CONTENT DECISION: MP/AN Categories
MP/AN Categories
----------------

Besides the SA, CF, and SF categories, many security tools I've examined have checks which identify vulnerabilities in two more categories, namely MP (Malicious Presence) and AN (ANomalous state). MP identifies the cases where an intruder has successfully compromised a system. AN deals with cases where the system state is inconsistent with normal expectations.

Recall the emphasis in the CVE vulnerability definition on the state of the system. Both MP and AN vulnerabilities reflect the state of a system after it has been compromised. Certainly the presence of a "hacker toolkit" like Back Orifice or NetBus may be a vulnerability, unless it is being used legitimately as a network management tool. AN category vulnerabilities are a little more fuzzy. Just because a system isn't in a state that you would expect does not necessarily indicate a vulnerability. On the other hand, if the MD5 checksum for a login program suddenly changes, then there is a strong indication that it has been replaced with a more nefarious program.

The candidates for these categories of vulnerabilities are at a fairly high level of abstraction, and there are very few of them. This is because each is a High Cardinality problem, or is Not Enumerable. Consider the number and variety of Trojan Horses or hacker utilities.

It could be argued that MP is a sub-category of AN. Assuming that the Editorial Board accepts these categories, should we merge them?