Identifying the level of intelligence of a cyber-attacker is critical to detecting cyber-attacks and determining the next targets or steps of the adversary. This chapter explores intrusion detection systems (IDSs) which are the traditional tool for cyber-attack detection, and attack graphs which are a formalism used to model cyber-attacks. The time required to detect an attack can be reduced by classifying the attacker’s knowledge about the system to determine the traces or signatures for the IDS to look for in the audit logs. The adversary’s knowledge of the system can then be used to identify their most likely next steps from the attack graph. A computationally efficient technique to compute the likelihood and impact of each step of an attack is presented. The chapter concludes with a discussion describing the next steps for implementation of these processes in specialized hardware to achieve real-time attack detection.
TopIntroduction
Cyber-attackers are a grave threat to the security of the United States and to other nations. As the critical infrastructure systems are becoming increasingly interconnected through connections to the Internet it is possible for a cyber-attack originating anywhere in the world to cause significant damage within the United States. Monitoring of critical networks is a standard tool in the defenders arsenal, but when an attack is detected the defender could benefit from knowing the level of intelligence of the cyber-attacker. Intrusion detection systems (IDSs) provide this monitoring capability. Armed with better information about the cyber-attacker’s intelligence and what the cyber-attacker knows about the system under attack, the defenders can identify and deploy their defenses in the most optimal fashion to protect the system and minimize negative impact to users.
Attack graphs are one metric to model cyber-attacks and their consequences. They provide the sequence of events necessary to reach a particular goal (e.g. gaining access to a database with credit card information). The defender can use attack graphs to determine the set of possible next moves the cyber-attacker may take. However, without being able to infer the cyber-attacker’s intelligence their ability to correctly determine the attacker’s most likely next moves is greatly impaired.
Reconnaissance of a network or system is an important early, if not first, step in an attack. It is to the attacker’s benefit to discover as much information as possible about a network or system before launching their attack. This allows the attacker to determine the best course of action to achieve their goals. However, too much reconnaissance increases the risk that the attacker will be identified before they can achieve their goals or even launch their attack. This is especially true in the Smart Grid (next generation electric grid) which will utilize network connections and the Internet to connect grid components together (Farhangi, 2010). In the Smart Grid the types of devices, the IT (information technology) network architecture, and the power system architecture are the important pieces of information that the attacker needs to construct an attack (NIST, 2010).
This chapter will explore techniques to incorporate estimates of an adversary’s knowledge of the system to improve intrusion detection systems (IDSs) and attack graphs. First, the use of IDSs to detect attacks and the challenges associated with them are described. Next, a brief background and description of attack graphs are presented. The use of vulnerability databases, such as the National Vulnerability Database (National Vulnerability Database, 2012), to generate attack graphs is described. Then, a variation of attack graphs, termed an attack dependency graphs is described. An analysis technique using the attack dependency graph to infer an adversary’s future actions based on their past behavior is presented.
Attack graphs and IDSs can be combined to improve (reduce time) attack detection. A methodology to construct attack signatures or traces for the IDS using attack graphs is presented. This process is computationally intensive and ideas for future research directions for development of specialized hardware are presented.