Modeling Attacks

S. Al-Fedaghi, Samer Moein

Computer Engineering Department, Kuwait University, Kuwait

Page: 97-115 | DOI: https://doi.org/10.2495/SAFE-V4-N2-97-115

Received: N/A | Accepted: N/A

OPEN ACCESS

Abstract: 

The aim of this paper is to develop a general conceptual model of attack progression that can be applied to modeling of computer and communication threat risks. This paper focuses on attacks that aim at overpowering the victim/prey to gain some benefit. It examines existing models and introduces a new flow model to facilitate development of a general model of two-sided combat. The symmetry between the attacker’s and defender’s flow systems of signals, information, plans, decisions, and actions results in a single combat model incorporating the realms of both attacker and defender. Based on this conceptualization, it is possible to characterize the weak points and develop a map of vulnerabilities in the defender’s system. Such a methodology of attack modeling provides a base for analysis in the fields of threat modeling and secure software development. Finally, this new model is applied to an SQL injection problem in web services to demonstrate implementation of a real system problem.

Keywords: 

attacks, conceptual model, security, SQL injection, threat risk
