Project 35: A platform for monitor definition, integration, and synthesis
  1. Project 35: A platform for monitor definition, integration, and synthesis
  Students: Hesham Yassin, Sari Sadiya
  Supervisors: Tamer Salman, Ronen Levy

  2. Objectives
  • Our main objective was to construct a platform in which a user can define, integrate and synthesize monitors for traffic analysis. This included:
    • constructing a language for monitor definition: MSL prime;
    • creating a GUI in which the user can define monitors;
    • creating an interpreter from our MSL language to compilable C++ code.
  • One should note that the platform is "purpose generic" and can support any kind of data analysis where temporal expressions are used (financial transactions, physical interactions, ...).
  • In this presentation, however, we focus on the "traffic monitoring for security" aspects of the tool.

  3. Methodology
  • The monitor specification language MSL prime was derived from known temporal logic languages such as PSL and SVA and modified for user convenience and functionality.
  • JJTree was used to create an interpreter from MSL prime to "augmented C++" files containing PSL blocks. These are in turn passed to an IBM tool that produces clean C++ files.
  • The SWT platform was used to create the GUI. It was edited in Eclipse and compiled with Java SE 7.
  • Development was performed on a 32-bit Linux machine. The IBM tool, however, runs only on 64-bit machines, so we use VMware Player to run a 64-bit virtual machine.

  4. Deliverables
  • Our GUI supports all the required functionality, such as adding new events, actions and monitors. Moreover, we developed a "Template" feature that allows the definition of templates, enabling the "simple user" to write events in plain English without any knowledge of MSL prime.
  • When the events, actions and monitors are exported, the interpretation component produces "augmented C++" files (C++ code with PSL blocks) to be compiled by the script.
  • Our runMonitor script receives the output files of the GUI, compiles them and analyzes a given traffic file.

  5. Tool chain (slide 5 is a pipeline diagram; only its box labels survive in the transcript)
  Boxes on the slide: GUI, Export from the GUI, MSL files, MSL interpreter, Augmented C++ files, IBM TOOL, C++ files, myMonitors, Traffic txt file, ./runMonitor, Language packet.
  Read together with slides 3 and 4, the flow is: the GUI exports MSL files; the MSL interpreter turns them into augmented C++ files; the IBM tool turns those into clean C++ files; ./runMonitor compiles the C++ files and runs them over the traffic txt file.

  6. Template usage examples
  • Suppose you wish to monitor all traffic originating from Organization A and destined to Organization B.
  • A user proficient in MSL prime may write the template:

      A is between B and C
          ((B <= A) && (A <= C))

  • Now any user can simply define the event:

      From_A_To_B
          {Ip_src is between OrgAL and OrgAU} and {Ip_dest is between OrgBL and OrgBU}

  • The interpreter expands this into an augmented C++ event with a PSL block (shown on the slide for the instance where the bounds are the IBM and Tech address ranges; ip_des on the slide is a typo for ip_dest):

      event: eventbegin:
      bool event_result = false;
      <psl>
        detect<int>{ true[*]; (((ipIBM <= ip_src) && (ip_src <= ipUIBM)) && ((ipLTech <= ip_dest) && (ip_dest <= ipUTech))) } ${ event_result = true }$
      return event_result;
      }

  • The IBM tool then produces the clean C++ monitor logic; the slide shows only the opening fragment of that generated code:

      // Monitor logic
      ctx->startCycle();
      for (PropertyInstance<int>* inst = ctx->firstInstance(); inst; inst = ctx->nextInstance()) {
          int lv = inst->loadValue();
          bool ___var_0, ___var_1;
          {
              lv = inst->loadValue();
              if ((*inst)[0]) {

  7. Template usage examples (continued)
  • This enables the user to define the monitor:

      monitor: A_to_B;
      monitorbegin
        if all {From_A_To_B} then {action_A_to_B}
      monitorend

  • without any prior knowledge of MSL prime or any other temporal logic language.
  • This monitor detects when a machine with an IP address characteristic of organization A sends a packet to a machine that belongs to organization B.

  8. Security event example: detecting a DDOS attack

      event DDOS_attack:
        Logic ipVar;
        Logic timeVar;
        ( dummy == dummy ), ipVar = ip_dest, timeVar = actionTime ;
        ( ip_dest == ipVar )[=3];
        (( ip_dest == ipVar ) && ( actionTime - timeVar <= timeThreshold ))
      endevent

  • The first line always holds (dummy == dummy) and records the current destination address in ipVar and the current time in timeVar; the event then requires that destination to be requested again 3 times, the last request arriving within timeThreshold cycles of the recorded time.
  • This means that the recorded destination address was requested 3 times within timeThreshold cycles.
  • Given the right values, this event will be able to detect DDOS attacks.
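The two monitors shown on slides 6 to 8, evaluated over a constructed packet trace, as an added example in plain C++ that is not the project's own code and does not use the IBM tool's generated API. It implements the "A is between B and C" template and the From_A_To_B event exactly as the slides define them, and reads the DDOS_attack event the way slide 8 summarises it: the same ip_dest requested `hits` times within `timeThreshold` cycles (a sliding per-destination window; the exact PSL count semantics of `[=3]` may differ, and resetting the window after a firing is this example's choice). The address ranges, packet records and times are constructed for the example.

```cpp
#include <cstdint>
#include <deque>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// One analysed packet; field names follow the slides (ip_src, ip_dest, actionTime).
struct Packet {
    uint32_t ip_src;
    uint32_t ip_dest;
    int actionTime;  // cycle / timestamp of the packet
};

// Convert a dotted-quad IPv4 string to a host-order integer so ranges compare numerically.
uint32_t ipToInt(const std::string& dotted) {
    std::istringstream in(dotted);
    std::string octet;
    uint32_t value = 0;
    for (int i = 0; i < 4 && std::getline(in, octet, '.'); ++i)
        value = (value << 8) | (static_cast<uint32_t>(std::stoul(octet)) & 0xFFu);
    return value;
}

// Template "A is between B and C" from slide 6: ((B <= A) && (A <= C)).
bool isBetween(uint32_t a, uint32_t b, uint32_t c) { return b <= a && a <= c; }

// Inclusive address range of an organisation (the OrgAL/OrgAU style bounds of the template).
struct OrgRange { uint32_t low; uint32_t high; };

// Event From_A_To_B: {ip_src is between OrgAL and OrgAU} and {ip_dest is between OrgBL and OrgBU}.
bool fromAToB(const Packet& p, const OrgRange& orgA, const OrgRange& orgB) {
    return isBetween(p.ip_src, orgA.low, orgA.high) && isBetween(p.ip_dest, orgB.low, orgB.high);
}

// Monitor A_to_B from slide 7: "if all {From_A_To_B} then {action_A_to_B}". The action here is
// counting, so the return value is the number of packets on which the event held.
int monitorAToB(const std::vector<Packet>& trace, const OrgRange& orgA, const OrgRange& orgB) {
    int fired = 0;
    for (const Packet& p : trace)
        if (fromAToB(p, orgA, orgB)) ++fired;
    return fired;
}

// DDOS_attack event as slide 8 summarises it: the same ip_dest requested `hits` times within
// `timeThreshold` cycles. ipVar/timeVar of the MSL event become a per-destination window of
// request times. Returns the actionTime of every firing; the window is cleared after a firing so
// that one burst is reported once (an assumption of this example, not of the tool).
std::vector<int> monitorDdos(const std::vector<Packet>& trace, int hits, int timeThreshold) {
    std::vector<int> firings;
    std::map<uint32_t, std::deque<int>> window;  // ip_dest -> request times still inside the threshold
    for (const Packet& p : trace) {
        std::deque<int>& times = window[p.ip_dest];
        // Drop recorded times that are more than timeThreshold cycles before this packet.
        while (!times.empty() && p.actionTime - times.front() > timeThreshold) times.pop_front();
        times.push_back(p.actionTime);
        if (static_cast<int>(times.size()) >= hits) {
            firings.push_back(p.actionTime);
            times.clear();
        }
    }
    return firings;
}

// Constructed sample traffic (not captured data): organisation A is 10.0.0.0/24, B is 192.168.1.0/24.
std::vector<Packet> sampleTrace() {
    return {
        {ipToInt("10.0.0.5"),   ipToInt("192.168.1.10"), 1},   // A -> B
        {ipToInt("172.16.0.1"), ipToInt("192.168.1.10"), 2},   // outside A -> B
        {ipToInt("10.0.0.7"),   ipToInt("8.8.8.8"),      3},   // A -> outside B
        {ipToInt("10.0.0.9"),   ipToInt("192.168.1.20"), 4},   // A -> B
        {ipToInt("172.16.0.2"), ipToInt("192.168.1.10"), 5},   // third request to .10 within 10 cycles
        {ipToInt("172.16.0.3"), ipToInt("192.168.1.10"), 30},  // too late to extend that burst
    };
}

const OrgRange ORG_A{ipToInt("10.0.0.0"), ipToInt("10.0.0.255")};
const OrgRange ORG_B{ipToInt("192.168.1.0"), ipToInt("192.168.1.255")};

int main() {
    std::vector<Packet> trace = sampleTrace();
    std::cout << "A_to_B fired " << monitorAToB(trace, ORG_A, ORG_B) << " times\n";
    for (int t : monitorDdos(trace, 3, 10)) std::cout << "DDOS_attack fired at cycle " << t << "\n";
    return 0;
}
```

On the sample trace A_to_B fires twice (cycles 1 and 4) and DDOS_attack fires once, at cycle 5, when 192.168.1.10 has been requested three times within 10 cycles; with timeThreshold lowered to 2 the three requests no longer fall inside one window and nothing fires, which is the tuning question slide 8 alludes to with "given the right values".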