isDSL: A Domain Specific Language for Intrusion Signature Declaration

Kanin Chotvorrarak and Yachai Limpiyakorn
Department of Computer Engineering, Chulalongkorn University, Bangkok 10330, Thailand
Kanin.C@student.chula.ac.th, Yachai.L@chula.ac.th

Abstract. This paper presents a signature-based network intrusion detection system. Intrusions are detected using their signatures, defined as a set of rules contained in DSL scripts. A domain specific language, called isDSL, is created, whose syntax aligns with the TCP/IP stack and the encoding of GA chromosomes. A genetic algorithm is the technique used to search for malicious states in network traffic. An attack is defined as a combination of properties and values, possibly spread across packets, that matches the conditions defined in a particular rule described in DSL scripts. The presented approach is promising for several reasons. A domain specific language is a declarative approach for describing intrusion signatures that could spread across network packets. Additionally, the rules are expressive enough to tune out false positives. Moreover, the use of a genetic algorithm would reduce the number of packet combinations being investigated for signs of intrusion.

Keywords: domain specific language, intrusion detection system, genetic algorithm, network security.

1 Introduction

Intrusion detection is a type of security management system for computers and networks. In computer security, it is one of the important technologies for identifying possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). An intrusion detection system (IDS) is a device or software application that gathers and analyzes information from various areas within a computer or a network to assess the signs of intrusions, defined as attempts to compromise the confidentiality, integrity and availability, or to bypass the security mechanisms, of the network system. Commercial products on the market include Snort, STAT, and RealSecure, among others.

Network intrusion detection has been an active field of research for a long time. In 1980, Anderson introduced the concept of intrusion detection and defined a threat from unauthorized access [1]. Denning published "An Intrusion Detection Model" in 1987, presenting intrusion detection methods which include profiles, anomalies and rules [2]. During the 1990s, the growth of the Internet made network security a major concern. To maintain the security of computer networks and the integrity of user data, some aspects or conditions must be verified as an intrusion detection task. These

Advanced Science and Technology Letters Vol.29 (ASEA 2013), pp.252-257
http://dx.doi.org/10.14257/astl.2013.29.53
ISSN: 2287-1233 ASTL
Copyright © 2013 SERSC