Automated diagnosis for computer forensics

Upon discovery, security administrators must determine how computer system intrusions were accomplished to prevent their recurrence. This paper describes an automated diagnosis system designed to focus investigation on the evidence most likely to reveal a hacker's method. The system takes as input victim configuration and vulnerability information and a description of the unauthorized access gained by the attacker. With this information and templates describing hacker exploits and computer actions, the system generates possible attack sequences. Because it is impossible to know everything the attacker might be aware of or have done, attack hypotheses can include assumptions where there is no apparent action to accomplish part of an attack. The hypothetical attacks are next simulated on a model of the victim network. Successful simulation indicates a feasible means of accomplishing the unauthorized access. The simulation generates representative log entries that a pattern matching subsystem compares to system records. Close matches are indicators that the associated hypothesis was the means of attack.
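The four stages the abstract describes (template-driven hypothesis generation with assumptions, simulation on a victim model, representative log generation, and pattern matching against recorded logs) can be illustrated end to end with a small Python model. This is an added example, not the paper's implementation: the templates, the victim facts, the log records and every name in it are constructed for illustration, and the ranking rule (log corroboration first, then fewest assumptions) is a design choice of this example rather than something the paper states.

```python
"""Added example: hypothesis generation, simulation and log matching for
intrusion diagnosis. All templates, facts and records are constructed."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Template:
    name: str
    needs: frozenset   # facts that must hold on the victim before the action
    gives: frozenset   # facts that hold afterwards
    log: str           # regex of the record the action would leave behind


# Constructed exploit/action templates (hypothetical, not from the paper).
TEMPLATES = [
    Template("guess_password", frozenset({"net:reachable", "svc:ssh"}),
             frozenset({"cred:user"}), r"sshd.*Failed password for user"),
    Template("remote_login", frozenset({"net:reachable", "cred:user"}),
             frozenset({"shell:user"}), r"sshd.*Accepted password for user"),
    Template("suid_escalation", frozenset({"shell:user", "vuln:setuid-bin"}),
             frozenset({"shell:root"}), r"audit.*uid=0"),
    Template("root_login", frozenset({"net:reachable", "cred:root"}),
             frozenset({"shell:root"}), r"sshd.*Accepted password for root"),
    Template("install_backdoor", frozenset({"shell:root"}),
             frozenset({"access:root-backdoor"}), r"cron.*new job"),
]

# Constructed victim configuration/vulnerability facts and system records.
KNOWN = frozenset({"net:reachable", "svc:ssh", "vuln:setuid-bin"})
RECORDS = [
    "Mar  3 02:11:07 victim sshd[412]: Failed password for user from 203.0.113.9 port 51022",
    "Mar  3 02:11:09 victim sshd[412]: Failed password for user from 203.0.113.9 port 51022",
    "Mar  3 02:13:40 victim sshd[418]: Accepted password for user from 203.0.113.9 port 51040",
    "Mar  3 02:15:02 victim audit[90]: syscall=setuid uid=0 euid=0 comm=helper",
    "Mar  3 02:16:30 victim cron[77]: new job installed for root",
]


def generate(goal, known, templates, max_assumed=1):
    """Backward-chain from the unauthorized access to the known facts. A
    precondition no template can produce may be assumed (something the
    attacker knew or did without a visible action), up to max_assumed."""
    found = []

    def solve(pending, plan, assumed, depth):
        if depth > 8:
            return
        if not pending:
            cand = (frozenset(plan), assumed)
            if cand not in found:
                found.append(cand)
            return
        fact = sorted(pending)[0]
        rest = pending - {fact}
        if fact in known:
            solve(rest, plan, assumed, depth + 1)
            return
        producers = [t for t in templates if fact in t.gives and t.name not in plan]
        for t in producers:
            solve(rest | t.needs, plan + (t.name,), assumed, depth + 1)
        if not producers and len(assumed) < max_assumed:
            solve(rest, plan, assumed | {fact}, depth + 1)

    solve(frozenset({goal}), (), frozenset(), 0)
    return found


def simulate(steps, assumed, goal, known, templates):
    """Forward-execute the hypothesis on the victim model: fire any step whose
    preconditions hold. Returns the ordered steps if all fired and the goal
    was reached, else None (the hypothesis is infeasible)."""
    by_name = {t.name: t for t in templates}
    state = set(known) | set(assumed)
    remaining, order = set(steps), []
    while remaining:
        ready = sorted(n for n in remaining if by_name[n].needs <= state)
        if not ready:
            return None
        t = by_name[ready[0]]
        state |= t.gives
        order.append(t)
        remaining.remove(t.name)
    return order if goal in state else None


def match_logs(order, records):
    """Fraction of the representative log patterns found in the records."""
    if not order:
        return 0.0, []
    hits = [t.name for t in order if any(re.search(t.log, r) for r in records)]
    return len(hits) / len(order), hits


def diagnose(goal, known, records, templates=TEMPLATES, max_assumed=1):
    """Rank feasible hypotheses by log corroboration, then fewest assumptions."""
    ranked = []
    for steps, assumed in generate(goal, known, templates, max_assumed):
        order = simulate(steps, assumed, goal, known, templates)
        if order is None:
            continue
        score, hits = match_logs(order, records)
        ranked.append({"steps": [t.name for t in order], "assumed": sorted(assumed),
                       "score": score, "corroborated": hits})
    ranked.sort(key=lambda h: (h["score"], -len(h["assumed"])), reverse=True)
    return ranked


if __name__ == "__main__":
    for h in diagnose("access:root-backdoor", KNOWN, RECORDS):
        print(f"{h['score']:.2f} assumed={h['assumed']} steps={h['steps']}")
```

Running it on the constructed input yields two feasible hypotheses: a four-step chain fully corroborated by the records, and a two-step chain that needs the assumption `cred:root` and is only half corroborated. The investigator would therefore look first at the password-guessing and setuid evidence; passing `max_assumed=0` suppresses every hypothesis that relies on an unobserved attacker action.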