Taxonomies of Attacks and Vulnerabilities in Computer Systems
Igure, V.M.; Williams, R.D.
IEEE Communications Surveys & Tutorials, Volume 10, Issue 1 (2008)
R96725034 林昕彥, R96725036 陳政彥
Why do we need taxonomy?
• The main goal of these taxonomies was to organize information about known vulnerabilities or attacks, so that designers could use that information to build more secure systems or defense systems
• If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered the cause of the flaw
• The taxonomy provides useful information for finding unknown vulnerabilities as well as for avoiding similar vulnerabilities in future designs
• They provide a classification of testing techniques based on the vulnerability the test is meant to discover; each test class discovers all the vulnerabilities that have similar characteristics
Introduction
• Security assessment of a system is the process of determining the system’s capability to resist attacks
• This process typically involves probing the system to detect the presence of known vulnerabilities
  • Most attacks exploit known vulnerabilities
• This process is limited because it only searches for known vulnerabilities
• Security assessment is an objective process only as long as it is limited to searching for known weaknesses
• Probing a system to detect previously unidentified flaws is still a very subjective process
Introduction
• Prior work has attempted to gain an understanding of the characteristics and nature of known vulnerabilities to support the prediction of vulnerabilities in new systems
• The first step in understanding vulnerabilities is to classify them into a taxonomy based on their characteristics
• A taxonomy classifies the large number of vulnerabilities into a few well-defined and easily understood categories
• Such a classification can serve as a guiding framework for performing a systematic security assessment of a system
• This article provides a state-of-the-art survey of existing security-related taxonomies
• The survey covers papers published between 1974 and 2006
Taxonomies and Security Assessment
• A taxonomy is formally defined as “the study of the general principles of scientific classification”
• This classification is done according to the relationships between the characteristics of the objects
• A good taxonomy also provides a common language for the study of the field
Taxonomies and Security Assessment
• Taxonomies of vulnerabilities and attacks:
  • might be useful in the security assessment process
  • can also be useful for system designers
  • can also provide a way to explore unknown attacks
• Many taxonomies of attacks and vulnerabilities have been published over the years, but there is still no standard or universally accepted taxonomy
• Our primary interest is in the development and use of attack and vulnerability taxonomies in the security assessment process
Types of Computer Crimes [17]
• Two-dimensional matrix of computer attacks
• First dimension: users
  • Operators, programmers, data entry, internal users, outside users, and intruders
  • The six classes of users are not distinct
• Second dimension: computer crimes
  • Physical destruction, information destruction, data diddling, theft of services, browsing, and theft of information
Types of Computer Misuse [18]
• Level One:
  • Theft of computer resources
  • Disruption of computer resources
  • Unauthorized disclosure of information
  • Unauthorized modification of information
• Level Two:
  • Human error
  • User abuse of authority
  • Direct probing
  • Probing with malicious software
  • Direct penetration
  • Subversion of security mechanism
Information System Attacks [19]
• Among the first attempts at developing a taxonomy to help the security assessment process
  • Put all possible attacks under a single taxonomy
  • Could be used to predict future attacks in existing systems
• The biggest drawback of [19] is that it is not a classification
  • It is merely a long list of all known attacks
  • The article lists 94 different attacks on information systems
Computer Attack [24]
• In [24] Neumann identified 26 different kinds of computer attacks and classified them into nine categories:
  • External
  • Hardware misuse
  • Masquerading
  • Pest programs
  • Bypasses
  • Active misuse
  • Passive misuse
  • Inactive misuse
  • Indirect misuse
• This can be considered a hierarchical taxonomy because it has two levels of classification
Classify Computer Security Intrusions [7]
• Lindqvist and Jonsson’s taxonomy [7, 26] is a very good example of one that is suitable for a security assessment process
  • The first to introduce the notion of a dimension of classification
  • They extended three of Neumann and Parker’s categories into multiple subdivisions:
    • Bypass of intended controls
    • Active misuse of resources
    • Passive misuse of resources
IDS Related Taxonomies
• Two main types of IDSs:
  • Signature-based systems
  • Anomaly-based systems
• The primary motivation for this classification was to provide a defense-centric taxonomy to help network defenders
Signature-based system
• Every attack manifests itself as some kind of event or sequence of events in a network
• These unique events are called the signatures of the attack
• Every known attack is given a signature based on its characteristics
• An attack taxonomy can ensure that all known attacks are represented in the signature database
Signature-based system
• In [27] Kumar presents a taxonomy of signatures to help build an effective IDS
• Attack signatures are classified into five categories:
  • Existence
  • Sequence
  • Partial order
  • Duration
  • Interval
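To make the two signature-based slides concrete, here is an added example (my own code, not from the survey or from Kumar's paper) that evaluates one signature of each of the five classes over a constructed event log. The event names, the source-host pairing used for the duration class, and the "earliest a precedes latest b" reading of a partial-order constraint are my assumptions about how such a matcher would be written, not definitions taken from [27].

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float    # seconds since the start of the capture
    name: str   # event type as the sensor labels it
    src: str    # source host


# Constructed sample of sensor events (not from the paper): two failed logins,
# then a success and a privilege change inside one long session.
SAMPLE_EVENTS = [
    Event(0.0, "session_start", "10.0.0.5"),
    Event(1.0, "login_fail", "10.0.0.5"),
    Event(2.5, "login_fail", "10.0.0.5"),
    Event(3.0, "config_read", "10.0.0.5"),
    Event(4.0, "login_ok", "10.0.0.5"),
    Event(9.0, "privilege_change", "10.0.0.5"),
    Event(70.0, "session_end", "10.0.0.5"),
]


def by_time(events):
    return sorted(events, key=lambda e: e.t)


def matches_existence(events, name):
    """Existence: the signature is a single event that merely has to occur."""
    return any(e.name == name for e in events)


def matches_sequence(events, names):
    """Sequence: the listed events must all occur, in this order (gaps allowed)."""
    stream = iter(by_time(events))
    # each any() consumes the stream up to the matching event, so order is enforced
    return all(any(e.name == name for e in stream) for name in names)


def matches_partial_order(events, names, constraints):
    """Partial order: every name occurs; each (a, b) constraint needs some a to
    precede some b; unconstrained pairs may occur in any order."""
    times = {}
    for e in events:
        times.setdefault(e.name, []).append(e.t)
    required = set(names) | {x for pair in constraints for x in pair}
    if any(n not in times for n in required):
        return False
    return all(min(times[a]) < max(times[b]) for a, b in constraints)


def matches_duration(events, start, end, min_seconds):
    """Duration: a state opened by `start` and closed by `end` from the same
    source that persists for at least `min_seconds` (pairing by source is an
    assumption of this example)."""
    opened = {}
    for e in by_time(events):
        if e.name == start:
            opened.setdefault(e.src, e.t)
        elif e.name == end and e.src in opened:
            if e.t - opened.pop(e.src) >= min_seconds:
                return True
    return False


def matches_interval(events, first, second, lo, hi):
    """Interval: `second` follows `first` with a gap of lo..hi seconds."""
    ordered = by_time(events)
    return any(a.name == first and b.name == second and lo <= b.t - a.t <= hi
               for i, a in enumerate(ordered) for b in ordered[i + 1:])


def evaluate_signatures(events=SAMPLE_EVENTS):
    """Run one signature of each class over the events; returns {class: matched}."""
    return {
        "existence": matches_existence(events, "privilege_change"),
        "sequence": matches_sequence(events, ["login_fail", "login_ok", "privilege_change"]),
        "partial order": matches_partial_order(
            events, {"login_fail", "config_read", "login_ok"},
            [("login_fail", "login_ok"), ("config_read", "login_ok")]),
        "duration": matches_duration(events, "session_start", "session_end", 60),
        "interval": matches_interval(events, "login_fail", "login_ok", 0, 5),
    }


if __name__ == "__main__":
    for cls, hit in evaluate_signatures().items():
        print(f"{cls:14s} {'match' if hit else 'no match'}")
```

All five classes match on the sample log; the point of the taxonomy is that a signature database built along these classes tells you which matching machinery (a set lookup, an ordered scan, a precedence check, or a timer) the detector must implement.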
Anomaly-based system
• Looks for any network activity that deviates from the norm
• Killourhy et al. [28] developed a taxonomy of attacks based on their manifestation as anomalies in IDS sensor data
• Every attack manifests itself as either a:
  • Foreign symbol
  • Minimal foreign sequence
  • Dormant sequence
  • Non-anomalous sequence
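An added example (my own code, not from the survey or from Killourhy et al.) showing how a sequence-based anomaly detector would sort a test trace into the four manifestation classes above. The normal traces are constructed system-call sequences standing in for training data. The reading of "dormant sequence" used here, a trace whose every window occurs in normal data but which never appears as a complete normal trace (e.g. a truncated one), is my interpretation, not a definition quoted from [28].

```python
from itertools import chain

# Constructed normal traces (system-call names) standing in for the sensor's
# training data; not taken from the paper.
NORMAL_TRACES = [
    ["open", "read", "close"],
    ["open", "write", "close"],
    ["stat", "open", "read", "read", "close"],
]


def ngrams(trace, n):
    """All contiguous length-n windows of a trace."""
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def normal_ngrams(normal_traces, n):
    """Length-n windows seen anywhere in the normal data."""
    return set().union(*(ngrams(t, n) for t in normal_traces))


def classify_manifestation(trace, normal_traces=NORMAL_TRACES):
    """Return (category, n): how `trace` manifests against the normal data.
    `n` is the window length at which the decision was made."""
    alphabet = set(chain.from_iterable(normal_traces))
    if any(sym not in alphabet for sym in trace):
        return ("foreign symbol", 1)
    # Grow the window. The first length at which an unseen window appears is,
    # by construction, a minimal foreign sequence: every shorter window was known.
    for n in range(2, len(trace) + 1):
        if ngrams(trace, n) - normal_ngrams(normal_traces, n):
            return ("minimal foreign sequence", n)
    # Every window up to the whole trace occurs in the normal data.
    if any(trace == t for t in normal_traces):
        return ("non-anomalous sequence", len(trace))
    # Assumption of this example: all windows normal, but never a complete
    # normal trace (e.g. a normal trace cut short).
    return ("dormant sequence", len(trace))


if __name__ == "__main__":
    for probe in (["open", "read", "close"], ["open", "read"],
                  ["open", "execve"], ["open", "write", "read", "close"]):
        print(" ".join(probe), "->", classify_manifestation(probe))
```

The loop also shows why the last two classes matter to a defender: a window-based detector trained on `NORMAL_TRACES` raises nothing for either a dormant or a non-anomalous manifestation, so attacks in those classes need a different sensor rather than a larger window.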
DoS Attack Related Taxonomies
• An attacker can carry out a successful DoS attack without penetrating the target network
• In [29] Neumann lists three types of DoS attacks based on the source of the attack:
  • No network penetration; the attack can be carried out remotely over the Internet
  • The attacker exploits some known vulnerability to penetrate the network and then carries out resource exhaustion attacks
  • Distributed DoS (DDoS) attacks: attackers penetrate or compromise many third-party computers and use them to launch a DoS attack against the target network
DoS Attack Related Taxonomies
• Mirkovic and Reiher [8] intended to build a taxonomy that would provide a complete overview of the field of DDoS attacks and defenses
• Each attack has multiple characteristics, and Mirkovic and Reiher classify attacks along multiple dimensions
• This classification is not mutually exclusive
• Eight dimensions:
  • Degree of automation
  • Exploited weakness
  • Source address validity
  • Attack rate dynamics
  • Possibility of characterization (based on packet content)
  • Persistence of agent set
  • Victim type
  • Impact on the victim
DoS Attack Related Taxonomies
• In [35] Campbell uses a novel dance metaphor to characterize DoS attacks
• He characterizes a DoS attacker as a third person interrupting two dancing partners
• He groups all DoS attacks under four classes that represent the attacker’s strategy for success:
  • Partner -> spoofing
  • Flood -> flooding
  • Trip -> shutting down
  • Intervene -> interception
Web Attack Taxonomies
• Alvarez and Petrovic [34] analyzed and classified Web attacks; their goal was to extract useful information for application developers to build more secure systems
Specialized Attack Taxonomies
• There are many attack taxonomies that cover only certain specific applications
• Man and Wei [42] developed a taxonomy of attacks against mobile agents
  • The goal of the work was to understand all possible attacks against mobile agents and then use this understanding to develop appropriate protection mechanisms
  • The first level of classification in [42] divides attacks into two categories based on the intentions of the attack
  • The taxonomy is hierarchical, and this characteristic is useful for security assessment
Taxonomies for Security Assessment
• Lough presents an exhaustive survey of computer attack and vulnerability taxonomies in [15]
• Classifies all attacks under four categories:
  • Incorrect validation
  • Incorrect exposure
  • Incorrect randomness
  • Incorrect deallocation
• This classification is made on the cause-of-attack dimension
• Lough’s taxonomy is not application-specific
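As an added illustration of what the four cause categories look like in code (my own examples, not from the survey or from Lough's work), the module below pairs one flawed routine with its hardened form for each category. The upload directory, the hostname in the error message and the use of a leftover temporary file as the Python analogue of incorrect deallocation are assumptions made for the example.

```python
import os
import random
import secrets
import tempfile

# Hypothetical upload directory for the validation example; it need not exist.
BASE_DIR = os.path.realpath("/var/app/uploads")


# --- Incorrect validation: user input is joined into a path without checks
def unsafe_path(user_name):
    return os.path.join(BASE_DIR, user_name)      # "../etc/passwd" escapes BASE_DIR


def validated_path(user_name):
    candidate = os.path.realpath(os.path.join(BASE_DIR, user_name))
    # Resolve first, then require the resolved path to stay under BASE_DIR
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes the upload directory")
    return candidate


# --- Incorrect exposure: internal error detail is returned to the client
def leaky_error(exc):
    return {"error": f"{type(exc).__name__}: {exc}"}


def safe_error(exc, server_log):
    ref = secrets.token_hex(4)                    # opaque correlation id
    server_log.append(f"{ref} {type(exc).__name__}: {exc}")  # detail stays server-side
    return {"error": "request failed", "ref": ref}


# --- Incorrect randomness: a security token from a non-cryptographic generator
def weak_token():
    return "%08x" % random.getrandbits(32)        # Mersenne Twister: seed-reproducible


def strong_token():
    return secrets.token_hex(16)                  # OS CSPRNG, 128 bits


def weak_token_is_reproducible():
    """Shows the weakness: the same generator state yields the same 'secret'."""
    random.seed(1)
    first = weak_token()
    random.seed(1)
    return first == weak_token()


# --- Incorrect deallocation (Python analogue): scratch data outlives its use
def sloppy_scratch(secret):
    fd, path = tempfile.mkstemp()
    os.write(fd, secret)
    os.close(fd)
    return path                                   # file holding the secret is never removed


def scratch_leftover(secret):
    """True if sloppy_scratch left the secret on disk (and cleans it up)."""
    path = sloppy_scratch(secret)
    leftover = os.path.exists(path)
    os.remove(path)
    return leftover


def scratch_then_release(secret):
    with tempfile.NamedTemporaryFile() as f:      # delete=True by default
        f.write(secret)
        f.flush()
        path = f.name
    return path, os.path.exists(path)             # (path, False) once the block exits
```

Each pair is the kind of evidence a cause-based taxonomy is meant to organize: the fix for a validation flaw (canonicalize, then check containment) is reusable across applications in a way that a fix catalogued only by the attack that exploited it is not.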
Taxonomies for Security Assessment
• In [25] Hansman and Hunt aim to develop a “pragmatic taxonomy that is useful to those dealing with attacks on a regular basis.”
• They conclude that it is difficult to develop an effective tree-structured taxonomy of attacks
• Four dimensions:
  • Attack vector
  • Attack target
  • Vulnerabilities and exploits
  • Attacks with payloads
• If the taxonomy were application-specific instead of trying to incorporate all possible kinds of attacks, it might not be very difficult to develop a single tree-structured taxonomy of attacks
Vulnerability Taxonomy
• One of the earliest works on this topic was done by McPhee
• McPhee’s paper was published in 1974, and since then much research has been done on computer security
• McPhee lists seven classes of integrity flaws in operating systems:
Vulnerability Taxonomy
• Attanasio described the methodology and results of penetration testing experiments
• The penetration analysts had three goals:
• The paper does not provide a taxonomy, as that was not their goal, but it makes the important contribution of listing operating system characteristics that are likely to have flaws
Vulnerability Taxonomy
• After the penetration testing experiment, Attanasio et al. listed 16 OS features that are likely to have flaws:
Taxonomy of Software Program Flaws
• The Research in Secured Operating Systems (RISOS) project and the Protection Analysis (PA) project were two of the earliest efforts at producing taxonomies of vulnerabilities in computer software
• Both projects examined the vulnerabilities in different operating systems
Taxonomy of Software Program Flaws
• The seven classes of vulnerabilities in the RISOS project were:
Taxonomy of Software Program Flaws
• The ten classes from the PA project were:
Taxonomy of Software Program Flaws
• The categories of both the RISOS and PA classifications indicate that the dimension of classification was by operations
• This means that the categories represent operations of the OS which can be misused to cause attacks
• The RISOS and PA categories would be greatly beneficial in a larger taxonomy
Taxonomy of Software Program Flaws
• Bishop analyzed the RISOS and PA taxonomies, and showed that these classes could be mapped onto each other
• Bishop classified each vulnerability along six axes:
Taxonomy of Software Program Flaws
• After the PA project, the most influential work on taxonomies of flaws was done by Landwehr et al.
• They did not limit their taxonomy to operating systems but provided a more general taxonomy of flaws in computer programs
• They classified their flaws in three different dimensions:
  • Genesis
  • Time of introduction
  • Location
Taxonomy of Software Program Flaws
• Jiwnani et al. used Landwehr’s taxonomy to aid security testing
• They adapted Landwehr’s three dimensions to build a matrix that related the cause of the vulnerability
• To be effective, the taxonomy must be used in conjunction with all the dimensions of the classification
• The assessment process can be more systematic if these dimensions are arranged hierarchically
Taxonomy of Software Program Flaws
• All the work we have seen so far classified attacks or vulnerabilities based on some inherent characteristic of the attack or vulnerability itself
• Krsul departed from this norm
• He developed a taxonomy based on the observation that most of the vulnerabilities were introduced into programs because of mistaken assumptions by the programmer
• He classified flaws according to the assumption that led to their introduction into the software
Taxonomy of Software Program Flaws
• Aslam focused only on the UNIX operating system
• Aslam’s taxonomy is hierarchical, and the first level has three main categories:
  • Configuration flaws
  • Environment flaws
  • Coding flaws
• The dimension of classification for these three classes is the cause of the flaw
Taxonomy of Software Program Flaws
• Du and Mathur described each flaw with multiple attributes; they classify flaws along three axes:
  • Cause
  • Impact
  • Fix
• Landwehr’s original genesis class had two main subclasses: intentional and inadvertent flaws
• Du and Mathur ignore the intentional flaws; instead, they focused on the inadvertent flaws in the software
• Since the taxonomy provides details about the flaws, it could be effective in a security assessment process
Taxonomy of Software Program Flaws
• Kamara et al. successfully use Du and Mathur’s taxonomy for analyzing vulnerabilities in Internet firewalls
• They break down a firewall into its constituent components, and its operations and data flow
• They analyze some of the well-known firewall vulnerabilities, and map them to both Du and Mathur’s taxonomy and the specific operations and parts of the firewalls
• The result is a matrix that identifies which operations and parts of a firewall are likely to produce flaws
• This is very useful in future security assessments of other firewalls as well as in preventing the same kinds of flaws in new products
Taxonomy of Software Program Flaws
• Gray’s aim was to develop a taxonomy of vulnerabilities that would be useful to people in various positions in a software development organization
• Gray combined the work of Landwehr, Bishop, and Wang into an extended and multi-perspective taxonomy
Taxonomy of Software Program Flaws
• The taxonomy had ten classes of program flaws:
Taxonomy of Software Program Flaws
• Gray’s approach of combining all the perspectives within one taxonomy is not very efficient
• Gray does not offer any subclasses for any of these classes
• Such a single-level taxonomy does not provide adequate information about the flaws
• This ineffectiveness shows that taxonomies are most useful when they are developed for a particular application from a specific perspective