• DocumentCode
    3396706
  • Title

    Modeling multistep cyber attacks for scenario recognition

  • Author

    Cheung, Steven ; Lindqvist, Ulf ; Fong, Martin W.

  • Author_Institution
    Syst. Design Lab., SRI Int., Menlo Park, CA, USA
  • Volume
    1
  • fYear
    2003
  • fDate
    22-24 April 2003
  • Firstpage
    284
  • Abstract
    Efforts toward automated detection and identification of multistep cyber attack scenarios would benefit significantly from a methodology and language for modeling such scenarios. The Correlated Attack Modeling Language (CAML) uses a modular approach, where a module represents an inference step and modules can be linked together to detect multistep scenarios. CAML is accompanied by a library of predicates, which functions as a vocabulary to describe the properties of system states and events. The concept of attack patterns is introduced to facilitate reuse of generic modules in the attack modeling process. CAML is used in a prototype implementation of a scenario recognition engine that consumes first-level security alerts in real time and produces reports that identify multistep attack scenarios discovered in the alert stream.
  • Keywords
    computer crime; computer network management; real-time systems; software libraries; software reusability; specification languages; telecommunication security; CAML; Correlated Attack Modeling Language; alert stream; attack patterns; automated detection; automated identification; events; first-level security alerts; generic module reuse; inference step; modular approach; multistep cyber attacks; predicate library; real time system; scenario recognition; scenario recognition engine; system states; vocabulary; Engines; Libraries; Prototypes; Security; Vocabulary;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    DARPA Information Survivability Conference and Exposition, 2003. Proceedings
  • Print_ISBN
    0-7695-1897-4
  • Type

    conf

  • DOI
    10.1109/DISCEX.2003.1194892
  • Filename
    1194892