The Diamond Model of Intrusion Analysis

Abstract: This paper presents a model of intrusion analysis built by analysts and derived from years of experience, starting from a simple question: what is the underlying method to our work? The model establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. These features are connected by edges that represent their underlying relationships and are arranged in the shape of a diamond, giving the model its name: the Diamond Model. The model further defines meta-features to support higher-level constructs, such as linking events together into activity threads and coalescing events and threads into activity groups. These elements (event, thread, and group) together form a foundational and comprehensive model of intrusion activity built around analytic processes. It captures the essential concepts of intrusion analysis and adversary operations while leaving the model flexible enough to expand and encompass new ideas. The model establishes, for the first time, a formal method applying scientific principles to intrusion analysis, particularly measurement, testability, and repeatability, and provides a comprehensive method for documenting, synthesizing, and correlating activity. This scientific approach and simplicity produce improvements in analytic effectiveness, efficiency, and accuracy. Ultimately, the model provides opportunities to integrate intelligence in real time for network defense, to automate correlation across events, to classify events with confidence into adversary campaigns, and to forecast adversary operations while planning and gaming mitigation strategies.
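As an added illustration, not code from the paper or its authors, the following Python sketch encodes the constructs the abstract names: an event carrying the four core features plus two meta-features (a timestamp and a kill-chain phase label), activity threads built by ordering a victim's events in time, and activity groups formed by pivoting on shared infrastructure or capability. Every event value below is constructed sample data, and the attribution rule at the end (give a group's single known adversary to its unattributed events) is a simplifying assumption of this example, not the paper's classification method.

```python
"""Toy Diamond Model: events, activity threads, activity groups.

Added example with constructed data; the identifiers below (adversary names,
domains, tool names, hosts) are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    """One Diamond event: four core features plus the meta-features used here."""
    event_id: str
    adversary: Optional[str]   # None means the event is not yet attributed
    infrastructure: str        # e.g. a C2 domain or IP (constructed below)
    capability: str            # e.g. a malware family or tool (constructed)
    victim: str                # e.g. a host or organisation (constructed)
    timestamp: int             # meta-feature: ordering inside a thread
    phase: str                 # meta-feature: kill-chain phase label


# Constructed sample events (not real intrusion data).
SAMPLE_EVENTS: List[Event] = [
    Event("e1", "APT-Example", "c2.example.net", "ToolA", "host-1", 1, "delivery"),
    Event("e2", None, "c2.example.net", "ToolB", "host-2", 2, "c2"),
    Event("e3", None, "drop.example.org", "ToolB", "host-3", 3, "exploitation"),
    Event("e4", None, "other.example.com", "ToolC", "host-1", 4, "c2"),
]
EVENTS_BY_ID: Dict[str, Event] = {e.event_id: e for e in SAMPLE_EVENTS}


def activity_threads(events: Sequence[Event]) -> Dict[str, List[Event]]:
    """One activity thread per victim: that victim's events ordered in time."""
    threads: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.timestamp):
        threads[e.victim].append(e)
    return dict(threads)


def activity_groups(events: Sequence[Event],
                    pivot_features: Tuple[str, ...] = ("infrastructure", "capability")
                    ) -> List[List[str]]:
    """Coalesce events that share any pivot feature value (transitively).

    Uses union-find: e1 and e2 share infrastructure, e2 and e3 share a
    capability, so all three land in one group even though e1 and e3
    share nothing directly. Returns sorted lists of event ids.
    """
    parent = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen: Dict[Tuple[str, str], str] = {}
    for e in events:
        for feature in pivot_features:
            value = getattr(e, feature)
            if value is None:
                continue
            key = (feature, value)
            if key in first_seen:
                union(first_seen[key], e.event_id)
            else:
                first_seen[key] = e.event_id

    groups: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        groups[find(e.event_id)].append(e.event_id)
    return sorted(sorted(g) for g in groups.values())


def attribute_group(events_by_id: Dict[str, Event], group: Sequence[str]) -> Optional[str]:
    """Assumed rule: if exactly one adversary is known in a group, the whole
    group is attributed to it; with zero or conflicting names, stay unattributed."""
    known = {events_by_id[i].adversary for i in group if events_by_id[i].adversary}
    return known.pop() if len(known) == 1 else None


if __name__ == "__main__":
    for victim, thread in activity_threads(SAMPLE_EVENTS).items():
        print(victim, [(e.event_id, e.phase) for e in thread])
    for group in activity_groups(SAMPLE_EVENTS):
        print(group, "->", attribute_group(EVENTS_BY_ID, group))
```

Pivoting on a single shared feature is the weak point of this sketch: shared hosting, public tooling, or a victim-owned server reused by several actors all produce false links, so in practice an analyst weights each pivot and wants more than one shared feature, or an analytically justified one, before merging groups. The `pivot_features` parameter is where that policy would go.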
