SlideShare a Scribd company logo

A Stream-Based Approach to Intrusion Detection

Sylvain Hallé, profile picture
Sylvain Hallé

1) The document proposes an approach to intrusion detection based on runtime verification by running monitors on every suffix of an event stream to detect multiple instances of patterns. 2) It describes techniques to prune redundant monitors by discarding those that remain in the initial state after the first event or reach the same state at the same step. 3) Retaining only the "progressing subsequence" of the stream that visits each new state in order further reduces the number of matches.

Technology
Related topics:
Information SecurityIntrusion Detection
1 of 77
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
S. Hallé Sylvain Hallé Université du Québec à Chicoutimi CANADA A Stream-Based Approach to Intrusion Detection CRSNG NSERC CHAPTER 9 November 26th, 2023
S. Hallé $ $$$$$ $$$$$ $$$$$ update of a stock price sensor reading link state of a video game user visi�ng a web page parcel being delivered / move in a chess game Events The expected behavior of an information system can be evaluated through the observation and analysis of events.
S. Hallé A stream is an ordered sequence of events of a given type. Streams ... ... Formally, if Σ is a set of events, a stream is a sequence σ ∈ Σ*. A stream processing calculation is a function: π : (Σ1* × ... ×Σm*) → (Σ1* × ... ×Σn*)
Z Z Z S. Hallé expected normal rou�ne nominal "ok" surprising out of the ordinary strange different "not ok" Anomaly / intrusion detection
S. Hallé Approaches A taxonomy of existing approaches classifies detection systems into three broad categories: Anomaly-based approaches: detect uncommon events, outliers, etc. Multi-agent-based approaches: cooperating units observe and interact with an environment Knowledge-based approaches: a priori information about expected behavior is compared with observations 1. 2. 3.
S. Hallé Dealing with volume Common issue with many approaches: high volume of alarms and related information
S. Hallé Dealing with volume Two possible ways to reduce volume: 1. Decrease false positive rate 2. Identify relevant information about the occurrence of an alarm 1 2 3 4 5 1 2 3 4 5 ... + + + +
S. Hallé Dealing with volume Two possible ways to reduce volume: 1. Decrease false positive rate 2. Identify relevant information about the occurrence of an alarm 1 2 3 4 5 1 2 3 4 5 ... + + + + this chapter
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Instrumentation
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Trace Events Instrumentation
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Monitor Trace Events Instrumentation
S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Monitor Trace Events Instrumentation Formal spec.
S. Hallé Pattern monitor The monitor is a process that updates a 3-valued verdict: ⊤ if the input stream contains the pattern ⊥ if the input stream can never* contain the pattern ? otherwise Example: "a eventually followed by b, then c" c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤ A monitor "stops" at the first occurrence of the pattern (i.e. cannot detect multiple instances) found! !
S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤ A monitor "stops" at the first occurrence of the pattern (i.e. cannot detect multiple instances) found! ! Limited feedback: location of last element of the pattern + everything that precedes ! all this may be relevant
S. Hallé Solution Run one instance of on every suffix of the input
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ?
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ? 6 7 8 9 ? ⊤ ? ? ? ? ? ? ? ?
S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ? 6 7 8 9 ? ⊤ ? ? ? ? ? ? ? ? Multiple matches for what is essentially the "same" pattern
S. Hallé Monitor state Access to the monitor's internal state opens the door to pruning tactics. * * * * a b c ? ? ? ⊤
S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤ ? ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤
S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤
S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤ Intuition: if the monitor does not change state after reading σ, then a stream σ is a match if and only if σ · σ is a match
S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4 ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ⊤ ⊤ ⊤
S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4
S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4
S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4 Intuition: if monitor i is in state s after reading σ · σ', and monitor j is in state s after reading σ', then σ' is a match iff σ · σ' is a match
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed ? ? ? ? ? ⊤ ⊤ ⊤
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed * ?
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed Intuition: if σ is a match, the progressing sub- sequence is the shortest subset of σ visiting each new state in the same order
S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 ? ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ⊤ ⊤ ⊤ ? ? ⊤ ? ? ? ⊤ ? ? ? ? ? ? ? ?
S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9
S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step
S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step same state +
S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step same state progressing + +
S. Hallé Pros and cons Pros Expects to be a (finite) state machine Limiting in terms of possible patterns that can be expressed Cons Pattern to look for can be any monitor Drastically reduces number of matches (and events retained in each match) Produces results that correspond to intuition
S. Hallé Pros and cons Pros Expects to be a (finite) state machine Limiting in terms of possible patterns that can be expressed Cons Pattern to look for can be any monitor Drastically reduces number of matches (and events retained in each match) Produces results that correspond to intuition does it?
