Using Attack Trees to Identify Malicious Attacks from Authorized Insiders

  • Indrajit Ray
  • Nayot Poolsapassit
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


A major concern for computer systems security is the threat from malicious insiders who execute perfectly legitimate operations to compromise system security. Unfortunately, most currently available intrusion detection systems (both anomaly and misuse detection systems) fail to address this problem in a comprehensive manner. In this work we propose a framework that uses an attack tree to identify malicious activities by authorized insiders. We develop algorithms to generate a minimal form of the attack tree customized for each user, so that it can be used efficiently to monitor that user’s activities. If the user’s activities progress sufficiently far up the branches of the attack tree towards the goal of system compromise, we raise an alarm. Our system is not intended to replace existing intrusion detection and prevention technology, but rather to complement current and future technology.
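The following Python program is an added illustration of the monitoring idea the abstract describes; it is not the paper’s algorithm or code. The attack tree, the per-role authorization sets, the audit event stream, the progress-scoring rule (AND averages its children, OR takes its best child) and the alarm threshold are all constructed assumptions chosen for this example. Leaves are individually legitimate operations; the tree is first pruned to the sub-goals a given user can actually reach, and the user’s events are then replayed against that pruned tree.

```python
# Added illustration (not the paper's algorithm): an attack tree whose leaves are
# legitimate operations, pruned to what one user is authorized to do, then scored
# against that user's event stream. The tree, the authorization sets, the event
# stream, the scoring rule and the alarm threshold are all constructed assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Node:
    name: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)


def AND(name, *children):
    return Node(name, "AND", list(children))


def OR(name, *children):
    return Node(name, "OR", list(children))


def LEAF(name):
    return Node(name)


# Constructed attack tree: every leaf is an operation some role may legitimately run.
GOAL = AND(
    "exfiltrate customer database",
    OR("obtain database credentials",
       LEAF("read_db_config"),
       LEAF("dump_credential_store")),
    AND("remove the data",
        LEAF("bulk_export"),
        LEAF("copy_to_usb")),
)

# Constructed per-role authorization sets (operations each user may perform).
DBA_ALLOWED = {"read_db_config", "bulk_export", "copy_to_usb", "login", "send_email"}
HELPDESK_ALLOWED = {"read_db_config", "login", "send_email"}


def prune(node: Node, allowed: Set[str]) -> Optional[Node]:
    """Copy of the subtree reachable by a user limited to `allowed`, or None.

    An AND node survives only if every child survives; an OR node survives if
    at least one child does. The result is the per-user minimal tree."""
    if node.op == "LEAF":
        return node if node.name in allowed else None
    kept = [c for c in (prune(ch, allowed) for ch in node.children) if c is not None]
    if node.op == "AND" and len(kept) != len(node.children):
        return None
    if not kept:
        return None
    return Node(node.name, node.op, kept)


def leaves(node: Node) -> List[str]:
    """Leaf operation names of a (possibly pruned) tree, left to right."""
    if node.op == "LEAF":
        return [node.name]
    return [leaf for ch in node.children for leaf in leaves(ch)]


def progress(node: Node, observed: Set[str]) -> float:
    """Assumed scoring rule: fraction of the way to `node` given observed leaves.
    AND averages its children, OR takes the best child."""
    if node.op == "LEAF":
        return 1.0 if node.name in observed else 0.0
    scores = [progress(ch, observed) for ch in node.children]
    return sum(scores) / len(scores) if node.op == "AND" else max(scores)


def first_alarm(tree: Node, allowed: Set[str], events: List[str],
                threshold: float) -> Optional[Tuple[int, str, float]]:
    """Replay a user's events against their pruned tree; return (index, event,
    progress) at the first event that pushes progress to `threshold`, or None."""
    pruned = prune(tree, allowed)
    if pruned is None:           # user cannot reach the goal: nothing to monitor
        return None
    observed: Set[str] = set()
    for i, ev in enumerate(events):
        observed.add(ev)         # unrelated operations simply never match a leaf
        p = progress(pruned, observed)
        if p >= threshold:
            return (i, ev, p)
    return None


# Constructed audit stream for one session; every operation is individually legitimate.
EVENTS = ["login", "read_db_config", "send_email", "bulk_export", "copy_to_usb"]

if __name__ == "__main__":
    print(leaves(prune(GOAL, DBA_ALLOWED)))                  # ['read_db_config', 'bulk_export', 'copy_to_usb']
    print(first_alarm(GOAL, DBA_ALLOWED, EVENTS, 0.75))      # (3, 'bulk_export', 0.75)
    print(first_alarm(GOAL, HELPDESK_ALLOWED, EVENTS, 0.75)) # None
```

With the threshold at 0.75 the DBA session alarms on `bulk_export`, one step before the data actually leaves on removable media, while `login` and `send_email` never affect the score because they match no leaf. The helpdesk user prunes to an empty tree (the `remove the data` AND branch is unreachable), so no monitoring cost is spent on that goal for that account. Two caveats on this illustration: pruning per user assumes a single insider, so two colluding accounts that each prune to `None` would not be caught; and the averaging rule is only one of many possible ways to rank partial progress.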





Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Indrajit Ray, Colorado State University, Fort Collins, USA
  • Nayot Poolsapassit, Colorado State University, Fort Collins, USA
