A graph-based system for network

advertisement
Phillips, C. and Swiler, L. P. 1998. A graph-based system for network-vulnerability
analysis. In /Proceedings of the 1998 Workshop on New Security Paradigms/. ACM,
New York, NY, 71-79.
Summary:
This paper introduces a method for analyzing vulnerabilities in computer networks
by matching the network configuration, attack templates borrowed from a database of
common attacks, and attacker profile. The paper describes how attack templates are
matched to the configuration and attacker profile to generate the attack graph.
Attack templates include generic steps in known attacks and condition which must
be hold. Attack templates are represented by a directed graph in which nodes are user
level, machines, vulnerability, capabilities and state. Edges are actions by the attacker.
The nodes of attack graph stages of an attack, and the edges are attacks that change the
state. So the nodes in attack graph are the nodes in attack template instantiated with
particular attackers/users and machines. The edges can be labeled with probability of
success or cost. One can analyze the attack graphs by identifying the attack paths that are
most likely to succeed, i.e. using shortest path algorithm.
Why it is good:
Attack graph provides a method for modeling attacks and relating the attacks to the
machines in a network and users which could be the attackers. Using this approach,
temporal stages and steps of an attack can be expressed. In addition, it supports
expressing multiple ways to achieve malicious goals or attack the system by branches in
the attack graph. An interesting suggestion of this work is using a database of common
attacks, which contain various information about attacks; such as level of user who
imposes the threat, machines which are involved, vulnerabilities which are imposed to the
configuration by an attack, capabilities which express the malicious behavior needed to
be delivered, and states which are atomic steps of an attack.
Problems and limitations:
The description of attack, i.e. user level, machine, vulnerability, capabilities, and
state, are added to the nodes of the attack graph based on matching the configuration,
attack template, and attacker profile. However, it is not described how the matching is
performed. This matching may require defining a taxonomy of attacks, vulnerabilities,
and capabilities, and a detailed description of the configuration. In addition, all the
information about steps of an attack (user level, machine, vulnerability, capabilities, and
state) are presented to the reader or user of the model in the same view. This reduces the
use of such models for understanding the behavior of one single user or group of users, or
security impact of an action or atomic steps.
Although the proposed approach to modeling attacks is able to express the steps of
occurring an attack, its post and pre conditions, required configurations, and capabilities,
it does not provide a way to express the impact of the attacks on the normal functions of
the system. It is not argued why the proposed method is limited to network vulnerability
analysis, and why it cannot be generalized to apply to other computer systems such as
Internet attacks, applications’ vulnerability, domain specific attacks, wireless
communication, etc. The proposed quantitative analysis method which assigns
probability or cost to the edges for computing the shortest path, and as a result the most
likely attack works well in theory. However, in real-world practices such quantitative
values and even approximate measures may not be available. Finally, the approach
mentions the possibility of countermeasure analysis, but it does not provide means to link
possible countermeasures to the attacks.
Download