| Much research has been done in modeling network intruder attacks using attack graphs and the requires-provides model. However, that research has focused on the attackers' use of vulnerabilities and other known or unknown flaws in existing services. An attacker could utilize what would otherwise be considered valid actions within a system before or after an attack, or he could take advantage of a misconfiguration of a service in order to delve deeper into that system.This paper presents System Analyst, a tool suite for generating requires-provides relations that represent the security consequences of the configuration of various services. These relations can then be utilized by intrusion detection engines or forensic tools to enable a greater level of correlating events of an attack, or as a configuration checker for detecting dangerously configured and misconfigured services on a computer system. |
