A Taxonomy of Network and Computer Attacks. Simon Hansman & Ray Hunt, Computers & Security (2005). Presented by Mike Hsiao, 20080613. S. Hansman and R. Hunt, “A Taxonomy of Network and Computer Attacks,” Comp. & Sec., vol. 24, no. 1, Feb. 2005, pp. 31–43.

Upload: virginia-mathews

Post on 26-Dec-2015


Page 1

A Taxonomy of Network and Computer Attacks

Simon Hansman & Ray Hunt

Computers & Security (2005)

Presented by Mike Hsiao, 20080613

S. Hansman and R. Hunt, “A Taxonomy of Network and Computer Attacks,” Comp. & Sec., vol. 24, no. 1, Feb. 2005, pp. 31–43.

Page 2

Before going to details (1/2)

Why do we need a taxonomy? Their main goal was to organize information about known vulnerabilities or attacks, so that designers could use that information to build more secure systems or defense systems.

If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be regarded as the cause of the flaw.

Page 3

Before going to details (2/2)

Why do we need a taxonomy? The taxonomy provides useful information for finding unknown vulnerabilities, as well as for avoiding the introduction of similar vulnerabilities in future designs.

They provide a classification of testing techniques based on the vulnerability each test is meant to discover. Each test class discovers all the vulnerabilities that share similar characteristics.

Page 4

In This Paper

The authors aim to develop a “pragmatic taxonomy that is useful to those dealing with attacks on a regular basis.”

They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks: developing a single tree-structured taxonomy incorporating all these dimensions would be cumbersome.

Page 5

Example: tree

Page 6

Outline

Introduction [X]
Requirements and existing classification methods
Proposal for a new prototype taxonomy
Classification using dimensions
Classification case study
Conclusions

Page 7

Introduction: Attack sophistication vs. intruder technical knowledge

Page 8

Introduction

The proposed taxonomy is an attempt to provide a common classification scheme that can be shared between organizations.

It allows previous knowledge to be applied to new attacks, as well as providing a structured way to view such attacks.

It aims to take into account all parts of the attack (from the vulnerability, to the target, to the attack itself) and to talk in terms of the target being.

Page 9

Requirements 1

Accepted (Amoroso, 1994; Howard, 1997): The taxonomy should be structured so that it can become generally approved.

Comprehensible (Lindqvist and Jonsson, 1997): A comprehensible taxonomy will be able to be understood by those who are in the security field, as well as those who only have an interest in it.

Completeness (Amoroso, 1994)/Exhaustive (Howard, 1997; Lindqvist and Jonsson, 1997): For a taxonomy to be complete/exhaustive, it should account for all possible attacks and provide categories accordingly. While it is hard to prove that a taxonomy is complete or exhaustive, it can be justified through the successful categorization of actual attacks.

Page 10

Requirements 2

Determinism (Krsul, 1998): The procedure of classifying must be clearly defined.

Mutually exclusive (Howard, 1997; Lindqvist and Jonsson, 1997): A mutually exclusive taxonomy will categorize each attack into, at most, one category.

Repeatable (Howard, 1997; Krsul, 1998): Classifications should be repeatable.

Terminology complying with established security terminology (Lindqvist and Jonsson, 1997)

Page 11

Requirements 3

Terms well defined (Bishop, 1999): There should be no confusion as to what a term means.

Unambiguous (Howard, 1997; Lindqvist and Jonsson, 1997): Each category of the taxonomy must be clearly defined so that there is no ambiguity with respect to an attack’s classification.

Useful (Howard, 1997; Lindqvist and Jonsson, 1997): A useful taxonomy will be able to be used in the security industry and particularly by incident response teams.

Page 12

Taxonomy: animal kingdom’s taxonomy?

The initial approach was to create a taxonomy analogous to the animal kingdom’s taxonomy. The resulting taxonomy would be a tree-like structure with the more general categories at the top, and specific categories at the leaves.

However, how should blended attacks be dealt with? Attacks, unlike animals, often do not have many common traits.

Page 13

Taxonomy: list-based (flat list of categories)?

A flat list with general categories could be suggested, but general categories are of limited use.

Alternatively, a flat list with very specific categories could be proposed, but the list would become almost infinite, with few instances within each category.

Page 14

Proposal for a new prototype taxonomy: alternative

Using the concept of dimensions:

1. attack vector: the method by which an attack reaches its target

2. attack target: classified down to very specific targets, such as Sendmail 8.12.10, or covering a class of targets, such as Unix-based systems.

3. vulnerabilities and exploits: do not have a structured classification; CVE

4. possibility for an attack to have a payload or effect beyond itself. For example, a virus that installs a trojan horse is still clearly a virus, but has a trojan as a payload.

Page 15

1st dimension: attack vector

The method by which an attack reaches its target. If the attack uses a single attack vector, categorise by the vector. Otherwise find the most appropriate category, using the descriptions for each category below.

Page 16

1st dimension: nine classes

Page 17

2nd dimension: attack target

Classified down to very specific targets:

Hardware
  Computer
  Hard-disks
  Network Equipment
  Peripheral devices
Software
  Operating System
    Windows family
    Unix family
    MacOS family
  Application
    Server
    User
Network
  Protocols

Page 18

3rd dimension: vulnerabilities and exploits

Common Vulnerabilities and Exposures (CVE)

Or, by kind of vulnerability:
  Vulnerability in implementation
  Vulnerability in design
  Vulnerability in configuration

Page 19

4th dimension: payloads or effects

1. First dimension attack payload
2. Corruption of information
3. Disclosure of information
4. Theft of service: use a system’s services without authorization
5. Subversion: gain control over part of the target and use it for its own use
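The four dimensions on slides 14 to 19, together with the determinism and mutual-exclusivity requirements on slides 10 and 11, as an added example in Python; this is not code from the paper or from the presentation. It encodes each dimension as a fixed set or tree and rejects any value outside it, so one description always yields exactly one record, and a blended attack (the virus-with-trojan case) is expressed through the payload dimension pointing at a second classified attack. The target tree, vulnerability kinds and effect classes are copied from the slides; the nine attack-vector class names are an assumption, since the slide gives only the count, and the CVE identifier used in the demo is a placeholder.

```python
"""Added example: the four-dimension attack taxonomy as a data model.

Constructed for this page; not code from Hansman & Hunt or from the slides.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional, Union

# Dimension 1: the nine attack-vector classes. The slide gives only the
# count; these names are an assumption for the example.
ATTACK_VECTORS = frozenset({
    "virus", "worm", "trojan", "buffer overflow", "denial of service",
    "network attack", "physical attack", "password attack",
    "information gathering",
})

# Dimension 2: the target hierarchy as drawn on slide 17
# (general category at the root, specific targets at the leaves).
TARGET_TREE = {
    "Hardware": {"Computer": {}, "Hard-disks": {}, "Network Equipment": {},
                 "Peripheral devices": {}},
    "Software": {
        "Operating System": {"Windows family": {}, "Unix family": {},
                             "MacOS family": {}},
        "Application": {"Server": {}, "User": {}},
    },
    "Network": {"Protocols": {}},
}

# Dimension 3: a CVE identifier, or one of the three vulnerability kinds.
VULN_KINDS = frozenset({"implementation", "design", "configuration"})
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Dimension 4: the effect classes from slide 19. A payload may instead be a
# whole attack of its own (the "first dimension attack payload" case).
EFFECTS = frozenset({"corruption of information", "disclosure of information",
                     "theft of service", "subversion"})


@dataclass(frozen=True)
class Attack:
    vector: str
    target: tuple[str, ...]            # path from the root of TARGET_TREE
    vulnerability: str                 # CVE id or vulnerability kind
    payload: Optional[Union[str, Attack]] = None

    def is_blended(self) -> bool:
        """True when the payload is itself a classified attack."""
        return isinstance(self.payload, Attack)

    def depth(self) -> int:
        """Number of attacks chained through the payload dimension."""
        return 1 + (self.payload.depth() if self.is_blended() else 0)


def _valid_target(path: tuple[str, ...]) -> bool:
    """Walk TARGET_TREE; a path may stop at a class or go down to a leaf."""
    node = TARGET_TREE
    if not path:
        return False
    for name in path:
        if name not in node:
            return False
        node = node[name]
    return True


def classify(vector: str, target: tuple[str, ...], vulnerability: str,
             payload: Optional[Union[str, Attack]] = None) -> Attack:
    """Build a classification, rejecting anything outside the categories.

    Each dimension takes exactly one value from a fixed set, which is what
    makes the result mutually exclusive and deterministic: equal inputs give
    equal Attack records, so a classification can be repeated and shared.
    """
    vector = vector.lower()
    if vector not in ATTACK_VECTORS:
        raise ValueError(f"unknown attack vector: {vector!r}")
    if not _valid_target(tuple(target)):
        raise ValueError(f"target path not in taxonomy: {target!r}")
    if vulnerability not in VULN_KINDS and not CVE_RE.match(vulnerability):
        raise ValueError("vulnerability must be a CVE id or one of "
                         f"{sorted(VULN_KINDS)}")
    if payload is not None and not isinstance(payload, Attack) \
            and payload not in EFFECTS:
        raise ValueError(f"unknown payload/effect: {payload!r}")
    return Attack(vector, tuple(target), vulnerability, payload)


def is_classifiable(*args, **kwargs) -> bool:
    """True if classify() accepts the description, False if it is outside the taxonomy."""
    try:
        classify(*args, **kwargs)
        return True
    except ValueError:
        return False


def to_record(attack: Attack) -> tuple:
    """Flatten an Attack into a plain tuple that can be exchanged between organisations."""
    payload = to_record(attack.payload) if attack.is_blended() else attack.payload
    return (attack.vector, "/".join(attack.target), attack.vulnerability, payload)


if __name__ == "__main__":
    # Constructed blended attack: a virus drops a trojan that subverts the host.
    trojan = classify("trojan", ("Software", "Operating System", "Windows family"),
                      "configuration", payload="subversion")
    virus = classify("virus", ("Software", "Application", "User"),
                     "CVE-0000-0000",  # placeholder id, not a real CVE
                     payload=trojan)
    print(to_record(virus))
```

The recursion in the payload dimension is the part worth noticing: the slide's "virus that installs a trojan horse" stays a virus in dimension 1 and carries the trojan as a full four-dimension record in dimension 4, which is how the taxonomy avoids the blended-attack problem that defeats the tree approach on slide 12.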

Page 20

Other dimensions

Damage: A damage dimension would attempt to measure the amount of damage that the attack does.

Cost: Cleaning up after an attack costs money.

Propagation: The speed at which an attack reproduces or spreads.

Defense: The methods by which an attack has been defended against could be made into a further defense dimension.

Page 21

Page 22

Conclusion

Attacks are easily categorized. Some requirements have not been fully met. The issue here is not so much the taxonomy, but how the blended attacks have been analyzed and described.

Page 23

Comments

All network activities are conducted through network protocols.

A communication between two hosts relies on the underlying protocol stacks.

An attack is itself a kind of communication; however, this specific communication can exploit certain vulnerabilities to gain remote access (among many other goals and intentions).

Producing a taxonomy of network protocol vulnerabilities seems an alternative way to classify attacks: flaws caused by implementation or by specification.