Modeling and detection of complex attacks

Seyit Ahmet Camtepe, Bulent Yener
2007 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops - SecureComm 2007  
A complex attack is a sequence of temporally and spatially separated legal and illegal actions each of which can be detected by various IDS but as a whole they constitute a powerful attack. IDS fall short of detecting and modeling complex attacks therefore new methods are required. This paper presents a formal methodology for modeling and detection of complex attacks in three phases: (1) we extend basic attack tree (AT) approach to capture temporal dependencies between components and expiration
more » ... ents and expiration of an attack, (2) using enhanced AT we build a tree automaton which accepts a sequence of actions from input message streams from various sources if there is a traversal of an AT from leaves to root, and (3) we show how to construct an enhanced parallel automaton that has each tree automaton as a subroutine. We use simulation to test our methods, and provide a case study of representing attacks in WLANs.
doi:10.1109/seccom.2007.4550338 dblp:conf/securecomm/CamtepeY07 fatcat:4sj723wnbbcvrkw7cvfgjeatvy