Slides: k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown...
8/9/2019 Slides: k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities
k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng,and Steven Noel
IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 1, pp. 30-44, 2014
Goal
• Existing efforts on network security metrics typically assign numeric scores to vulnerabilities based on known facts about those vulnerabilities.
• This paper proposes a novel network security metric, k-zero day safety, that counts how many zero-day vulnerabilities are required to compromise a network asset.
  − Instead of measuring which unknown vulnerabilities are more likely to exist: unknown vulnerabilities are not measurable.
Motivating example
• Policy 1. The iptables rules are left in a default configuration that accepts all requests.
  − At least one zero-day attack.
• Policy 2. The iptables rules are configured to only allow specific IPs, excluding host 0, to access the ssh service.
  − At least two zero-day attacks.
Modeling k-zero day safety
• Information about the network:
  − A collection of hosts {0, 1, 2, F} (F for the firewall).
  − The connectivity relation {, , , , , , , , .
  − Services {http, ssh, iptables} on host 1, {ssh} on host 2, and {firewall} on host F.
  − Privileges {user, root}.
Modeling k-zero day safety
• An attack sequence is any sequence of exploits.
  − a: the asset
  − seq(a): any attack sequence that leads to a.
• Attack sequences all leading to the asset :
1. ,,
2. ,,
3. ,,,
4. ,,
Modeling k-zero day safety
• The metric function k0d(.) counts how many exploits in their symmetric difference are distinct, i.e. not related through
• The k-zero day safety metric is defined by applying the metric function k0d(.) to the minimal attack sequences leading to an asset.
Modeling k-zero day safety
• Definition 3 (k-Zero day safety). Given the set of zero-day exploits E0, we define a relation such that indicates either e and e' involve the same zero-day vulnerability, or e = and e' = are true, and exploiting s yields p. e and e' are said to be distinct if ;
  − a function k0d(.):
  − where |F''| denotes the cardinality, max(.) the maximum value, and the symmetric difference ; and
  − for an asset a, we use k = k0d(a) for ,
  − where min(.) denotes the minimum value. For any , we say a is k'-zero day safe.
$$k0d(\cdot): 2^{E_0} \times 2^{E_0} \to [0, \infty]$$
as
$$k0d(F, F') = \max\big(\{\,|F''| : F'' \subseteq (F \,\Delta\, F'),\ (\forall e_1, e_2 \in F'')(e_1 \neq_v e_2)\,\}\big)$$
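As an added worked example (not code from the paper or the slide author), the following Python computes Definition 3's k0d over a toy model of the motivating example on slide 3: hosts 0, 1 and 2, a firewall that lets host 0 reach only host 1, and the two iptables policies. The exploit triples, the software names, the connectivity function and the collapsing of privilege levels into "controls host / does not" are all assumptions made here; the privilege-escalation half of the relation is omitted, and iptables is modelled only as a filter, not as an exploitable service. The block also runs a diversified variant in which host 2's ssh is a different implementation, going beyond the slide to show the "increasing diversity" hardening option from slide 10 and why it only matters when the diversified service lies on a shortest attack sequence.

```python
"""Worked k-zero-day-safety (k0d) computation for the slides' motivating example.
Added illustration, not code from the paper or its authors.

Assumptions (simplified from Definition 3 on the slides):
  * an exploit is a triple (software, src, dst): a zero-day against the service
    backed by `software` on host `dst`, launched from a controlled host `src`;
  * e and e' are related (same zero-day vulnerability) when they hit the same
    software; the privilege-escalation half of the relation is omitted, because
    a successful remote exploit is assumed to give control of dst directly;
  * the asset is control of a chosen host; the attacker starts on host 0.
"""


def k0d_pair(F, F_prime):
    """Definition 3's k0d(F, F'): the largest number of pairwise-distinct exploits
    in the symmetric difference F Δ F'.  Because "same software" is an
    equivalence relation, that maximum is simply the number of classes."""
    diff = set(F) ^ set(F_prime)
    return len({software for software, _src, _dst in diff})


def attack_sequences(services, allowed, asset, attacker=0):
    """Enumerate every attack sequence (list of exploit triples) that ends with
    control of `asset`, by depth-first search over the set of controlled hosts.
    `services[h]` maps service name -> software on host h; `allowed(src, dst, svc)`
    is the connectivity / firewall filter."""
    def walk(controlled, seq):
        if asset in controlled:
            yield list(seq)
            return
        for src in sorted(controlled):
            for dst, svcs in services.items():
                if dst in controlled:
                    continue
                for svc, software in svcs.items():
                    if allowed(src, dst, svc):
                        yield from walk(controlled | {dst}, seq + [(software, src, dst)])
    yield from walk(frozenset({attacker}), [])


def k_for_asset(services, allowed, asset, attacker=0):
    """k = min over attack sequences q of k0d(q, ∅); None if the asset is unreachable
    (the slides' unbounded case)."""
    ks = [k0d_pair(q, ()) for q in attack_sequences(services, allowed, asset, attacker)]
    return min(ks) if ks else None


def firewall_policy(policy):
    """Connectivity assumed from the slides' figure: firewall F lets host 0 reach
    only host 1, and host 1 reaches host 2.  Policy 2 adds the iptables rule on
    host 1 that allows ssh only from specific IPs, excluding host 0."""
    def allowed(src, dst, svc):
        if src == 0 and dst != 1:
            return False
        if policy == 2 and (src, dst, svc) == (0, 1, "ssh"):
            return False
        return True
    return allowed


# Constructed sample: the same software name on two hosts means one zero-day
# vulnerability compromises both (hypothetical product names).
MONOCULTURE = {1: {"http": "httpd-A", "ssh": "sshd-A"}, 2: {"ssh": "sshd-A"}}
# Diversified variant: host 2's ssh is a different implementation.
DIVERSIFIED = {1: {"http": "httpd-A", "ssh": "sshd-A"}, 2: {"ssh": "sshd-B"}}

if __name__ == "__main__":
    for name, svcs in (("monoculture", MONOCULTURE), ("diversified ssh", DIVERSIFIED)):
        for policy in (1, 2):
            k = k_for_asset(svcs, firewall_policy(policy), asset=2)
            print(f"{name:15s} policy {policy}: k = {k}")
```

Under the monoculture model, policy 1 gives k = 1 (ssh on host 1, then the same ssh zero-day on host 2) and policy 2 gives k = 2 (http on host 1, then ssh on host 2), reproducing the slide's "at least one" versus "at least two". Diversifying host 2's ssh raises policy 1 to k = 2, while diversifying http alone would leave policy 1 at k = 1, since http is not on that policy's shortest sequence; this is the same effect the diversity case study reports for services that do not sit on a shortest attack sequence.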
Modeling k-zero day safety
• Assume A = {} then we have k0d(A) = 2, and the network is 2-zero day safe.
1. ,,
2. ,,
3. ,,,
4. ,,
Redefining Network Hardening
• Network hardening: rendering a network k-zero day safe for a larger k.
• Under the model, those qualitative approaches essentially achieve k > 0, meaning that attacks are no longer possible with known vulnerabilities only.
• Based on those equations of k = k0d(A), we can see that k may be increased in many ways, including:
  − Increasing diversity
  − Strengthening isolation
  − Disabling services
  − Firewalls
  − Stricter access control
  − Asset backup
  − Detection and prevention
  − Security services
  − Patching known vulnerabilities
Case study - Diversity
Assume
− Different services or firewalls involve different zero-day vulnerabilities.
− None of the services, except iptables and tcpwrapper, are protected by sufficient isolation.
− No known vulnerabilities are assumed in the services.
− A =
Case 1: the three web servers (hosts 1 through 3) provide the http service using the same software
− k would remain the same regardless of the degree of diversity in these http services (k = 2)
Case study - Diversity
Case 2: the iptables service on host 4 only accepts requests from hosts 2 and 3.
− Diversifying the ftp services on hosts 2 and 3 does not help for k (k = 3).
Case 3: ftpx and ftpy indicate two different ways of providing the ftp service on hosts 2 and 3
− The shortest attack sequences do not increase (k = 3).
Increasing diversity in hosts and services would not always help improve a network's security.
Case study - Known Vulnerability and Unnecessary Service
Assume
− An unnecessary rsh service running on host 4, and additionally the effect of introducing a known vulnerability vrsh into that service.
− A =
Case 4: without the rsh service on host 4
− Four different zero-day vulnerabilities in total will be needed (k = 4).
Case study - Known Vulnerability and Unnecessary Service
Case 5: if service rsh is left running on host 4, but without any known vulnerability
− This does not actually change k (k = 4).
Case 6: if vrsh is a known vulnerability
− k will be reduced by one (k = 3).
Case 7: if there is a known vulnerability in the ftp service on host 2
− This does not actually change k (k = 4), and patching this vulnerability will not help to make the network more secure.
Case study - Backup of Asset
Assume
− A known vulnerability exists in the http service on both hosts 1 and 5.
− Three candidate positions for placing a backup server for host 4: locations a, b, and c.
− A =
Case 8: without introducing any asset backup
− Shortest attack sequences: [,,], [,,], [,].
− Two different zero-day vulnerabilities are needed (k = 2).
Case study - Backup of Asset
Case 9: the backup server, host 7, at location a.
− This does not actually change k, because the same zero-day vulnerability of the nfs service can compromise both hosts 4 and 7 (k = 2).
Case 10: the backup server, host 7, at location b, and changing firewall rules such that host 4 is directly accessible from host 7 for backup purposes.
− The shortest attack sequence: [,,,]. Only one zero-day vulnerability is required (k = 1).
Case 11: the backup server, host 7, at location c.
− The shortest attack sequence: [,,,]. Three zero-day vulnerabilities are required (k = 3).
Case study - Firewall
Assume
− A =
− The personal firewall service on host 3 has a known vulnerability that may allow attackers to establish connections to the ftp service running on host 3.
Case 12:
− Shortest attack sequences: [,,,,,], [,,,]. Since v_p_firewall1 is known, k = 3.
Case 13: moving host 3 to location a behind firewall 2, removing its personal firewall p_firewall1, and adding extra rules to firewall 2 to only allow connection requests from 1 to 3 and from 3 to 4.
− Shortest attack sequences: [,,,]. k = 2.
[Figure labels: In:1,Out:4 In:3,Out:5 In:5, 7]
Conclusion
• The paper proposes a relation on exploits under which exploits that involve the same zero-day vulnerability are counted as one in an attack sequence.
• The metric k counts how many distinct unknown vulnerabilities must be present at the same time for an attack to succeed.
• Known vulnerabilities act as shortcut edges in the attack graph that reduce the length of the zero-day attack sequence.