
Fourth IEEE International Workshop on Information Assurance (IWIA'06): latest publications

Modeling and execution of complex attack scenarios using interval timed colored Petri nets
Pub Date: 2006-04-13 DOI: 10.1109/IWIA.2006.17
O. Dahl, S. Wolthusen
The commonly used flaw hypothesis model (FHM) for performing penetration tests provides only limited, high-level guidance for the derivation of actual penetration attempts. In this paper, a mechanism for the systematic modeling, simulation, and exploitation of complex multistage and multiagent vulnerabilities in networked and distributed systems based on stochastic and interval-timed colored Petri nets is described and analyzed through case studies elucidating several properties of Petri net variants and their suitability to modeling this type of attack.
Citations: 40
Active event correlation in Bro IDS to detect multi-stage attacks
Pub Date: 2006-04-13 DOI: 10.1109/IWIA.2006.2
Bing Chen, Joohan Lee, A. Wu
Many recent computer attacks have been launched in multiple stages to evade the detection of existing intrusion detection systems (IDS). Some stages of the attack may appear innocent if checked separately. Furthermore, the intervals between these separate attack stages can be on the order of hours, days, or even months. These characteristics of multi-stage attacks make the detection task challenging for most existing IDSs, which are stateless in that they perform intrusion detection by independently checking individual packets, connections or sessions. In this paper, we propose a novel approach, active event correlation (AEC), which collects and correlates suspicious network events inside a network intrusion detection system (NIDS). AEC infers the possibility of attacks in the context of security policies and blocks attacks before they are completed. We have implemented AEC on top of the Bro NIDS (Paxson, 1999). Experiments indicate that AEC can effectively recognize and correlate individual stages of multi-stage attacks, stop incomplete attack stages, and give network administrators meaningful and concise alerts.
Citations: 19
Ensuring compliance between policies, requirements and software design: a case study
Pub Date: 2006-04-13 DOI: 10.1109/IWIA.2006.7
Q. He, Paul N. Otto, A. Antón, Laurie A. Jones
Specifying correct and complete access control policies is essential to secure data and ensure privacy in information systems. Traditionally, policy specification has not been an explicit part of the software development process. This isolation of policy specification from software development often results in policies that are not in compliance with system requirements and/or organizational security and privacy policies, leaving the system vulnerable to data breaches. This paper presents the results and lessons learned from a case study that employs the Requirements-based Access Control Analysis and Policy Specification (ReCAPS) method to specify access control policies for a Web-based event registration system. The ReCAPS method aids software and security engineers in specifying access control policies derived from requirements specifications and other available sources. Our case study revealed that the ReCAPS method helps identify inconsistencies across various software artifacts, such as requirements specification, database design, and organizational security and privacy policies. Had these problems not been identified and resolved, they would have crippled later phases of software development, resulted in missing or incomplete system functionality, and compromised the system's security and privacy. This case study reinforces, validates, and extends our previous recommendations that access control policy specification should be an integral part of the software development process for information systems to achieve information assurance and improve the quality of the information system.
Citations: 18
POSEIDON: a 2-tier anomaly-based network intrusion detection system
Pub Date: 2005-11-11 DOI: 10.1109/IWIA.2006.18
D. Bolzoni, S. Etalle, P. Hartel, E. Zambon
We present POSEIDON, a new anomaly-based network intrusion detection system. POSEIDON is payload-based and has a two-tier architecture: the first stage consists of a self-organizing map, while the second one is a modified PAYL system. Our benchmarks on the 1999 DARPA data set show a higher detection rate and a lower number of false positives than PAYL and PHAD.
Citations: 118