Abstract
Orchids is an intrusion detection tool based on techniques for fast, on-line model-checking. Orchids detects complex, correlated strands of events with very low overhead in practice, although its detection algorithm has worst-case exponential time complexity.
The purpose of this paper is twofold. First, we explain the salient features of the basic model-checking algorithm in an intuitive way, as a form of dynamically-spawned monitors. One distinctive feature of the Orchids algorithm is that fresh monitors need to be spawned at a possibly alarming rate.
The second goal of this paper is therefore to explain how we tame the complexity of the procedure, using abstract interpretation techniques to safely kill useless monitors. This includes monitors which will provably detect nothing, but also monitors that are subsumed by others, in the sense that they will definitely fail the so-called shortest run criterion. We take the opportunity to show how the Orchids algorithm maintains its monitors sorted in such a way that the subsumption operation is effected with no overhead, and we correct a small, but definitely annoying bug in its core algorithm, as it was published in 2001.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Goubault-Larrecq, J., Olivain, J. (2008). A Smell of Orchids. In: Leucker, M. (ed.) Runtime Verification. RV 2008. Lecture Notes in Computer Science, vol. 5289. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89247-2_1
DOI: https://doi.org/10.1007/978-3-540-89247-2_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89246-5
Online ISBN: 978-3-540-89247-2