A formal approach to intrusion detection

入侵检测的正式方法

• 批准号: RGPIN-2019-05327
• 负责人: Frappier, Marc
• 金额: $ 2.04万
• 依托单位: Université de Sherbrooke
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=738196
• 关键词: formal; approach; intrusion; detection

Cyber criminality is a flourishing industry. A recent report by Statistics Canada shows that Canadian businesses spent 14 G$ on cyber security in 2017, and 41 % of large business were impacted by a cyber security incident.  Intrusion detection systems are responsible for identifying cyber intrusions in an organisation. They monitor network traffic and host systems activity to detect malicious and abnormal behaviour.  The long-term objective of this research program is to develop a formally grounded intrusion detection approach. The idea is to explore how formal methods can help in efficiently building efficient IDS.  A first subgoal of this proposal is to design an appropriate set of notations to specify abstract intrusion detection rules.  A second subgoal is to define rules that can transform online detection rules into offline detection rules and vice-versa.  A third subgoal is to define algorithms to generate efficient intrusion detection monitor from specifications expressed in the notations proposed in the first subgoal.  A fourth subgoal is to define an approach to validate intrusion detection rules.  Our approach will be based on algebraic state-transition diagrams, an algebra that allows for the composition of state machines using process algebra operators.  This proposal lays a solid scientific foundation for the development of industrial strength tools that could efficiently protect the Canadian IT infrastructure, whose role is now essential for the proper functioning of modern society.

网络犯罪是一个蓬勃发展的行业。加拿大统计局最近的一份报告显示，2017年加拿大企业在网络安全方面的支出为14加元，41%的大型企业受到网络安全事件的影响。入侵检测系统负责识别组织中的网络入侵。它们监视网络流量和主机系统活动，以检测恶意和异常行为。本研究计划的长期目标是开发一种正式的入侵检测方法。其思想是探索形式化方法如何帮助有效地构建高效的IDS。该方案的第一个目标是设计一组适当的符号来指定抽象的入侵检测规则。第二个子目标是定义可以将在线检测规则转换为离线检测规则的规则，反之亦然。第三个子目标是定义算法，从第一个子目标中提出的符号表示的规范中生成有效的入侵检测监视器。第四个子目标是定义一种验证入侵检测规则的方法。我们的方法将基于代数状态转换图，这是一种允许使用进程代数操作符组合状态机的代数。该提案为工业实力工具的发展奠定了坚实的科学基础，这些工具可以有效地保护加拿大IT基础设施，其作用现在对现代社会的正常运作至关重要。