S. Hallé Monitor state (revisited) A "state" can be deduced even for processes that are not expressed as state machines. Given a monitor 𝜋 : Σ* → Σ'*, a function 𝜄𝜋 : Σ* → 𝑆 is said to be a state function if, for every 𝜎1, 𝜎2 ∈ Σ*: 𝜄𝜋(𝜎1) = 𝜄𝜋(𝜎2) implies 𝜋(𝜎1 · 𝜎') = 𝜋(𝜎2 · 𝜎') for every 𝜎' ∈ Σ*.
S. Hallé Monitor state (revisited) A "state" can be deduced even for processes that are not expressed as state machines. Given a monitor 𝜋 : Σ* → Σ'*, a function 𝜄𝜋 : Σ* → 𝑆 is said to be a state function if, for every 𝜎1, 𝜎2 ∈ Σ*: 𝜄𝜋(𝜎1) = 𝜄𝜋(𝜎2) implies 𝜋(𝜎1 · 𝜎') = 𝜋(𝜎2 · 𝜎') for every 𝜎' ∈ Σ*. Intuition: two instances of 𝜋 are in the "same state" if they have identical behavior for any future events they read
S. Hallé Introducing BeepBeep is an open source library written in Java and developed at UQAC since 2015. Centered on the notion of processor, a computation unit that ingests input events and produces output events: h�ps://liflab.github.io/beepbeep-3 P processor input pipe event output pipe
S. Hallé Introducing Complex calculations can be achieved through composition (i.e. passing the output of a processor to the input of another). Doing so creates processor chains or "pipelines":
S. Hallé ,φ ψ f π ⊻ ⊻ n { π π Sequence Eventual disjunction Eventual conjunction Eventual occurrence Existential window Existential slice Monitors in BeepBeep has been extended with a set of processors acting as monitors. Recognize an elementary pattern of events Provide a state function Can identify their progressing sub-sequence
S. Hallé Monitors in ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 "a eventually followed by b, then c" Complex monitors can be obtained by freely composing these processors
S. Hallé Explainability in BeepBeep allows processors to define associations between output events and input events —a feature called explainability.* P 1 P 2 S. Hallé. (2020). Explainable Queries over Event Logs. Proc. EDOC 2020. IEEE Computer Society. DOI: 10.1109/EDOC49727.2020.00029 * Monitors associate their verdict to the progressing sub-sequence of their input.
S. Hallé Monitors in ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 "a eventually followed by b, then c" The progressing sub-sequence of each processor can be propagated upstream AbABbC AbABbC AbABbC AbABbC ⊤⊤⊤⊤⊤⊤ ???⊤⊤⊤ ?????⊤ ???⊤⊤⊤ AabcAaBabbCa ?????⊤
S. Hallé Usage Sample script in Java: CountDecimate d = new CountDecimate(2); Fork f = new Fork(3); SomeEventually a = new SomeEventually( new ApplyFunction(new Equals("a"))); SomeEventually b = new SomeEventually( new ApplyFunction(new Equals("b"))); SomeEventually c = new SomeEventually( new ApplyFunction(new Equals("c"))); Sequence s1 = new Sequence(); Sequence s2 = new Sequence(); EventTracker t = new IndexEventTracker(); Connector con = new Connector(t); con.connect(d, 0, f, 0).connect(f, 0, a, 0) .connect(f, 1, b, 0).connect(f, 2, c, 0) .connect(a, 0, s1, 0).connect(b, 0, s1, 1) .connect(s1, 0, s2, 0).connect(c, 0, s2, 1); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5
S. Hallé Usage FindPattern fp = new FindPattern(g); Connector.connect(fp, new Print()); for (char e : "AabcAaBabbCa".toCharArray()) fp.getPushableInput().push(e); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Detecting the pattern and producing the witness: Produces the output: {(1,1), (1,7), (1,11)}
S. Hallé Usage FindPattern fp = new FindPattern(g); Connector.connect(fp, new Print()); for (char e : "AabcAaBabbCa".toCharArray()) fp.getPushableInput().push(e); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Detecting the pattern and producing the witness: Produces the output: {(1,1), (1,7), (1,11)}
S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions
S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Linear sequence Declare a match when n successive events are observed ptrace exploit
S. Hallé ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Linear sequence
S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
S. Hallé f B 1 =? f A 1 =? ⊻ ,φ ψ f D 1 =? f C 1 =? ,φ ψ f F 1 =? f E 1 =? ,φ ψ ⊻ Combined
S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Incomplete Declare a match when more than n instances of a sequential pattern are incomplete SYN flooding Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
S. Hallé f A =? ,φ ψ f f =? 1 ? 0 1 f B B =? B A 1 f > 1 k 4 ↑ Σ ⊻ ? 2 3 5 Incomplete
S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Incomplete Declare a match when more than n instances of a sequential pattern are incomplete Threshold Declare a match when more than n instances of a pattern have been observed Remote Access Trojan SYN flooding Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
S. Hallé A f f # > 1 k Σ B { } ∪ 1 2 3 4 5 ∨ Σ Threshold
S. Hallé Results Do the pruning strategies reduce the number of matches?
S. Hallé Results Do the pruning strategies reduce the number of matches? Linear sequence Combined Incomplete Threshold 0 50 100 150 200 250 300 None First step Distinct states Progressing Matches
S. Hallé Results Do the pruning strategies reduce the number of events included as witnesses?
S. Hallé Results Do the pruning strategies reduce the number of events included as witnesses? Linear sequence Combined Incomplete Threshold 0 0.2 0.4 0.6 0.8 1 1.2 None First step Distinct states Progressing Fraction of events included
S. Hallé Results What is the impact of the pruning strategies on processing time?
S. Hallé Results What is the impact of the pruning strategies on processing time? Linear sequence Combined Incomplete Threshold 0 200 400 600 800 1000 1200 1400 None First step Distinct states Progressing Time (ms)
S. Hallé Take-home points Attack/intrusion patterns can be formalized as runtime monitors Stream processing pipelines allow the expression of complex monitors Reducing the volume of data produced by pattern matches can be done using simple state-based pruning strategies on these monitors A proof-of-concept implementation of these notions in a stream processing engine shows that intuitive incident reports can be produced automatically
S. Hallé For more information https://liflab.ca https://liflab.github.io/beepbeep-3

