Title :
Logic induction of valid behavior specifications for intrusion detection
Author_Institution :
NAI Labs., Network Associates Inc., USA
Abstract :
This paper introduces an automated technique for constructing valid behavior specifications of programs (at the system call level) that are independent of system vulnerabilities and are highly effective in identifying intrusions. The technique employs a machine learning method, inductive logic programming (ILP), to synthesize first-order logic formulas that describe the valid operations of a program from the program's normal runs. ILP, backed by theories and techniques extended from computational logic, allows complex domain-specific background knowledge to be used in the learning process to produce sound and consistent knowledge. A specification induction engine has been developed by extending an existing ILP tool and has been used to construct specifications for several (>10) privileged programs in Unix. Coupled with rich background knowledge in systems and security, the prototype induction engine generates human-understandable and analyzable specifications that are as good as those written by a human. Preliminary experiments with existing attacks show that the generated specifications are highly effective in detecting attacks that subvert privileged programs to gain unauthorized access to resources.
Keywords :
Unix; formal logic; inductive logic programming; learning by example; security of data; Unix; computational logic; experiments; first order logic; induction engine; inductive logic programming; intrusion detection; logic induction; machine learning; specification induction engine; system call level; system vulnerabilities; valid behavior specifications; Computer security; Databases; Engines; Humans; Induction generators; Intrusion detection; Learning systems; Logic; Prototypes;
Conference_Title :
Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on
Conference_Location :
Berkeley, CA
Print_ISBN :
0-7695-0665-8
DOI :
10.1109/SECPRI.2000.848452