Detection of Back Attack based on Interval Temporal Logic

Compared with other detection methods, intrusion detection based on temporal logic can actively deal with complex network attacks. However, because temporal logic formulas for many network attacks are lacking, the common back attack cannot be detected with this method. Therefore, Propositional Interval Temporal Logic (ITL) is used to establish a temporal logic formula for the back attack. First, the attack principle of the back attack was analyzed. Second, the critical steps of the attack were broken up into atomic actions and the atomic propositions were defined. Finally, the temporal logic formula for the attack was established based on the logical relationships between the atomic propositions. According to the principle of model checking, the obtained temporal logic formula can be used as one input to the model checker (intrusion detector). An automaton was used to model the log library as the other input to the model checker. The intrusion detection method for these three attacks was given, and the validity of the novel method was shown by simulation experiments.


Introduction
As one of the important network security technologies, Intrusion Detection (ID) has traditionally been classified into misuse detection and anomaly detection. Because anomaly detection has a high false alarm rate, misuse detection is generally adopted internationally when deploying intrusion detection systems (IDS). However, misuse detection based on pattern matching has its own faults. Due to the rapid increase of complex attack patterns in the network, technologies based on pattern matching seriously lack detection ability. Against this background, model-based detection methods have been proposed [1][2][3].
Compared with the pattern matching method, the model-based detection method can effectively describe the variation of attack patterns [1][2][4][5]. Pattern matching is usually used to detect inconsistencies between data, while in model detection, automata, temporal logic formulas and model detection techniques are used to detect inconsistencies in behavior. As a result, model-based methods have stronger detection capabilities than pattern-based methods because of the complex behavior in intrusion attacks [5]. The basic principle of model detection [6] can be summarized as follows: (1) describe the attack pattern using a temporal logic formula and record the attack process in the audit log library automatically; (2) use the model detection algorithm to check automatically whether the formula is satisfied and whether the record in the library matches the attack pattern. The logical operators in temporal formulas provide the flexibility to describe the various logical relationships between attack actions.
However, the present intrusion detection method based on model detection still has some problems that need to be solved. First of all, it cannot fully test for 39 attacks of the common  [7]. The reason is that there are no temporal logic formulas describing these attacks. To solve this problem, researchers have established temporal logic formulas for 24 of the 39 kinds of attacks. No temporal logic formula has been established so far for the remaining 15 attack types, so they still cannot be tested. Based on this, we use Interval Temporal Logic (ITL) to build a temporal logic model for the back attack, one of the remaining 15 classes, which will lay the foundation for intrusion detection based on model detection.

Principles
The back attack is launched against an Apache web server. It consists of a large number of requests with front slash characters (/) in the URL descriptions. When the server is attacked with these requests, it cannot deal with normal requests and denies service to its customers [12].

Details of back attack
The attacker sends many requests to the server with a front slash character (/) in the URL's address description. The server attempts to process the large number of requests, so that legitimate requests cannot be served. The critical steps can be formulated as follows: (1) the Apache Web server receives an invalid web request from the attacker; (2) the network host sends a legitimate HTTP request to the Apache Web server; (3) the Apache Web server receives the valid HTTP request; (4) but the network host cannot receive the reply packet for its request.

Atomic sequence of back attack
In line with the key steps and the rules, the atomic propositions for the atomic actions in the back attack are defined as shown in Table 1.

i.receive.ApacheWebserver: The network host receives the packet from the Apache Web server.

The formula for back attack
In line with the key steps, the rules and the temporal relationships between the atomic propositions, the following ITL formula for the back attack is obtained:

Back attack detection method based on ITL
According to formula (1), the intrusion detection method based on ITL model checking for the back attack is as shown in Figure 1.
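As an added illustration (not the paper's formula (1) or its detector), the Python code below evaluates a propositional ITL pattern for the four critical steps over a finite log trace, using the chop, sometime and always operators. Only i.receive.ApacheWebserver comes from Table 1; the other proposition names, the pattern itself and the sample logs are constructed assumptions.

```python
# Added example: propositional ITL evaluation over a finite log trace.
# A trace is a list of states; each state is the set of atomic propositions
# true at that log entry. Formulas are nested tuples.

def holds(f, trace, i=0, j=None):
    """True if formula f holds on the interval trace[i..j] (inclusive)."""
    if j is None:
        j = len(trace) - 1
    op = f[0]
    if op == "ap":        # atomic proposition: evaluated in the interval's first state
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i, j)
    if op == "and":
        return holds(f[1], trace, i, j) and holds(f[2], trace, i, j)
    if op == "chop":      # f1 ; f2 -- the two subintervals share state k
        return any(holds(f[1], trace, i, k) and holds(f[2], trace, k, j)
                   for k in range(i, j + 1))
    if op == "sometime":  # f holds on some suffix of the interval
        return any(holds(f[1], trace, k, j) for k in range(i, j + 1))
    if op == "always":    # f holds on every suffix of the interval
        return all(holds(f[1], trace, k, j) for k in range(i, j + 1))
    raise ValueError(f"unknown operator: {op}")

INVALID = "ApacheWebserver.receive.invalid"  # hypothetical name (step 1)
SEND = "i.send.ApacheWebserver"              # hypothetical name (step 2)
VALID = "ApacheWebserver.receive.valid"      # hypothetical name (step 3)
REPLY = "i.receive.ApacheWebserver"          # from Table 1 (absent in step 4)

# Assumed pattern: steps 1, 2, 3 occur in order, and from step 3 to the end
# of the logged interval the host never receives a reply.
BACK_PATTERN = ("sometime", ("chop", ("ap", INVALID),
                ("sometime", ("chop", ("ap", SEND),
                 ("sometime", ("and", ("ap", VALID),
                               ("always", ("not", ("ap", REPLY)))))))))

def detect_back(trace):
    """Check a finite log trace against the assumed back-attack pattern."""
    return bool(trace) and holds(BACK_PATTERN, trace)

# Constructed sample logs (not taken from the paper's experiments).
ATTACK_LOG = [{INVALID}, {INVALID}, {SEND}, {VALID}, set()]
SERVED_LOG = [{INVALID}, {SEND}, {VALID}, {REPLY}]  # reply arrives: no alarm
BENIGN_LOG = [{SEND}, {VALID}, {REPLY}]             # no invalid requests

if __name__ == "__main__":
    for name in ("ATTACK_LOG", "SERVED_LOG", "BENIGN_LOG"):
        print(name, detect_back(globals()[name]))
```

Because the trace is finite, a log window cut off before the reply arrives would also match, so the window must be long enough to cover the server's normal response time.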

Conclusion
A temporal logic formula model for the back attack is proposed in this paper. With it, the MC intrusion detection method can be used to detect such attacks. Many simulation experiments were carried out using MATLAB, and the experimental results are shown in Table 2. Compared with Linear Temporal Logic (LTL), Computation Tree Logic (CTL) and Time Interval Temporal Logic (TITL), only the ITL method can detect this kind of attack, which is the comparative advantage of the new method. Because the intrusion detection method based on MC is stronger than Pattern Matching (PM), the new method can effectively detect back attacks with variable patterns. That is the main contribution of this paper.