Integrating software specifications into intrusion detection

Abstract

There exist a number of Intrusion Detection Systems (IDSs) that detect computer attacks based on some defined attack scenarios. The attack scenarios or security requirements in some of these IDSs are specified in attack specification languages that are different from software specification languages. The use of two different languages for software specification and attack specification may generate redundant and conflicting requirements. The advantage of using the same language for both functional specifications and attacks specifications is that software designers can address the two different issues without learning two types of languages. We present a method of integrating Abstract State Machine Language (AsmL) and Unified Modeling Language (UML) state charts that are extended finite state machine based software specification languages, with an open source IDS Snort. This work provides AsmL and UML users an IDS that they can use without knowing how to write Snort rules. We automatically translate attack scenarios written in AsmL and UML state charts into Snort rules with context information. The original Snort is modified so that it can use the rules automatically generated by the translator. Adding context information to Snort rules improves the detection capability of Snort. To show the efficacy of the presented approach, we have built a prototype and evaluated it using a number of well-known attack scenarios.