On the Completeness of Attack Mutation Algorithms

An attack mutation algorithm takes a known instance of an attack and transforms it into many distinct instances by repeatedly applying attack transformations. Such algorithms are widely used for testing intrusion detection systems. We investigate the notion of completeness of a mutation algorithm: its capability to generate all possible attack instances from a given set of attack transformations. We define the notion of a Φ-complete mutation algorithm. Given a set of transformations Φ, an algorithm is complete with respect to Φ, if it can generate every instance that the transformations in Φ derive. We show that if the rules in Φ are uniform and reversible then a Φ-complete algorithm exists. Intuitively speaking, uniform and reversible transformations mean that we can first exclusively apply transformations that simplify the attack, then exclusively apply transformations that complicate it, and still get all possible instances that are derived by the rules in Φ. Although uniformity and reversibility may appear severe restrictions, we show that common attack transformations are indeed uniform and reversible. Therefore, our Φcomplete algorithm can be incorporated into existing testing tools for intrusion detection systems. Furthermore, we show that a Φ-complete algorithm is useful, not only for testing purposes, but also for determining whether two packet traces are two different mutations of the same attack. 1