Model-Based Scenario Intrusion Correlation

Research Goal

Traditionally computer attacks are described in terms of the single vulnerability exploited in the attack: a buffer overflow in sendmail, a race condition in rdist, a denial-of-service by sending pings to a broadcast IP address, etc. While such single-point attacks are a frequent occurrence, in isolation they are of little significance. Today's serious attacks are complex, multi-stage scenarios that coordinate the effects of various single-point attacks to reach goals not otherwise attainable. Such attacks can involve bypassing multiple security mechanisms and the use of numerous computer systems. The complexity and sophistication of these attacks indicate highly motivated adversaries and suggest the high value of the attackers' goals. Consequently, methods to understand, predict and identify these scenario attacks are important challenges for computer security research.

Typically, scenario attacks are described using the specific sequence of actions the attack uses to reach some specific goal. Such descriptions are useful for communicating the details of a specific attack or building specialized signatures for use in attack detection, but lack the ability to generalize beyond the stated scenario or to be utilized as a sub-goal in more complex attacks. As an alternative to describing attacks using explicit signatures we will model attacks based upon their abstract features.


We will use attack modeling to:

1) Describe how single point attacks combine to accomplish higher-level attacker objectives. Single point attacks are used to gain a set of capabilities that are in turn used to gain additional capabilities until a specific goal has been met. We can easily extend the model by identifying the capabilities obtained by previously unseen attacks and linking those into our existing model.

2) Control the correlation of information from multiple intrusion sensors in order to reduce the number of trivial attack reports presented to an operator. Probes and scans not leading to further exploit are less of a priority than probes that are followed by more malicious break-in attempts. Scenario attack modeling provides a way to rank attack activity based upon the adversary's degree of success.

3) Configure a live intrusion correlation system. Our model will not only be an abstract attack description, but will be specified in a language suitable to configure a rule-based intrusion correlation engine responding to live sensor feeds. The corrrelator will prioritize incoming attack reports based upon their placement in attack scenarios.

Expected Results

We will build upon our preliminary modeling to develop a model based scenario attack correlator. To this end we will complete the following tasks:




Contact person:
Jeff Rowe

last modified 4/1/02