AFRL-IF-RS-TR-2003-249, Final Technical Report, October 2003

This report describes research into the nature of multistep cyber attack scenarios, aimed toward automatic detection and identification of such attacks. Previous work in intrusion detection and cyber attack analysis has been focused mainly on isolated attack steps, and less on how such steps are combined into composite scenarios. The purpose of this work is to gain a deeper understanding of multistep attack scenarios, develop models of such scenarios, and design the mechanisms needed to automatically recognize such scenarios through event monitoring. Several multistep attack scenarios were developed and are documented in great detail in this report. Based on these scenarios, an attack modeling language called the Correlated Attack Modeling Language (CAML) was designed. A library of predicates and the concept of attack patterns were also developed to support the use of CAML. To validate CAML, a scenario recognition engine was developed. Furthermore, we designed an architecture supporting novel concepts in highly dynamic monitoring and correlation functionality, and a language for specification of active component behavior.

Full-text PDF available for download from the sponsor here.