An interval temporal logic-based matching framework for finding occurrences of multi-event attack signatures

Temporal logic has the potential to become a powerful mechanism for both modeling and detection of attack signatures. But, although recently some very expressive attack representations and on-line monitoring tools have been proposed, such tools still suffer from a lack of sufficiently precise detection mechanisms. In particular, they can report only the existence of an attack instance and cannot locate precisely its occurrence in a monitored event stream. Precise location is a key to enabling proper verification and identification of an attack. In this paper, we propose a formal framework for multi-event attack signature detection, based on Interval Temporal Logic. Our framework formalizes the problem of finding the localizations of a number types of attack signature occurrences: the first, all, k-insertion and the shortest one. In our approach, we use the existing run-time monitoring mechanism developed for the EAGLE specification, and extend it by special rules to enable such localization tasks. Our approach works on-line, and our initial results demonstrate the effectiveness and efficiency of the proposed approach.