More Related Content

PDF
Event Stream Processing with BeepBeep 3
Sylvain Hallé
 
PDF
AI Lesson 04
Assistant Professor
 
PDF
A formalization of complex event stream processing
Sylvain Hallé
 
PPTX
Compiler Design_Code Optimization tech.pptx
RushaliDeshmukh2
 
PPT
Chapter3 Search
Khiem Ho
 
PPT
m3-searchAbout AI About AI About AI1.ppt
RaghuBR9
 
PPTX
Complete and Interpretable Conformance Checking of Business Processes
Marlon Dumas
 
PDF
Approximation Data Structures for Streaming Applications
Debasish Ghosh
 
Event Stream Processing with BeepBeep 3
Sylvain Hallé
 
AI Lesson 04
Assistant Professor
 
A formalization of complex event stream processing
Sylvain Hallé
 
Compiler Design_Code Optimization tech.pptx
RushaliDeshmukh2
 
Chapter3 Search
Khiem Ho
 
m3-searchAbout AI About AI About AI1.ppt
RaghuBR9
 
Complete and Interpretable Conformance Checking of Business Processes
Marlon Dumas
 
Approximation Data Structures for Streaming Applications
Debasish Ghosh
 

Similar to A Stream-Based Approach to Intrusion Detection (20)

