Modeling Multistep Cyber Attacks for Scenario Recognition

Washington, DC April 22-April 24

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/DISCEX.2003.1194892

DARPA Information Survivability Confe ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Steven Cheung Articles by Ulf Lindqvist Articles by Martin W. Fong

	ASCII Text	x
	Steven Cheung, Ulf Lindqvist, Martin W. Fong, "Modeling Multistep Cyber Attacks for Scenario Recognition," DARPA Information Survivability Conference and Exposition,, vol. 1, pp. 284, DARPA Information Survivability Conference and Exposition - Volume I, 2003.

	BibTex	x
	@article{ 10.1109/DISCEX.2003.1194892, author = {Steven Cheung and Ulf Lindqvist and Martin W. Fong}, title = {Modeling Multistep Cyber Attacks for Scenario Recognition}, journal ={DARPA Information Survivability Conference and Exposition,}, volume = {1}, year = {2003}, issn = {2003102155}, pages = {284}, doi = {http://doi.ieeecomputersociety.org/10.1109/DISCEX.2003.1194892}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - DARPA Information Survivability Conference and Exposition, TI - Modeling Multistep Cyber Attacks for Scenario Recognition SN - 2003102155 SP EP A1 - Steven Cheung, A1 - Ulf Lindqvist, A1 - Martin W. Fong, PY - 2003 KW - null VL - 1 JA - DARPA Information Survivability Conference and Exposition, ER -

Steven Cheung, SRI International

Ulf Lindqvist, SRI International

Martin W. Fong, SRI International

Efforts toward automated detection and identification of multistep cyber attack scenarios would benefit significantly from a methodology and language for modeling such scenarios. The Correlated Attack Modeling Language (CAML) uses a modular approach, where a module represents an inference step and modules can be linked together to detect multistep scenarios. CAML is accompanied by a library of predicated, which functions as a vocabulary to describe the properties of system states and events. The concept of attack patterns is introduced to facilitate reuse of generic modules in the attack modeling process. CAML is used in a prototype implementation of a scenario recognition engine that consumes first-level security alerts in real time and produces reports that identify multistep attack scenarios discovered in the alert stream.

Citation:

Steven Cheung, Ulf Lindqvist, Martin W. Fong, "Modeling Multistep Cyber Attacks for Scenario Recognition," discex, vol. 1, pp.284, DARPA Information Survivability Conference and Exposition - Volume I, 2003

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.