Lecture Notes in Computer Science 2212
Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo

Wenke Lee, Ludovic Mé, Andreas Wespi (Eds.)

Recent Advances in Intrusion Detection
4th International Symposium, RAID 2001
Davis, CA, USA, October 10-12, 2001
Proceedings

Series Editors
Gerhard Goos, Karlsruhe University, Germany
Juris Hartmanis, Cornell University, NY, USA
Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors
Wenke Lee
Georgia Institute of Technology, College of Computing
801 Atlantic Drive, Atlanta, Georgia 30332-0280, USA
E-mail: [email protected]

Ludovic Mé
SUPELEC
BP 28, 35511 Cesson Sevigne Cedex, France
E-mail: [email protected]

Andreas Wespi
IBM Research, Zurich Research Laboratory
Säumerstr. 4, 8803 Rüschlikon, Switzerland
E-mail: [email protected]

Cataloging-in-Publication Data applied for

Die Deutsche Bibliothek - CIP-Einheitsaufnahme
Recent advances in intrusion detection: 4th international symposium; proceedings / RAID 2001, Davis, CA, USA, October 10-12, 2001. Wenke Lee ... (ed.). - Berlin; Heidelberg; New York; Barcelona; Hong Kong; London; Milan; Paris; Tokyo: Springer, 2001
(Lecture notes in computer science; Vol. 2212)
ISBN 3-540-42702-3

CR Subject Classification (1998): K.6.5, K.4, E.3, C.2, D.4.6
ISSN 0302-9743
ISBN 3-540-42702-3 Springer-Verlag Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.
Springer-Verlag Berlin Heidelberg New York
a member of BertelsmannSpringer Science+Business Media GmbH
http://www.springer.de
© Springer-Verlag Berlin Heidelberg 2001
Printed in Germany
Typesetting: Camera-ready by author, data conversion by PTP-Berlin, Stefan Sossna
Printed on acid-free paper
SPIN: 10840834 06/3142 5 4 3 2 1 0

Preface

On behalf of the program committee, it is our pleasure to present to you the proceedings of the fourth Recent Advances in Intrusion Detection Symposium.

The RAID 2001 program committee received 55 paper submissions from 13 countries. All submissions were carefully reviewed by several members of the program committee on the criteria of scientific novelty, importance to the field, and technical quality. Final selection took place at a meeting held on May 16-17 in Oakland, California. Twelve papers were selected for presentation and publication in the conference proceedings. In addition, nine papers, presenting work in progress, were selected for presentation.

The program included both fundamental research and practical issues: logging and IDS integration, attack modeling, anomaly detection, specification-based IDS, IDS assessment, IDS cooperation, intrusion tolerance, and legal aspects.

RAID 2001 also hosted two panels, one on “The Present and Future of IDS Testing Methodologies,” a subject of major concern for all IDS users and designers, and one on “Intrusion Tolerance,” an emerging research area of increasing importance.

Dr. Bill Hancock, Senior Vice President and Chief Security Officer of Exodus Communications, Inc., delivered a keynote speech “Real world intrusion detection or how not to become a deer in the headlights of an attacker’s car on the information superhighway”.

The slides presented by the authors, the 9 papers which are not in the proceedings, and the slides presented by the panelists are available on the website of the RAID symposium series, http://www.raid-symposium.org/.
We would like to thank all authors who submitted papers, as well as the program committee members and the additional reviewers, for their efforts. Special thanks go to Felix Wu for handling the conference arrangements, Niranjan Balwalli for maintaining the paper submission Web site, Giovanni Vigna for publicizing the conference, and Andreas Wespi for maintaining the RAID Web pages and preparing the conference proceedings. Finally, we thank all the RAID 2001 sponsors.

October 2001
Ludovic Mé
Wenke Lee

Organization

RAID 2001 was hosted by and gratefully acknowledges the support of the University of California at Davis, CA.

Conference Chairs

Executive Committee Chair: Marc Dacier (IBM Research, Switzerland)
Program Co-chairs: Ludovic Mé (Supélec, France) and Wenke Lee (Georgia Institute of Technology, USA)
Publication Chair: Andreas Wespi (IBM Research, Switzerland)
Local Organization Chair: S. Felix Wu (UC Davis, USA)
Publicity Chair: Giovanni Vigna (UC Santa Barbara, USA)

Program Committee

Matt Bishop (UC Davis, USA)
Joachim Biskup (University of Dortmund, Germany)
Frédéric Cuppens (ONERA, France)
Marc Dacier (IBM Research, Switzerland)
Hervé Debar (France Télécom R&D, France)
Yves Deswarte (LAAS-CNRS, France)
Deborah Frincke (University of Idaho, USA)
Anup Ghosh (Cigital, USA)
Tim Grance (NIST, USA)
Ming-Yuh Huang (Boeing Applied Research and Technology, USA)
Erland Jonsson (Chalmers University of Technology, Sweden)
Richard Kemmerer (UC Santa Barbara, USA)
Calvin Ko (Network Associates, USA)
Baudouin Le Charlier (Université de Namur, Belgium)
Wenke Lee (Georgia Institute of Technology, USA)
Richard Lippmann (MIT Lincoln Laboratory, USA)
John McHugh (CERT/SEI, Carnegie Mellon University, USA)
Roy Maxion (Carnegie Mellon University, USA)
George Mohay (Queensland University, Australia)
Ludovic Mé (Supélec, France)
Abdelaziz Mounji (Swift, Belgium)
Vern Paxson (ACIRI/LBNL, USA)
Phil Porras (SRI, USA)
Stuart Staniford (Silicon Defense, USA)
Al Valdes (SRI, USA)
Giovanni Vigna (UC Santa Barbara, USA)
Andreas Wespi (IBM Research, Switzerland)
S. Felix Wu (UC Davis, USA)
Diego Zamboni (Purdue University, USA)
Kevin Ziese (Cisco Systems, USA)

Additional Reviewers

Magnus Almgren (SRI, USA)
Phillip Attfield (Boeing Applied Research and Technology, USA)
Salem Benferhat (IRIT, Université Paul Sabatier, France)
Paul Brutch (Network Associates, USA)
Steven Cheung (SRI, USA)
Ulrich Flegel (University of Dortmund, Germany)
Frank Hill (Cigital, Inc., USA)
Klaus Julisch (IBM Research, Switzerland)
Vincent Letocart (Université de Namur, Belgium)
Emilie Lundin (Chalmers University of Technology, Sweden)
Donald Marks (NIST, USA)
Peter Mell (NIST, USA)
Matt Schmid (Cigital, USA)
Kymie M.C. Tan (Carnegie Mellon University, USA)

Table of Contents

Modeling Attacks

From Declarative Signatures to Misuse IDS ........ 1
Jean-Philippe Pouzol and Mireille Ducassé

Logging and IDS Integration

Application-Integrated Data Collection for Security Monitoring ........ 22
Magnus Almgren and Ulf Lindqvist

Interfacing Trusted Applications with Intrusion Detection Systems ........ 37
Marc Welz and Andrew Hutchison

IDS Cooperation

Probabilistic Alert Correlation ........ 54
Alfonso Valdes and Keith Skinner

Designing a Web of Highly-Configurable Intrusion Detection Sensors ........ 69
Giovanni Vigna, Richard A. Kemmerer, and Per Blix

Aggregation and Correlation of Intrusion-Detection Alerts ........ 85
Hervé Debar and Andreas Wespi

Anomaly Detection

Accurately Detecting Source Code of Attacks That Increase Privilege ........ 104
Robert K. Cunningham and Craig S. Stevenson

CDIS: Towards a Computer Immune System for Detecting Network Intrusions ........ 117
Paul D. Williams, Kevin P. Anchor, John L. Bebo, Gregg H. Gunsch, and Gary D. Lamont

Intrusion Tolerance

Autonomic Response to Distributed Denial of Service Attacks ........ 134
Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday, and Travis Reid

Legal Aspects

The Impact of Privacy and Data Protection Legislation on the Sharing of Intrusion Detection Information ........ 150
Steven R. Johnston

Specification-Based IDS

Experiences with Specification-Based Intrusion Detection ........ 172
Prem Uppuluri and R. Sekar

System Health and Intrusion Monitoring Using a Hierarchy of Constraints ........ 190
Calvin Ko, Paul Brutch, Jeff Rowe, Guy Tsafnat, and Karl Levitt

Author Index ........ 205

From Declarative Signatures to Misuse IDS

Jean-Philippe Pouzol and Mireille Ducassé
IRISA/INSA de Rennes - Campus Universitaire de Beaulieu
35042 Rennes Cedex, France
{pouzol,ducasse}@irisa.fr

Abstract. In many existing misuse intrusion detection systems, intrusion signatures are very close to the detection algorithms. As a consequence, they contain too many cumbersome details. Recent work has proposed declarative signature languages that raise the level of abstraction when writing signatures. However, these languages do not always come with operational support. In this article, we show how to transform such declarative signatures into operational ones. This process points out several technical details which must be considered with care when performing the translation by hand, but which can be systematically handled. A signature specification language named Sutekh is proposed. Its declarative semantics is precisely described. To produce rules for existing rule-based IDS from Sutekh signatures, an algorithm, based on the construction of a state-transition diagram, is given.

1 Introduction

Many formalisms and algorithms have been proposed to specify intrusion signatures in order to detect misuses.
Among the intrusion detection systems (IDS) briefly described by Axelsson in [1], one can cite state-transition diagrams in STAT [8], colored Petri nets in IDIOT [10], condition-action rules in ASAX [7], and expert systems in EMERALD [15]. The languages proposed in these articles are strongly dedicated to the underlying search algorithm. As a consequence, the signatures are cluttered with many operational details which make them hard to specify and maintain.

More recent approaches propose to specify signatures of intrusions in a declarative flavor, for example MuSigs defined by Lin et al. [11] and LaDAA defined by Gérard [6]. LAMBDA, defined by Cuppens and Ortalo [4], and ADeLe, proposed by Michel and Mé [13], are languages dedicated to describing both attacks and signatures. The aim of all these high-level languages is to specify signatures, regardless of any detection process, by describing relations between events in an audit trail. However, either these languages ignore functionalities provided by others, or they do not offer any operational support.

This article first proposes Sutekh, a declarative signature language providing a combination of functionalities at least as complete as the union of what is offered by other declarative systems. In addition, we show how to produce operational detection rules from declarative signatures.

W. Lee, L. Mé, and A. Wespi (Eds.): RAID 2001, LNCS 2212, pp. 1–21, 2001.
© Springer-Verlag Berlin Heidelberg 2001
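The gap the abstract and introduction describe, between a signature stated as relations between audit events and the bookkeeping an operational matcher needs, can be seen on a small constructed case. The Python below is an added illustration and is neither Sutekh nor the translation algorithm of the paper: the toy signature format (ordered event patterns whose `?`-prefixed values are variables shared across steps), the event field names and the audit records are all assumptions made for this example.

```python
"""Added illustration: a tiny declarative event signature compiled into a
state-transition matcher. This is NOT Sutekh and NOT the paper's algorithm;
the signature format, the event fields and the audit records are all
constructed here to show what a translation to operational rules must track."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pattern:
    """One step of a declarative signature: an event type plus field
    constraints. A value starting with '?' is a variable that must bind to
    the same concrete value in every step where it appears."""
    etype: str
    fields: Dict[str, str]


@dataclass
class Signature:
    name: str
    steps: Tuple[Pattern, ...]  # steps must occur in this order, not necessarily adjacent


def match_step(pattern: Pattern, event: Dict[str, str],
               bindings: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the bindings extended by this event if it satisfies the
    pattern under the current bindings, else None."""
    if event.get("type") != pattern.etype:
        return None
    new = dict(bindings)
    for key, want in pattern.fields.items():
        if key not in event:
            return None
        if want.startswith("?"):            # variable: bind it or check consistency
            if want in new and new[want] != event[key]:
                return None
            new[want] = event[key]
        elif event[key] != want:            # constant: must be equal
            return None
    return new


class Matcher:
    """Operational form of a signature: state i means the first i steps have
    been seen. Each partial match carries its own variable bindings, so one
    audit event can advance several instances at once. This per-instance
    bookkeeping is the kind of detail a declarative signature leaves
    implicit and a hand-written rule set has to get right."""

    def __init__(self, sig: Signature) -> None:
        self.sig = sig
        self.partials: List[Tuple[int, Dict[str, str]]] = []
        self.alerts: List[Tuple[str, Dict[str, str]]] = []

    def feed(self, event: Dict[str, str]) -> int:
        survivors = []
        # Every event may also start a fresh instance from state 0.
        for state, bindings in self.partials + [(0, {})]:
            nb = match_step(self.sig.steps[state], event, bindings)
            if nb is None:
                if state > 0:
                    survivors.append((state, bindings))   # keep waiting for the next step
                continue
            if state + 1 == len(self.sig.steps):
                self.alerts.append((self.sig.name, nb))     # final state reached
            else:
                survivors.append((state + 1, nb))
        self.partials = survivors
        return len(self.alerts)


# Constructed signature: a failed login, then a successful login for the SAME
# account from the SAME host, then that account switching to root.
FAIL_THEN_SU = Signature("failed-login-then-su", (
    Pattern("login", {"result": "fail", "user": "?u", "host": "?h"}),
    Pattern("login", {"result": "ok", "user": "?u", "host": "?h"}),
    Pattern("su", {"user": "?u", "target": "root"}),
))

# Constructed audit trail (sample data, not taken from any real system).
AUDIT_TRAIL = [
    {"type": "login", "result": "fail", "user": "alice", "host": "10.0.0.5"},
    {"type": "login", "result": "ok", "user": "bob", "host": "10.0.0.5"},   # other user: no advance
    {"type": "login", "result": "ok", "user": "alice", "host": "10.0.0.5"},
    {"type": "su", "user": "alice", "target": "root"},                       # completes the signature
    {"type": "su", "user": "bob", "target": "root"},                         # bob never failed a login
]


def run(sig: Signature, trail: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Feed a whole trail through a fresh matcher and return the alerts with their bindings."""
    m = Matcher(sig)
    for event in trail:
        m.feed(event)
    return m.alerts


if __name__ == "__main__":
    for name, bindings in run(FAIL_THEN_SU, AUDIT_TRAIL):
        print(name, bindings)
```

On the constructed trail the matcher raises exactly one alert, bound to alice and 10.0.0.5. The point of carrying bindings per instance is visible in the last record: a rule that only tracked "state 2 reached" would let bob's `su` complete alice's partial match, which is the sort of false positive a hand translation can introduce when the variable sharing of the declarative signature is lost.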