ontology-based model of network and computer attacks for security assessment
TRANSCRIPT
J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562
DOI: 10.1007/s12204-013-1439-5
Ontology-Based Model of Network and Computer Attacks forSecurity Assessment
GAO Jian-bo1 (���), ZHANG Bao-wen1∗ (���), CHEN Xiao-hua2 (���), LUO Zheng3 (� �)(1. School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240, China;
2. General Office, China Information Security Certification Center, Beijing 100020, China;3. Information Classified Security Protection Evaluation Center, Third Institute of
Ministry of Public Security of China, Shanghai 201204, China)
© Shanghai Jiaotong University and Springer-Verlag Berlin Heidelberg 2013
Abstract: With increased cyber attacks over years, information system security assessment becomes more andmore important. This paper provides an ontology-based attack model, and then utilizes it to assess the informationsystem security from attack angle. We categorize attacks into a taxonomy suitable for security assessment.The proposed taxonomy consists of five dimensions, which include attack impact, attack vector, attack target,vulnerability and defense. Afterwards we build an ontology according to the taxonomy. In the ontology, attackrelated concepts included in the five dimensions and relationships between them are formalized and analyzed indetail. We also populate our attack ontology with information from national vulnerability database (NVD) aboutthe vulnerabilities, such as common vulnerabilities and exposures (CVE), common weakness enumeration (CWE),common vulnerability scoring system (CVSS), and common platform enumeration (CPE). Finally we propose anontology-based framework for security assessment of network and computer systems, and describe the utilizationof ontology in the security assessment and the method for evaluating attack effect on the system when it is underattack.Key words: security assessment, formal analysis, taxonomy, ontology, attack effectCLC number: TP 309 Document code: A
0 Introduction
With the rapid growth of the Internet, attacks areno longer limited in computers alone. They have cre-ated a global threat, causing great damages in individu-als, communities and national security. Attacks are be-coming more sophisticated, distributed and thus spreadvery fast, even in a matter of seconds. It is necessaryto find and classify those attacks. So we need to knowthe attacks. And the first step in understanding at-tacks is to classify them into a taxonomy based on theircharacteristics. A taxonomy classifies attacks into welldefined and easily understood categories. Such classifi-cation can be used for performing a systematic securityassessment of a system. Much work on attacks taxon-omy has been done recently. An introduction of them
Received date: 2012-09-07Foundation item: the National Basic Research Program
(973) of China (No. 2010CB731403), the InformationNetwork Security Key Laboratory Open Project of theMinistry of Public Security of China (No. C09603), andthe Shanghai Key Scientific and Technological Project(No. 11511504302)
∗E-mail: [email protected]
can be found in Ref. [1]. Howard and Longstaff[2] clas-sified attacks based on the attack process. Accordingto Howard’s methodology, Alvarez and Petrovic[3] pro-posed a taxonomy of Web attacks suitable for efficientencoding. Hansman and Hunt[4] categorized networkand computer attacks to improve security. And Sim-mons et al.[5] proposed an attack taxonomy to identifyand defend against cyber attacks. We synthesize theirwork and propose our taxonomy of attacks suitable forsecurity assessment.
Applications of semantic Web, knowledge base (KB)and ontologies in information system are popular re-cently. A knowledge base is a special kind of databasefor knowledge management. It provides a means to col-lect, share, search and utilize information. Here we con-cern description logic (DL) KB whose core of knowledgerepresentation systems is description logic language.An ontology defines the basic terms and relations com-prising the vocabulary of a topic area as well as the rulesfor combining terms and relations to define extensionsto the vocabulary. And ontology provides powerful con-structs that include machine interpretable definitions ofthe concepts within a specific domain and the relationsbetween them. As Raskin et al.[6] argued in their paper
J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562 555
that a security ontology could organize and systematizeall the security phenomena such as computer attacksand support attack prediction, it has been applied in in-formation system for different purposes. For example,Beitollahi and Deconinck[7] analyzed countermeasuresagainst distributed denial of service (DDoS) attacks.Simmonds et al.[8] built a security attack ontology andmade clearly understanding of the linkages between dif-ferent components of a network security system. Wanget al.[9] built an ontology for vulnerability and proposedan ontological approach to computer system security.Ontology has been widely used in information security,and we believe it can be used in security assessmenttoo.
