Modeling multistep cyber attacks for scenario recognition

Proceedings - DARPA Information Survivability Conference and Exposition, DISCEX 2003

Volumn 1, Issue , 2003, Pages 284-292

  Cheung, S ^a   Lindqvist, U ^a   Fong, M W ^a  

^a SRI INTERNATIONAL   (United States)

Author keywords

Engines; Libraries; Prototypes; Security; Vocabulary

Indexed keywords

COMPUTATIONAL LINGUISTICS; COMPUTER CRIME; CRIME; ENGINES; LIBRARIES;

AUTOMATED DETECTION; MULTI-STEP ATTACKS; MULTI-STEP SCENARIOS; PROTOTYPE IMPLEMENTATIONS; PROTOTYPES; SCENARIO RECOGNITION; SECURITY; VOCABULARY;

MODELING LANGUAGES;

EID: 84860495162     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/DISCEX.2003.1194892     Document Type: Conference Paper

References (28)

1. J. F. Allen. Maintaining knowledge about temporal intervals. Communications of the ACM, 26(11):832-843, 1983.
2. Australian Computer Emergency Response Team. Denial of Service (DoS) attacks using the Domain Name System (DNS), Aug. 13, 1999. AusCERT Advisory AL-1999.004.
3. CERT Coordination Center. Smurf IP Denial-of-Service Attacks, Jan. 5, 1998. CERT Advisory CA-1998-01.
4. CERT Coordination Center. Distributed Denial of Service Tools, Nov. 18, 1999. CERT Incident Note IN-99-07.
5. CERT Coordination Center, "mstream" Distributed Denial of Service Tool, May 2, 2000. CERT Incident Note IN-2000-05.
6. CERT Coordination Center. Buffer Overflow In IIS Indexing Service DLL, June 27, 2001. CERT Advisory CA-2001-13.
7. F. Cuppens and R. Ortalo. LAMBDA: A language to model a database for detection of attacks. In H. Debar, L. Mé, and S. F. Wu, editors, Recent Advances in Intrusion Detection (RAID 2000), volume 1907 of LNCS, pages 197-216, Toulouse, France, Oct. 2-4, 2000. Springer-Verlag.
8. D. Curry and H. Debar, Intrusion Detection Message Exchange Format: Data Model and Extensible Markup Language (XML) Document Type Definition. Intrusion Detection Working Group, June 20, 2002. Work in progress, IETF Internet-Draft draft-ietf-idwg-idmef-xml-07.txt.
9. H. Debar and A. Wespi. Aggregation and correlation of intrusion-detection alerts. In W. Lee, L. Mé, and A. Wespi, editors, Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of LNCS, pages 85-103, Davis, California, Oct. 10-12, 2001. Springer-Verlag.
10. S. T. Eckmann, G. Vigna, and R. A, Kemmerer. STATL: An attack language for state-based intrusion detection. Journal of Computer Security, 10:71-103, 2002.
11. E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, 1995.
12. R. P. Goldman, W. Heimerdinger, S. A. Harp, C. W. Geib, V. Thomas, and R. L. Carter. Information modeling for intrusion report aggregation. In DARPA Information Survivability Conference and Exposition (DISCEX II), volume 1, pages 329-342, Anaheim, California, June 12-14, 2001.
13. K. Julisch. Mining alarm clusters to improve alarm handling efficiency. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC 2001), pages 12-21, New Orleans, Louisiana, Dec. 10-14, 2001.
14. U. Lindqvist. The inquisitive sensor: A tactical tool for system survivability. In Supplement of the 2001 International Conference on Dependable Systems and Networks, pages C-14-C-16, Göteborg, Sweden, July 1-4, 2001.
15. U. Lindqvist and P. A. Porras. Detecting computer and network misuse through the production-based expert system toolset (P-BEST). In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 146-161, Oakland, California, May 9-12, 1999.
16. C. Michel and L. Mé. ADeLe: An attack description language for knowledge-based intrusion detection. In M. Dupuy and P. Paradinas, editors, Trusted Information: The New Decade Challenge: IFIP TC11 16th International Conference on Information Security (IFIP/SEC'01), pages 353-368, Paris, France, June 11-13, 2001.
17. P. G. Neumann and P. A. Porras. Experience with EMERALD to date. In Proceedings of the Workshop on Intrusion Detection and Network Monitoring, Santa Clara, California, Apr. 9-12, 1999.
18. P. Ning, S. Jajodia, and X. S. Wang. Abstraction-based intrusion detection in distributed environments. ACM Transactions on Information and System Security, 4(4):407-452, Nov. 2001.
19. P. A. Porras, M. W. Fong, and A. Valdes. A mission-impact-based approach to INFOSEC alarm correlation. In A. Wespi, G. Vigna, and L. Deri, editors, Recent Advances in Intrusion Detection (RAID 2002), volume 2516 of LNCS, pages 95-114, Zurich, Switzerland, Oct. 16-18, 2002.
20. P. A. Porras and P. G. Neumann. EMERALD: Event monitoring enabling responses to anomalous live disturbances. In Proceedings of the 20th National Information Systems Security Conference, pages 353-365, Baltimore, Maryland, Oct. 7-10, 1997.
21. C. R. Ramakrishnan and R. Sekar. Model-based analysis of configuration vulnerabilities. Journal of Computer Security, 10(12):189-209, 2002.
22. R. W. Ritchey and P. Ammann. Using model checking to analyze network vulnerabilities. In Proceedings of the 2001 IEEE Symposium on Security and Privacy, pages 156-165, Oakland, California, May 14-16, 2001.
23. O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing. Automated generation and analysis of attack graphs. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 273-284, Oakland, California, May 12-15, 2002.
24. S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10:105-136, 2002.
25. S. J. Templeton and K. Levitt. A requires/provides model for computer attacks. In Proceedings of the 2000 New Security Paradigms Workshop, pages 31-38, Ballycotton Co., Cork, Ireland, Sept. 18-21, 2000.
26. A. Valdes and K. Skinner. Probabilistic alert correlation. In W. Lee, L. Mé, and A. Wespi, editors, Recent Advances in Intrusion Detection (RAID 2001), volume 2212 of LNCS, pages 54-68, Davis, California, Oct. 10-12, 2001. Springer-Verlag.
27. P. H. Winston. Artificial Intelligence. Addison-Wesley, 1977.
28. D. Zerkle and K. Levitt. NetKuang-a multi-host configuration vulnerability checker. In Proceedings of the Sixth USENIX Security Symposium, pages 195-204, San Jose, California, July 22-25, 1996.