Outline
Network security (Part II):
Can we do a better job? "
•  State of the practices"
•  Drawbacks and Issues"
•  A proposed alternative"
Rattikorn Hewett"
NSF SFS Workshop
August 14-18, 2014
Center for Science & Engineering of Cyber Security
Computer Network
Whitacre College of Engineering
2
Computer Network
How can I secure
this network?
Network
Administrator
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 3
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 4
1
State of the practices
State of the practices
1) Admission Control
2) Data Control
Authentication
Encryption
Authentication
Authentication
Verifying the identification of authorized users
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 5
State of the practices
Encryption/Decryption of data to be transmitted
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 6
State of the practices
4) Security Policy
3) Infection Control
ftp
Anti-Virus
http
Anti-Virus
Anti-Virus
SMTP
Virus protection, virus removal, and infection containment
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 7
Firewall policy to protect unauthorized
requests from outside the network
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 8
2
State of the practices
State of the practices
Where is the
weakness of this
network to hack into?
Common IT Security Setup
Authentication
Authentication
Anti-Virus
Where is the
weakness of this
network to hack into?
Anti-Virus
Encryption
Encryption
Attacker
Authentication
Authentication
What about IDS to detect intrusion?
Network
Administrator
Center for Science & Engineering of Cyber Security
Anti-Virus
Anti-Virus
Secure enough?
Attacker
Authentication
Authentication
Anti-Virus
Anti-Virus
Network
Administrator
Whitacre College of Engineering 9
State of the practices
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 10
Outline
4) IDS (Intrusion Detection System)
I will outsmart IDS
with new tricks
•  State of the practices"
•  Drawbacks and Issues"
Authentication
Anti-Virus
•  A proposed alternative"
Encryption
Authentication
Anti-Virus
Authentication
Anti-Virus
Attacker
IDS monitors network activities and alerts when
attack patterns are detected
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 11
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
12
3
Recaps current practices & drawbacks
Other Issues …..
•  Admission control, e.g., authentication"
•  Data control, e.g., encryption"
•  Infection control, e.g., anti-virus, virus removal/containment"
•  Security policy, e.g., firewalls, RBAC(role-based access control)"
" à Most defend attack at entering points or
prevent non-targeted spreading
à What about targeted attacks in the network?
•  Computer networks are unavoidably vulnerable as long as
they have to provide services"
"
Network Vulnerabilities!
Exploitable
errors in !
Network
Configurations"
"•  Intrusion detection system (IDS)
à Can’t prevent attacks
à Can’t detect unfamiliar attacks
à Requires resource for continuous monitoring
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
•  Ports & services enabled
13
•  Apache Chunked-Code on
Apache web servers
•  Buffer overflow on Windows XP
SP2 operating environments
•  TNS- Listener on Oracle
software for database servers
Center for Science & Engineering of Cyber Security
Network Security Issues
Whitacre College of Engineering
14
Network Security Issues
•  Computer networks are vulnerable"
•  Computer networks are vulnerable"
•  Commercial scanners can only detect network
vulnerabilities at individual points "
Apache Chunked-Code Buffer-Over flow!
Apache httpd version 1.3 through 1.3.24 allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a chunkencoded HTTP request that causes Apache to use an incorrect size."
Oracle TNS Listener!
…!
Wu-ftpd SockPrintf!
CVE 2002-0392"
…!
Common Vulnerability & Exposure
Wu-ftpd restricted-gid!
…!
"
Center for Science & Engineering of Cyber Security
Implementation of "
Software Services"
Whitacre College of Engineering
"
15
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
16
4
Network Security: Issues
Outline
•  Computer networks are vulnerable"
•  Commercial scanners can only detect network
vulnerabilities at individual points "
•  Current state of the practices"
•  Issues and drawbacks"
•  A proposed alternative"
"
•  Perfectly secure isolated services do not guarantee
secure network of combined services"
"
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
17
Center for Science & Engineering of Cyber Security
A preventative approach
18
Security Model Generation
Idea: !
!
•  Pre-determine all possible attacks from network vulnerabilities "
•  Use results to determine appropriate actions"
Goal: !
To generate all possible attacks from network vulnerabilities
Exploit CVE-1
CVE-1
CVE-3
Network"
•  Vulnerabilities" Security Model
•  Configurations" Generation!
