1 / 48

A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior

This study presents a quantitative model of the security intrusion process based on attacker behavior, with a focus on assessing security vulnerabilities and fault-tolerance. It includes experimental data, modeling, and a hypothesis regarding typical attacker behavior.

cbritt
Download Presentation

A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior Erland Jonsson and Tomas Olovsson IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23 NO. 4, APRIL 1997 Presented by Huan-Ting,Chen 2007/4/30

  2. Author • Erland Jonsson • Chalmers University of Technology, Göteborg, Sweden • -His major research interests include issues regarding the quantitative assessment of security. Tomas Olovsson -Chalmers University of Technology, Göteborg, Sweden -His current research areas are security with an emphasis on assessment of operational security, fault-tolerance. OPLab,IM,NTU

  3. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  4. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  5. Introduction • The traditional security evaluation is usually based on the classes of various security evaluation criteria. • These classes primarily reflect static design properties and the development process of the system, but do not incorporate the interaction with the operational environment. OPLab,IM,NTU

  6. Introduction • We have tried to model intrusion process in quantitative terms. • We have carried out a practical intrusion experiment and collected the empirical data. OPLab,IM,NTU

  7. Introduction • Based on empirical data , we have worked out a hypothesis on typical attacker behavior. • Another objective of the experiment was to gain some general knowledge of the intrusion process and the exploited vulnerabilities. OPLab,IM,NTU

  8. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusion OPLab,IM,NTU

  9. Experiment • The experiment was conducted during a 4-week period. • There were three different kinds of actors involved in the experimentation: - attackers - coordinator - system administrator OPLab,IM,NTU

  10. Experiment • The target system consisted of a set of 24 SUN ELC diskless workstations connected to one file-server, all running SunOS 4.1.2. • The system itself was configured as a “standard” configuration. OPLab,IM,NTU

  11. Experiment • We were aiming for attackers that could be considered to be the “normal” users of the system. • We decided to use undergraduate students from our university. • There were 24 attackers (12 groups) participating in the experiment. OPLab,IM,NTU

  12. Experiment • Rules for the Attackers : - A security breach occurs whenever they succeed in doing something they were not normally allowed to do. - The attack teams were forbidden to cooperate with other teams. - The attackers were not allowed to cause physical damage to the system. OPLab,IM,NTU

  13. Experiment • The coordinator’s role was to monitor and coordinate all activities during the experiment. • The followings are that the coordinator had to make sure - the attackers and the system administrator were complying with the experimental rules - the activities of attackers would not interfere with each other OPLab,IM,NTU

  14. Experiment • The system administrator would monitor the system in the usual way and not intensify his search for security violations or other unwanted user behavior. OPLab,IM,NTU

  15. Experiment • In addition to automatically logging and recording data, the attackers were required to perform extensive manual reporting. • There were three manual reports of “fill-in form” type: - the background report - the activity report - the evaluation report OPLab,IM,NTU

  16. Experiment • The background report was submitted before the experiment started. • The attackers were to document their background together with their interest and motivation for participating in the experiment. OPLab,IM,NTU

  17. Experiment • Each activity report contained data for one specific activity, such as working time. • After the experiment, the attackers were asked to write a evaluation report. OPLab,IM,NTU

  18. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  19. Recorded Data • The most tangible parameters are the time parameters. - tA = working time for group member A, when working alone - tB = working time for group member B, when working alone - tA+B = time when group members A and B work together OPLab,IM,NTU

  20. Recorded Data • The individual working time parameters can be combined in two obvious ways to yield a useful variable for time measurement: - tgw = tA + tB+ tA+B = group working time - taw = tA + tB + 2 · tA+B = attacker working time OPLab,IM,NTU

  21. Recorded Data • Resource Parameters - network resources - other written media - human resources - programs developed by the attacker OPLab,IM,NTU

  22. Recorded Data • Resource Parameters - existing programs - processor usage on the target workstation - use of external computers OPLab,IM,NTU

  23. Recorded Data • The resource-related data is more difficult to quantify than the time-related data. • We decided to allow the resources to form a part of the environment of the system. OPLab,IM,NTU

