- $expr_{E_i} = pred$
- $expr_{E_i} = not(pred)$

where pred is a predicate. We also assume that E and F are not equivalent to true.
Definition 3: Correlation. We say that logical expressions E and F are correlated if there exist $i$ in $\{1, .., m\}$ and $j$ in $\{1, .., n\}$ such that $expr_{E_i}$ and $expr_{F_j}$ are unifiable through a most general unifier (mgu) $\Theta$.
Definition 4: Action Correlation or Positive Influence. An action A has a positive influence on an action B if the post condition of A and the pre condition of B are correlated using definition 1.
Fig. 3 illustrates an example of attack correlation where the action mount may have a positive influence on the action .rhost modification.
action mount(User,Address,Partition)
Pre: remote_access(User,Address),
mounted_partition(Address,Partition)
Post: can_access(User,Partition)
action .rhost modification(User,Address,Partition)
Pre: remote_access(User,Address),
can_access(User,Partition),
owner(Partition,U),
userid(U,Userid)
Post: user_access(User,Address)
Fig. 3. Example of positive influence between two attacks
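Definitions 3 and 4 applied to the two actions of Fig. 3, as an added example that is not part of the original text. Predicates are modelled as Python tuples with capitalised arguments as variables; the helper names (`unify`, `correlated`, `positive_influence`) and the tuple encoding are assumptions made for this illustration.

```python
# Added illustration. A predicate is a tuple (name, arg, ...); capitalised
# arguments are variables, as in Fig. 3. The not(pred) form is left out here.
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def walk(t, theta):
    # Follow variable bindings until an unbound variable or a constant is reached.
    while is_var(t) and t in theta:
        t = theta[t]
    return t

def unify(p, q):
    """Return an mgu (dict) of two flat predicates, or None if they do not unify."""
    if p[0] != q[0] or len(p) != len(q):
        return None  # different predicate name or arity
    theta = {}
    for a, b in zip(p[1:], q[1:]):
        a, b = walk(a, theta), walk(b, theta)
        if a == b:
            continue
        if is_var(a):
            theta[a] = b
        elif is_var(b):
            theta[b] = a
        else:
            return None  # two different constants
    return theta

def rename(preds, suffix):
    # Standardise apart so equal variable names in two actions do not clash.
    return [(p[0],) + tuple(a + suffix if is_var(a) else a for a in p[1:]) for p in preds]

def correlated(E, F):
    """Definition 3: return (expr_Ei, expr_Fj, mgu) for the first unifiable pair, else None."""
    for e in rename(E, "_a"):
        for f in rename(F, "_b"):
            theta = unify(e, f)
            if theta is not None:
                return e, f, theta
    return None

def positive_influence(a, b):
    """Definition 4: the post condition of a is correlated with the pre condition of b."""
    return correlated(a["post"], b["pre"])

MOUNT = {"pre": [("remote_access", "User", "Address"), ("mounted_partition", "Address", "Partition")],
         "post": [("can_access", "User", "Partition")]}
RHOST = {"pre": [("remote_access", "User", "Address"), ("can_access", "User", "Partition"),
                 ("owner", "Partition", "U"), ("userid", "U", "Userid")],
         "post": [("user_access", "User", "Address")]}
```

`positive_influence(MOUNT, RHOST)` finds the shared `can_access` predicate and returns the substitution that identifies the two actions' `User` and `Partition` variables; the reverse direction returns `None`.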
Definition 5: Malicious Action. An action A is a malicious action with respect
to an intrusion objective O , if the post condition of A and the state condition
of O are correlated.
For example the action get-file(Agent, File, Printer) is a malicious action because its post condition is correlated with intrusion objective illegal_file_access(File).
Definition 6: Initial Action. An action A is said to be an initial action if either
its pre condition is equal to true, or all its pre condition predicates are satisfied
by the system's state.
For example the action touch(Agent, File) is an initial action, since its pre condition is equal to true.
2.5 Intrusion Scenario
An intrusion scenario is a sequence of actions which aims at modifying the system's state in order to reach a particular state where the intrusion objective is achieved.