perform visualization of the attack development. Network Agent Kernel contains the
standard set of functions for processing the application domain ontology and the state
machine model, as well as the functions used for specifying the network configuration
through the user interface, for initializing the firewall model, and for computing
the network's response to an attacking action.
The attack scenario visualization component is used to visualize the attack
generation process. The component provides graphic, “real-time” visualization of
the “unfolding” of an attack scenario. An example of the main demonstration window,
showing the development of an attack at the macro level, is shown in Fig. 3. It depicts
a fragment of attack development for intention 8 (“Escalating Privileges (EP)”),
where the hacker's IP address is 161.43.201.148 and the host IP address is
210.122.25.0. In the figure the attack information is divided into four groups: (1)
the attack task specification units are shown at the top left of the screen; (2) to the
right of them the attack generation tree is visualized; (3) the strings of generated
malefactor's actions are placed in the left part of the screen below the attack task
specification; (4) to the right of each malefactor's action, a tag of success (failure) and
data obtained from an attacked host (a host response) are depicted.
The Attack task specification section contains the information generated by the
attack task specification component. The graph showing the Attack generation
tree represents a hierarchy of the malefactor's intentions and actions of different
levels, which correspond to non-terminal and terminal nodes. The non-terminal high-level
nodes are depicted by white ellipses. The terminal nodes of the attack model
correspond to blue nodes. The brown node is the node of the current step of the attack
scenario execution. The transcriptions of the blue nodes can be seen in the section
“Current non-terminal node”.
As the attack scenario develops, strings with the following elements
appear in the white window. Brown strings in the left part of the diagram are
descriptions of the generated terminal malefactor's actions. The result of each malefactor's
action may be positive or negative. If the result is positive, the square block
(designating the tag of success) is green, and green comments are printed to the right of the
square block. A negative result means that the action was unsuccessful. A
negative result is possible in two cases: if the attack is blocked by a firewall (in that
case, the indicator and the comment are red); or if the network response is negative (the
indicator is grey, and the comment is absent). When the string “END: Attack is over”
appears, the scenario realization is finished.
As shown in Fig. 3, in the network attack implementation, each terminal action is
performed on each host of the network. In case of success, or of the attack being
blocked by the firewall, the square block is followed immediately by the IP address
of the host at which that terminal attack action was directed.
In case of success, the comment contains the decoding of the result obtained
through that terminal action of Hacker Agent, and the information obtained from
Network Agent as a result of the attacker's action (that information may be absent).
In case of the hacker's attack being blocked, the comment contains information on
the reasons for the attack being blocked, as well as the name of the firewall. If the
attack was blocked at the level of the network firewall, then the IP address of the
network is placed at the start of the comment.