•  Security Policy "
Whitacre College of Engineering
•  Prioritize critical path"
Exploit CVE-4
Model
•  Select appropriate
Analysis!
counter measures"
CVE-4
Scanner
Attack Model: all possible chains of exploits"
(or exploitable vulnerabilities)"
Exploit CVE-3
CVE-1
CVE-2
….
Exploit CVE-2
Exploit CVE-1
….
All possible attacks
•  Identify vulnerabilities of each computer in the network using a"
vulnerability scanner (e.g., Nessus, SAINT, OpenVAS)
•  Apply all exploitable vulnerabilities for each attack state
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
19
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 20
5
Example of Simple Network
Example of Simple Network
Host A, access = 2
Scan the vulnerabilities
ap
t1
ap
t1
tns
t2
Center for Science & Engineering of Cyber Security
Exploit ap? Preconditions:
Whitacre College of Engineering 21
Center for Science & Engineering of Cyber Security
Example of Simple Network
Whitacre College of Engineering 22
Example of Simple Network
Host A, access = 2
Host A, access = 2
exploit ap
ap
t1
Center for Science & Engineering of Cyber Security
tns
t2
•  Access on A≥1
•  A & W are
connected
Goal: root access
tns
t2
Host W access = 2
Whitacre College of Engineering 23
Exploit tns? Preconditions:
ap
t1
Center for Science & Engineering of Cyber Security
tns
t2
•  Access on A≥1
•  A & D are
connected
Whitacre College of Engineering 24
6
Example of a simple network
Complete Attack Model
Can you finish the rest?
Host A, access = 2
Exploit tns?
ap
t1
tns
t2
Not exploitable
t1
Host W, access = 1
Goal: root access
of a database server
Attack Model shows all possible attack paths
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 25
Center for Science & Engineering of Cyber Security
A preventative approach
Why model analysis? - Example
Idea: !
!
•  Pre-determine all possible attacks from network vulnerabilities "
•  Use results to determine appropriate actions"
Network"
•  Vulnerabilities" Security Model
•  Configurations" Generation!
•  Security Policy "
•  Prioritize critical path"
Model
•  Select appropriate
Analysis!
counter measures"
How can we prevent attack to gain root access at IP2?"
v3 = CVE-2004-0148"
“wu-ftpd 2.6.2 and earlier, with the
restricted-gid option enabled, allows
local users to bypass access
restrictions by changing the
permissions to prevent access to their
home directory, which causes wu-ftpd
to use the root directory instead.”"
"
Counter-measure "
1.  Upgrade wu-ftpd to version > 2.6.2, OR!
2.  Replace wu-ftpd with other ftpd-service, OR!
3.  Stop providing ftpd-service at IP2
Attack Model: all possible chains of exploits"
(or exploitable vulnerabilities)"
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 26
Whitacre College of Engineering
27
Center for Science & Engineering of Cyber Security
Root access to IP2
Whitacre College of Engineering 28
7
Why model analysis? - Example
Issues
•  The resulting attack models are huge even for a
Root access at the
small network "
attacker’s machine
How can we prevent attack to gain root access at IP2?"
Block v3 into IP2
More …."
Block v1 into IP2 •  How do we identify these blocks?"
•  How do we pick an appropriate
block/counter measure?"
•  Which state to focus first, e.g.,
(IP1, 2) vs. (IP2, 1)"
Which is more likely to be attacked?"
Center for Science & Engineering of Cyber Security
Goal: Root access to IP2
Root access to IP2
Whitacre College of Engineering 29
Attack Model Analysis
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering 30
Exploit-based Analysis
To extract useful information from security model to
protect the network
Prioritizes attack points in an attack model based on the
ease in exploiting their vulnerabilities"
"
"Easy to exploit à High exploitability "
à High priority (for fixing) "
Visualization!
•  Group similar nodes for
display [Noel & Jajodia, 05]"
Graph-based !
•  Minimisation analysis to block
s"
attackwpaths
ork [Jha et al, 02] "
net
t
u
•  Manual, time-consuming" abo •  Automatic "
e
•  Non-systematic"
•  Limited to specific models"
edg
owl
s kn
e
s
Markov model-based!
Our approach!
u
one
•  EstimateNlikelihood
of attack"
•  Exploit-based analysis"
[Sheyner et al., 02; "
•  Use knowledge about exploitability"
Mehta et al.,06; PageRank]"
•  Handle cyclic models"
Center for Science & Engineering of Cyber Security
How do we effectively analyze the huge attack model? !
Whitacre College of Engineering
Approach!
