DocumentCode
2408484
Title
The attackers' potential influence on the tactical assessments produced by standard alert correlation systems
Author
Neville, Stephen W.
Author_Institution
Dept. of Electr. & Comput. Eng., Victoria Univ., BC, Canada
fYear
2005
fDate
6 Nov. 2005
Firstpage
61
Lastpage
66
Abstract
This work shows that knowledgeable attackers can influence the tactical assessments output by INFOSEC alert correlation systems solely through manipulating the timing characteristics of their attacks. The approach taken is to assume that the defender's goal is to thwart attackers by enacting optimal tactical responses. It is then shown that, even in an idealized environment, the defender has no guarantee that the correlation system's estimates of the enacted attacks are correct. A theoretical path always exists by which the attacker can influence the contents of the correlation system's low-level alert clusters. As these low-level clusters form the basis of all higher level analyses, this is sufficient to show that the attacker has influence over the tactical assessments reported by correlation systems. In essence, the attackers can cause the defender to mis-correlate an attack's generated INFOSEC alerts in a manner which can go undetected and is to the attacker's advantage. This capability is shown to hinge on there being attacks whose identification requires the analysis of shared alerts (i.e., alerts generated by two or more distinct attacks).
Keywords
military communication; telecommunication networks; telecommunication security; network security; standard alert correlation systems; tactical assessments; timing characteristics; Councils; Fasteners; Game theory; Large-scale systems; Performance analysis; Pressing; Production; Telecommunication traffic; Testing; Traffic control;
fLanguage
English
Publisher
ieee
Conference_Titel
Secure Network Protocols, 2005. (NPSec). 1st IEEE ICNP Workshop on
Print_ISBN
0-7803-9427-5
Type
conf
DOI
10.1109/NPSEC.2005.1532055
Filename
1532055