Definition 7: Intrusion Scenario. An intrusion scenario is a sequence
S(A_1, A_2, ..., A_n, O) where the A_i's are attack instances, A_1 is an initial action and
O is an intrusion objective instance such that:
- ∀i, j ∈ {1, .., n}, if i > j then Detectime(A_i) ≥ Detectime(A_j)
- ∀i ∈ {1, .., n}, ∃ j < i such that A_i has an influence over A_j
- A_n is a malicious attack with respect to O
Note that other actions (than A_n) in scenario S can also have an influence
over O.
3 Example and Limitations
The definition of correlation used in this paper is quite weak. Actually, two
actions are correlated as soon as they have one predicate in common in their
post-condition and pre-condition. As a side effect, given a set of actions we can
build a high number of scenarios leading to an intrusion objective. We illustrate
this with a scenario example leading to an illegal access to a protected file.
Let us consider an intruder, bad_guy, and a confidential file, secret_file.
Let us say that bad_guy wants to reach the intrusion objective
illegal_file_access(secret_file). The intruder and the system start in the
following system state K:
- file(secret_file)
- not(read_access(bad_guy, read, secret_file))
- printer(ppt)
- physical_access(bad_guy, ppt)
- not(blocked(ppt))
This means that secret_file is a file, bad_guy does not have the rights to read
it and ppt is a printer that bad_guy can reach physically. bad_guy wants to reach
a system state where the following conditions are achieved:
- read_access(bad_guy, read, secret_file)
- not(authorized(bad_guy, read, secret_file))
That is, bad_guy can read the sensitive file secret_file while he is not allowed
to do so.
Let us assume that the following actions are detected:
- A = touch(bad_guy, guy_file) with Detectime(A) = t1
- B = block(bad_guy, ppt) with Detectime(B) = t2
- C = lpr-s(bad_guy, ppt, guy_file) with Detectime(C) = t3
- D = remove(bad_guy, guy_file) with Detectime(D) = t4
- E = ln-s(bad_guy, guy_file, secret_file) with Detectime(E) = t5
- F = unblock(bad_guy, ppt) with Detectime(F) = t6
- G = print_process(ppt, guy_file) with Detectime(G) = t7
- H = get_file(bad_guy, secret_file) with Detectime(H) = t8
The timestamps are such that t1 < t2 < t3 < t4 < t5 < t6 < t7 < t8.