3 Behavioral Intrusion Detection Model, Which Uses State Machine-Based Formal Grammars
Research in the field of protection against network attacks led to the development of a new behavioral intrusion detection model. The model combines the functional capabilities of other models based on expert systems and on state transition analysis. It is designed to detect anomalous network traffic that is used to carry out informational attacks. The developed model allows the following types of potentially dangerous network packets to be detected:
- packets whose syntax and semantics do not correspond to the RFC standards,
- packets addressed to non-existent informational resources,
- packets whose length exceeds the specified restrictions,
- packets with commands that are not supported by the computer system applications,
- other types of packets that violate the template of normal computer system traffic.
The developed model is based on a finite-state language $L$ that describes the template of normal network traffic transmitted in the computer system. Language $L$ consists of strings, each of which corresponds to a normal network packet that can be correctly processed by the computer system applications. Language $L$ is specified by means of a state-machine-based grammar of the following type: $A = \langle S, X, Y, s_0, f_t, f_s, F, s_a \rangle$, where $S$ is the set of states, $X$ is the set of input symbols, $Y$ is the set of semantic operators that analyze the semantics of the input data, $s_0 \in S$ is the initial state, $f_t : S \times X \to S$ is the state transition function, $f_s : S \times X \to Y$ is the semantic operator choice function, $F \subseteq S$ is the set of terminal states that indicate the correct recognition of the input string as an element of language $L$, and $s_a \in S$ is the terminal state that indicates that the input string is not an element of language $L$.
The operation of the state machine $A$ that specifies language $L$ can be presented as follows. The state machine $A$ processes an input string that corresponds to an incoming data packet which must be handled by the protected computer system. If the state machine reaches one of the terminal states of the set $F$, the analyzed data packet poses no danger to the computer system and can be passed through. Otherwise, reaching the state $s_a$ corresponds to the detection of a network attack; in this case the data packet that corresponds to the analyzed input string should be blocked.
The practical use of the behavioral model can be illustrated with the example of the state-machine-based grammar $A_{HTTP}$, which was developed according to the described approach. This state machine is designed to detect network attacks on Web servers that interact with users by means of the Hypertext Transfer Protocol (HTTP). The state machine $A_{HTTP}$ specifies the language $L_{HTTP}$, which consists of strings each corresponding to a normal HTTP request that can be correctly processed by the application software of the Web server. The state machine $A_{HTTP}$ consists of the following modules (Fig. 1): the module of HTTP-method analysis, the module of Uniform Resource Locator (URL) analysis, the module of HTTP-query analysis, the module of HTTP-version analysis and the module of HTTP-headers analysis. Each of these modules processes a particular part of the HTTP request.
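The following Python program is an added illustration, not the paper's code and not a description of the authors' implementation of $A_{HTTP}$. It builds a small grammar of the form $A = \langle S, X, Y, s_0, f_t, f_s, F, s_a \rangle$ over HTTP requests, with one semantic operator for each of the modules named above (method, URL, query, version, headers), and runs it over constructed requests so that normal ones end in a state of $F$ and the others in $s_a$. The allowed methods, the set of known resources, the URL length limit, the supported versions, the tokenization of a request into input symbols and the sample requests are all assumptions made for the example.

```python
"""
Added illustration (not the paper's code): a state-machine-based grammar of the
form A = <S, X, Y, s0, ft, fs, F, sa> that recognises a template of normal HTTP
requests.  All policy values below (allowed methods, known resources, length
limit, versions, sample requests) are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed policy describing "normal" traffic for a hypothetical Web server.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
KNOWN_PATHS = {"/", "/index.html", "/login", "/search"}
MAX_URL_LEN = 64
SUPPORTED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
HEADER_RE = re.compile(r"^[A-Za-z0-9-]+: [^\r\n]*$")
QUERY_PAIR_RE = re.compile(r"^[A-Za-z0-9_]+=[A-Za-z0-9_.%-]*$")

# The set of states S; F is the set of accepting terminal states, ALARM is s_a.
S0, S_URL, S_VER, S_HDR, ACCEPT, ALARM = "s0", "url", "version", "headers", "accept", "alarm"
F = {ACCEPT}

# The set Y of semantic operators: each inspects one input symbol and returns
# True when it is consistent with the template of normal traffic.
def op_method(tok):
    return tok in ALLOWED_METHODS              # module of HTTP-method analysis

def op_url(tok):
    if len(tok) > MAX_URL_LEN:                 # module of URL analysis: length restriction
        return False
    parts = urlsplit(tok)
    if parts.path not in KNOWN_PATHS:          # non-existent informational resource
        return False
    pairs = parts.query.split("&") if parts.query else []
    return all(QUERY_PAIR_RE.match(p) for p in pairs)   # module of HTTP-query analysis

def op_version(tok):
    return tok in SUPPORTED_VERSIONS           # module of HTTP-version analysis

def op_header(tok):
    return HEADER_RE.match(tok) is not None    # module of HTTP-headers analysis

# f_t: (state, symbol kind) -> next state; f_s: (state, symbol kind) -> semantic operator.
# Any (state, symbol) pair absent from f_t leads to ALARM (s_a).
F_T = {(S0, "method"): S_URL, (S_URL, "url"): S_VER, (S_VER, "version"): S_HDR,
       (S_HDR, "header"): S_HDR, (S_HDR, "end"): ACCEPT}
F_S = {(S0, "method"): op_method, (S_URL, "url"): op_url, (S_VER, "version"): op_version,
       (S_HDR, "header"): op_header, (S_HDR, "end"): lambda tok: True}

def tokenize(raw):
    """Map a raw request to the input alphabet X: (symbol kind, text) pairs."""
    lines = raw.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:                        # request line violating RFC syntax
        yield ("malformed", lines[0])
        return
    yield ("method", parts[0])
    yield ("url", parts[1])
    yield ("version", parts[2])
    for line in lines[1:]:
        if line == "":                         # empty line terminates the header block
            yield ("end", "")
            return
        yield ("header", line)

def analyze(raw):
    """Run the machine over one request; returns (final state, alarm reason or None)."""
    state = S0
    for kind, tok in tokenize(raw):
        key = (state, kind)
        if key not in F_T or not F_S[key](tok):
            return ALARM, f"{kind}: {tok!r}"
        state = F_T[key]
    if state in F:
        return state, None
    return ALARM, "request ended before reaching a terminal state"

if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /search?q=state%20machine HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "OPTIONS / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /" + "a" * 80 + " HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /admin.php HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /index.html\r\n\r\n",
    ]
    for s in samples:
        state, reason = analyze(s)
        print(state, "-" if reason is None else reason)
```

The transition table $f_t$ and the operator table $f_s$ share their keys, so a request is rejected either because no transition exists for the current symbol (a structural violation, such as a malformed request line) or because the chosen semantic operator returns false (a semantic violation, such as an unsupported method or an unknown resource); the returned reason records which symbol triggered the move to $s_a$, which is the information an operator needs when deciding whether to block the packet.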