Estimate a probability distribution of intrusion for each
attack state "
•  To obtain its relative chance of being attacked using the
knowledge about exploitability"
"
31
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
32
8
Exploitability
Exploitability
•  Atomic level!
•  Exploitability of each vulnerability
•  Atomic level!
•  Exploitability of each vulnerability (degrees 1à 10)"
"
""
Access Vector × Access Complexity × Authentication"
"
"
E.g., remote, "
local"
E.g., low efforts
to exploit"
E.g., no or single
authentication
"
"
High exploitability "
à High vulnerability"
à Easy to exploit"
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
33
Exploitability
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
34
Markov Model
•  Approximates a probability distribution of dynamic
behaviors randomly evolving to a stationary state
•  Atomic level!
•  Exploitability of each vulnerability (degrees 1à 10)"
à Define the probability of intrusion of each attack
point recursively
Markov Property:
The probability distribution for the future network
intrusion only depends on the current states
•  Global level!
•  Exploitability of attack states in the network topology"
"
à Based on Markov Model (Applied to PageRank)"
"
à Repeat the computation until no change in the
probability distribution approximation
"
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
35
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
36
9
Recurrence Equation
Recurrence Equation
h(u, v) = exploitability of exploits from state u to v
rt(u) = probability of state u being attacked at time t
d
= probability that attackers continue attacking on a current path
h(u, v) = exploitability of exploits from state u to v
rt(u) = probability of state u being attacked at time t
d
= probability that attackers continue attacking on a current path
If v is not an initial state
u
h(
Chance of
continuing attack
Chances of
entering v
Chances of
exploitability of u to v
)
,v u
v
…
If v is an initial state
+
Chance of entering v
from all other states
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
37
ExploitRank Algorithm
a user
access
Center for (thus,
Science & maintain
Engineering of Cyber
Security
level in a
victim
host),
and to38
Whitacre
College
of Engineering
obtain a denial of service (thus, gain a root access level in the
victim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their access permissions of a home directory via the ftp, which causes
its service program, wu-ftpd to, instead, allow access of the
root directory. We annotate each configuration of the network
in Figure 4 with its corresponding vulnerabilities and their
associated labels. For example, IP2 has two vulnerabilities,
namely CVE-2006-5794 (or v1) and CVE-2004-0148 (or v3).
More details of these common standard vulnerabilities are
described in [14, 17].
Although our approach can be applied to any form of a security model, in this study we use a host-centric attack graph
model [5]. Suppose the goal of an attacker is to violate a security requirement. Based on the network configurations and the
vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model as shown in Figure 5 a) by employing a model-checking tool such as NuSMV [4] as illustrated in [5]. !
!
!
Rank 5!
!
9.9
9.9
Node Intrusion
4.9
!
9.9
Likelihood
Rank 3!
!
4.9
S0
0.1500
!
S1
0.1287
Rank 2!
9.9 9.9
Rank 4!
!
S
0.1658
A simple Illustration
2
S3
S4
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
39
0.2548
0.3007
host-centric
attack
graph
Center for Science &a)
Engineering
of Cyber
Security
The model obtained in F
normalized exploitability w
rithm to estimate a probab
state i to state j. The norma
of the probabilities of all p
one. For example, there ar
to advance from state s0, to
ity values 4.9, 9.9, and 9.9,
ristic value for exploiting v
4.9/(4.9 + 9.9 + 9.9) = 0.2.
entry wij = w(i, j) is shown
in the algorithm is the seco
fined in Equation (3).!
!
Table 3. Ranking r
!
3.9
4.9
Rank 1!
b) exploit-based
analysis
graph
Whitacre College
of Engineering
40
Fig. 5. Attack model analysis of the network in Figure 4.
Each state is labeled by a tuple representing a host name and
its access level obtained by an attacker. Thus, (Attacker, root)
is an initial state since an attacker has a root access privilege
on his own machine. The attacker’s goal is to obtain a root
access to IP2 and thus, (IP2, root) represents a goal state. As
shown in Figure 5 b), we rename the states (Attacker, root),
(IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s0, s1, s2,
s3, and s4, respectively. !
!
Table 2. Vulnerability and exploitability.
Fig. 6. Normalized exploitab
Applying the heuristics
tRank algorithm, the resu
host-centric attack model a
ble 3. We then apply Mehta
not employ the exploitabilit
shown in the second colum
As shown in Table 3, th
apply the heuristics is < s4
and otherwise, < s4, s3, s0, s
is applied (i.e., Mehta et al
order of likelihood of intru
ability. Both results sugge
likelihood of being attack
most vulnerable).
