Professor Sushil Jajodia
Center for Secure Information Systems jajodia@gmu.edu
http://csis.gmu.edu/jajodia
• Network configurations are ever more sophisticated
• Vulnerabilities are becoming more complex
• Remediation resources are sparse
A total solution is a combination of technology and services
I will describe the technology component
[Figure: example enterprise network. External Attacker on the WWW; Frontend Router; Firewall; DMZ Router; Backend Router; Firewall; Vulnerability Scanner. Server LAN: W2K Exchange Server and W2K Web Server (160 and 158 vulns). DMZ: W2K Web Server (41 vulns), Linux Server (15 vulns). Client LAN: W2K Pro Client (107 vulns), WinXP Client (60 vulns). DB LAN: Oracle DB Server. Legend: 5 servers, 2 PCs, 2 firewalls, 3 routers.]
• Generate an overwhelming amount of data
• Example Nessus scan
– Elapsed time: 00:48:07
– Total security holes found: 255
– High severity: 40
– Low severity: 117
– Informational: 98
• No indication of how vulnerabilities can be combined
• Can an outside attacker obtain access to the Crown Jewels?
• Where does a security administrator start?
• Generate an overwhelming number of alerts
• Many false alerts – normal traffic or failed attacks
• Alerts are isolated
• No indication of how alerts can be combined
• Incomplete alert information
• Where does a security administrator start?
• Is the attacker trying to obtain access to
Crown Jewels?
• Require extensive human intervention
• Current security measures largely independent
• Little synergy among tools
• Vulnerabilities considered in isolation may seem acceptable risks, but attackers can combine them to produce devastating results
• “A distributed system is one in which the failure of a computer you didn’t even know existed can render your own computer unusable” – Leslie Lamport
• Context for total network security
• How outsiders penetrate firewalls and launch attacks from compromised hosts
• Insider attacks
Simply Listing Problems
Misses the Big Picture!
The reality – security concerns are highly interdependent.
• Few experts available
• Red teams can be expensive
• Tedious
• Error-prone
• Impractical for large networks
• No formal claims
• An attacker breaks into a network through a chain of exploits where each exploit lays the groundwork for subsequent exploits
• Chain is called an attack path
• The set of all possible attack paths forms an attack graph
• Generate attack graphs to mission critical resources
• Report only those vulnerabilities associated with the attack graphs
• Phillips and Swiler NSPW 1998
• Templeton and Levitt NSPW 2000
• Ritchey and Ammann S&P 2000
• Wing, Jha et al. CSFW 2002
• Ammann et al. CCS 2002
• Ou et al. CCS 2006
• Sawilla and Ou ESORICS 2008
[Figure: small example network. Attacker at 10.10.101.10 with Linux attack tools; Firewall; Hub; Web Server 10.10.100.20 running IIS on NT4.0; Mail Server 10.10.100.10 running wu_ftpd on Linux.]
• Sushil Jajodia, Steven Noel, Pramod Kalapa, Massimiliano Albanese, John Williams, "Cauldron: Mission-centric cyber situational awareness with defence in depth," Proc. MILCOM Conf., Baltimore, MD, November 7-10, 2011.
Minimal-Cost Network Hardening
[Figure: attack graph with candidate hardening measures marked Solution 1, Solution 2, and No impact.]
• Massimiliano Albanese, Sushil Jajodia, Steven Noel, "A time-efficient approach to cost-effective network hardening using attack graphs," Proc. 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), Boston, Mass, June 25-28, 2012.
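As an added illustration of both the attack-graph slides (exploits chained through pre- and post-conditions, attack paths enumerated to a goal) and the minimal-cost hardening slide above, the Python below is example code written for this page; it is not the Cauldron tool's own implementation and not taken from the cited papers. Hosts, condition names, exploits and costs are all constructed: the model loosely mirrors the attacker / IIS web server / wu_ftpd mail server diagram with a DB server added. Forward chaining computes what the attacker can reach, backward chaining enumerates every attack path, and an exhaustive search over subsets finds the cheapest set of initial conditions to remove.

```python
from itertools import combinations

# Constructed toy model (not from the slides). Condition vocabulary is this
# example's own: user(h) = attacker has a shell on h, reach(a,b,port) = topology
# and firewalls let a reach b on port, vuln(h,svc) = h runs a vulnerable svc,
# trust(a,b) = a accepts rsh logins from b.
EXPLOITS = {
    # exploit                    : (preconditions, postconditions)
    "iis_overflow(att,web)":      ({"user(att)", "reach(att,web,80)", "vuln(web,iis)"},
                                   {"user(web)"}),
    "wuftpd_overflow(att,mail)":  ({"user(att)", "reach(att,mail,21)", "vuln(mail,wuftpd)"},
                                   {"user(mail)"}),
    "wuftpd_overflow(web,mail)":  ({"user(web)", "reach(web,mail,21)", "vuln(mail,wuftpd)"},
                                   {"user(mail)"}),
    "rsh_trust(mail,db)":         ({"user(mail)", "reach(mail,db,514)", "trust(db,mail)"},
                                   {"user(db)"}),
}
INITIAL = {
    "user(att)", "reach(att,web,80)", "reach(att,mail,21)", "reach(web,mail,21)",
    "reach(mail,db,514)", "vuln(web,iis)", "vuln(mail,wuftpd)", "trust(db,mail)",
}
# Assumed cost of removing each initial condition (patch, firewall change, ...).
# reach(att,web,80) is absent on purpose: the public web server must stay reachable.
COST = {
    "vuln(web,iis)": 3,       # patch IIS on the web server
    "vuln(mail,wuftpd)": 4,   # upgrade wu_ftpd on the mail server
    "reach(att,mail,21)": 1,  # firewall rule: drop ftp from outside to mail
    "reach(web,mail,21)": 1,  # firewall rule: drop ftp from web to mail
    "reach(mail,db,514)": 3,  # firewall rule: drop rsh from mail to db
    "trust(db,mail)": 5,      # remove the .rhosts trust (breaks an application)
}
GOAL = "user(db)"


def reachable_conditions(initial, exploits):
    """Forward-chain exploits (monotone: a condition never becomes false again).
    Returns (all conditions the attacker can reach, exploits that fired)."""
    facts, fired = set(initial), []
    progress = True
    while progress:
        progress = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= facts:
                fired.append(name)
                facts |= post
                progress = True
    return facts, fired


def attack_paths(initial, exploits, goal, _stack=()):
    """Backward-chain from goal: every exploit chain (in execution order) that
    derives it from the initial conditions. Sub-chains for different
    preconditions are concatenated; that order is valid because facts are monotone."""
    if goal in initial:
        return [[]]
    paths = []
    for name, (pre, post) in exploits.items():
        if goal not in post or name in _stack:   # _stack breaks exploit cycles
            continue
        partial = [[]]
        for cond in sorted(pre):
            sub = attack_paths(initial, exploits, cond, _stack + (name,))
            if not sub:              # some precondition is unreachable
                partial = []
                break
            partial = [p + s for p in partial for s in sub]
        for p in partial:
            paths.append(list(dict.fromkeys(p + [name])))   # drop repeats, keep order
    return paths


def min_cost_hardening(initial, exploits, goal, cost):
    """Cheapest set of initial conditions whose removal leaves the goal
    unreachable. Exhaustive over subsets, fine for a toy graph; the DSN 2012
    paper above is about doing this efficiently on large graphs."""
    hardenable = sorted(cost)
    best = None
    for k in range(len(hardenable) + 1):
        for combo in combinations(hardenable, k):
            c = sum(cost[x] for x in combo)
            if best is not None and c >= best[0]:
                continue
            facts, _ = reachable_conditions(initial - set(combo), exploits)
            if goal not in facts:
                best = (c, set(combo))
    return best


if __name__ == "__main__":
    for path in attack_paths(INITIAL, EXPLOITS, GOAL):
        print("attack path:", " -> ".join(path))
    print("cheapest hardening:", min_cost_hardening(INITIAL, EXPLOITS, GOAL, COST))
    facts, _ = reachable_conditions(INITIAL - {"vuln(web,iis)"}, EXPLOITS)
    print("patching IIS alone blocks the goal:", GOAL not in facts)
```

On this toy graph there are two attack paths to the DB server (direct ftp to the mail server, or via the web server), patching IIS alone has no impact because the direct path remains, and the cheapest fix is two firewall changes (cost 2) rather than the wu_ftpd upgrade (cost 4) or breaking the rsh trust (cost 5): exactly the "patching servers vs changing firewalls" trade-off the slides raise.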
[Figure (slide dated 2/21/2008): the example network again, with the External Attacker on the WWW as the attack source and the Oracle DB Server on the DB LAN as the attack target; the two firewalls, the Frontend/Backend/DMZ routers and the Server LAN, DMZ and Client LAN hosts as before. Legend: 5 servers, 2 PCs, 2 firewalls, 3 routers.]
• Correlate alerts to build attack scenarios
• For efficient response, this must be done in real time
• Based on a priori knowledge, such as the prepare-for relationship (Cuppens et al. S&P’02, Ning et al. CCS’02, CCS’03, etc.)
• Based on statistical analysis, such as temporal similarity between alert sequences (Lee et al
RAID’03, Dacier et al KDD’02, Valdes et al
RAID’01, etc.)
• Hybrid approaches (Ning et al ACSAC’04, Lee et al ESORICS’04, Morin et al RAID’02, etc.)
• Provides context for alarms
• Can help with forensic analysis, attack response, attack prediction
• Correlation based on the prepare-for relationship is vulnerable to alerts missed by IDSs; reassembling a broken attack scenario is expensive and error-prone
• By reasoning about the inconsistency between the knowledge (encoded in attack graph) and the facts
(represented by received alerts), missing alerts can be hypothesized
• By extending the facts in a way that is consistent with the knowledge, possible consequences of current attacks can be predicted
• Lingyu Wang, Anyi Liu, Sushil Jajodia, "An efficient and unified approach to correlating, hypothesizing, and predicting network intrusion alerts," Proc. 10th European Symposium on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 3679, September 2005, pages 247-266.
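As an added example of the three steps listed above (correlate through the prepare-for relation, hypothesize alerts the IDS missed, predict the next exploits), the Python below is written for this page; it is not the ESORICS 2005 paper's algorithm and the attack graph and alert stream are constructed. Knowledge is an attack graph of exploit names whose preconditions are other exploits; an alert whose enabling exploit was never reported is an inconsistency between knowledge and facts, resolved by hypothesizing the missing alert.

```python
# Attack-graph knowledge, constructed for this example: exploit -> list of
# precondition groups. Each group is a set of alternative exploits, at least one
# of which must have run first; preconditions that hold initially (reachability,
# vulnerable services) are left out. Exploit names are this example's own.
ATTACK_GRAPH = {
    "iis_overflow(att,web)": [],
    "wuftpd_overflow(att,mail)": [],
    "wuftpd_overflow(web,mail)": [{"iis_overflow(att,web)"}],
    "rsh_trust(mail,db)": [{"wuftpd_overflow(att,mail)", "wuftpd_overflow(web,mail)"}],
    "db_dump(db)": [{"rsh_trust(mail,db)"}],
}


def correlate(alerts, graph=ATTACK_GRAPH):
    """Correlate alerts via the prepare-for relation encoded in `graph`.

    Returns (observed, hypothesized, unexplained): hypothesized holds exploit
    names the IDS must have missed, or a frozenset when any one of several
    alternatives would explain the alert; unexplained holds alerts that are not
    in the graph at all (noise, failed attacks, or a gap in the knowledge)."""
    observed, hypothesized, unexplained = set(), set(), []

    def explain(exploit):
        for group in graph[exploit]:
            if group & (observed | hypothesized):
                continue                      # an enabling exploit is already known
            if len(group) == 1:
                (missing,) = group
                hypothesized.add(missing)     # the IDS must have missed it
                explain(missing)              # and possibly its prerequisites too
            else:
                hypothesized.add(frozenset(group))   # one of these must have happened

    for alert in alerts:
        if alert not in graph:
            unexplained.append(alert)
            continue
        explain(alert)
        observed.add(alert)
    return observed, hypothesized, unexplained


def predict(observed, hypothesized, graph=ATTACK_GRAPH):
    """Extend the facts consistently with the graph: exploits not yet seen whose
    every precondition group is satisfied by an observed or hypothesized exploit.
    Exploits with no prerequisites are skipped, since they are always available."""
    done = observed | {h for h in hypothesized if isinstance(h, str)}
    disjunctions = {h for h in hypothesized if isinstance(h, frozenset)}
    return {
        e for e, groups in graph.items()
        if groups and e not in done
        and all(g & done or frozenset(g) in disjunctions for g in groups)
    }


if __name__ == "__main__":
    # Constructed alert stream: the IDS reported a port scan and the mail-server
    # exploit launched from the web server, but missed the IIS compromise.
    obs, hyp, unexp = correlate(["portscan(att,web)", "wuftpd_overflow(web,mail)"])
    print("observed:    ", sorted(obs))
    print("hypothesized:", hyp)
    print("unexplained: ", unexp)
    print("predicted:   ", predict(obs, hyp))
```

With that stream the IIS overflow is hypothesized (the only exploit that could have prepared the observed one), the port scan is flagged as unexplained, and the rsh hop to the DB server is predicted as the next step; an alert for the rsh hop alone yields a disjunctive hypothesis, since either wu_ftpd path could have prepared it.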
[Figure: security product landscape: Monitoring/Management (plus more than 60 other vendors) vs. Predictive (3 vendors).]
• Just what is “predictive”?
• Common Operating Picture
• Situational Awareness
• I have 700 vulnerabilities – now what?!?
“Put my problems/my risks in context”
[Figure: Cauldron architecture. Network Capture (FoundScan vulnerability scanning, asset inventory, firewall rules) produces the Environment Model; the Vulnerability Database (NVD) supplies Exploit Conditions; together with a user-defined Attack Scenario these feed the Graph Engine, whose output goes to Visual Analysis and Optimal Counter Measures (aggregate / correlate / visualize).]
• Network Capture
– builds a model of the network
– represents data in terms of corresponding elements in Vulnerability Reporting and Exploit Specifications
• Vulnerability Database
– a comprehensive repository of reported vulnerabilities
• Graph Engine
– simulates multi-step attacks through the network, for a given user-defined Attack Scenario
– analyzes vulnerability dependencies, matching exploit preconditions and post-conditions
– generates all possible paths through the network (for a given attack scenario)
• Common Operating Picture
• Situational Awareness
• Patching servers vs changing firewalls
• Combined vulnerabilities are real
Where do I need to focus my resources?!
[Figure: data sources feeding the analysis: Firewalls, Vulnerability Scans, Patch Mgmt/Asset Mgmt, Other.]
[Figures: a sequence of attack-graph views marking the Attack Start and Attack Goal, then the Harden points chosen to cut the attack paths.]
• Security Metrics
• Network Hardening
• Sensor Placement
• Alarm Correlation and Attack Response
• Automated analysis of all possible attack paths through a network
– Resulting attack “roadmap” provides context for optimal defenses
– Transforms volumes of isolated facts into manageable, actionable results
• Integrates with existing tools for capturing network configuration
• Shows the hardening that makes the modeled network secure with minimum effort (the proof is relative to the captured configuration and known vulnerabilities)
• A useful tool for making informed decisions about network security
• Lingyu Wang, Sushil Jajodia, Anoop Singhal, Steven Noel, "k-Zero day safety: Measuring the security risk of networks against unknown attacks," Proc. 15th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6345, 2010, pages 540-557.
• An ever increasing number of critical applications and services rely on Information Technology infrastructures
– Increased risk of cyber attacks
– Increased negative impact of cyber attacks
• Attackers can exploit network configurations and vulnerabilities (both known and unknown) to incrementally penetrate a network and compromise critical systems
– Manual analysis is labor-intensive and error-prone
– Vulnerabilities are often interdependent, making traditional pointwise vulnerability analysis ineffective
– Services and machines on a network are interdependent
• Need for tools that provide analysts with a “big picture” of the cyber situation
[Figure: example network: Internet; Web Server (A); Local DB Server (B); Mobile App Server (C); Local DB Server (D); Catalog Server (E); Order Processing Server (F); DB Server (G).]
Current situation. Is there any ongoing attack? If yes, where is the attacker?
Impact. How is the attack impacting the enterprise or mission? Can we assess the damage?
Evolution. How is the situation evolving? Can we track all the steps of an attack?
Behavior. How are the attackers expected to behave? What are their strategies?
Forensics. How did the attacker create the current situation? What was he trying to achieve?
Information. What information sources can we rely upon? Can we assess their quality?
Prediction. Can we predict plausible futures of the current situation?
Scalability. How can we ensure that solutions [...] networks?
[Figure: cyber situational awareness architecture. Inputs: Vulnerability Databases (NVD, CVE, OSVDB) and Alerts/Sensory Data from the Monitored Network. Components: Topological Vulnerability Analysis (Cauldron, Switchwall); Dependency Analysis (NSDMiner, Generalized Dependency Graphs); Stochastic Attack Models; Adversarial modeling; Network Hardening; Unexplained Activities; Graph Processing and Indexing with Index & Data Structures; Situation Knowledge Reference Model; Heavy Iron Model; Scenario Analysis & Visualization for the Analyst.]
• Sushil Jajodia, Peng Liu, Vipin Swarup, Cliff Wang, eds., Cyber Situational Awareness: Issues and Research, ISBN: 978-1-4419-0139-2, Springer International Series on Advances in Information Security, 2009, 252 pages.
• Arun Natarajan, Peng Ning, Yao Liu, Sushil Jajodia, Steve E. Hutchinson, "NSDMiner: Automated discovery of network service dependencies," Proc. 31st Annual Int'l. Conf. on Computer Communications (INFOCOM), Orlando, FL, March 25-30, 2012, pages 2507-2515.
• Massimiliano Albanese, Sushil Jajodia, Andrea Pugliese, V. S. Subrahmanian, "Scalable analysis of attack scenarios," Proc. 16th European Symp. on Research in Computer Security (ESORICS), Springer Lecture Notes in Computer Science, Vol. 6879, V. Atluri and C. Diaz, eds., Leuven, Belgium, September 12-14, 2011, pages 416-433.
jajodia@gmu.edu
(703) 993-1653 http://csis.gmu.edu/jajodia