
How are threats named, e.g., INPXX or AAXX? #207

amrmp opened this issue Nov 17, 2022 · 4 comments

amrmp commented Nov 17, 2022

I wonder how the acronyms for the threats are made. I can't find a logical relationship between the threat's name and its acronym. Let's take a look at the following example:

DO01 - Flooding

Is there any specific standard for such acronyms?

izar (Owner) commented Nov 17, 2022

If I remember correctly, DO stands for "denial of ...". DO02 is Excessive Allocation, DO03 is XML Ping of Death, and so on.
The IDs are there just to serve as a unique identifier, and were grouped more or less by category: INP for input, DO for denial of service, etc. The IDs have no semantic value and are not used in any way apart from differentiating items in the JSON file and providing a shorthand to reference findings.

A standard would be a welcome addition, if you have time and ideas!

amrmp (Author) commented Nov 18, 2022

Thanks for your comment.

Based on the CAPEC website, one can use "Related Attack Patterns" to capture the parent attack and then build the IDs based on that. In this way, it is more meaningful and can be traced back to the main type of threat. I have taken the fields of "related attack pattern" and have looked for the parent of such an attack by following "ChildOf" or "CanPrecede",...

The following is the output of main attacks:

['Authentication Bypass', 'Buffer Manipulation', 'Code Inclusion', 'Exploitation of Trusted Identifiers', 'Action Spoofing', 'Privilege Escalation', 'Protocol Manipulation', 'Command Injection', 'File Manipulation', 'Functionality Misuse', 'Brute Force', 'Interface Manipulation', 'Authentication Abuse', 'Identity Spoofing', 'Interception', 'Communication Channel Manipulation', 'Input Data Manipulation', 'Shared Resource Manipulation', 'Flooding', 'Pointer Manipulation', 'Exploiting Trust in Client', 'Excessive Allocation', 'Resource Leak Exposure', 'Resource Location Spoofing', 'Parameter Injection', 'Manipulating State', 'Content Spoofing', 'Configuration/Environment Manipulation', 'Footprinting', 'Reverse Engineering', 'Fingerprinting', 'Functionality Bypass', 'Code Injection', 'Software Integrity Attack', 'Protocol Analysis', 'Modification During Manufacture', 'Sustained Client Engagement', 'Resource Injection', 'Forced Deadlock', 'Leveraging Race Conditions', 'Fuzzing', 'Manipulate Human Behavior', 'Bypassing Physical Security', 'Hardware Integrity Attack', 'Information Elicitation', 'Manipulation During Distribution', 'Malicious Logic Insertion', 'Physical Theft', 'Local Execution of Code', 'Obstruction', 'Contaminate Resource', 'Object Injection', 'Traffic Injection', 'Hardware Fault Injection']

and their corresponding acronyms are as follows:

'AUT_BYP', 'BUF_MAN', 'COD_INC', 'EXP_OF_TRU_IDE', 'ACT_SPO', 'PRI_ESC', 'PRO_MAN', 'COM_INJ', 'FIL_MAN', 'FUN_MIS', 'BRU_FOR', 'INT_MAN', 'AUT_ABU', 'IDE_SPO', 'INT', 'COM_CHA_MAN', 'INP_DAT_MAN', 'SHA_RES_MAN', 'FLO', 'POI_MAN', 'EXP_TRU_IN_CLI', 'EXC_ALL', 'RES_LEA_EXP', 'RES_LOC_SPO', 'PAR_INJ', 'MAN_STA', 'CON_SPO', 'CON_MAN', 'FOO', 'REV_ENG', 'FIN', 'FUN_BYP', 'COD_INJ', 'SOF_INT_ATT', 'PRO_ANA', 'MOD_DUR_MAN', 'SUS_CLI_ENG', 'RES_INJ', 'FOR_DEA', 'LEV_RAC_CON', 'FUZ', 'MAN_HUM_BEH', 'BYP_PHY_SEC', 'HAR_INT_ATT', 'INF_ELI', 'MAN_DUR_DIS', 'MAL_LOG_INS', 'PHY_THE', 'LOC_EXE_OF_COD', 'OBS', 'CON_RES', 'OBJ_INJ', 'TRA_INJ', 'HAR_FAU_INJ'

Each non-main attack is then indexed.

"SID": "AUT_BYP00", ..., "description": "Accessing Functionality Not Properly Constrained by ACLs",

This can be a standard for naming.
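To make the proposed scheme concrete, here is an added example (not pytm's own code, and not part of the original comment) that derives the parent acronym the way the list above does, numbers child threats per parent to produce SIDs such as `AUT_BYP00`, and checks that no two parent names collapse to the same acronym. The sample threats and the collision pair are constructed for illustration.

```python
"""Added example: CAPEC-parent-based SIDs as proposed in this thread.
Not pytm's own code; all sample data below is constructed."""
from collections import Counter


def acronym(name: str) -> str:
    """First three letters of each whitespace-separated word, upper-cased and
    joined with underscores, which reproduces the list above:
    'Exploitation of Trusted Identifiers' -> 'EXP_OF_TRU_IDE'.
    A slash-joined token such as 'Configuration/Environment' counts as one
    word, giving 'CON' (matching 'CON_MAN' in the list)."""
    return "_".join(word[:3].upper() for word in name.split())


def colliding_acronyms(parent_names):
    """Return the acronyms shared by more than one parent name.  Three-letter
    prefixes are lossy, so this check belongs in any tooling that adopts the
    scheme; an empty set means every parent maps to a distinct prefix."""
    counts = Counter(acronym(n) for n in parent_names)
    return {a for a, c in counts.items() if c > 1}


def assign_sids(threats):
    """threats: iterable of (parent_attack_name, description).
    Children are numbered per parent in the order given, zero-padded to two
    digits, mirroring the 'AUT_BYP00' example in the comment."""
    next_index = Counter()
    records = []
    for parent, description in threats:
        base = acronym(parent)
        sid = f"{base}{next_index[base]:02d}"
        next_index[base] += 1
        records.append({"SID": sid, "parent": parent, "description": description})
    return records


# Constructed sample: a few parent names quoted above plus child threats.
PARENTS = ["Authentication Bypass", "Exploitation of Trusted Identifiers",
           "Configuration/Environment Manipulation", "Flooding"]
SAMPLE_THREATS = [
    ("Authentication Bypass", "Accessing Functionality Not Properly Constrained by ACLs"),
    ("Authentication Bypass", "constructed child threat A"),
    ("Flooding", "constructed child threat B"),
]

if __name__ == "__main__":
    for rec in assign_sids(SAMPLE_THREATS):
        print(rec["SID"], "-", rec["description"])
```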

izar (Owner) commented Nov 18, 2022

This is a great idea! I don't know if or how people are using the existing naming convention, but perhaps we could add an ALT_SID field using yours and warn people that in the future we would sunset the original names, then move ALT_SID to SID.

colesmj (Collaborator) commented Jun 26, 2023

We might consider using MITRE ATT&CK Tactics and Techniques as additional threats, so be careful tying the threat IDs to CAPEC structures (although the "main attack types" above seem generic enough to consider).
