[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


MP/AN Categories

Besides the SA, CF, and SF categories, many security tools I've
examined have checks which identify vulnerabilities in two more
categories, namely MP (Malicious Presence) and AN (ANomalous state).
MP identifies the cases where an intruder has successfully compromised
a system.  AN deals with cases where the system state is inconsistent
with normal expectations.

Recall the emphasis in the CVE vulnerability definition on the state
of the system.  Both MP and AN vulnerabilities reflect the state of a
system after it has been compromised.  Certainly the presence of a
"hacker toolkit" like Back Orifice or NetBus may be a vulnerability,
unless it is being used legitimately as a network management tool.

AN category vulnerabilities are a little more fuzzy.  Just because a
system isn't in a state that you would expect, does not necessarily
indicate a vulnerability.  On the other hand, if the MD5 checksum for
a login program suddenly changes, then there is a strong indication
that it has been replaced with a more nefarious program.

The candidates for these categories of vulnerabilities are at a fairly
high level of abstraction, and there are very few of them.  This is
because each is a High Cardinality problem, or is Not Enumerable.
Consider the number and variety of Trojan Horses or hacker utilities.

It could be argued that MP is a sub-category of AN.  Assuming that the
Editorial Board accepts these categories, should we merge them?

Page Last Updated or Reviewed: May 22, 2007