Cyber Attack
5 authors, including: Chase Qishi Wu (New Jersey Institute of Technology)
All content following this page was uploaded by S. Shiva on 27 October 2014.
Abstract—Cyber attacks have greatly increased over the years, and attackers have progressively improved at devising attacks towards a specific target. To aid in identifying and defending against cyber attacks we propose a cyber attack taxonomy called AVOIDIT (Attack Vector, Operational Impact, Defense, Information Impact, and Target). We use five major classifiers to characterize the nature of an attack: classification by attack vector, classification by attack target, classification by operational impact, classification by informational impact, and classification by defense. Our fifth category, classification by defense, provides the network administrator with information on how to mitigate or remediate an attack. Unlike existing taxonomies, our taxonomy efficiently classifies blended attacks. Our taxonomy is applied using an application approach with pabulum to educate the defender on possible cyber attacks.

Keywords - taxonomy; cyber attack taxonomy; vulnerability; computer security; cyberspace

I. INTRODUCTION

Cyber attacks have created a global threat, both in defending local and global networks. Attacks are becoming more sophisticated and possess the ability to spread in a matter of seconds. It is essential to provide the tools necessary for detecting, classifying, and defending against various types of attacks. A variety of taxonomies aim at classifying vulnerabilities or attacks, but to date they have limitations in providing a defense strategy that can be used in a local application setting. This can be due to the enormous number of possible defense strategies. We believe that coupling a defense mechanism with an attack taxonomy would enable a network administrator to understand not only the vulnerability, but also the strategy needed to mitigate and/or remediate the potential exploitation. Limitations exist in providing defense strategies within an attack taxonomy. This presents an invaluable research area focused on the information a network administrator can apply when attempting to defend the network against cyber attacks. We propose a solution that addresses the shortcomings of existing taxonomies.

There is no adequate standard for disseminating vulnerability information, which makes it difficult to analyze multiple vulnerabilities for potential defense. Landwehr et al. [1] state that a taxonomy is most useful when it classifies threats in a scope that corresponds to potential defenses. This taxonomy differs from previous taxonomies, as it aids a defender not only in identifying attacks, but also in identifying defense measures to mitigate and remediate attack vulnerabilities. One approach to gaining insight into an attacker's target is to consider the attack paths, or combinations of exploits [2]. AVOIDIT intends to provide a defender with vulnerability details on what encompasses an attack and any impact the attack may have on a targeted system. A blended attack exploits one or more vulnerabilities to perform an attack against a target [3]. AVOIDIT is able to classify blended attacks by providing the ability to label the various vulnerabilities of an attack in a tree-like structure.

People question the impact a cyber attack has once its target is compromised. AVOIDIT provides useful information to the network administrator. We provide a means to classify vulnerabilities that lead to cyber attacks, together with methods to mitigate and remediate those vulnerabilities, to help alleviate the impact of a successful exploitation. Avoiding the attack could simply require defending against propagation or further damage once an attack is identified. In order to better grasp this scenario, we provide several representative examples of attacks and show how our proposed taxonomy successfully classifies well-known attacks with defensive strategies.

Our paper is organized as follows: In Section 2 we survey previous attack taxonomies. In Section 3, we highlight requirements for a taxonomy and propose AVOIDIT, a cyber attack taxonomy. In Section 4, we use well-known attacks to compare previous taxonomies with AVOIDIT and show how our taxonomy is able to classify a vast majority of attacks. In Section 5, we show how AVOIDIT can be applied as an organizational element within a network setting. In Section 6, we present limitations along with areas for continued research, and in Section 7 we conclude this paper.

II. A BRIEF SURVEY OF ATTACK TAXONOMIES

Kjaerland [4] proposed a taxonomy of cyber-intrusions from Computer Emergency Response Team (CERT) data related to computer crime profiling, highlighting cyber-criminals and victims. In this research, attacks were analyzed using facet theory and multidimensional scaling (MDS) with the facets Method of Operation, Target, Source, and Impact. Each facet contains a number of elements with an exhaustive description. Kjaerland uses these facets to compare commercial versus government incidents. Kjaerland's taxonomy focuses on the motive of the attacker in an attempt to quantify why the attack takes place and where the attack originated. Her taxonomy contains some limitations, as she provides a high-level view of the methods of operation without providing more details on the methods that can be used in identifying attack inception.

Hansman and Hunt [6] proposed a taxonomy with four unique dimensions that provide a holistic classification covering network and computer attacks. Their taxonomy provides assistance in improving computer and network security as well as consistency in the language of attack description. The first dimension, the attack vector, is used to classify the attack. The second dimension classifies the target of the attack. The third dimension consists of the vulnerability classification number, or criteria from Howard's taxonomy [9]. The fourth and final dimension highlights the payload or effects involved. Within each dimension, various levels of information are provided to supply attack details. Hansman et al. mentioned the need for future work to improve the classification of blended attacks, which is a limitation of their taxonomy. Another limitation is the lack of vulnerability information, which prevents capturing information that would aid in protecting a system from attacks.

Mirkovic and Reiher [10] offer a comprehensive taxonomy of Distributed Denial of Service (DDoS) attack and defense mechanisms, with the aim of classifying attacks and defense strategies. This research highlights features of attack strategies, where the strategies are imperative in devising countermeasures. Mirkovic and Reiher's taxonomy of DDoS attacks is categorized by Degree of Automation, Exploited Weakness, Source Address Validity, Attack Rate Dynamics, Possibility of Characterization, Persistent Agent Set, Victim Type, and Impact on Victim. These categories are used to examine the exploitation, the victim impact, and the characteristics of exploiting a DDoS attack. In addition to classifying DDoS attacks, Mirkovic and Reiher developed a taxonomy of DDoS defenses consisting of Activity Level, Cooperation Degree, and Deployment Location. Classifying both DDoS attacks and defenses within one taxonomy supports the communication of threats and fosters cooperation between researchers in discussing solutions.

Lough [8] proposed an attack-centric taxonomy called VERDICT (Validation Exposure Randomness Deallocation Improper Conditions Taxonomy). Lough focuses on four major causes of security errors: Improper Validation, Improper Exposure, Improper Randomness, and Improper Deallocation. He labels these four characteristics with the prefix "Improper", with attacks being thought of as improper conditions. Validation refers to improperly validating or unconstrained data, which also includes physical security. Exposure involves the improper exposure of information that could be used directly or indirectly for the exploitation of a vulnerability. Randomness deals with the fundamentals of cryptography and the improper usage of randomness. Deallocation is the improper destruction of information, or residuals of data, which also includes dumpster diving. He uses one or more of these characteristics to describe a vulnerability within a system. Hansman and Hunt [6] describe Lough's taxonomy as lacking pertinent information that would be beneficial for knowledge bodies, such as CERT, in classifying day-to-day attacks and issuing advisories. Lough's taxonomy lacks a classification of the type of attack, such as worms, Trojans, viruses, etc.

Howard [9] provides an incident taxonomy that classifies attacks by events, where an event is an attack directed at a specific target and intended to result in a changed state. The event involves the action and the target. He highlights all steps that encompass an attack and how an attack develops. The attack consists of five logical steps an attacker performs to achieve an unauthorized result. Those steps are: tools, vulnerability, action, target, and unauthorized result. The tool refers to the mechanism used to perform the attack; the vulnerability is the type of exploit used to perform the attack. The action refers to the method used by the attacker to perform the attack (i.e. Probe, Scan, Authenticate, etc.). The target is what the attack is attempting to compromise, and the unauthorized result is the changed state caused by the attack. Although Howard presents a useful taxonomy that provides an informative baseline for cyber intrusions, it lacks the details needed for thorough insight into the attack.

III. OUR PROPOSED TAXONOMY: AVOIDIT

A taxonomy defines what data is to be recorded and how like and unlike samplings are to be distinguished [1]. In developing a successful taxonomy, there are requirements that should be observed for universal acceptance. In this paper we analyze previous taxonomies and highlight valuable aspects that are needed to create a complete, useful taxonomy [8,9]. These requirements include the following:

Accepted – builds on previous work that is well accepted.

Mutually exclusive – each attack can only be classified into one category, which prevents overlapping.

Comprehensible – clear and concise information; able to be understood by experts and those less familiar.

Complete/exhaustive – the available categories are exhaustive within each classification, so the classification is assumed to be complete.

Unambiguous – involves clearly defined classes, with no doubt about which class an attack belongs to.

Repeatable – the classification of an attack should be repeatable.

Terms well defined – categories should be well defined, and those terms should consist of established terminology that is compliant within the security community.

Useful – the ability to be used and to gain insight into a particular field of study, particularly for those having great interest within the field of study.

Applying these requirements for a complete taxonomy, we propose AVOIDIT. AVOIDIT provides, through application, a knowledge repository used by a defender to classify vulnerabilities that an attacker can use. Fig. 1 provides an overview of our proposed taxonomy, which provides details to support comprehending each attack classification and how a variety of attacks are represented in each category.
Fig. 1. Overview of the AVOIDIT taxonomy (tree diagram not reproduced in this extract). Node labels recoverable from the figure: Misconfiguration, Kernel Flaws, Design Flaws, Buffer Overflow (Stack, Heap), Insufficient Input Validation, Symbolic Link, File Descriptor Attack, Race Condition, Incorrect Permission, User Installed Malware; Distort, Disrupt, Destruct, Disclosure, Discovery.
o Patch System - Applying patches the vendor has released due to some vulnerability within software in use. When a vulnerability or attack is present, in various cases a defender fails to utilize the patches a vendor provides.

o Correct Code - Steps within an organization to release a code patch to a specific application that will close the potential for an attacker to exploit.

D. Classification by Informational Impact

An attack on a targeted system has the potential to impact sensitive information in various ways. A committed resource must be able to defend against information warfare strategies in an effort to protect itself against theft, disruption, distortion, denial of service, or destruction of sensitive information assets [12]. In this section we classify an attack's impact, or its effect on information, and define the criteria used.

Local - An attack targeting a user's local computer.

User - An attack against a user is an attack to retrieve a user's personal information.

Application – An attack towards specific software. An application can be either client or server. A client application is software that is available to aid a user in performing common tasks. A server application is software designed to serve as a host to multiple concurrent users.

IV. TAXONOMY COMPARISON

In this section we use the previous taxonomies described in Section 2 to compare AVOIDIT with past computer attacks and vulnerabilities. This section will highlight how our cyber attack taxonomy successfully captures vulnerability and attack information and provides a defender with countermeasures that can be efficient in preventing or assuaging successful attacks.
Comparison tables (reconstructed from the extraction; rows and cells that were not recovered are noted as such)

Slammer (residual row from a preceding table: "X X"; column headings not recovered)

HOWARD
Name | Tools | Vulnerability | Action | Target | Unauthorized Result
(Slammer row not recovered)

HANSMAN
Name | 1st Dimension | 2nd Dimension | 3rd Dimension | 4th Dimension
Slammer | Network-Aware Worm | MS SQL Server 2000 | CAN-2002-0649 | Stack Buffer Overflow & UDP packet flooding DoS

AVOIDIT
Name | Attack Vector | Operational Impact | Informational Impact | Defense | Target
(Slammer row not recovered)

MS RPC Stack Overflow (residual row from a preceding table: "X X"; column headings not recovered)

HOWARD
Name | Tools | Vulnerability | Action | Target | Unauthorized Result
MS RPC Stack Overflow | Script | Design | Modify | Process | Increased Access

HANSMAN
Name | 1st Dimension | 2nd Dimension | 3rd Dimension | 4th Dimension
(MS RPC Stack Overflow row not recovered)

AVOIDIT
Name | Attack Vector | Operational Impact | Informational Impact | Defense | Target
(MS RPC Stack Overflow row not recovered)
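The following is an added worked example, not code from the paper or its authors, showing how the five AVOIDIT classifiers from Section III and the tree-like labelling of blended attacks could be represented in code, and how two of the listed taxonomy requirements ("mutually exclusive" and "terms well defined") can be checked mechanically. The class vocabularies use only labels visible in this extract (the Fig. 1 node labels and the defense and target classes in Section III); operational-impact values are not visible here, so that classifier is left as free text. The AVOIDIT labels assigned to Slammer are assumptions made for illustration (its attack vector and target follow the Hansman row above; the paper's own AVOIDIT row was not recovered), and the multi-node blended attack is a constructed, generic one.

```python
"""Added example (not the paper's code): a minimal model of the AVOIDIT
classifiers that labels a blended attack as a tree of vulnerabilities and
checks two of the taxonomy requirements listed in Section III."""
from dataclasses import dataclass, field
from typing import List, Optional

# Class vocabularies restricted to labels visible in this extract. The sets are
# therefore partial; a full deployment would carry the complete Fig. 1 tree.
AVOIDIT_CLASSES = {
    "attack_vector": {
        "Misconfiguration", "Kernel Flaws", "Design Flaws",
        "Stack Buffer Overflow", "Heap Buffer Overflow",
        "Insufficient Input Validation", "Symbolic Link",
        "File Descriptor Attack", "Race Condition",
        "Incorrect Permission", "User Installed Malware",
    },
    "informational_impact": {"Distort", "Disrupt", "Destruct", "Disclosure", "Discovery"},
    "defense": {"Patch System", "Correct Code"},
    "target": {"Local", "User", "Application"},
}


@dataclass
class Vulnerability:
    """One node of the tree-like structure: a single vulnerability and its labels.
    children holds the further vulnerabilities a blended attack chains after it."""
    name: str
    attack_vector: str
    informational_impact: str
    defense: str
    target: str
    operational_impact: Optional[str] = None  # values not visible in the extract: free text
    children: List["Vulnerability"] = field(default_factory=list)


def classes_are_mutually_exclusive(classes=AVOIDIT_CLASSES) -> bool:
    """'Mutually exclusive': a label may belong to exactly one classifier."""
    owner = {}
    for category, labels in classes.items():
        for label in labels:
            if owner.setdefault(label, category) != category:
                return False
    return True


def validate(node: Vulnerability, classes=AVOIDIT_CLASSES) -> List[str]:
    """'Terms well defined' / 'unambiguous': every label used in the tree must be
    a defined class. Returns the list of problems (empty means the tree is valid)."""
    problems = []
    for category in ("attack_vector", "informational_impact", "defense", "target"):
        label = getattr(node, category)
        if label not in classes[category]:
            problems.append(f"{node.name}: {category} {label!r} is not a defined class")
    for child in node.children:
        problems.extend(validate(child, classes))
    return problems


def flatten(node: Vulnerability, depth: int = 0):
    """Depth-first rows (depth, name, vector, informational impact, defense, target)
    of a blended attack, i.e. the tree rendered as table rows."""
    rows = [(depth, node.name, node.attack_vector, node.informational_impact,
             node.defense, node.target)]
    for child in node.children:
        rows.extend(flatten(child, depth + 1))
    return rows


def slammer() -> Vulnerability:
    """Slammer as a single AVOIDIT node. Vector and target follow the Hansman row
    (stack buffer overflow in MS SQL Server 2000, a server application); the
    informational-impact and defense labels are assumptions for illustration."""
    return Vulnerability(
        name="Slammer (CAN-2002-0649)",
        attack_vector="Stack Buffer Overflow",
        informational_impact="Disrupt",               # assumed
        defense="Patch System",                        # assumed
        target="Application",
        operational_impact="UDP packet flooding DoS",  # wording from the Hansman row
    )


def constructed_blended_attack() -> Vulnerability:
    """Constructed, generic blended attack: one misconfiguration that leads to two
    further vulnerabilities, labelled as a tree as the paper describes."""
    return Vulnerability(
        "misconfigured service", "Misconfiguration", "Discovery", "Correct Code", "Application",
        children=[
            Vulnerability("overly permissive file", "Incorrect Permission",
                          "Distort", "Correct Code", "Local"),
            Vulnerability("unwanted program on host", "User Installed Malware",
                          "Disclosure", "Patch System", "User"),
        ],
    )


def mislabelled_example() -> List[str]:
    """Using Hansman's payload wording as an AVOIDIT attack vector breaks the
    defined-terms requirement; validate() reports exactly that problem."""
    bad = Vulnerability("Slammer", "UDP packet flooding", "Disrupt", "Patch System", "Application")
    return validate(bad)


if __name__ == "__main__":
    print("mutually exclusive:", classes_are_mutually_exclusive())
    for row in flatten(constructed_blended_attack()):
        print("  " * row[0] + " | ".join(row[1:]))
    print(mislabelled_example())
```

The validator is where the practical value lies: Hansman's fourth dimension mixes the exploited weakness and the resulting effect ("Stack Buffer Overflow & UDP packet flooding DoS"), whereas AVOIDIT separates them into attack vector and impact, so a record that carries the effect wording in the vector field is rejected rather than silently stored.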
ACKNOWLEDGMENT
This work is supported by the Office of Naval Research
(ONR) under grant N00014-09-1-0752.
REFERENCES
[1] C. E. Landwehr, A. R. Bull, J. P. McDermott, W. S. Choi, "A Taxonomy of Computer Program Security Flaws, with Examples," ACM Computing Surveys, 26(3), Sept. 1994.
[2] S. Noel, S. Jajodia, B. O'Berry, M. Jacobs, "Efficient Minimum-Cost Network Hardening via Exploit Dependency Graphs," in Proceedings of the 19th Annual Computer Security Applications Conference, Las Vegas, Nevada, December 2003.
[3] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver, "Inside the Slammer Worm," IEEE Security and Privacy, vol. 1, 2003.
[4] M. Kjaerland, "A taxonomy and comparison of computer security incidents from the commercial and government sectors," Computers and Security, 25:522–538, October 2005.
[5] K. Scarfone, M. Souppaya, et al., "Technical Guide to Information Security Testing and Assessment," NIST, Sept. 2008. http://web.nvd.nist.gov/view/vuln/detail?execution=e7s1
[6] S. Hansman, R. Hunt, "A taxonomy of network and computer attacks," Computers and Security, 2005.
[7] "Attack Vector," retrieved June 19, 2009. http://searchsecurity.techtarget.com/dictionary/definition/1005812/attack-vector.html