ACML: Capability Based Attack Modeling Language

Abstract

In this paper, we propose attack capability modelling language (ACML) used for capability model proposed by Zhau et. al. is a specification and description language that has been utilized to express the capability gained by attacker at each step in the intrusion process. These capabilities have been defined using the IDS alerts. Moreover the language also provides for the specification of compete attack scenarios in terms of capabilities of the intruder. This, in turn, helps to determine the state of the system, in terms of the extent of infiltration. ACML helps to avoid ambiguity in capability specifications while sharing among developers. We also propose attack capability modelling framework (ACMF) which forms the basis of a capability model-based semi-automated alert correlation process, which has been used to detect and identify the attack scenarios from IDS alerts. The framework consists of the tools for the implementation of the algebraic structure of capability, as defined in Pandey et al., which are needed for the correlation algorithm. Additionally, the language also has features for customizing the definitions of these structures as well as for customizing the correlation algorithm. To verify the expressiveness of the language and its suitability in describing attack capability model, experimental result of standard benchmark has been discussed.