
A Stream-Based Specification Language for Network Monitoring

Conference paper. Runtime Verification (RV 2016).

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10012)

Abstract

We introduce Lola 2.0, a stream-based specification language for the precise description of complex security properties in network traffic. The language extends the specification language Lola with two new features: template stream expressions, which allow input data to be carried along the stream, and dynamic stream generation, where new monitors can be invoked during the monitoring process for the monitoring of new subtasks on their own time scale. Lola 2.0 is simple and expressive: it combines the ease-of-use of rule-based specification languages like Snort with the expressiveness of heavy-weight scripting languages or temporal logics previously needed for the description of complex stateful dependencies and statistical measures. Lola 2.0 specifications are monitored by incrementally constructing output streams from input streams, while maintaining a store of partially evaluated expressions. We demonstrate the flexibility and expressivity of Lola 2.0 using a prototype implementation on several practical examples.
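The abstract describes the monitoring scheme only in outline: output streams are built position by position from input streams, and template streams let a monitor carry input data (such as a source address) along and spawn a new instance per value. The following Python is an added illustration of that scheme, not the paper's Lola 2.0 implementation or its syntax. Everything in it is constructed for the example: the packet record layout, the criterion for a "bad HTTP request" (a 4xx response status, assumed here), the per-source template stream `bad_by_src`, the alert threshold and the sample traffic. Because every stream expression here refers only to the current position and to past values (offset -1), the monitor never has to keep partially evaluated expressions; the store the abstract mentions becomes necessary once a specification refers to future positions, which this example deliberately avoids.

```python
# Added illustration of stream-based network monitoring in the style the
# abstract describes; it is NOT the paper's Lola 2.0 tool. The record layout,
# the "bad request" criterion (HTTP 4xx status), the stream names and the
# traffic sample below are all constructed for this example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One event of the input stream (constructed layout, not a capture format)."""
    src: str
    dst: str
    http_status: Optional[int]  # None when the packet carries no HTTP response


class StreamMonitor:
    """Incrementally evaluates output streams from the input stream of packets.

    Global output streams (one value per input position):
        bad       : bool = http_status is a 4xx code
        bad_count : int  = bad_count[-1, 0] + (1 if bad else 0)
    Template stream, instantiated per source address on first sight and
    advanced only by that source's bad requests (its own time scale):
        bad_by_src(src) : int = bad_by_src(src)[-1, 0] + 1
    An alert is raised when an instance reaches `threshold`.
    """

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.position = 0
        self.streams: Dict[str, List] = {"bad": [], "bad_count": []}
        self.bad_by_src: Dict[str, List[int]] = {}
        self.alerts: List[Tuple[int, str]] = []

    def pre(self, name: str, default):
        """Value of a global stream at the previous position (offset -1)."""
        history = self.streams[name]
        return history[-1] if history else default

    def step(self, pkt: Packet) -> None:
        """Compute every output stream's value for the next input position."""
        bad = pkt.http_status is not None and 400 <= pkt.http_status < 500
        self.streams["bad"].append(bad)
        self.streams["bad_count"].append(self.pre("bad_count", 0) + int(bad))
        if bad:
            # Dynamic instantiation: a new per-source stream on its first bad request.
            instance = self.bad_by_src.setdefault(pkt.src, [])
            count = (instance[-1] if instance else 0) + 1
            instance.append(count)
            if count == self.threshold:
                self.alerts.append((self.position, pkt.src))
        self.position += 1


def run_monitor(packets, threshold: int = 3) -> StreamMonitor:
    """Feed a packet sequence through the monitor and return its final state."""
    monitor = StreamMonitor(threshold)
    for pkt in packets:
        monitor.step(pkt)
    return monitor


# Constructed sample traffic: two clients talking to one server (position in comments).
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "192.0.2.10", 404),   # 0: bad, 10.0.0.5 -> 1
    Packet("10.0.0.7", "192.0.2.10", 200),   # 1
    Packet("10.0.0.5", "192.0.2.10", 403),   # 2: bad, 10.0.0.5 -> 2
    Packet("10.0.0.7", "192.0.2.10", None),  # 3: non-HTTP packet
    Packet("10.0.0.7", "192.0.2.10", 400),   # 4: bad, 10.0.0.7 -> 1
    Packet("10.0.0.5", "192.0.2.10", 401),   # 5: bad, 10.0.0.5 -> 3, alert
    Packet("10.0.0.5", "192.0.2.10", 200),   # 6
    Packet("10.0.0.5", "192.0.2.10", 404),   # 7: bad, 10.0.0.5 -> 4
]

if __name__ == "__main__":
    m = run_monitor(SAMPLE_TRAFFIC)
    print("bad_count:", m.streams["bad_count"])
    print("per-source instances:", m.bad_by_src)
    print("alerts (position, src):", m.alerts)
```

The global streams advance once per input packet, while each `bad_by_src` instance advances only when its own source sends a bad request, which is the "own time scale" behaviour the abstract attributes to dynamically generated monitors. Sources that never send a bad request never get an instance, so the number of live instances is bounded by the number of misbehaving sources rather than by traffic volume.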

This work was partially supported by the German Research Foundation (DFG) in the Collaborative Research Center 1223 and by the Deutsche Telekom Foundation.


Notes

  1. https://suricata-ids.org.

  2. In Fig. 1 the extension stream of badHttpRequestInvoke is defined explicitly in the output stream. It could also have been defined separately by declaring another boolean output stream with the same condition.

  3. http://www.wireshark.org.

  4. http://mcfp.weebly.com.


Author information

Corresponding author: Bernd Finkbeiner.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Faymonville, P., Finkbeiner, B., Schirmer, S., Torfah, H. (2016). A Stream-Based Specification Language for Network Monitoring. In: Falcone, Y., Sánchez, C. (eds) Runtime Verification. RV 2016. Lecture Notes in Computer Science, vol 10012. Springer, Cham. https://doi.org/10.1007/978-3-319-46982-9_10

  • DOI: https://doi.org/10.1007/978-3-319-46982-9_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-46981-2

  • Online ISBN: 978-3-319-46982-9