Intrusion Detection using ASTDs

01/29/2020
by Lionel Tidjon, et al.

In this paper, we show the application of ASTDs to intrusion detection. ASTD is an executable, modular and graphical notation that allows hierarchical state machines to be composed with process algebra operators in order to model complex attack phases. We first define an ASTD specification methodology based on attack pattern databases. Next, we specify a ransomware case study using Snort, Zeek, ASTD, and other intrusion detection languages from the literature. We then execute these languages on recent ransomware datasets and on a real-time testbed, and compare and discuss the results. Overall, ASTD attack specifications are more concise than those of industrial tools like Snort and Zeek and of other attack languages in the literature. For intrusion detection, iASTD (the ASTD interpreter) and Zeek provided similar results. iASTD produced fewer false positives and a smaller number of true positives per attack than Snort, which is an important factor when dealing with huge volumes of events. On the real-time testbed, iASTD's processing time is slower than that of Snort and Zeek, but it can be improved by compiling ASTD specifications into Zeek scripts.