We combine ontology with security assessment. Agood taxonomy benefits the ontology construction andsecurity assessment; ontology is machine readable andcan make inferences, querying and consistence checking;ontology specifies semantic relationships between di-verse concepts, and information related with the targetcan be gathered easily and quickly; ontology shares acommon understanding of structured information, andcan be shared among different agents to solve interop-erability problems. In this paper, we classify attacks infive dimensions; they are attack impact, attack vector,attack target, vulnerability and defense. We reorga-nize contents in each dimension and try to make themup to date. We implement our ontology into Web on-tology language (OWL), and make inferences by OWLreasoners and DL query languages. Finally, we give aframework for ontology-based security assessment, andillustrate the use of ontology for evaluating the attackeffect on the system by a use case.
1 Related Work
1.1 Related Work in the Area of TaxonomiesHoward and Longstaff[2] described attacks as the fol-
lowing process. By using a tool, attackers exploitedvulnerabilities in a target and attack for an unautho-rized access. They organized a taxonomy of attacks,including five dimensions: attackers, tools used, access,targets chosen, and results achieved. The same idea waslater used in Alvarez’s classification of Web attacks[3].They proposed a taxonomy with eight dimensions: en-try point, vulnerability, service, action, input length,target, scope and privileges. We use some of Howardand Alvarez’s ideas in the first and fourth dimensionsof our taxonomy.
Hansman and Hunt[4] proposed four taxonomies ofattacks based on four different dimensions of classifi-cation covering network and computer attacks. Thefour dimensions are: attack vector used to classify theattack, target of the attack, vulnerability base on com-mon vulnerabilities exposures (CVE) or criteria fromHoward’s taxonomy, payload or effects involved. They
mentioned the need of future research on correlationbetween attacks within the taxonomy and the utiliza-tion of KB. We try to use KB to analyze attacks bybuilding an attack ontology, and describe relationshipsbetween different components in the five dimensions.
Venter and Eloff[10] provided a taxonomy of informa-tion security technologies. Their goal was to provideknowledge about security technologies. They dividedsecurity technologies into two categories: proactive andreactive. The proactive (reactive) part is subdividedinto nine (seven) subcategories. Meanwhile, proactiveand reactive technologies are classified by their levelof interaction: network, host or application level. Weuse their taxonomy for reference in our classification ofdefense.1.2 Related Work in the Area of Ontologies
Simmonds et al.[8] built a security attack ontology.They improved understanding of the relationship be-tween different components included in a network secu-rity system. The classes of his network security attacksontology are: access, actor, attack, impact, informa-tion, intangible, motive, outcome, systems administra-tor and threat. Main properties include: “assessing”,“causing loss of”, “gaining”, etc. And their relationsare presented as follows. An actor has his motive, anduses threat to implement attack; if the attack is suc-ceeded, then the actor gains information and outcome,causing lose of the system. And systems administratorwill report access, impact and outcome of the system.
Herzog et al.[11] used OWL to develop an ontology forinformation security. The ontology includes the classiccomponents of risk assessment: assets, threats, coun-termeasures, vulnerabilities and their relations to eachother. Figure 1 shows a simplified overview of the se-curity ontology. An asset is connected to the conceptvulnerability through “hasVulnerability” relation. Anasset is threatened by threats and protected by counter-measures. A countermeasure is also an asset; it protectssecurity goal and asset by defence strategy. We adoptsome of Herzog’s ideas in our proposed ontology, espe-cially in the attack vector, defense and attack impact.
Wang et al.[9] presented an ontology focused on
Asset
hasVulnerability
Threats
Threats Threat
Ena
bled
by
Securitygoal
Protects
Pro
tect
s
ProtectsCounter-measure
Defencestrategy Vulnerability
Fig. 1 Overview of the security ontology
556 J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562
vulnerability management which includes all thevulnerabilities published by national vulnerabilitydatabase (NVD). Top level concepts of the ontology in-clude vulnerability, IT product, attacker, attack, conse-quence and countermeasure. Concretely, a vulnerabil-ity that exists in an IT product can be exploited by anattacker, and the attacker conducts an attack with theobjective of compromising the IT product and causing
a consequence. Countermeasures can be used to protectthe IT product through mitigation of the vulnerability.
2 Taxonomy of Attacks
The proposed taxonomy uses dimensions for classifi-cation. Dimensions are a way of classifying attacks as awhole. Figure 2 provides an overview of the taxonomy.
