Abstract
A major concern in computer system security is the threat from malicious insiders who execute perfectly legitimate operations to compromise system security. Unfortunately, most currently available intrusion detection systems (which include anomaly and misuse detection systems) fail to address this problem in a comprehensive manner. In this work we propose a framework that uses an attack tree to identify malicious activities from authorized insiders. We develop algorithms to generate minimal forms of the attack tree customized for each user, so that the tree can be used efficiently to monitor that user's activities. If the user's activities progress sufficiently far up the branches of the attack tree towards the goal of system compromise, we generate an alarm. Our system is not intended to replace existing intrusion detection and prevention technology, but rather to complement current and future technology.
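The following is an added illustration of the monitoring idea sketched in the abstract; it is not the paper's code and does not reproduce the authors' minimization algorithm. It assumes a simple AND/OR attack tree whose leaves are legitimate operations, each tagged with the authorization it needs (all names, privileges and the sample tree are constructed); a user's "minimal" tree keeps only the subtrees that user could actually complete, and an alarm fires once the branch closest to completion passes a threshold.

```python
"""Per-user attack-tree monitor (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                  # "LEAF", "AND" or "OR"
    needs: Optional[str] = None         # privilege a LEAF operation requires (assumed model)
    children: List["Node"] = field(default_factory=list)


def build_tree() -> Node:
    """Constructed sample tree: the goal is to exfiltrate the customer database.
    Every leaf is an operation that some authorized user performs legitimately."""
    via_db = Node("dump via database access", "AND", children=[
        Node("query_customer_table", needs="db_read"),
        Node("export_table_to_csv", needs="db_read"),
        Node("copy_to_removable_media", needs="local_login"),
    ])
    via_backup = Node("take a backup copy", "AND", children=[
        Node("mount_backup_share", needs="backup_admin"),
        Node("copy_backup_file", needs="backup_admin"),
    ])
    return Node("exfiltrate customer database", "OR", children=[via_db, via_backup])


def count_leaves(node: Optional[Node]) -> int:
    if node is None:
        return 0
    if node.kind == "LEAF":
        return 1
    return sum(count_leaves(c) for c in node.children)


def prune_for_user(node: Node, privs: Set[str]) -> Optional[Node]:
    """Return the minimal tree for a user holding `privs`, or None if the user
    cannot complete this node at all (assumed notion of 'minimal form')."""
    if node.kind == "LEAF":
        return node if node.needs in privs else None
    kept = [c for c in (prune_for_user(c, privs) for c in node.children) if c]
    if node.kind == "AND" and len(kept) != len(node.children):
        return None   # one unreachable conjunct makes the whole AND unreachable
    if not kept:
        return None   # an OR with no reachable alternative is unreachable
    return Node(node.name, node.kind, None, kept)


def progress(node: Node, observed: Set[str]) -> float:
    """Fraction of the closest-to-complete branch already observed:
    AND averages its children, OR takes the best alternative."""
    if node.kind == "LEAF":
        return 1.0 if node.name in observed else 0.0
    scores = [progress(c, observed) for c in node.children]
    return max(scores) if node.kind == "OR" else sum(scores) / len(scores)


class InsiderMonitor:
    """Tracks one user's operations against that user's pruned tree."""

    def __init__(self, tree: Node, user_privs: Set[str], threshold: float = 0.75):
        self.tree = prune_for_user(tree, user_privs)
        self.threshold = threshold
        self.observed: Set[str] = set()

    def feed(self, operation: str) -> bool:
        """Record an observed operation; return True when an alarm should be raised."""
        if self.tree is None:          # user cannot reach the goal at all
            return False
        self.observed.add(operation)
        return progress(self.tree, self.observed) >= self.threshold


if __name__ == "__main__":
    tree = build_tree()
    monitor = InsiderMonitor(tree, {"db_read", "local_login"})
    print("full tree leaves:", count_leaves(tree),
          "| minimal tree leaves for this user:", count_leaves(monitor.tree))
    for op in ["query_customer_table", "read_email", "export_table_to_csv",
               "copy_to_removable_media"]:
        print(f"{op:28s} alarm={monitor.feed(op)}")
```

Operations outside the tree (such as `read_email` above) are recorded but never raise progress, and a user whose privileges cannot complete any branch gets an empty tree and is never alarmed on, which is what makes the per-user form cheaper to evaluate than the full tree.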
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Ray, I., Poolsapassit, N. (2005). Using Attack Trees to Identify Malicious Attacks from Authorized Insiders. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11555827_14
DOI: https://doi.org/10.1007/11555827_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28963-0
Online ISBN: 978-3-540-31981-8
eBook Packages: Computer Science (R0)