Taxonomy of Computer Security Incidents • Yashodhan Fadnavis
How does it help? • A taxonomy gives common names to events, so different people and tools describe the same incident the same way • It lets us reason about defences against a ‘class’ of attacks rather than one instance at a time
Satisfying Taxonomy • Mutually Exclusive • Exhaustive • Unambiguous • Repeatable • Accepted • Useful
Listing Terms • E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking • A flat list of terms fails the six satisfying properties: entries overlap (password sniffing is a form of eavesdropping), nothing guarantees the list is complete, and two people naming the same incident need not pick the same term = Bad Taxonomy • Lists can be never ending.
Listing categories • Cheswick and Bellovin list: Stealing passwords, Social engineering, Bugs and backdoors, Authentication failures, Protocol failures, Information leakage, DoS • Terms to be placed under those categories: Password sniffing, Brute force, Eavesdropping, Harassment, Covert channels, Viruses, Logic bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of service, Session hijacking
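Two of the six properties (mutually exclusive, exhaustive) can be checked mechanically once a list of terms has been sorted into categories. The checker below is an added example, not code from the slides; the assignment of terms to the Cheswick and Bellovin categories is constructed for illustration (the overlaps and the omitted term are deliberate) and is not the slides' or the book's own mapping.

```python
"""Check a list-of-categories taxonomy for the two properties that can be
tested mechanically: mutually exclusive (no term in two categories) and
exhaustive (every term lands in some category).  Unambiguous, repeatable,
accepted and useful need human judgement and are not tested here.
Added example; the term-to-category assignment is constructed."""
from collections import defaultdict

# Terms from the "Listing Terms" slide.
TERMS = {
    "password sniffing", "brute force", "eavesdropping", "harassment",
    "covert channels", "viruses", "logic bombs", "software loopholes",
    "wep loopholes", "source address spoofing", "software piracy",
    "degradation of service", "session hijacking",
}

# Constructed assignment to the Cheswick and Bellovin categories.
# Several terms plausibly fit two categories and one fits none; that is
# exactly the failure mode a list of categories has.
CATEGORIES = {
    "stealing passwords": {"password sniffing", "brute force"},
    "social engineering": {"harassment"},
    "bugs and backdoors": {"software loopholes", "logic bombs", "viruses"},
    "authentication failures": {"source address spoofing", "brute force",
                                "session hijacking"},
    "protocol failures": {"wep loopholes", "session hijacking",
                          "source address spoofing"},
    "information leakage": {"eavesdropping", "password sniffing",
                            "covert channels"},
    "denial of service": {"degradation of service"},
}


def check_taxonomy(terms, categories):
    """Return which properties hold and the evidence for each failure."""
    owners = defaultdict(set)            # term -> categories that claim it
    for cat, members in categories.items():
        for term in members:
            owners[term].add(cat)
    overlapping = {t: sorted(c) for t, c in owners.items() if len(c) > 1}
    unclassified = sorted(terms - set(owners))
    unknown = sorted(set(owners) - terms)   # categories naming terms not in the list
    return {
        "mutually_exclusive": not overlapping,
        "exhaustive": not unclassified,
        "overlapping": overlapping,
        "unclassified": unclassified,
        "unknown": unknown,
    }


def report(terms, categories):
    """Human-readable verdict, one line per finding."""
    r = check_taxonomy(terms, categories)
    lines = [f"mutually exclusive: {r['mutually_exclusive']}",
             f"exhaustive: {r['exhaustive']}"]
    for term, cats in sorted(r["overlapping"].items()):
        lines.append(f"  overlap: {term!r} is in {', '.join(cats)}")
    for term in r["unclassified"]:
        lines.append(f"  unclassified: {term!r}")
    for term in r["unknown"]:
        lines.append(f"  unknown term in a category: {term!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TERMS, CATEGORIES))
```

Run as a script it lists the four overlapping terms and the one term no category claims. Making the categories disjoint by fiat does not help: the action-based taxonomy on the next slides avoids the problem by classifying on attributes (action, target) instead of on informal attack names.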
Other taxonomies • Result categories • Empirical categories • Matrices
Incident Taxonomy • Event: an action directed at a target, intended to result in a change of the state of the target. • Action: a step taken by a user or a process to achieve a result. • Target: a computer or network logical entity (an account, a process, or data).
Action + Target = Event
Attack: a series of steps (events) taken by an attacker to achieve an unauthorized result; an attack contains one or more events.
Incident: a group of attacks that can be distinguished from other attacks because of the uniqueness of the attackers, objectives, sites and timing. Attackers + Attacks + Objectives = Incident
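The three levels above (event, attack, incident) can be applied to raw records directly. The following is an added example, not code from the slides: it takes constructed event records, chains each attacker's events at one site toward one objective into an attack, and then groups attacks into incidents when they hit the same site, share an attacker or an objective, and fall within a time window. The event data, the field names, and the two thresholds (one hour between an attack's events, one day between related attacks) are assumptions made for the example.

```python
"""Events -> attacks -> incidents, following the slide definitions:
an event is an action directed at a target; an attack is one attacker's
series of events toward one objective at one site; an incident is a group
of attacks tied together by attacker, objective, site and timing.
Added example, not code from the slides.  The event records below are
constructed and the grouping thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Event:
    time: datetime
    attacker: str   # who took the action (here a source IP)
    action: str     # step taken: scan, authenticate, flood, ...
    target: str     # logical entity acted on: account, host, data, ...
    site: str       # organisation / network where the target lives
    objective: str  # the unauthorized result the attacker is after


@dataclass
class Attack:
    attacker: str
    objective: str
    site: str
    events: List[Event] = field(default_factory=list)

    @property
    def start(self) -> datetime:
        return min(e.time for e in self.events)

    @property
    def end(self) -> datetime:
        return max(e.time for e in self.events)


@dataclass
class Incident:
    attacks: List[Attack] = field(default_factory=list)

    @property
    def attackers(self) -> List[str]:
        return sorted({a.attacker for a in self.attacks})

    @property
    def objectives(self) -> List[str]:
        return sorted({a.objective for a in self.attacks})


def build_attacks(events, max_gap=timedelta(hours=1)) -> List[Attack]:
    """Chain one attacker's events at one site toward one objective into an
    attack; a pause longer than max_gap starts a new attack (assumed rule)."""
    attacks: List[Attack] = []
    for e in sorted(events, key=lambda ev: ev.time):
        for a in attacks:
            same_key = (a.attacker, a.objective, a.site) == (e.attacker, e.objective, e.site)
            if same_key and e.time - a.end <= max_gap:
                a.events.append(e)
                break
        else:
            attacks.append(Attack(e.attacker, e.objective, e.site, [e]))
    return attacks


def _related(a: Attack, b: Attack, window: timedelta) -> bool:
    """Same site, a shared attacker or objective, and close in time."""
    if a.site != b.site or (a.attacker != b.attacker and a.objective != b.objective):
        return False
    gap = max(a.start - b.end, b.start - a.end, timedelta(0))  # 0 if overlapping
    return gap <= window


def build_incidents(attacks, window=timedelta(days=1)) -> List[Incident]:
    """Union-find over the 'related' relation: each connected component of
    attacks is one incident, so a second attacker joining the same objective
    at the same site in the same window lands in the same incident."""
    parent = list(range(len(attacks)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, a in enumerate(attacks):
        for j in range(i):
            if _related(a, attacks[j], window):
                parent[find(i)] = find(j)
    groups = {}
    for i, a in enumerate(attacks):
        groups.setdefault(find(i), Incident()).attacks.append(a)
    return list(groups.values())


T0 = datetime(2024, 3, 1, 9, 0)
EVENTS = [  # constructed sample, not real data
    Event(T0, "10.0.0.5", "scan", "host/www1", "site-A", "recon"),
    Event(T0 + timedelta(minutes=5), "10.0.0.5", "scan", "host/db1", "site-A", "recon"),
    Event(T0 + timedelta(minutes=30), "10.0.0.5", "authenticate", "account/bob", "site-A", "account takeover"),
    Event(T0 + timedelta(minutes=31), "10.0.0.5", "authenticate", "account/bob", "site-A", "account takeover"),
    Event(T0 + timedelta(minutes=40), "10.0.0.9", "authenticate", "account/bob", "site-A", "account takeover"),
    Event(T0 + timedelta(hours=1), "10.0.0.5", "scan", "host/www9", "site-B", "recon"),
    Event(T0 + timedelta(days=2), "10.0.0.5", "scan", "host/www1", "site-A", "recon"),
]

if __name__ == "__main__":
    for n, inc in enumerate(build_incidents(build_attacks(EVENTS)), 1):
        print(f"incident {n}: attackers={inc.attackers} objectives={inc.objectives} "
              f"attacks={len(inc.attacks)} events={sum(len(a.events) for a in inc.attacks)}")
```

On the sample data the seven events become five attacks and three incidents: the recon and the two account-takeover attacks at site-A on the same morning form one incident (two attackers, two objectives), the site-B scan is a separate incident because the site differs, and the same attacker's scan two days later is a separate incident because the timing differs.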
Federal Incident Reporting Guidelines • Agency name • Point of contact information including name, telephone, and email address • Incident Category Type (e.g., CAT 1, CAT 2, etc.) • Incident Timestamp • Source IP, Destination IP, port, and protocol • Operating System, including version, patches, etc. • System Function (e.g., DNS/web server, workstation, etc.) • Antivirus software installed, including version, and latest updates • Location of the system(s) involved in the incident (e.g. Clemson) • Method used to identify the incident (e.g., IDS, audit log analysis, system administrator) • Impact to agency • Resolution