Skip to main content
SpringerLink
Log in

Using CLIPS to Detect Network Intrusions

  • Conference paper
Progress in Artificial Intelligence (EPIA 2003)

Part of the book series: Lecture Notes in Computer Science ((LNAI,volume 2902))

Included in the following conference series:

Abstract

This paper shows how to build a network intrusion detection system by slightly modifying NASA’s CLIPS source code, introducing features such as single and multiple string pattern matching, certainty factors and time-stamp operators. Several Snort functions and plugins were adapted and used for packet decoding and preprocessing to provide the basic requirements for such a system. The integration of CLIPS and Snort features allows the specification of complex stateful network intrusion detection heuristics which can model abstract attack scenarios. The results show that CLIPS can be useful to follow and correlate intruder activities by monitoring network traffic.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Kumar, S.: Classification and Detection of Computer Intrusions. PhD thesis, Purdue, IN (1995)

    Google Scholar 

  2. Roesch, M.: Snort - lightweight intrusion detection for networks. In: Proceedings of LISA 1999: 13th Systems Administration Conference (1999)

    Google Scholar 

  3. Riley, G.: CLIPSAtool for building expert systems, http://www.ghg.net/clips/CLIPS.html

  4. Sebring, M.M., Shellhouse, E., Hanna, M.E., Whitehurst, R.A.: Expert systems in intrusion detection: A case study. In: Proceedings of 11th National Computer Security Conference, Baltimore, Maryland, National Institute of Standards and Technology/ National Computer Security Center, pp. 74–81 (1988)

    Google Scholar 

  5. Javitz, H.S., Valdes, A.: The SRI IDES statistical anomaly detector. In: Proceedings of the 1991 IEEE Symposium on Security and Privacy, Oakland, California, pp. 316–326. IEEE Computer Society Press, Los Alamitos (1991)

    Chapter  Google Scholar 

  6. Anderson, D., Frivold, T., Valdes, A.: Next-generation intrusion detection expert system (NIDES). Technical Report SRI-CSL-95-07, Computer Science Laboratory, SRI International (1995)

    Google Scholar 

  7. Lindqvist, U., Porras, P.A.: Detecting Computer and Network Misuse Through the Production- Based Expert System Toolset (P-BEST). In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, California (1999)

    Google Scholar 

  8. Habra, N., Charlier, B.L., Mounji, A., Mathieu, I.: ASAX: Software Architecture and Rule- Based Language for Universal Audit Trail Analysis. In: Deswarte, Y., Quisquater, J.-J., Eizenberg, G. (eds.) ESORICS 1992. LNCS, vol. 648, pp. 435–450. Springer, Heidelberg (1992)

    Chapter  Google Scholar 

  9. Ilgun, K.: USTAT: A real-time intrusion detection system for UNIX. In: Proceedings of the, IEEE Symposium on Research in Security and Privacy, Oakland, CA, pp. 16–28 (1993)

    Google Scholar 

  10. Crosbie, M., Dole, B., Ellis, T., Krsul, I., Spafford, E.: IDIOT - User Guide. Technical report (September 1996)

    Google Scholar 

  11. Vaccaro, H.S., Liepins, G.E.: Detection of anomalous computer session activity. In: Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, California, pp. 280–289. IEEE Computer Society Press, Los Alamitos (1989)

    Chapter  Google Scholar 

  12. Jackson, K.A., DuBois, D.H., Stallings, C.A.: An expert system application for network intrusion detection. In: Proceedings of the 14th National Computer Society Conference, Washington, D.C., National Institute of Standards and Technology/National Computer Society Center, pp. 215–225 (1991)

    Google Scholar 

  13. Giarratano, J.C.: CLIPS User’s Guide, Volume I - Basic Programming Guide (2002)

    Google Scholar 

  14. Forgy, C.L.: OPS5 User’s Manual. Technical Report CMU-CS-81-135, Carnegie Mellon University, Dept. of Computer Science (1981)

    Google Scholar 

  15. Forgy, C.: Rete:A Fast Algorithm for the Many Pattern/Many Object Pattern Match Problem. Artificial Intelegence, 17–37 (1982)

    Google Scholar 

  16. Jacobson, V., Leres, C., McCanne, S.: tcpdump, http://www.tcpdump.org

  17. McCanne, S., Jacobson, V.: The BSD Packet Filter: A New Architecture for User-Level Packet Capture. In: Proceedings of the 1993 Winter USENIX Conference, San Diego, CA (1993)

    Google Scholar 

  18. Roesch, M.: Snort Users Manual. Snort release: 1.9.x edn. (2002), http://www.snort.org

  19. Boyer, R.S., Moore, J.S.: A fast string searching algorithm. Communications of the ACM 20, 762–772 (1977)

    Article  Google Scholar 

  20. Aho, A., Corasick, M.: Efficient string matching: An aid to bibliographic search. Communications of the ACM 18, 333–343 (1975)

    Article  MATH  MathSciNet  Google Scholar 

  21. Jason Coit, C., McAlerney, J., Staniford, S.: Towards Faster String Matching for Intrusion Detection or Exceeding the Speed of Snort. In: Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX II 2001), p. 367 (2001)

    Google Scholar 

  22. Curry, D., Debar, H.: Intrusion Detection Message Exchange Format, Data Model and Extensible Markup Language, XML (2002) (work in progress), http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmefxml-07.txt

  23. Feinstein, B., Matthews, G., White, J.: The Intrusion Detection Exchange Protocol (IDXP) (2002) (work in progress), http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-05.txt

Download references

Author information

Authors and Affiliations

  1. Departamento de Informática, Escola de Engenharia, Universidade do Minho, Campus de Gualtar, 4710-057, Braga, Portugal

    Pedro Alipio, Paulo Carvalho & José Neves

Authors
  1. Pedro Alipio
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Paulo Carvalho
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. José Neves
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Departamento de Informática, Universidade de Évora, Rua Romão Ramalho, 59, 7000, Évora, Portugal

    Fernando Moura Pires

  2. Universidade de Évora and CENTRIA FCT/UNL, Portugal

    Salvador Abreu

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Alipio, P., Carvalho, P., Neves, J. (2003). Using CLIPS to Detect Network Intrusions. In: Pires, F.M., Abreu, S. (eds) Progress in Artificial Intelligence. EPIA 2003. Lecture Notes in Computer Science(), vol 2902. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24580-3_40

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-24580-3_40

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20589-0

  • Online ISBN: 978-3-540-24580-3

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation