Temporal Data Streams for Anomaly Intrusion Detection (Extended Version)

Intrusion detection systems (IDS) aim to protect computer systems against attacks. The detection methods employed in anomalybased IDS are based, in particular, on monitoring networks for patterns of activity that differ from normal behaviour. Issues to be addressed with anomaly-based systems include deciding and representing what constitutes normal behaviour as well as being able to detect deviations from this efficiently in high speed networks. Here we describe an approach to anomaly-based intrusion detection utilising temporal logic and stream data processing. Temporal logic is used to specify the normality conditions which, after translation into data stream queries, are efficiently executed on streams of network packets. The proposed approach allows the concise representation of patterns of normal behaviour, possibly involving multiple steps, as well as being able to detect their violations over a high volume of data in high speed networks.