Model-driven, network-context sensitive intrusion detection

Frederic Massicotte; Mathieu Couture; Lionel Briand; Yvan Labiche

doi:10.1007/978-3-540-75209-7_5

Model-driven, network-context sensitive intrusion detection

Frederic Massicotte, Mathieu Couture, Lionel Briand, Yvan Labiche

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.

Original language	English
Title of host publication	Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings
Publisher	Springer Verlag
Pages	61-75
Number of pages	15
ISBN (Print)	9783540752080
DOIs	https://doi.org/10.1007/978-3-540-75209-7_5
Publication status	Published - 2007
Externally published	Yes
Event	10th International Conference on Model Driven Engineering Languages and Systems, MODELS 2007 - Nashville, TN, United States Duration: 30 Sep 2007 → 5 Oct 2007

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4735 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	10th International Conference on Model Driven Engineering Languages and Systems, MODELS 2007
Country/Territory	United States
City	Nashville, TN
Period	30/09/07 → 5/10/07

Keywords

Intrusion detection
OCL constraints
UML modeling

Access to Document

10.1007/978-3-540-75209-7_5

Cite this

Massicotte, F., Couture, M., Briand, L., & Labiche, Y. (2007). Model-driven, network-context sensitive intrusion detection. In Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings (pp. 61-75). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4735 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-540-75209-7_5

Massicotte, Frederic ; Couture, Mathieu ; Briand, Lionel et al. / Model-driven, network-context sensitive intrusion detection. Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings. Springer Verlag, 2007. pp. 61-75 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{890643e61dad4c31b9c4fba44a9abec3,

title = "Model-driven, network-context sensitive intrusion detection",

abstract = "Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.",

keywords = "Intrusion detection, OCL constraints, UML modeling",

author = "Frederic Massicotte and Mathieu Couture and Lionel Briand and Yvan Labiche",

year = "2007",

doi = "10.1007/978-3-540-75209-7_5",

language = "English",

isbn = "9783540752080",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "61--75",

booktitle = "Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings",

note = "10th International Conference on Model Driven Engineering Languages and Systems, MODELS 2007 ; Conference date: 30-09-2007 Through 05-10-2007",

}

Massicotte, F, Couture, M, Briand, L & Labiche, Y 2007, Model-driven, network-context sensitive intrusion detection. in Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4735 LNCS, Springer Verlag, pp. 61-75, 10th International Conference on Model Driven Engineering Languages and Systems, MODELS 2007, Nashville, TN, United States, 30/09/07. https://doi.org/10.1007/978-3-540-75209-7_5

Model-driven, network-context sensitive intrusion detection. / Massicotte, Frederic; Couture, Mathieu; Briand, Lionel et al.
Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings. Springer Verlag, 2007. p. 61-75 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4735 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Model-driven, network-context sensitive intrusion detection

AU - Massicotte, Frederic

AU - Couture, Mathieu

AU - Briand, Lionel

AU - Labiche, Yvan

PY - 2007

Y1 - 2007

N2 - Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.

AB - Intrusion Detection Systems (IDSs) have the reputation of generating many false positives. Recent approaches, known as stateful IDSs, take the state of communication sessions into account to address this issue. A substantial reduction of false positives, however, requires some correlation between the state of the session, known vulnerabilities, and the gathering of more network context information by the IDS than what is currently done (e.g., configuration of a node, its operating system, running applications). In this paper we present an IDS approach that attempts to decrease the number of false positives by collecting more network context and combining this information with known vulnerabilities. The approach is model-driven as it relies on the modeling of packet and network information as UML class diagrams, and the definition of intrusion detection rules as OCL expressions constraining these diagrams. The approach is evaluated using real attacks on real systems, and appears to be promising.

KW - Intrusion detection

KW - OCL constraints

KW - UML modeling

UR - http://www.scopus.com/inward/record.url?scp=38049070220&partnerID=8YFLogxK

U2 - 10.1007/978-3-540-75209-7_5

DO - 10.1007/978-3-540-75209-7_5

M3 - Conference contribution

AN - SCOPUS:38049070220

SN - 9783540752080

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 61

EP - 75

BT - Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings

PB - Springer Verlag

T2 - 10th International Conference on Model Driven Engineering Languages and Systems, MODELS 2007

Y2 - 30 September 2007 through 5 October 2007

ER -

Massicotte F, Couture M, Briand L, Labiche Y. Model-driven, network-context sensitive intrusion detection. In Model Driven Engineering Languages and Systems - 10th International Conference, MODELS 2007, Proceedings. Springer Verlag. 2007. p. 61-75. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-75209-7_5

Model-driven, network-context sensitive intrusion detection

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this