Erland Jonsson

A quantitative model of the security intrusion process based on attacker behavior

The paper is based on a conceptual framework in which security can be split into two generic types of characteristics, behavioral and preventive. Here, preventive security denotes the systems ability to protect itself from external attacks. One way to describe the preventive security of a system is in terms of its interaction with the alleged attacker, i.e., by describing the intrusion process. To our knowledge, very little is done to model this process in quantitative terms. Therefore, based on empirical data collected from intrusion experiments, we have worked out a hypothesis on typical attacker behavior. The hypothesis suggests that the attacking process can be split into three phases: the learning phase, the standard attack phase, and the innovative attack phase. The probability for successful attacks during the learning and innovative phases is expected to be small, although for different reasons. During the standard attack phase it is expected to be considerably higher. The collected data indicates that the breaches during the standard attack phase are statistically equivalent and that the times between breaches are exponentially distributed. This would actually imply that traditional methods for reliability modeling could be applicable.

How to systematically classify computer security intrusions

This paper presents a classification of intrusions with respect to the technique as well the result. The taxonomy is intended to be a step on the road to an established taxonomy of intrusions for use in incident reporting, statistics, warning bulletins, intrusion detection systems etc. Unlike previous schemes, it takes the viewpoint of the system owner and should therefore be suitable to a wider community than that of system developers and vendors only. It is based on data from a realistic intrusion experiment, a fact that supports the practical applicability of the scheme. The paper also discusses general aspects of classification, and introduces a concept called dimension. After having made a broad survey of previous work in the field, we decided to base our classification of intrusion techniques on a scheme proposed by Neumann and Parker (1989) and to further refine relevant parts of their scheme. Our classification of intrusion results is derived from the traditional three aspects of computer security: confidentiality, availability and integrity.

Security aspects of the in-vehicle network in the connected car

In this paper, we briefly survey the research with respect to the security of the connected car, and in particular its in-vehicle network. The aim is to highlight the current state of the research; which are the problems found, and what solutions have been suggested. We have structured our investigation by categorizing the research into the following five categories: problems in the in-vehicle network, architectural security features, intrusion detection systems, honeypots, and threats and attacks. We conclude that even though quite some effort has already been expended in the area, most of it has been directed towards problem definition and not so much towards security solutions. We also highlight a few areas that we believe are of immediate concern.

A map of security risks associated with using COTS

Combining Internet connectivity and COTS based systems results in increased threats from both external and internal sources. Traditionally, security design has been a matter of risk avoidance. Now more and more members of the security community realize the impracticality and insufficiency of this doctrine. It turns out that strict development procedures can only reduce the number of flaws in a complex system, not eliminate every single one. Vulnerabilities may also be introduced by changes in the system environment or the way the system operates. Therefore, both developers and system owners must anticipate security problems and have a strategy for dealing with them. This is particularly important with COTS based systems, because system owners have no control over the development of the components. The authors present a taxonomy of potential problem areas. It can be used to aid the analysis of security risks when using systems that to some extent contain COTS components.

Synthesizing test data for fraud detection systems

We report an experiment aimed at generating synthetic test data for fraud detection in an IP based video-on-demand service. The data generation verifies a methodology previously developed by the present authors [E. Lundin et al., (2002)] that ensures that important statistical properties of the authentic data are preserved by using authentic normal data and fraud as a seed for generating synthetic data. This enables us to create realistic behavior profiles for users and attackers. The data is used to train the fraud detection system itself, thus creating the necessary adaptation of the system to a specific environment. Here we aim to verify the usability and applicability of the synthetic data, by using them to train a fraud detection system. The system is then exposed to a set of authentic data to measure parameters such as detection capability and false alarm rate as well as to a corresponding set of synthetic data, and the results are compared.

An approach to specification-based attack detection for in-vehicle networks

An upcoming trend for automotive manufacturers is to create seamless interaction between a vehicle and fleet management to provide remote diagnostics and firmware updates over the air. To allow this, the previously isolated in-vehicle network must be connected to an external network, and can thus be exposed to a whole new range of threats known as cyber attacks. In this paper we explore the applicability of a specification-based approach to detect cyber attacks within the in-vehicle network. We derive information to create security specifications for communication and ECU behavior from the CANopen draft standard 3.01 communication protocol and object directory sections. We also provide a set of example specifications, propose a suitable location for the attack detector, and evaluate the detection using a set of attack actions.

Anomaly-based intrusion detection: privacy concerns and other problems

Abstract This paper addresses the specific advantages and disadvantages of anomaly-based intrusion detection. One important disadvantage is its impact on user privacy. A great deal of potentially sensitive information is recorded and analyzed in ways that threaten personal integrity. A solution for this may be to pseudonymize the sensitive information in the log files, i.e., exchange user names, etc., for pseudonyms. This paper shows how this can be done. We have carried out a number of experiments using an anomaly detection tool on pseudonymized data collected from a proxy firewall. The experiments revealed most of the known problems of anomaly detection and also some problems originating from the use of intrusion detection in combination with pseudonymization. This paper focuses on these problems and discusses how they can be remedied or circumvented. Also discussed is the extent to which these problems apply to tools based on misuse detection.

Towards an integrated conceptual model of security and dependability

It is now commonly accepted that security and dependability largely represent two different aspects of an overall meta-concept that reflects the trust that we put in a computer system. There exist a large number of models of security and dependability with various definitions and terminology. This position paper suggests a high-level conceptual model that is aimed to give a novel approach to the area. The model defines security and dependability characteristics in terms of a systems interaction with its environment via the system boundaries and attempts to clarify the relation between malicious environmental influence, e.g. attacks, and the service delivered by the system. The model is intended to help reasoning about security and dependability and to provide an overall means for finding and applying fundamental defense mechanisms. Since the model is high-level and conceptual it must be interpreted into each specific sub-area of security/dependability to be practically useful.

Efficient In-Vehicle Delayed Data Authentication Based on Compound Message Authentication Codes

Modern vehicles contain an in-vehicle network consisting of a number of electronic control units (ECUs). These ECUs are responsible for most of the functionality in the vehicle, including vehicle control and maneuverability. To date, no security features exist in this network since it has been isolated. However, an upcoming trend among automobile manufacturers is to establish a wireless connection to the vehicle to provide remote diagnostics and software updates. As a consequence, the in-vehicle network is exposed to external communication, and a potential entry point for attackers is introduced. Messages sent on the in-vehicle network lack integrity protection and data authentication; thus, the network is vulnerable to injection and modification attacks. Due to the real-time constraints and the limited resources in the ECUs, achieving data authentication is a challenge. In this paper, we propose an efficient delayed data authentication using compound message authentication codes. A message authentication code is calculated on a compound of successive messages and sent together with the subsequent messages, resulting in a delayed authentication. This data authentication could be used to detect and possibly recover from injection and modification attacks in the in-vehicle network.

A Synthetic Fraud Data Generation Methodology

In many cases synthetic data is more suitable than authentic data for the testing and training of fraud detection systems. At the same time synthetic data suffers from some drawbacks originating from the fact that it is indeed synthetic and may not have the realism of authentic data. In order to counter this disadvantage, we have developed a method for generating synthetic data that is derived from authentic data. We identify the important characteristics of authentic data and the frauds we want to detect and generate synthetic data with these properties.