Specification and Detection of TCP/IP Based Attacks Using the ADM-Logic

Abstract

Intrusion detection systems (IDS) are considered nowadays as one of the most important components in the security architecture of information systems. For misuse-based IDS also known as signature based IDS, the efficiency of detection is highly correlated to the quality of signatures. It is therefore very important to select a suitable formal language that provides both high expressiveness and simplicity when specifying attack signatures. It is also fundamental to have a user friendly and automatic tool allowing the specification and the verification of these signatures. This paper shows the efficiency and the suitability of the ADM-logic and formal language to specify a large variety of signatures characterizing attacks based on the TCP/IP protocols. A prototype of an IDS based on this logic will be also introduced