Affiliations: [a] Department of Technology and Management, Athens University of Economics and Business, GR10434 Athens, Greece. E-mail: dds@aueb.gr | [b] Department of Informatics, Athens University of Economics and Business, GR10434 Athens, Greece. E-mail: dgrit@aueb.gr
Correspondence:
[*]
Corresponding author.
Abstract: We describe the use of a domain-specific language (DSL) for expressing critical design values and constraints in an intrusion detection application. Through the use of this specialised language, information that is critical to the correct operation of the software can be expressed in a form that can be easily drafted, verified, and maintained by domain experts (security officers), thus minimising the risk inherent from the mediation of software engineers. Our application, Panoptis, is a DSL-based low-cost, easy-to-use intrusion detection system using the process accounting records kept by most Unix systems. A set of database tables contain resource usage profiles for processes, terminals, users, and time intervals. Panoptis monitors new process data against the recorded profiles and reports on entities diverging from the established resource usage envelopes implying possible data security threats. We demonstrate the operation of Panoptis by a case study of a real attack and subsequent system compromise that occured on a system under our administrative control.
Keywords: Domain-specific languages, security monitoring, intrusion detection, Unix process accounting