Attacks
Attackimpact
Attackvector
Attacktarget Vulnerability Defense
Authentication
Authorization
Confidentiality
Integrity
Availability
Auditing
DoS
Human behavi-oural attack
Informationgathering
Malformedinput
Maliciouscode
Networkattack
Passwordattack
Physicalattack
Hardware
Software
Application
Network
Operatingsystem
Location
Motivation
Resource-specific
weaknesses
Weaknessesintroduced
during design
Weaknessesintroduced
duringimplementation
Security networkcommunication
Standard
Technologymistakenly
used ascountermeasure
Encryption,cryptography
Memoryprotection
Accesscontrol
Source codeanalysis
Monitoring
Securityhardware
Emissionssecurity
Backup
Messagedigest
checksum
Trustmanagement
Vulnerabilityscanner
Login system
Honey pot
Sanitizer Keymanagement
Computer
Networkequipment
Peripheraldevice
Weaknesses inOWASP top ten
Human
Receiver
Sender
Fig. 2 Overview of attack taxonomy
Our taxonomy proposes five dimensions for attackclassification, because these dimensions are major fac-tors in attack effect evaluation. The attack impact de-picts what kind of security property an attack will in-fluence. While the attack vector describes how attacksreach their targets. The attack target is the object ofan attack. The fourth dimension, vulnerability, meansthe vulnerabilities in the targets exploited by an attack.Meanwhile the purpose of security assessment is to de-fend attacks and assure security of the systems, so weinclude defense as one of the attack dimensions. AndHerzog’s classification of countermeasure is accepted inour defense dimension. With these dimensions, our tax-onomy is suitable for security assessment.
2.1 Attack ImpactWe use security property to model the impact of
threats. Those properties include confidentiality, in-tegrity, availability, authentication, authorization andauditing. The following are details about them.
Confidentiality is to prevent the information of sys-tems from being disclosed or revealed to unauthorizedentities. The information may be contained in all typesof files and in database. Protection of confidentialityforms the cornerstone of information security in today’scorporations. The most frequent attack against con-fidentiality is dictionary attack, scanning attack andpassword sniffing. Integrity is to prevent informationof systems from interruption, interception, modification
J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562 557
and fabrication. In most cases, integrity is defined asthe ability to guard against information modification.Availability is to guarantee that users are able to accessto information and resources. The main attack againstavailability is denial of service (DoS) and DDoS. With-out warning in advance, the computing and communi-cation resources of a system can easily be exhausted bya DDoS attack in a short time. So the availability of thesystem is influenced. Authentication is the act of con-firming the truth of an attribute of a datum or entity. Ininformation security, this might include confirming theidentity of a person, or assuring the computer programtrustable. The common way to implement authentica-tion is to use passwords or biometric recognition, likefingerprint recognition, iris recognition and voice recog-nition. While buffer overflows, SQL injection and crosssite scripting are the most common authorization at-tacks. The auditing presents record of security relevantinformation to the system administrator, which can beused to evaluate the attacks.2.2 Attack Vector
An attack vector is defined as a path by which anattacker can gain access to a host. It is the most im-portant characteristic of the attack. This definition alsoincludes vulnerabilities, as it may require several vul-nerabilities to launch a successful attack. Sometimesit is hard to classify an attack into any one of attackvectors, such as blended attacks, because those attacksuse several means to reach their targets. However, theycan be expressed in ontology easily as we describe inSubsection 3.3. The following are major attack vectorswe classify in network and computer systems.
DoS attacks An attack prevents legitimate usersfrom accessing or using a host or network. They aredivided into: stopping service and exhausting service.And then stopping service is subdivided into: processkilling, system reconfiguration, process crashing, andmalformed packet. Exhausting service is subdividedinto: packet floods, forking process, and filling up thewhole system.
Human behavioral attacks It is a damagecaused by or related with human behavioral. Theyare subcategorized into: dumpster diving, inappropri-ate system use, social engineering, and unintentionalfile sharing.
Information gathering attacks They are at-tacks in which no physical or digital damage is car-ried out and no subversion occurs, but in which im-portant information is gained by the attacker, possiblyto be used in a further attack. They are subdividedinto: eavesdropping, exploiting implementation, map-ping, scanning attacks, security scanning, sniffing, andtraffic analysis. And again eavesdropping is subdividedinto: active eavesdropping, and passive eavesdropping.
Malformed input They are attacks caused by in-valid input in order to cause buffer overflow or bypass
the access control of the system. If successful, thethreat may lead to the additional threats of maliciouscode or usurpation. It is subdivided into: buffer over-flow, code injection and format string attack. Bufferoverflow is subdivided into: Heap, Lib and Stack. Codeinjection is subdivided into: cross site scripting, PHPinjection, SQL injection, and shell injection.
Malicious code It is a software program usedfor malicious attacks. It is subdivided into: Back-door, Rootkit, Spyware, Trojans, Viruses, and Worms.Viruses are subdivided into: boot viruses, file virusesand network viruses. Keylogger is a subclass of theSpyware.
Network attacks They are attacks focused on at-tacking a network or the users on the network by ma-nipulating network protocols, ranging from the data-link layer to the application layer. They are subdividedinto: bypassing intended controls, distributed, negativeacknowledgement (NAK) attacks, spoofing, Web appli-cation attacks, and password attacks. Among them,spoofing is subdivided into: IPAddressSpoofing, manin the middle, pishing, replay, and session hijacking.Web application attacks are subdivided into: cookiepoisoning, database attacks, hidden file manipulation,and parameter tampering.
Password attacks They are attacks aimed atgaining a password. They are subdivided into: bruteforce, dictionary attack, and combination of above two.
Physical attacks They are attacks based on dam-aging physical components of a network or computer.2.3 Attack Target
We adopt Hansman’s idea of classification and addhuman into the attack target. First it is divided intohardware, software and human, and then hardware issubdivided into: computer, network equipment and pe-ripheral devices. Software is subdivided into operatingsystem, application, and network; operating system in-cludes Windows family, Unix family and MacOS family;application includes server and user; network includesprotocols. The idea of flavor and version of software isinherited. Human is divided into receiver and sender.2.4 Vulnerability
We use the common weakness enumeration (CWE)as the taxonomy scheme of the vulnerability concept.CWE is a software assurance strategic initiative co-sponsored by the National Cyber Security Division ofthe U.S. Department of Homeland Security. It hasthe following categories: location, motivation, resource-specific weaknesses, weaknesses introduced during de-sign, weaknesses introduced during implementation,and weaknesses in the Open Web Application Secu-rity Project (OWASP) top ten. Location is subdividedinto: code, configuration, and environment. Motiva-tion is subdivided into: inadvertently introduced weak-ness and intentionally introduced weakness. Resource-specific weaknesses are subdivided into: weaknesses
558 J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562
that affect files or directories, weaknesses that affectmemory, and weaknesses that affect system processes.
3 Ontology of Attacks
Our ontology is built on the base of the taxonomyin Section 2 and ontologies constructed by other re-searchers. Before we introduce our ontology of attacks,we need to make some related concepts clear. They areKB, DL, and OWL. They include components and ap-plication of ontology as well as methods for building itin this section.3.1 KB, DL and OWL
A KB is a special kind of database for knowledgemanagement. Its knowledge representation (KR) sys-tem is based on different logic languages, includingpropositional logic, first predicate logic, and descriptionlogic, etc. When description logic is used as the baseof KR system, we get DL based KB. It comprises twocomponents, TBox and ABox. The TBox introducesthe “terminology”, i.e., the vocabulary of an applica-tion domain, while the ABox contains assertions aboutnamed individuals in terms of this vocabulary.
Although there are many languages for building on-tology, we choose OWL. On the one hand, OWL isbased on XML which is popular in the Web, and thismeans that more tools are available for editing, han-dling, and documenting the ontologies. On the otherhand, KR paradigm of OWL is DL which is useful inautomatic classification and reasoning, and DL is verysuitable for construction of ontology.3.2 Ontology Overview
Main components of an ontology are:(1) classes which represent concepts;(2) relations which represent an association between
concepts;(3) functions, special case of relations in which the
nth element of the relation is unique for the n− 1 pre-ceding elements;
(4) formal axioms, model sentences that are alwaystrue;
(5) instances which represent elements or individualsin an ontology.
An ontology can be used in many ways. For ex-ample, it can be used as a KB, a basis for develop-ing software, and a tool for information search. Al-though currently there is no standard method for on-tology development[12], there are several ways and rulesfor building it[13]. For example, we can reuse old ontol-ogy, which is available in the domain. Another way forbuilding ontology is to use available taxonomy in thedomain. Since we have classified the attacks and thereare many researches about attack ontologies, we com-bine the two ways. We build our ontology according tothe DL knowledge engineering methodology describedby Baader et al.[14] and the design criteria for ontologies
proposed by Gruber[15].3.3 Our Ontology of Attacks
According to the taxonomy of attacks and ontologiesmentioned above, we build an ontology of attacks. Ourontology is implemented into OWL. So concepts areimplemented as classes, relations are implemented asproperties, and axioms are implemented as restrictions.There are two types of properties (relations): objectproperties and datatype properties. Object propertiesare defined as relations between instances belonging todifferent classes, Datatype properties are relations be-tween instances of classes and literals. Because the KBof OWL is DL, we use DL to describe the ontology.Concept in DL has the same meaning as class in OWL.Role describes binary relation between concepts. Andindividual represents instance of class.
Top level concepts of the ontology include attack im-pact, attack vector, target, vulnerability, and defense.Specifically, a vulnerability that exists in a target canbe utilized by an attack, compromising the target andcausing the lose of security property. Defense can beused to protect the target through mitigation of thevulnerability, and Herzog’s countermeasure is adoptedin our defense ontology. Following is the descriptionof the concepts and their relationships in our ontologymodel.3.3.1 Attack Impact
Attack impact ontology depicts the security proper-ties of targets threatened by attacks. There are six mainsecurity properties: confidentiality, integrity, availabil-ity, authentication, authorization, and auditing. Theyare important properties in security assessing. The ul-timate goal of attacks is not the attack target itself,but the information contained in or expressed by it, inother words, to destroy the security properties providedby the target. For example, DDoS attack exhausts orstops the resources of network or host, and prohibitsthe legitimate use of services. The attack target is hostor network, but the goal is to prevent the legitimateuser from using the resources provided by the target.3.3.2 Attack Vector
Attack vector ontology describes concepts aboutmain means by which the attack reaches its targetand associates attack vector with concepts in all sub-ontologies. An attack threatens security propertyand target, while defense protects them. For exam-ple, buffer overflow threatens the integrity of data onvolatile media, and boundary checking protects the in-tegrity of data on volatile media, so boundary checkingcan protect integrity of data by thwarting buffer over-flow attack. We use “enabledByVulnerability” to ex-press an attack enabled by one or more vulnerabilities,use “hasAttackVector” to associate attack with attackvector, and use “ifSuccessfulLeadsToThreat” to depictrelations between attack vectors.
After attacks as well as their hierarchical
J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562 559
classification and relations about attack conceptsin the ontology have been defined, we need to defineformal axioms. And they are usually embedded inconcept or role (relation) definitions. For example,the definition of Rootkit: it is a malicious code, and ifsuccessful, the attack may cause other malicious codeattack, and threaten integrity of host. The following isthe DL description of above definition:
maliciousCode(Rootkit)∩(∀ ifSuccessfulLeadsToThreat.MaliciousCode)∩(∀ threaten.(Host ∩ Integrity)).
To complete our attack vector ontology, the last stepis to populate it with individuals (instances). We alsointegrate evaluating index into the data type propertyof attack vector concept. For example, we consider SQLslammer as an instance of worm according to the defi-nition: SQL slammer is a computer worm that causeda DoS on some Internet hosts and dramatically sloweddown general Internet traffic. And if we study the tech-nical detail of SQL slammer attack, we find if it suc-ceeds, then it will cause UDP (user datagram protocol)flood DoS attack. This kind of relation can be describedas
worm(SQL slammer)∩(∀ ifSuccessfulLeadsToThreat.(DoS ∩ UDP)).
We give another example to illustrate how to expressthe blended attack in our ontology model. The Mit-nick attack is multi-phased, consisting of DoS attack,TCP sequence number prediction and IP spoofing. Weclassify it as the instance of DoS, TrafficAnalysis, andIPAddressSpoofing at the same time. It is expressed asfollows:
DoS(Mitnick) ∩ TrafficAnalysis(Mitnick)∩IPAddressSpoofing(Mitnick).
Sometimes, an attack instance has several nicknames. SQL slammer has other names include SapphireWorm, W32.SQLExp.Worm, DDOS.SQLP1434.A,SQL HEL, W32/SQLSlammer and Helkern, and inontologies these assertions can be made by making thedifferent names as equivalent classes.3.3.3 Target
According to the classification of target describedabove, we get a whole picture of targets and their hier-archical structure. Then we define some properties todepict relationships between target and classes in eachsubontologies. We use “hasVulnerability” to express atarget has one or more vulnerabilities, use “threaten”to associate attack vector with target, use “protect”to depict relations between targets and defense, anduse “reside” to sketch relations between different tar-gets. For example, IIS6.0 is resided on the Windows
server 2003, and Windows server 2003 resides on a homecomputer.
Then we populate it with instances. At first sight,every concept in Hansman’s taxonomy of attack tar-get is a class. So we follow the rules mentioned byNoy and Mc-Guinness[12] to decide whether a conceptis an instance or a class, it depends on what the po-tential applications of the ontology are or what gran-ularity should the ontology need. For example, if anattack threatens Windows XP, then Windows family isa class, and Windows XP is an instance. But if theattack only threatens Windows XP with service pack2, then Windows XP is a class, and Windows XP SP2is an instance.3.3.4 Vulnerability
Vulnerability refers to security flaws, defects, or mis-takes in software that can be used by a hacker to gainaccess to a system or a network. We use property“hasVulnerability” and “isVulnerabilityOf” to associatevulnerability with target and use “enabledByVulnera-bility” to depict vulnerability exploited by attacks. Forexample, SQL slammer utilizes CVE-2002-0649 to at-tack MS SQL server 2000, if the attack succeeds, itwill cause UDP packet flooding DoS and lose of avail-ability of network. Such description can be formalizedas
worm(SQL slammer)∩(∀ enabledByVulnerability.CVE-2002-0649)∩(∀ threaten.(MS SQL server 2000)∩(∀ ifSuccessfulLeadsToThreat.(DoS ∩ UDP)∩∀ threaten.(network ∩ availability)).
We use CWE as the base to build our vulnerabil-ity ontology, and populate it with CVE. Because NVDalso integrates common vulnerability scoring system(CVSS) as impact metrics for CVE vulnerabilities, sothe CVSS score for each CVE vulnerability in NVD isincluded in our ontology.
4 Framework for Security Assessment
Traditional security assessment method includes vul-nerabilities discovery and risk assessment. In this pa-per, we propose an ontology-based framework to eval-uate attack effect. Through the evaluation of attackeffect, we can find out the discrepancy of the system’sperformance before and after attack happens. Thefollowing is introduction of assessing model and themethod for assessment.4.1 Our Model for Security Assessment
Figure 3 shows the ontology-based framework for se-curity assessment. The left side of the framework is theontology we built. Evaluating index is datatype prop-erty of arbitrary instance of attack target concept. Theright side is security assessment model; from bottom
560 J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562
Defense
Attack Attackvector
Vulnerability
Attackimpact
Attacktarget
Attack effect
Securityproperty
Evaluatingindex
Attack
VulnerabilityInstance
Evaluatingindex Target
Fig. 3 Ontology-based security assessment framework
to top it is been divided into six layers: target, vul-nerability, attack, evaluating index, security property,and attack effect. Except for the attack effect layer,other layers have relationships with one of the ontol-ogy classes or properties of instances. The first stepto evaluate the security of the target is to use vul-nerability scanning tools to find vulnerabilities of thetarget, and then use ontology to get what attacks willbe enabled by the vulnerabilities, after that evaluat-ing index reflecting the attack effect is obtained byquerying the ontology. After we get the evaluatingindex, analytic hierarchy process (AHP)[16] methodis used to evaluate the attack effect. Figure 4 de-scribes the details of the AHP model for securityassessment.
Attack effect
Integrity Availability AuthenticaitonConfidentiality Authorization
Attack effect layer
Security property layer
Index layerIndex 1 Index 2 Index 3 Index n−1 Index n…
Auditing
Fig. 4 Attack effect assessing model for a node
The model has been divided into 3 layers. The toplayer means result of attack effect assessment. Theresult of assessment is a number between 0 and 1.When the attack effect is 0, it means attacks have noor subtle influence on the target; when it is 1, thatmeans a strong influence on the target. The middlelayer is the “attack impact” mentioned in our ontol-ogy, while the third layer “index layer” represents thefactors of the assessment. It can be extracted fromvarious security databases (NVD, snort rules database,etc.) through data mining; common evaluating in-dex includes: CPU consumption, memory consump-tion, network delay, network delay jitter, network ornode throughput, packet-drop, update cycle of routingtable, system server response time, and system recovertime, etc.
We use AHP[16] method to measure attack effect. Itcan be calculated by
z =n∑
i=1
wiIi, (1)
where z represents attack effect on the system, wi rep-resents the weight of each evaluating index, Ii is nor-malized value of evaluating index in a measuring, andn is the number of evaluating indexes.
4.2 Feasibility Analysis of Our ApproachOur approach is divided into five major phases iden-
tified throughout the evaluating process, i.e., establish-ment of security ontology for the security assessment,vulnerability scanning, querying and reasoning by theontology, assessing the weight of each security propertyand evaluating index by AHP method, and measuringvalue of evaluating index.
We discuss now viability of each phase in theapproach.
Directed by Noy’ guide and according to the securityontology built, we get a whole picture of the ontologyfor security assessment. All concepts in five dimensionsof attack ontology can be got in various database andtaxonomies of related researches. For example, we col-lect vulnerability information in CVE, CWE and CVSS.We get target information in common attack patternenumeration and classification (CAPEC). We extractevaluating index in NVD, or snort rules database.
Meanwhile many vulnerability scanning tools [17] canbe used to determine what threats and vulnerabilitiesexist in computer and network systems; many method-ologies for identifying vulnerabilities in the systems ex-ist. Examples of such tools are automated vulnerabilitydetection system (AVDS), Nessus and core impact, etc.
Once an ontology for the research area is built, it canbe used for reasoning and querying as Herzog described.
J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562 561
And ontologies have the ability to reason and queryby letting a reasoner (FaCT, Racer, Pellet, etc.) infersubsumption relationships between concepts.
Through the AHP method, the weights of securityproperty and evaluating index can be calculated. TheAHP approach pairwise compares factors (in our ex-periment, they are elements’ weights with respect todifferent security properties) influencing the ultimateresult, and calculates subjective evaluation of elements’weights based on experts’ judgments and opinion. Afterwe get the weights of evaluating indexes and securityproperty, attack effect can be calculated by Eq. (1).
Measuring of evaluating index was studied in earlierresearches. For example, Hu et al.[18] designed a modelof DoS attack effect evaluation. It shows the viability ofcalculating the DoS attack effect. In fact the scheme ofevaluation could be expanded to a more general attackeffect evaluation system.4.3 Case Study
The following example illustrates the utility of ourontology within a security assessment system and howto use AHP method to calculate the attack effect.
Suppose we are interested in assessing security of apersonal computer with IIS6.0 and Windows 2003 SP2operating system installed on it. To achieve this, we usevulnerability scanning tools to find the vulnerabilitiesin the system. Then we get several vulnerabilities, wechoose vulnerabilities discovered in recent years withhigh CVSS score, such as CVE-2011-3414, CVE-2010-1256 and CVE-2011-0654. After that we query the on-tology what attack will be enabled by the vulnerabilitiesmentioned above:
(enabledByVulnerability some CVE-2011-3414) or(enabledByVulnerability some CVE-2010-1256) or(enabledByVulnerability some CVE-2011-0654).
So we obtain attack vector: BufferOverflow, CodeIn-jection and DoS; then we associate the attacks withrelated evaluating index: CPU consumption, memoryconsumption, and system server response time. Afterthat, we use AHP method to assess the attack effecton the system. The AHP model is implemented usingthe tool “SuperDecisions”. In the example, the secu-rity property layer includes two elements: availabilityand authorization (the properties are threatened mostby the attacks). Suppose the weights of availability andauthorization evaluated by the experts are 0.6 and 0.4,respectively. Next the elements in evaluating index arepairwise with respect to each of the security properties.The judgments and the derived priorities are shown inTables 1—3.
After we get the weights of elements of evaluatingindex, Eq. (1) is used to calculate the attack effect onthe system:
z = 0.211 4I1 + 0.205 7I2 + 0.582 9I3.
Table 1 Element’s weights with respect to avail-ability
WeightPriority/%
CPU
consumption
Memory
consumption
System server
response time
1 2 1/2 28.57
1/2 1 1/4 14.29
2 4 1 57.14
Table 2 Element’s weights with respect to autho-rization
WeightPriority/%
CPU
consumption
Memory
consumption
System server
response time
1 1/3 1/6 10
3 1 1/2 30
6 2 1 60
Table 3 Overall priorities for elements of evaluat-ing index
Evaluating indexPriority/% Overall
priority/%Availability Authorization
CPU consumption 28.57 10 21.14
Memory consumption 14.29 30 20.57
System server
response time
57.14 60 58.29
IT security assessment is an explicit study to locate ITsecurity vulnerabilities and risks. The goal of a securityassessment is to ensure that necessary security controlsare integrated into the design and implementation of aproject. From the process of calculating attack effect,we believe that the evaluation of attack effect benefitsthe security assessment in the following two ways.
Firstly, because our method uses vulnerability scan-ners to find vulnerabilities in the system, and then uti-lizes our ontology to reason relationships between vul-nerabilities and attacks, thus the two dimensions in fiveof attacks interconnect with each other. The use of on-tology can categorize vulnerabilities found in the sys-tem, so we can find quickly the tree of vulnerabilities.