10
5
5
(thus, maintain a user access level in a victim host), and to
(thus, maintain a user access level in a victim host), and to
obtain a denial of service (thus, gain a root access level in the
obtain a denial of service (thus, gain a root access level in the
victim host), respectively. Local users can exploit the last vulvictim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their acnerability to bypass access restrictions by changing their access permissions of a home directory via the ftp, which causes
cess permissions of a home directory via the ftp, which causes
its service program, wu-ftpd to, instead, allow access of the
its service program, wu-ftpd to, instead, allow access of the
root directory. We annotate each configuration of the network
Fig. 6. Normalized exploitability of the analysis graph in Figure 5 b)
root directory. We annotate each configuration of the network
Fig. 6. Normalized exploitability of the analysis graph in Figure 5 b)
in Figure 4 with its corresponding vulnerabilities and their
in Figure 4 with its corresponding vulnerabilities and their
The model obtained in Figure 5 b) is useful in computing a
associated labels. For example, IP2 has two vulnerabilities,
The model obtained in Figure 5 b) is useful in computing a
associated labels. For example, IP2 has two vulnerabilities,
normalized exploitability w(i, j) used in the ExploitRank algonamely CVE-2006-5794 (or v1normalized
) and CVE-2004-0148
(or
v3).
exploitability
w(i,
j) used in the ExploitRank algonamely CVE-2006-5794 (or v1) and CVE-2004-0148 (or v3).
rithm
to estimate a probability of advancing from attack in
More details of these common
standard
vulnerabilities
are of advancing
rithm
to estimate
a probability
from attack in
More details of these common standard vulnerabilities are
state i to state j. The normalization is required so that the sum
described in [14, 17].
state
i
to
state
j.
The
normalization
is
required
so that the sum
described in [14, 17].
of
the
probabilities
of all possible attack transitions would be
Although our approach can be
to any form
of possible
a seof applied
the probabilities
of all
attack transitions would be
Although our approach can be applied to any form of a seone. For example, there are three possible exploits applicable
curity model, in this study we one.
use aFor
host-centric
graph
example, attack
there are
three possible exploits applicable
curity model, in this study we use a host-centric attack graph
to advance from state s0, to states s1, s2 and s3 with exploitabilmodel [5]. Suppose the goal of to
anadvance
attacker from
is to violate
secustate s0,ato
states s1, s2 and s3 with exploitabilmodel [5]. Suppose the goal of In
anMehta
attacker
to violate
a secuity values 4.9, 9.9, and 9.9, respectively. The normalized heuetisal.ʼs
approach"
rity requirement.
Based on the ity
network
and respectively.
the
valuesconfigurations
4.9, 9.9, and 9.9,
The normalized heurity requirement. Based on the network configurations and the
ristic value for exploiting v2 from s0 to s1 can be computed as
vulnerabilities
shown
in chance
Figure ristic
4,towe
can
automatically
genervalue
for exploiting
vof
•
Each
node
has
equal
be
attacked
–
no
use
2 from s0 to s1 can be computed as
4.9/(4.9 + 9.9 + 9.9) = 0.2. A complete weight matrix, whose
vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model 4.9/(4.9
as shown+in
Figure
a) 0.2.
by em9.9
+ 9.9)
=
A complete weight matrix, whose
the degree
of vulnerability
"" 5shown
entry wij = w(i, j) is shown in Figure 6. Note that in fact w(i, j)
ate a host-centric attack model as shown
in Figure
5 a) by em- exploitability
w(i, j) is [4]
in Figure 6. Note
that in fact w(i, j)
ploying a model-checking toolentry
suchwas
as illusij =NuSMV
in the algorithm is the second factor of the function gt(v) deploying a model-checking tool" such as NuSMV [4] as illusin the algorithm is the second factor of the function gt(v) detrated in [5]. !
fined in Equation (3).!
trated in [5]. !
fined in Equation
(3).!
Our Approach!
! Mehta et al.ʼs Approach!
!
!
Table 3. Ranking results on the attack model.
! From s0 (9.9)" Table 3. Ranking results on the attack model.
!
!
Rank
5!
!
From! s0-s3 (9.9, 9.9)"
Rank 5!
!
!
" 4.9
9.9
9.9
!
9.9
9.9
4.9
!
9.9
Rank 3!
!
