A Novel Approach on Zero Day Attack Safety Using Different Scenarios

Transcription

1 A Novel Approach on Zero Day Attack Safety Using Different Scenarios 1Shaik Yedulla Peer,2N. Mahesh, 3 R. Lakshmi Tulasi 2 Assist Professor, 3 Head of The Department [email protected] Abstract-A zero day attack is the type of attack where people make use of flaw in the software developed by various companies. There is no patch available so it is difficult to tackle such types of attacks even when developers of the company are known to this. Research on this maticx has been hindered by unknown vulnerability since they are not quantifiable & that s why they are unpredictable. This paper resolves this issue of Zero day security here in place of ranking the vulnerability a count is maintain which shows that how vulnerabilities are acceptable for compromising with network assets.count is directly proportional with unknown vulnerabilities. In this we are devising heuristic algorithms to make out intractable issues. security metric, k-zero day safety, which addresses these issues. Here instead of measuring which unknown vulnerabilities are more likely to exist, we begin with the worst case that this is not measurable and then metric simply counts number of zero-day vulnerabilities that are required to compromise with a network. Matrics count is directly proportional to the security of the network.base of our implementation is an abstract model of networks and zero-day attacks. Considerations in our implementation are the complexity of computing the metric and design heuristic algorithms addressing this complexity in some special cases and we think metrics approach is the best way. I.Introduction The internet network is growing with very rate and so is the case with network security threats.main issues in securing computer networks are the insufficient methods for directly measuring the effectiveness of security solutions in a network, since one can t improve what one can't measure itrusion detection system or firewall are not effective in this case for real world. Matrix method is accepted since it has the ability to directly measure and compare the amounts of security is been provided by different security solutions,but it has some us tackled issues which need to be handle. This paper proposes a Encryption Encryption is converting useful data into such format so that nobody can understand it. This has four different methods. Wireless Encryption (WE) Wireless Encryption is done on wireless network. Various wireless algorithms are developed to implement this encryption. IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 1

2 Wired Equivalent Privacy (WEP) This also called as Wireless Encryption Protocol. This is the method which states that malicious link should not use. Wi-Fi Protected Access (WPA) This generally used to encrypt the secure and source traffic by efficient. Pre-shared Key (PSK) In this method the sharing key will be done in the two different machines and security is provided. User ID Here it uses the Username and ID to identify the permitted user and according to it he has the rights to access. Authentication Authentication has three types. 1) One Factor 2) Two Factor 3) Three Factor. In one factor user knows something to access the network. In two factor anything that user has to physically access the network. In three factor something that user needs like retina scan or finger prints. Firewall Firewall blocks unwanted packets and it also analyze the network traffic. It checks incoming packets and give authority that to allow this packets or not. Physical Security When somebody breaks something by going physically there. Web applications basically deals with such problems which needs services to run those applications. Web application with injection flaw is widely occurring in the network. Researcher wants to find it from many years to understand it. Existed Systems Common Weakness Scoring System (CWSS) is the system where it counts the known vulnerability but say very little about the unknown. Sometimes it was recommended that to merge this into firewall so as client side would not need external security. Modeling network graph can be way to demolish it and has been tested over hosts to check its compatibility with network [1]. Even if many methods are available to lower down this attacks but no method nearly predict the exact risk of the threat which are acting on the network [2]. NetSPA was one of the tool which uses attack graph to model this threats [3]. It scans the network for the vulnerability and from the preferable input it draws the attack graph to know that vulnerability present over the network [3]. Topological Vulnerability Analysis (TVA) is one of the attack prevention methods which is powerful [4]. This vulnerability can be depending on each other of the different network system. User sometimes even cannot know that how this thing are happening as there is large abstraction in the given applications. In this approach the network is configured and tested for the sequences of the vulnerability. This is shown in the Fig. 2. Vulnerability Discovery Model is also one of the models to detect count of the vulnerability in any software [5]. So there is always one question can arise that is there any database for measuring the risk of attacks [2]. The attacks related to the exploitation of the vulnerability are common but to make patch of such vulnerability is difficult and cost effective. II.Related work Firewall allows all the outgoing Connection requests but it blocks all IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 2

