To map the syntactical anomaly formulae defined in the previous section into SSQL, we map the negation of the formula entered by the user: the resulting query must select exactly the tuples that violate the normal specification.
Single Packet Anomaly: the negated forms we map are the negations of formula 8.1:
(ϕ ∧ (ψ ∧ ¬π)) and
(ϕ ∧ ¬π) where:
• ϕ is a first order predicate.
• ψ and π are conjunctions or disjunctions of Boolean formulae built from the terms of ϕ.
For the mapping we are concerned with mapping a subset of MSFOMTL (∆) into a subset of SSQL (Θ); the mapping function (M) is:
M : ∆ → Θ
We use the same definitions of schema, tuple, input stream, output stream, and stream as in Section 6.3. The basic elements of the mapping function are defined as before:
∈ {=, <>, >, <, >=, <=} // the relational operators
∈ {+, −, ∗, /} // the mathematical (arithmetic) operators
M1 : P(x_1, x_2, ..., x_n) ↦ "SELECT x_1, x_2, ..., x_n FROM input stream"
M1 : ∧ ↦ "WHERE" // the first conjunction
M1 : c_i ↦ c_i // where c is a constant
M1 : x_i ↦ x_i // where x is a variable
M1 : x_i ⟨c_j | x_j⟩ ↦ x_i ⟨c_j | x_j⟩ // a term: x_i compared by a relational operator with a constant c_j or a variable x_j
M1 : ¬(x_i ⟨c_j | x_j⟩) ↦ (x_i ⟨c_j | x_j⟩) with the relational operator replaced by its complement // e.g. ¬(x_i < c_j) ↦ (x_i >= c_j)
M1 : x_i (x_j ⟨x_k | c_k⟩) ↦ x_i (x_j ⟨x_k | c_k⟩) // a term whose right-hand side is an arithmetic expression over x_j and a constant c_k or variable x_k
M1 : ¬(x_i (x_j ⟨x_k | c_k⟩)) ↦ (x_i (x_j ⟨x_k | c_k⟩)) with the relational operator replaced by its complement
M : ¬(BF_i ∧ BF_j) ↦ (¬BF_i or ¬BF_j) // BF = Boolean formula of terms
M : ¬(BF_i ∨ BF_j) ↦ (¬BF_i and ¬BF_j)
Chapter 8. Potential Use of The new System in Anomaly Based IDS 125
As an example of the mapping, we take example 7.1 from Section 7.2.1; its negated form is:
P(x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10, x_11, x_12)
∧ ¬(((x_2 > 0) ∧ (x_2 < 65535)) ∧ ((x_4 > 0) ∧ (x_4 < 65535)))
Following the above rules, the mapping is as follows:
P(x_1, ..., x_12) ↦ SELECT x_1, ..., x_12 FROM inputstream
∧ ↦ WHERE /* this is the first conjunction in the form */
¬(((x_2 > 0) ∧ (x_2 < 65535)) ∧ ((x_4 > 0) ∧ (x_4 < 65535))) ↦
(¬((x_2 > 0) ∧ (x_2 < 65535)) or ¬((x_4 > 0) ∧ (x_4 < 65535))) ↦
(¬(x_2 > 0) or ¬(x_2 < 65535) or ¬(x_4 > 0) or ¬(x_4 < 65535)) ↦
((x_2 <= 0) or (x_2 >= 65535) or (x_4 <= 0) or (x_4 >= 65535))
The final mapping, i.e. the SSQL code, is:
SELECT x_1, ..., x_12 FROM inputstream
WHERE ((x_2 <= 0) or (x_2 >= 65535) or (x_4 <= 0) or (x_4 >= 65535));
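The translation just carried out by hand, as an added example that is not the thesis's own translator: a small Python implementation of the single packet anomaly mapping. It represents a normal specification as an AST over the variables x_i, applies the two De Morgan rules and the operator-complement rule M1 to the negated formula, renders the WHERE clause, and also evaluates the pushed-down negation over constructed packet tuples to confirm that it selects exactly the tuples on which the original specification fails, which is the property the correctness argument of Section 8.4 relies on. The AST node names, the dict-based tuples, the reading of x_2 and x_4 as port fields and the sample port values are assumptions of this example; nested parentheses are kept rather than flattened as in the hand-derived query.

```python
"""Added example: negation push-down and SSQL emission for the single packet
anomaly form (not the thesis's own translator). A formula is a small AST:
  ("cmp", op, lhs, rhs)   a term x_i op (c_j | x_j); variables are str, constants int
  ("and", f, g) / ("or", f, g)
  ("not", f)
"""

# M1 : ¬(x_i op y) ↦ x_i (complement of op) y
NEG_OP = {"=": "<>", "<>": "=", ">": "<=", "<=": ">", "<": ">=", ">=": "<"}


def push_negation(f):
    """Return an equivalent AST with no "not" nodes.

    Uses M : ¬(BF_i ∧ BF_j) ↦ (¬BF_i or ¬BF_j), M : ¬(BF_i ∨ BF_j) ↦ (¬BF_i and ¬BF_j),
    ¬¬BF ↦ BF, and the complemented relational operator on terms.
    """
    kind = f[0]
    if kind == "cmp":
        return f
    if kind in ("and", "or"):
        return (kind, push_negation(f[1]), push_negation(f[2]))
    g = f[1]  # kind == "not"
    if g[0] == "cmp":
        _, op, lhs, rhs = g
        return ("cmp", NEG_OP[op], lhs, rhs)
    if g[0] == "not":
        return push_negation(g[1])
    if g[0] == "and":
        return ("or", push_negation(("not", g[1])), push_negation(("not", g[2])))
    if g[0] == "or":
        return ("and", push_negation(("not", g[1])), push_negation(("not", g[2])))
    raise ValueError(f"unknown node {g[0]!r}")


def to_where(f):
    """Render a negation-free AST as an SSQL boolean expression (nesting kept)."""
    kind = f[0]
    if kind == "cmp":
        _, op, lhs, rhs = f
        return f"({lhs} {op} {rhs})"
    if kind in ("and", "or"):
        return f"({to_where(f[1])} {kind} {to_where(f[2])})"
    raise ValueError("push_negation must run before rendering")


def map_single_packet(variables, normal_spec, stream="inputstream"):
    """M : P(x_1, ..., x_n) ∧ ¬normal_spec ↦ SELECT x_1, ..., x_n FROM stream WHERE ..."""
    body = push_negation(("not", normal_spec))
    return f"SELECT {', '.join(variables)} FROM {stream} WHERE {to_where(body)};"


def holds(f, row):
    """Evaluate any AST (negated or not) on one stream tuple given as {variable: value}."""
    kind = f[0]
    if kind == "cmp":
        _, op, lhs, rhs = f
        a = row[lhs] if isinstance(lhs, str) else lhs
        b = row[rhs] if isinstance(rhs, str) else rhs
        return {"=": a == b, "<>": a != b, ">": a > b, "<": a < b,
                ">=": a >= b, "<=": a <= b}[op]
    if kind == "and":
        return holds(f[1], row) and holds(f[2], row)
    if kind == "or":
        return holds(f[1], row) or holds(f[2], row)
    return not holds(f[1], row)


def anomalous(normal_spec, rows):
    """Tuples the mapped query emits: those on which the pushed-down negation holds."""
    body = push_negation(("not", normal_spec))
    return [row for row in rows if holds(body, row)]


def translation_agrees(normal_spec, rows):
    """Correctness check: the pushed-down negation selects exactly the tuples failing the spec."""
    body = push_negation(("not", normal_spec))
    return all(holds(body, r) == (not holds(normal_spec, r)) for r in rows)


# Example 7.1 (assumption of this example: x_2 and x_4 are the packet's port fields).
VARS = [f"x_{i}" for i in range(1, 13)]
NORMAL_SPEC = ("and",
               ("and", ("cmp", ">", "x_2", 0), ("cmp", "<", "x_2", 65535)),
               ("and", ("cmp", ">", "x_4", 0), ("cmp", "<", "x_4", 65535)))

# Constructed sample tuples; only the fields the specification reads are populated.
SAMPLE_ROWS = [
    {"x_2": 443, "x_4": 51234},    # inside both ranges
    {"x_2": 0, "x_4": 80},         # port 0 violates x_2 > 0
    {"x_2": 53, "x_4": 53},        # inside both ranges
    {"x_2": 1024, "x_4": 65535},   # port 65535 violates x_4 < 65535
]

if __name__ == "__main__":
    print(map_single_packet(VARS, NORMAL_SPEC))
    for row in anomalous(NORMAL_SPEC, SAMPLE_ROWS):
        print("anomaly:", row)
```

One practical caveat when writing such a specification: 0 and 65535 are both representable 16-bit port values, so a range written with strict inequalities, as in example 7.1, will report packets carrying those values as anomalies; the translator reproduces whatever bounds the user states.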
Multiple Steps Anomaly: the negated form of this syntactical form (formula 8.6) is handled in the same way as the forward multiple packet attacks (Section 6.3): the pattern operator(s) are used and the basic elements of the mapping function are the same.
8.4
Correctness
In this chapter, three syntactical forms have been proposed for the specification of normal behaviour. The correctness of the translations of these forms follows from the proof of correctness presented in Section 6.4 for the other syntactical forms, which are used for misuse based intrusion detection. Here, for the translation, we use the negated form of the syntactical formula, so we need to show the correctness of the translations of these negated forms. The first syntactical form is the single step anomaly (formulae 8.2, 8.3). These syntactical forms have a predicate and some constraints on some of its arguments, and are mapped to the filter operator exactly as the first syntactical form defined for misuse, formula 5.1. Formula 5.1 has the same structure, that is, a predicate and some constraints on its arguments, so the correctness of the translation of formulae 8.2 and 8.3 follows from the proof in Section 6.4 for formula 5.1.
The second syntactical form (formula 8.6) is for multiple step weak normal behaviour requirements. This form will be translated into the pattern operator exactly as the forward multiple packet attacks (formula 5.4). Thus the proof follows the proof in Section 6.4 for formula 5.4.
The last syntactical form is for the multiple step strong requirements (formula 8.8). This form is implemented by using formula 8.6, for weak normal behaviour requirements, repeatedly. For example, if this formula is used for a three step specification, then formula 8.6 will be used twice (i.e., reporting the failures of the second and third steps). This syntax was proposed to make it easier for the user to report the failure of each step. The proof of correctness follows from the proof for formula 8.6.
8.5
Summary
This chapter explored the potential use of the proposed approach, temporal logic combined with stream data processing, in anomaly based network intrusion detection. A basic overview of anomaly based network intrusion detection was presented. Specifically, the use of the proposed system for protocol anomaly based detection was considered. In protocol anomaly based intrusion detection, deviations from the protocol's normal specification are considered suspicious activity. Normally only parts of a protocol specification are used. The specifications can come from RFCs, or from proprietary or vendor specific protocols such as the Microsoft DCOM protocol. Some syntactical forms for normal specifications were provided with examples. The mapping of these syntactical forms into SSQL was presented and explained. Finally, the correctness of the translations of the syntactical forms was given.
Chapter 9
Conclusion
In this chapter a summary of the research conducted is presented in Section 9.1. The scientific contributions of the research and the significance of the proposed novel approach to developing a network based intrusion detection system are presented in Section 9.2. Finally, future work and further research opportunities are suggested in Section 9.3.
9.1
Summary
An intrusion detection system is one of the security mechanisms that must exist in any IT infrastructure to protect connected systems and networks. Current network intrusion detection systems cannot keep up with the constant increase in network speed: their buffers fill up with packets very quickly, and packets are dropped before they can be processed. To address this issue of IDS in high volume networks, the research in this thesis has used a combination of temporal logic and stream data processing to develop a network based IDS. The main research question is: “Can stream data processing technology be utilised in conjunction with temporal logic to develop a system that works efficiently and accurately in high volume networks?” How the proposed system efficiently uses the available resources and accurately detects all attacks (coverage rate) was addressed in this research.
The research to develop TeStID involves the use of temporal logic for the specification of attacks in the misuse based method and for the specification of normal behaviour in the anomaly based method, the process of mapping logical specifications into SSQL, and the use of SDP as the attack (or normal behaviour) detection engine. As part of the system an automated translator was built to parse MSFOMTL formulae and translate them into SSQL.
The abstract view and modelling of the system were presented in Chapter 5. The syntax and semantics of Many Sorted First Order Metric Logic, which is used to specify attack patterns or the normal behaviour of parts of protocols, were also defined in that chapter. Chapter 4 presented an overview of SDP technology and the proposed system architecture. The mapping of temporal logic into stream queries and the development of the translator were explained in Chapter 6. The experimental setup and results were presented in Chapter 7. Finally, the potential use of the system in anomaly based intrusion detection was given in Chapter 8. In the next section, the contributions of the thesis and its findings are presented.