Employing attack graphs for intrusion detection

Capobianco, Frank; George, Rahul; Huang, Kaiming; Jaeger, Trent; Krishnamurthy, Srikanth V.; Qian, Zhiyun; Payer, Mathias; Yu, Paul

doi:10.1145/3368860.3368862

Cited by 15 publications

(8 citation statements)

References 47 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The latest static user-space solution also relies on postmortem detection. Capobianco et al [40] provided a solution for detecting TOCTOU vulnerabilities by calculating the attack graph of the vulnerable program and analyzing it to detect sequences of events that may end up exploiting the vulnerability. These attack graphs allow the user to find the attack surface used by the adversaries and how they effectively elevate privileges.…”

Section: Based On Static User-space Detectionmentioning

confidence: 99%

“…If the attacker is able to execute the attack from the kernel-space level, there is no real gain in exploiting the vulnerability. We give a more detailed discussion on this matter below in Section V-A.Regarding time of detection/exploitation, static proposals are exclusively defense approaches, and can be further divided into source code detection approaches, which analyze the source code of the vulnerable program[31,6,32], and post-mortem detection approaches, which detect the TOC-TOU vulnerability after the exploitation attempt has already occurred[33,34,35,36,37,38,39,40]. Unlike post-mortem detection approaches, source code detection approaches find the TOCTOU vulnerability before it is exploited, which is often preferable in certain systems as critical infrastructures or systems with highly sensitive information.Dynamic proposals are more diverse, based on a multitude of runtime analysis techniques.…”

mentioning

confidence: 99%

See 1 more Smart Citation

Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review

2022

View full text Add to dashboard Cite

File-based Time-of-Check to Time-of-Use (TOCTOU) race conditions are a well-known type of security vulnerability. A wide variety of techniques have been proposed to detect, mitigate, avoid, and exploit these vulnerabilities over the past 35 years. However, despite these research efforts, TOCTOU vulnerabilities remain unsolved due to their non-deterministic nature and the particularities of the different filesystems involved in running vulnerable programs, especially in Unix-like operating system environments. In this paper, we present a systematic literature review on defense and attack techniques related to the file-based TOCTOU vulnerability. We apply a reproducible methodology to search, filter, and analyze the most relevant research proposals to define a global and understandable vision of existing solutions. The results of this analysis are finally used to discuss future research directions that can be explored to move towards a universal solution to this type of vulnerability. INDEX TERMS file-based race condition, TOCTOU vulnerability, avoidance techniques

show abstract

Section: Based On Static User-space Detectionmentioning

confidence: 99%

mentioning

confidence: 99%

Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review

2022

View full text Add to dashboard Cite

show abstract

“…Besides, [4], [21] present methods to harden computer networks using attack graphs. Attack graphs are also applied to intrusion detection systems [11], [34].…”

Section: Related Workmentioning

confidence: 99%

Iota: A Framework for Analyzing System-Level Security of IoTs

Zheng¹,

Hao²,

Gu³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Most IoT systems involve IoT devices, communication protocols, remote cloud, IoT applications, mobile apps, and the physical environment. However, existing IoT security analyses only focus on a subset of all the essential components, such as device firmware, and ignore IoT systems' interactive nature, resulting in limited attack detection capabilities. In this work, we propose IOTA, a logic programming-based framework to perform system-level security analysis for IoT systems. IOTA generates attack graphs for IoT systems, showing all of the system resources that can be compromised and enumerating potential attack traces. In building IOTA, we design novel techniques to scan IoT systems for individual vulnerabilities and further create generic exploit models for IoT vulnerabilities. We also identify and model physical dependencies between different devices as they are unique to IoT systems and are employed by adversaries to launch complicated attacks. In addition, we utilize NLP techniques to extract IoT app semantics based on app descriptions. To evaluate vulnerabilities' system-wide impact, we propose two metrics based on the attack graph, which provide guidance on fortifying IoT systems. Evaluation on 127 IoT CVEs (Common Vulnerabilities and Exposures) shows that IOTA's exploit modeling module achieves over 80% accuracy in predicting vulnerabilities' preconditions and effects. We apply IOTA to 37 synthetic smart home IoT systems based on realworld IoT apps and devices. Experimental results show that our framework is effective and highly efficient. Among 27 shortest attack traces revealed by the attack graphs, 62.8% are not anticipated by the system administrator. It only takes 1.2 seconds to generate and analyze the attack graph for an IoT system consisting of 50 devices.

show abstract

“…Their method keeps only statistical and spectral features of a given connectivity graph to detect traffic anomalies. In [21] are used attack graphs to analyze the state evolution of multi-layered attacks in a vulnerable system. We mention that the vertices in these graphs are the attack states and actions, since they serve to modeling of the causality of vulnerability exploitation.…”

Section: A Related Workmentioning

confidence: 99%

Unsupervised Abnormal Traffic Detection through Topological Flow Analysis

Irofti¹,

Pătraşcu²,

Hîji³

2022

Preprint

View full text Add to dashboard Cite

Cyberthreats are a permanent concern in our modern technological world. In the recent years, sophisticated traffic analysis techniques and anomaly detection (AD) algorithms have been employed to face the more and more subversive adversarial attacks. A malicious intrusion, defined as an invasive action intending to illegally exploit private resources, manifests through unusual data traffic and/or abnormal connectivity pattern. Despite the plethora of statistical or signaturebased detectors currently provided in the literature, the topological connectivity component of a malicious flow is less exploited. Furthermore, a great proportion of the existing statistical intrusion detectors are based on supervised learning, that relies on labeled data. By viewing network flows as weighted directed interactions between a pair of nodes, in this paper we present a simple method that facilitate the use of connectivity graph features in unsupervised anomaly detection algorithms. We test our methodology on real network traffic datasets and observe several improvements over standard AD.

show abstract

Employing attack graphs for intrusion detection

Cited by 15 publications

References 47 publications

Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review

Defense and Attack Techniques Against File-Based TOCTOU Vulnerabilities: A Systematic Review

Iota: A Framework for Analyzing System-Level Security of IoTs

Unsupervised Abnormal Traffic Detection through Topological Flow Analysis

Contact Info

Product

Resources

About