A Framework for Analysis A Network Vulnerability




Tito Waluyo Purboyo (1), Kuspriyanto (2)
(1,2) School of Electrical Engineering & Informatics, Institut Teknologi Bandung, Jl. Ganesha 10, Bandung 40132, Indonesia

Abstract: Network administrators must rely on labour-intensive processes for tracking network configurations and vulnerabilities, which require a lot of expertise and are error-prone. Network vulnerabilities and their interdependencies are so complex that traditional vulnerability analysis becomes inadequate. Decision-support capability lets analysts make trade-offs between security and optimum availability, and shows how best to apply limited security resources. Recent work in network security has focused on the fact that a combination of exploits is the typical way in which an intruder breaks network security. Researchers have proposed various algorithms to generate attack trees (or graphs). In this paper, a framework, architecture and approach to network vulnerability analysis are presented.

Keywords: Network Vulnerability, Vulnerability Analysis, Attack, Attack Graph, Network Vulnerability Analysis

1. INTRODUCTION

While we cannot predict the origin and the time of attacks, we can reduce their impact by knowing the possible attack paths through the network. Reliance on manual processes and mental models is inadequate. Automated tools are needed for analysing and visualizing vulnerability dependencies and attack paths, and for understanding the overall security posture [1]. Attack graphs are constructed by starting an adversary at a given network location and, using information about the network topology and host vulnerabilities, examining how the attacker can progressively compromise vulnerable hosts that are reachable from already compromised hosts. Vulnerability scanners and analyses of the filtering performed by firewalls and routers are used to obtain information about host vulnerabilities and to determine host-to-host reachability in the network.
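The construction just described, host-to-host reachability derived from firewall filtering followed by progressive compromise of reachable vulnerable hosts, as a runnable example written for this page; it is not code from the paper or from any of the tools it surveys (MulVAL, NetSPA, TVA). It uses MulVAL-style predicate names and performs the same precondition/postcondition matching that the Prolog deduction engines of Section 2 do, but with a plain Python fixpoint loop in place of a Prolog interpreter. The zones, hosts, services, firewall rules and the vulnerability identifiers VULN-A, VULN-B and VULN-C are constructed for illustration only.

```python
"""Forward-chaining derivation of a logical attack graph (added example).

Not code from the paper or from MulVAL, NetSPA or TVA.  Hosts, zones, services,
firewall rules and vulnerability ids are constructed.  Predicate names follow
MulVAL's conventions (hacl, execCode, vulExists, networkServiceInfo), but the
engine is a plain Python fixpoint loop rather than a Prolog interpreter.
"""
HOSTS = ["attacker", "web", "db"]
ZONE = {"attacker": "internet", "web": "dmz", "db": "internal"}
# Zone-to-zone firewall policy: first match wins, default deny (constructed).
FIREWALL_RULES = [  # (src_zone, dst_zone, proto, port, action)
    ("internet", "dmz", "tcp", 80, "allow"),
    ("dmz", "internal", "tcp", 3306, "allow"),
    ("internet", "internal", "*", "*", "deny"),
]
# networkServiceInfo(host, program, proto, port, user the service runs as)
SERVICES = [("web", "httpd", "tcp", 80, "www"),
            ("db", "mysqld", "tcp", 3306, "mysql")]
# vulExists(host, vuln_id, program, range, consequence); ids are placeholders
VULNS = [("web", "VULN-A", "httpd", "remoteExploit", "privEscalation"),
         ("web", "VULN-B", "sudo", "localExploit", "privEscalation"),
         ("db", "VULN-C", "mysqld", "remoteExploit", "privEscalation")]

def firewall_allows(rules, src, dst, proto, port):
    """The 'analysis of filtering' step: same-zone traffic is unfiltered,
    otherwise the first matching zone-to-zone rule decides, else deny."""
    if ZONE[src] == ZONE[dst]:
        return True
    for s, d, p, pt, action in rules:
        if (s, d) == (ZONE[src], ZONE[dst]) and p in (proto, "*") and pt in (port, "*"):
            return action == "allow"
    return False

def initial_facts(rules=FIREWALL_RULES):
    """Ground facts: what a scanner import plus firewall analysis yields."""
    facts = {("execCode", "attacker", "root")}  # the attacker owns their own host
    facts |= {("networkServiceInfo",) + s for s in SERVICES}
    facts |= {("vulExists",) + v for v in VULNS}
    for src in HOSTS:
        for dst, _prog, proto, port, _user in SERVICES:
            if src != dst and firewall_allows(rules, src, dst, proto, port):
                facts.add(("hacl", src, dst, proto, port))  # host access control list
    return facts

def select(facts, pred, **where):
    """Facts of predicate `pred` whose argument positions a1, a2, ... match."""
    for f in facts:
        if f[0] == pred and all(f[int(k[1:])] == v for k, v in where.items()):
            yield f

def rule_remote_exploit(facts):
    # execCode(Dst, U) :- execCode(Src, _), hacl(Src, Dst, Pr, Po),
    #   networkServiceInfo(Dst, Prog, Pr, Po, U), vulExists(Dst, _, Prog, remoteExploit, privEscalation).
    for ec in select(facts, "execCode"):
        for acl in select(facts, "hacl", a1=ec[1]):
            _, _src, dst, proto, port = acl
            for svc in select(facts, "networkServiceInfo", a1=dst, a3=proto, a4=port):
                for vul in select(facts, "vulExists", a1=dst, a3=svc[2],
                                  a4="remoteExploit", a5="privEscalation"):
                    yield ("execCode", dst, svc[5]), f"remote exploit {vul[2]}", (ec, acl, svc, vul)

def rule_local_escalation(facts):
    # execCode(H, root) :- execCode(H, U), U \= root, vulExists(H, _, _, localExploit, privEscalation).
    for ec in select(facts, "execCode"):
        if ec[2] != "root":
            for vul in select(facts, "vulExists", a1=ec[1], a4="localExploit", a5="privEscalation"):
                yield ("execCode", ec[1], "root"), f"local escalation {vul[2]}", (ec, vul)

RULES = [rule_remote_exploit, rule_local_escalation]

def derive(facts):
    """Saturate the facts under RULES.  Each recorded edge (premises, label,
    conclusion) is one rule node of the logical attack graph."""
    facts, edges = set(facts), set()
    while True:
        before = len(facts)
        for rule in RULES:
            for conclusion, label, premises in list(rule(facts)):
                facts.add(conclusion)
                edges.add((premises, label, conclusion))
        if len(facts) == before:  # fixpoint: a full pass added nothing new
            return facts, edges

def attacker_can_run_as(host, user, rules=FIREWALL_RULES):
    """Is execCode(host, user) derivable?  Pass a modified rule set to test a
    candidate hardening change against the model before touching the network."""
    return ("execCode", host, user) in derive(initial_facts(rules))[0]

def to_dot(edges):
    """Graphviz source: fact nodes as ellipses, rule nodes as boxes."""
    lines = ["digraph attack_graph {"]
    for i, (premises, label, conclusion) in enumerate(sorted(edges, key=str)):
        lines.append(f'  r{i} [shape=box, label="{label}"];')
        lines += [f'  "{" ".join(map(str, p))}" -> r{i};' for p in premises]
        lines.append(f'  r{i} -> "{" ".join(map(str, conclusion))}";')
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    derived, graph = derive(initial_facts())
    print(sorted(f for f in derived if f[0] == "execCode"))
    print(to_dot(graph))
```

Running the block derives execCode(web, www), execCode(web, root) and execCode(db, mysql), but not execCode(db, root): the database host has no local-escalation vulnerability, and no hacl(attacker, db, ...) fact exists because the firewall denies internet-to-internal traffic, so the only route to the database runs through the web server. attacker_can_run_as() accepts an alternative rule set, which is how a candidate hardening change (for instance dropping the dmz-to-internal rule) can be evaluated against the model before it is pushed to the real network.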
Almost all approaches have a method of generating recommendations to patch critical vulnerabilities or make firewalls more restrictive. In addition, most of the existing implementations provide some type of attack graph display. However, the abstract nature of attack graphs has proven to be a serious practical weakness in creating an effective display [2]. Recently, many methods have been proposed to analyse the vulnerabilities in a network of hosts. One significant method is attack graph analysis [1, 2, 3]. The attack graph depicts the attack paths of a potential attacker, for a determined attacker is likely to penetrate deeper into the network by exploiting a chain of vulnerabilities. There are several methods to generate attack graphs. At first, attack graphs were produced manually by red teams. Later, the model checking tool NuSMV and TVA (Topological Vulnerability Analysis) tools were introduced to generate attack graphs automatically [3].

Network administrators face major challenges when confronted with software vulnerabilities on the hosts in their network. With the number of vulnerabilities found each year growing rapidly, it is not possible for system administrators to keep the software running on their networks free of security bugs. One of the everyday tasks of a system administrator is to read bug reports from various sources (such as CERT, Bugtraq, etc.) and understand what the reported security vulnerabilities really mean in the context of their own network. When a new vulnerability appears, assessing its impact on network security is important in choosing the right countermeasure: patch and reboot, reconfigure the firewall, unmount the file-server partition, and so on [5]. In Section 2 we discuss the framework, approach and model for vulnerability analysis.

2. FRAMEWORK, APPROACH, MODEL FOR VULNERABILITY ANALYSIS

In this section, we discuss some frameworks, approaches and models for vulnerability analysis.
2.1 Topological Vulnerability Analysis (TVA)

Figure 1 is an overview of the TVA approach to constructing and analysing attack graphs. Network capture gathers the data used to build a network model, particularly with respect to the relevant security attributes. The vulnerability database is a comprehensive repository of reported vulnerabilities; each vulnerability record lists the affected software (and hardware). Exploit conditions encode how each vulnerability can be exploited (preconditions) and the results of exploitation (postconditions). Network capture collects data about the network being maintained in terms of the corresponding elements of the vulnerability database and the exploit conditions. Together, these inputs are used to build an environment model for multi-step attack graph simulation [1].

Volume 2, Issue 4, July-August 2013, Page 405

Figure 1 Topological Vulnerability Analysis (TVA) [1]

The model is used by the graph engine to simulate multi-step attacks through the network, for attack scenarios defined by the user. The engine analyses vulnerability dependencies by matching exploit preconditions and postconditions, thus generating all possible attack paths through the network (for a given attack scenario). The system then provides advanced capabilities for interactive visual analysis of the attack graph. It also calculates optimal countermeasures, for example the minimum number of network changes needed to thwart an attack scenario.

2.2 System architecture of the NetSPA tool

The NetSPA system is composed of several software components. Importers, written in Perl, are responsible for reading raw data such as Nessus scans, firewall rule sets and NVD database records (NVD 2007), and for converting the data into a custom binary file format for later use. A small program (written in C) acts as a vulnerability classifier. This program is designed to identify a vulnerability's locality (remote or local access) and effect (whether root, user, DoS, or some other privilege level is obtained). It uses a pattern-matching algorithm that has been trained on a sample vulnerability data set; the classifier was built using the freely available LNKNet tool. The engine, written in C++, is responsible for computing reachability, generating attack graphs, and analysing the graphs to generate recommendations. The engine reads the network model from the custom binary file produced by the importer. The block diagram in Figure 2 gives an overview of the design of the NetSPA system [2].

Figure 2 System architecture of NetSPA tool [2]

2.3 Architecture of the intelligent vulnerability analysis model

An attack graph is a state transition diagram which depicts the ways in which attackers exploit known vulnerabilities to reach a desired state. The architecture of the intelligent vulnerability analysis model is illustrated in Figure 3.

Figure 3 Architecture of intelligent vulnerability analysis model [3]

The architecture (Figure 3) contains three modules. The vulnerability scanning module scans the hosts in the network. The vulnerability classification module classifies the vulnerability patterns found in the scanning report into two types, application vulnerabilities and misconfiguration vulnerabilities, and the classified vulnerability information is input into the deduction engine as fact files. The deduction engine module generates atomic attacks and attack graphs [3].

Figure 4 Fragment of Deduction Engine [3]

Figure 4 is a fragment of the deduction engine. The Prolog language is used to simulate the behaviour of the attacker's intrusion, and a set of Prolog rules is introduced. Compared to algorithms written in C or Java, Prolog rules are more concise. Fact files from the vulnerability classification module and rule files from the security knowledge library are input into the deduction engine. Given the target query in the automated interactive interface, the GNU Prolog interpreter can automatically generate atomic attacks and attack graphs [3].

2.4 Framework for Efficient Vulnerability Analysis

The framework for efficient vulnerability analysis is shown in Figure 5. The framework is very similar to the MulVAL framework [5]. The differences between the two frameworks are mainly the extended security policies given as input to the system and the interaction between the attack graph and the analysis engine.

Figure 5 Framework for Efficient Vulnerability Analysis [4]

For Windows XP, Saha [4] uses the rules provided by Netra, and for SELinux the rules provided by PAL. The attack graph is shown to the user in the uDrawGraph environment. uDrawGraph is freely available graph-viewing software with various abstraction functions to hide, view or zoom a graph or part of it, which are exposed to the user for easy navigation and viewing of attack graphs. It also accepts graph input in Prolog term format, which is convenient to generate from a Prolog environment, and it exposes hooks that can be used to attach user-defined functions to events. Saha uses its API to present customized menu functionality for various analyses on attack graphs, and uses these features to make the attack graph interactive: the user can select fact nodes, delete or undelete them, and see the effect on the attack graph. Depending on the user's options, changes made in the graphical environment can affect the actual network and hosts, or can temporarily affect only the facts in the Prolog environment without affecting the actual configuration.
The user of the system can see the effect first and then decide to push the changes to the actual network [4].

3. ATTACK GRAPH GENERATION

Attack graphs play a vital role in network security, as they immediately indicate the existence of vulnerabilities in the network and how attackers can use those vulnerabilities to carry out an effective attack. Analysis of the attack graph, or simulation of dynamic attacks through it, helps us identify the vulnerabilities in the network and take the corresponding security measures to reinforce network security. Not all attackers aim to take control of the target network. In satellite communication networks, for example, it is really hard to get privileges escalated; account cheating and resource wasting are more effective attacks. Taking network performance into consideration, Zhao et al. [6] introduce loss of performance into the attack graph status and define it as a Virtual Performance Node (VPN; in this paper the abbreviation does not mean a virtual private network). In [6], Zhao et al. propose a new method for generating attack graphs based on these VPNs:

Algorithm: AG_Generation(H, R, s0)
Input: host attributes (H), attack rules (R), initial status (s0)
Output: attack graph AG
Begin
  Step 1. Build the network status queue, named status_que, and add s0 to it.
  Step 2. Take the next status from status_que. Go to Step 3 if this status has not been dealt with yet; otherwise quit.
  Step 3.
    a) Take every host as attack source and every host as attack target, one pair at a time.
    b) If the value in the Link Matrix for these two hosts (which may be the same host) is 1, check the attack rules and identify the eligible ones.
    c) Execute every attack allowed by these rules, generating a new status each time. If the new status does not yet exist in status_que, add it to the queue.
    d) Generate Graphviz code to plot the attack edge and nodes from the previous status to the new status. The probability of this attack can also be determined from the attack rules.
    e) Go to Step 2 after every host pair has been tried.
End
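AG_Generation as a runnable Python program, added here as an illustration; it is not the code of Zhao et al. [6] or of this paper. The hosts, link matrix, attack rules and probabilities are constructed. A status is a set of (host, attribute, value) triples so that, as described above, a loss-of-performance outcome (here from a resource-exhaustion attack) becomes its own node, a Virtual Performance Node, alongside the privilege-gaining states. One detail is made explicit that the listing leaves open: a status already dealt with is skipped rather than ending the run, and a status counts as "existing in status_que" from the moment it is enqueued, so step 3c still rejects it after it has been dequeued.

```python
"""State-space attack graph generation in the style of AG_Generation (Section 3).

Added worked example; it is not the code of Zhao et al. [6] or of this paper.
The hosts, link matrix, attack rules and probabilities are constructed for
illustration.  A network status is a frozenset of (host, attribute, value)
triples; besides a privilege level it carries a performance attribute per host,
so a degraded-performance outcome becomes a Virtual Performance Node (VPN in the
paper's sense, not a virtual private network).
"""
from collections import deque
from dataclasses import dataclass

# Host attributes (H): the kinds of weakness each host carries.  Constructed.
HOSTS = {
    "attacker": set(),
    "web": {"remote_vuln", "local_vuln"},
    "db": {"remote_vuln", "dos_vuln"},
}
# Link matrix: entry 1 where src can reach dst; a host always links to itself.
LINKS = {("attacker", "web"), ("web", "db")} | {(h, h) for h in HOSTS}


@dataclass(frozen=True)
class AttackRule:
    name: str
    same_host: bool        # local attack (src == dst) or remote (src != dst)
    src_priv: frozenset    # privilege the attacker needs on src
    dst_attr: str          # weakness dst must have
    pre: tuple             # (attribute, value) required on dst
    post: tuple            # (attribute, value) written on dst
    prob: float            # success probability recorded on the edge


RULES = [
    AttackRule("remote_exploit", False, frozenset({"user", "root"}),
               "remote_vuln", ("priv", "none"), ("priv", "user"), 0.7),
    AttackRule("local_escalation", True, frozenset({"user"}),
               "local_vuln", ("priv", "user"), ("priv", "root"), 0.5),
    # Resource exhaustion gains no privilege; the target's degraded performance
    # is recorded in the status, producing a Virtual Performance Node.
    AttackRule("resource_exhaustion", False, frozenset({"user", "root"}),
               "dos_vuln", ("perf", "ok"), ("perf", "degraded"), 0.9),
]

# s0: the attacker controls only their own host; everything else is clean.
S0 = frozenset({("attacker", "priv", "root")}
               | {(h, "priv", "none") for h in HOSTS if h != "attacker"}
               | {(h, "perf", "ok") for h in HOSTS})


def value(status, host, attr):
    return next(v for h, a, v in status if h == host and a == attr)


def with_value(status, host, attr, new):
    """Copy of status with (host, attr) overwritten; statuses are immutable."""
    return frozenset(t for t in status if (t[0], t[1]) != (host, attr)) | {(host, attr, new)}


def eligible(rule, status, src, dst):
    """Step 3b: does this attack rule apply to (src, dst) in this status?"""
    return ((src == dst) == rule.same_host
            and value(status, src, "priv") in rule.src_priv
            and rule.dst_attr in HOSTS[dst]
            and value(status, dst, rule.pre[0]) == rule.pre[1])


def generate(hosts=HOSTS, rules=RULES, s0=S0, links=LINKS):
    """AG_Generation(H, R, s0): breadth-first expansion of the status queue.
    Returns (statuses, edges); an edge is (from, to, rule name, probability)."""
    status_que = deque([s0])
    seen = {s0}    # every status ever queued, so step 3c never re-adds one
    done = set()   # statuses already expanded (step 2)
    edges = []
    while status_que:
        status = status_que.popleft()
        if status in done:
            continue
        done.add(status)
        for src in hosts:                       # step 3a: every (src, dst) pair
            for dst in hosts:
                if (src, dst) not in links:     # step 3b: link matrix entry is 0
                    continue
                for rule in rules:
                    if eligible(rule, status, src, dst):
                        new_status = with_value(status, dst, *rule.post)  # step 3c
                        if new_status not in seen:
                            seen.add(new_status)
                            status_que.append(new_status)
                        edges.append((status, new_status, rule.name, rule.prob))
    return done, edges


def label(status):
    """Node label listing only the non-default attributes of a status."""
    return ", ".join(f"{h}:{a}={v}" for h, a, v in sorted(status) if v not in ("none", "ok"))


def to_dot(edges):
    """Step 3d: Graphviz source; each edge is labelled with rule and probability."""
    lines = ["digraph attack_graph {", "  node [shape=box];"]
    for src, dst, name, p in edges:
        lines.append(f'  "{label(src)}" -> "{label(dst)}" [label="{name} p={p}"];')
    return "\n".join(lines + ["}"])


def can_reach(statuses, host, attr, val):
    """Does any generated status give (host, attr) == val?"""
    return any(value(s, host, attr) == val for s in statuses)
```

On the constructed network the program generates nine statuses and thirteen edges. The attacker never obtains root on the database host (there is no local vulnerability there), but does reach the status in which the web server is rooted, the database is compromised as the service user and its performance is degraded; the resource-exhaustion edges are exactly the ones a privilege-only attack graph would omit. to_dot() returns the Graphviz source for step 3d, ready to be rendered with dot.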

In [7], Zhong et al. explain that after gathering information about the network they are able to generate a description of the hosts. Combined with the attack rule library and the attacker profiles given by the network security analyst, the attack graph generator is able to generate an attack graph of the network through the algorithm described in Figure 7. Figure 6 shows the architecture of this system.

Figure 6 Architecture of attack graph generation [7]

Figure 7 Algorithm to generate attack graph [7]

The nodes in an attack graph generated by the above algorithm represent the hosts in the network. The attack graph contains attack routes from the attacker's host to all the victims. The condition in line 7 of the algorithm guarantees that there are no loops in the attack graph, and also that each attack route is a shortest route. That is, each attack path in the attack graph is the shortest route from the attacker's host to the victim.

4. THE PROPOSED FRAMEWORK

Based on the studies conducted so far, we propose a new framework, shown in Figure 8.

Figure 8 The Proposed Framework for Network Vulnerability Analysis (components: Asset, Firewall Rules, Topology; Extractor; Model; Attack Graph Generator; Attack Graph; Reducer; Evaluator; Hardener; Optimal Hardening)

The proposed framework will be implemented using software that will be developed by the researchers. The sources of the network data are shown in Figure 9.

Figure 9 The Sources of Network Data (Asset Inventory: OVAL, McAfee Foundscan, Symantec Discovery, Nessus, Retina, Altiris; Firewall Rules: Checkpoint, Secure Sidewinder; Topology: Reachability, IP base, Connectivity, Adjacency; vulnerability data: NVD, CVE, OSVDB)

A simulation study implementing our framework will be presented in the next paper.

5. Conclusion

This paper discussed some of the frameworks, architectures and approaches for analysing the vulnerability of computer networks.

Attack graphs provide a powerful way to understand the context and the relative importance of vulnerabilities in systems and networks. Attack graph analysis depends on a complete and accurate model of the network. Such models are usually built using data from remote network vulnerability scanners such as Nessus. However, remote scanning has a fundamental limitation on the information available about the target host. Our future work is to improve the framework and to develop a model for vulnerability analysis that includes the metrics in [8, 11, 12, 13]. A simulation study will also be presented in our next paper.

References

[1] S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O'Hare, K. Prole, "Advances in Topological Vulnerability Analysis," IEEE CATCH 2009.
[2] L. Williams, R. Lippmann, K. Ingols, "An Interactive Attack Graph Cascade and Reachability Display," VizSEC 2007.
[3] W. Yi, X. Jinghua, "An Intelligent Model for Vulnerability Analysis Using Attack Graph," International Forum on Information Technology and Applications, 2009.
[4] D. Saha, "Extending Logical Attack Graphs for Efficient Vulnerability Analysis," CCS '08, Alexandria, Virginia, USA, October 27-31, ACM, 2008.
[5] X. Ou, S. Govindavajhala, A. W. Appel, "MulVAL: A Logic-based Network Security Analyzer," in SSYM '05: Proceedings of the 14th USENIX Security Symposium, Berkeley, CA, USA, 2005.
[6] Y. Zhao, Z. Wang, X. Zhang, J. Zheng, "An Improved Algorithm for Generation of Attack Graph Based on Virtual Performance Node," International Conference on Multimedia Information Networking and Security, 2009.
[7] S. Zhong, D. Yan, C. Liu, "Automatic Generation of Host-based Attack Graph," World Congress on Computer Science and Information Engineering, 2009.
[8] T. W. Purboyo, B. Rahardjo, Kuspriyanto, I. M. Alamsyah, "A New Metrics for Predicting Network Security Level," Journal of Global Research in Computer Science, Vol. 3, No. 3, March 2012.
[9] T. W. Purboyo, B. Rahardjo, Kuspriyanto, "Security Metrics: A Brief Survey," 2011 International Conference on Instrumentation, Communication, Information Technology and Biomedical Engineering, Bandung, Indonesia, 8-9 November 2011.
[10] Irawati, T. W. Purboyo, "Developing Computer Program for Computing Eigenpairs of 2x2 Matrices and 3x3 Upper Triangular Matrices Using the Simple Algorithm," Far East Journal of Mathematical Sciences (FJMS), Vol. 56, Issue 2, pp. 185-200, September 2011.
[11] T. W. Purboyo, Kuspriyanto, "New Non Path Metrics for Evaluating Network Security Based on Vulnerability," International Journal of Computer Science Issues, Vol. 9, Issue 4, July 2012.
[12] T. W. Purboyo, Kuspriyanto, "Attack Graph Based Security Metrics: State of the Art," International Journal of Science and Engineering Investigations, Vol. 1, Issue 7, August 2012.
[13] T. W. Purboyo, Kuspriyanto, "Some Algorithm for Generating Attack Graph," International Journal of Advanced Research in Computer Science and Software Engineering, Vol. 2, Issue 8, August 2012.

AUTHORS

Tito Waluyo Purboyo has been a Ph.D. student at Institut Teknologi Bandung since August 2010. He received his Master's degree in mathematics from Institut Teknologi Bandung in 2009. He is currently a research assistant at the Department of Computer Engineering, School of Electrical Engineering and Informatics, Institut Teknologi Bandung. His research interests include security, cryptography, physics and mathematics.

Kuspriyanto is Professor of Computer Engineering at Institut Teknologi Bandung. He received his D.E.A. in Automatic Systems (1979) from USTL, France, and his Ph.D. in Automatic Systems (1981) from the same university. He is a lecturer in the Computer Engineering Department, School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Indonesia. His fields of interest include network security, neural networks, genetic algorithms, robotics, real-time systems, etc.