
    An Approach to Represent and Transform Application Specific Constraints for an Intrusion Detection System.

    Author
    Babar, Ayesha
    Abstract
    While the need for newer and more efficient network security techniques is increasing, refining existing, proven techniques can also yield benefits. One such improvement is making existing systems flexible enough to adapt to modification. Currently we have an intrusion detection system (IDS) that defines the normal patterns of network behaviour using constraints. Failure of these network constraints indicates an intrusion in the network. The IDS dissects network packets into network information to evaluate the constraints. In this research, we augment the existing IDS to validate constraints defined on application data by further dissecting the data carried in the network packets. We define data constraints to find possible malicious inconsistencies in the application data of a closed network, such as Air Traffic Control (ATC).

    An ontology is defined for the domain of ATC. We use the ATC ontology for ATC domain data representation and threat evaluation. We modify an existing air traffic system simulation that generates ATC data and use it to generate both clean and malicious data. The data is then structured using the rules and relations in the air traffic control ontology. Rules and queries representing detectable threats are then developed for this data. The queries are then transformed into application data constraints readable by the IDS. Presently this transformation specification is manual. In the future, the IDS will be updated to perform the transformation automatically, using the sequence of steps specified in the manual transformation.

    Finally, we demonstrate the working of the application constraints and queries for detecting violations. The data constraints are written in the same domain-specific language (DSL) already used for the IDS. Moreover, we highlight the change required by the DSL and the transformation to generate for the constraint engine of the IDS. The research successfully produces a proof of concept for representing the presence of an application data attack at the network level.

    In the end, by validating the domain data constraints with the IDS, we assert that the ATC domain data constraints are transformed and enforced at the network level. The proposed representation and manual transformation specification demonstrate the possibility of adding and testing new changes to critical systems with ease.
    URI for this record
    http://hdl.handle.net/1974/27685
    Collections
    • Department of Electrical and Computer Engineering Graduate Theses
    • Queen's Graduate Theses and Dissertations

    DSpace software copyright © 2002-2015  DuraSpace