3 the incoming requests to host 2. Main security issue here is whether any Of the attacker on host 0 can obtain root control on host 2. Under this we have 2 policies on which we are working Policy 1 : The iptables rules and regulation are left in a default setup that accepts all the given requests. Policy 2 : The iptables rules and regulation are configured which allows specific IPs, excluding host 0, to have access to the ssh service. Now network is considered already secure in policy 1. Conclusions drawn after comparing these 2 policies For policy 1 The attacker on host 0 exploits zeroday vulnerability in HTTP service of host 1 and then use it to exploit another vulnerability in the secure service of host 2. Host 0 exploits zero-day vulnerability in secure service on both of the hosts (1 & 2). Host 0 exploited zero-day vulnerability in the firewall (e.g., a default password) to create problems in the traffic blocking it before it compromises host 2. The 1st and 3rd case require 2 different and distinct zero-day vulnerabilities, instead the second requires one zeroday vulnerability (in the secure shell service). That s why, the network may be compromised with at least one zero-day attack under policy 1. For policy 2 1st and 3rd points are same as that of policy 1 Attacker on host 0 can exploit zeroday vulnerability to create problems in the iptables rules before exploiting the secured service on both hosts(1 & 2) The important observation in this concern is that considering a network s resistance to zero-day vulnerabilities can assist in the relative security of different network configurations. Standardization efforts:- There exit multiple standardization efforts on security metrics for vulnerability tracking, like the Common Vulnerability Scoring System (CVSS) and, more recent, the Common Weakness Scoring System (CWSS). If will focuses on software weaknesses as vulnerability. CVSS & CWSS do not address their over all impact of vulnerability on system these efforts founded a foundation for research on security metrics, as they provide standard way for assigning numerical scores to known vulnerabilities that are already available in public vulnerability database, similar to the National Vulnerability Database. Network security metrics :- In previous work a security metric was proposed as time and efforts required by potential adversaries based on the of a Markov model of attack stages. another work was based on, parameters that consider a security metric that measure the amount of security of networks in which, the length of shortest attack paths, in number of exploits, conditions, or both. Disadvantage :- These work generally don t take certain factors under consideration and those were the relative severity of vulnerabilities. Solution :- Compromise Percentage Metric (NCP) which shows the percentage of network assets that can be compromised by attackers and now in more recent work Page Rank Algorithm is introduced This focus on the percentage of network assets that can be compromised and for that assumption made is that, the attackers would progress along different paths in an attack graph in a random fashion and another more recent research replaced an attack trees with more advanced attack graphs and replace its attack paths IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 3

4 with attack scenarios of the system. More recently authors proposed a framework for grouping such metrics based on their relative importance and some risk management framework for quantifying the chances of attacks and for developing a security mitigation and management plans are also proposed. Zero-day attack :- Attacks that exploits a previously unknown vulnerability in a computer system application, one that developer had no time to address & patch them are called as Zero day attack because programmer has Zero day to fix these kind of flaws. Security metrics :- Security metrics have been proposed in fields other than network security which measures that how a software is vulnerable to attacks, based on the degree of exposure Our focuses is on ranking, instead of quantifying, security threats at network and system level essentially allow us to work with weaker assumptions that actually stem from such immeasurability results III.APPROACHES OF ZERO DAY MODEL The zero day safety comes under the firewall security methods. Firewall blocks the unknown packets which are always roaming in the corresponding network. For this type it is further divided into five types of security. It is shown in Fig 3. k-zero Day In this model, the various connected host are measured and different services related to it are detected [1]. The services in which vulnerability can be possible are to be found out. Such count is measured and then it is informed to the corresponding network administrator. The remote services are accessed remotely over the network. Fig2. Zero day vulnerability The above system check s the existing known vulnerabilities and unnecessary services, which seam s innocent enough at first, affect the k-zero day safety of a network. The case study also demonstrates that patching known vulnerabilities does not always improve the networks resistance to zero-day attacks; a formal approach, thus, becomes necessary to check how effective such patching tasks are. In the upper half of Fig, assume no known vulnerabilities and we are mainly concerned on host 5 and the root privileges assigned to it. Host 4 is suppose to be an client administrator, and now we check the effect of unneeded ssh service running on host 4 and the effect of adding a known vulnerability into that part of the system. For an attack graph-based analytic system, these may seem to not pose threat the security of host 5 because host 5 cannot be reached from host 0 anyway (due to firewall 3). However, by applying this metric, we will reach different conclusions. The lower half of Fig shows two attack sequences leading to the root privilege on host 5. The edges in dashed lines correspond to attacks that become possible after introducing the ssh service and the corresponding known vulnerability mentioned. Mathematical Model Input(I)={No of Network, No of Host } IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 4

