Models for Threat Assessment in Networks

Central to computer security are detecting attacks against systems and managing computer systems to mitigate threats to the system. Attacks exploit vulnerabilities in the system such as a programming flaw. Threats are vulnerabilities which could lead to an attack under certain circumstances. The key to the detection of attacks is discovering an ongoing attack against the system. Mitigating threats involves a continuous assessment of the vulnerabilities in the system and of the risk these vulnerabilities pose with respects to a security policy. Intrusion detection systems (IDS) are programs which detect attacks. The goal is to issue alerts only when an actual attack occurs, but also to not miss any attacks. The biological immune system provides a compelling model on which to base an IDS. This work adds the biological concepts of positive selection and collaboration to artificial immune systems to achieve a better attack detection rate without unduly raising the false alarm rate. Attack graphs assess the threat to the system by showing the composition of vulnerabilities in the system. The key issues with attack graphs are scalability to large networks, ease of coding new attacks into the model, incomplete network information, visualization of the graph and automatic analysis of the graph. This work presents an abstract class model that aggregates individual attacks into abstract classes. Through these abstractions, scalability is greatly increased and the codification of new attacks into the model is made easier when compared to the current approach that models each attack. Clustering of identical machines is used to reduce the visual complexity of the graph and also to increase scalability. Incomplete network information is handled Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE SEP 2006 2. REPORT TYPE 3. DATES COVERED 00-00-2006 to 00-00-2006 4. TITLE AND SUBTITLE Models for Threat Assessment in Networks 5a. CONTRACT NUMBER