5.3 The Proposed System
5.3.3 The Benefits of the Proposed System
Chapter 5. Temporal Stream Intrusion Detection System (TeStID) 53
• It provides a concise and unambiguous way to write attack specifications or protocol specifications formally (details in Chapters 5 and 8).
• It is extensible: to handle a new attack, all that is needed is to add the attack's formula to the formulae files and run the translator again.
• It is scalable.
• The experimental results in Chapter 7 show that it is a promising solution, even though we used a development version of the StreamBase engine; the server deployment engine provides much higher execution speed.
5.4 Summary
This chapter presented the proposed system TeStID. In building the proposed system in this research we use Many Sorted First Order Metric Temporal Logic (MSFOMTL). The syntax and semantics of this logic were given. MSFOMTL is very expressive and allows the specification of complex temporal patterns of events in a concise and unambiguous way. We presented several syntactic attack patterns and showed how to use them to represent some known attacks. This chapter also presented the TeStID system architecture, described the tools and utilities used for the development, and highlighted the benefits of the proposed system.
The next chapter provides some background on using temporal logic to query databases. It also presents the mappings of the MSFOMTL syntactic forms defined for attack patterns into SSQL, the correctness of the approach, and the translation process.
Chapter 6
Temporal Logic to Stream Queries
In Chapter 5 we proposed the use of Many Sorted First Order Metric Temporal Logic (MSFOMTL) to specify complex temporal patterns of events. We also presented several syntactic attack patterns, using a fragment of the proposed logic, which are sufficient to express many known attacks. In Chapter 4 we introduced stream data processing and its features for handling complex streams of events through in-memory processing of stream queries. Specific details about StreamBase were given, as we selected it as the stream processing engine on which to develop TeStID.
In this chapter we present how to map and translate the temporal logic formulae into SSQL. The outcome of the translation is efficient stream queries that implement the temporal patterns defined in MSFOMTL. The translations here cover the misuse-based detection part of TeStID; the anomaly-based detection part is covered in Chapter 8.
Section 6.1 provides a historical background on using temporal logic to query databases. In Section 6.2 we explain the view of time in temporal logic and in temporal databases. Section 6.3 covers the mapping of MSFOMTL into SSQL. The correctness of this approach is given in Section 6.4. The details of how the translator is built are given in Section 6.5. Finally, a summary is presented in Section 6.6.
6.1 Background
Time is an important aspect of the real world. Events occur at specific points in time, and time is used to relate their occurrences. Thus, modelling the temporal aspect of the real world is very important in real-time computer systems. These temporal events are stored in temporal databases. Temporal databases hold all the information required by applications in which the timing properties are an essential part of the processing. Early research started more than 30 years ago, and temporal logic was seen as the natural choice for querying temporal databases [14, 75, 86]. This research mainly took three directions. In the first direction, the research concentrated on extending the existing SQL language with temporal handling capabilities [63, 81]; these researchers believed, and tried to show, that extending the capabilities of the well-known SQL language is sufficient to express temporal processing requirements. The researchers in the second direction believed in developing a temporal logic-based high-level query language for temporal specification and reasoning. This approach attempted to take full advantage of the mathematical and temporal expressiveness of the logic to build an optimized system [29, 104]. The third direction lies between the two directions mentioned earlier. In this approach, high-level temporal queries written by the user are translated into temporal SQL. The work of Chomicki et al. [14] is the earliest work in this direction; in it, temporal logic formulae were translated into a subset of ATSQL, a temporal extension of SQL-92. The advantage of this approach is that it provides the user with a high-level abstraction for writing queries against the temporal database. In practice, these queries are translated into the equivalent ATSQL and then executed.
In temporal databases there are different time aspects that could be used. These are valid time, transaction time, and bitemporal time (the temporal database contains both the valid time and the transaction time). These times were initially defined in the work of Snodgrass and Ilsoo [86]. The valid time is defined as the time period during which the data is considered true with respect to the real world. The transaction time is the time at which the database fact is/was stored. For instance, in a student registration database, a student (e.g., Abdul) is registered to study from 24/09/2011 until 24/09/2012; this reflects the valid time of the student registration data. This student registration data is entered into the database on 01/09/2011, which is the start of the transaction time. Both the valid time and the transaction time have a start time and an end time. If the end time of the valid time is unknown, it is filled with infinity (∞) in the database. The end time of the transaction time can also be infinite, which means that no record supersedes the current record. Obviously, the data manipulation requirements of the application with respect to time determine the choice of the timing that will be used.
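The following is an added example (not code from the thesis) that makes the two time dimensions above concrete: a small in-memory bitemporal table in Python in which every row carries a valid-time interval and a transaction-time interval, an open end is represented by an "infinity" sentinel, and a new fact supersedes the current one by closing its transaction interval rather than deleting it. The student registration dates are those given in the text; the later amendment on 15/10/2011 and the `BitemporalTable`, `record`, `as_of` and `registered_on` names are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, datetime
from typing import List, Optional

# Stands in for the "infinity" (∞) end time the text describes.
INF = date.max


def d(text: str) -> date:
    """Parse the dd/mm/yyyy form used in the thesis text."""
    return datetime.strptime(text, "%d/%m/%Y").date()


@dataclass(frozen=True)
class BitemporalRow:
    student: str
    valid_from: date   # valid time: when the fact holds in the real world
    valid_to: date     # INF if the end of validity is unknown
    tx_from: date      # transaction time: when the database started holding this fact
    tx_to: date        # INF while no later record supersedes this one


class BitemporalTable:
    """Append-only bitemporal table (hypothetical helper, not from the thesis)."""

    def __init__(self) -> None:
        self.rows: List[BitemporalRow] = []

    def current_row(self, student: str) -> Optional[BitemporalRow]:
        # The current record is the one whose transaction end is still infinite.
        for r in self.rows:
            if r.student == student and r.tx_to == INF:
                return r
        return None

    def record(self, student: str, valid_from: date, valid_to: date, tx_time: date) -> None:
        # A new fact supersedes the current one: the old row's transaction interval
        # is closed at tx_time, never deleted, so what the database believed earlier
        # remains reconstructible.
        old = self.current_row(student)
        if old is not None:
            self.rows.remove(old)
            self.rows.append(replace(old, tx_to=tx_time))
        self.rows.append(BitemporalRow(student, valid_from, valid_to, tx_time, INF))

    def as_of(self, tx_time: date) -> List[BitemporalRow]:
        # Rows the database held at tx_time (half-open intervals: tx_from <= t < tx_to).
        return [r for r in self.rows if r.tx_from <= tx_time < r.tx_to]

    def registered_on(self, student: str, day: date, tx_time: date) -> bool:
        # Was `student` registered on `day`, according to what the database knew at tx_time?
        return any(
            r.student == student and r.valid_from <= day < r.valid_to
            for r in self.as_of(tx_time)
        )


def demo() -> BitemporalTable:
    t = BitemporalTable()
    # From the text: Abdul is registered 24/09/2011 until 24/09/2012, entered on 01/09/2011.
    t.record("Abdul", d("24/09/2011"), d("24/09/2012"), tx_time=d("01/09/2011"))
    # Constructed follow-up: on 15/10/2011 the registration is extended to 24/12/2012,
    # superseding the first record.
    t.record("Abdul", d("24/09/2011"), d("24/12/2012"), tx_time=d("15/10/2011"))
    return t


if __name__ == "__main__":
    table = demo()
    for row in table.rows:
        print(row)
    print(table.registered_on("Abdul", d("01/11/2012"), tx_time=d("10/09/2011")))  # False
    print(table.registered_on("Abdul", d("01/11/2012"), tx_time=d("01/01/2012")))  # True
```

The two `registered_on` calls ask the same valid-time question ("was Abdul registered on 01/11/2012?") at two transaction times and get different answers, which is exactly the distinction between valid time and transaction time the text draws.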
Stream databases involve a move from static data to data streams. Unlike conventional and temporal databases, they are characterized by the requirement of continuous processing over flows of data (i.e., streams). The data model is transient (stored in memory) rather than persistent (stored in database files). Queries are continuously evaluated as the data flows, and the data is potentially unbounded. When data items arrive, they can be processed with stream SQL queries; they are ordered implicitly by their arrival time or explicitly by time stamps. These time stamps are allocated or mapped to each arriving tuple. Chapter 4 of this thesis presented more historical and detailed information about stream management systems.
As presented in Section 5.3, in the proposed system the MSFOMTL formulae will be mapped into SSQL, which is the language that can run directly on the StreamBase server. This mapping will be used to develop the translator. The rest of this chapter presents the translation process in detail.
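As an added example (not code from the thesis, and not StreamBase SSQL), the following Python sketch shows what "continuous evaluation over an unbounded, time-stamped stream with transient state" means in practice: a sliding-window query that, per source, counts occurrences of one event type in the last `window` seconds and emits an output tuple whenever the count reaches `threshold`. The query holds only per-source timestamps in memory and drops any that fall outside the window as each tuple arrives. The `SlidingWindowCount` class, the `(timestamp, src, event)` tuple layout and the sample stream of login events are constructed assumptions for the illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

# Stream tuple layout assumed for this example: (timestamp in seconds, source, event name).
Event = Tuple[float, str, str]
Output = Tuple[float, str, int]


class SlidingWindowCount:
    """Continuous query (hypothetical helper): for each source, count `event`
    tuples whose timestamps fall within the last `window` seconds, and emit
    (ts, src, count) on every input tuple at which count >= threshold.
    All state is transient and lives in memory, as in a stream engine."""

    def __init__(self, event: str, window: float, threshold: int) -> None:
        self.event = event
        self.window = window
        self.threshold = threshold
        # Per-source timestamps currently inside the window, oldest first.
        self.state: Dict[str, Deque[float]] = defaultdict(deque)

    def process(self, t: Event) -> List[Output]:
        """Consume one tuple; return zero or one output tuples."""
        ts, src, ev = t
        if ev != self.event:
            return []
        q = self.state[src]
        q.append(ts)
        # Evict timestamps that have slid out of the window (ts - window, ts].
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            return [(ts, src, len(q))]
        return []


def run(query: SlidingWindowCount, stream: Iterable[Event]) -> List[Output]:
    """Evaluate the query incrementally over an (in principle unbounded) stream."""
    out: List[Output] = []
    for t in stream:
        out.extend(query.process(t))
    return out


# Constructed sample stream, already ordered by its explicit timestamps.
SAMPLE_STREAM: List[Event] = [
    (0.0, "10.0.0.5", "login_fail"),
    (1.5, "10.0.0.5", "login_fail"),
    (2.0, "10.0.0.9", "login_fail"),
    (3.0, "10.0.0.5", "login_ok"),
    (4.0, "10.0.0.5", "login_fail"),   # third failure within 60 s -> output here
    (70.0, "10.0.0.5", "login_fail"),  # earlier failures have slid out of the window
    (71.0, "10.0.0.5", "login_fail"),
]


if __name__ == "__main__":
    q = SlidingWindowCount("login_fail", window=60.0, threshold=3)
    for o in run(q, SAMPLE_STREAM):
        print(o)  # (4.0, '10.0.0.5', 3)
```

Only the timestamps still inside the window are retained per source, so memory stays bounded however long the stream runs; a translator from a temporal formula to a stream query has to produce this kind of windowed, incrementally maintained state, which is the subject of the rest of this chapter.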