Definition 7: Intrusion Scenario.
An intrusion scenario is a sequence S(A_1, A_2, ..., A_n, O) where the A_i's are attack instances, A_1 is an initial action and O is an intrusion objective instance such that:
- ∀i, j ∈ {1, .., n}, if i > j then Detectime(A_i) ≥ Detectime(A_j)
- ∀i ∈ {1, .., n}, ∃j < i such that A_i has an influence over A_j
- A_n is a malicious attack with respect to O.
Note that other actions (than A_n) in scenario S can also have an influence over O.
3 Example and Limitations
The definition of correlation used in this paper is quite weak: two actions are correlated as soon as they have one predicate in common between the post-condition of the first and the pre-condition of the second. As a side effect, given a set of detected actions we can build a high number of scenarios leading to an intrusion objective. We illustrate this with a scenario example leading to an illegal access to a protected file.
Let us consider an intruder, bad_guy, and a confidential file, secret_file. Let us say that bad_guy wants to reach the intrusion objective illegal_file_access(secret_file). The intruder and the system start in the following system state K:
- file(secret_file)
- not(read_access(bad_guy, read, secret_file))
- printer(ppt)
- physical_access(bad_guy, ppt)
- not(blocked(ppt))
This means that secret_file is a file, bad_guy does not have the right to read it, and ppt is a printer that bad_guy can reach physically. bad_guy wants to reach a system state where the following conditions are achieved:
- read_access(bad_guy, read, secret_file)
- not(authorized(bad_guy, read, secret_file))
That is, bad_guy can read the sensitive file secret_file while he is not authorized to do so.
Let us assume that the following actions are detected:
- A = touch(bad_guy, guy_file) with Detectime(A) = t_1
- B = block(bad_guy, ppt) with Detectime(B) = t_2
- C = lpr -s(bad_guy, ppt, guy_file) with Detectime(C) = t_3
- D = remove(bad_guy, guy_file) with Detectime(D) = t_4
- E = ln -s(bad_guy, guy_file, secret_file) with Detectime(E) = t_5
- F = unblock(bad_guy, ppt) with Detectime(F) = t_6
- G = print_process(ppt, guy_file) with Detectime(G) = t_7
- H = get_file(bad_guy, secret_file) with Detectime(H) = t_8
The timestamps are such that t_1 < t_2 < t_3 < t_4 < t_5 < t_6 < t_7 < t_8.
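To make the multiplicity of scenarios concrete, here is an added Python example (not code from the paper) that encodes the state K, the objective O and the eight detected actions above, applies the weak correlation rule of this section (one literal shared between an earlier action's post-condition and a later action's pre-condition) and enumerates every time-ordered subsequence of the alerts that satisfies Definition 7. The pre- and post-conditions attached to touch, block, lpr -s, remove, ln -s, unblock, print_process and get_file are assumptions modelled on the classic lpr -s attack (the queued file is spooled as a link rather than a copy, so replacing guy_file by a symbolic link to secret_file before the print process runs makes the printer output the confidential file); the page lists the actions but not their models. Three readings are also assumed and marked in the code: an action is initial when its pre-condition already holds in K; an action is malicious with respect to O when one of its post-condition literals is a literal of O; and an action whose pre-condition holds in K is accepted anywhere in the sequence even without an earlier correlated alert, which is what lets A and B both belong to one scenario.

```python
"""Weak pre/post-condition correlation over the lpr -s example alerts.

Added illustration, not the paper's code. The action models (pre/post
conditions) are ASSUMED; only K, O and the alert list come from the text.
"""
from itertools import combinations

def lit(pred, *args, neg=False):
    """A literal is (predicate, args, polarity); polarity False means not(...)."""
    return (pred, args, not neg)

BAD_GUY, SECRET, GUY_FILE, PPT = "bad_guy", "secret_file", "guy_file", "ppt"

# Initial system state K, as given in the text.
K = {lit("file", SECRET),
     lit("read_access", BAD_GUY, "read", SECRET, neg=True),
     lit("printer", PPT),
     lit("physical_access", BAD_GUY, PPT),
     lit("blocked", PPT, neg=True)}

# Intrusion objective O = illegal_file_access(secret_file), as given in the text.
O = {lit("read_access", BAD_GUY, "read", SECRET),
     lit("authorized", BAD_GUY, "read", SECRET, neg=True)}

# Detected alerts in the order t1 < ... < t8: (name, Detectime, pre, post).
# The pre/post sets are ASSUMED models of the lpr -s attack steps.
ALERTS = [
    ("A:touch", 1, set(), {lit("file", GUY_FILE)}),
    ("B:block", 2, {lit("printer", PPT), lit("physical_access", BAD_GUY, PPT)},
     {lit("blocked", PPT)}),
    ("C:lpr -s", 3, {lit("file", GUY_FILE), lit("printer", PPT)},
     {lit("queued", PPT, GUY_FILE)}),            # spooled as a link, not a copy
    ("D:remove", 4, {lit("file", GUY_FILE)}, {lit("file", GUY_FILE, neg=True)}),
    ("E:ln -s", 5, {lit("file", GUY_FILE, neg=True), lit("file", SECRET)},
     {lit("link", GUY_FILE, SECRET)}),           # guy_file now points at secret_file
    ("F:unblock", 6, {lit("blocked", PPT), lit("physical_access", BAD_GUY, PPT)},
     {lit("blocked", PPT, neg=True)}),
    ("G:print_process", 7, {lit("queued", PPT, GUY_FILE), lit("blocked", PPT, neg=True),
                            lit("link", GUY_FILE, SECRET)},
     {lit("printed", PPT, SECRET)}),
    ("H:get_file", 8, {lit("printed", PPT, SECRET), lit("physical_access", BAD_GUY, PPT)},
     {lit("read_access", BAD_GUY, "read", SECRET)}),
]

def correlated(earlier, later):
    """Weak correlation: one literal shared by post(earlier) and pre(later),
    with Detectime(earlier) <= Detectime(later)."""
    return earlier[1] <= later[1] and bool(earlier[3] & later[2])

def is_initial(alert):
    """ASSUMED reading of 'initial action': its pre-condition already holds in K."""
    return alert[2] <= K

def malicious_wrt(alert, objective):
    """ASSUMED reading of 'malicious w.r.t. O': a post literal is one of O's literals."""
    return bool(alert[3] & objective)

def is_scenario(seq, objective):
    """Definition 7 on a time-ordered sequence: first element initial, every later
    element correlated with an earlier element of the sequence (or itself initial,
    an ASSUMED relaxation), last element malicious with respect to O."""
    if not seq or not is_initial(seq[0]) or not malicious_wrt(seq[-1], objective):
        return False
    for i in range(1, len(seq)):
        if not (is_initial(seq[i]) or any(correlated(seq[j], seq[i]) for j in range(i))):
            return False
    return True

def scenarios(alerts, objective):
    """All subsequences of the time-sorted alerts that satisfy Definition 7."""
    ordered = sorted(alerts, key=lambda a: a[1])
    found = []
    for n in range(1, len(ordered) + 1):
        for idx in combinations(range(len(ordered)), n):
            seq = [ordered[i] for i in idx]
            if is_scenario(seq, objective):
                found.append([a[0] for a in seq])
    return found

def correlation_edges(alerts):
    """Every (earlier, later) pair of alerts the weak correlation links."""
    return [(a[0], b[0]) for a in alerts for b in alerts
            if a is not b and correlated(a, b)]

if __name__ == "__main__":
    print("correlation edges:", correlation_edges(ALERTS))
    found = scenarios(ALERTS, O)
    print(f"{len(found)} scenarios reach illegal_file_access(secret_file)")
    for s in found:
        print("  " + " -> ".join(s))
```

With these models the eight alerts produce only eight correlation edges, yet 15 distinct scenarios end in get_file, from the four-step chain B, F, G, H up to the full eight-step one. Each is an equally valid explanation of the same intrusion under the weak correlation rule, which is the side effect the text points out: a practitioner building such a correlator should expect to rank or merge these candidates rather than report each one.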