
Modeling Multistep Cyber Attacks for Scenario Recognition
 by Dr. Steven Cheung, Martin Fong & Dr. Ulf Lindqvist.

From DARPA Information Survivability Conference and Exposition (DISCEX III).
Washington, D.C.
Pages 284–292.

Efforts toward automated detection and identification of multistep cyber attack scenarios would benefit significantly from a methodology and language for modeling such scenarios. The Correlated Attack Modeling Language (CAML) uses a modular approach, where a module represents an inference step and modules can be linked together to detect multistep scenarios. CAML is accompanied by a library of predicates, which functions as a vocabulary to describe the properties of system states and events. The concept of attack patterns is introduced to facilitate reuse of generic modules in the attack modeling process. CAML is used in a prototype implementation of a scenario recognition engine that consumes first-level security alerts in real time and produces reports that identify multistep attack scenarios discovered in the alert stream.
BibTEX Entry
    AUTHOR = {Steven Cheung and Ulf Lindqvist and Martin {W} Fong},
    TITLE = {Modeling Multistep Cyber Attacks for Scenario Recognition},
    YEAR = {2003},
    PAGES = {284--292},
    ADDRESS = {Washington, {D.C.}},
    URL = {},
    BOOKTITLE = {{DARPA} Information Survivability Conference and Exposition (DISCEX {III)}}

