
STATL: An Attack Language for State-based Intrusion Detection (2000) [73 citations — 10 self]

by Steven T. Eckmann, Giovanni Vigna, Richard A. Kemmerer
Journal of Computer Security
http://www.cs.ucsb.edu/~vigna/pub/eckmann_vigna_kemmerer_statl.ps.gz

Abstract:

STATL is an extensible state/transition-based attack description language designed to support intrusion detection. The language allows one to describe computer penetrations as sequences of actions that an attacker performs to compromise a computer system. A STATL description of an attack scenario can be used by an intrusion detection system to analyze a stream of events and detect possible ongoing intrusions. Since intrusion detection is performed in different domains (i.e., the network or the hosts) and in different operating environments (e.g., Linux, Solaris, or Windows NT), it is important to have an extensible language that can be easily tailored to different target environments. STATL defines domain-independent features of attack scenarios and provides constructs for extending the language to describe attacks in particular domains and environments. The STATL language has been successfully used in describing both network-based and host-based attacks, and it has been tailored to very different environments, e.g., Sun Microsystems' Solaris and Microsoft's Windows NT. An implementation of the runtime support for the STATL language has been developed, and a toolset of intrusion detection systems based on STATL has been implemented. The toolset was used in a recent intrusion detection evaluation effort, delivering very favorable results. This paper presents the details of the STATL syntax and semantics. Real examples from both the host-based and network-based extensions of the language are also presented.

Citations

590 Transmission control protocol – Postel - 1981
348 BRO: A System for Detecting Network Intruders in Real Time – Paxson - 1998
189 State transition analysis: A rule-based intrusion detection approach – Ilgun, Kemmerer, et al. - 1995
110 Execution Monitoring of Security-critical Programs in Distributed Systems: A Specification-based Approach – Ko, Fink, et al. - 1997
107 Classification and Detection of Computer Intrusions – Kumar - 1995
100 The NIDES Statistical Component Description of Justification – Javitz, Valdes - 1994
98 USTAT - A Real-time Intrusion Detection System for UNIX – Ilgun - 1992
87 NetSTAT: A Network-based Intrusion Detection System – Vigna, Kemmerer - 1999
83 Intrusion detection message exchange format data model and extensible markup language (XML) document type definition – Curry, Debar
58 NetSTAT: A network-based intrusion detection approach – Vigna, Kemmerer - 1998
49 Implementing a generalized tool for network monitoring – Ranum, Landfield, et al. - 1997
39 Detecting Anomalous and Unknown Intrusions Against Programs – Ghosh, Wanken, et al. - 1998
38 Testing and Evaluating Computer Intrusion Detection Systems – Durst, Champion, et al. - 1999
35 Languages and Tools for Rule-Based Distributed Intrusion Detection – Mounji - 1997
30 STAT – A State Transition Analysis Tool for Intrusion Detection – Porras - 1992
30 A High-Performance Network Intrusion Detection System – Sekar, Guang, Shanbhag, et al. - 1999
28 The STAT tool suite – Vigna, Eckmann, et al.
20 Detecting Computer and Network Misuse with the Production-Based Expert System Toolset (P-BEST) – Lindqvist, Porras - 1999
17 A standard audit trail format – Bishop - 1995
13 Computer Security Threat Monitoring and – Anderson - 1980
13 NetRanger Intrusion Detection System – Cisco - 1999
13 Synthesizing Fast Intrusion Detection/Prevention Systems from High-Level Specifications – Sekar - 1999
12 Using the Basic Security Module – Installing - 1991
12 Web Consortium (W3C). Extensible – Wide - 2000
11 DARPA Intrusion Detection Evaluation, http://www.ll.mit.edu/IST/ideval/index.html – Laboratory, MIT - 1999
8 An approach to sensor correlation – Valdes, Skinner - 2000
7 Writing Snort Rules: How to write Snort rules and keep your sanity. http://www.snort.org – Roesch
6 The Nessus Attack Scripting Language Reference Guide – Deraison - 2000
4 A CISL Tutorial. http://www.gidos.org/tutorial.html – Common Intrusion Detection Framework Working Group - 2000
3 Addendum to "Testing and Evaluating Computer Intrusion Detection Systems" – Durst, Champion, et al. - 1999
2 STATL Definition – Eckmann, Vigna, et al. - 2000