Generating IDS Detectors based on Protocol Specifications

Current approaches to Intrusion Detection are not able to cope with previously unknown protocols, e.g. protocols defined through protocol negotiation. While methods are available to automate the process of describing and even building rudimentary detectors, the resulting systems do not reach far enough. Solutions like GAPAL [1] and binpac [2] rely on manually embedded code blocks and do not allow for fully automated generation of complete detectors. We propose an approach to better automate the generation of detectors by defining an SDL-based XML protocol specification language and a detection framework. Protocols specified in our lan-guage are abstract parameterizations for this framework and generate its specific instances. The specification language and the detection framework include the following main aspects of protocol specification: header format, static constraints, and state machines. The specification of the header format is required to parse data units of the protocol. Using the static constraints malformed data units can be de-tected - finally, the state machine specification allows to detect illegal messages and state transitions associated with them.