A defense-centric taxonomy based on attack manifestations

Many classifications of attacks have been tendered, often in taxonomic form. A common basis of these taxonomies is that they have been framed from the perspective of an attacker: they organize attacks with respect to the attacker's goals, such as privilege elevation from user to root (from the well-known Lincoln taxonomy). Taxonomies based on attacker goals are attack-centric; those based on defender goals are defense-centric. Defenders need a way of determining whether or not their detectors will detect a given attack. It is suggested that a defense-centric taxonomy would suit this role more effectively than an attack-centric one. This paper presents a new, defense-centric attack taxonomy, based on the way that attacks manifest as anomalies in monitored sensor data. Unique manifestations, drawn from 25 attacks, were used to organize the taxonomy, which was validated through exposure to an intrusion-detection system, confirming attack detectability. The taxonomy's predictive utility was compared against that of a well-known extant attack-centric taxonomy. The defense-centric taxonomy is shown to be a more effective predictor of a detector's ability to detect specific attacks, hence informing a defender that a given detector is competent against an entire class of attacks.
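As an added illustration (not code from the paper), the following sketch shows why classifying attacks by their manifestation in sensor data predicts detectability: a simplified stide-like sliding-window detector is trained on constructed system-call traces, and each test trace is labelled by how it deviates from the training data. The manifestation categories, the trace contents and the detector simplification are all assumptions made for this example; traces with the same manifestation get the same verdict, and a trace whose effect is invisible to the monitored sensor is never flagged, whatever the attacker's goal was.

```python
"""Illustrative stide-like sequence detector and manifestation classifier.
Traces, categories and detector details are constructed for this example."""

NORMAL_TRACES = [  # constructed "normal" system-call traces used for training
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["open", "stat", "read", "close"],
]

# Constructed test traces; the names are hypothetical labels, not real attacks.
TEST_TRACES = {
    "unseen-call":     ["open", "read", "execve", "close"],  # symbol never seen in training
    "reordered-calls": ["open", "write", "read", "close"],   # known symbols, unseen order
    "invisible-here":  ["open", "read", "write", "close"],   # identical to normal behaviour
}

def windows(trace, k):
    """All length-k sliding windows of a trace, as a set of tuples."""
    return {tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)}

class StideLikeDetector:
    """Assumed simplification of a stide-style detector: a trace is anomalous
    if any of its length-k windows was never seen during training."""
    def __init__(self, k=3):
        self.k = k
        self.normal_windows = set()
        self.alphabet = set()

    def train(self, traces):
        for t in traces:
            self.alphabet |= set(t)
            self.normal_windows |= windows(t, self.k)

    def manifestation(self, trace):
        """How the trace deviates from training data (assumed category names)."""
        if set(trace) - self.alphabet:
            return "foreign symbol"      # a call the sensor has never recorded
        if windows(trace, self.k) - self.normal_windows:
            return "foreign sequence"    # known calls in a never-seen order
        return "no manifestation"        # indistinguishable from normal data

    def detects(self, trace):
        return self.manifestation(trace) != "no manifestation"

def classify_all(k=3):
    """Train on NORMAL_TRACES and return {name: (manifestation, detected)}."""
    det = StideLikeDetector(k)
    det.train(NORMAL_TRACES)
    return {name: (det.manifestation(t), det.detects(t)) for name, t in TEST_TRACES.items()}

if __name__ == "__main__":
    for name, (kind, hit) in classify_all().items():
        print(f"{name:16} manifestation={kind:18} detected={hit}")
```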