PPT
Ch10
kinnarshah8888
 
PDF
Ay4201347349
IJERA Editor
 
PDF
Mining Adaptively Frequent Closed Unlabeled Rooted Trees in Data Streams
Albert Bifet
 
KEY
Verification with LoLA
Universität Rostock
 
PDF
Basics of Dynamic programming
Yan Xu
 
KEY
Defense
Luca Foschini
 
PDF
Actors for Behavioural Simulation
ClarkTony
 
PDF
Low-Cost Approximate and Adaptive Techniques for the Internet of Things
Demetris Trihinas
 
PDF
Introduction to Artificial Intelligence with Python, CS50 Approach - GDG on C...
Google Developer Group On Campus European Universities in Egypt
 
PPTX
Artificial intelligence searches
rida mariam
 
PDF
Mining event streams with BeepBeep 3
Sylvain Hallé
 
PDF
Efficient Offline Monitoring of LTL with Bit Vectors (Talk at SAC 2021)
Sylvain Hallé
 
PPTX
FPPM algorithm
Ashis Kumar Chanda
 
PPTX
An efficient approach to mine flexible periodic patterns in time series datab...
Ashis Chanda
 
PPT
03 search blind
Nour Zeineddine
 
PDF
Test Sequence Generation with Cayley Graphs (Talk @ A-MOST 2021)
Sylvain Hallé
 
PPTX
CS2303-TOC.pptx
PEzhumalai
 
PPTX
Lec#2
Ali Shah
 
PDF
An AsmL model for an Intelligent Vehicle Control System
infopapers
 
PPT
Different Search Techniques used in AI.ppt
jayrajsinghkardam
 
Ch10
kinnarshah8888
 
Ay4201347349
IJERA Editor
 
Mining Adaptively Frequent Closed Unlabeled Rooted Trees in Data Streams
Albert Bifet
 
Verification with LoLA
Universität Rostock
 
Basics of Dynamic programming
Yan Xu
 
Defense
Luca Foschini
 
Actors for Behavioural Simulation
ClarkTony
 
Low-Cost Approximate and Adaptive Techniques for the Internet of Things
Demetris Trihinas
 
Introduction to Artificial Intelligence with Python, CS50 Approach - GDG on C...
Google Developer Group On Campus European Universities in Egypt
 
Artificial intelligence searches
rida mariam
 
Mining event streams with BeepBeep 3
Sylvain Hallé
 
Efficient Offline Monitoring of LTL with Bit Vectors (Talk at SAC 2021)
Sylvain Hallé
 
FPPM algorithm
Ashis Kumar Chanda
 
An efficient approach to mine flexible periodic patterns in time series datab...
Ashis Chanda
 
03 search blind
Nour Zeineddine
 
Test Sequence Generation with Cayley Graphs (Talk @ A-MOST 2021)
Sylvain Hallé
 
CS2303-TOC.pptx
PEzhumalai
 
Lec#2
Ali Shah
 
An AsmL model for an Intelligent Vehicle Control System
infopapers
 
Different Search Techniques used in AI.ppt
jayrajsinghkardam
 
Ad

More from Sylvain Hallé (20)

PDF
A Tree-Based Definition of Business Process Conformance (Talk @ EDOC 2024)
Sylvain Hallé
 
PDF
Monitoring Business Process Compliance Across Multiple Executions with Stream...
Sylvain Hallé
 
PDF
Smart Contracts-Enabled Simulation for Hyperconnected Logistics
Sylvain Hallé
 
PDF
Test Suite Generation for Boolean Conditions with Equivalence Class Partitioning
Sylvain Hallé
 
PDF
Synthia: a Generic and Flexible Data Structure Generator (Long Version)
Sylvain Hallé
 
PDF
A Generic Explainability Framework for Function Circuits
Sylvain Hallé
 
PDF
Detecting Responsive Web Design Bugs with Declarative Specifications
Sylvain Hallé
 
PDF
Streamlining the Inclusion of Computer Experiments in Research Papers
Sylvain Hallé
 
