reach a system state where the security policy is violated, i.e. where the intrusion objective is reached.
We assume that we have a set of actions that an intruder can execute, and a set of intrusion objectives to be protected. Intrusion detection systems (IDSs) produce alerts which correspond to instantiated attacks.
Our aim is to see if there are sequences of instantiated attacks, called scenarios, which allow an intruder to reach an intrusion objective.
The following subsections first give the representation of actions and intrusion objectives, then define the notions of action correlation and intrusion scenarios.
2.1 Representing Actions
In [1], actions are represented by their pre and post conditions. The pre condition of an action represents the state the system must satisfy in order to be able to execute the action. The post condition expresses the effects of the action over the system state.
Discovering correlation links among a set of actions often involves the time at which these actions are detected. Indeed, in practice we deal with time-stamped alerts, associated with attacks, that are totally ordered. The order over a set of alerts is imposed by the intruder who is carrying out the intrusion.
We propose to augment the action model by adding the time-stamp which represents the time at which the action has been detected.
Definition 1: Action Modelisation. An action A is modelled using four fields:
- $Name(Param_1, Param_2, \ldots, Param_n)$: a functional expression representing the name of the action and its parameters
- DetectTime: the timestamp at which the action has been detected
- Pre condition: conjunction of predicates the system's state must satisfy in order to be able to execute the action.
- Post condition: conjunction of predicates expressing the effects of the action over the system's state.
From now on, $DetectTime(Action_i)$ designates the timestamp of an action's instance. $Pre(Action_i)$ and $Post(Action_i)$ designate respectively the action's pre conditions and post conditions.
Fig. 1 shows examples of action modelisations, which will be used later to define scenarios.
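As an added illustration (not code from the paper, and not its Fig. 1), the following Python encodes Definition 1 and searches for scenarios over a set of constructed alerts. It assumes ground predicates represented as tuples, an intrusion objective represented as a set of predicates that must hold in the system state, and a correlation criterion (an effect of the earlier action appears among the prerequisites of the later one, and detection times respect the alert order) that this page does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    """One instantiated attack (an alert), with the four fields of Definition 1."""
    name: str          # Name(Param_1, ..., Param_n), kept as a string here
    detect_time: int   # DetectTime: timestamp at which the action was detected
    pre: frozenset     # Pre condition: conjunction of ground predicates
    post: frozenset    # Post condition: conjunction of ground predicates

def correlated(a: Action, b: Action) -> bool:
    """Assumed correlation criterion (not stated on this page): some effect in
    Post(a) is a prerequisite in Pre(b), and a was detected before b."""
    return a.detect_time < b.detect_time and bool(a.post & b.pre)

def scenarios(alerts, initial_state, objective):
    """Enumerate sequences of correlated actions whose cumulative effects, from
    initial_state, reach the objective (a condition over the system state)."""
    ordered = sorted(alerts, key=lambda x: x.detect_time)
    found = []

    def extend(seq, state):
        if objective <= state:            # intrusion objective reached
            found.append(tuple(x.name for x in seq))
            return
        for b in ordered:
            if b in seq or not b.pre <= state:   # not executable in this state
                continue
            if seq and not correlated(seq[-1], b):
                continue
            extend(seq + [b], state | b.post)    # apply the post condition

    extend([], frozenset(initial_state))
    return found

# Constructed sample alerts (not the paper's Fig. 1); predicates are tuples.
ALERTS = [
    Action("scan(h1)", 1, frozenset({("reachable", "h1")}),
           frozenset({("knows_service", "h1", "ftpd")})),
    Action("exploit(h1)", 2, frozenset({("knows_service", "h1", "ftpd")}),
           frozenset({("user_access", "h1")})),
    Action("escalate(h1)", 3, frozenset({("user_access", "h1")}),
           frozenset({("root_access", "h1")})),
    Action("scan(h2)", 4, frozenset({("reachable", "h2")}),
           frozenset({("knows_service", "h2", "sshd")})),   # unrelated noise
]
INITIAL_STATE = {("reachable", "h1"), ("reachable", "h2")}
OBJECTIVE = frozenset({("root_access", "h1")})

if __name__ == "__main__":
    print(scenarios(ALERTS, INITIAL_STATE, OBJECTIVE))
```

The unrelated scan of h2 is never chained into the scenario, because its effects are neither prerequisites of the other alerts nor needed for the objective.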
2.2 Representing Intrusion Objectives
Intrusion objectives are modelled by a condition over the system's state.
Definition 2: Intrusion Objective Modelisation. An intrusion objective O is modelled using two fields: