PROJECT 35: A PLATFORM FOR MONITOR DEFINITION, INTEGRATION, AND SYNTHESIS
STUDENTS: HESHAM YASSIN, SARI SADIYA
SUPERVISORS: TAMER SALMAN, RONEN LEVY
OBJECTIVES
Our main objective was to construct a platform in which a user can define, integrate and synthesize monitors for traffic analysis. This included:
1. Constructing a language for monitor definition: MSL prime.
2. Creating a GUI in which the user can define monitors.
3. Creating an interpreter from our MSL language to compilable C++ code.
One should note that the platform is “purpose generic” and can support any kind of data analysis where temporal expressions are used (financial transactions, physical interactions, ...). However, in this presentation we focus on the “traffic monitoring for security” aspects of the tool.
METHODOLOGY
The monitor specification language MSL prime was derived from known temporal logic languages such as PSL and SVA and modified for user convenience and functionality. JJTree was used to create an interpreter from MSL prime to “augmented C++” files containing PSL blocks; these are in turn sent to an IBM TOOL that produces clean C++ files. The SWT platform was used to create the GUI, which was edited in Eclipse and compiled with Java Platform SE 7. Development was performed on a 32-bit Linux machine; however, the IBM TOOL runs only on 64-bit machines, so we use VMware Player to run a 64-bit virtual machine.
DELIVERABLES
Our GUI supports all the required functionality, such as adding new events, actions and monitors. Moreover, we have developed a “Template” feature, which allows the definition of templates so that a “simple user” can write events in plain English without any knowledge of MSL prime. When the events, actions and monitors are exported, the interpretation component produces “augmented C++” files (C++ code containing PSL blocks) to be compiled by the script. Our runMonitor script receives the output files of the GUI, compiles them and analyzes a given traffic file.
[Toolchain diagram: GUI (language packet) -> export -> MSL files -> MSL interpreter -> augmented C++ files -> IBM TOOL -> C++ files; ./runMonitor myMonitors then runs the compiled monitors over a traffic txt file.]
TEMPLATE USAGE EXAMPLES
Suppose you wish to monitor all traffic originating from Organization A and destined to Organization B. A user proficient in MSL prime may write the template:

    A is between B and C ((B <= A) && (A<=C))

Now any user can simply define the event:

    event: From_A_To_B
    {Ip_src is between OrgAL and OrgAU} and {Ip_dest is between OrgBL and OrgBU}

On export, the interpretation component produces augmented C++ of the following form (here the two organization ranges are named ipIBM..ipUIBM and ipLTech..ipUTech):

    // Monitor logic
    ctx->startCycle();
    for (PropertyInstance * inst = ctx->firstInstance(); inst; inst = ctx->nextInstance()) {
        int lv = inst->loadValue();
        bool ___var_0, ___var_1;
        {
            lv = inst->loadValue();
            if ( (*inst)[0] ) {
    eventbegin:
                bool event_result = false;
                detect { true[*]; (((ipIBM<=ip_src) && (ip_src<= ipUIBM)) && ((ipLTech<=ip_dest) && (ip_dest <= ipUTech))) } ${event_result = true}$
                return event_result;
            }
This enables the user to define the monitor:

    monitor: A_to_B;
    monitorbegin
    if all {From_A_To_B} then {action_A_to_B}
    monitorend

without any prior knowledge of MSL prime or any other temporal logic language. This monitor will detect when a machine whose IP address is characteristic of organization A sends a packet to a machine that belongs to organization B.
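As an added example (hand-written C++, not the project's MSL prime or the code the IBM TOOL emits), here is the same template, event and monitor modelled directly: isBetween plays the role of the “is between” template, From_A_To_B the event, and a monitor object fires action_A_to_B on every packet for which the event holds. The Packet struct, the ipv4() parser, the address ranges standing in for OrgAL/OrgAU/OrgBL/OrgBU and the traffic trace are all constructed here; the action simply records the matching packet.

```cpp
// Added example, not the project's generated code: the "is between" template,
// the From_A_To_B event and the A_to_B monitor modelled directly in C++.
// Packet, ipv4(), the organization ranges and the trace are constructed here.
#include <cstddef>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>

// One traffic record; field names follow the MSL event (ip_src, ip_dest, actionTime).
struct Packet {
    uint32_t ip_src;
    uint32_t ip_dest;
    long actionTime;
};

// Parse a dotted-quad IPv4 address into a host-order integer so that
// address ranges can be compared numerically, exactly as the template does.
uint32_t ipv4(const std::string& dotted) {
    std::istringstream in(dotted);
    std::string octet;
    uint32_t value = 0;
    while (std::getline(in, octet, '.')) {
        value = (value << 8) | (std::stoul(octet) & 0xFFu);
    }
    return value;
}

// Template "A is between B and C ((B <= A) && (A<=C))": both bounds inclusive.
inline bool isBetween(uint32_t a, uint32_t b, uint32_t c) {
    return (b <= a) && (a <= c);
}

// Constructed sample ranges standing in for OrgAL/OrgAU and OrgBL/OrgBU.
const uint32_t OrgAL = ipv4("10.1.0.0");
const uint32_t OrgAU = ipv4("10.1.255.255");
const uint32_t OrgBL = ipv4("192.168.5.0");
const uint32_t OrgBU = ipv4("192.168.5.255");

// event From_A_To_B:
//   {Ip_src is between OrgAL and OrgAU} and {Ip_dest is between OrgBL and OrgBU}
bool From_A_To_B(const Packet& p) {
    return isBetween(p.ip_src, OrgAL, OrgAU) && isBetween(p.ip_dest, OrgBL, OrgBU);
}

// monitor A_to_B: if all {From_A_To_B} then {action_A_to_B}
// The action here just records the matching packet for later reporting.
class MonitorAtoB {
public:
    void step(const Packet& p) {
        if (From_A_To_B(p)) action_A_to_B(p);
    }
    const std::vector<Packet>& hits() const { return hits_; }
private:
    void action_A_to_B(const Packet& p) { hits_.push_back(p); }
    std::vector<Packet> hits_;
};

// Run the monitor over a whole trace and return how many times the action fired.
size_t runAtoB(const std::vector<Packet>& trace) {
    MonitorAtoB monitor;
    for (const Packet& p : trace) monitor.step(p);
    return monitor.hits().size();
}

// Constructed traffic trace (not a real capture).
std::vector<Packet> sampleTrace() {
    return {
        {ipv4("10.1.2.3"),     ipv4("192.168.5.10"), 1},  // A -> B: fires
        {ipv4("10.1.9.9"),     ipv4("8.8.8.8"),      2},  // A -> outside B
        {ipv4("172.16.0.1"),   ipv4("192.168.5.77"), 3},  // outside A -> B
        {ipv4("10.1.255.255"), ipv4("192.168.5.0"),  4},  // range edges: fires
    };
}
```

The fourth packet sits exactly on the range boundaries and still fires, which is the inclusive semantics the template's `(B <= A) && (A<=C)` prescribes; a practitioner checking a template should test those edges, since an off-by-one there silently drops the first or last host of a range.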
SECURITY EVENT EXAMPLE: DETECTING A DDOS ATTACK

    event DDOS_attack:
        Logic ipVar;
        Logic timeVar;
        ( dummy == dummy ), ipVar = ip_dest, timeVar = actionTime ;
        ( ip_dest == ipVar )[=3];
        (( ip_dest == ipVar ) && ( actionTime - timeVar <= timeThreshold ))
    endevent

This means that the destination address captured in ipVar was requested 3 times within timeThreshold cycles. Given the right values, this event will be able to detect DDoS attacks.
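As an added example (again hand-written C++, not what the IBM TOOL emits from the event above), the DDOS_attack sequence as a monitor that, like the generated PropertyInstance loop, starts a new instance at every packet: the first cycle captures ipVar and timeVar, three further packets to the same destination satisfy ( ip_dest == ipVar )[=3] with gaps allowed, and a fourth packet to that destination inside timeThreshold completes the sequence. The Packet struct, the threshold value and the trace are constructed here. One addition beyond the PSL semantics: assuming non-decreasing actionTime, an instance whose window has expired is dropped early, which changes nothing about what fires but keeps the instance list bounded under heavy traffic.

```cpp
// Added example, not the project's generated code: a hand-written matcher for the
// DDOS_attack event sequence. One instance is started per packet, as the generated
// PropertyInstance loop does. Packet, the threshold and the trace are constructed.
#include <cstdint>
#include <vector>

struct Packet {
    uint32_t ip_dest;
    long actionTime;
};

// State of one in-flight sequence match.
struct DdosInstance {
    uint32_t ipVar;   // Logic ipVar;   set in the first cycle: ipVar = ip_dest
    long timeVar;     // Logic timeVar; set in the first cycle: timeVar = actionTime
    int repeats;      // hits of ( ip_dest == ipVar ) counted towards [=3]
    DdosInstance(uint32_t ip, long t) : ipVar(ip), timeVar(t), repeats(0) {}
};

class DdosMonitor {
public:
    explicit DdosMonitor(long timeThreshold) : threshold_(timeThreshold) {}

    // Feed one packet in trace order; returns how many instances completed
    // the whole sequence on this packet.
    int step(const Packet& p) {
        int fired = 0;
        std::vector<DdosInstance> live;
        for (const DdosInstance& inst : instances_) {
            // Assumes non-decreasing actionTime: once this packet lies outside the
            // window, the final element can never hold, so the instance is dropped.
            if (p.actionTime - inst.timeVar > threshold_) continue;
            if (p.ip_dest != inst.ipVar) {       // no hit: [=3] allows gaps
                live.push_back(inst);
                continue;
            }
            if (inst.repeats < 3) {              // still inside ( ip_dest == ipVar )[=3]
                DdosInstance next = inst;
                ++next.repeats;
                live.push_back(next);
            } else {                             // fourth hit, within the window:
                ++fired;                         // final element holds, sequence done
            }
        }
        instances_ = live;
        // ( dummy == dummy ), ipVar = ip_dest, timeVar = actionTime: start a new instance
        instances_.push_back(DdosInstance(p.ip_dest, p.actionTime));
        return fired;
    }

private:
    long threshold_;
    std::vector<DdosInstance> instances_;
};

// Count sequence completions over a whole trace for a given timeThreshold.
int countDdosHits(const std::vector<Packet>& trace, long timeThreshold) {
    DdosMonitor monitor(timeThreshold);
    int total = 0;
    for (const Packet& p : trace) total += monitor.step(p);
    return total;
}

// Constructed trace: five requests to 192.0.2.10 within 40 time units, then a sixth
// long after; with timeThreshold = 100 exactly one instance completes.
std::vector<Packet> burstTrace() {
    const uint32_t target = 0xC000020Au;   // 192.0.2.10 (documentation range)
    const uint32_t other  = 0xC0000214u;   // 192.0.2.20
    return {
        {target, 0}, {other, 5}, {target, 10}, {target, 20},
        {target, 30}, {target, 40}, {target, 200},
    };
}
```

Because every packet opens an instance, a sustained flood completes the sequence once per packet once it is underway, so the action attached to the event should be rate-limited or deduplicated per destination; the counts returned by countDdosHits make that behaviour visible before the monitor is wired to a real action.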