Evaluating Network Security with Two-Layer Attack Graphs Anming Xie Zhuhua Cai Cong Tang Jianbin Hu...
35
Evaluating Network Security with Two- Layer Attack Graphs Anming Xie Zhuhua Cai Cong Tang Jianbin Hu Zhong Chen ACSAC (Dec., 2009) 2010/6/15 1
-
Upload
geraldine-mcdonald -
Category
Documents
-
view
215 -
download
0
Transcript of Evaluating Network Security with Two-Layer Attack Graphs Anming Xie Zhuhua Cai Cong Tang Jianbin Hu...
1
Evaluating Network Security with Two-Layer Attack
GraphsAnming XieZhuhua CaiCong TangJianbin Hu
Zhong Chen
ACSAC (Dec., 2009)
2010/6/15
2
Outline
• Introduction• Related Work• Model• Examples• Conclusion
2010/6/15
3
Attack Graphs
• Describe attack scenarios• Play important roles in analyzing network
vulnerabilities
2010/6/15
4
Problems
• Although there are many previous works on attack graphs about evaluating network security, some problems still need to be addressed– Scalability– Several targets for overall security of networks– Inside malicious attackers’ attacks
2010/6/15
5
The Work of The Paper
• Firstly, propose a new generation model– Generate two-layer attack graphs model to reduce
computation costs
• Then, propose a measurement methodology– Evaluate network security based on adjacency
matrixes
2010/6/15
6
Network Security Metrics
• Traditionally, focus on vulnerabilities as static values in different networks
• However, ignore how they could be exploited by the attackers
• An attack graph describe s all the possible ways to break into a network, and reveals actual effect among vulnerabilities
2010/6/15
7
Outline
• Introduction• Related Work• Model• Examples• Conclusion
2010/6/15
8
Related Works
• Resulting attack graphs are sometimes too large to be computed
• Lacks meaningful and efficient suggestions to evaluate network security
2010/6/15
9
Outline
• Introduction• Related Work• Model• Examples• Conclusion
2010/6/15
10
A. Generation Model
• Two assumptions– Preconditions on an exploit would never be
changed from satisfied to unsatisfied– Attackers only need user access privileges at
source host when exploiting vulnerabilities at target host
2010/6/15
11
A. Generation Model
• The two-layer model– Lower layer• Describe all of the detailed attack scenarios between
each host-pair• Set up host-pair attack graphs to describe attack
sequences from one source host to one target host directly• Show how attackers obtain user or root access
privileges at the target host• N * N host-pair attack graphs at most with N hosts
2010/6/15
12
A. Generation Model
• The two-layer model– Upper layer• Set up host access attack graphs to show the direct
access relationships among hosts• A node represents a host in networks, and a directed
edge between two nodes represents the access relationship between the corresponding two hosts
2010/6/15
13
A. Generation Model
• Generation of host-pair attack graphs– Just deal with host’s configurations,
vulnerabilities, its network connection with source host
– Be generated very quickly and the size is small
2010/6/15
14
A. Generation Model
• Generation of hosts access attack graphs– Built on the results of the host-pair attack graphs– Add a directed edge to the corresponding nodes in
hosts access graph– Edge’s label shows the corresponding privilege
which could be obtained
2010/6/15
15
A. Generation Model
2010/6/15
16
B. Analysis on probability of success
• Used in analysis of network security• Firstly– apply probability of success to each atomic exploit
• Secondly– calculate the probabilities of obtaining user and root
privileges successfully for each host-pair attack graph• Finally– change the edges’ label of the hosts access graph as
(HPAGID, Puser, Proot)
2010/6/15
17
B. Analysis on probability of success
2010/6/15
18
C. Analysis on Adjacency Matrixes
• In order to evaluate the overall network, composite these attack probabilities to a global measurement dynamically based on adjacency matrixes
• A network with N nodes, draw a hosts access graph with N +1 nodes
• Use H1, H2, · · ·, Hn to indicate hosts in the target network, and use H0 to indicate an attacker’s host.
2010/6/15
19
C. Analysis on Adjacency Matrixes
• Element uij indicates the probability of obtaining user privilege from host Hi to host Hj
• C = F(A,B)– A, B, C are matrixes– F is defined as
2010/6/15
Nkji
bababa
bac
NjiNjiji
kjikk
ij
,,0
)*,...*,*max(
)*(max
2100
)*(max kjikk
ij bac )*,...*,*max( 2100 NjiNjiji bababa
Nkji ,,0
20
C. Analysis on Adjacency Matrixes
• Define the power iterations of Function F
• Stable matrix– User adjacency matrix U• maximum
– Root adjacency matrix R• maximum
2010/6/15
R),(UR
1-NM
(U)(U)U
I)U(,0
)U),U(()U(
1
0
1
succsucc
MN-succ
mm
F
FF
Fm
FFF
)U),U(()U( 1 mm FFF I)U(,0 0 Fm
(U)(U)U 1 MN-succ FF
R),(UR succsucc F
1-NM
21
D. Network Security Measurement
• Total prospective damage of whole network brought by this attacker in host Hi is
– the set of important hosts in network is C, C H⊆
• Dangerous Score
– Indicate the security level of a network– use wk rather than duk and drk. For each host Hk in
C, wk is its important factor, where 0 ≤ wk ≤ 12010/6/15
)*(
))*,*(max(
0kkCH
ikkikkCH
i
rwDS
rdruduTDH
k
k
)*( 0kkCH
rwDSk
))*,*(max( ikkikkCH
i rdruduTDHk
22
D. Network Security Measurement
• Transition score, which evaluates the host’s action as a stepping stone when an outside attacker attacks the network
2010/6/15
CHkk
CHikki
k
k
rw
rwr
TSi)*(
)*(*
0
0
CHkk
CHikki
k
k
rw
rwr
TSi)*(
)*(*
0
0
23
Outline
• Introduction• Related Work• Model• Examples• Conclusion
2010/6/15
24
A. Network Environment
2010/6/15
25
A. Network Environment
2010/6/15
26
B. Result Attack Graphs
2010/6/15
27
B. Result Attack Graphs
2010/6/15
28
C. Network Security Evaluation
2010/6/15
29
C. Network Security Evaluation
2010/6/15
30
C. Network Security Evaluation
• Assume the set of important hosts in network is C = {F,D}
• Obtain user privilege– Prospective damage du = {200, 2000}
• Obtain root privilege– Prospective damage dr = {2000, 10000}
2010/6/15
31
C. Network Security Evaluation
• Total prospective damage potentially caused by outside attackers
• Total prospective damage potentially caused by inside attackers
2010/6/15 1
32
C. Network Security Evaluation
• Set important factors wk for each host Hk in C– set w = {0.2, 1}– 0.2 for host F, 1 for host D
• Dangerous Score
• Transition Score
2010/6/15
33
Outline
• Introduction• Related Work• Model• Examples• Conclusion
2010/6/15
34
Conclusion
• A novel generation approach and a measurement methodology
• Apply the probability of success to our attack graphs
• Results not only describe the potential attack probabilities of success launched from an outside attacker, but also describe the potential attack probabilities launched from inside malicious users
• Draw gray scale images to indicate the overall network security
2010/6/15
35
Q & A
Thank you!
2010/6/15