9.9
Rank
4!
4.9
!
4.9
From s0"
!
!
Rank 2!
9.9 9.9
Rank 3!
From s0-s3"
Rank 2!Rank 4!
9.9 9.9
!
Rank 3!
!
Rank 2!
Rank 1!
From s0 (4.9)"
Some Comparisons
From s0"
From s0-s2"
From s0-s3"
3.9
4.9
Rank 1!
More complex attack model
From s0-s2 (9.9, 4.9)"4.9
From s0-s3 (9.9, 4.9)"
Rank 1!
3.9
Applying the heuristics obtained in Figure 6 to the ExploiApplying the heuristics obtained in Figure 6 to the Exploi-
a) host-centric attack graph
b) exploit-based analysis graph
tRank algorithm, the results of ranking attack states in the
b) exploit-based analysis graph
tRank
algorithm,
attack states in the
More
exposuresthe
+ ! results of ranking
host-centric attack model are shown in the first column of TaFig.
5. Attack model analysis
of the networkattack
in Figure
4.
host-centric
model
are
shown
in the first column of TaMore
exposures!
Fig. 5. Attack model analysis of the network in Figure 4.
Easier exploit vulnerability!
ble 3. We then apply Mehta et al.’s ranking approach that does
a) host-centric attack graph
ble 3. We then apply Mehta et al.’s ranking approach that does
not employ the exploitability heuristic and obtain the results as
Each state is labeled by a tuple
representing
host name and
not
employ
the aexploitability
heuristic
and obtain the
results
as Engineering of Cyber Security
Each state is labeled by a Center
tupleforrepresenting
a host
name
41
Science
& Engineering
of Cyber
Securityand
Whitacre College
of Engineering
Center column
for Science &of
Whitacre College of Engineering
shown in the second
Table 3.
its access
level
obtained
by an shown
attacker.
(Attacker,
root)
in Thus,
the second
column
of Table 3.
its access level obtained by an attacker. Thus, (Attacker, root)
As shown in Table 3, the ranking result obtained when we
is an initial state since an attacker
has
a
root
access
privilege
As shown in Table 3, the ranking result obtained when we
is an initial state since an attacker has a root access privilege
apply the heuristics is < s4, s3, s2, s0, s1 > (i.e., our approach)
on his own machine. The attacker’s goal is to obtain a root
apply the heuristics is < s4, s3, s2, s0, s1 > (i.e., our approach)
on his own machine. The attacker’s goal is to obtain a root
and otherwise, < s , s3, s0, s1, s2 > is obtained when no heuristic
access to IP2 and thus, (IP2, root) represents a goal state. As
and otherwise, < s4, s3, s0, s1, s2 > is obtained when no4 heuristic
access to IP2 and thus, (IP2, root) represents a goal state. As
shown in Figure 5 b), we rename the states (Attacker,
root),
is applied (i.e., Mehta et al.’s approach). The ranking is in the
shown in Figure 5 b), we rename the states (Attacker, root),
is applied (i.e., Mehta et al.’s approach). The ranking is in the
(IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s0, s1, s2,
order of likelihood of intrusion based on vulnerability exploit(IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s0, s1, s2,
order
of
likelihood
of
intrusion
based
on vulnerability exploits3, and s4, respectively. !
ability. Both results suggest that s4 has the highest (relative)
s3, and s4, respectively. !
ability. Both results suggest that s4 has the highest (relative)
!
likelihood of being attacked (i.e., highest exploitability and
!
of being attacked (i.e., highest exploitability and
Table 2. Vulnerability likelihood
and exploitability.
most vulnerable).
Table 2. Vulnerability and exploitability.
most vulnerable).
To further compare the ranking results, if we ignore s0 in
To further compare the ranking results, if we ignore s0 in
both ranking lists, both ranking orders generally agree except
both ranking lists, both ranking orders generally agree except
a conflicting case of
ranking
order between
s1 and s2Model
. Consider
•  Hewett,
R.; Kijsanayothin,
P., "Host-Centric
Checking for Network Vulnerability
•  Current state of security practices
help guard
against"
a conflicting
case of
ranking order between s1 and s2. Consider
Analysis," Computer
Applications
Conference,
attackers from the initial
state. AsSecurity
shown
in Figure
5 b), 2008.
to ACSAC 2008. Annual ,
attackers
shown in Figure 5vol.,
b),
to
•  illegitimate network
entry access
" from the initial! state. Asreach
no.,
pp.225,234,
8-12
Dec,
2008,
doi:
10.1109/ACSAC.2008.15
"
!
