At the second (lower) level each low-level action is specified by the corresponding packets of the network, transport and application layers of the Internet protocol stack.
The network interface provides: (1) in the case of operation with a model of the analyzed system, transfer of attack identifiers and parameters (or of network packets, under more detailed modeling and simulation), and also receipt of attack results and system reactions; (2) in the case of interaction with a computer network, transfer, capture and preliminary analysis of network traffic. The preliminary analysis includes: (1) parsing packets into connections and delivering information about packets (including data on set flags, payload, etc.) and connections; (2) acquiring data about attack results and system reactions, and also the values of some statistics reflecting the actions of SAS at the level of network packets and connections.
The module of security level assessment is based on a developed taxonomy of security metrics. It is the main module: it calculates security metrics from the results of attack actions.
The module of database and knowledge repository update downloads the open vulnerability databases [30] (for example, OSVDB, the open source vulnerability database [24]) and translates them into the knowledge base (KB) of low-level operation (functionality) rules.
4 Generalized Attack Model
The functioning of SAS is specified by the attack model implemented in the module of malefactor's model realization. The model is defined as a hierarchical structure consisting of several levels (Fig. 3). The three higher levels of the attack model correspond to an attack scriptset, a script and script stages. The scriptset level defines a set of general malefactor's intentions (high-level goals). This level corresponds to the realization of a series of scenarios which can be implemented by a group of malefactors. The script level defines only one malefactor's intention. The set of script stages can contain the following elements: reconnaissance, implantation (initial access to a host), gaining privileges, threat realization, covering tracks and backdoor creation. The lower levels serve for refinement of the malefactor's subgoals. The lowest level describes the malefactor's low-level actions, which directly execute different exploits.
Two main methods of malefactor's goal achievement are used in the attack model: (1) forward and (2) backward inference. Both methods use the database of functionality rules, selecting an item in the hierarchy of the generalized attack model. Forward inference performs an exhaustive or limited search of the actions available at the current hierarchy level. Executing this inference method, SAS realizes all, or a limited number, of the available malefactor's low-level actions for every script stage, beginning from the first stage. Backward inference implies generation of an optimized chain of actions based on the definition of the malefactor's intention (goal), beginning from the last action in the chain and working back to the first action. After definition of one malefactor's intention or a set of them, SAS goes to the next level of the generalized attack model and generates the needed scenarios and attack actions.
The malefactor's behavior strategy is defined by his model. In this model the malefactors are classified by knowledge and experience level into three groups: (1) a low level (“novice”); (2) a middle level; (3) a high level (“professional”). The “novice” uses the exhaustive forward inference method for goal achievement, the middle-level malefactor uses the limited forward inference method, and the “professional” uses the backward inference method.
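The two inference methods and their mapping to the three malefactor levels, as an added toy example that is not the paper's SAS code: functionality rules are modeled as abstract (precondition, effect) records, the stage list, rule names and fact names are constructed placeholders, and the "limited" search is assumed to mean at most one action per stage.

```python
from dataclasses import dataclass
# Added toy version of the SAS attack model (not the paper's code); all names are constructed placeholders.
@dataclass(frozen=True)
class Rule:
    name: str            # low-level action label (abstract placeholder)
    stage: str           # script stage the action belongs to
    requires: frozenset  # facts that must hold before the action runs
    gives: frozenset     # facts the action establishes on success
STAGES = ["reconnaissance", "implantation", "gaining_privileges", "threat_realization"]
F = frozenset
KB = [  # constructed knowledge base of low-level functionality rules
    Rule("probe_a", "reconnaissance", F(), F({"host_known"})),
    Rule("probe_b", "reconnaissance", F(), F({"service_known"})),
    Rule("entry_a", "implantation", F({"host_known"}), F({"user_access"})),
    Rule("entry_b", "implantation", F({"service_known"}), F({"user_access"})),
    Rule("escalate_a", "gaining_privileges", F({"user_access"}), F({"admin_access"})),
    Rule("goal_a", "threat_realization", F({"admin_access"}), F({"goal_reached"})),
]
def forward_inference(kb, limit=None):
    """Walk the stages from the first; fire every applicable action
    (exhaustive, limit=None) or at most `limit` per stage (limited search)."""
    facts, trace = set(), []
    for stage in STAGES:
        applicable = [r for r in kb if r.stage == stage and r.requires <= facts]
        for r in applicable[:limit]:
            facts |= r.gives
            trace.append(r.name)
    return trace
def backward_inference(kb, goal):
    """From the goal fact, pick a rule yielding it and recurse on its
    preconditions; returns the chain first action first, or None."""
    def chain(fact, seen):
        for r in kb:
            if fact in r.gives and r.name not in seen:
                sub = []
                for pre in r.requires:
                    step = chain(pre, seen | {r.name})
                    if step is None:
                        break
                    sub += [a for a in step if a not in sub]
                else:  # every precondition is reachable
                    return sub + [r.name]
        return None
    return chain(goal, frozenset())
def plan(level, kb, goal="goal_reached"):
    """Malefactor model: novice -> exhaustive forward, middle -> limited forward, professional -> backward."""
    return {"novice": lambda: forward_inference(kb),
            "middle": lambda: forward_inference(kb, limit=1),
            "professional": lambda: backward_inference(kb, goal)}[level]()
```

The "professional" chain skips probe_b and entry_b entirely, which is what makes the backward-generated chain shorter than the exhaustive forward trace.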