
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/229020163

AVOIDIT: A Cyber Attack Taxonomy

Article · January 2009

5 authors, including: S. Shiva (The University of Memphis), Dipankar Dasgupta (The University of Memphis), Chase Qishi Wu (New Jersey Institute of Technology)

All content following this page was uploaded by S. Shiva on 27 October 2014.


AVOIDIT: A Cyber Attack Taxonomy

Chris Simmons, Charles Ellis, Sajjan Shiva, Dipankar Dasgupta, Qishi Wu


Department of Computer Science
University of Memphis
Memphis, TN, USA
{cbsmmons, ceellis, sshiva, ddasgupta, qishiwu}@memphis.edu

Abstract—Cyber attacks have greatly increased over the years, and attackers have progressively improved in devising attacks towards a specific target. To aid in identifying and defending against cyber attacks we propose a cyber attack taxonomy called AVOIDIT (Attack Vector, Operational Impact, Defense, Information Impact, and Target). We use five major classifiers to characterize the nature of an attack: classification by attack vector, classification by attack target, classification by operational impact, classification by informational impact, and classification by defense. Our fifth category, classification by defense, is used to provide the network administrator with information on how to mitigate or remediate an attack. Contrary to the existing taxonomies, our taxonomy efficiently classifies blended attacks. Our taxonomy is applied using an application approach with pabulum to educate the defender on possible cyber attacks.

Keywords - taxonomy; cyber attack taxonomy; vulnerability; computer security; cyberspace

I. INTRODUCTION

Cyber attacks have created a global threat, both in defending local and global networks. Attacks are becoming more sophisticated and possess the ability to spread in a matter of seconds. It is essential to provide the tools necessary for detecting, classifying, and defending against various types of attacks. A variety of taxonomies aim at classifying vulnerabilities or attacks, but to date they have limitations in providing a defense strategy that can be used in a local application setting. This can be due to the enormous number of possible defense strategies. We believe that coupling a defense mechanism with an attack taxonomy would enable a network administrator to not only understand the vulnerability, but also the strategy needed to mitigate and/or remediate the potential exploitation. Limitations exist toward providing defense strategies within an attack taxonomy. This presents an invaluable research area focused on the information a network administrator can apply when attempting to defend the network against cyber attacks. We propose a solution that addresses the shortcomings of existing taxonomies.

There is a deficient standard for disseminating vulnerability information, making it difficult to analyze multiple vulnerabilities for potential defense. Landwehr et al. [1] state that a taxonomy is most useful when it classifies threats in a scope that corresponds to potential defenses. This taxonomy differs from previous taxonomies, as it aids a defender to not only identify attacks, but also defense measures to mitigate and remediate attack vulnerabilities. One approach to gaining insight into an attacker's target is to consider the attack paths, or combination of exploits [2]. AVOIDIT intends to provide a defender with vulnerability details on what encompasses an attack and any impact the attack may have on a targeted system. A blended attack exploits one or more vulnerabilities to perform an attack against a target [3]. AVOIDIT is able to classify blended attacks by providing the ability to label the various vulnerabilities of an attack in a tree-like structure.

People question the impact a cyber attack has once its target is compromised. AVOIDIT provides useful information to the network administrator. We provide a means to classify vulnerabilities that lead to cyber attacks, with methods to mitigate and remediate vulnerabilities to help alleviate the impact of a successful exploitation. Avoiding the attack could simply require defending against propagation or further damage once an attack is identified. In order to better grasp this scenario, we provide several representative examples of attacks and show how our proposed taxonomy successfully classifies well known attacks with defensive strategies.

Our paper is organized as follows: In Section 2 we survey previous attack taxonomies. In Section 3, we highlight requirements for a taxonomy and propose AVOIDIT, a cyber attack taxonomy. In Section 4, we use well known attacks to compare previous taxonomies with AVOIDIT and show how our taxonomy is able to classify a vast majority of attacks. In Section 5, we show how AVOIDIT can be applied as an organizational element within a network setting. In Section 6, we present limitations along with areas for continued research, and in Section 7 we conclude this paper.

II. A BRIEF SURVEY OF ATTACK TAXONOMIES

Kjaerland [4] proposed a taxonomy of cyber-intrusions from the Computer Emergency Response Team (CERT) related to computer crime profiling, highlighting cyber-criminals and victims. In this research, attacks were analyzed using facet theory and multidimensional scaling (MDS) with the facets Method of Operation, Target, Source, and Impact. Each facet contains a number of elements with an exhaustive description. Kjaerland uses these facets to compare commercial versus government incidents. Kjaerland's taxonomy focuses on the motive of the attacker in an attempt to quantify why the attack takes place, and where the attack originated. Her taxonomy contains some limitations, as she provides a high level view of the methods of
operation without providing more details on the methods that can be used in identifying attack inception.

Hansman and Hunt [6] proposed a taxonomy with four unique dimensions that provide a holistic classification covering network and computer attacks. Their taxonomy provides assistance in improving computer and network security as well as consistency in the language of attack description. The first dimension, attack vector, is used to classify the attack. The second dimension classifies the target of the attack. The third dimension consists of the vulnerability classification number, or criteria from Howard's taxonomy [9]. The fourth and final dimension highlights the payload or effects involved. Within each dimension various levels of information are provided to supply attack details. Hansman et al. mention the need for future work to improve the classification of blended attacks, which is a limitation within their taxonomy. Another limitation is the lack of vulnerability information, which prohibits capturing information to aid in protecting a system from attacks.

Mirkovic and Reiher [10] offer a comprehensive taxonomy of Distributed Denial of Service (DDoS) attack and defense mechanisms, aiming to classify attacks and defense strategies. This research highlights features of attack strategies, where the strategies are imperative in devising countermeasures. Mirkovic and Reiher's taxonomy of DDoS attacks is categorized by Degree of Automation, Exploited Weakness, Source Address Validity, Attack Rate Dynamics, Possibility of Characterization, Persistent Agent Set, Victim Type, and Impact on Victim. These categories are used to examine the exploitation, the victim impact, and the characteristics of exploiting a DDoS attack. In addition to classifying DDoS attacks, Mirkovic and Reiher developed a taxonomy of DDoS defenses consisting of Activity Level, Cooperation Degree, and Deployment Location. The combination of classifying DDoS attacks and defenses within a taxonomy provides communication of threats to foster cooperation between researchers in discussing solutions.

Lough [8] proposed an attack-centric taxonomy called VERDICT (Validation Exposure Randomness Deallocation Improper Conditions Taxonomy). Lough focuses on four major causes of security errors: Improper Validation, Improper Exposure, Improper Randomness, and Improper Deallocation. He labels these four characteristics with the prefix "Improper", with attacks being thought of as improper conditions. Validation refers to improperly validated or unconstrained data, which also includes physical security. Exposure involves the improper exposure of information that could be used directly or indirectly for the exploitation of a vulnerability. Randomness deals with the fundamentals of cryptography and the improper usage of randomness. Deallocation is the improper destruction of information, or residuals of data, which also includes dumpster diving. He uses one or more of these characteristics to describe a vulnerability within a system. Hansman and Hunt [6] describe Lough's taxonomy as lacking pertinent information that would be beneficial for knowledge bodies, such as CERT, in classifying day-to-day attacks and issuing advisories. Lough's taxonomy lacks classification of the type of attack, such as worms, Trojans, viruses, etc.

Howard [9] provides an incident taxonomy that classifies attacks by events, where an event is an attack directed at a specific target intended to result in a changed state. The event involves the action and the target. He highlights all steps that encompass an attack and how an attack develops. The attack consists of five logical steps an attacker performs to achieve an unauthorized result. Those steps are: tools, vulnerability, action, target, and unauthorized result. The tool refers to the mechanism used to perform the attack; the vulnerability is the type of exploit used to perform the attack. The action refers to the method used by the attacker to perform the attack (i.e. Probe, Scan, Authenticate, etc.). The target is what the attack is attempting to compromise, and the unauthorized result is the changed state caused by the attack. Although Howard presents a useful taxonomy that provides an informative baseline for cyber intrusions, he lacks the details needed for thorough insight into the attack.

III. OUR PROPOSED TAXONOMY: AVOIDIT

A taxonomy defines what data is to be recorded and how like and unlike samplings are to be distinguished [1]. In developing a successful taxonomy, there are requirements that should be observed for universal acceptance. In this paper we analyze previous taxonomies and highlight valuable aspects that are needed to create a complete, useful taxonomy [8,9]. These requirements include the following:

• Accepted – builds on previous work that is well accepted.
• Mutually exclusive – each attack can only be classified into one category, which prevents overlapping.
• Comprehensible – clear and concise information; able to be understood by experts and those less familiar.
• Complete/exhaustive – available categories are exhaustive within each classification, so it is assumed to be complete.
• Unambiguous – involves clearly defined classes, with no doubt of which class an attack belongs to.
• Repeatable – the classification of an attack should be repeatable.
• Terms well defined – categories should be well defined, and those terms should consist of established terminology that is compliant within the security community.
• Useful – the ability to be used and gain insight into a particular field of study, particularly by those having great interest within the field of study.

Applying these requirements for a complete taxonomy, we propose AVOIDIT. AVOIDIT provides, through application, a knowledge repository used by a defender to classify vulnerabilities that an attacker can use. Fig. 1 provides an overview of our proposed taxonomy, which provides details to support comprehending each attack classification and how a variety of attacks are represented in each category.
Fig. 1: AVOIDIT – A Cyber Attack Taxonomy
[Figure: tree of classification labels. Labels legible in the extracted figure: the informational impacts Distort, Disrupt, Destruct, Disclosure and Discovery, and the attack vectors Misconfiguration, Kernel Flaws, Design Flaws, Buffer Overflow (Stack, Heap), Insufficient Input Validation, Symbolic Link, File Descriptor Attack, Race Condition, Incorrect Permission and User Installed Malware.]

A. Classification by Attack Vector

When an attack takes place, there is a possibility it uses several vectors as a path to a full blown cyber attack. An attack vector is defined as a path by which an attacker can gain access to a host [7]. This definition includes vulnerabilities, as it may require several vulnerabilities to launch a successful attack. In this section we list several vulnerabilities that are used to render a majority of attacks.

• Misconfiguration - An attacker can use a configuration flaw within a particular application to gain access to a network or personal computer to cause a variety of attacks. Settings that are improperly configured, usually default settings, are an easy target for an attacker to exploit [5].
• Kernel Flaws - An attacker can use a kernel flaw within an operating system, the kernel being the core code of an operating system, to gain certain privileges to exploit a vulnerability within the operating system.
• Buffer Overflow - A buffer overflow is caused when a piece of code does not adequately check for appropriate input length and the input value is not the size the program expects. Cowan [11] describes a buffer overflow as occurring when a buffer with weak or no bounds checking is populated with user supplied data. An attack can exploit a buffer overflow vulnerability, leading to possible arbitrary code execution, often with administrative level privileges when the program runs with them [5]. Buffer overflows can occur in both stack and heap memory locations. Buffer overflows constitute the majority of attacks [11]. A heap buffer overflow occurs in the heap data area, which is dynamically allocated by the running application [6].
• Insufficient Input Validation - A program fails to validate the input sent to the program from a user [5]. An attacker can exploit an insufficient input validation vulnerability and inject arbitrary code, which commonly occurs within web applications.
• Symbolic Links - A file that points to another file [5]. An attacker can exploit a symbolic link vulnerability to point to a target file for which an operating system process has write permissions.
• File Descriptor - A file that uses numbers from a system to keep track of files, as opposed to file names
[5]. Exploitation of a file descriptor vulnerability allows an attacker the possibility of gaining elevated privileges to program related files.
• Race Condition - Occurs when a program attempts to run a process and the object changes concurrently between repeated references, allowing an attacker to gain elevated privileges while a program or process is in privileged mode [5].
• Incorrect File/Directory Permission - An incorrect permission associated with a file or directory consists of not appropriately assigning users and processes [5]. Exploiting this vulnerability can allow a multitude of attacks to occur.
• Social Engineering – The process of using social interactions to acquire information about a victim or computer system. These types of attacks provide quick alternatives for disclosing information to assist an attack that in normal circumstances may not be available.

B. Classification by Operational Impact

Classification by Operational Impact involves the ability for an attack to culminate and provide high level information known by security experts, as well as those less familiar with cyber attacks. We provide a mutually exclusive list of operational impacts that can be categorized and concisely presented to the public.

• Misuse of Resources - An unauthorized use of IT resources [4]. We can extend this definition to consider any IT related function that requires a certain privilege, where those privileges are converted into an abusive action.
• User Compromise - A perpetrator gaining unauthorized use of user privileges on a host [4].
• Root Compromise - Gaining unauthorized privileges of an administrator on a particular host [4]. We shall extend this notion slightly by including any elevated privileges above a normal user, including administrative and/or root level privileges to a particular system.
• Web Compromise - A website or web application using vulnerabilities to further an attack [4]. An attack can occur through a web compromise, usually via cross site scripting or SQL injection.
• Installed Malware - Exploiting some vulnerability, an attack can be launched via installed malware, whether user installed or drive-by installation. Installed malware can allow an adversary to gain full control of the compromised systems, leading to the exposure of sensitive information or remote control of the host.
  o Virus - A form of installed malware, where Hansman and Hunt [6] describe a virus as a piece of code that will attach itself through some form of infected files, which will self-replicate upon execution of the program. Types of viruses include boot record infectors, file infectors, and macros.
  o Spyware - A type of malware program that is covertly installed and infects its target by collecting information from a computing system without the owner's consent.
  o Trojan - A program that appears benign to the user but allows unauthorized backdoor access to a compromised system. A common way to introduce a victim to a multitude of attacks.
  o Worms – A self-replicating computer program. A considerable threat to the internet today. Worms do not require human intervention to propagate, as a worm is a self-replicating program that spreads throughout the network. Worms include mass mailing and network aware worms.
  o Arbitrary Code Execution - Involves a malicious entity that gains control through some vulnerability, injecting its own code to perform any operation the overall application has permission for [13].
• Denial of Service - Denial of Service (DoS) is an attack to deny a victim access to a particular resource or service, and has become one of the major threats, rated among the hardest Internet security issues [13]. In this section we will provide details on the types of DoS attacks.
  o Host Based - A host based DoS aims at attacking a specific computer target within the configuration, operating system, or software of a host. These types of attacks usually involve resource hogs, aimed at consuming all resources on a computer, and crashers, which attempt to crash the host system [6].
  o Network Based - A network based DoS targets a complete network of computers to prevent the network from providing normal services [13]. Network based DoS usually occurs in the form of flooding with packets [6], where the network's connectivity and bandwidth are the target [13].
  o Distributed - A Distributed Denial of Service (DDoS) is becoming more popular as an attacker's choice of DoS. A distributed denial of service uses multiple attack vectors to obtain its goal [10].

C. Classification by Defense

We extend previous attack taxonomy research to include a defense classification. In this section we highlight several strategies a defender can employ to remain vigilant in defending against pre- and post-attack. We provide the possibility of using both mitigation and remediation when
classifying attack defenses, as an attack could be first mitigated before a remediation can occur.

• Mitigation - Prior to vulnerability exploitation or during an attack, there are several steps a defender can use to mitigate damage an attack has caused, or has the potential to cause. An example can involve the installation of a worm that propagates over the network; one mitigation could be to remove a set of hosts from the network and re-route traffic while the administrator works on removal of the worm. Mitigation involves lessening the severity of the attack.
  o Remove from Network - The ability of an administrator to remove infected hosts, preventing further damage. As in the example described above, a particular worm may reside in a network and begin propagation.
  o Whitelisting - A list of permissible connections that are known to the defender. An attack could be directed at particular software, which may reside on a predetermined port.
  o Reference Advisement - Notes provided by the defender to mitigate an attack, or a vulnerability/vendor database reference number used to alleviate a vulnerability or attack.
• Remediation - In the presence of or prior to vulnerability exploitation, there are resolution steps that are available to a defender to prevent an attack. Remediation would involve taking the appropriate steps to correct the situation prior to or during an exploitation.
  o Patch System - Applying patches the vendor has released due to some vulnerability within software in use. When a vulnerability or attack is present, in various cases a defender fails to utilize the patches a vendor provides.
  o Correct Code - Steps within an organization to release a code patch to a specific application that will close the potential for an attacker to exploit.

D. Classification by Informational Impact

An attack on a targeted system has the potential to impact sensitive information in various ways. A committed resource must be able to defend against information warfare strategies in an effort to protect against theft, disruption, distortion, denial of service, or destruction of sensitive information assets [12]. In this section we classify an attack's impact, or the effect on information, and define the criteria used.

• Distort - A distortion of information, usually when an attack has caused a modification of a file. When an attack involves distort, it is a change to data within a file, or modification of information from the victim [4].
• Disrupt - A disruption in services, usually from a Denial of Service. When an attack involves disrupt, it is an access change, or removal of access to the victim or to information [4].
• Destruct - A destruction of information, usually when an attack has caused a deletion of files or removal of access. Destruct is the most malicious impact, as it involves file deletion, or removal of information from the victim [4].
• Disclosure - A disclosure of information, usually providing an attacker with a view of information they would normally not have access to. Kjaerland [4] describes disclosure as unauthorized disclosure of information, with the possibility of leading to other compromises.
• Discovery - To discover information not previously known. For example, when a scanning tool probes for information, the information discovered can be used to launch an attack on a particular target.

E. Classification by Attack Target

Various attacks target a variety of hosts, leaving the defender unknowingly susceptible to the next attack.

• Operating System (Kernel / User / Driver) - Responsible for the coordination of activities and the sharing of resources of a computer. An attack can be formulated to target vulnerabilities within a particular operating system.
• Network - Targets a particular network, or gains access through a vulnerability within a network or one of the network protocols [6].
• Local - An attack targeting a user's local computer.
• User - An attack against a user is an attack to retrieve a user's personal information.
• Application – An attack towards specific software. An application can be either client or server. A client application is software that is available to aid a user in performing common tasks. A server application is software designed to serve as a host to multiple concurrent users.

IV. TAXONOMY COMPARISON

In this section we use the previous taxonomies described in Section 2 to compare AVOIDIT with past computer attacks and vulnerabilities. This section will highlight how our cyber attack taxonomy successfully captures vulnerability attack information and provides a defender with countermeasures that can be efficient in preventing or assuaging successful attacks.

A. SQL Slammer

This section provides details on the SQL Slammer worm. Slammer was able to perform 55 million scans per second and compromised ninety percent of vulnerable hosts in 10 minutes [3]. Table 1 classifies the SQL Slammer worm.
Table 1. Slammer Attack Classification

LOUGH
Name | Improper Validation | Improper Exposure | Improper Randomness | Improper Deallocation
Slammer | X X (marked in two of the four columns)

HOWARD
Name | Tools | Vulnerability | Action | Target | Unauthorized Result
Slammer | Script | Configuration, Design | Probe, Modify | Network | Corruption of Information

HANSMAN
Name | 1st Dimension | 2nd Dimension | 3rd Dimension | 4th Dimension
Slammer | Network-Aware Worm | MS SQL Server 2000 | CAN-2002-0649 | Stack Buffer Overflow & UDP packet flooding DoS

AVOIDIT
Name | Attack Vector | Operational Impact | Informational Impact | Defense | Target
Slammer | Misconfiguration | Installed Malware: Worm: Network Aware | Discovery | Mitigation: Whitelisting, CAN-2002-0649 | Network
Slammer | Buffer Overflow | Installed Malware: Worm: Network Aware | Distort | Remediation: Patch System | Application
In Table 1, Lough's taxonomy is too general to provide useful information in describing the attack; Howard's taxonomy provides preliminary information. Hansman and Hunt's taxonomy is able to capture more detail in comparison to Howard. Our taxonomy provides information on what caused the worm infection, and possible defense strategies a network administrator can use to reduce the malware's ability to further propagate and cause damage. Using AVOIDIT, if the first insertion was alleviated, the Slammer worm would not be able to spread.

B. Microsoft RPC Stack Overflow

In 2008, a Windows Server service Remote Procedure Call (RPC) stack buffer overflow vulnerability [14] was exploited and is currently "in the wild". This RPC service provides print support and network pipe sharing, where other users were able to access services over a network. The notable Conficker or Downadup attacks use these vulnerabilities to perform attacks on vulnerable systems. Table 2 classifies the RPC buffer overflow.
Table 2. RPC Stack Overflow Classification

LOUGH
Name | Improper Validation | Improper Exposure | Improper Randomness | Improper Deallocation
MS RPC Stack Overflow | X X (marked in two of the four columns)

HOWARD
Name | Tools | Vulnerability | Action | Target | Unauthorized Result
MS RPC Stack Overflow | Script | Design | Modify | Process | Increased Access

HANSMAN
Name | 1st Dimension | 2nd Dimension | 3rd Dimension | 4th Dimension
MS RPC Stack Overflow | Stack Buffer Overflow | Windows Server | CVE-2008-4250 | Corruption of Information

AVOIDIT
Name | Attack Vector | Operational Impact | Informational Impact | Defense | Target
MS RPC Stack Overflow | Buffer Overflow: Stack | Installed Malware: ACE | Distort | Mitigation: Reference Advisement VU#827267; Remediation: Patch System | OS: Windows Server
Gimmiv.A | Buffer Overflow: Stack | Installed Malware: Trojan | Disclosure | Mitigation: Reference Advisement Microsoft; Remediation: Patch System | OS: Windows: Server
Conficker | Buffer Overflow: Stack | Installed Malware: Worm | Disrupt | Mitigation: Reference Advisement Microsoft; Remediation: Patch System | OS: Windows: Server, 2000, XP
Classifying the buffer overflow vulnerability using Lough's or Howard's taxonomy, we are unable to view the details, and unable to aid in defending against the vulnerability exploit. Using Hansman and Hunt's taxonomy, we may have been able to classify the attack, but the variations of the vulnerability the various attacks exploited are not present. With this particular vulnerability exploitation, you can view AVOIDIT as being able to thoroughly classify the vulnerability, potential blended attacks, and attack variations that specifically exploited the Windows buffer overflow vulnerability.

V. AVOIDIT CLASSIFICATION STRUCTURE

In this section we were able to classify a multitude of vulnerabilities and attacks. AVOIDIT benefits from the ability to classify attacks in a tree-like structure, providing the ability to classify the elusive blended attack. Predecessors [4, 6] state that providing a tree-like structure is a solution to the blended attack problem, but claim this particular structure can become unorganized. We provide our taxonomy in a tree-like structure to successfully classify common vulnerabilities and cyber attacks, to provide defenders with the needed information to defend their networks. Table 3 provides insight into how a searchable schema can be obtained: we classify attacks using a tree-like structure, which enables a searchable schema. By using a parent-child relationship, AVOIDIT is able to display how multi-staged attacks can be captured, classified, and disseminated.

Table 3. Cyber Attack Classifications Structure

ID | Parent | Name | Attack Vector | Operational Impact | Defense | Informational Impact | Target
001 | | Slammer | Misconfiguration | Worm: NetworkAware | Mitigation: Whitelisting; Remediation: Patch System | Discovery | Network
002 | 001 | Slammer | Buffer Overflow | Installed Malware: Worm: NetworkAware | Remediation: Patch System | Distort | Application
003 | | Zotob | Buffer Overflow | Installed Malware: Worm | Remediation: Patch System | Distort | OS
004 | 003 | Zotob | BoF: Stack | Installed Malware: Worm | Remediation: Patch System | Distort | Local
008 | | SamyXSS | Design Flaw | Web Compromise | Remediation: Correct Code | Disrupt | User
009 | | DebianAdmin | Kernel Flaw | Root Compromise | Remediation: Patch System | Disclosure | OS
010 | 009 | DebianAdmin | Kernel Flaw | DoS | Mitigation: RA | Distort | OS
011 | | Yamanner | Social Engineering | Web Compromise | Mitigation: RA | Disclosure | Application: Server: Email
012 | 011 | Yamanner | Design Flaw | Installed Malware: Worm: MassMailing | Mitigation: RA | Disrupt | User
013 | | MS RPC Stack Overflow | Buffer Overflow: Stack | Installed Malware: ACE | Mitigation: Reference Advisement VU#827267; Remediation: Patch System | Distort | OS: Windows Server
014 | 013 | Gimmiv.A | Buffer Overflow: Stack | Installed Malware: Trojan | Mitigation: RA Microsoft; Remediation: Patch System | Disclosure | OS: Windows: Server
015 | 013 | Conficker | Buffer Overflow: Stack | Installed Malware: Worm | Mitigation: RA Microsoft; Remediation: Patch System | Disrupt | OS: Windows: Server, 2000, XP
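The parent-child schema of Table 3 as working code, added here as an example rather than the authors' own implementation: each record carries the five AVOIDIT classifiers plus an id and parent id, and the functions check the tree for missing parents and cycles, resolve a stage back to its root, list each blended attack with all of its stages, and look up the defenses recorded for an attack vector. The class and function names are assumptions; the rows are transcribed from Table 3.

```python
"""Parent-child AVOIDIT classification records in the shape of Table 3.
Constructed example: rows are transcribed from the paper's Table 3; the code is not the authors'."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AvoiditRecord:
    """One row of the classification structure: one classified stage of one attack."""
    id: str
    parent: Optional[str]          # id of the stage this one builds on; None for a root
    name: str
    attack_vector: str
    operational_impact: str
    defense: Tuple[str, ...]       # "Mitigation: ..." and/or "Remediation: ..." entries
    informational_impact: str
    target: str


# Rows transcribed from Table 3 (Slammer, Zotob and the MS RPC stack overflow family).
RECORDS: List[AvoiditRecord] = [
    AvoiditRecord("001", None, "Slammer", "Misconfiguration", "Worm: NetworkAware",
                  ("Mitigation: Whitelisting", "Remediation: Patch System"), "Discovery", "Network"),
    AvoiditRecord("002", "001", "Slammer", "Buffer Overflow", "Installed Malware: Worm: NetworkAware",
                  ("Remediation: Patch System",), "Distort", "Application"),
    AvoiditRecord("003", None, "Zotob", "Buffer Overflow", "Installed Malware: Worm",
                  ("Remediation: Patch System",), "Distort", "OS"),
    AvoiditRecord("004", "003", "Zotob", "BoF: Stack", "Installed Malware: Worm",
                  ("Remediation: Patch System",), "Distort", "Local"),
    AvoiditRecord("013", None, "MS RPC Stack Overflow", "Buffer Overflow: Stack", "Installed Malware: ACE",
                  ("Mitigation: Reference Advisement VU#827267", "Remediation: Patch System"),
                  "Distort", "OS: Windows Server"),
    AvoiditRecord("014", "013", "Gimmiv.A", "Buffer Overflow: Stack", "Installed Malware: Trojan",
                  ("Mitigation: RA Microsoft", "Remediation: Patch System"), "Disclosure", "OS: Windows: Server"),
    AvoiditRecord("015", "013", "Conficker", "Buffer Overflow: Stack", "Installed Malware: Worm",
                  ("Mitigation: RA Microsoft", "Remediation: Patch System"), "Disrupt", "OS: Windows: Server, 2000, XP"),
]


def validate(records: List[AvoiditRecord]) -> List[str]:
    """Structural checks behind the paper's 'repeatable' and 'unambiguous' requirements:
    ids are unique, every parent exists, and no stage is its own ancestor.
    Returns a list of problems (empty when the tree is sound)."""
    problems: List[str] = []
    by_id: Dict[str, AvoiditRecord] = {}
    for rec in records:
        if rec.id in by_id:
            problems.append(f"duplicate id {rec.id}")
        by_id[rec.id] = rec
    for rec in records:
        if rec.parent is not None and rec.parent not in by_id:
            problems.append(f"{rec.id}: parent {rec.parent} does not exist")
    for rec in records:
        seen, cur = set(), rec
        while cur.parent is not None and cur.parent in by_id:
            if cur.id in seen:
                problems.append(f"cycle through {rec.id}")
                break
            seen.add(cur.id)
            cur = by_id[cur.parent]
    return problems


def attack_chain(records: List[AvoiditRecord], rec_id: str) -> List[str]:
    """Ids of the stages leading to rec_id, root first: the path a defender reads
    to see how a multi-staged attack was built up."""
    by_id = {r.id: r for r in records}
    chain: List[str] = []
    cur: Optional[str] = rec_id
    while cur is not None:
        if cur in chain:
            raise ValueError(f"cycle at {cur}")
        chain.append(cur)
        cur = by_id[cur].parent
    return list(reversed(chain))


def blended_attacks(records: List[AvoiditRecord]) -> Dict[str, List[str]]:
    """Root id -> ids of every stage under it (depth first), i.e. each blended attack
    the repository knows together with all of its classified stages."""
    kids: Dict[Optional[str], List[str]] = {}
    for r in records:
        kids.setdefault(r.parent, []).append(r.id)

    def walk(node: str) -> List[str]:
        out = [node]
        for child in sorted(kids.get(node, [])):
            out.extend(walk(child))
        return out

    return {root: walk(root) for root in sorted(kids.get(None, []))}


def defenses_for_vector(records: List[AvoiditRecord], vector_prefix: str) -> List[str]:
    """Distinct defenses recorded for stages whose attack vector starts with vector_prefix
    ("Buffer Overflow" also matches "Buffer Overflow: Stack"); sorted so repeated
    queries give the same answer."""
    found = {d for r in records if r.attack_vector.startswith(vector_prefix) for d in r.defense}
    return sorted(found)
```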

VI. AVOIDIT APPLIED IN A NETWORK

In this section we show how AVOIDIT can be used within cyber security to support a defender against malicious attackers.

AVOIDIT is intended to be used in multiple aspects of a network defense policy. It can be used to store event notifications within a database to educate administrators about attack frequency. The network administrator can also use an AVOIDIT organized knowledge repository in order to locate strategies that are appropriate for securing their network against vulnerabilities that can be exploited and used for unauthorized access. AVOIDIT used in a network defense strategy can improve the overall level of security. Our taxonomy can be used by applications that can offer a multitude of functions. The most obvious of these is that the taxonomy can be used to provide a defender with information related to the commonality, frequency, and vendor response pertaining to an event in which a vulnerability was exploited. This information will then be used to identify and implement defense measures. The previous taxonomies in Section 2 lack the structure of useful information to classify attacks through vulnerabilities that can be used in an application to assist a defender against an attack. Our taxonomy provides a more apparent approach to educate the defender on possible cyber attacks using vulnerability details. AVOIDIT will be used in a future game theoretic defense system to capture vulnerability information to provide a network administrator with a solution when defending against cyber attacks [15]. Until now, previous attack taxonomies have not been applied in a defense model; thus, through application, our taxonomy presents a better approach in capturing and disseminating valuable information in defending a network against cyber attacks.

VII. AVOIDIT LIMITATIONS

Attacks have become increasingly present in the cyber world, and being able to provide the ability to prevent all attacks is extremely difficult. In this section we will highlight some of the limitations of AVOIDIT.

A. Lack of Defense Strategies

The defense strategies in our taxonomy present a defender with an appropriate starting point to mitigate and/or remediate an attack. The plausible defenses are enormous, so the proposed taxonomy provides a high level approach to cyber
defense. Although AVOIDIT is extensible, more research is [8] Lough, Daniel. “A Taxonomy of Computer Attacks with Applications to
needed to provide an exhaustive list of possible defense Wireless Networks,” PhD thesis, Virginia Polytechnic Institute and State
University, 2001.
strategies for each vulnerability exploited.
[9] Howard, John D. and Longstaff, Thomas A. “A Common Language for
Computer Security Incidents,” Technical report, Sandia National
B. Physical Attack Omission Laboratories, 1998.
Physical attacks are an important aspect in achieving [10] Mirkovic, J., and Reiher, P. “A Taxonomy of DDoS Attack and DDoS
security. While it is necessary to understand physical attacks, Defense Mechanisms. In ACM CCR (April 2004).
our proposed taxonomy focuses on cyber attacks. Further [11] Cowan, C., F. Wagle, Calton Pu, S. Beattie, and J. Walpole. 1999.
"Buffer overflows: attacks and defenses for the vulnerability of the
research can be done to include the physical aspect of cyber decade." 2.
security, which may include the end hosts of an attack. [12] Cronin, B. and Crawford, H. "Information warfare: Its Application in
military and civilian contexts," Information Society, volume 15, pp. 257-
VIII. CONCLUSION 263, 1999.
[13] C. Douligeris and A. Mitrokotsa, “DDoS Attacks and Defense
This paper provides a cyber attack taxonomy that enhances Mechanisms: Classification and State-of-theart,” Comp. Networks, vol.
the cyber security industry. AVOIDIT will classify attacks by 44, 2004, pp. 643–66.
attack vectors, operational impact, defense, informational [14] Porras, Phillip, Saidi, Hassen and Yegneswara, Vinod. An Analysis of
impact, and target. This classification scheme will aid a Conficker's Logic and Rendezvous Points. Malware Threat Center. SRI
defender in protecting their network by providing vital attack International Technical Report, February 2009.
information. It is presented in a tree-like structure to neatly [15] Shiva, S., Dasgupta, D., Wu, Q. “Game Theoretic Approaches to Protect
classify common vulnerabilities used to launch cyber attacks. Cyberspace,” Office of Naval Research, Grant Number N00014-09-1-
0752, 2009.
We are aware of the possibility of new attack manifestation,
therefore AVOIDIT could be extended to include new
categories within each classification. AVOIDIT will provide a
defender with the appropriate information to make an educated
decision in defending against cyber attacks. Creative
approaches to defending attacks will become available and
providing an extensible taxonomy able to capture new defenses
is imperative to defense. We believe AVOIDIT provides a
foundation for the cyber security community and provide the
ability to continuously grow as attacks and defenses become
more sophisticated. In future work, to build a Game Theoretic
Defense System, we will investigate the applicability of
AVOIDIT in determining the action space of the attacker [15].

ACKNOWLEDGMENT
This work is supported by the Office of Naval Research
(ONR) under grant N00014-09-1-0752.
REFERENCES
[1] Landwehr, Carl E., Bull, Alan R., McDermott, John P., Choi, William
S., “A Taxonomy of Computer Program Security Flaws, with
Examples”. ACM Computing Surveys, 26,3 (Sept. 1994).
[2] S. Noel, S. Jajodia, B. O’Berry, M. Jacobs, “Efficient Minimum-Cost
Network Hardening via Exploit Dependency Graphs,” in Proceedings of
the 19th Annual Computer Security Applications Conference, Las
Vegas, Nevada, December 2003.
[3] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart
Staniford, and Nicholas Weaver. Inside the slammer worm. In IEEE
Security and Privacy, volume 1, 2003.
[4] Kjaerland, M., “A taxonomy and comparison of computer
securityincidents from the commercial and government sectors”.
Computers and Security, 25:522–538, October 2005.
[5] Scarfone, K., Souppaya, M., et al., “Technical Guide to Information
Security Testing and Assessment”. NIST (Sept. 2008)
http://web.nvd.nist.gov/view/vuln/detail?execution=e7s1
[6] Hansman, S., Hunt R., “A taxonomy of network and computer attacks”.
Computer and Security (2005).
[7] Attack Vector. Retrieved June 19, 2009.
http://searchsecurity.techtarget.com/dictionary/definition/1005812/attack
-vector.html
