ACML: Capability Based Attack Modeling Language

Navneet Kumar Pandey, S. K. Gupta, Shaveta Leekha
Indian Institute of Technology Delhi, India
{npandey, skg, mcs052943}@cse.iitd.ac.in

Jingmin Zhou
University of California, Davis, USA
zhouji@cs.ucdavis.edu

Abstract

In this paper, we propose the Attack Capability Modelling Language (ACML), a specification and description language for the capability model proposed by Zhou et al. ACML is used to express the capability gained by the attacker at each step of the intrusion process. These capabilities are defined using IDS alerts. The language also provides for the specification of complete attack scenarios in terms of the capabilities of the intruder, which in turn helps to determine the state of the system in terms of the extent of infiltration. ACML helps to avoid ambiguity in capability specifications when they are shared among developers. We also propose the Attack Capability Modelling Framework (ACMF), which forms the basis of a capability model-based semi-automated alert correlation process used to detect and identify attack scenarios from IDS alerts. The framework consists of tools for the implementation of the algebraic structure of capability, as defined in Pandey et al., which is needed by the correlation algorithm. Additionally, the language has features for customizing the definitions of these structures as well as for customizing the correlation algorithm. To verify the expressiveness of the language and its suitability for describing the attack capability model, experimental results on a standard benchmark are discussed.

Keywords: Intrusion detection, Capability model, Attack scenario, Attack language, ACML.

1 Introduction

Most existing intrusion detection systems (IDS) generate large numbers of alerts which contain numerous false positives and non-relevant positives [15]. Non-relevant positives are alerts that correctly identify an attack, but the attack fails to meet its objective [19]. Alert correlation techniques aim to aggregate and combine the outputs of single or multiple IDS to provide a concise and broad view of the security state of the network [11]. Several alert correlation techniques have been proposed, including approaches based on similarity between alert attributes, on pre-defined attack scenarios, on pre/post-conditions of attacks, and on multiple networks and auditing tools. Each technique has its own advantages and disadvantages [20]. For example, similarity-based approaches are weak at finding the sequence of attack steps; pre-defined attack scenarios work well only for known scenarios; pre/post-condition based approaches can detect new scenarios, but defining these conditions is itself error-prone and enumerating them is a non-trivial task; and approaches based on multiple information sources suffer from the sheer volume of data to process.

As stated in the require/provide model [17], the early attacks in a multistage intrusion acquire certain advantages. Information about the system under attack and the ability to perform actions on that system are some of the advantages gained. These are in turn used to support the later attacks that require them. The capability model [21] captures this notion of attacker capability and uses it for logical alert correlation. However, the model is manual and requires human intervention to execute the process.

In our previous work [14], we offered some improvements to the definition of capability. Specifically, we refined the definition of a capability with temporal attributes to avoid ambiguity. We also defined several algebraic operations and relations to formalize the definition of capability and the inference rules, and showed the usage and benefit of these algebraic properties.

As capability is an abstract term, the model strongly needs to be customized according to the network environment and other system preferences. Languages are the best tool to express these preferences: a language formalizes the meaning of its elements and makes them less ambiguous. A language also helps in making the correlation process modular and simple, which makes the system easily understandable even for a non-expert in security. This approach facilitates flexibility and easy enhancement of the process.

In this paper, we propose the Attack Capability Modelling Framework (ACMF) to semi-automate the whole capability model based correlation process with the help of the algebra for attack capability defined in [21]. The framework mini-

The Fourth International Conference on Information Assurance and Security 978-0-7695-3324-7/08 $25.00 © 2008 IEEE DOI 10.1109/IAS.2008.26 147