• DocumentCode
    2327184
  • Title
    Abstraction-based misuse detection: high-level specifications and adaptable strategies
  • Author
    Lin, Jia-Ling ; Wang, X. Sean ; Jajodia, Sushil
  • Author_Institution
    Center for Secure Inf. Syst., George Mason Univ., Fairfax, VA, USA
  • fYear
    1998
  • fDate
    9-11 Jun 1998
  • Firstpage
    190
  • Lastpage
    201
  • Abstract
    A typical misuse detection system contains: (1) a language for describing known techniques (called misuse signatures) used by attackers to penetrate the target system, and (2) monitoring programs for detecting the presence of an attack based on the given misuse signatures. In most of the systems appearing in the literature, however, misuses are described in a low-level language (i.e. in terms of audit records of the target system) that either has limited expressiveness or is difficult to use. Moreover, the monitoring algorithms are often fixed and do not adapt to a changing operating environment or to the objectives of the site security officer. To overcome these limitations, the paper defines a high-level language for abstract misuse signatures (MuSigs). Because it is built on high-level concepts, a MuSig can represent misuses in a simple form and yet with high expressiveness. The paper also introduces a set of system directives, provided by the system designer, that support those high-level concepts. The paper then discusses ways to translate MuSigs into monitoring programs with the help of the system directives. Adaptability is obtained by allowing the site security officer to add or delete system directives, which changes the behavior of the monitoring program.
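    The three-layer architecture the abstract describes, worked through as a small added example written for this page (Python; it is not the paper's code, its MuSig language, its directive format or its translation method). Constructed sshd-style audit records are the low-level layer; system directives are (concept, regex) pairs that lift records into high-level events such as auth_fail and auth_ok; the signature BRUTE_FORCE_LOGIN is written over those concepts only; compile_monitor translates signature plus directives into a monitoring program; and adding PREAUTH_DIRECTIVE changes what the unchanged signature detects. Every name, the signature syntax and the log lines are assumptions of the example.

```python
"""Toy abstraction-based misuse detector: an added illustration, not the paper's
code or MuSig language. Signature syntax, directive format, regexes and the
audit lines below are all constructed for this example."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sshd-style audit records; each line is "<seq> <record>".
AUDIT_LOG = """\
1 sshd: Failed password for root from 10.0.0.5 port 40122 ssh2
2 sshd: Failed password for root from 10.0.0.5 port 40123 ssh2
3 sshd: Failed password for root from 10.0.0.5 port 40124 ssh2
4 sshd: Accepted password for root from 10.0.0.5 port 40125 ssh2
5 sshd: Failed password for alice from 10.0.0.9 port 50100 ssh2
6 sshd: Failed password for alice from 10.0.0.9 port 50101 ssh2
7 sshd: Connection closed by authenticating user alice 10.0.0.9 port 50102 [preauth]
8 sshd: Accepted password for alice from 10.0.0.9 port 50103 ssh2
"""

# A system directive says how a low-level record realises a high-level concept:
# (concept, regex); the regex's named groups become the event's attributes.
Directive = Tuple[str, str]

BASE_DIRECTIVES: List[Directive] = [
    ("auth_fail", r"Failed password for (?P<user>\S+) from (?P<host>\S+)"),
    ("auth_ok",   r"Accepted password for (?P<user>\S+) from (?P<host>\S+)"),
]

# A directive the site security officer might add later, without touching the
# signature: count a pre-auth disconnect as a failed authentication too.
PREAUTH_DIRECTIVE: Directive = (
    "auth_fail",
    r"Connection closed by authenticating user (?P<user>\S+) (?P<host>\S+) port \d+ \[preauth\]",
)

@dataclass(frozen=True)
class MuSig:
    """Abstract signature: ordered (concept, occurrences) steps; `bind` lists
    the attributes that must agree across every step of one instance."""
    name: str
    steps: Tuple[Tuple[str, int], ...]
    bind: Tuple[str, ...]

BRUTE_FORCE_LOGIN = MuSig(
    name="brute_force_then_success",
    steps=(("auth_fail", 3), ("auth_ok", 1)),
    bind=("user", "host"),
)

def compile_monitor(sig: MuSig, directives: List[Directive]) -> Callable[[str], List[dict]]:
    """Translate a MuSig plus the available directives into a monitoring program
    that reads raw audit text and returns one alert dict per completed match."""
    needed = {concept for concept, _ in sig.steps}
    compiled = [(c, re.compile(rx)) for c, rx in directives if c in needed]
    missing = needed - {c for c, _ in compiled}
    if missing:
        # A concept with no directive can never be observed: refuse rather than
        # silently build a monitor that cannot fire.
        raise ValueError(f"{sig.name}: no directive for concept(s) {sorted(missing)}")

    def monitor(audit_log: str) -> List[dict]:
        # Partial matches keyed by the bound attribute values -> (step, count).
        state: Dict[Tuple[str, ...], Tuple[int, int]] = {}
        alerts: List[dict] = []
        for line in audit_log.splitlines():
            seq_text, _, record = line.partition(" ")
            seq = int(seq_text)
            for concept, rx in compiled:
                m = rx.search(record)
                if m is None:
                    continue
                attrs = m.groupdict()
                key = tuple(attrs.get(b, "") for b in sig.bind)
                step, count = state.get(key, (0, 0))
                want_concept, want_n = sig.steps[step]
                if concept != want_concept:
                    continue  # an out-of-order event does not advance this instance
                count += 1
                if count >= want_n:
                    step, count = step + 1, 0
                if step == len(sig.steps):
                    alerts.append({"signature": sig.name, "seq": seq,
                                   **dict(zip(sig.bind, key))})
                    state.pop(key, None)
                else:
                    state[key] = (step, count)
        return alerts

    return monitor

def detect(directives: List[Directive], audit_log: str = AUDIT_LOG) -> List[int]:
    """Sequence numbers at which BRUTE_FORCE_LOGIN completed under `directives`."""
    return [a["seq"] for a in compile_monitor(BRUTE_FORCE_LOGIN, directives)(audit_log)]

if __name__ == "__main__":
    print("base directives:  ", detect(BASE_DIRECTIVES))                       # [4]
    print("plus preauth rule:", detect(BASE_DIRECTIVES + [PREAUTH_DIRECTIVE]))  # [4, 8]
```

    With only the base directives the monitor reports root's login at record 4; alice's two password failures plus the pre-auth disconnect do not reach the threshold until the officer adds PREAUTH_DIRECTIVE, after which record 8 is also reported. The signature itself never changes, which is the adaptability the abstract attributes to directives. compile_monitor refuses a signature that mentions a concept no directive realises, since such a monitor would appear to run while being unable to detect anything.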
  • Keywords
    authorisation; formal specification; high level languages; system monitoring; MuSigs; abstract misuse signatures; abstraction based misuse detection; adaptable strategies; audit records; high level concepts; high level language; high level specifications; low level language; misuse signatures; monitoring algorithms; monitoring program; monitoring programs; operating environment; site security officer; system designer; system directives; typical misuse detection system; Information systems; Monitoring; Security
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Foundations Workshop, 1998. Proceedings. 11th IEEE
  • Conference_Location
    Rockport, MA
  • ISSN
    1063-6900
  • Print_ISBN
    0-8186-8488-7
  • Type
    conf
  • DOI
    10.1109/CSFW.1998.683169
  • Filename
    683169