
AttackAnalyzers

AttackAnalyzers are machines, built on the Threatomaton structure, that are created with a specific attack profile in order to classify a set of packets as an example of that attack or not. The more general Threatomaton structure is what is described below; the subclass AttackAnalyzer differs only in that it can pre-construct a machine on initialization from a specified profile. Any AttackAnalyzer instance also has a type attribute: a string naming the type of attack it is looking for.

STRUCTURE

Threatomata consist of Nodes distributed among three states:

  1. Safe
  2. Preliminary
  3. Threat

Any Threatomaton has only one Safe node: it is automatically created when the Threatomaton is initialized. This is the home base for a Threatomaton: if in Safe, the machine is in a neutral state.

Preliminary nodes represent the possible start of an attack. For example, if an attack can start by either receiving a UDP packet with payload like 'abc', or by receiving 3 TCP packets within 1 second, the corresponding AttackAnalyzer would have one Preliminary node for the UDP packet and three Preliminary nodes in succession for the TCP packets. When a Threatomaton enters the Preliminary state, it begins storing attack data.

Threat nodes represent states in which we know the series of packets being analyzed represents an attack. There can be multiple Threat nodes in any machine, with each representing a particular way an attack can be performed.

FUNCTIONALITY

AttackAnalyzer Threatomata work as follows: on being handed a set of Packet objects to analyze, they will:

  1. Check if the machine as a whole has timed out. If so, any attack that was in progress has completed; therefore, dump the completed attack data into the DB.
  2. Loop through the packets as follows:
    1. Hand the packet to the machine's current node to see if it matches any of that node's stored transitions; if not, ignore it and move on.
    2. If it does, move the machine's current node to the destination of the matched transition, and update the stored attack data (score and attack packets) to include the packet and transition score
    3. Update the machine's state to the state of the new current node.
    4. If the machine has moved from Safe into a Preliminary node, mark this packet as the possible beginning of an attack and begin logging attack data, including the initialization of an Attack object.
    5. If the machine transferred back to the Safe node from either Preliminary or Threat (via a timeout transition or a series of end of attack packets), dump any accrued attack data and reset the machine to a blank starting state.
    6. If the machine is now in Threat, mark the packet in the DB as classified to the current Attack object.

METHODS

  • Threatomaton(source IP address, destination IP address)
  • addPrelimNode() -- returns the index in the Threatomaton's list of Nodes where the new node was inserted
  • addThreatNode() -- returns new node's index
  • addTransition(index of source node, index of destination node, transition score, list of boolean functions to match as transition conditions)
  • processPackets(list of Packet objects to analyze)

IMPLEMENTATION

Threatomata are implemented as a list of Node objects and a dictionary mapping machine state (Safe, Preliminary, or Threat) to a list of indices in the node list of the nodes corresponding to that state.
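The following is an added worked example, not the project's own code, that ties together the STRUCTURE, FUNCTIONALITY, METHODS and IMPLEMENTATION sections above: a Threatomaton kept as a list of Node objects plus a state-to-indices dictionary, the five methods listed above, and the packet-processing loop in the six steps described. Python is assumed (the wiki does not state the language). The `Packet` fields (`proto`, `payload`, `ts`), the `timeout` parameter, the `completed` list standing in for the DB dump, and the profile built in `buildExampleAnalyzer` (the UDP-'abc' and three-TCP-packet Preliminary paths from the STRUCTURE section, plus a constructed transition into Threat and a constructed `b"FIN"` end-of-attack transition back to Safe) are all assumptions made for the example. The wiki checks the whole-machine timeout against wall-clock time once per batch; this example compares packet timestamps instead so that it runs deterministically offline.

```python
from dataclasses import dataclass, field
from typing import Callable, List

SAFE, PRELIM, THREAT = "Safe", "Preliminary", "Threat"


@dataclass
class Packet:
    """Constructed stand-in for the project's Packet object (fields assumed)."""
    proto: str      # "tcp" or "udp"
    payload: bytes
    ts: float       # capture time in seconds


@dataclass
class Transition:
    dest: int                                   # index into Threatomaton.nodes
    score: int
    conditions: List[Callable[[Packet], bool]]  # all must hold for a match

    def matches(self, pkt: Packet) -> bool:
        return all(cond(pkt) for cond in self.conditions)


@dataclass
class Node:
    state: str
    transitions: List[Transition] = field(default_factory=list)


class Threatomaton:
    def __init__(self, srcIp: str, dstIp: str, timeout: float = 1.0):
        self.srcIp, self.dstIp, self.timeout = srcIp, dstIp, timeout
        self.nodes = [Node(SAFE)]                          # node 0 is the single Safe node
        self.stateIndex = {SAFE: [0], PRELIM: [], THREAT: []}
        self.completed = []                                # stands in for the DB dump
        self._reset()

    def _reset(self):
        """Blank starting state: back in Safe with no accrued attack data."""
        self.current, self.state, self.score = 0, SAFE, 0
        self.attackStart, self.attackPackets, self.classified = None, [], []
        self.lastSeen = None

    def _addNode(self, state: str) -> int:
        self.nodes.append(Node(state))
        idx = len(self.nodes) - 1
        self.stateIndex[state].append(idx)
        return idx

    def addPrelimNode(self) -> int:
        return self._addNode(PRELIM)

    def addThreatNode(self) -> int:
        return self._addNode(THREAT)

    def addTransition(self, src: int, dst: int, score: int, conditions):
        self.nodes[src].transitions.append(Transition(dst, score, list(conditions)))

    def _dump(self):
        """Dump accrued attack data (here: append a record) and reset the machine."""
        if self.attackPackets:
            self.completed.append({"score": self.score, "start": self.attackStart,
                                   "packets": list(self.attackPackets),
                                   "classified": list(self.classified)})
        self._reset()

    def processPackets(self, packets: List[Packet]) -> str:
        for pkt in packets:
            # Step 1: timeout (packet timestamps instead of wall clock, see lead-in)
            if self.state != SAFE and self.lastSeen is not None \
                    and pkt.ts - self.lastSeen > self.timeout:
                self._dump()
            node = self.nodes[self.current]
            match = next((t for t in node.transitions if t.matches(pkt)), None)
            if match is None:
                continue                                   # 2.1: no transition, ignore
            prevState = self.state
            self.current = match.dest                      # 2.2: follow the transition
            self.score += match.score
            self.attackPackets.append(pkt)
            self.lastSeen = pkt.ts
            self.state = self.nodes[self.current].state    # 2.3: new state
            if prevState == SAFE and self.state == PRELIM:
                self.attackStart = pkt                     # 2.4: possible start of attack
            if self.state == SAFE:
                self._dump()                               # 2.5: back to Safe, dump
            elif self.state == THREAT:
                self.classified.append(pkt)                # 2.6: classify to the attack
        return self.state


def buildExampleAnalyzer() -> Threatomaton:
    """Constructed profile: UDP 'abc' path and three-TCP-packet path into Threat."""
    m = Threatomaton("10.0.0.1", "10.0.0.2", timeout=1.0)
    isTcp = lambda p: p.proto == "tcp"
    isUdpAbc = lambda p: p.proto == "udp" and p.payload == b"abc"
    p1, p2, p3, pu = (m.addPrelimNode() for _ in range(4))
    t = m.addThreatNode()
    m.addTransition(0, p1, 1, [isTcp])
    m.addTransition(p1, p2, 1, [isTcp])
    m.addTransition(p2, p3, 1, [isTcp])
    m.addTransition(p3, t, 5, [isTcp])        # assumed: a 4th TCP packet completes it
    m.addTransition(0, pu, 1, [isUdpAbc])
    m.addTransition(pu, t, 5, [isUdpAbc])     # assumed: second 'abc' completes it
    m.addTransition(t, 0, 0, [lambda p: p.payload == b"FIN"])  # assumed end-of-attack
    return m
```

Running four TCP packets 0.2 s apart through `buildExampleAnalyzer()` walks Safe through the three Preliminary nodes into Threat (score 8, only the fourth packet classified); a later `b"FIN"` packet takes the machine back to Safe and dumps one record. A packet arriving more than `timeout` seconds after the last matched one triggers the step-1 dump and reset before it is evaluated against the Safe node.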
