Re: On classifying attacks

[Daniel Weber <djweber () alum mit edu>]

Crispin Cowan wrote:
> I participated in that Lincoln Labs study, and my recollection is
> that the remote/local distinction was already popular on bugtraq at
> the time.

I was working on that project, and Dr. Cowan's recollection matches
mine.  Talks of "local" and "remote" were already in use somewhat on
Bugtraq, although I don't think they had yet become universal.  (I'd
like to claim that the Lincoln studies helped push use of those terms
along, but the concepts are so simple and elegant that their universal
use was inevitable.)

One of the mental models involved in those 1998 classifications of
attacks was a "presence" of an attacker -- is the attacker outside
your network, on your network, or on your machine as a non-privileged
user?  This model doesn't necessarily fit in well with some of today's
most common attacks, as was mentioned when this thread started.

It's not that trojan horses (whether you interpret that to mean just
hostile applications, or hostile data run by vulnerable applications)
weren't known about in 1998.  It's that those attacks weren't
considered all that important when compared to things that were more
common at the time -- smurf attacks, pings of death, Sendmail buffer
overflows, SYN queue starvation.



I've seen a lot of classification schemes proposed on Bugtraq in the
intervening years, some of them quite good.  (Search the archives for
"taxonomy" or "classification".)  But unless they are -very- simple to
use, they won't be taken up by the community.  If you can come up with
a single word that imputes the concept of "malicious data that I can
easily get onto the victim's machine and in front of the victim's
eyes but requires him to run it," that would be a great step forward.

Simplicity is key.  (Unlike this posting, which I did not have time 
to make shorter and simpler.)