Modeling and Describing Misuse Scenarios Using Signature-Nets and Event Description Language

In the area of intrusion detection the misuse detection approach assumes that relevant activity violating security policies is known a priori and it provides for fast intrusion detection with low false alarm rate, thereby complementing the anomaly detection approach. Hence, misuse detection is an indispensable ingredient to a suitable strategy for intrusion detection. Misuse detection calls for a comprehensive framework for modeling and analysing attack activity. This contribution presents the highly expressive and modular Signature-net framework. Signature-nets allow for visual modeling and simulation of attack detection signatures, as well as for formal analysis. The framework lends itself to highly optimized implementation and may be flexibly deployed, e. g., for network-based and host-based intrusion detection or alarm correlation. und Rechnern und für die Alarmkorrelation. In the area of computer security intrusion detection systems (IDSs) play an important role for the automatic identification of attacks. In addition to preventive security mechanisms they provide post-mortem detection capabilities. A main problem for the detection of security violations using misuse detection systems is the modeling and description of misuse scenarios to be detected. In the following we consider services in the sense of a running software system that provides some service to its users. Such a service is assumed to contain an audit component that observes the service activity.