Vulnerability%20Analysis%20Using%20Attack%20Graphs - PowerPoint PPT Presentation

About This Presentation
Title:

Vulnerability%20Analysis%20Using%20Attack%20Graphs

Description:

Title: Theory Generation for Security Protocols Author: snooze Last modified by: Jeannette M. Wing Created Date: 4/14/1999 3:55:44 AM Document presentation format – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 36
Provided by: sno128
Category:

less

Transcript and Presenter's Notes

Title: Vulnerability%20Analysis%20Using%20Attack%20Graphs


1
Vulnerability Analysis Using Attack Graphs
Jeannette M. Wing School of Computer
ScienceCarnegie Mellon UniversityPittsburgh, PA
USA
  • joint work with Somesh Jha (Wisconsin) and Oleg
    Sheyner (CMU)

2
Network of Networks
MIT
Microsoft
Office of Homeland Security
Carnegie Mellon
3
Example of Attack Graph Developed by a
Professional Red Team
Drawn By Hand
  • Sandia Red Team White Board attack tree from
    DARPA CC20008 Information battle space
    preparation experiment

Sandia Red Team White Board attack graph from
DARPA CC20008 Information battle space
preparation experiment
4
Vulnerability Analysis by System Administrators
  • Information-gathering
  • What attacks is my system vulnerable to?
  • Is a different configuration of my system less
    attackable?
  • What is the likelihood of this attack?
  • Is this on-going attack similar to any of the
    known attacks?
  • Decision-making
  • If I put this set of security measures in place,
    what attacks can I prevent?
  • Given the likelihood of certain attacks,
    deploying which measures will increase the
    security of my system?
  • What is the most cost-effective set of measures I
    should deploy, to increase the security of my
    system?

5
Problem Statement
  • Problem Generating attack graphs by hand is
    tedious, error-prone, and impractical for large
    systems.
  • Our Goal Automate the generation and analysis of
    attack graphs.
  • Generation
  • Must be fast and completely automatic
  • Must handle large, realistic examples
  • Should guarantee properties of attack graphs
  • Analysis
  • Must enable further security analysis by system
    administrators
  • Should support incremental, partial specification

6
Overview of Our Method
Query What is the cost benefit of deploying this
security measure?
7
Why Model Checking?
  • Pragmatic reasons
  • Off-the-shelf technology
  • Major verification success story
  • Technical reasons
  • Fast, automatic
  • Large state spaces
  • Handles safety and liveness properties
  • Generates counterexamples

8
Model Checking Primer
Finite State Machine model M
Temporal Logicproperty F
F AG p
AF p, EG p, EF p
Model Checker
9
Counterexample Attack
F ? AG p
single counterexample violation of F
path by which intruder succeeds
attack
10
Definition of Attack Graph
  • Given
  • a finite state model, M, of network
  • a security property ?
  • An attack is an execution of M that violates ?.
  • An attack graph is a set of attacks of M.

11
Properties of Attack Graphs
  • Exhaustive
  • All possible attacks are represented in G.
  • Succinct
  • Only relevant states are contained in G.
  • Only relevant transitions are contained in G.
  • The next two algorithms satisfy these properties.

12
Symbolic-State Attack Graph Generation Algorithm
  • Inputs
  • M ltS, S0 ? S, R ? S X Sgt
  • F AG (unsafe) (a safety property in CTL)
  • Output
  • Attack graph G (Sunsafe, S0F, RF )
  • Algorithm
  • Sunsafe modelCheck(S, S0, R, F)
  • ( Use an iterative algorithm derived from the
    fixpoint characterization of AG operator. )
  • S0F S0 ? Sunsafe
  • RF R ? (Sunsafe X Sunsafe)

13
Explicit-State Attack Graph Generation Algorithm
  • Inputs
  • M
  • F LTL property (safety or liveness)
  • Algorithm
  • Interpret both network model M and security
    property F as Buchi automata.
  • M and F induce languages L(M ) and L(F).
  • Compute L(M )\L(F) executions of M that violate
    F.
  • Construct M ? F by computing intersection of
    Buchi automata.

