10 citations found.
R. Sekar, Y. Cai, and M. Segal. A specification-based approach for building survivable systems. In Proceedings of National Information Systems Security Conference, Oct 1998.

This paper is cited in the following contexts:
Policy Specification for Non-Local Fault Tolerance in Large.. - Varner

.... in Network Flight Recorder [55], P-BEST used in SRI's EMERALD [36], RUSSEL used in ASAX [20], SNP-L [68], GASSATA [43], the language used in IDIOT [9, 34, 33], the language used in Bro [51], the language used in Snort [56, 62], parallel environment grammars [32], JIGSAW [67], REE [59, 60], and ASL [58]. Correlation languages describe the relations among separate events, possibly detected by a detection language, and attempt to reason abstract meaningful events from them. Examples of correlation languages are Honeywell's ARGUS [2], SRI's eBayes [69], STATL [13], SRI's P-BEST [36], MuSigs [35] ....

R. Sekar, Y. Cai, and M. Segal. A Specification-Based Approach for Building Survivable Systems. In Proc. 21st NIST-NCSC National Information Systems Security Conference, pages 338--347, 1998.


An Intrusion Tolerance Approach for Protecting Network.. - Cheung (1999)   (1 citation)

....in the operating environments. At the policy enforcement level, it is often difficult, if not impossible, to construct the set of enforced security policies given a set of attack signatures (as in misuse detection) or low level system call traces (as in specification based intrusion detection [31, 32, 61]). Moreover, it is difficult to determine if an existing security policy is enforced based on attack signatures and low level system call traces. The testing based methodology is a very useful means to evaluate intrusion detection systems. However, a more formal methodology is needed to complement ....

R. Sekar, Y. Cai, and M. Segal, "A Specification-Based Approach for Building Survivable Systems." Proc. 21st National Information Systems Security Conference, Arlington, Virginia, October 6-9, 1998.


Hardening COTS Software with Generic Software Wrappers - Fraser, Badger, Feldman (1999)   (59 citations)

....communicate over the network with cryptographic functionality. Still other efforts focus on adding instrumentation to COTS operating systems and server applications to support intrusion detection [17, 23, 20, 21, 11, 12, 22], maintain synthetic jail environments to contain intruders [9], or both [32]. Each of the efforts listed above provides a useful solution in its own problem domain, but is generally limited in scope to a single kind of security augmentation, be it access controls, authentication protocols, or intrusion detection. In order to provide security, developers seeking to ....

....proxies [1], Wietse Venema's TCP Wrappers [25], and the Janus project [15]. Several projects use (or propose to use) mechanisms which are similar to those employed in Generic Software Wrappers. Specifically, the use of system call interception proposed in Sekar's intrusion detection approach [32] is similar to our use of the same mechanism. Also, other intrusion detection efforts [16, 23] have included Petri net based mechanisms as state machines to keep track of events in series. We have employed the WDL sequence mechanism to accomplish the same task. While WDL sequences are not ....

R. Sekar, Y. Cai, and M. Segal. A Specification-Based Approach for Building Survivable Systems. In Proceedings of the 21st National Computer Security Conference, October 1998.


Learning Program Behavior Profiles for Intrusion Detection - Ghosh, Schwartzbard, Schatz (1999)   (31 citations)

....the three algorithms, we first present related work in program-based intrusion detection. 2 Analyzing Program Behavior for Anomaly Detection Analyzing program behavior profiles for intrusion detection has recently emerged as a viable alternative to user based approaches to intrusion detection (see [7, 21, 12, 5, 3, 6, 14] for other program based approaches). Program behavior profiles are built by capturing system calls made by the program under analysis under normal operational conditions. If the captured behavior represents a compact and adequate signature of normal behavior, then the profile can be used to ....

....of the program behavior could lead to a state explosion problem. In a similar vein as the work of [12] in creating finite state automata, a group from Iowa State is implementing a program based intrusion detection approach that analyzes system calls using state machine models of program behavior [21]. However, their approach is not concerned with detecting anomalies, as much as detecting violations of specified behavior. As a result, the approach of the Iowa State group requires the development of specification models for acceptable program behavior, where the work of [12, 14, 5, 6] used ....

