A Defense-Centric Taxonomy Based on Attack Manifestations

  • Authors:
  • Kevin S. Killourhy;Roy A. Maxion;Kymie M. C. Tan

  • Affiliations:
  • Carnegie Mellon University, Pittsburgh, Pennsylvania;Carnegie Mellon University, Pittsburgh, Pennsylvania;Carnegie Mellon University, Pittsburgh, Pennsylvania

  • Venue:
  • DSN '04 Proceedings of the 2004 International Conference on Dependable Systems and Networks
  • Year:
  • 2004

Abstract

Many classifications of attacks have been tendered, often in taxonomic form. A common basis of these taxonomies is that they have been framed from the perspective of an attacker - they organize attacks with respect to the attacker's goals, such as privilege elevation from user to root (from the well known Lincoln taxonomy). Taxonomies based on attacker goals are attack-centric; those based on defender goals are defense-centric. Defenders need a way of determining whether or not their detectors will detect a given attack. It is suggested that a defense-centric taxonomy would suit this role more effectively than an attack-centric taxonomy. This paper presents a new, defense-centric attack taxonomy, based on the way that attacks manifest as anomalies in monitored sensor data. Unique manifestations, drawn from 25 attacks, were used to organize the taxonomy, which was validated through exposure to an intrusion-detection system, confirming attack detectability. The taxonomy's predictive utility was compared against that of a well-known extant attack-centric taxonomy. The defense-centric taxonomy is shown to be a more effective predictor of a detector's ability to detect specific attacks, hence informing a defender that a given detector is competent against an entire class of attacks.