350 likes | 461 Vues
Evaluating Network Security with Two-Layer Attack G raphs. Anming Xie Zhuhua Cai Cong Tang Jianbin Hu Zhong Chen ACSAC (Dec., 2009) . Outline. Introduction Related Work Model Examples Conclusion. Attack Graphs. Describe attack scenarios
E N D
Evaluating Network Security with Two-Layer Attack Graphs AnmingXie ZhuhuaCai Cong Tang JianbinHu ZhongChen ACSAC (Dec., 2009)
Outline • Introduction • Related Work • Model • Examples • Conclusion
Attack Graphs • Describe attack scenarios • Play important roles in analyzing network vulnerabilities
Problems • Although there are many previous works on attack graphs about evaluating network security, some problems still need to be addressed • Scalability • Several targets for overall security of networks • Inside malicious attackers’ attacks
The Work of The Paper • Firstly, propose a new generation model • Generate two-layer attack graphs model to reduce computation costs • Then, propose a measurement methodology • Evaluate network security based on adjacency matrixes
Network Security Metrics • Traditionally, focus on vulnerabilities as static values in different networks • However, ignore how they could be exploitedby the attackers • An attack graph describe s all the possible ways to break into a network, and reveals actual effect among vulnerabilities
Outline • Introduction • Related Work • Model • Examples • Conclusion
Related Works • Resulting attack graphs are sometimes too large to be computed • Lacks meaningful and efficient suggestions to evaluate network security
Outline • Introduction • Related Work • Model • Examples • Conclusion
A. Generation Model • Two assumptions • Preconditions on an exploit would never be changed from satisfied to unsatisfied • Attackers only need user access privileges at source host when exploiting vulnerabilities at target host
A. Generation Model • The two-layer model • Lower layer • Describe all of the detailed attack scenarios between each host-pair • Set up host-pair attack graphs to describe attack sequences from one source host to one target host directly • Show how attackers obtain user or root access privileges at the target host • N * N host-pair attack graphs at most with N hosts
A. Generation Model • The two-layer model • Upper layer • Set up host access attack graphs to show the direct access relationships among hosts • A node represents a host in networks, and a directed edge between two nodes represents the access relationship between the corresponding two hosts
A. Generation Model • Generation of host-pair attack graphs • Just deal with host’s configurations, vulnerabilities, its network connection with source host • Be generated very quickly and the size is small
A. Generation Model • Generation of hosts access attack graphs • Built on the results of the host-pair attack graphs • Add a directed edge to the corresponding nodes in hosts access graph • Edge’s label shows the corresponding privilege which could be obtained
B. Analysis on probability of success • Used in analysis of network security • Firstly • apply probability of success to each atomic exploit • Secondly • calculate the probabilities of obtaining user and root privileges successfully for each host-pair attack graph • Finally • change the edges’ label of the hosts access graph as (HPAGID, Puser, Proot)
C. Analysis on Adjacency Matrixes • In order to evaluate the overall network, composite these attack probabilities to a global measurement dynamically based on adjacency matrixes • A network with N nodes, draw a hosts access graph withN +1 nodes • Use H1, H2, · · ·, Hn to indicate hosts in the target network, and use H0 to indicate an attacker’s host.
C. Analysis on Adjacency Matrixes • Element uijindicates the probability of obtaining user privilegefrom host Hi to host Hj • C = F(A,B) • A, B, C are matrixes • F is defined as
C. Analysis on Adjacency Matrixes • Define the power iterationsof Function F • Stable matrix • User adjacency matrix U • maximum • Root adjacency matrix R • maximum
D. Network Security Measurement • Total prospective damage of whole network brought by this attacker in host Hiis • the set of important hosts in network is C, C ⊆ H • Dangerous Score • Indicate the security level of a network • use wk rather than duk and drk. For each host Hk in C, wk is its important factor, where 0 ≤ wk ≤ 1
D. Network Security Measurement • Transition score, which evaluates the host’s action as a stepping stone when an outside attacker attacks the network
Outline • Introduction • Related Work • Model • Examples • Conclusion
C. Network Security Evaluation • Assume the set of important hosts in network is C = {F,D} • Obtain user privilege • Prospective damage du = {200, 2000} • Obtain root privilege • Prospective damage dr= {2000, 10000}
C. Network Security Evaluation • Total prospective damage potentially caused by outside attackers • Total prospective damage potentially caused by inside attackers 1
C. Network Security Evaluation • Set important factors wk for each host Hk in C • set w = {0.2, 1} • 0.2 for host F, 1 for host D • Dangerous Score • Transition Score
Outline • Introduction • Related Work • Model • Examples • Conclusion
Conclusion • A novel generation approach and a measurement methodology • Apply the probability of success to our attack graphs • Results not only describe the potential attack probabilities of success launched from an outside attacker, but also describe the potential attack probabilities launched from inside malicious users • Draw gray scale images to indicate the overall network security
Q & A Thank you!