5 No of Networks(N)={N1,N2,N3,..,Nn} Network(N)={Host(H),Services(S),Privil eges(p)} Host(H)={H1,H2,,Hn,Firewall } Services(S)={ssh,HTTP,Iptable} Attack Packets(AP)={AP1,AP2,AP3,,APn} AP1={Host(H),Network(N),Data(D)} Output(O)={ K, Attack Graph, Iptable } Processing :- 1) Mappings from for Iptable :- Hosts to sets of services serv() :H 2S and privileges priv:p : H 2P 2) Value Of K L is logical proposition of asserts L=l1 v l2 v...ln k=min(k0d(fi union E0,fi)) Fi=Exploits 1<=i<=n K={0,1,2,3,,n} Fig3. Sequence of zero day attack Consider these 2 iptables tables policy:- 1) POLICY 1:- The rules defined in iptables are suppose to be in default setting,which accepts all requests. 2) POLICY 2:- The rules defined in iptables are configured to only specific IP s,excluding hostzero,to access ssh service. There are many flaws in the existing system so there is need of new system which tracks down the flaws in the existing system. Before proceeding it is necessary to know all the services are active on the network. The scenario proposed below is novel scenario and if we go through procedure in then it is easy to count the number of vulnerability possible in the network. Now let s see what is happening in each phase. Sequences Every service works differently as according to program that are written into it. Thus, make the different sequences of such services by using set theory. Example if host 1 can exploit the vulnerability on host 2 then in the matrix of n x n we will going to make corresponding field as 1(n is number of host). Fig5. Architecture of computing Computing is nothing but counting the number of vulnerabilities in the network by deriving various logic propositions rigorousness of the network is determined and vulnerabilities are kept aside. The assets related to it are taken away separately and attack graph tells the exact process of the services [3]. For the next phase determine safety for zero day upto the particular threshold by applying recursive methods. Its complexity will leads to the polynomial in size of zero day attack graph [3]. It means that whatever network assets are available it need to try that this assets would compromise the network upto certain threshold. There are many chances where value of k will become constant. The third phase consists of finding the shortest path via acyclic directed graph (DAG). As the remotely computer requires the privileges, same kind of zero day are arranged in a relation. Any algorithm can be applied to find out shortest path in the attack graph. It would IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 5