state s1 (e.g., from s0, s2 or s3) requires exploiting vulreach state s1 (e.g., from s0, s2 or s3) requires exploiting
vul•
Kijsanayothin,
P.;
Hewett,
R.,
"Analytical
Approach
to
Attack
nerability v2, whereas to reach state s2 (e.g., from s0 or s3) re- Graph Analysis for
Table
2 shows
the and
exploitability
computed
for each
of
the state
•
network
intrusion
network
infection"
nerability
v
,
whereas
to
reach
s
(e.g.,
from
s
or
s
)
reTable 2 shows the exploitability computed for each of the
2
2
3
Network
Security," Availability,
Reliability,
and Security,
2010. ARES '10 International
exploiting0 vulnerability
v1. However,
according
to the
relevant vulnerabilities obtainedquires
publically known
CVSS v . quires
exploiting
to the on , vol.,
BUT
attackers
can CVSS
still attack from
the network
by vulnerability
exploiting
relevant vulnerabilities obtained from
publically
known
no., pp.25,32,
15-18 Feb, 2010, doi: 10.1109/ARES.2010.21"
1 However, accordingConference
CVSS standard, since exploitability(v
1) = 9.9 but exploitabilas described in previous section"!!Based
on heuristic
values
in
CVSS
standard,
since
exploitability(v
)
=
9.9
but
exploitabil•
Noel,
S.;
Jajodia,
S.,
"Understanding
complex
network
attack
graphs through
1
as described in previous section"!!Based
on heuristic
values in
network
vulnerabilities
(due to configuration
or software
ity(v
) = 4.9, v1 is more vulnerable than v2. Therefore, it should
Table
2, we
obtained the corresponding
attack
graph
anality(v2) = 4.9,
v1 is
morefor
vulnerable
than 2v2. Therefore,
itclustered
shouldadjacency matrices," Computer Security Applications Conference, 21st
Table 2, we obtained the corresponding attack graph for analbe
easier
to
reach
s
.
For
example,
from
initial
state
s
,
reach2
0
ysis
as shown in Figure 5 b), where
we replace
thes2state
errors)"
vol., no., pp.10 pp.,169, 5-9 Dec, 2005, doi: 10.1109/CSAC.2005.58"
be easier
to reach
. Fortransiexample, from initial state s0,Annual ,
reachysis as shown in Figure 5 b), where we replace the state transiing s requires v1 exploit
to aJ. vWing,
or aanalysis
chain ofofattack graphs," in CSFW
2 exploit
Jha, S.,compared
O. Sheyner, and
"Two formal
tions
of
the vulnerability
corresponding
exploitaing sby
v1 exploit
compared to a 2v2 exploit or
a•  chain
of
2 requires
One
remedy
is toexploitaaim to exploits
prevent
critical
possible
attacks
tions of the vulnerability exploits•  by
corresponding
v
and
v
exploits
to
reach
s1. Therefore,
s2 should
higherSecurity Foundations.
1
1
'02:
Proceedings
of the 15th IEEE
workshoprank
on Computer
bility values in Table 2.
v
and
v
exploits
to
reach
s
.
Therefore,
s
should
rank
higher
1
1
1
2
bility values in Table 2.
from these vulnerabilities (notthan
justs entry
points)"
than s1. This intuitive
reasoning
to our Society,
ranking
order
Washington,
DC,conforms
USA: IEEE Computer
p. 49,
2002."
1. This intuitive reasoning conforms to our ranking order
Conclusions
References
•  Mehta, V., C. Bartzis, H. Zhu, E. M. Clarke, and J. M. Wing, "Ranking attack graphs,"
in Recent Advances in Intrusion Detection, pp. 127-144, 2006. "
•  Schiffman, Cisco CIAG, A Complete Guide to the Common Vulnerability Scoring
System (CVSS), Forum Incident Response and Security Teams (http://www.first.org/)"
•  Sheyner, O., J. Haines, S. Jha, R. Lippmann, and J. Wing, "Automated generation
and analysis of attack graphs," Proc. of the IEEE Symposium on Security and
Privacy, pp. 273-284, 2002. "
"
•  We give an example of how"
•  Attack model can be automatically constructed and
used for security management"
•  This helps address scalability of network protection"
Center for Science & Engineering of Cyber Security
42
Whitacre College of Engineering
43
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
44
11