A Novel Approach for Network Attack Classification Based on Sequential Questions


📝 Original Info

  • Title: A Novel Approach for Network Attack Classification Based on Sequential Questions
  • ArXiv ID: 1804.00263
  • Date: 2019-02-13
  • Authors: not provided in the supplied excerpt.

📝 Abstract

With the development of emerging technologies, user devices are becoming more exposed and more often abused by adversaries. In the coming decades, traditional security measures will not be sufficient to handle this growing threat to distributed hardware and software. The lack of a standard network attack taxonomy has become a serious obstacle to developing a clear understanding of attacks, which is needed for an effective protection mechanism. Existing attack categorization techniques each protect against a specific group of threats, which has either cluttered the overall taxonomy structure or left it ambiguous when one network attack is blended with several others. This raises the need for a common, general-purpose taxonomy. In this study, a categorization model based on sequential question-answering is proposed: an intrusion detection framework and a threat grouping schema are built on four sequential questions (Who, Where, How and What). We have used our method to classify traditional network attacks in order to identify the initiator, source, attack style and seriousness of an attack. A further focus of the paper is a preventive list of actions for network administrators, as a guideline to reduce the overall consequences of an attack. The recommended taxonomy is designed to detect common attacks rather than any particular type of attack, which can have a practical effect on real-life attack classification. From the analysis of the classifications obtained for a few infamous attacks, it is clear that the proposed system holds certain benefits over the prevailing taxonomies. Future research directions are also acknowledged.

📄 Full Content

Network attack classification is the process of grouping network attacks into specific subgroups in order to recognize similar types of attack in future. The purpose of this classification is to learn more about the characteristics of a network attack, such as its origin, scope, initiator and seriousness. It also lets us plan effective defences and preventive measures to reduce the consequences of attacks on global networks. Network attack classification is the first step towards a clear idea of the attacking style and of the subsequent system protection.

The fast increase of network attacks in both scale and severity encourages us to classify and investigate network attacks in detail. There is a large body of research on network attack classification: vulnerabilities [1][2], lists of terms as taxonomy [3], applications of taxonomy [4][5][6][7] and multi-dimensional taxonomies [8][9], among others. Before defining a classification for network attacks, it is important to define the requirements that the new classification must comply with [10]. Bailey and Bishop, in their study, outline a classification that allows unique identification of objects [3]. Attack categorizations have served as a helpful tool in modelling security guidelines for a defence mechanism. Here, we selected some requirements relevant to the proposed classification from the studies [10][11]:

  • Accepted [12]: The taxonomy can be generally approved. It must be designed so that it becomes a commonly accepted one.
  • Understandable [12]: The classification should be easy to understand by those in the network, security or related fields.
  • Completeness [13]: For a classification to be complete, all network attacks must be included in it and have a specific category. It is difficult to prove that a classification is complete, but it can be accepted on the basis of the successful categorization of actual attacks. The above two requirements reflect that a taxonomy should account for all threats and be capable of categorizing them; it should be accepted through the successful categorization of the threats.
  • Mutually exclusive [13]: This requirement places each attack in exactly one class.
  • Repeatable [12][13]: The classification must be repeatable.
  • Unambiguous [12][13]: Groups must be defined clearly, so that there is no doubt as to which category a network attack belongs in.
  • Useful [12][13]: A useful classification can be used in the network field, the security field or other related fields.

Other early taxonomies were Protection Analysis (PA) and Research in Secured Operating System (RIOS) [14][15]. They also focus on vulnerabilities rather than attacks, but they provided categories of security defects and led to related grouping schemes. The direct use of syntactic and semantic relations between attacks through ontologies was discussed in [15]. Field-specific taxonomies also exist, for example for computer worms [16] and standardized attacks [15]. Several of these taxonomies are introduced in the next part of this study. Hidden Markov models (HMM), together with Markov models, are currently being used for attack classification; HTTP payloads were analysed with an HMM in work of this kind [17]. Pattern identification is the main idea of attack categorization, and an HMM can readily estimate unknown parameters from observations and feature considerations. Healthcare and financial anomaly detection were addressed in a study of this kind [18], where false data injection attacks (FDIA) and their full scope on smart grid and healthcare technology were discussed. Network equipment such as switches and routers is also at high risk of attack; the money and energy lost in recovering devices from such an attack was discussed by Onik [19].

This study proposes a new approach that is built on the sequential questions ‘Who’, ‘Where’, ‘How’ and ‘What’. Attacks that have the same type of attacker (Who), the same locations where the attacks began (Where), similar tools (How) and the same degree and type of attack range (What) can be considered the same type of attack. Our proposed classification takes a different approach from the classifications above but also uses them as part of our taxonomy. We build this classification on the normal sequence in which every network attack occurs. First, every network attack is controlled by a person or a group of people, an organization or a government; that is why “Who” is the first question in our model. Second, every attack has a starting point at some place or location and also has a destination to destroy or disrupt; this is our “Where” question. Next, the “How” question covers the tools, the methods or the vulnerabilities that a network attack can exploit to perform its actions; this is the most complicated question in our taxonomy. The last question, “What”, describes th
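As an added illustration (example code written for this page, not the paper's own implementation), the following Python sketches the sequential Who/Where/How/What grouping described above and the completeness requirement listed earlier: attacks are classified by answering the four questions in order, attacks with identical answers fall into one class, and any attack whose answer lies outside the taxonomy is reported as unclassified. The answer sets for each question and the sample attack records are assumptions, since the excerpt names the questions but does not enumerate their answers.

```python
"""Sequential Who/Where/How/What grouping with a completeness check.
Answer sets below are assumptions; the excerpt does not enumerate them."""
from collections import defaultdict

WHO = {"individual", "group", "organization", "government"}  # initiator
WHERE = {"internal", "external"}  # assumed: where the attack began
HOW = {"tool", "vulnerability"}   # assumed: means used to attack
WHAT = {"low", "medium", "high"}  # assumed: seriousness / attack range
QUESTIONS = (("who", WHO), ("where", WHERE), ("how", HOW), ("what", WHAT))

def record(name, who, where, how, what):
    """One attack record: a name plus the answers to the four questions."""
    return {"name": name, "who": who, "where": where, "how": how, "what": what}

def classify(rec):
    """Answer the four questions in order; return the class key tuple,
    or None as soon as an answer falls outside the taxonomy."""
    key = []
    for question, answers in QUESTIONS:
        value = rec[question]
        if value not in answers:
            return None  # unclassifiable: breaks the completeness requirement
        key.append(value)
    return tuple(key)

def group_attacks(records):
    """Attacks with identical answers to all four questions share a class."""
    classes, unclassified = defaultdict(list), []
    for rec in records:
        key = classify(rec)
        (unclassified if key is None else classes[key]).append(rec["name"])
    return dict(classes), unclassified

def is_complete(records):
    """Completeness requirement: every attack receives a category."""
    return not group_attacks(records)[1]

# Constructed sample records (not from the paper).
SAMPLE = [
    record("worm-A", "group", "external", "vulnerability", "high"),
    record("insider-B", "individual", "internal", "tool", "medium"),
    record("worm-C", "group", "external", "vulnerability", "high"),
    record("odd-D", "individual", "external", "phone-call", "low"),
]
```

With the sample records, worm-A and worm-C share one class, while odd-D answers "How" with a value outside the assumed set and so shows the taxonomy failing the completeness requirement.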

This content is AI-processed based on open access ArXiv data.
