Intrusion Detection using ASTDs

by Lionel Tidjon, et al.

In this paper, we show the application of ASTDs to intrusion detection. ASTD is an executable, modular and graphical notation that allows for the composition of hierarchical state machines with process algebra operators to model complex attack phases. We first define an ASTD specification methodology using attack pattern databases. Next, we specify a ransomware case study using Snort, Zeek, ASTD, and other intrusion detection languages from the literature. After that, we execute the languages on recent datasets and on a real-time ransomware testbed, then compare and discuss the results. Overall, ASTD attack specifications are more concise than those of industrial tools like Snort and Zeek and of other attack languages in the literature. For intrusion detection, iASTD (the ASTD interpreter) and Zeek provided similar results. iASTD produced fewer false positives and a smaller number of true positives per attack than Snort, which is an important factor when dealing with huge volumes of events. The processing time of iASTD on the real-time testbed is higher than that of Snort and Zeek, but it can be improved by compiling ASTD specifications into Zeek scripts.
