Employing attack graphs for intrusion detection

Frank Capobianco, Rahul George, Kaiming Huang, Trent Jaeger, Srikanth Krishnamurthy, Zhiyun Qian, Mathias Payer, Paul Yu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Intrusion detection systems are a commonly deployed defense that examines network traffic, host operations, or both to detect attacks. However, more attacks bypass IDS defenses each year, and with the sophistication of attacks increasing as well, we must examine new perspectives for intrusion detection. Current intrusion detection systems focus on known attacks and/or vulnerabilities, limiting their ability to identify new attacks, and lack the visibility into all system components necessary to confirm attacks accurately, particularly programs. To change the landscape of intrusion detection, we propose that future IDSs track how attacks evolve across system layers by adapting the concept of attack graphs. Attack graphs were proposed to study how multi-stage attacks could be launched by exploiting known vulnerabilities. Instead of constructing attacks reactively, we propose to apply attack graphs proactively to detect sequences of events that fulfill the requirements for vulnerability exploitation. Using this insight, we examine how to generate modular attack graphs automatically that relate adversary accessibility for each component, called its attack surface, to flaws that provide adversaries with permissions that create threats, called attack states, and exploit operations from those threats, called attack actions. We evaluate the proposed approach by applying it to two case studies: (1) attacks on file retrieval, such as TOCTTOU attacks, and (2) attacks propagated among processes, such as attacks on Shellshock vulnerabilities. In these case studies, we demonstrate how to leverage existing tools to compute attack graphs automatically and assess the effectiveness of these tools for building complete attack graphs. While we identify some research areas, we also find several reasons why attack graphs can provide a valuable foundation for improving future intrusion detection systems.

Original languageEnglish (US)
Title of host publicationNew Security Paradigms Workshop, NSPW 2019 - Proceedings
PublisherAssociation for Computing Machinery
Pages16-30
Number of pages15
ISBN (Electronic)9781450376471
DOIs
StatePublished - Sep 23 2019
Event2019 New Security Paradigms Workshop, NSPW 2019 - San Carlos, Costa Rica
Duration: Sep 23 2019Sep 26 2019

Publication series

NameACM International Conference Proceeding Series

Conference

Conference2019 New Security Paradigms Workshop, NSPW 2019
CountryCosta Rica
CitySan Carlos
Period9/23/199/26/19

    Fingerprint

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications

Cite this

Capobianco, F., George, R., Huang, K., Jaeger, T., Krishnamurthy, S., Qian, Z., Payer, M., & Yu, P. (2019). Employing attack graphs for intrusion detection. In New Security Paradigms Workshop, NSPW 2019 - Proceedings (pp. 16-30). (ACM International Conference Proceeding Series). Association for Computing Machinery. https://doi.org/10.1145/3368860.3368862