Maximizing Network Security Given a Limited Budget. Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava. Advisor: Professor Frank Y.S. Lin. Presented by Yu-Pu Wu.
About • Author • Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava • Title • Maximizing Network Security Given a Limited Budget • Provenance • (TAPIA '09) The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations
Agenda • Introduction • The Attack Graph • Related Work • Providing Network Security • Solving the SMCP • Conclusion and Future Work
Introduction • Network administrators fulfill the duty of preventing network attacks by identifying vulnerabilities in the network and then systematically removing the identified vulnerabilities. • The removal of an identified vulnerability from a network may be referred to as a patch or a security measure.
Introduction • A security measure is any action performed to remove at least one vulnerability from a system. • The set of all security measures is infinite. • In practice, however, a network administrator will consider only a finite set of security measures for possible application to the network she is protecting. • Examples: modifying firewall rules, updating software on networked hosts, shutting down system services, or modifying an authentication routine.
Introduction • The identification of vulnerabilities is critical to the effective use of security measures. • Vulnerabilities are commonly identified with vulnerability scanners. • A drawback of this method is that vulnerability scanners do not reveal the interdependencies that may exist between vulnerabilities found on different hosts of the same network. • This shortcoming has been addressed with automated attack graphs.
Introduction • In this work, we detail an attack graph analysis that helps network administrators be more effective at the Security Measures Choosing Problem (SMCP). • Informally, SMCP is the following: • given a limited budget • choose from a finite set of available security measures a subset of security measures that provide the highest security possible without going over budget.
Introduction • We propose to provide this analysis by modeling the SMCP as a Binary Knapsack Problem. • We suggest the use of dynamic programming to solve the SMCP. • Hence, our contribution includes: • A novel approach that combines budget and hardening recommendations into attack graph analysis, and • A specification of how security metrics can be used to choose hardening measures.
The Attack Graph • An attack graph is a concise representation of all the ways an attacker may leverage known vulnerabilities to violate a given set of security policies. • Each path in an attack graph corresponds to at least one attack scenario in which the attacker achieves his objective.
The Attack Graph • An attack scenario is a sequence of actions that moves the network from its initial state to a compromised state. • The initial state corresponds to the initial configuration of the network. • The compromised state corresponds to the state in which the security policy violation(s) occur.
The Attack Graph • Attack graphs have a variety of representations. • Attack graphs are composed of a series of exploits and security conditions. • An exploit is the realization of a vulnerability. • For example, we can describe an ssh vulnerability as sshv1(h1, h2). If such a vulnerability existed between two actual network hosts such as 128.x.y.2 and 128.x.y.9, then the corresponding exploit would have the form sshv1(128.x.y.2, 128.x.y.9). • In other words, if a vulnerability is instantiated with actual network-specific information, then the result is an exploit.
The Attack Graph • Security conditions are those attributes that are relevant to the vulnerabilities of the network. • A security condition can be relevant to an exploit in two ways: • (1) the security condition serves as a precondition for a vulnerability • (2) the security condition serves as a postcondition of a realized vulnerability
The Attack Graph • Types of Attack Graphs • Although attack graphs have different representations, we assert that they rely on common foundational definitions. • The state space for a network system is given by S, which is a set of binary strings of size q. • Hence, |S| = 2^q.
The Attack Graph • Cond is a function that produces some subset of the system state that represents the relevant security conditions given either a vertex or an edge, but not both. • Hence, Cond(v_i ⊕ (v_k, v_l)) ⊆ S, where the vertices v_i, v_k, v_l ∈ V. • A represents the infinite set of possible attacks. • An attack a_i ∈ A where 1 ≤ i < ∞. • A labeling function L labels either a vertex or an edge with an attack. • L(v_i ⊕ (v_k, v_l)) = a_j, where v_i, v_k, v_l ∈ V and a_j ∈ A.
