Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Minimal complexity attack classification intrusion detection system
Applied Soft Computing
| Hi-index | 0.00 |
Attack graphs have been used to show multiple attack paths in large scale networks. They have been proved to be useful utilities for network hardening and penetration testing. However, the basic concept of using graphs to represent attack paths has limitations. In this paper, we propose a new approach, the attack grammar, to model and analyze network attack sequences. Attack grammars are superior in the following areas: First, attack grammars express the interdependency of vulnerabilities better than attack graphs. They are especially suitable for the IDS alerts correlation. Second, the attack grammar can serve as a compact representation of attack graphs and can be converted to the latter easily. Third, the attack grammar is a context-free grammar. Its logical formality makes it better comprehended and more easily analyzed. Finally, the algorithmic complexity of our attack grammar approach is quartic with respect to the number of host clusters, and analyses based on the attack grammar have a run time linear to the length of the grammar, which is quadratic to the number of host clusters.