An attack task specification (or a top-level attack goal) is given by the following quadruple: <Network (host) address, Malefactor's intention, Known data, Attack object>. The task specification has to determine the class of scenarios that lead to the intended result. Known data specifies the information about the attacked computer network (host) that is known to the malefactor. Attack object corresponds to an optional variable in the attack goal specification that defines the attack target more precisely.
The developed problem domain ontology “Computer network attacks” comprises a hierarchy of notions specifying the activities of malefactors directed at implementing attacks of various classes at different levels of detail. In this ontology, the hierarchy of nodes representing notions splits into two subsets according to the macro- and micro-levels of the domain specifications. All nodes of the attack ontology are divided into intermediate and terminal ones.
Based on the explanation of the attack modeling strategy [7], the definition of the basic notions of attack specification, and the structure of the basic malefactors' intentions and actions, the following basic assumptions and statements used for formal attack specification were determined: (1) Each attack intention can be considered as a sequence of symbols in terms of lower-level intentions and actions. These sequences can be formally considered as “words” of a language that can be generated by a formal grammar. Thus, each node of the ontology “Computer network attacks” can be specified in terms of a formal grammar generating a more detailed attack specification; (2) Specification of the uncertainties inherent in attack development can be done in probabilistic terms through attributes and functions given over them. Thus, the resulting framework for attack specification can be restricted to a stochastic attribute grammar; (3) Each node (grammar) of the ontology is interconnected with the upper-level node (grammar), and this interconnection can be specified through a “grammar substitution” operation in which a terminal symbol of the parent node is considered as the axiom of the grammar corresponding to its child node; (4) Each malefactor's action has to be followed by an attacked network response.
Thus, the mathematical model of attack intentions was determined in terms of a set of formal grammars specifying particular intentions interconnected through “substitution” operations: $M_A = \langle \{G_i\}, \{Su\} \rangle$, where $\{G_i\}$ are the formal grammars and $\{Su\}$ are the “substitution” operations. Every formal grammar is specified by the quintuple $G = \langle V_N, V_T, S, P, A \rangle$, where $G$ is the grammar name, $V_N$ is the set of non-terminal symbols associated with the upper and intermediate levels of an attack scenario, $V_T$ is the set of its terminal symbols representing “simple” attacks (exploits), $S \in V_N$ is the initial symbol of an attack scenario, $P$ is the set of productions that specify the specialization operations for the intention through the substitution of the symbols of an upper-level node by the symbols of the lower-level nodes, and $A$ is the set of attributes and the algorithms for their computation.
The attribute component of each grammar serves two main purposes. The first is to specify the randomized choice of a production at the current inference step if several productions have the same left-part non-terminal coinciding with the “active” non-terminal in the sequence currently under inference. The attribute component is also used to check the conditions determining the admissibility of using a production at the current inference step. These conditions may depend on the compatibility of the malefactor's actions with the properties of the attacked network or host, e.g., OS type and version, running services, security parameters, etc.
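As an added illustration (not the paper's own code), the following Python sketch implements assumptions (1)–(3) and the two roles of the attribute component described above: a weighted, randomized choice among productions sharing the active non-terminal, an admissibility condition on each production checked against the known data about the host, and the “grammar substitution” of a parent terminal by a child grammar's axiom. Grammar symbols, weights and host data are constructed placeholders.

```python
import random

# Stochastic attribute grammar G = <V_N, V_T, S, P, A>. Each production carries a
# weight (attribute for randomized choice) and an admissibility condition over
# the "known data" about the attacked host. Names below are constructed.
class Grammar:
    def __init__(self, axiom, productions):
        self.axiom = axiom              # S, the initial symbol of this node
        self.productions = productions  # P: lhs -> [(rhs, weight, condition)]

    def admissible(self, lhs, host):
        # Attribute check: keep only productions whose condition holds on the host
        return [(rhs, w) for rhs, w, cond in self.productions[lhs] if cond(host)]

    def generate(self, host, rng):
        """Leftmost derivation: expand the 'active' non-terminal by a weighted
        random choice among admissible productions until only terminals remain."""
        word = [self.axiom]
        while any(s in self.productions for s in word):
            i = next(k for k, s in enumerate(word) if s in self.productions)
            options = self.admissible(word[i], host)
            if not options:
                raise ValueError(f"no admissible production for {word[i]}")
            rhs = rng.choices([r for r, _ in options], [w for _, w in options])[0]
            word[i:i + 1] = list(rhs)
        return word

def substitute(grammar, children, host, rng):
    """'Grammar substitution': a terminal of the parent grammar that names a
    child grammar is treated as that child's axiom and expanded in turn."""
    out = []
    for sym in grammar.generate(host, rng):
        out.extend(substitute(children[sym], children, host, rng)
                   if sym in children else [sym])
    return out

def always(host):
    return True

MACRO = Grammar("Intention", {"Intention": [(("Recon", "Access"), 1.0, always)]})
RECON = Grammar("Recon", {"Recon": [
    (("identify_host",), 0.4, always),
    (("identify_host", "identify_services"), 0.6, always)]})
ACCESS = Grammar("Access", {"Access": [
    (("E_unix",), 0.7, lambda h: h["os"] == "unix"),      # admissible on unix hosts only
    (("E_win",), 0.7, lambda h: h["os"] == "windows"),    # admissible on windows hosts only
    (("remote_login",), 0.3, lambda h: "ssh" in h.get("services", []))]})
CHILDREN = {"Recon": RECON, "Access": ACCESS}  # parent terminal -> child grammar

def scenario(host, seed=0):
    """One attack scenario 'word' for the given known data about the host."""
    return substitute(MACRO, CHILDREN, host, random.Random(seed))

if __name__ == "__main__":
    print(scenario({"os": "unix", "services": ["ssh"]}, seed=1))  # constructed host
```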