Brian J. d'Auriol, Vertical Intrusion Model for Network-Based Computer Attacks (NetVIM), Invited Talk, Feb. 11, 2005, UTEP Student Chapter of the ACM Meeting, University of Texas at El Paso, TX, USA.

Today's business and computing infrastructure is becoming increasingly Internet-based. At the same time, exposing sensitive business information, resources and operational corporate content to a public access medium creates significant risk of, and ample opportunity for, network and computer attacks. The benefits of networked business computer infrastructures can be significantly reduced once the costs of network-based attacks, and of recovering from compromised systems, are taken into account. This talk outlines the Vertical Intrusion Model for Network-Based Computer Attacks (NetVIM). NetVIM is a vertical four-layer model proposed for the identification, detection and profiling of network-based attacks. NetVIM models attack profiles consisting of the components involved in the physical delivery, the computation and communication processes involved, and the states and state transitions inherent in an attack. Attack profiles allow for both forward and reverse prediction of attacks. Consider the case where NetVIM detects suspicious activity at some point in an attack sequence, after the attack has already been launched. NetVIM allows for matching the detected suspicious activity to states in the attack profile, thereby also determining attack states that have already occurred or are likely to occur. NetVIM could then scan past network or host logs for evidence of specific activities that would match past states, and heighten scanning for expected attack vectors. A case study of the core capabilities of NetVIM is also presented.
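The forward and reverse prediction described above, as an added Python example that is not NetVIM's own code: an alert is matched to a state in an attack profile, predecessor states are looked up in past logs, and successor states become the watch list. The profile, state names, log patterns, log lines and addresses are all constructed assumptions; the abstract does not specify NetVIM's profile format.

```python
import re
# Hypothetical attack profile (constructed): state -> (log pattern, next states).
PROFILE = {
    "probe": (r"port scan", ["login_guess"]),
    "login_guess": (r"Failed password", ["access"]),
    "access": (r"Accepted password", ["escalate", "exfil"]),
    "escalate": (r"privilege change", ["exfil"]),
    "exfil": (r"outbound transfer", []),
}
# Constructed sample logs using documentation-range addresses.
HISTORY = [
    "09:01:02 fw: port scan from 192.0.2.10",
    "09:03:10 sshd: Failed password for root from 192.0.2.10",
    "09:03:11 sshd: Failed password for root from 198.51.100.7",
    "09:05:40 sshd: Accepted password for deploy from 192.0.2.10",
]
ALERT = "09:20:00 host: privilege change for deploy, session from 192.0.2.10"

def classify(line):
    """Map a log line to the profile state it is evidence of, or None."""
    for state, (pattern, _) in PROFILE.items():
        if re.search(pattern, line):
            return state
    return None

def reachable(start, edges):
    """States reachable from start along edges, excluding start itself."""
    seen, stack = set(), list(edges[start])
    while stack:
        state = stack.pop()
        if state not in seen:
            seen.add(state)
            stack.extend(edges[state])
    return seen

def predict(detected):
    """Return (states that may already have occurred, states that may follow)."""
    forward = {s: nxt for s, (_, nxt) in PROFILE.items()}
    reverse = {s: [p for p, nxt in forward.items() if s in nxt] for s in forward}
    return reachable(detected, reverse), reachable(detected, forward)

def scan_history(lines, past_states, src):
    """Collect earlier log lines from src that match a predicted past state."""
    hits = {}
    for line in lines:
        state = classify(line)
        if state in past_states and src in line.split():
            hits.setdefault(state, []).append(line)
    return hits
```

Calling `predict(classify(ALERT))` and passing the first result to `scan_history(HISTORY, past, "192.0.2.10")` returns the earlier scan, failed-login and login lines from that source, and leaves `exfil` as the state to monitor for.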