PDF
Writing Domain-Specific Languages for BeepBeep
Sylvain Hallé
 
PDF
Real-Time Data Mining for Event Streams
Sylvain Hallé
 
PDF
Technologies intelligentes d'aide au développement d'applications web (WAQ 2018)
Sylvain Hallé
 
PDF
LabPal: Repeatable Computer Experiments Made Easy (ACM Workshop Talk)
Sylvain Hallé
 
PDF
A "Do-It-Yourself" Specification Language with BeepBeep 3 (Talk @ Dagstuhl 2017)
Sylvain Hallé
 
PDF
Event Stream Processing with Multiple Threads
Sylvain Hallé
 
PDF
A Few Things We Heard About RV Tools (Position Paper)
Sylvain Hallé
 
PDF
Solving Equations on Words with Morphisms and Antimorphisms
Sylvain Hallé
 
PDF
Runtime monitoring de propriétés temporelles par (streaming) XML
Sylvain Hallé
 
PDF
La quantification du premier ordre en logique temporelle
Sylvain Hallé
 
PDF
When RV Meets CEP (RV 2016 Tutorial)
Sylvain Hallé
 
PDF
Decentralized Enforcement of Artifact Lifecycles
Sylvain Hallé
 
A Tree-Based Definition of Business Process Conformance (Talk @ EDOC 2024)
Sylvain Hallé
 
Monitoring Business Process Compliance Across Multiple Executions with Stream...
Sylvain Hallé
 
Smart Contracts-Enabled Simulation for Hyperconnected Logistics
Sylvain Hallé
 
Test Suite Generation for Boolean Conditions with Equivalence Class Partitioning
Sylvain Hallé
 
Synthia: a Generic and Flexible Data Structure Generator (Long Version)
Sylvain Hallé
 
A Generic Explainability Framework for Function Circuits
Sylvain Hallé
 
Detecting Responsive Web Design Bugs with Declarative Specifications
Sylvain Hallé
 
Streamlining the Inclusion of Computer Experiments in Research Papers
Sylvain Hallé
 
Writing Domain-Specific Languages for BeepBeep
Sylvain Hallé
 
Real-Time Data Mining for Event Streams
Sylvain Hallé
 
Technologies intelligentes d'aide au développement d'applications web (WAQ 2018)
Sylvain Hallé
 
LabPal: Repeatable Computer Experiments Made Easy (ACM Workshop Talk)
Sylvain Hallé
 
A "Do-It-Yourself" Specification Language with BeepBeep 3 (Talk @ Dagstuhl 2017)
Sylvain Hallé
 
Event Stream Processing with Multiple Threads
Sylvain Hallé
 
A Few Things We Heard About RV Tools (Position Paper)
Sylvain Hallé
 
Solving Equations on Words with Morphisms and Antimorphisms
Sylvain Hallé
 
Runtime monitoring de propriétés temporelles par (streaming) XML
Sylvain Hallé
 
La quantification du premier ordre en logique temporelle
Sylvain Hallé
 
When RV Meets CEP (RV 2016 Tutorial)
Sylvain Hallé
 
Decentralized Enforcement of Artifact Lifecycles
Sylvain Hallé
 
Ad

Recently uploaded (20)

PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
KodekX | Application Modernization Development
KodekX
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Cloud computing and distributed systems.
kkkkkhan
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 

