S. Hansman and R. Hunt, "A Taxonomy of Network and Computer Attacks," Computers & Security, vol. 24, no. 1, Feb. 2005, pp. 31–43.

A Taxonomy of Network and Computer Attacks
Simon Hansman & Ray Hunt, Computers & Security (2005)
Presented by Mike Hsiao, 2008-06-13
Before going to details (1/2)
• Why do we need a taxonomy?
  • Its main goal is to organize information about known vulnerabilities or attacks, so that designers can use that information to build more secure systems or defense systems.
  • If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered the cause of the flaw.
Before going to details (2/2)
• Why do we need a taxonomy?
  • The taxonomy provides useful information for finding unknown vulnerabilities as well as for avoiding similar vulnerabilities in future designs.
  • It provides a classification of testing techniques based on the vulnerability each test is meant to discover. Each test class discovers all the vulnerabilities that have similar characteristics.
In This Paper
• The authors aim to develop a "pragmatic taxonomy that is useful to those dealing with attacks on a regular basis."
• They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks:
  • developing a single tree-structured taxonomy incorporating all the dimensions would be cumbersome.
Outline
• Introduction
• [X] Requirements and existing classification methods
• Proposal for a new prototype taxonomy
• Classification using dimensions
• Classification case study
• Conclusions
Introduction: Attack sophistication vs. intruder technical knowledge
Introduction
• The proposed taxonomy
  • is an attempt to provide a common classification scheme that can be shared between organizations.
  • allows previous knowledge to be applied to new attacks, as well as providing a structured way to view such attacks.
  • aims to take into account all parts of the attack (from the vulnerability, to the target, to the attack itself) and talk in terms of the target being.
Requirements 1
• Accepted (Amoroso, 1994; Howard, 1997): The taxonomy should be structured so that it can become generally approved.
• Comprehensible (Lindqvist and Jonsson, 1997): A comprehensible taxonomy can be understood by those in the security field as well as by those who only have an interest in it.
• Completeness (Amoroso, 1994) / Exhaustive (Howard, 1997; Lindqvist and Jonsson, 1997): For a taxonomy to be complete/exhaustive, it should account for all possible attacks and provide categories accordingly.
  • While it is hard to prove that a taxonomy is complete or exhaustive, it can be justified through the successful categorization of actual attacks.
Requirements 2
• Determinism (Krsul, 1998): The procedure of classifying must be clearly defined.
• Mutually exclusive (Howard, 1997; Lindqvist and Jonsson, 1997): A mutually exclusive taxonomy will categorize each attack into, at most, one category.
• Repeatable (Howard, 1997; Krsul, 1998): Classifications should be repeatable.
• Terminology complying with established security terminology (Lindqvist and Jonsson, 1997).
Requirements 3
• Terms well defined (Bishop, 1999): There should be no confusion as to what a term means.
• Unambiguous (Howard, 1997; Lindqvist and Jonsson, 1997): Each category of the taxonomy must be clearly defined so that there is no ambiguity with respect to an attack's classification.
• Useful (Howard, 1997; Lindqvist and Jonsson, 1997): A useful taxonomy can be used in the security industry, and particularly by incident response teams.
Taxonomy: animal kingdom's taxonomy?
• The initial approach was to create a taxonomy analogous to the animal kingdom's taxonomy.
• The resulting taxonomy would be a tree-like structure with the more general categories at the top and the specific categories at the leaves.
• However:
  • How to deal with blended attacks?
  • Attacks, unlike animals, often do not have many common traits.
Taxonomy: list-based (flat list of categories)?
• A flat list with general categories could be suggested,
  • but general categories are of limited use;
• or, secondly, a flat list with very specific categories could be proposed,
  • but the list would become almost infinite, with few instances within each category.
Proposal for a new prototype taxonomy: alternative
• Use the concept of dimensions:
  • attack vector
    • the method by which an attack reaches its target
  • attack target
    • classified down to very specific targets, such as Sendmail 8.12.10, or covering a class of targets, such as Unix-based systems
  • vulnerabilities and exploits
    • do not have a structured classification (CVE)
  • possibility for an attack to have a payload or effect beyond itself
    • For example, a virus that installs a trojan horse is still clearly a virus, but has a trojan as a payload.
1st dimension: attack vector
• the method by which an attack reaches its target
• If the attack uses a single attack vector, categorise by the vector.
• Otherwise find the most appropriate category, using the descriptions for each category below.
2nd dimension: attack target
• classified down to very specific targets
• Hardware
  • Computer
  • Hard-disks
  • Network Equipment
  • Peripheral devices
• Software
  • Operating System
    • Windows family
    • Unix family
    • MacOS family
  • Application
    • Server
    • User
• Network
  • Protocols
3rd dimension: vulnerabilities and exploits
• Common Vulnerabilities and Exposures (CVE)
• Or:
  • Vulnerability in implementation
  • Vulnerability in design
  • Vulnerability in configuration
4th dimension: payloads or effects
• First-dimension attack payload (the payload is itself an attack classified by the first dimension, e.g. a virus carrying a trojan)
• Corruption of information
• Disclosure of information
• Theft of service
  • use a system's services without authorization
• Subversion
  • gain control over part of the target and use it for the attacker's own purposes
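The four dimensions above can be made concrete as a small, deterministic classifier. The code below is an added illustration, not from the paper or the slides: it encodes the target hierarchy as drawn on the slides, accepts a CVE id or one of the three vulnerability kinds, and handles a blended attack (the slides' "virus that installs a trojan") by classifying the payload recursively. The attack-vector set is a constructed subset (only the two vectors the slides mention) and the CVE id is a placeholder.

```python
from __future__ import annotations
from dataclasses import dataclass
import re
from typing import Optional, Union

# Dimension 1: attack vectors. Constructed subset: only the vectors named on the slides.
VECTORS = {"virus", "trojan"}

# Dimension 2: target hierarchy as drawn on the slides, general -> specific.
TARGETS = {
    "Hardware": {"Computer": {}, "Hard-disks": {}, "Network Equipment": {}, "Peripheral devices": {}},
    "Software": {"Operating System": {"Windows family": {}, "Unix family": {}, "MacOS family": {}},
                 "Application": {"Server": {}, "User": {}}},
    "Network": {"Protocols": {}},
}

# Dimension 3: a CVE identifier, or one of the slides' three vulnerability kinds.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
VULN_KINDS = {"implementation", "design", "configuration"}

# Dimension 4: an effect, or a nested Attack (payload that is itself a first-dimension attack).
EFFECTS = {"corruption", "disclosure", "theft of service", "subversion"}

@dataclass
class Attack:
    vector: str
    target: tuple[str, ...]   # path through TARGETS, optionally ending in a specific product
    vulnerability: str
    payload: Optional[Union["Attack", str]] = None

def target_is_valid(path: tuple[str, ...]) -> bool:
    """Walk the hierarchy; one free-form element is allowed below a leaf (e.g. 'Sendmail 8.12.10')."""
    node = TARGETS
    for i, part in enumerate(path):
        if part not in node:
            return node == {} and i == len(path) - 1   # specific target directly under a leaf
        node = node[part]
    return len(path) > 0

def classify(a: Attack) -> dict:
    """Map an attack onto the four dimensions; a nested payload is classified the same way."""
    if a.vector not in VECTORS:
        raise ValueError(f"unknown attack vector: {a.vector}")
    if not target_is_valid(a.target):
        raise ValueError(f"target not in hierarchy: {a.target}")
    if not (CVE_RE.match(a.vulnerability) or a.vulnerability in VULN_KINDS):
        raise ValueError(f"vulnerability must be a CVE id or one of {sorted(VULN_KINDS)}")
    if isinstance(a.payload, Attack):
        payload = classify(a.payload)            # blended attack: recurse into the payload
    elif a.payload is None or a.payload in EFFECTS:
        payload = a.payload
    else:
        raise ValueError(f"unknown payload/effect: {a.payload}")
    return {"vector": a.vector, "target": "/".join(a.target),
            "vulnerability": a.vulnerability, "payload": payload}

# Constructed example from the slides: a virus that installs a trojan is still a virus,
# with the trojan as its payload. "CVE-0000-0000" is a placeholder, not a real id.
VIRUS_WITH_TROJAN = Attack(
    vector="virus", target=("Software", "Operating System", "Unix family"), vulnerability="implementation",
    payload=Attack(vector="trojan", target=("Software", "Application", "Server", "Sendmail 8.12.10"),
                   vulnerability="CVE-0000-0000", payload="subversion"))
```

Running `classify(VIRUS_WITH_TROJAN)` yields a record whose `payload` field is itself a full four-dimension record, which is how the blended case stays in exactly one top-level category (mutual exclusivity) while still capturing the trojan.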
Other dimensions
• Damage: A damage dimension would attempt to measure the amount of damage that the attack does.
• Cost: Cleaning up after an attack costs money.
• Propagation: The speed at which the attack reproduces or spreads.
• Defense: The methods by which an attack has been defended against could be made into a further defense dimension.
Conclusion
• Attacks are easily categorized.
• Some requirements have not been fully met.
• The issue here is not so much the taxonomy, but how the blended attacks have been analyzed and described.
Comments
• All network activity is conducted through network protocols.
• Communication between two hosts relies on the underlying protocol stacks.
• An attack itself is a kind of communication; however, this specific communication can exploit certain vulnerabilities
  • to get remote access (or many other goals, intentions, ...).
• Producing a taxonomy of network protocol vulnerabilities seems an alternative way to classify the attacks:
  • flaws caused by implementation or specification.