6 check from node to node and from each node there will be edge for knowing the connections statistics. There should be checking of each node visited or not and the statistic of such visited node have to be considered. Applying Here it shows the potential of the metric by applying it to the network hardening. It increases security and it can be done by changing some configuration. It also provides some solutions related to it so that security of the network will increase. This type of solutions could be valid or invalid thus only valid solutions would be taken into consideration. It takes care of the disabling services then in the network diversity it could be done by taking special care and by terminating each tree services. Counting is process of making final attack graph and determines the number of zero day attacks. This would inform to the network administrator to change settings or disabling the services which are acting currently and making vulnerabilities in it [7]. Currently all are taking efforts on making the attack graph which is little bit different kind to search the network security. The metric is varying day by day as the exploitation of the vulnerability is increasing. The concept of network hardening is currently stayed away but works also in the way to solve [7]. Empirical analysis has been done to know the actual effect of the attack [8]. The most of all are working on to provide security to particular applications but as the network sharing is increased everybody found that to work for the applications which are commonly used. The work was done only on one way to the system but it has to be done parallely. There are some tools need to be there to find it parallel this has been taken in account. Empirical study is aware of the vulnerability occur for the particular time period. Injections of attacks are generally considered as temporary task but it can be blocked by using solution of ant viruses sometimes [9]. The main thing is finding the location of an attacker so as to track such path via different locations [10]. Knowing the IP address of the system of an attacker it can be done but first it needs to find what was the path of the packet which was transmitted from the long distance. IV.Conclusion In this proposed paper of the k-zero day safety as a novel of network security metric,specifically, we have defined the k-zero day safety model and the metric satisfied the required algebraic properties of a metric function. We gone through the complexity of computing the metric and we have proposed efficient algorithms for determining the metric value. We are able to catch the total count of known and dynamic vulnerabilities in network which affect our system security. In previous system we are not able to calculate the risk of vulnerability as well as not able to rank the vulnerabilities for network hardening, this system provide this function. In this model we are using collaborative filtering for ranking vulnerabilities. In this model we are design practical model for firewall system. We configure optimal list of firewall rule list to make our system more secure and find the known as well as unknown and dynamic vulnerabilities in network. The scope of our metric is limited by the three basic assumptions about zero-day vulnerabilities (the existence of network connectivity, vulnerable services on destination host, and initial IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 6

7 privilege on source host). The model will be more suitable for application to the evaluation of penetration attacks launched by human attackers or network propagation of worms or bots in mission critical networks. An important future work is to broaden the scope by accommodating other types of attacks. REFERENCES [1] P. Mell, K. Scarfone, and S. Romanosky, Common Vulnerability Scoring System, IEEE Security and Privacy, vol. 4, no. 6, pp , Nov./Dec (24) [2] MITRE Corp., Common Weakness Scoring System (CWSS), org/cwss/, 2010.(37) [3] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, Measuring Network Security Using Dynamic Bayesian Network, Proc. Fourth ACM Workshop Quality of Protection (QoP 08), 2008.(9) [4] Kaur, R.; Singh, M., "Efficient hybrid technique for detecting zero-day polymorphic worms," Advance Computing Conference (IACC), 2014 IEEE International,pp.95,100, Feb [5] J. Homer, X. Ou, and D. Schmidt, A Sound And Practical Approach to Quantifying Security Risk in Enterprise Networks, technical report, Kansas State Univ., 2009.(12) [6] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, Validating and Restoring Defense in Depth Using Attack Graphs, Proc. IEEE Conf. Military Comm. (MILCOM 06), pp , 2006.(20) [7] N. Poolsappasit, R. Dewri, and I. Ray, Dynamic Security Risk Management Using Bayesian Attack Graphs, IEEE Trans. Dependable Secure Computing, vol. 9, no. 1, pp , Jan (31 [8] L. Wang, S. Jajodia, A. Singhal, and S. Noel, k-zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks, Proc. 15th European Conf. Research Computer Security (ESORICS 10), pp , 2010.(41) [9] Mohammed, M.M.Z.E.; Chan, H.A; Ventura, N.; Pathan, A-S.K., "An Automated Signature Generation Method for Zero-Day Polymorphic Worms Based on Multilayer Perceptron Model," Advanced Computer Science Applications and Technologies (ACSAT), 2013 International Conference on, vol., no., pp.450,455, Dec [10] Alosefer, Y.; Rana, O.F., "Predicting client-side attacks via behavior analysis using honeypot data," Next Generation Web Services Practices (NWeSP), th International Conference on Next Generation Web Services Practices, pp.31,36, Oct [11] D. Balzarotti, M. Monga, and S. Sicari, Assessing the Risk of Using Vulnerable Components, Proc. ACM Second Workshop Quality of Protection (QoP 05), pp , IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 7