Table of Contents Author Guidelines Submit a Manuscript
Mathematical Problems in Engineering
Volume 2013 (2013), Article ID 621203, 10 pages
Research Article

A Novel Algorithm for Intrusion Detection Based on RASL Model Checking

1School of Information Engineering, Zhengzhou University, Zhengzhou, Henan 450001, China
2MOE Key Laboratory of Grain Information Technology & Control, Henan University of Technology, Zhengzhou, Henan 450001, China
3School of Computer Science, Xidian University, Xi'an, Shaanxi 710071, China

Received 29 November 2012; Revised 6 February 2013; Accepted 15 February 2013

Academic Editor: Jitao Sun

Copyright © 2013 Weijun Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.


The interval temporal logic (ITL) model checking (MC) technique enhances the power of intrusion detection systems (IDSs) to detect concurrent attacks due to the strong expressive power of ITL. However, an ITL formula suffers from difficulty in the description of the time constraints between different actions in the same attack. To address this problem, we formalize a novel real-time interval temporal logic—real-time attack signature logic (RASL). Based on such a new logic, we put forward a RASL model checking algorithm. Furthermore, we use RASL formulas to describe attack signatures and employ discrete timed automata to create an audit log. As a result, RASL model checking algorithm can be used to automatically verify whether the automata satisfy the formulas, that is, whether the audit log coincides with the attack signatures. The simulation experiments show that the new approach effectively enhances the detection power of the MC-based intrusion detection methods for a number of telnet attacks, p-trace attacks, and the other sixteen types of attacks. And these experiments indicate that the new algorithm can find several types of real-time attacks, whereas the existing MC-based intrusion detection approaches cannot do that.