Analyzing Security Vulnerabilities and Attacks

Analysis of network security attacks helps us understand the characteristics of application vulnerabilities, intrusion detection techniques, and established attacker behavior patterns. The intrusion detection tools and signature-based approaches used in practice are helpful in detecting known attacks, but are much less effective when a new vulnerability is being exploited. Anomaly-based approaches are sometimes able to detect unknown attacks, but at the cost of false alarms. Hence human expertise is still needed in attack investigation, and today most of this investigative analysis is done more or less manually. Our aim is to propose a measurement-based model that provides joint insight into attack patterns and the associated vulnerability exploitation. This paper describes a novel approach that combines vulnerability data from the MITRE CVE (Common Vulnerabilities and Exposures) database with attack data from nearly 5000 hosts at the National Center for Supercomputing Applications (NCSA) in Illinois, to create an attack model with sufficient detail to assist in identifying system compromises. Real data is scrutinized to find attack flow patterns, which give more insight into the strategies adopted by the elite attacker community today. Motivated by these findings, we create a model that captures the relationships between vulnerability exploitation and attack flow.

Keywords: vulnerability, attack, real data, classification, model.
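
The contrast the abstract draws (signatures catch known exploits and miss new ones; anomaly detection catches some unknown attacks but raises false alarms), and the idea of joining alerts to vulnerability records to reconstruct a per-host attack flow, can be made concrete with a small script. The following is an added example and not code from the paper or from NCSA: the log lines, the CVE records (placeholder IDs of the form CVE-0000-000N, not real entries), the signature rules, and the message-shape normalisation used as an anomaly baseline are all constructed here for illustration; the paper's own model is not described in the abstract and is not reproduced.

```python
"""Signature-based vs. anomaly-based detection over constructed log lines,
and a per-host attack flow built by joining signature hits to CVE records.
Added example; all data below is constructed (placeholder CVE IDs)."""
import re
from collections import defaultdict

# Constructed vulnerability records in the shape of a CVE feed:
# id -> (affected service, weakness class, impact). Placeholder IDs, not real CVEs.
CVE_TABLE = {
    "CVE-0000-0001": ("ssh", "buffer overflow", "remote root"),
    "CVE-0000-0002": ("http", "input validation", "remote shell"),
    "CVE-0000-0003": ("local", "race condition", "local root"),
}

# Constructed signature rules: regex over the message -> CVE it indicates.
SIGNATURES = [
    (re.compile(r"sshd.*Corrupted MAC"), "CVE-0000-0001"),
    (re.compile(r"httpd.*GET /cgi-bin/.*\|"), "CVE-0000-0002"),
    (re.compile(r"ptrace.*exec"), "CVE-0000-0003"),
]

LOG_LINE = re.compile(r"^(?P<ts>\d+) (?P<host>\S+) (?P<msg>.*)$")

# Constructed benign lines used to learn the anomaly baseline.
TRAINING = [
    "100 node01 sshd[100]: Accepted publickey for alice from 10.0.0.5",
    "101 node01 httpd: GET /index.html 200",
    "102 node02 cron[200]: (root) CMD (/usr/bin/updatedb)",
    "103 node02 sshd[101]: Accepted publickey for bob from 10.0.0.6",
]

# Constructed lines to analyse: three known-exploit patterns on node01,
# a new-but-benign login and an unsigned crash on node02.
EVENTS = [
    "200 node01 sshd[300]: Corrupted MAC on input from 192.0.2.9",
    "201 node01 httpd: GET /cgi-bin/test.cgi?x=|id 200",
    "205 node01 kernel: ptrace: process 4243 attempted exec of /bin/sh",
    "210 node02 sshd[301]: Accepted publickey for carol from 10.0.0.7",
    "215 node02 httpd: unexpected child exit, signal 11",
]


def parse(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def signature_detect(lines):
    """Return (ts, host, cve) for each line matching a known-attack signature."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        for rx, cve in SIGNATURES:
            if rx.search(rec["msg"]):
                hits.append((int(rec["ts"]), rec["host"], cve))
                break
    return hits


def shape(msg):
    """Reduce a message to its structure: paths become /PATH, numbers become #."""
    s = re.sub(r"/\S+", "/PATH", msg)
    return re.sub(r"\d+", "#", s)


def anomaly_detect(training, lines):
    """Flag (ts, host) for every line whose shape never appeared in training."""
    seen = {shape(r["msg"]) for r in filter(None, map(parse, training))}
    return [(int(r["ts"]), r["host"])
            for r in filter(None, map(parse, lines)) if shape(r["msg"]) not in seen]


def attack_flow(hits):
    """Order signature hits per host and annotate each with its CVE record."""
    flows = defaultdict(list)
    for ts, host, cve in sorted(hits):
        service, weakness, impact = CVE_TABLE[cve]
        flows[host].append((ts, cve, service, weakness, impact))
    return dict(flows)


if __name__ == "__main__":
    hits = signature_detect(EVENTS)
    print("signature hits:", hits)
    print("anomalies:", anomaly_detect(TRAINING, EVENTS))
    for host, steps in attack_flow(hits).items():
        print(host, "->", " ; ".join(f"{cve} ({impact})" for _, cve, _, _, impact in steps))
```

Running it shows the asymmetry the abstract describes: the signatures catch the three known exploit patterns on node01 and chain them into a remote-root, remote-shell, local-root sequence, but say nothing about the crash on node02; the anomaly detector flags that crash (an unsigned, possibly new exploit) together with two of the signed attacks, yet also flags carol's perfectly legitimate first login (a false alarm) and misses the cgi-bin injection because its normalised shape looks like an ordinary GET. Reconciling those two views is the manual investigation step the paper aims to support.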