A Stream-Based Approach to Intrusion Detection

  • 1. S. Hallé Sylvain Hallé Université du Québec à Chicoutimi CANADA A Stream-Based Approach to Intrusion Detection CRSNG NSERC CHAPTER 9 November 26th, 2023
  • 2. S. Hallé $ $$$$$ $$$$$ $$$$$ update of a stock price sensor reading link state of a video game user visi�ng a web page parcel being delivered / move in a chess game Events The expected behavior of an information system can be evaluated through the observation and analysis of events.
  • 3. S. Hallé A stream is an ordered sequence of events of a given type. Streams ... ... Formally, if Σ is a set of events, a stream is a sequence σ ∈ Σ*. A stream processing calculation is a function: π : (Σ1* × ... ×Σm*) → (Σ1* × ... ×Σn*)
  • 4. Z Z Z S. Hallé expected normal rou�ne nominal "ok" surprising out of the ordinary strange different "not ok" Anomaly / intrusion detection
  • 5. S. Hallé Approaches A taxonomy of existing approaches classifies detection systems into three broad categories: Anomaly-based approaches: detect uncommon events, outliers, etc. Multi-agent-based approaches: cooperating units observe and interact with an environment Knowledge-based approaches: a priori information about expected behavior is compared with observations 1. 2. 3.
  • 6. S. Hallé Dealing with volume Common issue with many approaches: high volume of alarms and related information
  • 7. S. Hallé Dealing with volume Two possible ways to reduce volume: 1. Decrease false positive rate 2. Identify relevant information about the occurrence of an alarm 1 2 3 4 5 1 2 3 4 5 ... + + + +
  • 8. S. Hallé Dealing with volume Two possible ways to reduce volume: 1. Decrease false positive rate 2. Identify relevant information about the occurrence of an alarm 1 2 3 4 5 1 2 3 4 5 ... + + + + this chapter
  • 9. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification
  • 10. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System
  • 11. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Instrumentation
  • 12. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Trace Events Instrumentation
  • 13. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Monitor Trace Events Instrumentation
  • 14. S. Hallé Enter RV Proposed approach: intrusion/attack detection as a form of Runtime Verification System Monitor Trace Events Instrumentation Formal spec.
  • 15. S. Hallé Pattern monitor The monitor is a process that updates a 3-valued verdict: ⊤ if the input stream contains the pattern ⊥ if the input stream can never* contain the pattern ? otherwise Example: "a eventually followed by b, then c" c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤
  • 16. S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤
  • 17. S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤ A monitor "stops" at the first occurrence of the pattern (i.e. cannot detect multiple instances) found! !
  • 18. S. Hallé Shortcomings c a b a b a c b c ? ? ? ? ? ? ⊤ ⊤ ⊤ A monitor "stops" at the first occurrence of the pattern (i.e. cannot detect multiple instances) found! ! Limited feedback: location of last element of the pattern + everything that precedes ! all this may be relevant
  • 19. S. Hallé Solution Run one instance of on every suffix of the input
  • 20. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c
  • 21. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤
  • 22. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤
  • 23. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤
  • 24. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤
  • 25. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ?
  • 26. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ? 6 7 8 9 ? ⊤ ? ? ? ? ? ? ? ?
  • 27. S. Hallé Solution Run one instance of on every suffix of the input c a b a b a c b c 1 ? ? ? ? ? ? ⊤ ⊤ ⊤ 2 ? ? ? ? ? ⊤ ⊤ ⊤ 3 ? ? ? ? ⊤ ⊤ ⊤ 4 ? ? ? ⊤ ⊤ ⊤ 5 ? ? ⊤ ? ? 6 7 8 9 ? ⊤ ? ? ? ? ? ? ? ? Multiple matches for what is essentially the "same" pattern
  • 28. S. Hallé Monitor state Access to the monitor's internal state opens the door to pruning tactics. * * * * a b c ? ? ? ⊤
  • 29. S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤ ? ? ? ? ? ? ⊤ ⊤ ⊤
  • 30. S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤
  • 31. S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤
  • 32. S. Hallé First step Pruning tactic #1 Discard monitors that remain in their initial state after consuming the first event c a b a b a c b c 1 * * * * a b c ? ? ? ⊤ Intuition: if the monitor does not change state after reading σ, then a stream σ is a match if and only if σ · σ is a match
