Steve Moyle and John Heasman
October 2002, 20pp.
Intrusion detection is the identification of potential breaches in computer security policy. The objective of an attacker is often to gain access to a system that they are not authorised to use. The attacker achieves this by exploiting a (known) software vulnerability by sending the system a particular input. Current intrusion detection systems examine input for syntactic signatures of known intrusions. This work demonstrates that logic programming is a suitable formalism for specifying the semantics of attacks. Logic programs can then be used as a means of detecting attacks in previously unseen inputs. Furthermore, ILP (Inductive Logic Programming) can be used to induce detection clauses from examples of attacks. Experiments in learning ten different strategies for exploiting one particular vulnerability demonstrate that accurate theories can be generated from very few attack examples.