Output - Attack graph G s.t. L(G) L(M ?
?)
14
Performance Charts
Symbolic-state algorithm
Explicit-state algorithm
15
Performance
Linear Regression R2 0.9967
16
An Illustrative Example
17
Modeling a Network and Intruder
  • Set of hosts H
  • running services
  • CVE vulnerabilities
  • trust relationships
  • misc. configuration
  • Set of networks N
  • each network n ? N is a subset of H
  • packet filter between each pair of networks n1,
    n2
  • Intrusion detection systems
  • placement P ? N ? N
  • detectability per action
  • Intruder
  • store of knowledge
  • privileges on each host
  • Set of actions A
  • preconditions
  • postconditions

18
Example Attack Graph
? G (intruder.privilege(Linux) lt root)
LICQ remote- to-user CVE-2001-0439
Local buffer overflow CVE-2002-0004
Done!
19
Overview of Our Method
20
Minimization Analysis
  • Scenario The system analyst must decide
  • among several different firewall configurations,
    or
  • among several vulnerabilities to patch, or
  • among several intrusion detection systems to set
    up,
  • each of which prevents different subsets of
    actions.
  • What should he do?
  • Problem Question (Minimum Critical Set of
    Actions) What is a minimum set of actions that
    must be prevented to guarantee the intruder
    cannot achieve his goal?
  • Solution (Sketch)
  • Reduce MCSA to Minimum Hitting Set (MHS) Problem
    JSW02.
  • Reduce MHS to Minimum Set Covering (MSC) Problem
    ADG80.
  • Use textbook Greedy Approximation Algorithm to
    approximate solution CLR85.

21
Minimum Critical Set of Actions
A the set of actions available to the intruder
Def 1 A set of actions C is critical if the
intruder cannot achieve his goal using only
actions in A \ C.
Def 2 A set of actions C is realizable if the
intruder can achieve his goal using only actions
in C.
Def 3 A critical set of actions C is minimum if
there is no critical action set of smaller size.
Minimum Critical Set of Actions (MCSA) Given a
set of actions A and an attack graph G, find a
minimum critical action subset C ? A
Finding a minimum set NP-complete
22
Reduction to Minimum Hitting Set Problem
Minimum Hitting Set (MHS) Given a collection C
of subsets of a finite set S, find a minimum
subset S ? S such that each subset in C contains
at least one element from S.
MCSA and MHS are polynomially-equivalent.
MHS Collection of subsets C
MCSA Collection of realizable sets of actions
JSW02b Jha, Sheyner, Wing, Two Formal Analyses
of Attack Graphs, Computer Security Foundations
Workshop, Nova Scotia, June 2002.
23
Sketch of Reduction from MCSA to MHS
A
B
C
D
E
F
G
H
I
24
Reduction of MHS to Minimum Set Covering
Minimum Set-Covering (MSC) Given a collection C
of subsets of a finite set S that covers S, find
a minimum sub-collection C ? C that covers S.
MHS and MSC are polynomially-equivalent ADP80.
Use textbook Greedy Approximation Algorithm for
MSC CLR85, p. 975.
25
LICQ Coverage
? G (intruder.privilege(Linux) lt root)
26
Other Minimization Analyses JSW02b, S04
  • Scenario The system analyst has a set of
    measures, each of which prohibits a subset of
    actions.
  • E.g., M packet filter firewall, application
    firewall, smart cards, one-time passwords,
    authentication policy servers, VPNs, anti-virus
    software, email filters, database encryption,
    host-based IDS, net-based IDS, network monitors,
    auditing, key stroke replicator, log analysis,
    forensic software, hardened O/S
  • Problem Question 1 If he deploys all measures,
    does the system become safe? JSW02b
  • Solution Approach (Naïve) Remove all edges from
    graph that are covered by the measures.
    Reachability analysis is linear time in size of
    graph.
  • Problem Question 2 What is the smallest subset
    of measures he can deploy to make the system
    safe? S04
  • Solution Approach Greedy algorithm with provable
    bounds. General case is NP-complete (slightly
    more complex than minimum cover problem).

