TY - GEN
T1 - System health and intrusion monitoring using a hierarchy of constraints
AU - Ko, Calvin
AU - Brutch, Paul
AU - Rowe, Jeff
AU - Tsafnat, Guy
AU - Levitt, Karl
PY - 2001
Y1 - 2001
N2 - This paper presents a new approach to run-time security monitoring that can detect system abnormalities including attacks, faults, or operational errors. The approach, System Health and Intrusion Monitoring (SHIM), employs a hierarchy of constraints to describe correct operation of a system at various levels of abstraction. The constraints capture static behavior, dynamic behavior, and time-critical behavior of a system. A system in execution will be monitored for violation of the constraints, which may indicate potential security problems in the system. SHIM is based on specification-based intrusion detection, but it attempts to provide a systematic framework for developing the specifications/constraints. SHIM does not detect directly the intrusive actions in an attack, but their manifestations as violations of constraints. In this paper, we describe the constraint model and the methodology for developing the constraints. In addition, we present preliminary results on the constraints developed for host programs and network protocols. By bounding the behavior of various system components at different levels of abstraction, SHIM has a high chance of detecting different types of attacks and their variants.
AB - This paper presents a new approach to run-time security monitoring that can detect system abnormalities including attacks, faults, or operational errors. The approach, System Health and Intrusion Monitoring (SHIM), employs a hierarchy of constraints to describe correct operation of a system at various levels of abstraction. The constraints capture static behavior, dynamic behavior, and time-critical behavior of a system. A system in execution will be monitored for violation of the constraints, which may indicate potential security problems in the system. SHIM is based on specification-based intrusion detection, but it attempts to provide a systematic framework for developing the specifications/constraints. SHIM does not detect directly the intrusive actions in an attack, but their manifestations as violations of constraints. In this paper, we describe the constraint model and the methodology for developing the constraints. In addition, we present preliminary results on the constraints developed for host programs and network protocols. By bounding the behavior of various system components at different levels of abstraction, SHIM has a high chance of detecting different types of attacks and their variants.
UR - https://www.scopus.com/pages/publications/84947608030
U2 - 10.1007/3-540-45474-8
DO - 10.1007/3-540-45474-8
M3 - Conference proceeding contribution
AN - SCOPUS:84947608030
SN - 3540427023
SN - 9783540427025
VL - 2212
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 190
EP - 203
BT - Recent Advances in Intrusion Detection
A2 - Lee, Wenke
A2 - Mé, Ludovic
A2 - Wespi, Andreas
PB - Springer, Springer Nature
CY - Berlin
T2 - 4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001
Y2 - 10 October 2001 through 12 October 2001
ER -
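The abstract above describes monitoring a running system against a hierarchy of constraints (static, dynamic and time-critical) and raising an alert on any violation, so that an attack is caught by its manifestation rather than by a signature. The following is an added illustration of that idea and is not code from the paper or from the SHIM project: the audit-trace format, the hypothetical logging program, its allowed-object set, its permitted operation order and its deadline are all assumptions chosen for the example.

```python
"""Toy specification-based monitor with layered constraints, in the spirit of
SHIM (Ko et al., RAID 2001). Added example; the trace format, program,
allowed-object set, state machine and deadline are assumptions, not the paper's."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Event:
    t: float        # seconds since trace start
    op: str         # abstract operation: open / read / write / close / exit
    arg: str = ""   # object the operation touched, if any


# Constructed audit-trace format (assumed): one "<time> <op> [<object>]" per line.
def parse_trace(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            raise ValueError(f"malformed trace line: {line!r}")
        events.append(Event(float(parts[0]), parts[1], parts[2] if len(parts) == 3 else ""))
    return sorted(events, key=lambda e: e.t)


# Level 1 -- static constraint: the only objects the program may ever write.
ALLOWED_WRITE = frozenset({"/var/log/app.log", "/tmp/app.pid"})

# Level 2 -- dynamic constraint: permitted operation order as a state machine.
TRANSITIONS = {
    ("idle", "open"): "open",
    ("open", "read"): "open",
    ("open", "write"): "open",
    ("open", "close"): "idle",
    ("idle", "exit"): "done",
}

# Level 3 -- time-critical constraint: a descriptor may be held at most this long.
MAX_OPEN_SECONDS = 2.0


def check_static(events: List[Event]) -> List[str]:
    return [f"static: write to {e.arg} at t={e.t}"
            for e in events if e.op == "write" and e.arg not in ALLOWED_WRITE]


def check_dynamic(events: List[Event]) -> List[str]:
    state, violations = "idle", []
    for e in events:
        nxt = TRANSITIONS.get((state, e.op))
        if nxt is None:
            violations.append(f"dynamic: {e.op} not permitted in state {state} at t={e.t}")
            continue  # keep monitoring from the same state instead of giving up
        state = nxt
    if state != "done":
        violations.append(f"dynamic: trace ended in state {state}, expected done")
    return violations


def check_timing(events: List[Event]) -> List[str]:
    opened_at, violations = None, []
    for e in events:
        if e.op == "open":
            opened_at = e.t
        elif e.op == "close" and opened_at is not None:
            held = e.t - opened_at
            if held > MAX_OPEN_SECONDS:
                violations.append(f"timing: descriptor held {held:.1f}s, limit {MAX_OPEN_SECONDS}s")
            opened_at = None
    return violations


def monitor(trace_text: str) -> List[str]:
    """Run every constraint level over one trace; any violation is an alert."""
    events = parse_trace(trace_text)
    return check_static(events) + check_dynamic(events) + check_timing(events)


# Constructed sample traces (not taken from the paper).
BENIGN = """
0.00 open /var/log/app.log
0.05 write /var/log/app.log
0.10 close
0.20 exit
"""

# Hypothetical compromise: the program is made to overwrite a system file and is
# kept alive past its deadline. No attack signature is needed to flag either.
COMPROMISED = """
0.00 open /var/log/app.log
0.05 write /etc/passwd
3.50 close
3.60 exit
"""

# Operational error rather than an attack: a read before open, exit without close.
SLOPPY = """
0.00 read /var/log/app.log
0.10 open /var/log/app.log
0.20 exit
"""

if __name__ == "__main__":
    for name, trace in [("benign", BENIGN), ("compromised", COMPROMISED), ("sloppy", SLOPPY)]:
        print(name, monitor(trace) or "no violations")
```

The three checks are deliberately independent: the static set catches the out-of-policy write regardless of sequence, the state machine catches ordering faults regardless of which objects are touched, and the timing check catches a process kept alive past its deadline. This separation is what lets one set of constraints flag attacks, faults and operator mistakes alike, and it is the property a practitioner should preserve when extending such specifications to real audit data.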