  • 33. S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4 ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ⊤ ⊤ ⊤
  • 34. S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4
  • 35. S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4
  • 36. S. Hallé Unique state Pruning tactic #2 Discard monitors that reach the same state at the same step c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ 4 Intuition: if monitor i is in state s after reading σ · σ', and monitor j is in state s after reading σ', then σ' is a match iff σ · σ' is a match
  • 37. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed ? ? ? ? ? ⊤ ⊤ ⊤
  • 38. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
  • 39. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
  • 40. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed * ?
  • 41. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed
  • 42. S. Hallé Progressing subsequence Pruning tactic #3 Retain only the progressing sub-sequence of the input c a b a b a c b c 2 * * * * a b c ? ? ? ⊤ ⇒ all loops in the state space are removed Intuition: if σ is a match, the progressing sub- sequence is the shortest subset of σ visiting each new state in the same order
  • 43. S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 ? ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ? ⊤ ⊤ ⊤ ? ? ? ⊤ ⊤ ⊤ ? ? ⊤ ? ? ? ⊤ ? ? ? ? ? ? ? ?
  • 44. S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9
  • 45. S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step
  • 46. S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step same state +
  • 47. S. Hallé Comparison c a b a b a c b c 1 2 3 4 5 6 7 8 9 1 2 3 4 5 6 7 8 9 first-step same state progressing + +
  • 48. S. Hallé Pros and cons Pros Expects to be a (finite) state machine Limiting in terms of possible patterns that can be expressed Cons Pattern to look for can be any monitor Drastically reduces number of matches (and events retained in each match) Produces results that correspond to intuition
  • 49. S. Hallé Pros and cons Pros Expects to be a (finite) state machine Limiting in terms of possible patterns that can be expressed Cons Pattern to look for can be any monitor Drastically reduces number of matches (and events retained in each match) Produces results that correspond to intuition does it?
  • 50. S. Hallé Monitor state (revisited) A "state" can be deduced even for processes that are not expressed as state machines. Given a monitor 𝜋 : Σ* → Σ'*, a function 𝜄𝜋 : Σ* → 𝑆 is said to be a state function if, for every 𝜎1, 𝜎2 ∈ Σ*: 𝜄𝜋(𝜎1) = 𝜄𝜋(𝜎2) implies 𝜋(𝜎1 · 𝜎') = 𝜋(𝜎2 · 𝜎') for every 𝜎' ∈ Σ*.
  • 51. S. Hallé Monitor state (revisited) A "state" can be deduced even for processes that are not expressed as state machines. Given a monitor 𝜋 : Σ* → Σ'*, a function 𝜄𝜋 : Σ* → 𝑆 is said to be a state function if, for every 𝜎1, 𝜎2 ∈ Σ*: 𝜄𝜋(𝜎1) = 𝜄𝜋(𝜎2) implies 𝜋(𝜎1 · 𝜎') = 𝜋(𝜎2 · 𝜎') for every 𝜎' ∈ Σ*. Intuition: two instances of 𝜋 are in the "same state" if they have identical behavior for any future events they read
  • 52. S. Hallé Introducing BeepBeep is an open source library written in Java and developed at UQAC since 2015. Centered on the notion of processor, a computation unit that ingests input events and produces output events: h�ps://liflab.github.io/beepbeep-3 P processor input pipe event output pipe
  • 53. S. Hallé Introducing Complex calculations can be achieved through composition (i.e. passing the output of a processor to the input of another). Doing so creates processor chains or "pipelines":
  • 54. S. Hallé ,φ ψ f π ⊻ ⊻ n { π π Sequence Eventual disjunction Eventual conjunction Eventual occurrence Existential window Existential slice Monitors in BeepBeep has been extended with a set of processors acting as monitors. Recognize an elementary pattern of events Provide a state function Can identify their progressing sub-sequence
  • 55. S. Hallé Monitors in ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 "a eventually followed by b, then c" Complex monitors can be obtained by freely composing these processors
  • 56. S. Hallé Explainability in BeepBeep allows processors to define associations between output events and input events —a feature called explainability.* P 1 P 2 S. Hallé. (2020). Explainable Queries over Event Logs. Proc. EDOC 2020. IEEE Computer Society. DOI: 10.1109/EDOC49727.2020.00029 * Monitors associate their verdict to the progressing sub-sequence of their input.