  24. Recorded Data • The rationale for this assumption is that the same resources were equally available to all attackers, thus forming a fairly uniform environment. OPLab,IM,NTU

  25. Recorded Data • Skill Level - We required that the attackers, before the experiment started, stated their skill level denoted, SnX , X ∈ (A, B) , n ∈(1, 12). - It was necessary to derive a skill level that was representative for the group, Sn, where n is the group number. OPLab,IM,NTU

  26. Recorded Data • Skill Level OPLab,IM,NTU

  27. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  28. Modeling the Intrusion Process • The figure shows the accumulated working times for consecutive breaches. OPLab,IM,NTU

  29. Modeling the Intrusion Process • The Low Cluster - group 2 and 12 - the skill level of these groups clearly were below all other groups • Our interpretation of these facts is that the two groups in the low cluster are still in their learning phase. OPLab,IM,NTU

  30. Modeling the Intrusion Process • The High Cluster - 10 groups - they show a consistent behavior with a short time between breaches OPLab,IM,NTU

  31. Modeling the Intrusion Process • We will test the statistical hypothesis that the times to breach are exponentially distributed. • This test is based on the following necessary preconditions: - 1. The recorded data refers to the same phenomenon OPLab,IM,NTU

  32. Modeling the Intrusion Process - 2. The data for the different groups are independent - 3. The breach process is stationary OPLab,IM,NTU

  33. Modeling the Intrusion Process • The diagram in Fig. 4 below shows the accumulated working time (tgw) to breach n for the high cluster. OPLab,IM,NTU

  34. Modeling the Intrusion Process • We extracted the differential working times for each breach. OPLab,IM,NTU

  35. Modeling the Intrusion Process intermediate early late OPLab,IM,NTU

  36. Modeling the Intrusion Process • Using the mean value of the sample times to breach, , and the standard deviation, Sclass, for the three classes with sample sizes nclass, we calculate the confidence intervals, Cclass, on the 95% level : class OPLab,IM,NTU

  37. Modeling the Intrusion Process • Testing data for exponential distribution - We grouped the sample in intervals according to Table 4. OPLab,IM,NTU

  38. Modeling the Intrusion Process • The expectation value E[ξ] = -1 of the assumed exponential distribution was estimated to be 4.06 hours. • The chi-square distance can then be calculated as 2.07. • The probability that the chi-square distribution with k – 1 – 1 = 4 degrees of freedom will exceed 2.07 is as high as 72%. OPLab,IM,NTU

  39. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  40. A Hypothesis For The Intrusion Process • Based on the recorded data, and in particular on the skill level, we have formulated a generic hypothesis for the intrusion process. OPLab,IM,NTU

  41. A Hypothesis For The Intrusion Process • The learning phase - a low-skilled attacker would have to start by raising his skill level - his knowledge may be below some minimal attacking skill threshold - attackers above the attacking skill threshold are able to start an active attacking process directly OPLab,IM,NTU

  42. A Hypothesis For The Intrusion Process • The standard attack phase - test all attack methods - search for documented vulnerabilities • During the standard attack phase, the goodness-of-fit test performed indicates that the time to breach is exponentially distributed. OPLab,IM,NTU

  43. A Hypothesis For The Intrusion Process • The innovative attack phase - When all “standard” attack methods have been tested, the attacking process enters a more complicated phase. - The probability for success is expected to be much lower and the time to perform a successful breach much longer. OPLab,IM,NTU

  44. Outline • Introduction • Experiment • Recorded Data • Modeling the Intrusion Process • A Hypothesis For The Intrusion Process • Conclusions OPLab,IM,NTU

  45. Conclusions • We performed a practical intrusion test on a distributed computer system and collected data related to the difficulty of making these intrusions. • These data seem to support our hypothesis that the intrusion process can be split into three distinctive phases: the learning phase, the standard attack phase, and the innovative attack phase. OPLab,IM,NTU

  46. Conclusions • Most of the data collected can be related to the standard attack phase. • The times between consecutive breaches during the standard attack phase are exponentially distributed. OPLab,IM,NTU

  47. Thanks for your listening OPLab,IM,NTU

  48. OPLab,IM,NTU

More Related