint with the values of an event (Definition 8)constraint with the values of an event (Definition 8) Denoted as Propag(E, F, Denoted as Propag(E, F, ΘΘ))

E is an eventE is an event F is a filterF is a filter ΘΘ is a signature constraint is a signature constraint

This constraint is obtained by:This constraint is obtained by: Copying F in to F’ and removing all constraints with no variable in Copying F in to F’ and removing all constraints with no variable in

F’F’ Substituting all field names if F’ according to ESubstituting all field names if F’ according to E Making the union of F’ and Making the union of F’ and ΘΘ

Operators (Restrict)Operators (Restrict)

The Restrict operator creates a new constraint which The Restrict operator creates a new constraint which causes some paths in the search to be pruned causes some paths in the search to be pruned (Definition 9)(Definition 9) Denoted as Restrict(Denoted as Restrict(ρρ, , ΘΘ))

ΘΘ is a valuation of a given signature S is a valuation of a given signature S ΡΡ is an equivalence relation is an equivalence relation Defined as:Defined as:

Operators (Constraint Comparison)Operators (Constraint Comparison)

≥≥s compares signature constraintss compares signature constraints Given a signature S and two signature constraints Given a signature S and two signature constraints ΘΘ1 1 and and ΘΘ2 2

ΘΘ1 1 ≥s ≥s ΘΘ2 2 iff the set of possible values for each element of iff the set of possible values for each element of

Var(S) described by Var(S) described by ΘΘ1 1 includes the one described by includes the one described by ΘΘ2 2

Deduction Rules for FiltersDeduction Rules for Filters Rule FilterRule Filter11 specifies that if event T[i] cannot be used to match the filter, specifies that if event T[i] cannot be used to match the filter,

then the algorithm goes one step forward in the trailthen the algorithm goes one step forward in the trail

Rule FilterRule Filter22 handles the other case. The first item memorizes an instance of handles the other case. The first item memorizes an instance of F is found in position i. Propag takes in to account that some variables can F is found in position i. Propag takes in to account that some variables can be instantiated here. The second item starts the search for a new instance be instantiated here. The second item starts the search for a new instance of F in the remaining part of trail. Can be more constrained than the one of F in the remaining part of trail. Can be more constrained than the one that produced this item according to the result provided by Restrict. that produced this item according to the result provided by Restrict.

Deduction Rules for SequenceDeduction Rules for Sequence

Rule SeqRule Seq1 1 starts the search for the first part of the starts the search for the first part of the

sequencesequence Rule SeqRule Seq2 2 shows that once an instance of the first part shows that once an instance of the first part

is found, that item is replaced to find the next item. is found, that item is replaced to find the next item. The second item added starts the search for BThe second item added starts the search for B

Deduction Rules for SequenceDeduction Rules for Sequence

Rule SeqRule Seq3 3 triggers once B is found triggers once B is found Checks that B is found after A (j Checks that B is found after A (j ≤ k)≤ k) The constraint of the second part must refine The constraint of the second part must refine

the constraint of the first part the constraint of the first part Does not remove first item, because it may be needed laterDoes not remove first item, because it may be needed later Second item added showing that it found an instance of Second item added showing that it found an instance of

Seq(AB)Seq(AB)

Deduction Rules for ConjunctionDeduction Rules for Conjunction

Rule AndRule And1 1 starts the search of both parts of the starts the search of both parts of the conjunctionconjunction

Rule AndRule And2 2 states that when two parts of a conjunction states that when two parts of a conjunction are found, if their respective constraints are are found, if their respective constraints are compatible, then a new item is created to notify that compatible, then a new item is created to notify that an instance of the conjunction is foundan instance of the conjunction is found

ConclusionConclusion Described how to specify signatures with sequences and Described how to specify signatures with sequences and

conjunctions of events correlated with logical variablesconjunctions of events correlated with logical variables

Presented a declarative semantics to these signaturesPresented a declarative semantics to these signatures

Introduced signature instance classes based on the valuation of Introduced signature instance classes based on the valuation of variables of interestvariables of interest

Given a formal description of a detection algorithmGiven a formal description of a detection algorithm

Parsing schemata makes it easy to understand and reason Parsing schemata makes it easy to understand and reason about while essential features are made explicitabout while essential features are made explicit

Documents

Formal Specification of Intrusion Signatures and Detection Rules By Jean-Philippe Pouzol and Mireille Ducassé 15 th IEEE Computer Security Foundations