PARA'04 State-of-the-Art in Scientific Computing
June 20-23, 2004

Updated: 5 March 2004

DMKB : Defense Mechanism Knowledge Base

Eun-Jung Choi, Joo-Young Yu, HyungJong Kim, Do-Yoon Ha, and Myuhng Joo Kim
Seoul Women's University, KISA
email: {hjkim,dyha,chej}@swu.ac.kr

The dominant cause of most Internet incidents is vulnerabilities that are exploited by a human attacker or by a worm. When a new vulnerability is revealed, its information is added to the vulnerability database. The vulnerability database, however, is limited in how it describes the countermeasures that can be used to remove or avoid vulnerabilities. This limitation comes from the lack of analysis of the semantics and patterns of these countermeasures.

In this paper, we define countermeasures from the viewpoint of defense mechanisms and suggest representation schemes for them. For the definition, we considered vulnerabilities, attacks, and the relation between them. That structure combines atomic vulnerabilities, attack steps, solutions, and so on. For the representation, we studied the rules of existing intrusion detection systems and firewalls. As a result of the semantics analysis, defense mechanisms are classified into prevention, detection, recovery and tolerance according to when the mechanism is applied. As a result of the pattern analysis, each defense mechanism is represented as the composition of an aim, a condition, and an action.

Reflecting these factors, we have implemented a new knowledge base on defense mechanisms called DMKB (Defense Mechanism Knowledge Base), in which users can browse the whole knowledge base by keyword search through a GUI. Our work can be utilized in constructing an automatic security test and management environment.
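As an added illustration of the two points above (the aim/condition/action representation with its four timing classes, and keyword browsing over the knowledge base), the following is example code written for this page, not DMKB's own implementation; the entry schema, the AND-style keyword search, the per-phase coverage check and the sample entries with placeholder vulnerability identifiers are all assumptions.

```python
from dataclasses import dataclass
import re
# The four classes the abstract derives from *when* a mechanism is applied.
PHASES = ("prevention", "detection", "recovery", "tolerance")

@dataclass(frozen=True)
class DefenseMechanism:
    # One knowledge-base entry: aim + condition + action, linked to the
    # atomic vulnerabilities and attack steps it addresses (assumed schema).
    name: str
    phase: str
    aim: str
    condition: str
    action: str
    vulnerabilities: tuple = ()
    attack_steps: tuple = ()

def _terms(text):
    # Tokenise into lower-case keywords; hyphenated ids stay one token.
    return set(re.findall(r"[a-z0-9_-]+", text.lower()))

class DMKB:
    def __init__(self, mechanisms):
        self.mechanisms = list(mechanisms)
        self.index = {}  # keyword -> set of mechanism names (inverted index)
        for m in self.mechanisms:
            assert m.phase in PHASES, m.phase
            text = " ".join((m.name, m.aim, m.condition, m.action,
                             *m.vulnerabilities, *m.attack_steps))
            for kw in _terms(text):
                self.index.setdefault(kw, set()).add(m.name)

    def search(self, query):
        # All query terms must match (AND semantics); sorted for stable output.
        sets = [self.index.get(t, set()) for t in _terms(query)]
        return sorted(set.intersection(*sets)) if sets else []

    def coverage(self, vuln_id):
        # Phases holding at least one mechanism for the vulnerability; False = gap.
        covered = {m.phase for m in self.mechanisms if vuln_id in m.vulnerabilities}
        return {p: p in covered for p in PHASES}

# Constructed sample entries; VULN-X / VULN-Y are placeholders, not real IDs.
KB = DMKB([
    DefenseMechanism("fw-block-port", "prevention", "deny remote exploit of VULN-X",
                     "inbound tcp to port 9999", "drop packet", ("VULN-X",), ("scan", "exploit")),
    DefenseMechanism("ids-sig-overflow", "detection", "detect exploit of VULN-X",
                     "payload matches overflow signature", "alert", ("VULN-X",), ("exploit",)),
    DefenseMechanism("rate-limit-login", "tolerance", "survive password guessing",
                     "over 5 failed logins per minute", "throttle source", ("VULN-Y",), ("bruteforce",)),
])
```

The coverage check is where such a knowledge base feeds security management: a vulnerability with prevention and detection entries but no recovery entry is reported as a gap rather than silently left uncovered.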
