To build the tool mentioned above, two problems need to be solved. The first is how to recognize the events related to a particular attack so that they can be grouped together. The second is how to display these events in an intuitive and comprehensible way. In this paper, we call the first problem “attack scenario construction” and the second problem “attack scenario visualization”.
The attack scenario construction problem has been studied extensively in the past by network security researchers. Previous works proposed methods to construct attack scenarios using cause and effect relationships between events. That is, they define some conditions (called pre-conditions) that must be true for a particular attack to be valid, and they assume that when an attack is successful, it will cause some other conditions (called consequences) to become true. The outputs of these works are attack scenarios that contain individual but related events in some order. However, these approaches require the administrators to define in advance all the cause and effect relationships between events, which is a difficult and time-consuming task. Instead, in this paper we focus on the security of web applications, and hence we are able to exploit the linking nature between web pages to propose an attack scenario construction technique that does not need a human user to pre-define cause and effect relationships.
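A sketch of the pre-condition/consequence correlation used by the earlier work described above (an added example, not code from the paper; the rule table, alert types, condition names and sample alerts are all constructed). It also shows the limitation the authors point to: an alert type with no hand-written rule cannot be placed in any scenario.

```python
from dataclasses import dataclass

# Hand-written rule base (constructed): what each alert type needs to be
# plausible ("pre") and what it makes true when it succeeds ("post").
RULES = {
    "port_scan":   {"pre": set(),                      "post": {"service_known"}},
    "sqli_probe":  {"pre": {"service_known"},          "post": {"injectable_param_known"}},
    "sqli_dump":   {"pre": {"injectable_param_known"}, "post": {"credentials_leaked"}},
    "admin_login": {"pre": {"credentials_leaked"},     "post": {"admin_session"}},
}

@dataclass(frozen=True)
class Alert:
    ts: int        # event time (arbitrary units)
    kind: str      # alert type reported by the sensor
    target: str    # host the alert refers to

def build_scenarios(alerts, rules=RULES):
    """Group alerts into scenarios: B joins A's scenario when A is earlier,
    hits the same target, and one of A's consequences is a pre-condition of B."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    scenario_of = {}                                  # alert index -> scenario id
    for i, cur in enumerate(ordered):
        pre = rules.get(cur.kind, {}).get("pre", set())
        parents = [j for j in range(i)
                   if ordered[j].target == cur.target
                   and rules.get(ordered[j].kind, {}).get("post", set()) & pre]
        sid = scenario_of[parents[0]] if parents else i
        for j in parents[1:]:                         # several causes: merge scenarios
            old = scenario_of[j]
            for k in list(scenario_of):
                if scenario_of[k] == old:
                    scenario_of[k] = sid
        scenario_of[i] = sid
    groups = {}
    for i, sid in scenario_of.items():
        groups.setdefault(sid, []).append(ordered[i])
    return list(groups.values())                      # each list is in time order

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    Alert(1, "port_scan", "10.0.0.5"), Alert(2, "sqli_probe", "10.0.0.5"),
    Alert(3, "sqli_probe", "10.0.0.9"), Alert(4, "sqli_dump", "10.0.0.5"),
    Alert(5, "xss_reflected", "10.0.0.5"),            # no rule written for this type
    Alert(6, "admin_login", "10.0.0.5"),
]

if __name__ == "__main__":
    for scenario in build_scenarios(SAMPLE_ALERTS):
        print(" -> ".join(f"{a.kind}@{a.target}" for a in scenario))
```

The `xss_reflected` alert hits the same host during the same activity but stays isolated, because nobody wrote a rule for it.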
For the attack scenario visualization problem, although there are some studies about using information visualization techniques to present attacks, most of them focus on displaying these attacks separately. In other words, even though the attacks are displayed at the same time and on the same screen, usually no relationship information between the attacks (and other related events) is shown. To the best of our knowledge, there is no published work yet about attack scenario visualization for the web application domain. Thus, our hope is that the contributions of this work can provide some initial perspectives and ideas on which further studies can be based. To make our work more persuasive, we also develop a prototype implementation to demonstrate our proposal and use it to experiment with different attack scenarios. The experiment results show that our work can reveal some information that is not easy to see using a traditional web application intrusion detection system.
To summarize, the contributions of this paper are as follows:
• Propose a technique to construct web-based attack scenarios by exploiting the linking nature between web pages
• Propose an information visualization and user interaction technique to display attack scenarios to security administrators
• Implement a prototype for the above proposals and use it to experiment with attacks from both automatic tools and human attackers
The rest of the paper is structured as follows: in section 2, we review some related works; in section 3, we describe the architecture of our proposal; section 4 covers the visualization design used to present attack scenarios; our experiments are reported in section 5; and section 6 concludes this paper with some plans for future work.