A taxonomy of network and computer attacks

Presentation Transcript


  1. A taxonomy of network and computer attacks. Simon Hansman, Ray Hunt, Department of Computer Science and Software Engineering, University of Canterbury, New Zealand. Computers & Security (2005) 24, 31-43. Presented by Franson, C.W. Chen

  2. Agenda • Introduction • Requirements and existing classification methods • Proposal for a new prototype taxonomy • Conclusion • Future work

  3. Introduction (1/5) • Any computer connected to the Internet is under threat from viruses, worms and attacks from hackers. • Home users, as well as business users, are attacked on a regular basis. • Many attacks are now relatively “user-friendly”, and in-depth technical knowledge is no longer required to launch an attack.

  4. Introduction (2/5) Source from: http://www.cert.org/stats/cert_stats.html

  5. Introduction (3/5)

  6. Introduction (4/5) • Why classify network and computer attacks? • To provide a useful and consistent means of classifying attacks. • For example, one organization may classify an attack as a virus while another classifies the same attack as a worm.

  7. Introduction (5/5) • The proposed taxonomy: • It allows previous knowledge to be applied to new attacks and provides a structured way to view such attacks. • It aims to take into account all parts of the attack and to talk in terms of the target being.

  8. Requirements and existing classification methods

  9. Requirements of classification methods • Requirements: • Accepted • Comprehensible • Completeness / exhaustive • Determinism • Mutually exclusive • Repeatable • Terminology complying with established security terminology • Terms well defined • Unambiguous • Useful

  10. Protection Analysis (PA) taxonomy & Research Into Secure Operating Systems (RISOS) • Both focus on vulnerabilities rather than attacks. • Both focused on categorizing security flaws, and both resulted in similar classification schemes. • Drawback: both taxonomies suffer from ambiguity between the classes.

  11. Landwehr’s security flaw taxonomy: flaws by genesis – tree-like. Source from: A Taxonomy of Computer Program Security Flaws, with Examples

  12. Bishop’s vulnerability taxonomy • Six “axes” are used to classify the vulnerabilities: nature, time of introduction, exploitation domain, effect domain, minimum number, source. • It should assist in decisions on resource investment. Source from: A Taxonomy of UNIX System and Network Vulnerabilities

  13. Howard’s taxonomy (1/2) • Focus on attacker motivation and objectives. • The taxonomy consists of five stages: attackers, tools, access, results and objectives. • Drawbacks: • Howard describes the attack process, whereas this work is focused solely on the attacks themselves. • Howard fails to meet one of the taxonomy requirements: mutual exclusion.

  14. Howard’s taxonomy (2/2) Source from: http://www.cert.org/research/JHThesis/Chapter6.html

  15. Lough’s taxonomy – VERDICT • Four characteristics of attacks: improper validation, improper exposure, improper randomness, improper deallocation. • This taxonomy can easily and tidily classify blended attacks. • Drawback: Lough’s taxonomy is general, and does not talk about attacks in terms of worms, viruses, and trojans, which is how attacks are usually described in practice.

  16. OASIS Web Application Security Technical Committee (WAS-TC) • This committee provides a classification scheme for web application vulnerabilities. • XML is used to describe vulnerabilities so that interoperability is enhanced. • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

  17. Proposal for a new prototype taxonomy

  18. Alternative strategies for taxonomy design • Tree-like taxonomy • The more general categories sit at the top, the specific categories at the leaves. • Drawback: blended attacks fit poorly, and attacks rarely share common traits. • List-based taxonomy • With general categories – of limited use. • With specific categories – blended attacks are a problem.

  19. New prototype taxonomy • 1st dimension: attack • 2nd dimension: attack target • 3rd dimension: vulnerabilities and exploits • 4th dimension: payload or effect • Other dimensions

  20. 1st dimension (1/3) • The means by which the attack reaches its target. • Classification in the first dimension consists of two options: • If the attack uses a single attack vector, categorize it by that vector. • Otherwise, find the most appropriate category using the descriptions given for each category.

  21. 1st dimension (2/3) • Nine general classes: virus, worm, trojan, buffer overflow, denial of service, network attack, physical attack, password attack, information gathering attack. • Example: an attack that infects computers through a TCP network service and then installs a trojan on the infected computer should be classified by its attack vector, which is a worm (i.e., it spreads via network services).

  22. 2nd dimension (1/2) • The target(s) of the attack. • Because an attack may have multiple targets, there may be multiple entries in this dimension. • Extra entries should be added in a way that conforms to how the sibling categories have been defined. • Categories: hardware (computer, network, peripheral devices), software (OS, application), network

  23. 3rd dimension (1/2) • The vulnerabilities and exploits that the attack uses. • The CVE (Common Vulnerabilities and Exposures) list is designed to produce common definitions of vulnerabilities.

  24. 3rd dimension (2/2) • If no CVE entry exists, one of Howard’s vulnerability types should be selected instead. • Howard’s vulnerability types: • Vulnerability in implementation • Vulnerability in design • Vulnerability in configuration

  25. 4th dimension • The payload may itself be another attack. • An attack may have multiple entries in this dimension. • Five categories: first-dimension attack payload, corruption of information, disclosure of information, theft of service, subversion

  26. Other dimensions • These offer the possibility of refining a classification. • They are more abstract and not as essential as the dimensions described previously. • Four categories: damage, cost, propagation, defense.

  27. Conclusion • Attacks are easily categorized. • There is room for improvement. • The issue here is not so much the taxonomy, but how the blended attacks have been analyzed and described.

  28. Future work • A method for sifting through attack descriptions would be helpful. • Research on correlation between attacks within the taxonomy would be interesting. • Knowledge-base approach (AI): • Is the attack self-replicating? (Yes = worm or virus, No = other 1st-dimension attack) • Does the self-replicating attack propagate through infected files? (Yes = virus, No = worm) • Does the worm spread through email? (Yes = mass-mailing worm, No = network-aware worm)
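The four dimensions (slides 19 to 26) and the yes/no decision tree on this slide can be written down as a small data model. The following Python is an added example, not code from the slides or from Hansman and Hunt's paper: it encodes the category names the slides give, validates the second and third dimensions, represents a "first-dimension attack payload" by nesting one classification inside another, and uses the decision tree to fill the first dimension for the worm-installs-trojan case from slide 21. The "parent/child" target notation, the validation rules, the CVE-id pattern and the placeholder CVE id are assumptions of this example.

```python
"""Added example: a minimal data model for the four-dimension taxonomy plus the
decision tree from the 'Future work' slide.  Category names follow the slides;
the target path notation, validation rules and CVE-id pattern are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Union


class Attack(Enum):
    """First dimension: the nine general classes (the attack vector)."""
    VIRUS = "virus"
    WORM = "worm"
    TROJAN = "trojan"
    BUFFER_OVERFLOW = "buffer overflow"
    DENIAL_OF_SERVICE = "denial of service"
    NETWORK_ATTACK = "network attack"
    PHYSICAL_ATTACK = "physical attack"
    PASSWORD_ATTACK = "password attack"
    INFORMATION_GATHERING = "information gathering"


# Second dimension: target categories, written here as "parent/child" paths
# (an assumed notation for the hardware/software sub-categories on slide 22).
TARGETS = {
    "hardware/computer", "hardware/network", "hardware/peripheral devices",
    "software/os", "software/application",
    "network",
}

# Third dimension: a CVE identifier, or one of Howard's vulnerability types
# when no CVE entry exists.  The id pattern is an assumption of this example.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
HOWARD_TYPES = {"implementation", "design", "configuration"}


class Effect(Enum):
    """Fourth dimension, minus 'first-dimension attack payload', which is
    represented by nesting another Classification in `payloads` instead."""
    CORRUPTION_OF_INFORMATION = "corruption of information"
    DISCLOSURE_OF_INFORMATION = "disclosure of information"
    THEFT_OF_SERVICE = "theft of service"
    SUBVERSION = "subversion"


@dataclass
class Classification:
    attack: Attack                       # 1st dimension: exactly one class
    targets: list[str]                   # 2nd dimension: one or more targets
    vulnerabilities: list[str]           # 3rd dimension: CVE ids or Howard types
    payloads: list[Union[Effect, "Classification"]] = field(default_factory=list)

    def __post_init__(self) -> None:
        bad = [t for t in self.targets if t not in TARGETS]
        if bad:
            raise ValueError(f"unknown target(s): {bad}")
        for v in self.vulnerabilities:
            if not (CVE_ID.match(v) or v in HOWARD_TYPES):
                raise ValueError(f"expected a CVE id or Howard type, got {v!r}")

    def depth(self) -> int:
        """1 for a plain attack, plus one per level of nested attack payload."""
        nested = [p.depth() for p in self.payloads if isinstance(p, Classification)]
        return 1 + max(nested, default=0)


def classify_first_dimension(self_replicating: bool,
                             via_infected_files: bool = False,
                             via_email: bool = False) -> Optional[tuple[Attack, str]]:
    """The three yes/no questions from the 'Future work' slide.  Returns
    (class, refinement) for self-replicating attacks, or None when the analyst
    must choose one of the other first-dimension classes by attack vector."""
    if not self_replicating:
        return None
    if via_infected_files:
        return Attack.VIRUS, "virus"
    return Attack.WORM, ("mass-mailing worm" if via_email else "network-aware worm")


def worm_dropping_trojan() -> Classification:
    """Slide 21's example: spreads via a TCP network service, then installs a
    trojan.  Classified by its vector (worm); the trojan is a nested payload.
    The CVE id below is a constructed placeholder, not a real entry."""
    vector, _refinement = classify_first_dimension(
        self_replicating=True, via_infected_files=False, via_email=False)
    trojan = Classification(attack=Attack.TROJAN, targets=["software/os"],
                            vulnerabilities=["design"], payloads=[Effect.SUBVERSION])
    return Classification(attack=vector,
                          targets=["software/application", "network"],
                          vulnerabilities=["CVE-0000-0000"],  # placeholder id
                          payloads=[trojan])


if __name__ == "__main__":
    c = worm_dropping_trojan()
    print(c.attack.value, c.targets, c.vulnerabilities, "depth", c.depth())
```

Nesting the trojan as a payload of the worm is what keeps the first dimension mutually exclusive: the blended attack gets one vector class, and the second attack lives in the fourth dimension rather than competing for the first. The validation in `__post_init__` is the kind of check that enforces the "terms well defined" and "unambiguous" requirements from slide 9 when classifications are recorded by different analysts.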

  29. Thanks for listening.