Network security (Part II): Can we do a better job?
Rattikorn Hewett
NSF SFS Workshop
August 12-16, 2013
Outline
•  State of the practices
•  Drawbacks and Issues
•  A proposed alternative
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
Computer Network
(Diagram of a computer network. The network administrator asks: "How can I secure this network?")
State of the practices
1) Admission Control: Authentication
   Verifying the identification of authorized users
2) Data Control: Encryption
   Encryption/decryption of data to be transmitted
3) Infection Control: Anti-Virus
   Virus protection, virus removal, and infection containment
4) Security Policy: Firewall
   Firewall policy to protect against unauthorized requests (e.g., ftp, http, SMTP) from outside the network
State of the practices: Common IT Security Setup
(Diagram: hosts protected by authentication, anti-virus and encryption. The attacker asks, "Where is the weakness of this network to hack into?"; the network administrator asks, "Secure enough?")
What about IDS to detect intrusion?
5) IDS (Intrusion Detection System)
   IDS monitors network activities and alerts when attack patterns are detected
   (The attacker: "I will outsmart IDS with new tricks")
Outline
•  State of the practices
•  Drawbacks and Issues
•  A proposed alternative
Recap: current practices & drawbacks
•  Admission control, e.g., authentication
•  Data control, e.g., encryption
•  Infection control, e.g., anti-virus, virus removal/containment
•  Security policy, e.g., firewalls, RBAC (role-based access control)
   → Most defend against attacks at entry points or prevent non-targeted spreading
   → What about targeted attacks inside the network?
•  Intrusion detection system (IDS)
   → Can't prevent attacks
   → Can't detect unfamiliar attacks
   → Requires resources for continuous monitoring
Other Issues
•  Computer networks are unavoidably vulnerable as long as they have to provide services
Network vulnerabilities: exploitable errors in
•  Network configurations, e.g., ports & services enabled
•  Implementation of software services, e.g.,
   •  Apache Chunked-Code on Apache web servers
   •  Buffer overflow on Windows XP SP2 operating environments
   •  TNS Listener on Oracle software for database servers
Network Security Issues
•  Computer networks are vulnerable
Examples from the Common Vulnerabilities & Exposures (CVE) list:
•  Apache Chunked-Code buffer overflow (CVE-2002-0392): "Apache httpd version 1.3 through 1.3.24 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size."
•  Oracle TNS Listener: …
•  Wu-ftpd SockPrintf: …
•  Wu-ftpd restricted-gid: …
Network Security: Issues
•  Computer networks are vulnerable
•  Commercial scanners can only detect network vulnerabilities at individual points
•  Perfectly secure isolated services do not guarantee a secure network of combined services
Outline
•  Current state of the practices
•  Issues and drawbacks
•  A proposed alternative
A preventative approach
Idea:
•  Pre-determine all possible attacks from network vulnerabilities
•  Use the results to determine appropriate actions
(Flow: Network [vulnerabilities, configurations, security policy] → Security Model Generation → Attack Model → Model Analysis → prioritize critical paths; select appropriate countermeasures)
Attack Model: all possible chains of exploits (or exploitable vulnerabilities)
Security Model Generation
Goal: to generate all possible attacks from network vulnerabilities
(Diagram: a scanner reports CVE-1 … CVE-4 for the hosts; from each attack state every exploitable vulnerability is applied, e.g., "Exploit CVE-1", "Exploit CVE-3", "Exploit CVE-4", "Exploit CVE-2", …, giving a tree of all possible attacks)
•  Identify vulnerabilities of each computer in the network using a vulnerability scanner (e.g., Nessus, SAINT, OpenVAS)
•  Apply all exploitable vulnerabilities at each attack state
Example of Simple Network
Scan the vulnerabilities: the scanner reports "ap" (Apache) on target t1 and "tns" (Oracle TNS Listener) on target t2.
Start: Host A (the attacker), access = 2. Goal: root access.
Exploit ap? Preconditions:
•  Access on A ≥ 1
•  A & W are connected
→ exploit ap: Host W, access = 2
Exploit tns? Preconditions:
•  Access on A ≥ 1
•  A & D are connected
→ Not exploitable (from A)
(The build-up diagram also shows a branch reaching Host W with access = 1.)
Can you finish the rest?
Complete Attack Model
Goal: root access of a database server
The attack model shows all possible attack paths.
A preventative approach (recap): Network [vulnerabilities, configurations, security policy] → Security Model Generation → Attack Model (all possible chains of exploits, or exploitable vulnerabilities) → Model Analysis → prioritize critical paths; select appropriate countermeasures
Why model analysis? - Example
How can we prevent an attack that gains root access at IP2?
(Attack graph with the goal "Root access to IP2"; the last exploit into IP2 is v3.)
v3 = CVE-2004-0148: "wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead."
Counter-measure:
1.  Upgrade wu-ftpd to version > 2.6.2, OR
2.  Replace wu-ftpd with another ftpd service, OR
3.  Stop providing the ftpd service at IP2
Why model analysis? - Example (continued)
How can we prevent an attack that gains root access at IP2?
(Attack graph with the goal "Root access to IP2", annotated with blocks: "Block v3 into IP2", "Block v1 into IP2", more …)
•  How do we identify these blocks?
•  How do we pick an appropriate block/countermeasure?
•  Which state should we focus on first, e.g., (IP1, 2) vs. (IP2, 1)? Which is more likely to be attacked?
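The model-generation procedure of the Security Model Generation and Example of Simple Network slides, together with the "which blocks?" question of the last two slides, carried through in code. This is an added example, not the authors' tool. The network configuration is constructed from the deck's description of the Figure 4 network (IP1 with v1 and v2, IP2 with v1 and v3) and the meaning of each exploit as the paper excerpt later in the deck gives it (v1 remote, yielding user access; v2 remote, yielding root; v3 the local wu-ftpd restricted-gid escalation from user to root). Full connectivity between the three hosts, the numeric access levels and all function names are my assumptions. The code generates the host-centric attack states by applying every exploitable vulnerability at each state, enumerates the attack paths to the goal (IP2, root), and then searches for the smallest sets of vulnerability fixes that cut every path.

```python
"""Host-centric attack model generation and countermeasure search.

Added example (not the authors' tool). Constructed from the slides: IP1 carries v1 and v2,
IP2 carries v1 and v3; v1 and v2 are remote exploits yielding user and root access,
v3 (wu-ftpd restricted-gid) is a local user-to-root escalation. Full connectivity between
the Attacker, IP1 and IP2 is an assumption.
"""
from collections import deque
from itertools import combinations

USER, ROOT = 1, 2  # access levels, as on the slides (access = 1 / access = 2)

# vulnerability id -> remote exploit?, access needed on the attacking host, access gained on the target
EXPLOITS = {
    "v1": {"remote": True,  "need": USER, "gain": USER},
    "v2": {"remote": True,  "need": USER, "gain": ROOT},
    "v3": {"remote": False, "need": USER, "gain": ROOT},
}
HOSTS = {"Attacker": [], "IP1": ["v1", "v2"], "IP2": ["v1", "v3"]}  # host -> scanner findings
LINKS = {frozenset(p) for p in [("Attacker", "IP1"), ("Attacker", "IP2"), ("IP1", "IP2")]}
INITIAL = ("Attacker", ROOT)   # the attacker has root on their own machine
GOAL = ("IP2", ROOT)           # root access on the database server IP2


def applicable(state, target, exploit, links):
    """Preconditions as on the slides: enough access on the current host, and the target
    reachable (same host for a local exploit, a connected host for a remote one)."""
    host, access = state
    if access < exploit["need"]:
        return False
    if exploit["remote"]:
        return host == target or frozenset((host, target)) in links
    return host == target


def generate_attack_model(hosts, links, initial, goal, removed=frozenset()):
    """Breadth-first expansion of (host, access) states, applying every exploitable
    vulnerability at each state. Returns (states, edges); edges maps
    (from_state, to_state) -> vulnerability exploited. `removed` holds (host, vulnerability)
    pairs that a countermeasure has eliminated."""
    states, edges, queue = {initial}, {}, deque([initial])
    while queue:
        state = queue.popleft()
        if state == goal:
            continue                      # the goal state is terminal
        for target, vulns in hosts.items():
            for v in vulns:
                if (target, v) in removed or not applicable(state, target, EXPLOITS[v], links):
                    continue
                nxt = (target, EXPLOITS[v]["gain"])
                if target == state[0] and nxt[1] <= state[1]:
                    continue              # no gain on a host the attacker already holds
                edges[(state, nxt)] = v
                if nxt not in states:
                    states.add(nxt)
                    queue.append(nxt)
    return states, edges


def attack_paths(edges, initial, goal):
    """All simple attack paths from the initial state to the goal."""
    succ = {}
    for u, v in edges:
        succ.setdefault(u, []).append(v)
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(list(path))
            return
        for nxt in succ.get(node, []):
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(initial, [initial])
    return paths


def minimal_blocking_sets(hosts, links, initial, goal):
    """Smallest sets of (host, vulnerability) fixes that make the goal unreachable, found by
    brute force over subsets of increasing size (the minimization idea of Jha et al.)."""
    candidates = [(h, v) for h, vs in hosts.items() for v in vs]
    for k in range(1, len(candidates) + 1):
        cuts = [set(c) for c in combinations(candidates, k)
                if goal not in generate_attack_model(hosts, links, initial, goal, frozenset(c))[0]]
        if cuts:
            return cuts
    return []


if __name__ == "__main__":
    states, edges = generate_attack_model(HOSTS, LINKS, INITIAL, GOAL)
    print(f"{len(states)} attack states, {len(edges)} exploit transitions")
    for (u, v), vuln in edges.items():
        print(f"  {u} --{vuln}--> {v}")
    for path in attack_paths(edges, INITIAL, GOAL):
        print("attack path:", " -> ".join(f"{h}:{a}" for h, a in path))
    print("minimal blocking sets:", minimal_blocking_sets(HOSTS, LINKS, INITIAL, GOAL))
```

Run as a script it prints five states (the s0 … s4 of the later illustration), nine transitions, four attack paths and two single-fix blocking sets, removing v1 from IP2 or removing v3 from IP2, which are the "Block v1 into IP2" and "Block v3 into IP2" annotations on the slide above. Removing either vulnerability from IP1 alone leaves the direct path Attacker → (IP2, user) → (IP2, root) open, which is why a scanner finding on one host says little about the network as a whole.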
Issues
•  The resulting attack models are huge even for a small network
(Figure: a large attack model from root access at the attacker's machine to the goal, root access to IP2)
How do we effectively analyze the huge attack model?
Attack Model Analysis
To extract useful information from the security model to protect the network
Visualization
•  Group similar nodes for display [Noel & Jajodia, 05]
•  Manual, time-consuming
•  Non-systematic
Graph-based
•  Minimisation analysis to block attack paths [Jha et al., 02]
•  Limited to specific models
Markov model-based
•  Estimate likelihood of attack [Sheyner et al., 02; Mehta et al., 06; PageRank]
•  Automatic
•  Uses no knowledge about networks
Our approach
•  Exploit-based analysis
•  Uses knowledge about exploitability
•  Handles cyclic models
Exploit-based Analysis
Prioritizes attack points in an attack model based on the ease of exploiting their vulnerabilities
Easy to exploit → High exploitability → High priority (for fixing)
Approach
Estimate a probability distribution of intrusion for each attack state
•  To obtain its relative chance of being attacked using the knowledge about exploitability
Exploitability
•  Atomic level
   •  Exploitability of each vulnerability (degrees 1 → 10):
      Access Vector × Access Complexity × Authentication
      (Access Vector, e.g., remote or local; Access Complexity, e.g., low effort to exploit; Authentication, e.g., no or single authentication)
   High exploitability → High vulnerability → Easy to exploit
Exploitability
•  Atomic level
   •  Exploitability of each vulnerability (degrees 1 → 10)
•  Global level
   •  Exploitability of attack states in the network topology
   → Based on a Markov model (as applied in PageRank)
Markov Model
•  Approximates a probability distribution of dynamic behaviors randomly evolving to a stationary state
   → Define the probability of intrusion of each attack point recursively
Markov Property: the probability distribution for the future network intrusion depends only on the current states
   → Repeat the computation until there is no change in the probability distribution approximation
Recurrence Equation
h(u, v) = exploitability of the exploit from state u to state v
r_t(u) = probability of state u being attacked at time t
d = probability that attackers continue attacking on the current path

If v is not an initial state:
  r_{t+1}(v) = d · Σ_u r_t(u) · h(u, v) / Σ_{v'} h(u, v')
  (d: chance of continuing the attack; Σ_u r_t(u) · …: chance of entering v; h(u, v) / Σ_{v'} h(u, v'): chance of exploitability of u to v, i.e., the normalized exploitability w(u, v))

If v is an initial state, add the chance of entering v (afresh) from all other states:
  r_{t+1}(v) = d · Σ_u r_t(u) · h(u, v) / Σ_{v'} h(u, v') + (1 − d) · Σ_u r_t(u) / |I|
  (I = set of initial states)

ExploitRank Algorithm
(Algorithm listing not recoverable from the extraction: iterate the recurrence above from an initial distribution until the probabilities stop changing, then rank the attack states by r(v).)
A simple illustration (excerpt from Kijsanayothin & Hewett, ARES 2010)

… (thus, maintain a user access level in a victim host), and to obtain a denial of service (thus, gain a root access level in the victim host), respectively. Local users can exploit the last vulnerability to bypass access restrictions by changing their access permissions of a home directory via the ftp, which causes its service program, wu-ftpd, to instead allow access to the root directory. We annotate each configuration of the network in Figure 4 with its corresponding vulnerabilities and their associated labels. For example, IP2 has two vulnerabilities, namely CVE-2006-5794 (or v1) and CVE-2004-0148 (or v3). More details of these common standard vulnerabilities are described in [14, 17].

Although our approach can be applied to any form of a security model, in this study we use a host-centric attack graph model [5]. Suppose the goal of an attacker is to violate a security requirement. Based on the network configurations and the vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model as shown in Figure 5 a) by employing a model-checking tool such as NuSMV [4] as illustrated in [5].

Fig. 5. Attack model analysis of the network in Figure 4: a) host-centric attack graph; b) exploit-based analysis graph. (Figure residue: the transitions of b) carry the exploitability values 4.9, 9.9 and 3.9, and the states are annotated with their ranks: Rank 1 s4, Rank 2 s3, Rank 3 s2, Rank 4 s0, Rank 5 s1.)

Each state is labeled by a tuple representing a host name and its access level obtained by an attacker. Thus, (Attacker, root) is an initial state since an attacker has a root access privilege on his own machine. The attacker's goal is to obtain a root access to IP2 and thus, (IP2, root) represents a goal state. As shown in Figure 5 b), we rename the states (Attacker, root), (IP1, root), (IP1, user), (IP2, user) and (IP2, root) as s0, s1, s2, s3, and s4, respectively.

Table 2 shows the exploitability computed for each of the relevant vulnerabilities obtained from publicly known CVSS as described in the previous section. Based on the heuristic values in Table 2, we obtained the corresponding attack graph for analysis as shown in Figure 5 b), where we replace the state transitions of the vulnerability exploits by the corresponding exploitability values in Table 2.

Table 2. Vulnerability and exploitability. (Only the values quoted in the text survive the extraction: exploitability(v1) = 9.9, exploitability(v2) = 4.9; the figure also shows the value 3.9.)

The model obtained in Figure 5 b) is useful in computing a normalized exploitability w(i, j) used in the ExploitRank algorithm to estimate a probability of advancing from attack in state i to state j. The normalization is required so that the sum of the probabilities of all possible attack transitions would be one. For example, there are three possible exploits applicable to advance from state s0 to states s1, s2 and s3 with exploitability values 4.9, 9.9, and 9.9, respectively. The normalized heuristic value for exploiting v2 from s0 to s1 can be computed as 4.9/(4.9 + 9.9 + 9.9) = 0.2. A complete weight matrix, whose entry wij = w(i, j), is shown in Figure 6. Note that in fact w(i, j) in the algorithm is the second factor of the function g_t(v) defined in Equation (3).

Fig. 6. Normalized exploitability of the analysis graph in Figure 5 b). (The weight matrix itself is not recoverable from the extraction.)

Applying the heuristics obtained in Figure 6 to the ExploitRank algorithm, the results of ranking attack states in the host-centric attack model are shown in the first column of Table 3. We then apply Mehta et al.'s ranking approach that does not employ the exploitability heuristic and obtain the results as shown in the second column of Table 3.

Table 3. Ranking results on the attack model.
Node | Intrusion likelihood (our approach) | Rank (our approach) | Rank (Mehta et al.'s approach)
s0 | 0.1500 | 4 | 3
s1 | 0.1287 | 5 | 4
s2 | 0.1658 | 3 | 5
s3 | 0.2548 | 2 | 2
s4 | 0.3007 | 1 | 1
(The likelihood values of Mehta et al.'s column are not recoverable from the extraction; both rank columns follow the two orders stated in the next paragraph.)

As shown in Table 3, the ranking result obtained when we apply the heuristics is < s4, s3, s2, s0, s1 > (i.e., our approach) and otherwise, < s4, s3, s0, s1, s2 > is obtained when no heuristic is applied (i.e., Mehta et al.'s approach). The ranking is in the order of likelihood of intrusion based on vulnerability exploitability. Both results suggest that s4 has the highest (relative) likelihood of being attacked (i.e., highest exploitability and most vulnerable).

To further compare the ranking results, if we ignore s0 in both ranking lists, both ranking orders generally agree except for a conflicting case of ranking order between s1 and s2. Consider attackers from the initial state. As shown in Figure 5 b), to reach state s1 (e.g., from s0, s2 or s3) requires exploiting vulnerability v2, whereas to reach state s2 (e.g., from s0 or s3) requires exploiting vulnerability v1. However, according to the CVSS standard, since exploitability(v1) = 9.9 but exploitability(v2) = 4.9, v1 is more vulnerable than v2. Therefore, it should be easier to reach s2. For example, from initial state s0, reaching s2 requires a v1 exploit compared to a v2 exploit or a chain of v1 and v1 exploits to reach s1. Therefore, s2 should rank higher than s1. This intuitive reasoning conforms to our ranking order.

Some Comparisons (annotations on the same figure)
•  Our Approach vs. Mehta et al.'s Approach: in Mehta et al.'s approach each node has an equal chance of being attacked; no use is made of the degree of vulnerability.
•  Ways of reaching s1 and s2, labelled with the exploitability values along the way: From s0 (4.9); From s0-s2 (9.9, 4.9); From s0-s3 (9.9, 9.9); From s0 (9.9); From s0-s3 (9.9, 9.9).
•  More exposures + easier-to-exploit vulnerability → s2 ranks above s1 in our approach.
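The Exploitability slides' Access Vector × Access Complexity × Authentication formula, the Recurrence Equation slide and the illustration above, carried through in code. This is an added example, not the authors' implementation. Its assumptions: the CVSS v2 exploitability weights are the standard ones, but the three metric vectors are constructed so that the values come out as 9.9, 4.9 and 3.9 (the deck gives no vector for v2, and the product is truncated rather than rounded to one decimal); the analysis graph is the five-state graph of Figure 5 b) as the excerpt describes it, with the transitions s1 → s3 and s2 → s3 inferred from the text; the damping factor d = 0.85 and the treatment of the goal state (an attacker who reaches s4 stays there, w(s4, s4) = 1) are my choices. Under those choices the iteration reproduces the Table 3 likelihoods to three decimal places and both rank orders quoted in the text, including the s1/s2 reversal when the heuristic is switched off.

```python
"""ExploitRank-style ranking of attack states (added example, not the authors' code).

Graph: the five states of Figure 5 b) as the excerpt describes them (s1->s3 and s2->s3 are
inferred). CVSS v2 vectors: constructed to yield 9.9 (v1), 4.9 (v2) and 3.9 (v3).
Goal state: no outgoing exploit, so an attacker who reaches it is assumed to stay (w(s4, s4) = 1).
"""
import math

# CVSS v2 exploitability sub-score weights: 20 * AccessVector * AccessComplexity * Authentication
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}


def cvss2_exploitability(vector):
    """'AV:N/AC:L/Au:N' -> exploitability on the 1..10 scale of the slides. Truncating (not
    rounding) the product to one decimal is an assumption; it reproduces 9.9 / 4.9 / 3.9."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    raw = 20 * AV[metrics["AV"]] * AC[metrics["AC"]] * AU[metrics["Au"]]
    return math.floor(raw * 10) / 10


VULNS = {"v1": "AV:N/AC:L/Au:N", "v2": "AV:N/AC:H/Au:N", "v3": "AV:L/AC:L/Au:N"}  # constructed

# s0 = (Attacker, root), s1 = (IP1, root), s2 = (IP1, user), s3 = (IP2, user), s4 = (IP2, root)
STATES = ["s0", "s1", "s2", "s3", "s4"]
INITIAL = ["s0"]
EXPLOIT_EDGES = {                      # (from, to) -> vulnerability exploited
    ("s0", "s1"): "v2", ("s0", "s2"): "v1", ("s0", "s3"): "v1",
    ("s1", "s3"): "v1",
    ("s2", "s1"): "v2", ("s2", "s3"): "v1",
    ("s3", "s1"): "v2", ("s3", "s2"): "v1", ("s3", "s4"): "v3",
}
# h(u, v): exploitability of the exploit that takes the attacker from u to v
H = {edge: cvss2_exploitability(VULNS[v]) for edge, v in EXPLOIT_EDGES.items()}


def normalized_weights(states, h):
    """w(u, v) = h(u, v) / sum over v' of h(u, v'), so each state's outgoing weights sum to 1.
    A state without outgoing exploits (the goal) keeps its probability mass: w(u, u) = 1."""
    out_total = {s: 0.0 for s in states}
    for (u, _), val in h.items():
        out_total[u] += val
    w = {(u, v): val / out_total[u] for (u, v), val in h.items()}
    for s in states:
        if out_total[s] == 0.0:
            w[(s, s)] = 1.0
    return w


def exploit_rank(states, initial, h, d=0.85, tol=1e-12, max_iter=10000):
    """Power iteration of the recurrence on the slides:
      r_{t+1}(v) = d * sum_u r_t(u) * w(u, v)                      for every state v
                 + (1 - d) * sum_u r_t(u) / |initial|             if v is an initial state
    repeated until the distribution stops changing. d = 0.85 is an assumption."""
    w = normalized_weights(states, h)
    r = {s: 1.0 / len(states) for s in states}
    for _ in range(max_iter):
        nxt = {s: 0.0 for s in states}
        for (u, v), weight in w.items():
            nxt[v] += d * r[u] * weight
        restart = (1 - d) * sum(r.values()) / len(initial)
        for s in initial:
            nxt[s] += restart
        change = max(abs(nxt[s] - r[s]) for s in states)
        r = nxt
        if change < tol:
            break
    return r


def rank_order(r):
    """States sorted by decreasing likelihood of intrusion."""
    return sorted(r, key=r.get, reverse=True)


if __name__ == "__main__":
    ours = exploit_rank(STATES, INITIAL, H)
    mehta = exploit_rank(STATES, INITIAL, {edge: 1.0 for edge in H})  # no exploitability heuristic
    for s in STATES:
        print(f"{s}: {ours[s]:.4f}")
    print("with heuristic:   ", rank_order(ours))
    print("without heuristic:", rank_order(mehta))
```

Setting every h(u, v) to 1 turns the computation into the plain PageRank-style ranking of Mehta et al., which is what the second call does; comparing the two orders shows concretely how the exploitability heuristic, and nothing else, moves s2 ahead of s1. The initial state's value settles at exactly 1 − d because nothing but the restart term feeds it, which is a quick sanity check on any implementation of the recurrence.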
More complex attack model
(Figure: a larger attack graph with states annotated Rank 1, Rank 2 and Rank 3.)
Conclusions
•  The current state of security practices helps guard against
   •  illegitimate network entry access
   •  network intrusion and network infection
   BUT attackers can still attack the network by exploiting network vulnerabilities (due to configuration or software errors)
•  One remedy is to aim to prevent all possible attacks from these vulnerabilities (not just at entry points)
•  We gave an example of how
   •  an attack model can be automatically constructed and used for security management
•  Scalability is a concern that requires further work
References
•  Hewett, R.; Kijsanayothin, P., "Host-Centric Model Checking for Network Vulnerability Analysis," Annual Computer Security Applications Conference (ACSAC 2008), pp. 225-234, 8-12 Dec. 2008, doi: 10.1109/ACSAC.2008.15
•  Kijsanayothin, P.; Hewett, R., "Analytical Approach to Attack Graph Analysis for Network Security," International Conference on Availability, Reliability, and Security (ARES '10), pp. 25-32, 15-18 Feb. 2010, doi: 10.1109/ARES.2010.21
•  Noel, S.; Jajodia, S., "Understanding complex network attack graphs through clustered adjacency matrices," 21st Annual Computer Security Applications Conference (ACSAC 2005), 10 pp., 5-9 Dec. 2005, doi: 10.1109/CSAC.2005.58
•  Jha, S.; Sheyner, O.; Wing, J., "Two formal analyses of attack graphs," in CSFW '02: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, Washington, DC, USA: IEEE Computer Society, p. 49, 2002.
•  Mehta, V.; Bartzis, C.; Zhu, H.; Clarke, E. M.; Wing, J. M., "Ranking attack graphs," in Recent Advances in Intrusion Detection, pp. 127-144, 2006.
•  Schiffman, Cisco CIAG, A Complete Guide to the Common Vulnerability Scoring System (CVSS), Forum of Incident Response and Security Teams (http://www.first.org/)
•  Sheyner, O.; Haines, J.; Jha, S.; Lippmann, R.; Wing, J., "Automated generation and analysis of attack graphs," Proc. of the IEEE Symposium on Security and Privacy, pp. 273-284, 2002.