Correlated Attack Modeling (CAM)
Correlated Attack Modeling (CAM)
Abstract : This report describes research into the nature of multistep cyber attack scenarios, aimed toward automatic detection and identification of such attacks. Previous work in intrusion detection and cyber attack analysis has been focused mainly on isolated attack steps, and less on how such steps are combined into composite scenarios. The purpose of this work is to gain a deeper understanding of multistep attack scenarios, develop models of such scenarios, and design the mechanisms needed to automatically recognize such scenarios through event monitoring. Several multistep attack scenarios were developed and are documented in great detail in this report. Based on these scenarios, an attack modeling language called the Correlated Attack Modeling Language (CAML) was designed. A library of predicates and the concept of attack patterns were also developed to support the use of CAML. To validate CAML, a scenario recognition engine was developed. Furthermore, we designed an architecture supporting novel concepts in highly dynamic monitoring and correlation functionality, and a language for specification of active component behavior.
citations This is an alternative to the "Influence" indicator, which also reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).4 popularity This indicator reflects the "current" impact/attention (the "hype") of an article in the research community at large, based on the underlying citation network.Average influence This indicator reflects the overall/total impact of an article in the research community at large, based on the underlying citation network (diachronically).Average impulse This indicator reflects the initial momentum of an article directly after its publication, based on the underlying citation network.Average
Citations provided by BIP!Popularity provided by BIP!