A Structural Framework for Modeling Multi-Stage Network Attacks
Daley, Larson, Dawkins
University of Tulsa
2002 IEEE

Outline
- Introduction
- Stratified Node Topology
  - Attack Node Correlation
  - Context Sensitive Nodes
- Example Attack Scenarios
- Applications
- Related Work
- Conclusions

Introduction
Attack trees represent goal-oriented attack behaviors:
- multistage
- causal relationships between events or states
- "AND" and "OR" composition of child nodes
- nodes can be weighted to reflect the likelihood of success for a particular attack

Introduction (cont.)
Disadvantage:
- attack trees do not provide a comprehensive model for the analysis of network vulnerability
Extended attack tree paradigm:
- introduces functionality that allows a comprehensive representation of an attack
- stratified node topology: event-level, state-level and top-level nodes

Stratified Node Topology (SNT)
Three layers partition the attack tree based on functionality and allow a more precise portrayal of the mechanics of an attack.
Event-Level
- direct activities of an attacker
- nodes correspond directly to intrusion detection system alerts

Stratified Node Topology (cont.)
State-Level
- generalized intermediate objectives in an attack
- conceptual steps (abstract goals)
- fairly constant across attacks
- ex: "execute arbitrary code", "modify protected file"
Top-Level
- ultimate intentions of an attacker
- top-level nodes may also be starting points for other attacks

Attack Node Correlation
Relationships between nodes:
- implicit link: allows an individual node in the tree to imply another node
  ex: performing a buffer overflow exploit implies executing arbitrary code
- explicit link: an attack provides the capability to execute additional nodes but does not actually invoke an instance of a new node
  ex: obtaining root access, which can next be used to compromise additional systems or steal information

Context Sensitive Nodes
Assign parameter values to attack nodes:
- bound the search space of attacks
- reduce the likelihood of false positives

Example Attack Scenarios
Example Attack Scenarios (cont.)
The composable, goal-oriented behavior of the Stratified Node Topology lends the ability to describe the events that enable an attack.

Applications
To express this model, two languages have been designed:
- Attack Modeling Language (AML): expresses the requirements and results of an attack, and the relationships between attacks
- Network Modeling Language (NML): describes the network being analyzed
An analytical vulnerability engine utilizes NML specifications in conjunction with AML definitions to construct vulnerability attack trees.

Related Work
IDIOT project
- adaptation of Colored Petri Nets
- views a single attack as a pattern of states rather than linking multiple attacks together
- this tool was not meant for attack correlation across a network

Conclusions
- The modeling framework classifies multistage network attacks in a composable, functional structure.
- The approach provides a method for correlating attacks and expressing the capabilities they permit.
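The following Python sketch is an added example, not the paper's AML or NML and not code from the authors. It models the three node levels (event, state, top), AND/OR composition, implicit links (a node implying another node), explicit links (a node enabling further nodes without instantiating them) and a host parameter as the context that bounds which IDS alerts may satisfy an event node. The node names, the alert signatures ("BO-EXPLOIT", "FILE-WRITE-PASSWD"), the host addresses and the alert list are all constructed for illustration.

```python
"""Toy stratified attack tree (added example; not the paper's AML/NML)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    """Constructed IDS alert: a signature name and the host it fired on."""
    signature: str
    host: str


@dataclass
class Node:
    name: str
    level: str                        # "event", "state" or "top"
    op: str = "OR"                    # how children combine: "AND" or "OR"
    children: list[str] = field(default_factory=list)
    signature: Optional[str] = None   # event nodes only: IDS signature to match
    implies: list[str] = field(default_factory=list)  # implicit links
    enables: list[str] = field(default_factory=list)  # explicit links


def build_tree() -> dict[str, Node]:
    """Hypothetical tree: overflow -> arbitrary code -> modify file -> root."""
    nodes = [
        # event level: matched directly against IDS alerts
        Node("buffer_overflow", "event", signature="BO-EXPLOIT",
             implies=["execute_arbitrary_code"]),      # implicit link
        Node("write_passwd", "event", signature="FILE-WRITE-PASSWD"),
        # state level: abstract goals; this one is reached only by implication
        Node("execute_arbitrary_code", "state"),
        Node("modify_protected_file", "state", op="AND",
             children=["execute_arbitrary_code", "write_passwd"]),
        # top level: ultimate intent; root enables further attacks (explicit link)
        Node("root_access", "top", op="OR", children=["modify_protected_file"],
             enables=["compromise_additional_systems", "steal_information"]),
    ]
    return {n.name: n for n in nodes}


def analyze(tree: dict[str, Node], alerts: list[Alert], host: str):
    """Return (reached node names, enabled capabilities) for one host context.

    Only alerts from `host` can satisfy event nodes, so the host parameter
    bounds the search and keeps alerts on other machines from correlating.
    """
    reached: set[str] = set()
    changed = True
    while changed:  # fixed point: an implication may unlock an AND node later
        changed = False
        for n in tree.values():
            if n.name in reached:
                continue
            if n.level == "event":
                hit = any(a.signature == n.signature and a.host == host
                          for a in alerts)
            else:
                combine = all if n.op == "AND" else any
                hit = bool(n.children) and combine(c in reached for c in n.children)
            if hit:
                reached.add(n.name)
                changed = True
        # implicit links: a reached node implies another node is reached
        for name in list(reached):
            for implied in tree[name].implies:
                if implied not in reached:
                    reached.add(implied)
                    changed = True
    # explicit links: capabilities granted, but not asserted as having occurred
    enabled: set[str] = set()
    for name in reached:
        enabled.update(tree[name].enables)
    return reached, enabled


# Constructed alerts: a full chain on 10.0.0.5, an overflow alone on 10.0.0.9
ALERTS = [
    Alert("BO-EXPLOIT", "10.0.0.5"),
    Alert("FILE-WRITE-PASSWD", "10.0.0.5"),
    Alert("BO-EXPLOIT", "10.0.0.9"),
]

if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.9"):
        reached, enabled = analyze(build_tree(), ALERTS, host)
        print(host, "reached:", sorted(reached), "enabled:", sorted(enabled))
```

With the constructed alerts, the host 10.0.0.5 context reaches `root_access` and therefore enables the two explicitly linked capabilities, while 10.0.0.9 only reaches `buffer_overflow` and its implied `execute_arbitrary_code`: the overflow alert on a second host does not complete the AND node there, which is the false-positive reduction the context parameter is meant to provide.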