27
Overview of Our Method
28
Reliability Analysis
  • Scenario The system analyst must decide between
    installing a network-based IDS between host 1 and
    host 2 or a host-based IDS on host 2. Which
    increases the likelihood that he will detect an
    intruder?
  • Problem Question What is the probability of the
    intruder succeeding? I.e., what is the
    worst-case probability of reaching an unsafe
    state?
  • Solution Approach
  • Annotate attack graph with probabilities.
  • Interpret annotated attack graph as a Markov
    Decision Process.
  • Run the standard MDP value iteration algorithm to
    compute the optimal policy that results in
    maximum benefit/minimum cost for system analyst
    (decision maker).

29
Status of Tool Suite
Network Configuration Data
Attack Graph Generators
Attack Graph Analyzers
30
XML Specification of a Host
lthost namelin" ip"192.168.0.4"
network"internal"gt ltservicesgt ltSquid/gt
ltLICQ/gt ltdatabase/gt lt/servicesgt
ltconnectivitygt ltremote id"ferrari"gt ltW3SVC/gt
lt/remotegt ltremote id"smilla"gt ltftp/gt ltsshd/gt
lt/remotegt lt/connectivitygt ltcvegt
ltCVE_2002_0004/gt ltCVE_2001_1030/gt
ltCVE_2001_0439/gt lt/cvegt lt/hostgt
31
XML Specification of an Action
ltaction namelicq_r2u" cve1CVE-2001-0439"gt
ltlocal_preconditionsgt ltprivilege
hostsource relgte valueuser/gt
ltprivilege hosttarget releq valuenone/gt
ltknowledge namescan valueTRUE/gt
lt/local_preconditionsgt ltglobal_preconditionsgt
ltservice hosttarget nameLICQ/gt
ltconnectivity fromsource serviceLICQ/gt
lt/global_preconditionsgt ltlocal_effectsgt
ltprivilege hosttarget valueuser/gt
lt/local_effectsgt ltglobal_effectsgt
ltdetectable modeyes/gt lt/global_effectsgt lt/ac
tiongt
32
Information Sources
  • MITRE Corp. Outpost
  • Host identification
  • Vulnerabilities
  • Services
  • Lockheed ATL Next Generation Infrastructure
    (ANGI)
  • Network topology
  • Connectivity
  • Nessus vulnerability scan info

lthost namelin ipOutpostgt ltservices
sourceNessusgt ltconnectivity sourceANGIgt
ltcve sourceOutpostgt lt/hostgt
33
Related Work
  • Philips and Swiler 1998
  • Tool constructs attack graph by forward
    exploration starting from initial state. Also
    based on model checking.
  • Our backward algorithm saves space
    (vulnerabilities not relevant are not explored)
    and can handle liveness properties.
  • Models only attacks
  • Our modeling framework can handle arbitrary state
    transitions (actions), not just actions.
  • Dacier 1994, Orlato et al. 1999
  • Privilege graphs nodes sets of user
    privileges, edges vulnerabilities. Explore
    privilege graphs to construct attack graphs.
  • Defines a metric, Mean-Effort-To-Failure, based
    on attack graphs.
  • Ritchey and Ammann 2001
  • Also use model checking. Produces only one
    counter-example (attack).
  • No post-facto analysis.

34
Limitations gt Current and Future Work
  • Input to graph generation
  • Need a library of specifications of actions (with
    CMU students)
  • CERT advisories, MSR security bulletins,
    Symantec,
  • Ontology for vulnerabilities and exploits
  • Discover new attacks
  • More analyses
  • Reduction of attack surface
  • Which configuration of my system is less
    attackable?
  • Ongoing with Jon Pincus at MSR/Redmond and CMU
    students
  • Cost-benefit analysis
  • Exploit MDP theory further

35
Recent References
  • JSW02a Jha, Sheyner, and Wing, Minimization
    and Reliability Analyses of Attack Graphs,
    Carnegie Mellon technical report, CMU-CS-02-109,
    February 2002.
  • JSW02b Jha, Sheyner, Wing, Two Formal Analyses
    of Attack Graphs, Computer Security Foundations
    Workshop, Nova Scotia, June 2002.
  • SHJ02 Sheyner, Haines, Jha, Lippmann, and
    Wing, Automated Generation and Analysis of
    Attack Graphs, IEEE Symposium on Security and
    Privacy, May 2002.
Write a Comment
User Comments (0)
About PowerShow.com