Secondly, the attack effect reflects the impact of ex-ploitation of a potential weakness of the system. Themore attack effect on the security property of the sys-tem, the more impact caused by exploitation of the vul-nerability. Risk calculation is given as
R =∑
i
PiDi, (2)
where R is the system risk, Pi means the probability of
562 J. Shanghai Jiaotong Univ. (Sci.), 2013, 18(5): 554-562
occurrence of ith weakness, and Di means the damagecaused by the ith weakness. So the evaluation of attackeffect is helpful to risk assessment.
5 Conclusion
In this paper, we propose an ontology-based frame-work for evaluating attack effect. More specifically, theframework benefits security assessment of the system bymeasuring the attack effect on it. The ontology is thebasis of our framework, which provides security infor-mation needed in the whole measuring process. WhileAHP method is used to calculate the weights of secu-rity property and evaluating index which are importantfactors in security assessment. Differing from the tradi-tional security assessment method: vulnerabilities dis-covery and risk assessment, our approach assesses thesecurity of systems by evaluating the attack effect onthe system. Attack effect is the changes of the system’sperformance before and after attack. The modificationof the system’s performance is more suitable for reflect-ing security status. The better the attack effect is, theworse security the system has. In addition, through fea-sibility analysis of our approach, the proposed frame-work is viable.
References
[1] Igure V M, Willams R D. Taxonomies of attacksand vulnerabilities in computer systems [J]. IEEECommunications Surveys, 2008, 10(1): 6-19.
[2] Howard J D, Longstaff T A. A common languagefor computer security incidents [R]. California: SandiaNational Laboratories, 1998.
[3] Alvarez G, Petrovic S. A taxonomy of Web attackssuitable for efficient encoding [J]. Computer & Secu-rity, 2003, 22(5): 435-449.
[4] Hansman S, Hunt R. A taxonomy of network andcomputer attacks [J]. Computers & Security, 2005,24(1): 31-43.
[5] Simmons C, Ellis C, Shiva S, et al. AVOIDIT: Acyber attack taxonomy [R]. Memphis: University ofMemphis, 2009.
[6] Raskin V, Hempelmann C F, Triezenberg K
E, et al. Ontology in information security: A use-ful theoretical foundation and methodological tool
[C]//Proceedings of the 2001 Workshop on New Se-curity Paradigms. New York: NSPW, 2001: 53-59.
[7] Beitollahi H, Deconinck G. Analyzing well-knowncountermeasures against distributed denial of serviceattacks [J]. Computer Communications, 2012, 35(11):1312-1332.
[8] Simmonds A, Sandilands P, Ekert L V. An ontol-ogy for network security attacks [C]//Proceedings ofSecond Asian Applied Computing Conference. Kath-mandu, Nepal: AACC, 2004: 317-323.
[9] Wang J A, Guo M M, Camargo J. An ontologicalapproach to computer system security [J]. Information
Security Journal: A Global Perspective, 2010, 19(2):61-73.
[10] Venter H S, Eloff J H P. A taxonomy for informa-tion security technologies [J]. Computers & Security,2003, 22(4): 299-307.
[11] Herzog A, Shahmehri N, Duma C. An ontology ofinformation security [J]. International Journal of In-formation Security and Privacy, 2007, 1(4): 1-23.
[12] Noy N F, Mc-Guinness D L. Ontology development101: A guide to creating your first ontology [R]. Stan-ford: Stanford Knowledge Systems Laboratory, 2001.
[13] Blanco C, Lasheras J, Fernandez-Medina E. Ba-sis for an integrated security ontology according to asystematic review of existing proposals [J]. ComputersStandards & Interfaces, 2011, 33(4): 372-388.
[14] Baader F, Calvanese D, Mc-Guinness D L, et al.Description logic handbook: Theory, implementationand application [M]. Cambridge, UK: Cambridge Uni-versity Press, 2003.
[15] Gruber T. Towards principles for the design of on-tologies used for knowledge sharing [J]. InternationalJournal of Human-Computer Studies, 1995, 43(5-6):907-928.
[16] Vargas L G, Dougherty J J. The analytic hierarchyprocess and multicriterion decision making [J]. Amer-ican Journal of Mathematical and Management Sci-ences, 1982, 19(1): 59-92.
[17] Holm H. Performance of automated network vulnera-bility scanning at remediating security issues [J]. Com-puters & Security, 2012, 31(2): 164-175.
[18] Hu Ying, Xian Ming, Xiao Shun-ping. Design of aDoS attack effect evaluation system [J]. Computer En-gineering & Science, 2005, 27(2): 15-22 (in Chinese).