R. Sekar, Y. Cai, and M. Segal. A specification-based approach for building survivable systems. In Proceedings of the 1998 National Information Systems Security Conference (NISSC'98), pages 338--347, October 1998.


One-way Isolation: An Effective Approach for.. - Sun, Liang, Sekar, .. (2005)   Self-citation (Sekar)

No context found.

R. Sekar, Y. Cai, and M. Segal. A specification-based approach for building survivable systems. In Proceedings of National Information Systems Security Conference, Oct 1998.


Isolated Program Execution: An Application Transparent .. - Liang.. (2003)   Self-citation (Sekar)

No context found.

R. Sekar, Y. Cai, and M. Segal. A specification-based approach for building survivable systems. In National Information Systems Security Conference, Oct 1998.


Isolated Program Execution: An Application Transparent .. - Liang.. (2003)   Self-citation (Sekar)

No context found.

R. Sekar, Y. Cai, and M. Segal. A specification-based approach for building survivable systems. In National Information Systems Security Conference, Oct 1998.


On Preventing Intrusions by Process Behavior Monitoring - Sekar, Bowen, Segal (1999)   (6 citations)  Self-citation (Sekar Segal)

....but infrequently exhibited behavior is observed. Thus, we can continue to retain the precision of misuse detection and can therefore initiate defensive actions as soon as any violations are detected. An overview of our specification based approach for improving survivability was presented in [Sekar98]. Our approach comprises a specification language, a compiler for the specification language, and a runtime execution environment. This paper provides a more in-depth treatment of our specification language, and outlines an approach for compiling the specifications into executable modules for ....

....deception depends upon enticing the attacker to use phony versions of the attacked service. The real service is no longer available at the DTK server, which contrasts with our approach, where standard server functionality is still present for legitimate uses. As compared to our earlier work in [Sekar98], this paper presents a significantly improved version of ASL. It also outlines an approach for compiling the high level specifications into finite state automata that perform efficient runtime monitoring of process behavior. Improvements to ASL described in this paper are as follows. We have ....

[Article contains additional citation context not shown here]

R. Sekar, Y. Cai and M. Segal, A Specification-Based Approach for Building Survivable Systems, 21st National Information Systems Security Conference.


Synthesizing Fast Intrusion Prevention/Detection Systems from .. - Sekar, Uppuluri (1999)   (18 citations)  Self-citation (Sekar)

....fast enough to be invoked on every system call. 1.1 Summary of Results In Section 2 we present a new and expressive language for capturing patterns of normal or abnormal behaviors of processes in terms of sequences of system calls and their arguments. As compared to the language described in [SCS98, SBS99], this paper focuses on a core language that we call regular expressions for events (REE). REEs extend regular expressions to model system calls that are characterized by a name as well as argument values. Response actions can be associated with patterns, and these will be launched automatically ....

R. Sekar, Y. Cai and M. Segal, A Specification-Based Approach for Building Survivable Systems, NISSC, October 1998.


Abstracting Security Specifications in Building Survivable.. - Jenny Li And (1999)   Self-citation (Segal)

.... Technologies (formerly Bellcore) 445 South Street, Morristown NJ 07960 6438 USA Email: jjli bellcore.com; Phone: 973)829 4753; Fax: 973)829 5981 Abstract We have designed a specification based intrusion detection and prevention infrastructure for building survivable information systems [1]. In that work, we specify security related behaviors declaratively in a high level language called Auditing Specification Language (ASL). This specification is then compiled into optimized programs for efficient detection and prevention of computer and network intrusions. Our method is efficient ....

R. Sekar, Y. Cai, and M. Segal, "A Specification-Based Approach for Building Survivable Systems", NISSC98, pp. 338-347.

CiteSeer.IST - Copyright Penn State and NEC