- scenario 3: $\vec{v}_{S_3} = (1, 1, 1, 3, 2, 2)$ and $\overrightarrow{v_{\sigma(S_3)}} = (3, 2, 2, 1, 1, 1)$
- scenario 4: $\vec{v}_{S_4} = (1, 2, 3, 2, 2)$ and $\overrightarrow{v_{\sigma(S_4)}} = (3, 2, 2, 2, 1)$
- scenario 5: $\vec{v}_{S_5} = (1, 1, 1, 1, 3, 2, 2)$ and $\overrightarrow{v_{\sigma(S_5)}} = (3, 2, 2, 1, 1, 1, 1)$
- scenario 6: $\vec{v}_{S_6} = (1, 1, 1, 1, 2, 3, 2, 2)$ and $\overrightarrow{v_{\sigma(S_6)}} = (3, 2, 2, 2, 1, 1, 1, 1)$
- scenario 7: $\vec{v}_{S_7} = (1, 1, 1, 2, 3, 2, 2)$ and $\overrightarrow{v_{\sigma(S_7)}} = (3, 2, 2, 2, 1, 1, 1)$
Applying definition 12, the height scenarios are ranked as follows:
$S_1 > S_6 > S_5 > S_7 > S_3 > S_2 > S_4$
Hence, $S_1$ (which involves all instantiated attacks) is the most plausible scenario, as expected.
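Definition 12 is not on this page, so the comparison rule below is an assumption, not the paper's own definition: the added example (not from the authors) sorts each weight vector as the page's $\sigma$ does and then compares the ascending-sorted vectors position by position, a smaller weight counting as a stronger correlation, which reproduces the published order for the five scenarios whose vectors appear above.

```python
from functools import cmp_to_key
from typing import Dict, List

# Correlation-weight vectors v_S copied from the scenarios listed on this page.
# S1 and S2 are omitted because their vectors are not given here.
SCENARIOS: Dict[str, List[int]] = {
    "S3": [1, 1, 1, 3, 2, 2],
    "S4": [1, 2, 3, 2, 2],
    "S5": [1, 1, 1, 1, 3, 2, 2],
    "S6": [1, 1, 1, 1, 2, 3, 2, 2],
    "S7": [1, 1, 1, 2, 3, 2, 2],
}


def sigma(v: List[int]) -> List[int]:
    """v_{sigma(S)} as shown on the page: the weights sorted in descending order."""
    return sorted(v, reverse=True)


def compare(a: List[int], b: List[int]) -> int:
    """Assumed ordering (definition 12 is not on this page).

    Walk both vectors in ascending order; at the first position where they
    differ, the smaller weight (stronger correlation) wins.  If one vector is
    a prefix of the other, the scenario with more correlated attacks wins.
    Returns -1 if `a` ranks higher than `b`, 1 if lower, 0 if tied.
    """
    for x, y in zip(sorted(a), sorted(b)):
        if x != y:
            return -1 if x < y else 1
    if len(a) != len(b):
        return -1 if len(a) > len(b) else 1
    return 0


def rank(scenarios: Dict[str, List[int]]) -> List[str]:
    """Scenario names from most to least plausible under compare()."""
    key = cmp_to_key(lambda p, q: compare(scenarios[p], scenarios[q]))
    return sorted(scenarios, key=key)


if __name__ == "__main__":
    for name, v in SCENARIOS.items():
        print(name, v, "->", sigma(v))
    print(" > ".join(rank(SCENARIOS)))  # S6 > S5 > S7 > S3 > S4
```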
6 Conclusion
Based on the observation that an intrusion scenario might be represented as a planning activity, we suggest a model to recognize intrusion scenarios and malicious intentions. This model does not follow previous proposals [3,4], which require explicitly specifying a library of intrusion scenarios. Instead, our approach is based on the specification of elementary attacks and intrusion objectives. We then show how to derive correlation relations, or positive influence, between two attack instances or between an attack instance and an intrusion objective. Detection of complex intrusion scenarios is obtained by combining these binary correlation relations. We then define the notion of anti-correlation, or negative influence, which is useful to recognize a sequence of correlated attacks that no longer enables the intruder to achieve an intrusion objective. This may be used to eliminate a category of false positives that correspond to false attacks, that is, actions that are not further correlated to an intrusion objective. Lastly, we propose correlation weights, which can be very useful to select plausible scenarios. When the intruder has not yet achieved his intrusion objective but several possible intrusion objectives are consistent with a given sequence of correlated attacks, our current strategy is to select the objective that contains more strongly correlated attacks.
Future work includes integrating expert knowledge into the correlation process. Indeed, to decide whether a given intrusion scenario instance is achieved or not, it is often necessary to combine information provided by “classical” IDS with other information about the system monitored by the IDS: its topology, configuration and other data about the type and version of the operating systems and applications installed in this system [8]. This kind of data is not provided by classical IDS, but other tools exist that may be used to collect it. Since current IDS also provide alerts that do not allow us to distinguish between successful and failing attacks, these additional data would also be useful for that purpose. This problem is currently investigated in the ongoing DICO project.
Acknowledgements
This work was funded by the French Ministry of Research as part of the DICO
project. The authors would like to thank all the members of these projects,