NSA Project - Model Based Scenario Intrusion Correlation

Model-Based Scenario Intrusion Correlation

Research Goal

Traditionally computer attacks are described in terms of the single vulnerability exploited in the attack: a buffer overflow in sendmail, a race condition in rdist, a denial-of-service by sending pings to a broadcast IP address, etc. While such single-point attacks are a frequent occurrence, in isolation they are of little significance. Today's serious attacks are complex, multi-stage scenarios that coordinate the effects of various single-point attacks to reach goals not otherwise attainable. Such attacks can involve bypassing multiple security mechanisms and the use of numerous computer systems. The complexity and sophistication of these attacks indicate highly motivated adversaries and suggest the high value of the attackers' goals. Consequently, methods to understand, predict and identify these scenario attacks are important challenges for computer security research.

Typically, scenario attacks are described using the specific sequence of actions the attack uses to reach some specific goal. Such descriptions are useful for communicating the details of a specific attack or building specialized signatures for use in attack detection, but lack the ability to generalize beyond the stated scenario or to be utilized as a sub-goal in more complex attacks. As an alternative to describing attacks using explicit signatures we will model attacks based upon their abstract features.

Approach

We will use attack modeling to:

1) Describe how single point attacks combine to accomplish higher-level attacker objectives. Single point attacks are used to gain a set of capabilities that are in turn used to gain additional capabilities until a specific goal has been met. We can easily extend the model by identifying the capabilities obtained by previously unseen attacks and linking those into our existing model.

2) Control the correlation of information from multiple intrusion sensors in order to reduce the number of trivial attack reports presented to an operator. Probes and scans not leading to further exploit are less of a priority than probes that are followed by more malicious break-in attempts. Scenario attack modeling provides a way to rank attack activity based upon the adversary's degree of success.

3) Configure a live intrusion correlation system. Our model will not only be an abstract attack description, but will be specified in a language suitable to configure a rule-based intrusion correlation engine responding to live sensor feeds. The corrrelator will prioritize incoming attack reports based upon their placement in attack scenarios.

Expected Results

We will build upon our preliminary modeling to develop a model based scenario attack correlator. To this end we will complete the following tasks:

Develop an abstract model of attack scenarios building upon our preliminary model outlined above.

Continually extend the model using published information of new attacks by identifying the capabilities obtained and linking those into our existing model. Furthermore, we will extend the model to include a description of how normally benign behavior could be suspicious when linked with multiple localized attacks across the network.

Develop a concrete specification language that can be used to automatically compile rules for our correlating intrusion detection system.

Develop a live intrusion correlation system with rules created from our formal scenario attack model. Thus, our model will not only be an abstract attack description, but will be specified in a language suitable to configure a rule-based intrusion correlation engine responding to live sensor feeds. The correlator will prioritize incoming attack reports based upon their placement in attack scenarios.

Develop a system that uses our model to automatically generate attacks. This differs from attempting to identify vulnerabilities in that it is not given complete knowledge of the system. It also differs from an IDS; rather than sensors, it must use attack scripts to interact with its environment. Such a system will probe and attack repeatedly until it finds a scenario that reaches its goal. While this tests the limits of present day planning and expert systems, limited simulations of this have been promising, and we propose using it as a tool in evaluating IDSs.

Contact person:
Jeff Rowe
rowe@cs.ucdavis.edu

last modified 4/1/02