BP-IDS: Using business process specification to leverage intrusion detection in critical infrastructures

2020 
Intrusion detection systems typically suffer from effectiveness problems: they are either incapable of detecting new threats, or they generate too many false alarms to be useful. Specification-based intrusion detection systems address both problems, exhibiting low false alarm rates and detecting new threats, yet they have seldom been used because they require completely specifying every acceptable action of the monitored system. Safety-critical systems, on the other hand, would greatly benefit from effective intrusion detection, and they are often well specified from a business process point of view, which makes them especially suited to specification-based detection provided that the high-level business process specifications can be translated into intrusion detection rules. This paper proposes BP-IDS, a specification-based intrusion detection system that performs this translation automatically. BP-IDS was tested on a critical transportation infrastructure and exhibited good detection results.
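To make the idea concrete, the following is an added illustration of specification-based detection written for this page; it is not BP-IDS's own code, and the abstract gives no detail on how BP-IDS performs its translation. A small business process (a constructed ticket-validation and gate-opening flow, with assumed step names, actors and ordering constraints) is compiled into three rule tables, and a constructed event log is replayed against them. Anything not in the specification, whether an unknown action, a wrong actor, or a step taken out of order, raises an alert without needing a signature for it, which is why such detectors can catch new threats while staying quiet on conforming traffic.

```python
"""
Added example (not from the BP-IDS paper): a minimal specification-based IDS
that compiles a business process specification into detection rules and
replays an event log against them. The process, event format and log lines
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed business process: each step names the only actor allowed to
# perform it and the steps that must already have happened within the same
# process instance (e.g. one passenger passing one gate).
PROCESS_SPEC = {
    "present_ticket":  {"actor": "gate_terminal",   "after": []},
    "validate_ticket": {"actor": "ticket_server",   "after": ["present_ticket"]},
    "open_gate":       {"actor": "gate_controller", "after": ["validate_ticket"]},
    "close_gate":      {"actor": "gate_controller", "after": ["open_gate"]},
}


@dataclass
class Event:
    instance: str   # business process instance identifier (assumed format)
    actor: str      # component that performed the action
    action: str     # business process step


def compile_rules(spec):
    """Translate the high-level spec into the rule tables the detector uses."""
    allowed_actions = set(spec)
    actor_of = {step: s["actor"] for step, s in spec.items()}
    prereqs = {step: set(s["after"]) for step, s in spec.items()}
    return allowed_actions, actor_of, prereqs


class SpecIDS:
    """Flags any event that deviates from the compiled specification."""

    def __init__(self, spec):
        self.allowed, self.actor_of, self.prereqs = compile_rules(spec)
        self.seen = {}  # instance id -> set of steps already completed

    def check(self, ev):
        """Return None if the event conforms to the spec, else an alert string."""
        if ev.action not in self.allowed:
            return f"{ev.instance}: unknown action '{ev.action}' by {ev.actor}"
        if ev.actor != self.actor_of[ev.action]:
            return f"{ev.instance}: '{ev.action}' by unauthorized actor {ev.actor}"
        done = self.seen.setdefault(ev.instance, set())
        missing = self.prereqs[ev.action] - done
        if missing:
            return f"{ev.instance}: '{ev.action}' before {sorted(missing)}"
        if ev.action in done:
            return f"{ev.instance}: duplicate '{ev.action}'"
        done.add(ev.action)
        return None


def parse_line(line):
    """Parse one constructed log line: '<instance> <actor> <action>'."""
    instance, actor, action = line.split()
    return Event(instance, actor, action)


def run(log_lines, spec=PROCESS_SPEC):
    """Replay a log against the spec and return the list of alerts raised."""
    ids = SpecIDS(spec)
    alerts = []
    for line in log_lines:
        alert = ids.check(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed log: p1 is a fully conforming passage; p2 and p3 deviate.
SAMPLE_LOG = [
    "p1 gate_terminal present_ticket",
    "p1 ticket_server validate_ticket",
    "p1 gate_controller open_gate",
    "p1 gate_controller close_gate",
    "p2 gate_terminal present_ticket",
    "p2 gate_controller open_gate",        # gate opened without validation
    "p3 gate_terminal validate_ticket",    # validation by the wrong component
    "p3 gate_controller reset_firmware",   # action absent from the spec
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The conforming instance p1 produces no alert, while p2 and p3 produce three; the "reset_firmware" alert is the case the abstract has in mind when it says a specification-based detector can catch threats it has never seen, since the rule is simply that the action is not in the specification. The flip side is the cost the abstract also names: every legitimate action, actor and ordering has to be present in `PROCESS_SPEC`, or it will be reported as an intrusion.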