Network security (Part II):
Can we do a better job?

Rattikorn Hewett
NSF SFS Workshop
August 12-16, 2013
Outline
•  State of the practice
•  Drawbacks and Issues
•  A proposed alternative
Center for Science & Engineering of Cyber Security
Whitacre College of Engineering
Computer Network
[Figure: a computer network. The network administrator asks: "How can I secure this network?"]
State of the practice
1) Admission control: authentication
Verifying the identity of users before admitting them as authorized users
State of the practice
2) Data control: encryption
Encryption/decryption of data to be transmitted
State of the practice
3) Infection control: anti-virus
Virus protection, virus removal, and infection containment
State of the practice
4) Security policy: firewalls
[Figure: a firewall in front of the ftp, http and SMTP services]
Firewall policy to block unauthorized requests from outside the network
State of the practice
Common IT security setup: authentication, anti-virus and encryption on every host
[Figure: the attacker asks "Where is the weakness of this network to hack into?"; the network administrator asks "Secure enough?"]
State of the practice
[Figure: the same setup; the network administrator asks "What about an IDS to detect intrusion?"]
State of the practice
5) IDS (Intrusion Detection System)
An IDS monitors network activities and alerts when attack patterns are detected
[Figure: the attacker says "I will outsmart the IDS with new tricks"]
Drawbacks and Issues
Recap: current practices & drawbacks
•  Admission control, e.g., authentication
•  Data control, e.g., encryption
•  Infection control, e.g., anti-virus, virus removal/containment
•  Security policy, e.g., firewalls, RBAC (role-based access control)
   → Most defend against attacks at the entry points or prevent non-targeted spreading
   → What about targeted attacks inside the network?
•  Intrusion detection system (IDS)
   → Can't prevent attacks, only report them
   → Can't detect unfamiliar attacks (pattern matching needs a known attack pattern)
   → Requires resources for continuous monitoring
Other Issues
•  Computer networks are unavoidably vulnerable as long as they have to provide services
Network vulnerabilities: exploitable errors in
•  Network configurations, e.g., ports & services enabled
•  Implementation of software services, e.g.,
   •  Apache chunked-encoding handling on Apache web servers
   •  Buffer overflow on Windows XP SP2 operating environments
   •  TNS Listener on Oracle database server software
Network Security Issues
•  Computer networks are vulnerable
Examples from CVE (Common Vulnerabilities and Exposures):
•  Apache chunked-encoding buffer overflow, CVE-2002-0392: Apache httpd version 1.3 through 1.3.24 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
•  Oracle TNS Listener …
•  Wu-ftpd SockPrintf …
•  Wu-ftpd restricted-gid …
Network Security Issues
•  Computer networks are vulnerable
•  Commercial scanners can only detect network vulnerabilities at individual points (one host or service at a time)
•  Perfectly secure isolated services do not guarantee a secure network of combined services: an attacker can chain exploits across hosts
A proposed alternative
A preventative approach
Idea:
•  Pre-determine all possible attacks from network vulnerabilities
•  Use the results to determine appropriate actions

Inputs: network vulnerabilities, configurations, security policy
   → Security Model Generation
   → Attack Model: all possible chains of exploits (or exploitable vulnerabilities)
   → Model Analysis
   → Prioritize critical paths; select appropriate countermeasures
Security Model Generation
Goal: to generate all possible attacks from network vulnerabilities
•  Identify the vulnerabilities of each computer in the network using a vulnerability scanner (e.g., Nessus, SAINT, OpenVAS)
•  Starting from the initial attack state, apply every exploitable vulnerability (Exploit CVE-1, Exploit CVE-2, …) to each attack state to obtain its successor states; repeat until no new state appears
[Figure: scanner output (CVE-1 … CVE-4) expanded into a tree of exploit chains, i.e., all possible attacks]
Example of a simple network
[Figure: attacker's host A; web server W with vulnerabilities ap (Apache) and t1; database server D with vulnerabilities tns (Oracle TNS listener) and t2]
Step 1: scan the vulnerabilities (ap and t1 on W; tns and t2 on D)
Step 2: start from the initial state: Host A, access = 2 (root on the attacker's own machine). Goal: root access on the database server.
•  Exploit ap? Preconditions: access on A ≥ 1; A & W are connected → both hold → exploit ap → Host W, access = 2
•  Exploit tns? Preconditions: access on A ≥ 1; A & D are connected → not exploitable from A (the connectivity precondition fails)
•  Exploit t1 → Host W, access = 1
Can you finish the rest? (Continue from each new state, e.g., from W with access 2, until no new state is reachable.)
Complete Attack Model
Goal: root access on the database server
[Figure: the complete attack model of the example network]
The attack model shows all possible attack paths from the initial state to the goal
Why model analysis? - Example
How can we prevent an attack from gaining root access at IP2?
v3 = CVE-2004-0148: "wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead."
Counter-measures (any one of them removes exploit v3 at IP2):
1.  Upgrade wu-ftpd to a version > 2.6.2, OR
2.  Replace wu-ftpd with another ftpd service, OR
3.  Stop providing the ftpd service at IP2
[Figure: the attack graph with the goal state "Root access to IP2"]
Why model analysis? - Example
How can we prevent an attack from gaining root access at IP2?
[Figure: the same attack graph with two cut points marked: "Block v3 into IP2" and "Block v1 into IP2"]
More …
•  How do we identify these blocks (the exploits whose removal cuts every path to the goal)?
•  How do we pick an appropriate block/counter-measure?
•  Which state should we focus on first, e.g., (IP1, 2) vs. (IP2, 1)? Which is more likely to be attacked?
Issues
•  The resulting attack models are huge even for a small network
[Figure: attack model from the initial state "root access at the attacker's machine" to the goal "root access to IP2"]
How do we effectively analyze the huge attack model?
Attack Model Analysis
To extract useful information from the security model to protect the network
Visualization
•  Group similar nodes for display [Noel & Jajodia, 05]
•  Manual, time-consuming
•  Non-systematic
Graph-based
•  Minimisation analysis to block attack paths [Jha et al., 02]
•  Automatic
•  Limited to specific models
Markov model-based
•  Estimate the likelihood of attack [Sheyner et al., 02; Mehta et al., 06; PageRank]
•  Handle cyclic models
Our approach
•  Exploit-based analysis
•  Use knowledge about exploitability
Exploit-based Analysis
Prioritizes attack points in an attack model based on the ease of exploiting their vulnerabilities
Easy to exploit → high exploitability → high priority (for fixing)
Approach: estimate a probability distribution of intrusion over the attack states
•  To obtain each state's relative chance of being attacked, using the knowledge about exploitability
Exploitability
•  Atomic level: exploitability of each vulnerability (degrees 1 → 10)
   Exploitability = Access Vector × Access Complexity × Authentication (the CVSS exploitability subscore)
   •  Access Vector, e.g., remote (network) or local
   •  Access Complexity, e.g., low effort to exploit
   •  Authentication, e.g., no or single authentication required
   High exploitability → high vulnerability → easy to exploit
•  Global level: exploitability of attack states in the network topology
   → Based on a Markov model (as applied in PageRank)
Markov Model
•  Approximates the probability distribution of a dynamic process that evolves randomly to a stationary state
   → Define the probability of intrusion of each attack point recursively
Markov property: the probability distribution of the future network intrusion depends only on the current state
   → Repeat the computation until the probability distribution approximation no longer changes
Recurrence Equation
h(u, v) = exploitability of the exploit from state u to state v
r_t(u) = probability of state u being attacked at time t
d = probability that attackers continue attacking along the current path (so 1 - d is the chance that they abandon it and start over)
w(u, v) = h(u, v) / \sum_x h(u, x), the exploitability of u → v normalized over all exploits leaving u

If v is not an initial state:
   r_{t+1}(v) = d \sum_{u \to v} r_t(u)\, w(u, v)
   (chance of continuing the attack × chance of entering v from each predecessor u × normalized exploitability of u to v, summed over all u)

If v is an initial state:
   r_{t+1}(v) = d \sum_{u \to v} r_t(u)\, w(u, v) + (1 - d)\, \rho(v)
   (the same term + the chance \rho(v) of entering v from all other states, i.e., attackers who abandon their current path and restart at v)

ExploitRank Algorithm
Iterate the recurrence from an initial distribution over the states until the change between two iterations falls below a threshold; rank the states by r(v) in descending order (rank 1 = most likely to be attacked = first to fix).
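The atomic-level exploitability score, the normalization w(i, j) and the recurrence carried through as one added example (my code, not the authors' implementation; the numbers are not those of the paper's Figure 5 or Table 3). The CVSS v2 exploitability coefficients are the ones published in the CVSS v2 guide cited in the references; the three vulnerability vectors, the five-state graph, d = 0.85, the uniform restart over initial states and the treatment of states with no remaining exploits (the attacker restarts, the usual PageRank handling of dangling nodes) are assumptions of this example.

```python
# CVSS v2 exploitability sub-score: 20 x AccessVector x AccessComplexity x
# Authentication, with the coefficients published in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}


def exploitability(vector):
    """Atomic-level exploitability (0..10) from a CVSS v2 vector such as 'AV:N/AC:L/Au:N'."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    try:
        av = ACCESS_VECTOR[metrics["AV"]]
        ac = ACCESS_COMPLEXITY[metrics["AC"]]
        au = AUTHENTICATION[metrics["Au"]]
    except KeyError as exc:
        raise ValueError(f"bad or missing metric in {vector!r}: {exc}") from None
    return round(20 * av * ac * au, 1)


# Constructed vulnerability catalogue (assumption: chosen for the example,
# not the slides' v1/v2/v3).
VULNS = {
    "v1": "AV:N/AC:L/Au:N",   # remote, low complexity, no auth   -> 10.0
    "v2": "AV:N/AC:H/Au:N",   # remote, high complexity, no auth  ->  4.9
    "v3": "AV:L/AC:L/Au:N",   # local, low complexity, no auth    ->  3.9
}

# Constructed attack model: state -> {successor state: vulnerability exploited}.
# s0 is the attacker's initial state; s3 and s4 have no further exploits.
EDGES = {
    "s0": {"s1": "v2", "s2": "v1", "s3": "v3"},
    "s1": {"s4": "v1"},
    "s2": {"s4": "v1"},
    "s3": {},
    "s4": {},
}
INITIAL = {"s0"}


def normalized_weights(edges, vulns):
    """w(u, v) = h(u, v) / sum_x h(u, x): exploitabilities leaving u scaled to sum to one."""
    w = {}
    for u, succ in edges.items():
        h = {v: exploitability(vulns[name]) for v, name in succ.items()}
        total = sum(h.values())
        for v, hv in h.items():
            w[(u, v)] = hv / total
    return w


def exploit_rank(edges, vulns, initial, d=0.85, tol=1e-12, max_iter=10_000):
    """Power iteration of the recurrence until the distribution stops changing.

    d is the probability that the attacker continues along the current path;
    with probability 1 - d they give up and restart at an initial state. States
    with no remaining exploits also send the attacker back to an initial state
    (assumption, as for dangling nodes in PageRank), so the ranks stay a
    probability distribution that sums to one.
    """
    states = list(edges)
    w = normalized_weights(edges, vulns)
    incoming = {v: [] for v in states}
    for (u, v), wt in w.items():
        incoming[v].append((u, wt))
    r = {s: 1.0 / len(states) for s in states}
    for _ in range(max_iter):
        dangling = sum(r[u] for u in states if not edges[u])
        nxt = {}
        for v in states:
            follow = sum(r[u] * wt for u, wt in incoming[v])   # sum_u r_t(u) w(u, v)
            if v in initial:
                follow += dangling / len(initial)             # attackers restarting after a dead end
            restart = (1.0 - d) / len(initial) if v in initial else 0.0
            nxt[v] = d * follow + restart
        delta = max(abs(nxt[s] - r[s]) for s in states)
        r = nxt
        if delta < tol:
            break
    return r


def ranking(r):
    """States ordered from most to least likely to be attacked (rank 1 first)."""
    return sorted(r, key=lambda s: r[s], reverse=True)


if __name__ == "__main__":
    r = exploit_rank(EDGES, VULNS, INITIAL)
    for rank, s in enumerate(ranking(r), 1):
        print(f"rank {rank}: {s}  intrusion likelihood {r[s]:.4f}")
```

Out of s0 the three exploits score 4.9, 10.0 and 3.9, so w(s0, s1) = 4.9/18.8 ≈ 0.26, w(s0, s2) ≈ 0.53 and w(s0, s3) ≈ 0.21: the state reached through the easiest vulnerability gets the largest share. The iteration converges to s0 > s4 > s2 > s1 > s3, and s4 outranks every intermediate state because two paths feed it ("more exposures"), which is the effect the comparison with Mehta et al. on the following slides is about. Swapping the CVSS vectors for the values a scanner reports and the dictionary for the model generated from it is all that changes for a real network.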
A simple Illustration

Excerpt from the ARES '10 paper, as reproduced on the slide:
"…cess permissions of a home directory via ftp, which causes its service program, wu-ftpd, to instead allow access to the root directory. We annotate each configuration of the network in Figure 4 with its corresponding vulnerabilities and their associated labels. For example, IP2 has two vulnerabilities, namely CVE-2006-5794 (or v1) and CVE-2004-0148 (or v3). More details of these common standard vulnerabilities are described in [14, 17].
Although our approach can be applied to any form of a security model, in this study we use a host-centric attack graph model [5]. Suppose the goal of an attacker is to violate a security requirement. Based on the network configurations and the vulnerabilities shown in Figure 4, we can automatically generate a host-centric attack model as shown in Figure 5 a) by employing a model-checking tool such as NuSMV [4] as illustrated in [5]."

Fig. 5. Attack model analysis of the network in Figure 4.
a) host-centric attack graph: states S0 … S4, each edge labelled with the exploitability (9.9, 4.9 or 3.9) of the exploit that makes the transition
b) exploit-based analysis graph: node intrusion likelihood and the resulting rank (rank 1 = most likely to be attacked = first to fix)

  Node   Intrusion likelihood   Rank
  S0     0.1500                 4
  S1     0.1287                 5
  S2     0.1658                 3
  S3     0.2548                 2
  S4     0.3007                 1

Some Comparisons: Mehta et al.'s approach vs. our approach

Figure 5 b) is obtained with the normalized exploitability w(i, j), which the ExploitRank algorithm uses to estimate the probability of a transition from state i to state j; the normalization scales the exploitabilities of all possible transitions out of a state so that they sum to one. For example, there are three possible exploits to advance from state s0 to its successor states, with exploitability values 4.9, 9.9 and 9.9 respectively, so the chance of exploiting v2 from s0 is 4.9/(4.9 + 9.9 + 9.9) = 0.2. This normalized exploitability w(i, j) is the second factor in the recurrence of the algorithm, as defined in Equation (3) of the paper.

•  Mehta et al.'s approach: each successor of a node has an equal chance of being attacked; the degree of vulnerability is not used
•  Our approach: transitions are weighted by exploitability, so a state with more exposures (more exploits leading into it) and easier-to-exploit vulnerabilities moves up in rank

Applying the ExploitRank algorithm to the host-centric attack model gives the rankings in Table 3 of the paper; Mehta et al.'s ranking algorithm, which does not employ the exploitability heuristic, is applied to the same model for comparison. Each state is labelled by a tuple of a host name and the access level obtained by the attacker; thus (Attacker, root) in the second column of Table 3 is an initial state, since the attacker has root access privilege on his own machine.

[Figure: the two ranked graphs side by side. Edge annotations such as "From s0 (9.9)", "From s0-s2 (9.9, 4.9)" and "From s0-s3 (9.9, 9.9)" give the exploitabilities along each incoming path; the node ranks differ between the two approaches once exploitability is taken into account.]

More complex attack model
[Figure: a larger attack model with its three highest-ranked states (Rank 1, Rank 2, Rank 3) highlighted.]
Conclusions
•  Current security practices help guard against
   •  illegitimate network entry access
   •  network intrusion and network infection
   BUT attackers can still attack the network by exploiting network vulnerabilities (due to configuration or software errors)
•  One remedy is to aim to prevent all possible attacks from these vulnerabilities (not just at the entry points)
•  We gave an example of how an attack model can be automatically constructed and used for security management
•  Scalability is a concern that requires further work
References
•  Hewett, R.; Kijsanayothin, P., "Host-Centric Model Checking for Network Vulnerability Analysis," Annual Computer Security Applications Conference (ACSAC 2008), pp. 225-234, Dec. 8-12, 2008, doi: 10.1109/ACSAC.2008.15
•  Kijsanayothin, P.; Hewett, R., "Analytical Approach to Attack Graph Analysis for Network Security," International Conference on Availability, Reliability, and Security (ARES '10), pp. 25-32, Feb. 15-18, 2010, doi: 10.1109/ARES.2010.21
•  Noel, S.; Jajodia, S., "Understanding complex network attack graphs through clustered adjacency matrices," 21st Annual Computer Security Applications Conference (ACSAC 2005), 10 pp., Dec. 5-9, 2005, doi: 10.1109/CSAC.2005.58
•  Jha, S.; Sheyner, O.; Wing, J., "Two formal analyses of attack graphs," CSFW '02: Proceedings of the 15th IEEE Computer Security Foundations Workshop, IEEE Computer Society, Washington, DC, USA, p. 49, 2002.
•  Mehta, V.; Bartzis, C.; Zhu, H.; Clarke, E. M.; Wing, J. M., "Ranking attack graphs," Recent Advances in Intrusion Detection, pp. 127-144, 2006.
•  Schiffman (Cisco CIAG), A Complete Guide to the Common Vulnerability Scoring System (CVSS), Forum of Incident Response and Security Teams, http://www.first.org/
•  Sheyner, O.; Haines, J.; Jha, S.; Lippmann, R.; Wing, J., "Automated generation and analysis of attack graphs," Proc. of the IEEE Symposium on Security and Privacy, pp. 273-284, 2002.