Intrusion Detection with Hypergraph-Based Attack Models

In numerous security scenarios, given a sequence of logged activities, it is necessary to look for all subsequences that represent an intrusion, which can be understood as any "improper" use of a system: an attempt to damage parts of it, to gather protected information, to follow "paths" that do not comply with security rules, and so on. In this paper we propose a hypergraph-based attack model for intrusion detection. The model allows the specification of various kinds of constraints on possible attacks and provides a high degree of flexibility in representing many different security scenarios. Besides discussing the main features of the model, we study the problems of checking the consistency of attack models and of detecting attack instances in sequences of logged activities.
