John Pinkston
University of Maryland, Baltimore County
Publication
Featured research published by John Pinkston.
Recent Advances in Intrusion Detection | 2003
Jeffrey Undercoffer; Anupam Joshi; John Pinkston
We state the benefits of transitioning from taxonomies to ontologies and ontology specification languages, which are able to simultaneously serve as recognition, reporting and correlation languages. We have produced an ontology specifying a model of computer attack using the DARPA Agent Markup Language+Ontology Inference Layer, a descriptive logic language. The ontology’s logic is implemented using DAMLJessKB. We compare and contrast the IETF’s IDMEF, an emerging standard that uses XML to define its data model, with a data model constructed using DAML+OIL. In our research we focus on low level kernel attributes at the process, system and network levels, to serve as those taxonomic characteristics. We illustrate the benefits of utilizing an ontology by presenting use case scenarios within a distributed intrusion detection system.
International Performance, Computing, and Communications Conference | 2004
J. R. Parker; Jeffrey Undercoffer; John Pinkston; Anupam Joshi
We present network intrusion detection (ID) mechanisms that rely upon packet snooping to detect aberrant behavior in mobile ad hoc networks. Our extensions, which are applicable to several mobile, ad hoc routing protocols, offer two response mechanisms, passive - to singularly determine if a node is intrusive and act to protect itself from attacks, or active - to collaboratively determine if a node is intrusive and act to protect all of the nodes of an ad hoc cluster. We have implemented our extensions using the GloMoSim simulator and detail their efficacy under a variety of operational conditions.
Computer Networks | 2003
Sasikanth Avancha; Jeffrey Undercoffer; Anupam Joshi; John Pinkston
Sensor networks have been identified as being useful in a variety of domains to include the battlefield and perimeter defense. We motivate the security problems that sensor networks face by developing a scenario representative of a large application class where these networks would be used in the future. We identify threats to this application class and propose a new lightweight security model that operates in the base station mode of sensor communication, where the security model is mindful of the resource constraints of sensor networks. Our application class requires mitigation against traffic analysis, hence we do not use any routing mechanisms, relying solely on broadcasts of end-to-end encrypted packets. Our model extends the broadcast range of the base station model by utilizing nodes adjacent to the base station as an intermediary hop. Additionally, our model detects and corrects some classes of aberrant node behavior. We have simulated our model and present simulation results.
Wireless Sensor Network | 2004
Sasikanth Avancha; Jeffrey Undercoffer; Anupam Joshi; John Pinkston
This chapter identifies the vulnerabilities associated with the operational paradigms currently employed by Wireless Sensor Networks. A survey of current WSN security research is presented. The security issues of Mobile Ad-Hoc Networks and infrastructure supported wireless networks are briefly compared and contrasted to the security concerns of Wireless Sensor Networks. A framework for implementing security in WSNs, which identifies the security measures necessary to mitigate the identified vulnerabilities, is defined.
Systems, Man and Cybernetics | 2003
James Butler; Jeffrey Undercoffer; John Pinkston
We introduce a novel class of intrusion: the hidden process, a type of intrusion that will not be detected by an intrusion detection system operating under the assumption that the underlying computing architecture is functioning as specified. A hidden process executes in a manner that is unobservable by many of the operating system's accounting and reporting functions. We present a mechanism to hide processes. Additionally, we show how a hidden process may communicate with an external entity by piggybacking onto a legitimate network connection. We have implemented a mechanism that detects hidden processes and make recommendations calling for the separation of critical operating system functions from more general operating system functions.
Knowledge Engineering Review | 2003
Jeffrey Undercoffer; Anupam Joshi; Tim Finin; John Pinkston
We have produced an ontology specifying a model of computer attack. Our ontology is based upon an analysis of over 4000 classes of computer intrusions and their corresponding attack strategies and is categorised according to system component targeted, means of attack, consequence of attack and location of attacker. We argue that any taxonomic characteristics used to define a computer attack be limited in scope to those features that are observable and measurable at the target of the attack. We present our model as a target-centric ontology that is to be refined and expanded over time. We state the benefits of forgoing dependence upon taxonomies in favour of ontologies for the classification of computer attacks and intrusions. We have specified our ontology using the DARPA Agent Markup Language+Ontology Inference Layer and have prototyped it using DAMLJessKB. We present our model as a target-centric ontology and illustrate the benefits of utilising an ontology in lieu of a taxonomy, by presenting a use-case scenario of a distributed intrusion detection system.
Wireless Sensor Network | 2004
Sasikanth Avancha; Anupam Joshi; John Pinkston
International Joint Conference on Artificial Intelligence | 2003
J. Undercoffer; Anupam Joshi; Tim Finin; John Pinkston
International Performance Computing and Communications Conference | 2004
Jim Parker; John Pinkston; Anupam Joshi
Archive | 2004
Er Underco; Anupam Joshi; Tim Finin; John Pinkston