Eun-Jung Choi(1), Joo-Young Yu(1), HyungJong Kim(2),
Do-Yoon Ha(2), Myuhng Joo Kim(1),
(1) College of Information and Communications
Seoul Women's University, 126 Gongneung-Dong Nowon-Gu,
Seoul 139-774, Korea
{chej, yjy1024, mjkim}@swu.ac.kr
(2) Korea Information Security Agency,
78 Garak-Dong Songpa-Gu, Seoul 138-803, Korea
email: {hjkim, dyha}@kisa.or.kr
As Internet incidents increase, the demand for 'secure' systems has become a pressing problem. Until now, most security solutions have been passive, protecting an individual host or a particular security system, because Internet incidents have concentrated on the vulnerabilities of specific systems or networks. As a result, many firewalls, intrusion detection systems and scanners have been developed commercially. In recent years, however, most Internet incidents attack the overall information infrastructure, the network and its related systems, and current research remains weak against attacks that arrive through Internet-based networks. Enterprise security management systems and survivability form a new paradigm for defending against Internet incidents: they integrate individual security tools and shift the security viewpoint to the infrastructure as a whole. Furthermore, the organization has to apply a security policy consistently. For this purpose, we propose a notion of defense mechanism and a defense mechanism knowledge base.
The dominant cause of most Internet incidents is vulnerabilities that are exploited by human attackers or by worms. When a new vulnerability is revealed, its information is added to a vulnerability database. A vulnerability database, however, has limits in describing the countermeasures that can be used to remove or avoid the vulnerability. This stems from the lack of analysis of the semantics and patterns of these countermeasures.
In this paper, we define countermeasures from the viewpoint of defense mechanisms and propose representation schemes for them. For the definition, we considered vulnerabilities, attacks, and the relation between them; the resulting structure combines atomic vulnerabilities, attack steps, solutions, and so on. For the representation, we studied the rules of existing intrusion detection systems and firewalls. As a result of the semantic analysis, defense mechanisms are classified into prevention, detection, recovery and tolerance according to when the mechanism is applied. As a result of the pattern analysis, each defense mechanism is represented as a composition of aim, condition, and action.
Reflecting these factors, we have implemented a new knowledge base of defense mechanisms called DMKB (Defense Mechanism Knowledge Base), in which users can browse the whole knowledge base by keyword search through a GUI. Our work can be used in constructing automatic security test and management environments.
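The following is an added illustration, not code from the paper or from DMKB itself, of the representation scheme described above: each mechanism is an aim/condition/action triple, classified by the phase in which it applies (prevention, detection, recovery, tolerance) and linked to the atomic vulnerabilities and attack steps it counters. The class names, field names, vulnerability and step identifiers, and the sample entries (a worm exploiting a buffer overflow in a network daemon) are all constructed for the example; the keyword search and the phase-grouped lookup stand in for the kind of query a GUI over such a knowledge base would offer.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List


class Phase(Enum):
    """When a defense mechanism takes effect relative to an attack (the four classes in the paper)."""
    PREVENTION = "prevention"  # applied before the attack can succeed
    DETECTION = "detection"    # applied while or after the attack occurs, raising an alert
    RECOVERY = "recovery"      # applied after a successful attack, restoring the system
    TOLERANCE = "tolerance"    # applied during the attack, keeping the service available


@dataclass(frozen=True)
class DefenseMechanism:
    """One knowledge-base entry: an aim/condition/action triple tied to the atomic
    vulnerabilities and attack steps it counters. Field names are assumptions for this example."""
    name: str
    phase: Phase
    aim: str            # what the mechanism is meant to achieve
    condition: str      # when the mechanism can be applied
    action: str         # the concrete action, e.g. a firewall or IDS rule
    vulnerabilities: FrozenSet[str]  # atomic vulnerability identifiers (constructed)
    attack_steps: FrozenSet[str]     # attack step identifiers (constructed)


class DMKB:
    """Minimal in-memory knowledge base with keyword search and phase-grouped lookup."""

    def __init__(self) -> None:
        self._entries: List[DefenseMechanism] = []

    def add(self, mech: DefenseMechanism) -> None:
        self._entries.append(mech)

    def search(self, keyword: str) -> List[DefenseMechanism]:
        """Case-insensitive keyword search over name, aim, condition and action."""
        kw = keyword.lower()
        return [m for m in self._entries
                if any(kw in text.lower() for text in (m.name, m.aim, m.condition, m.action))]

    def countermeasures(self, vulnerabilities: Iterable[str],
                        attack_steps: Iterable[str]) -> Dict[Phase, List[str]]:
        """Names of mechanisms that address any given atomic vulnerability or attack step,
        grouped by the phase in which they apply (every phase is present, possibly empty)."""
        vulns, steps = set(vulnerabilities), set(attack_steps)
        result: Dict[Phase, List[str]] = {phase: [] for phase in Phase}
        for m in self._entries:
            if m.vulnerabilities & vulns or m.attack_steps & steps:
                result[m.phase].append(m.name)
        return result


def build_sample_kb() -> DMKB:
    """Constructed entries for a worm that scans for, exploits and spreads through
    a buffer overflow in a network daemon. Identifiers and the port are made up."""
    kb = DMKB()
    kb.add(DefenseMechanism(
        "patch-daemon", Phase.PREVENTION,
        aim="remove the overflow so the exploit step fails",
        condition="vendor patch for the daemon is available",
        action="apply the patch and restart the daemon",
        vulnerabilities=frozenset({"V-daemon-overflow"}), attack_steps=frozenset({"S-exploit"})))
    kb.add(DefenseMechanism(
        "block-port", Phase.PREVENTION,
        aim="prevent remote reach of the daemon's port",
        condition="the service is not needed outside the LAN",
        action="firewall rule: deny tcp any -> any port 1234",
        vulnerabilities=frozenset({"V-daemon-overflow"}), attack_steps=frozenset({"S-scan", "S-exploit"})))
    kb.add(DefenseMechanism(
        "ids-signature", Phase.DETECTION,
        aim="alert on exploit payloads sent to the daemon",
        condition="an IDS sensor sees traffic to the daemon",
        action="IDS rule matching the overflow payload signature",
        vulnerabilities=frozenset({"V-daemon-overflow"}), attack_steps=frozenset({"S-exploit"})))
    kb.add(DefenseMechanism(
        "restore-host", Phase.RECOVERY,
        aim="return a compromised host to a known-good state",
        condition="the host is confirmed infected",
        action="reimage the host from a trusted backup",
        vulnerabilities=frozenset(), attack_steps=frozenset({"S-propagate"})))
    kb.add(DefenseMechanism(
        "rate-limit", Phase.TOLERANCE,
        aim="keep the service usable while the worm scans",
        condition="connection rate exceeds the baseline",
        action="limit new connections per source address",
        vulnerabilities=frozenset(), attack_steps=frozenset({"S-scan"})))
    return kb


if __name__ == "__main__":
    kb = build_sample_kb()
    for phase, names in kb.countermeasures(["V-daemon-overflow"], ["S-scan"]).items():
        print(f"{phase.value:10s} {names}")
```

Grouping the lookup by phase is what makes the classification useful in practice: for a given vulnerability and observed attack step, an operator (or an automated test harness) can see at once which mechanisms could have stopped the attack, which would have detected it, and which only limit its effect.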