The Center for Education and Research in Information Assurance and Security (CERIAS)

Responding to the Unknown (Attacks)

Author

Yu-Sung "Hank" Wu, Bingrui Foo, Saurabh Bagchi

Entry type

misc

Abstract

Unknown security attacks, or zero-day attacks, exploit unknown or undisclosed vulnerabilities and can cause devastating damage. We approach the problem from an intrusion response system's point of view, which deploys responses to contain an ongoing attack. However, the escalation pattern, commonly represented as an attack graph, is not known a priori for a zero-day attack. Hence, current IRS can only provide ineffective or drastic responses. We present an IRS called ADEPTS that "conceptualizes" nodes in an attack graph, whereby they are generalized based on the object-oriented hierarchy for components and alerts. This is done based on our insight that high-level manifestations of unknown attacks bear similarity with those of previously seen attacks. Thus, ADEPTS can find similarities between attack graphs after they have been conceptualized to an appropriate level. Then ADEPTS performs Bayesian inference to determine which components have been affected and determines the optimal response combination. We evaluate ADEPTS by injecting real multi-stage attack scenarios, not present in its knowledge base, and compare the system survivability to our prior IRS.

Date

2009-01-01

Institution

Purdue University

Key alpha

wu

Publication Date

2009-01-01

Keywords

irs, intrusion detection, intrusion response, ADEPTS

Location

A hard-copy of this is in the Papers Cabinet

BibTeX-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTeX document. Note that the text may not contain all macros that BibTeX supports.