A CISL Tutorial

(still under construction)

The Common Intrusion Specification Language (CISL) is a means for intrusion detection systems and components to express information about events, attacks, and responses. It is designed to be flexible and efficient in order to benefit the application programmer. In exchange for these benefits, we must put in extra effort to ensure that the language is not fraught with perilous ambiguities.

CISL uses a syntax called S-expressions. These are groupings of atoms using parentheses; Lisp expressions are an example of S-expressions. They were originally suggested by Ron Rivest as a simple way of encapsulating information about public keys. CISL does not use them in that way, nor does it make use of Rivest's encoding mechanism, which is unnecessarily general for our purposes.

We will begin with an example that will illustrate the basic principles of CISL, then follow with a discussion of the language's features.

An Introductory Example

Consider the following CISL expression, which describes a simple event:

    (Delete
        (When
            (Time '12:24 15 Mar 1999 UTC')
        )
        (Initiator
            (UserName 'joe')
            (UserID 1234)
            (HostName 'foo.example.com')
        )
        (FileSource
            (FullPathName '/etc/passwd')
            (HostName 'foo.example.com')
        )
    )

Before reading on, examine this expression and try to figure out what it is intended to say. Then continue and see if you got it right!

A CISL expression that represents an occurrence is called a sentence, in analogy to English sentences. Like many English sentences, it has a subject, a verb, and a direct object, and as with many English sentences, the verb is considered the heart of the sentence, and the remaining parts of the sentence are interpreted with respect to that verb. The placement and organization of a CISL sentence reflects this priority.

Thus, in the sentence above, the verb is Delete. It is used to express the fact that someone deleted or attempted to delete a file. To identify the someone that is doing the deleting, and the file which is being deleted, a sentence includes under the verb several role clauses, which identify and describe the entities playing various roles in the sentence. Here, Initiator identifies the entity performing the deletion and FileSource identifies the file being deleted.

In addition, CISL also includes facilities for modifying the verb by--for instance--telling when and where the event occurred. This information is placed in adverb clauses. Here, When is an adverb telling when and on what machine the deletion occurred.

We now have enough information to produce a full English interpretation of the CISL sentence above:

At 12:24 Universal Time on 15 Mar 1999, on the machine named 'foo.example.com', the user with user name 'joe' and UID 1234 deleted the file '/etc/passwd'.

Semantic Identifiers

In CISL, the tags that identify the action or entities taking part in that action are called semantic identifiers, or SIDs for short. SIDs such as Delete are called verb SIDs, since they identify an action; SIDs such as Initiator are called role SIDs, since they identify those entities taking part in that action. Finally, the When SID is an adverb SID, since it heads an adverb clause.

CISL has a few types of SIDs other than those already mentioned. Attribute SIDs are similar to role SIDs in that they describe an entity or object, but unlike role SIDs, they go only under other role SIDs, rather than under verb SIDs, as ordinary role SIDs do.

An example of an attribute SID is Owner; it might be used as in the following role clause:

    (FileSource
        (FullPathName '/etc/passwd')
        (HostName 'foo.example.com')
        (Owner
            (UserName 'root')
        )
    )

This clause indicates that the owner of the file '/etc/passwd' is the 'root' account.


Maintained by Brian Tung
Last updated 21 April 1999