Programming Research Group
Research Report RR-02-03
Applying ILP to the learning of intrusion strategies
Steve Moyle and John Heasman
October 2002, 20pp.
Abstract
Intrusion detection is the identification of potential breaches in
computer security policy. The objective of an attacker is often to gain
access to a system that they are not authorised to use. The attacker
achieves this by exploiting a (known) software vulnerability by sending
the system a particular input. Current intrusion detection systems
examine input for syntactic signatures of known intrusions. This work
demonstrates that logic programming is a suitable formalism for specifying
the semantics of attacks. Logic programs can then be used as a means of
detecting attacks in previously unseen inputs. Furthermore, ILP can be
used to induce detection clauses from examples of attacks. Experiments
in learning ten different strategies
to exploit one particular vulnerability demonstrate that accurate theories
can be generated from very few attack examples.
This paper is available as a 245949 bytes gzipped PostScript file.