A Novel Approach for Network Attack Classification Based on Sequential Questions

With the development of emerging technologies, user devices are becoming more exposed to, and more often abused by, adversaries. In the coming decades, traditional security measures will not be sufficient to handle this growing threat to distributed hardware and software. The lack of a standard network attack taxonomy has become a major obstacle to developing a clear understanding of attacks, which is needed for an effective protection mechanism. Existing attack categorization techniques cover a specific group of threats; they either clutter the entire taxonomy structure or become ambiguous when one network attack is blended with a few others. Hence, there is a need for a common, general-purpose taxonomy. In this study, a sequential question-answer based model of categorization is proposed: an intrusion detection framework and threat grouping schema built on four sequential questions (Who, Where, How and What). We have used our method to classify traditional network attacks in order to identify the initiator, source, attack style and seriousness of an attack. A further aim of the paper is to provide a preventive list of actions for network administrators, as a guideline for reducing the overall consequences of an attack. The recommended taxonomy is designed to detect common attacks rather than any particular type of attack, which can have a practical effect in real-life attack classification. From the analysis of the classifications obtained for a few infamous attacks, it is evident that the proposed system holds certain benefits relative to the prevailing taxonomies. Future research directions are also identified.


Introduction
Network attack classification is the process of grouping network attacks into specific subgroups in order to recognise similar types of attack in the future. The purpose of this classification is to learn more about the characteristics of a network attack, such as its origin, scope, initiator and seriousness. We can also plan effective defences and preventive measures as well to

The Necessity of Network Attack Classification:
The main reason for a new taxonomy is the lack of a standard, globally accepted classification. The first problem is that most taxonomies relate only to a specific field of interest. The second problem is how existing studies have classified blended attacks. Attacks that contain other attacks produce a messy structure during classification: the list of classes becomes almost infinite with few instances in each category, or, in multi-dimensional taxonomies, each leaf node may point to other leaf nodes, which makes them difficult to use for classification. The last problem is that existing taxonomies face unlimited sub-branches in their classifications when network attacks do not have many common traits. As a result, the simplicity of list classifications, or the inheritance structure of multi-dimensional ones, is lost. Although collective anomaly detection techniques for network traffic attacks were analysed and discussed in a few studies [20], we propose this sequential question-based attack classification for further generalization. Another classification was proposed by MIT Lincoln Laboratory, where multi-dimensional attack grouping was done on the basis of the level of privileges [21]. In that classification, attacks were divided into remote vs local, user vs root, probing and denial of service (DoS) [21]. With these requirements in mind, in the next section we discuss some previous classifications. By evaluating these studies [22][23][24], we outline three reasons for a new classification:
1. Administrators very often have difficulty detecting the exact attack sub-group because of complex taxonomies. This causes delay, which makes the situation worse.
2. Organizations collect attack information differently, each with its own way of classification, so in future that data cannot help other classifications. Since our proposed classification applies to every kind of attack, the collected information can easily be reused by this taxonomy for a similar case in the future.
3. There is no fixed or standardized taxonomy; many taxonomies are being created from different viewpoints.

Literature Review:
Based on vulnerability classification: Based on genesis, time of introduction and location, Landwehr presented one of the earliest attack taxonomies, shown in Figure. 1 [2]. Separately, Matt Bishop [3] introduced a categorization of UNIX weaknesses in which the root causes of the weaknesses were used to build an attack taxonomy. He introduced six "axes" for arranging vulnerabilities: time of introduction, nature, exploitation domain, minimum number, effect domain and cause. Bishop suggested that a key advantage of a classification is that it ought to help decide where to invest resources to prevent an attack.
Based on type of vulnerability classification: Lists of terms were the simplest and most popular taxonomy, but they did not help much. They consisted of a necessarily long list of attack terms without classifying them. Cohen presented terms for threat grouping: harassment, denial of service, hiding, illegal information duplication, software piracy, reduction of service quality, worms and malware, etc. [1].
Figure 2. Attack classification matrix [4].
Secondly, Alvarez [5] proposed a web threat grouping with around ten classes and sub-classes. This research focused on the stages of attack progression, which helped to understand the characteristics and manner of an attack. Another taxonomy, related to denial-of-service (DoS) attack classification, was proposed by Anthony and Mirkovic [6][7]. These classifications are specific to DoS attacks, but they can help us identify the attacker, his capabilities, targets, vulnerabilities and end results. In another respect, they can help us understand the weakness exploited, the communication mechanism, the degree of automation, the impact on victims, etc. Figure.
Based on multiple dimension classification: Nowadays, describing network attacks with a single attribute cannot cover all the characteristics of an attack process. Several approaches are therefore based on multi-dimensional classification.
In [9], Howard proposed a classification for network and computer attacks with five stages: access, tools, objectives, attackers and results. The attackers are the types of people who launched an attack. Tools are the means the attackers used to perform their actions. Access is obtained through implementation, configuration or design weaknesses. After access is gained, the outcome can be theft of service or corruption of information. This classification focused on the attack, not on its process. Figure
Hansman [10] used the concept of dimensions to introduce his computer and network attack classification. There are four dimensions in Hansman's taxonomy. The first dimension is used to categorize a threat into a group based on the attack vector. The second dimension covers the attack target. Vulnerabilities and exploits are covered in the third dimension. The final dimension considers the possibility of a threat carrying a payload or producing an outcome that does not belong to the threat itself.

Proposed Classification
The motivation of our proposed classification: Our classification follows the network attack process through four sequential questions: Who, Where, How and What. The approach is based on the idea that all similar network attacks proceed in a similar way, and the classification is built from those four questions. By following the network attack process from launch to end, this approach adapts to all requirements of a network attack classification and covers all current network attacks in a simple way that will also be useful in future. The four questions link together as shown in Figure. 6. The next part illustrates the details of each question and the way in which they are used to provide a complete classification.

Who launched a network attack?
The WHO question identifies who launched the attack. We group attackers into five categories; these categories and their related objectives are shown in Figure. 7.
• Joker - performs a network attack primarily for learning and challenge. An example is Jonathan James, a US student who hacked the US Department of Defense and NASA. Similar cases are mentioned in this blog [25].
• White-hat hackers - perform a network attack to find the vulnerabilities of the attacked network and report them to the network administrator. This type of hacker just finds the backdoor in order to help the administrator stop future attacks of this kind [26].
• Black-hat hackers - perform a network attack by exploiting some vulnerabilities of the network and damage or steal information from the attacked network.
• Little sisters - organizations or companies that launch attacks on a competitor's network for financial gain.
• Big brothers - governments or government-related organizations that launch attacks primarily in order to achieve political gain. For example, hacking groups that were active after Donald Trump won the US election are mentioned in this study [27].

WHERE is network attack from and WHERE is it to?
For the WHERE question, every network attack has an initiation point from which it is launched, and its attack scope depends on the targeted objects and on the WHO of the previous question. Therefore, we divide the WHERE question into two sequences: (i) initiated location and (ii) attack scope. The relationship between initiated location and attack scope in WHERE is shown in Figure. 8.
i. Initiated location: For the initiated location, there are two types of address. One is host-based initiation, where an attack is launched from a computer or any device that has a network connection; the other is network-based initiation, where an attack is launched by multiple devices connected together.
ii. Attack scope: By attack scope, we separate network attacks into five categories:
• Object-based - the target of the attack is a single real-life object that has a network connection, such as a car, a mobile phone, a smart watch and so on. Here we can have several groups of object: computer, mobility device, embedded device and network equipment.
• Host-based - the target of the attack is a computer terminal such as a personal computer or a server; after gaining access to this host, the attack can easily expand to other hosts in the same network as the victim host.
• Local segment-based - the target of the attack is a segment of the network in which many hosts are connected with each other. A Metropolitan Area Network is one example; other similar examples are a Local Area Network and a Wide Area Network.
• Segment-to-segment-based - this type of attack targets the core of the global network (User-to-Network Interface, Network-to-Network Interface), for example the Border Gateway Protocol.
• Wireless network-based - the target of the attack is a mobile network, such as Bluetooth or a WiFi hotspot.

How does the attack succeed?
The HOW question can be restated as: how does a network attack perform its actions and gain access to the attacked system? To answer this question, we propose three sub-processes: vulnerabilities, hacking tool platform and attack channel. There are already many taxonomies for vulnerabilities, and classifying vulnerabilities is out of scope for this paper. Here we focus on the way vulnerabilities are exploited using hacking tool platforms and attack channels. To perform hacking actions quickly, the WHO uses some hacking tool platform. In this paper, we propose four types of platform (Figure. 9):
• Software - a hacking platform based on the operating system (OS) of devices or on applications installed on devices.
• Hardware - a hacking platform based on physical access to devices in order to change their normal functions.
• Embedded hardware - a hacking platform that uses the firmware of devices to perform the hacking actions, as well as to change the features of the firmware for the attacker's purposes.
• Mobile - a newly rising hacking platform that obtains unauthorized permissions from applications installed on mobile devices, or from SMS/MMS services.
Using hacking tool platforms, an attacker from WHO must rely on some channel to gain access and steal information. Five types of channel are proposed (Figure. 9):
• Legacy network equipment ports - the type of channel that follows standardized network protocols.
• Undefined network equipment ports - the type of channel that follows special network protocols produced by manufacturers.
• Virtualization channel - the type of channel based on cloud computing or virtualization techniques.
• User-to-network channel - the normal channel used in daily network activities, exploited by an attacker, as in Man-in-the-middle (MITM) or a DDoS botnet.
• Network-to-network channel - the channel relied on in the core of the network, exploited using segment-by-segment protocols.
Figure 9. HOW question.

What is the type of the attack?
The last question concerns the intensity of a network attack on the specific network. This question belongs at the end of the attack process, when attackers from WHO have already gained access to the system and can control the attacked network by themselves through WHERE and HOW. The intensity and type of an attack depend on the objectives of the attacker, and the WHAT question divides them into three types. The following three situations help us define the type of attack after the malicious code has already infected the system, and so tell us to what extent we should defend. With the WHAT question we can detect the strength and type of the attack; our intention is to know the class and effect of an attack through this question. When any one of the three occurs, we detect that type of attack. Figure. 10 depicts the types of the WHAT question.
• Abnormal system activities - when the network shows abnormal activity in its resources, such as CPU utilization, disk utilization or network utilization.
• Traffic volume - when the network has to respond to a large number of requests aimed at stealing its information. Only restrictions and limitations on data apply to this subcategory.
• Controllable requests - when the network detects that some abnormal requests have occurred, whether host-based or network-based.
Figure 10. WHAT question.

Overall Taxonomy in a nutshell:
The overall taxonomy with all its subclasses is shown in Figure. 11. This taxonomy does not focus on any particular sector of attack; rather, it can classify every kind of attack. With our proposed taxonomy, an attack can be defended against more easily if an administrator knows the attacker, how it attacks and how much trouble a particular attack can cause.
Figure 11. Sequential Question-based Network attack taxonomy.

Evaluation and Discussion
In the last two sections, we discussed other classification methods and proposed our classification. In this section, we evaluate our classification by classifying a few network attacks and worms with the proposed system. Firstly, we compare the presence of key characteristics according to a study [10] with two other studies [28][29] that did a similar kind of classification, as shown in Table. 1. In Table. 2 to Table. 6, the 'Sequential Question' classification is assessed by relating it to a few other noteworthy classifications. The comparison reveals three drawbacks of previous classifications. Firstly, useful information was unavailable when Lough described the threat with VERDICT. Secondly, Howard's classification helps us only with common evidence. Thirdly, valuable information about the method of payload was supplied by Hunt and Hansman's classification; it also provides some information regarding target, operation and vulnerability, but no particular preventive measures were mentioned.
A study by Aziz proposed prevention according to attack classification [36]. Another study mentioned other protection mechanisms against security issues related to fingerprint forgery [37]. Collective anomaly detection techniques were analysed in studies where data from network traffic were taken into account [38][39]. Similarly, the proposed 'Sequential Question' classification can deliver data to a system administrator regarding the attacker, the technique of attack and the threat consequence, in order to decrease the attack's influence. Probable defence mechanisms under the proposed scheme are shown in Table. 7:
TABLE 7 Defence actions based on Sequential question (proposed) taxonomy.

Sequential Question | Defence Action
WHO | The attacker and his intention are known to the administrator. Therefore management and the administrator can act as follows: 1. Take action against the attacker, and after that secure the system. 2. Secure the system and thank the reporter for identifying the vulnerability. 3. Hold an international meeting and resolve the matter. 4. Just secure and save the system.
WHERE | The attack source and path are known. Therefore the administrator can install filtering systems such as firewalls, spam filters, censorware and wiretaps. Certain systems and devices can be marked as risky for easy identification and recovery.
HOW | The administrator knows through which means the system will be affected. Knowing how the system will be affected, he can take extra care with those parts or isolate them.
WHAT | Finally, if the administrator knows the characteristics of the computer system after the attack, it is easy to decide the safety level that should be installed. The virus can partially attack a certain system or take control of the whole system after a successful attack. The administrator can act according to the type of network attack. Avoiding the result on the particular system can be a possible preventive measure.
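As an added illustration (not code from the paper or its authors), the following Python module encodes the four sequential questions of the overall taxonomy (Figure. 11) as a small rule-based classifier and maps each answer to the defence guidance of Table 7. The category names follow the paper; the Observation record, the motive-to-WHO and target-to-scope mappings, the WHAT detection thresholds, the constructed incident record and the per-class wording of the defence actions are assumptions made for this example.

```python
"""Sequential-question (WHO / WHERE / HOW / WHAT) attack classifier.

Added example, not the paper's code. Category names follow the taxonomy;
the Observation fields, mappings and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed mapping from an observed motive to the paper's five WHO classes.
WHO_BY_MOTIVE = {"learning": "joker", "disclosure": "white-hat",
                 "profit": "black-hat", "competition": "little-sister",
                 "political": "big-brother"}
# Assumed mapping from the kind of target to the paper's five WHERE scopes.
SCOPE_BY_TARGET = {"device": "object-based", "host": "host-based",
                   "lan": "local-segment-based",
                   "backbone": "segment-to-segment-based",
                   "wifi": "wireless-network-based"}
PLATFORMS = {"software", "hardware", "embedded-hardware", "mobile"}
CHANNELS = {"legacy-port", "undefined-port", "virtualization",
            "user-to-network", "network-to-network"}
CPU_ABNORMAL = 0.90     # assumed threshold: fraction of CPU busy
RPS_FLOOD = 10_000      # assumed threshold: requests per second


@dataclass
class Observation:
    motive: str                  # what the handler believes drove the attacker
    source_addresses: List[str]  # addresses the attack was launched from
    target_kind: str             # key of SCOPE_BY_TARGET
    platform: str                # member of PLATFORMS
    channel: str                 # member of CHANNELS
    cpu_utilization: float       # 0.0 .. 1.0 from host telemetry
    requests_per_second: int
    anomalous_requests: int      # malformed or unexpected requests seen


def answer_who(obs: Observation) -> str:
    if obs.motive not in WHO_BY_MOTIVE:
        raise ValueError(f"unknown motive {obs.motive!r}")
    return WHO_BY_MOTIVE[obs.motive]


def answer_where(obs: Observation) -> Tuple[str, str]:
    """Initiated location (one device vs. many) and attack scope."""
    if not obs.source_addresses:
        raise ValueError("at least one source address is required")
    initiated = ("host-based" if len(set(obs.source_addresses)) == 1
                 else "network-based")
    if obs.target_kind not in SCOPE_BY_TARGET:
        raise ValueError(f"unknown target kind {obs.target_kind!r}")
    return initiated, SCOPE_BY_TARGET[obs.target_kind]


def answer_how(obs: Observation) -> Tuple[str, str]:
    if obs.platform not in PLATFORMS or obs.channel not in CHANNELS:
        raise ValueError("platform or channel outside the taxonomy")
    return obs.platform, obs.channel


def answer_what(obs: Observation) -> List[str]:
    """Every WHAT class whose indicator fires; any one of them classifies."""
    kinds = []
    if obs.cpu_utilization >= CPU_ABNORMAL:
        kinds.append("abnormal-system-activities")
    if obs.requests_per_second >= RPS_FLOOD:
        kinds.append("traffic-volume")
    if obs.anomalous_requests > 0:
        kinds.append("controllable-requests")
    return kinds


def classify(obs: Observation) -> Dict[str, object]:
    """Walk the four questions in order; a failure at any step aborts."""
    return {"WHO": answer_who(obs), "WHERE": answer_where(obs),
            "HOW": answer_how(obs), "WHAT": answer_what(obs)}


def defence_actions(c: Dict[str, object]) -> List[str]:
    """Table 7 guidance per answer (the per-class wording is assumed)."""
    who_text = {
        "white-hat": "Secure the system and thank the reporter for the vulnerability.",
        "big-brother": "Escalate to an international resolution and secure the system.",
        "joker": "Secure and save the system.",
    }
    actions = [who_text.get(c["WHO"],
                            "Take action against the attacker, then secure the system.")]
    initiated, scope = c["WHERE"]
    actions.append(f"Install filtering facing the {initiated} source; mark {scope} assets as risky.")
    platform, channel = c["HOW"]
    actions.append(f"Take extra care with or isolate the {platform} platform and {channel} channel.")
    if c["WHAT"]:
        actions.append("Set the safety level from observed effects: " + ", ".join(c["WHAT"]))
    return actions


# Constructed incident record: a request flood from several sources against a LAN.
SAMPLE = Observation(motive="profit",
                     source_addresses=["198.51.100.7", "198.51.100.8", "203.0.113.21"],
                     target_kind="lan", platform="software", channel="user-to-network",
                     cpu_utilization=0.55, requests_per_second=48_000, anomalous_requests=0)

if __name__ == "__main__":
    for line in defence_actions(classify(SAMPLE)):
        print(line)
```

Running the module prints one defence line per question for the constructed record; because the questions are answered in sequence, an observation that cannot be placed in the taxonomy at an earlier step raises ValueError before a later answer is produced, which keeps a partial classification from being acted on.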

Conclusion:
This taxonomy takes a completely different approach from existing attack classification practices, being based on consecutive questions. Our methodology identifies common queries about a threat to detect its detailed behaviour and then classifies it accordingly. With these four questions (Who, Where, How and What), a network attack type can be clearly identified. A detailed validation of this work and a comparison with other works have been delivered for validation and justification. Our study has successfully produced detailed classifications for risky threats such as Blaster, Melissa, Slammer, the MS RPC Stack Overflow and Morris. The proposed classification also satisfies most of the requirements for the development of an attack taxonomy.
Where the attack was initiated, whom it will attack and to what extent it affected the system can easily be identified if the answers to the sequential questions are found correctly. Moreover, if the type and gravity of the attacks described above can be identified well in advance, we can build a protection mechanism on that information. It has been observed that a threat can be initiated either by a professional hacker or by a playful attacker. It has also been seen that the source of an attack can be a single party or a group. In the same way, the proposed method shows that a threat can spread from multiple sources such as a computer, a flash drive, a wire, WiFi, etc. Lastly, the proposed taxonomy shows that the consequence of an attack can be either a takeover of system control or an effect confined to one system without spreading to other connected systems.
Eventually, our future goal is to construct a taxonomy based on the correlation between personal identification information and publicly available Internet of Things (IoT) data. Since the privacy of personal data is crucial for protecting individuals' credentials, our aim is to define a classification based on vulnerability level in order to prioritise easily available IoT data. In the era of Industry 4.0, everything will be connected and the rate of privacy breaches will also increase. However, at present every kind of data is protected with the same level of security measures, which is quite insecure for the future. Therefore, the future objective is to generate a taxonomy based on the number of correlated pieces of IoT information needed to identify an individual's identity.
Overall, the safety of a system depends fully on attack detection and the subsequent security mechanism. This indicates the necessity of a taxonomy that provides detailed information about an attack. The proposed progressive question-centred attack taxonomy can distil attacks to extract detailed information that assists system administrators.