Harmut Konig du 01/03/09 AU 31/07/09 – Professeur à Cottbus University
Most intrusion detection systems deployed today apply misuse detection as analysis method.
Misuse detection searches for attack traces in the recorded audit data using predefined patterns. The matching rules are called signatures.
The definition of signatures is up to now an empirical process based on expert knowledge and experience.
The analysis success and accordingly the acceptance of intrusion detection systems in general depend essentially on the topicality of the deployed signatures.
Methods for a systematic development of signatures have scarcely been reported yet, so the modelling of a new signature is a time-consuming, cumbersome, and error-prone process. The modelled signatures have to be validated and corrected to improve their quality. So far only signature testing is applied for this.
Signature testing is still a rather empirical and time-consuming process to detect modelling errors.
We then present the first approach for verifying signature specifications using the Spin model checker.