  • 57. S. Hallé Monitors in ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 "a eventually followed by b, then c" The progressing sub-sequence of each processor can be propagated upstream AbABbC AbABbC AbABbC AbABbC ⊤⊤⊤⊤⊤⊤ ???⊤⊤⊤ ?????⊤ ???⊤⊤⊤ AabcAaBabbCa ?????⊤
  • 58. S. Hallé Usage Sample script in Java: CountDecimate d = new CountDecimate(2); Fork f = new Fork(3); SomeEventually a = new SomeEventually( new ApplyFunction(new Equals("a"))); SomeEventually b = new SomeEventually( new ApplyFunction(new Equals("b"))); SomeEventually c = new SomeEventually( new ApplyFunction(new Equals("c"))); Sequence s1 = new Sequence(); Sequence s2 = new Sequence(); EventTracker t = new IndexEventTracker(); Connector con = new Connector(t); con.connect(d, 0, f, 0).connect(f, 0, a, 0) .connect(f, 1, b, 0).connect(f, 2, c, 0) .connect(a, 0, s1, 0).connect(b, 0, s1, 1) .connect(s1, 0, s2, 0).connect(c, 0, s2, 1); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5
  • 59. S. Hallé Usage FindPattern fp = new FindPattern(g); Connector.connect(fp, new Print()); for (char e : "AabcAaBabbCa".toCharArray()) fp.getPushableInput().push(e); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Detecting the pattern and producing the witness: Produces the output: {(1,1), (1,7), (1,11)}
  • 60. S. Hallé Usage FindPattern fp = new FindPattern(g); Connector.connect(fp, new Print()); for (char e : "AabcAaBabbCa".toCharArray()) fp.getPushableInput().push(e); ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Detecting the pattern and producing the witness: Produces the output: {(1,1), (1,7), (1,11)}
  • 61. S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions
  • 62. S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Linear sequence Declare a match when n successive events are observed ptrace exploit
  • 63. S. Hallé ,φ ψ ,φ ψ f B 1 =? f C 1 =? f A 1 =? 2 1 2 3 4 6 7 5 Linear sequence
  • 64. S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
  • 65. S. Hallé f B 1 =? f A 1 =? ⊻ ,φ ψ f D 1 =? f C 1 =? ,φ ψ f F 1 =? f E 1 =? ,φ ψ ⊻ Combined
  • 66. S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Incomplete Declare a match when more than n instances of a sequential pattern are incomplete SYN flooding Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
  • 67. S. Hallé f A =? ,φ ψ f f =? 1 ? 0 1 f B B =? B A 1 f > 1 k 4 ↑ Σ ⊻ ? 2 3 5 Incomplete
  • 68. S. Hallé Examples Pattern monitors have been implemented to detect "distilled" versions of real-world attacks and intrusions Incomplete Declare a match when more than n instances of a sequential pattern are incomplete Threshold Declare a match when more than n instances of a pattern have been observed Remote Access Trojan SYN flooding Linear sequence Declare a match when n successive events are observed Combined Declare a match when n other patterns have been observed GandCrab attack ptrace exploit
  • 69. S. Hallé A f f # > 1 k Σ B { } ∪ 1 2 3 4 5 ∨ Σ Threshold
  • 70. S. Hallé Results Do the pruning strategies reduce the number of matches?
  • 71. S. Hallé Results Do the pruning strategies reduce the number of matches? Linear sequence Combined Incomplete Threshold 0 50 100 150 200 250 300 None First step Distinct states Progressing Matches
  • 72. S. Hallé Results Do the pruning strategies reduce the number of events included as witnesses?
  • 73. S. Hallé Results Do the pruning strategies reduce the number of events included as witnesses? Linear sequence Combined Incomplete Threshold 0 0.2 0.4 0.6 0.8 1 1.2 None First step Distinct states Progressing Fraction of events included
  • 74. S. Hallé Results What is the impact of the pruning strategies on processing time?
  • 75. S. Hallé Results What is the impact of the pruning strategies on processing time? Linear sequence Combined Incomplete Threshold 0 200 400 600 800 1000 1200 1400 None First step Distinct states Progressing Time (ms)
  • 76. S. Hallé Take-home points Attack/intrusion patterns can be formalized as runtime monitors Stream processing pipelines allow the expression of complex monitors Reducing the volume of data produced by pattern matches can be done using simple state-based pruning strategies on these monitors A proof-of-concept implementation of these notions in a stream processing engine shows that intuitive incident reports can be produced automatically
  • 77. S. Hallé For more information https://liflab.ca https://liflab.github.io/beepbeep-3