Automated Generation and Analysis of Attack Graphs - PowerPoint PPT Presentation

1
Automated Generation and Analysis of Attack Graphs
  • IEEE Symposium on Security and Privacy 2002

Oleg Sheyner, CS, CMU
Joshua Haines, MIT Lincoln Lab
Somesh Jha, CS, WISC
Richard Lippmann, MIT Lincoln Lab
Jeannette M. Wing, CS, CMU
Presented by Allen C.B. Kuo
2
Outline
  • Introduction
  • Attack Graphs
  • An Intrusion Detection Example
  • Analysis of Attack Graphs
  • Summary

3
Introduction
  • Overview
  • Model the network security by constructing attack
    graphs
  • Present an automated technique for generating and
    analyzing attack graphs
  • Identify which attacks would be most cost-effective
    to guard against

4
Introduction (contd.)
  • Evaluate the vulnerabilities of a network of
    hosts
  • Effects of interactions of vulnerabilities
  • Each path in an attack graph is a series of
    exploits
  • Automated construction of attack graphs ensures that
    the graphs are
  • exhaustive
  • succinct
  • suitable for networks with hundreds of nodes

5
Introduction (contd.)
  • Steps to produce and analyze attack graphs
  • Model the network
  • Model the network as a finite state machine
  • Produce an attack graph
  • Model checker NuSMV automatically produces the
    attack graph
  • Analysis of attack graphs

6
Introduction (contd.)
  • Tool Suite

7
Introduction (contd.)
  • Model checking
  • A method for formally verifying finite-state
    concurrent systems
  • Specifications about the system are expressed as
    temporal logic formulas
  • Efficient symbolic algorithms are used to
    traverse the model
  • Check if the specification holds or not
  • Main challenge is state space explosion
  • Reference: http://www.cs.cmu.edu/~modelcheck/

8
Attack Graphs
9
Attack Graphs
  • Definition
  • An attack graph (AG) is a tuple G
  • S is a set of states
  • is a transition relation
  • is a set of initial states
  • is a set of success states

10
Attack Graphs (contd.)
  • We define an execution fragment as a finite
    sequence of states
  • An execution fragment with is an
    execution
  • An execution with final state in is an
    attack

11
Attack Graphs (contd.)
  • Constructing attack graphs
  • Formal model M (network)
  • Given property p (safety property)
  • We can express the property that an unsafe state
    cannot be reached as
  • Ex

12
Attack Graphs (contd.)
  • Algorithm for generating attack graphs

A: attacks (set, indication, quantity?)
P: properties (set, boolean?)
13
Attack Graphs (contd.)
14
An Intrusion Detection Example
  1. Finite State Model
  2. NuSMV Encoding
  3. Experimental Results: Attack Graphs
  4. Performance Observations

15
Example Network
Intruder's goal
16
Example Network (contd.)
  • Two target nodes, ip1 and ip2
  • Services on ip1: ftp, sshd
  • Services on ip2: ftp, database
  • Attacker node, ipa, with four possible atomic
    attacks
  • (0) sshd buffer overflow
  • (1) ftp .rhosts
  • (2) remote login
  • (3) local buffer overflow

17
Example Network (contd.)
  • An atomic attack
  • Detectable
  • Stealthy
  • Goal of intruder
  • Disrupt the functioning of the database
  • Intruder needs root access on the database host
    ip2

18
Finite State Model
  • Connectivity
  • Expressed as a ternary relation
  • Network route
  • When there is a network route from h1 to h2
  • Model trust as a binary relation
  • A user may log in from h2 to h1 without
    authentication

19
Finite State Model (contd.)
(1) h1 and h2 are connected by a physical link => y
(2) h1 can connect to h2 on the ftp port => y
(3) h1 can connect to h2 on the sshd port => y
  • Initial states of network
  • Tr is empty
  • Relation R

R      IPa      IP1      IP2
IPa    y,n,n    y,y,y    y,y,n
IP1    y,n,n    y,y,y    y,y,n
IP2    y,n,n    y,y,y    y,y,n
20
Finite State Model (contd.)
  • The intruder
  • Has a store of knowledge about the target network
    and its users
  • The function
    gives the level of privilege
    that intruder A has on each host

21
Finite State Model (contd.)
  • Intrusion detection system
  • Specify the IDS with a function
  • When h1 and h2 refer to the same host or
    different hosts

22
Finite State Model (contd.)
  • Atomic attacks
  • sshd buffer overflow
  • Give a remote user a root shell on the target
  • Both detectable and stealthy
  • ftp .rhosts
  • Create remote login trust relationship, stealthy
  • remote login
  • Detectable
  • Local buffer overflow
  • User -> buffer overflow -> gain root access,
    stealthy

23
Finite State Model (contd.)
  • Specification of sshd buffer overflow

24
NuSMV Encoding
  • Nondeterministically assigned state variables
  • Which attack (attack num) will be tried next
  • The source host from which the atomic attack will
    be initiated
  • The target host of the atomic attack
  • If the next attack has both detectable and stealthy
    strains, the variable is set nondeterministically

25
Experimental Results: Attack Graphs
  • We want to violate the property

26
Experimental Results: Attack Graphs
  1. Overflow the sshd buffer on host 1; this is a
     stealthy attack
  2. Overwrite the .rhosts file on host 2 to establish
     rsh trust between host 1 and host 2
  3. Log in using rsh from host 1 to host 2
  4. Overflow a local buffer on host 2 to obtain root
     privileges
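The slides from 18 to 26 describe the model only in words and pictures. The following Python program is an added example (not the paper's NuSMV model and not the presenter's material) that encodes the three-host example as an explicit finite state machine and enumerates it to produce the attack graph of slide 9 and check the safety property of slide 11. The connectivity table of slide 19, the services, the four atomic attacks with their strains and the intruder's goal are taken from the slides; the IDS placement (it watches traffic between ipa and the two targets but not between ip1 and ip2), the precise precondition of each attack and the state layout are assumptions made for this example. The paper used the NuSMV model checker with symbolic algorithms; plain breadth-first enumeration, as here, is fine for three hosts but explodes exactly as slide 27 shows.

```python
"""Attack-graph generation for the three-host example (constructed model)."""
from collections import deque
from itertools import product

HOSTS = ("ipa", "ip1", "ip2")
IDX = {h: i for i, h in enumerate(HOSTS)}
NONE, USER, ROOT = 0, 1, 2

# Connectivity relation R of slide 19: R[src][dst] = (physical link, ftp, sshd).
# Every row of the slide's table is identical, so all hosts share one row.
ROW = {"ipa": (True, False, False), "ip1": (True, True, True), "ip2": (True, True, False)}
R = {src: ROW for src in HOSTS}
SERVICES = {"ipa": set(), "ip1": {"ftp", "sshd"}, "ip2": {"ftp", "database"}}

def ids_monitors(h1, h2):
    # Assumption: the IDS sees traffic between the attacker host and either
    # target, but not traffic between ip1 and ip2.
    return h1 != h2 and "ipa" in (h1, h2)

def with_priv(plvl, host, level):
    p = list(plvl)
    p[IDX[host]] = level
    return tuple(p)

# Atomic attacks of slide 22. Each returns (privileges, trust) when its
# precondition holds, else None. trust holds pairs (h1, h2): "a user may log
# in from h2 to h1 without authentication" (slide 18). Preconditions assumed.
def sshd_overflow(plvl, trust, src, tgt):
    if (src != tgt and plvl[IDX[src]] >= USER and "sshd" in SERVICES[tgt]
            and R[src][tgt][2] and plvl[IDX[tgt]] < ROOT):
        return with_priv(plvl, tgt, ROOT), trust

def ftp_rhosts(plvl, trust, src, tgt):
    if (src != tgt and plvl[IDX[src]] >= USER and "ftp" in SERVICES[tgt]
            and R[src][tgt][1] and (tgt, src) not in trust):
        return plvl, trust | {(tgt, src)}

def remote_login(plvl, trust, src, tgt):
    if (src != tgt and plvl[IDX[src]] >= USER and (tgt, src) in trust
            and R[src][tgt][0] and plvl[IDX[tgt]] < USER):
        return with_priv(plvl, tgt, USER), trust

def local_overflow(plvl, trust, src, tgt):
    if src == tgt and plvl[IDX[tgt]] == USER:
        return with_priv(plvl, tgt, ROOT), trust

ATTACKS = {  # name -> (effect, strains); only the sshd overflow has both strains
    "sshd bof": (sshd_overflow, ("detectable", "stealthy")),
    "ftp .rhosts": (ftp_rhosts, ("stealthy",)),
    "rsh login": (remote_login, ("detectable",)),
    "local bof": (local_overflow, ("stealthy",)),
}

# A state is (privilege tuple, frozenset of trust pairs, detected flag).
INITIAL = ((ROOT, NONE, NONE), frozenset(), False)

def is_unsafe(state):
    # Intruder's goal (slide 17): root on the database host ip2.
    return state[0][IDX["ip2"]] == ROOT

def successors(state, available):
    plvl, trust, detected = state
    for name in available:
        effect, strains = ATTACKS[name]
        for src, tgt in product(HOSTS, repeat=2):
            result = effect(plvl, trust, src, tgt)
            if result is None:
                continue
            for strain in strains:
                seen = detected or (strain == "detectable" and ids_monitors(src, tgt))
                yield (name, strain, src, tgt), (result[0], result[1], seen)

def build_attack_graph(initial=INITIAL, available=tuple(ATTACKS)):
    """Explore the model, then keep only the states that lie on some path from
    the initial state to an unsafe state: the attack graph of slide 9."""
    edges, queue, seen = [], deque([initial]), {initial}
    while queue:
        s = queue.popleft()
        if is_unsafe(s):
            continue  # the scenario ends once the goal is reached
        for label, t in successors(s, available):
            edges.append((s, label, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    useful = {s for s in seen if is_unsafe(s)}  # states co-reachable to the goal
    changed = True
    while changed:
        changed = False
        for s, _, t in edges:
            if t in useful and s not in useful:
                useful.add(s)
                changed = True
    return useful, [e for e in edges if e[0] in useful and e[2] in useful]

def shortest_attack(initial=INITIAL, available=tuple(ATTACKS), stealthy_only=False):
    """Shortest execution ending in an unsafe state (slide 10), or None when the
    safety property AG(not unsafe) of slide 11 holds for the available attacks.
    stealthy_only restricts the search to states the IDS has not flagged."""
    _, edges = build_attack_graph(initial, available)
    parent, queue = {initial: None}, deque([initial])
    while queue:
        s = queue.popleft()
        if is_unsafe(s):
            path = []
            while parent[s] is not None:
                s, label = parent[s]
                path.append(label)
            return path[::-1]
        for u, label, t in edges:
            if u == s and t not in parent and not (stealthy_only and t[2]):
                parent[t] = (s, label)
                queue.append(t)
    return None

if __name__ == "__main__":
    states, edges = build_attack_graph()
    print(f"attack graph: {len(states)} states, {len(edges)} edges")
    for step in shortest_attack(stealthy_only=True):
        print(step)
```

Run as a script, it prints the four-step stealthy attack of slide 26. Without the stealthy restriction the shortest attack is three steps (ftp .rhosts and rsh straight from ipa, then the local overflow), but the rsh crosses the monitored link and the IDS flags it; that is the distinction slide 30 draws between detected and undetected states. Calling shortest_attack with "sshd bof" left out of available and stealthy_only=True returns None, which is the minimization question of slide 29 asked for one subset of attacks.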
27
Performance Observations
  • Environment
  • Pentium III / 1 GHz / 1 GB RAM / RedHat Linux 7.0
  • Performance

Hosts  Attacks  Vulnerabilities  Bits of state  Num of states  Reachable states  Time
3      4        less             91             -              101               5 sec
5      8        more             229            So many        6190              2 hr to construct, 5 min to check model
28
Analysis of Attack Graphs
  1. Minimization Analysis
  2. Minimum and Minimal Critical Attack Sets
  3. Computing Minimal Critical Sets
  4. Probabilistic Reliability Analysis

29
Minimization Analysis
  • Find a minimal set of atomic attacks
  • Modify the model making only a subset of atomic
    attacks available to the intruder

30
Minimization Analysis (contd.)
Right subgraph: all attacks are available to the
intruder
Left subgraph: the sshd buffer overflow attack is not
available to the intruder
Highlighted: states where the attacker has not been
detected by the IDS (desirable for the attacker)
31
Minimization Analysis (contd.)
  • Checking every possible subset of attacks is
    exponential in the number of attacks
  • Finding the minimum set of atomic attacks which
    must be removed to thwart the intruder is in fact
    NP-complete

32
Minimum and Minimal Critical Attack Sets
  • Assume that we have produced an attack graph

33
Minimum and Minimal Critical Attack Sets (contd.)
  • Given
  • C is critical with respect to s
  • The intruder cannot reach his goal when the attacks
    in C are removed from A
  • Every path from s to an unsafe state has at least
    one edge labeled with an attack in C

34
Minimum and Minimal Critical Attack Sets (contd.)
  • A critical set A(s) corresponding to a state s is
    minimal
  • If no proper subset of A(s) is critical with
    respect to s
  • A critical set M(s) corresponding to a state s is
    minimum
  • If there is no critical set M'(s) such that
    |M'(s)| < |M(s)|

35
Minimum and Minimal Critical Attack Sets (contd.)
  • Lemma
  • Given
    and integer k
  • Determine where is
    NP-complete
  • Proof sketch
  • Prove that the problem is in NP
  • Prove the problem is NP-hard
  • The reduction is from the minimum cover problem

36
Computing Minimal Critical Sets
  • Finding a minimal critical set
    corresponding to the initial state s0

37
Probabilistic Reliability Analysis
  • Suppose we know the probabilities of some
    transitions in the scenario graph
  • Markov Decision Process
  • Nodes are assigned 1 or 0 (the intruder's goal has
    been achieved or not)
  • The expected value lies between 0 and 1 and equals
    the probability of reaching the goal state

38
Probabilistic Reliability Analysis (contd.)
  • Example for the scenario
  • 0.8 for sshd buffer overflow
  • 0.5 for ftp .rhosts
  • 0.95 for the remote login
  • 0.2 for local buffer overflow
  • The computed probability of intruder success is
    0.2
  • Best strategy is to attempt sshd buffer overflow
    on host IP1, and then conduct the rest of attack
    from that host

39
Summary
40
Contributions
  • Exhibit an algorithm for automatic generation of
    attack graphs
  • Identify a level of atomicity appropriate for
    describing a model
  • Network model includes intrusion detection
    components
  • Stealthy and detectable attack variants
  • Ways of analyzing attack graphs

41
Future Work
  • A method of generating attack graphs for more
    general classes of properties
  • Ex
  • This will be disabled using a DoS attack
  • Building a library of specifications of atomic
    attacks
  • Discover new, unexpected attacks, and hence
    identify new network vulnerabilities
  • Model benign system activity as well
  • Ex: a legitimate user's transaction will finish
    despite intruder interference

42
Thanks for your attention!
Presented by Allen C.B. Kuo