TY - GEN
T1 - Employing attack graphs for intrusion detection
AU - Capobianco, Frank
AU - George, Rahul
AU - Huang, Kaiming
AU - Jaeger, Trent
AU - Krishnamurthy, Srikanth
AU - Qian, Zhiyun
AU - Payer, Mathias
AU - Yu, Paul
N1 - Publisher Copyright: © 2019 Association for Computing Machinery.
PY - 2019/9/23
Y1 - 2019/9/23
N2 - Intrusion detection systems are a commonly deployed defense that examines network traffic, host operations, or both to detect attacks. However, more attacks bypass IDS defenses each year, and with the sophistication of attacks increasing as well, we must examine new perspectives for intrusion detection. Current intrusion detection systems focus on known attacks and/or vulnerabilities, limiting their ability to identify new attacks, and lack the visibility into all system components necessary to confirm attacks accurately, particularly programs. To change the landscape of intrusion detection, we propose that future IDSs track how attacks evolve across system layers by adapting the concept of attack graphs. Attack graphs were proposed to study how multi-stage attacks could be launched by exploiting known vulnerabilities. Instead of constructing attacks reactively, we propose to apply attack graphs proactively to detect sequences of events that fulfill the requirements for vulnerability exploitation. Using this insight, we examine how to generate modular attack graphs automatically that relate adversary accessibility for each component, called its attack surface, to flaws that provide adversaries with permissions that create threats, called attack states, and exploit operations from those threats, called attack actions. We evaluate the proposed approach by applying it to two case studies: (1) attacks on file retrieval, such as TOCTTOU attacks, and (2) attacks propagated among processes, such as attacks on Shellshock vulnerabilities. In these case studies, we demonstrate how to leverage existing tools to compute attack graphs automatically and assess the effectiveness of these tools for building complete attack graphs. While we identify some research areas, we also find several reasons why attack graphs can provide a valuable foundation for improving future intrusion detection systems.
UR - http://www.scopus.com/inward/record.url?scp=85078326050&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85078326050&partnerID=8YFLogxK
U2 - 10.1145/3368860.3368862
DO - 10.1145/3368860.3368862
M3 - Conference contribution
AN - SCOPUS:85078326050
T3 - ACM International Conference Proceeding Series
SP - 16
EP - 30
BT - New Security Paradigms Workshop, NSPW 2019 - Proceedings
PB - Association for Computing Machinery
T2 - 2019 New Security Paradigms Workshop, NSPW 2019
Y2 - 23 September 2019 through 26 September 2019
ER -