This study presents a quantitative model of the security intrusion process based on attacker behavior, with a focus on assessing security vulnerabilities and fault-tolerance. It includes experimental data, modeling, and a hypothesis regarding typical attacker behavior.
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
Erland Jonsson and Tomas Olovsson
IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23 NO. 4, APRIL 1997
Presented by Huan-Ting Chen, 2007/4/30
Author
• Erland Jonsson
  - Chalmers University of Technology, Göteborg, Sweden
  - His major research interests include issues regarding the quantitative assessment of security.
• Tomas Olovsson
  - Chalmers University of Technology, Göteborg, Sweden
  - His current research areas are security, with an emphasis on the assessment of operational security, and fault-tolerance.
OPLab,IM,NTU
Outline
• Introduction
• Experiment
• Recorded Data
• Modeling the Intrusion Process
• A Hypothesis For The Intrusion Process
• Conclusions
Introduction
• Traditional security evaluation is usually based on the classes of the various security evaluation criteria.
• These classes primarily reflect static design properties and the development process of the system, but do not incorporate the interaction with the operational environment.
Introduction
• We have tried to model the intrusion process in quantitative terms.
• We have carried out a practical intrusion experiment and collected the empirical data.
Introduction
• Based on the empirical data, we have worked out a hypothesis on typical attacker behavior.
• Another objective of the experiment was to gain some general knowledge of the intrusion process and the exploited vulnerabilities.
Experiment
• The experiment was conducted during a 4-week period.
• There were three different kinds of actors involved in the experimentation:
  - attackers
  - coordinator
  - system administrator
Experiment
• The target system consisted of a set of 24 SUN ELC diskless workstations connected to one file-server, all running SunOS 4.1.2.
• The system itself was set up as a “standard” configuration.
Experiment
• We were aiming for attackers that could be considered to be the “normal” users of the system.
• We decided to use undergraduate students from our university.
• There were 24 attackers (12 groups) participating in the experiment.
Experiment
• Rules for the Attackers:
  - A security breach occurs whenever they succeed in doing something they were not normally allowed to do.
  - The attack teams were forbidden to cooperate with other teams.
  - The attackers were not allowed to cause physical damage to the system.
Experiment
• The coordinator’s role was to monitor and coordinate all activities during the experiment.
• The coordinator had to make sure that:
  - the attackers and the system administrator were complying with the experimental rules
  - the activities of the attackers would not interfere with each other
Experiment
• The system administrator would monitor the system in the usual way and not intensify his search for security violations or other unwanted user behavior.
Experiment
• In addition to the automatic logging and recording of data, the attackers were required to perform extensive manual reporting.
• There were three manual reports of the “fill-in form” type:
  - the background report
  - the activity report
  - the evaluation report
Experiment
• The background report was submitted before the experiment started.
• The attackers were to document their background together with their interest and motivation for participating in the experiment.
Experiment
• Each activity report contained data for one specific activity, such as working time.
• After the experiment, the attackers were asked to write an evaluation report.
Recorded Data
• The most tangible parameters are the time parameters:
  - t_A = working time for group member A, when working alone
  - t_B = working time for group member B, when working alone
  - t_A+B = time when group members A and B work together
Recorded Data
• The individual working time parameters can be combined in two obvious ways to yield a useful variable for time measurement:
  - t_gw = t_A + t_B + t_A+B = group working time
  - t_aw = t_A + t_B + 2 · t_A+B = attacker working time
Recorded Data
• Resource Parameters
  - network resources
  - other written media
  - human resources
  - programs developed by the attacker
  - existing programs
  - processor usage on the target workstation
  - use of external computers
Recorded Data
• The resource-related data is more difficult to quantify than the time-related data.
• We decided to let the resources form a part of the environment of the system.
Recorded Data
• The rationale for this assumption is that the same resources were equally available to all attackers, thus forming a fairly uniform environment.
Recorded Data
• Skill Level
  - We required that the attackers, before the experiment started, stated their skill level, denoted S_nX, X ∈ {A, B}, n ∈ {1, …, 12}.
  - It was necessary to derive a skill level that was representative for the group, S_n, where n is the group number.
Recorded Data
• Skill Level (figure or table of the skill levels; not reproduced in the text)
Modeling the Intrusion Process
• The figure (not reproduced in the text) shows the accumulated working times for consecutive breaches.
Modeling the Intrusion Process
• The Low Cluster
  - groups 2 and 12
  - the skill level of these groups was clearly below that of all other groups
• Our interpretation of these facts is that the two groups in the low cluster are still in their learning phase.
Modeling the Intrusion Process
• The High Cluster
  - 10 groups
  - they show a consistent behavior with a short time between breaches
Modeling the Intrusion Process
• We will test the statistical hypothesis that the times to breach are exponentially distributed.
• This test is based on the following necessary preconditions:
  - 1. The recorded data refers to the same phenomenon
  - 2. The data for the different groups are independent
  - 3. The breach process is stationary
Modeling the Intrusion Process
• The diagram in Fig. 4 (not reproduced in the text) shows the accumulated working time (t_gw) to breach n for the high cluster.
Modeling the Intrusion Process
• We extracted the differential working times for each breach.
Modeling the Intrusion Process
• (figure, not reproduced in the text: the differential times to breach divided into the early, intermediate and late classes)
Modeling the Intrusion Process
• Using the mean value of the sample times to breach and the standard deviation, S_class, for the three classes with sample sizes n_class, we calculate the confidence intervals, C_class, on the 95% level (formula not reproduced in the text).
Modeling the Intrusion Process
• Testing the data for exponential distribution
  - We grouped the sample in intervals according to Table 4 (not reproduced in the text).
Modeling the Intrusion Process
• The expectation value E[ξ] of the assumed exponential distribution (the inverse of its rate) was estimated to be 4.06 hours.
• The chi-square distance can then be calculated as 2.07.
• The probability that the chi-square distribution with k – 1 – 1 = 4 degrees of freedom will exceed 2.07 is as high as 72%.
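The goodness-of-fit procedure described on the modeling slides, worked through in Python as an added example (this is not code from the paper or from the presentation). It converts accumulated working time to breach into differential times, estimates the mean, bins the sample into intervals of equal expected probability under the fitted exponential, computes the chi-square distance and the probability of exceeding it with k – 1 – 1 degrees of freedom, and gives the 95% confidence interval for a class mean. All data is constructed here (an exactly exponential-shaped sample and an evenly spaced one that no exponential fits). Because Table 4 is not reproduced on the slides, the interval boundaries, the choice k = 6 and the normal-approximation interval (z = 1.96) are assumptions of the example; the one number taken from the slides is the check that a chi-square distance of 2.07 with 4 degrees of freedom gives about 72%.

```python
import math

# Added example, not the paper's or the slides' own code. Assumptions: the
# k = 6 intervals are equiprobable under the fitted exponential (k = 6 because
# the slides state k - 1 - 1 = 4 degrees of freedom; Table 4 is not on the
# slides), and the 95% interval uses the normal approximation (z = 1.96).


def differential_times(accumulated_by_group):
    """Convert accumulated working time to breach n (t_gw per group) into the
    times between consecutive breaches and pool them across the cluster."""
    pooled = []
    for accumulated in accumulated_by_group.values():
        previous = 0.0
        for t in accumulated:
            pooled.append(t - previous)
            previous = t
    return pooled


def mean_and_sd(sample):
    """Sample mean and (n - 1) standard deviation, the slides' S_class."""
    n = len(sample)
    m = sum(sample) / n
    return m, math.sqrt(sum((x - m) ** 2 for x in sample) / (n - 1))


def confidence_interval_95(sample):
    """C_class as mean +/- 1.96 * s / sqrt(n) (normal approximation, assumed)."""
    m, s = mean_and_sd(sample)
    half_width = 1.96 * s / math.sqrt(len(sample))
    return m - half_width, m + half_width


def exponential_bin_edges(mean, k):
    """Interior edges splitting an exponential law with the given mean into
    k intervals of equal probability 1/k (quantiles of the fitted law)."""
    return [-mean * math.log(1.0 - j / k) for j in range(1, k)]


def chi_square_statistic(sample, edges):
    """Chi-square distance between observed and expected interval counts."""
    k = len(edges) + 1
    observed = [0] * k
    for x in sample:
        observed[sum(1 for e in edges if x >= e)] += 1
    expected = len(sample) / k
    return sum((o - expected) ** 2 / expected for o in observed), observed


def chi_square_sf(x, df):
    """P(chi-square with df degrees of freedom > x), from the series for the
    regularized lower incomplete gamma function (no scipy needed)."""
    if x <= 0.0:
        return 1.0
    a, z = df / 2.0, x / 2.0
    term = total = 1.0
    n = 0
    while term > 1e-16 * total:
        n += 1
        term *= z / (a + n)
        total += term
    lower = math.exp(a * math.log(z) - z - math.lgamma(a + 1.0)) * total
    return max(0.0, 1.0 - lower)


def exponential_goodness_of_fit(sample, k=6):
    """The slides' test: estimate the mean, bin the sample, compute the
    chi-square distance and the tail probability with k - 1 - 1 degrees of
    freedom (one lost for the total, one for the estimated mean)."""
    mean, _ = mean_and_sd(sample)
    stat, observed = chi_square_statistic(sample, exponential_bin_edges(mean, k))
    df = k - 1 - 1
    return {"mean_h": mean, "observed": observed, "chi2": stat, "df": df,
            "p": chi_square_sf(stat, df)}


def constructed_high_cluster(groups=6, breaches=10, mean_h=4.0):
    """Constructed data, not the paper's: 60 inter-breach times taken at the
    midpoint quantiles of an exponential law with mean 4 h, dealt round-robin
    to the groups and accumulated, mimicking the accumulated-t_gw figure."""
    n = groups * breaches
    times = [-mean_h * math.log(1.0 - (i + 0.5) / n) for i in range(n)]
    accumulated = {}
    for g in range(groups):
        total, acc = 0.0, []
        for b in range(breaches):
            total += times[g + groups * b]
            acc.append(total)
        accumulated[f"group {g + 1}"] = acc
    return accumulated


# Constructed counter-example: evenly spaced times, which no exponential fits.
CONSTRUCTED_NON_EXPONENTIAL = [0.5 + 0.125 * i for i in range(60)]


if __name__ == "__main__":
    sample = differential_times(constructed_high_cluster())
    print("constructed cluster:", exponential_goodness_of_fit(sample))
    print("95% interval for the mean (h):", confidence_interval_95(sample))
    print("evenly spaced times:", exponential_goodness_of_fit(CONSTRUCTED_NON_EXPONENTIAL))
    # The slides' own figures: chi-square distance 2.07 with 4 df -> about 72%.
    print("P(chi2_4 > 2.07) =", round(chi_square_sf(2.07, 4), 3))
```

The exponential-shaped sample lands exactly ten observations in each of the six intervals, so its chi-square distance is zero and the test cannot reject the hypothesis; the evenly spaced sample piles up in the middle intervals and is rejected decisively. Real inter-breach data sits between these two extremes, which is why the tail probability (72% for the slides' data) rather than the raw distance is the quantity to report.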
A Hypothesis For The Intrusion Process
• Based on the recorded data, and in particular on the skill level, we have formulated a generic hypothesis for the intrusion process.
A Hypothesis For The Intrusion Process
• The learning phase
  - a low-skilled attacker would have to start by raising his skill level
  - his knowledge may be below some minimal attacking skill threshold
  - attackers above the attacking skill threshold are able to start an active attacking process directly
A Hypothesis For The Intrusion Process
• The standard attack phase
  - test all attack methods
  - search for documented vulnerabilities
• During the standard attack phase, the goodness-of-fit test performed indicates that the time to breach is exponentially distributed.
A Hypothesis For The Intrusion Process
• The innovative attack phase
  - When all “standard” attack methods have been tested, the attacking process enters a more complicated phase.
  - The probability of success is expected to be much lower and the time to perform a successful breach much longer.
Conclusions
• We performed a practical intrusion test on a distributed computer system and collected data related to the difficulty of making these intrusions.
• These data seem to support our hypothesis that the intrusion process can be split into three distinct phases: the learning phase, the standard attack phase, and the innovative attack phase.
Conclusions
• Most of the data collected can be related to the standard attack phase.
• The times between consecutive breaches during the standard attack phase are exponentially distributed.
Thanks for listening