The Attack Graph • Given either a vertex or an edge, a function Prereq produces the necessary conditions required for the exploit to be realized. • That is, Prereq(v_i ⊕ (v_k, v_l)) = v_p(R v_i)* ⊕ u ⊆ E ⊕ ∅, where R ∈ {∨, ∧}, E is the set of edges, and 1 ≤ i ≤ n with n the number of nodes in the graph. • Given either a vertex or an edge, a function Post produces the conditions provided by the exploit. • This gives Post(v_i ⊕ (v_k, v_l)) = v_p(∨ v_i)* ⊕ u ⊆ E ⊕ ∅, where E is the set of edges and 1 ≤ i ≤ n with n the number of nodes in the graph.
The Attack Graph • Attack Tree. • An attack tree is an undirected acyclic graph. • The root node represents the attacker's objective or main goal. • Leaf nodes represent different starting states for an attacker. • The intermediate nodes of the graph represent any of the subgoals that may be used to achieve the attacker's main goal. • Nodes in the attack tree may represent security conditions or exploits. • Edges in the attack tree simply give the parent-child (i.e., goal-subgoal) relation between nodes.
The Attack Graph • Formally, an attack tree is an acyclic graph G = (V, E). • There exists a set of attacker objectives O where |O| = |V|. • O ⊂ S ∪ A. ∃ L(v_i) = o_i and Cond(v_j) = o_j, where o_i, o_j ∈ O. • E ⊆ {e_k = (v_i, v_j), e_k = (v_j, v_i) | v_i, v_j ∈ V ∧ i ≠ j ∧ 0 ≤ k < [n²/2]}. • We have P(e_k) = P(v_i, v_j) = v_i ⊕ v_j. • P is a function that yields the parent-child relationship existing between two nodes connected by an edge. • Given an edge that connects a goal and a subgoal, P always returns the goal. • ∃ v_g ∈ V | if ∀ e_k where e_k = (v_g, v_i) ∧ P(e_k) = v_g, then v_g is the attacker's main objective. • As for the preconditions and postconditions, we have respectively Prereq(v_i ∈ V) = v_p(R v_i)* ⊕ ∅ and Post(v_j ∈ V) = v_p(∨ v_i)*.
The Attack Graph • Condition Dependency Graph. • A condition dependency graph is a directed graph where nodes represent security conditions and edges represent the exploits that connect the graph's security conditions. • A condition dependency graph is given by G = (V, E) where ∀ v_i ∈ V, Cond(v_i) ⊆ S. • E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}. • L(e_k) = a_i, where a_i ∈ A. • We also have Prereq(e_k) = v_w and Post(e_k) = v_x, where (v_w, v_x) ∈ E.
The Attack Graph • Exploit Dependency Graph. • An exploit dependency graph is a directed graph where nodes represent exploits and edges represent the security conditions that connect exploits. • An incoming edge represents a precondition for the exploit it points to in the attack graph. An outgoing edge represents a postcondition of the node (exploit) the edge is leaving. • An exploit dependency graph is given by G = (V, E) where ∀ v_i ∈ V, L(v_i) = a_b where a_b ∈ A. E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}. Cond(e_k) ⊆ S. • We have Prereq(v_j) = u ⊆ E ⊕ ∅. We also have Post(v_l) = u ⊆ E ⊕ ∅.
The Attack Graph • Hybrid Dependency Graph. • A hybrid dependency graph is a directed graph where each node is either a security condition or an exploit. • Edges reveal the relationships between nodes but have no labels. • Edges exist only between a security condition and an exploit or between an exploit and a security condition. • When there is more than one edge going from security condition nodes to an exploit node, all of those security condition nodes must be satisfied in order for the exploit to be realized. • When there is more than one edge going from exploit nodes to a security condition node, any one of the exploit nodes will satisfy the security condition.
The Attack Graph • The hybrid dependency graph is given by G = (V, E). • V = V_exploits ∪ V_conditions. • E = E_disjunction ∪ E_conjunction. • Cond(v_i) ⊆ S, where v_i ∈ V_conditions. • L(v_i) = a_j, where v_i ∈ V_exploits and a_j ∈ A. • E_conjunction ⊆ {e_k = (v_i, v_j) | v_i ∈ V_conditions ∧ v_j ∈ V_exploits}. • E_disjunction ⊆ {e_l = (v_t, v_s) | v_t ∈ V_exploits ∧ v_s ∈ V_conditions}. • We have Prereq(v_c ∈ V_exploits) = v_b(∧ v_i)*, where v_b, v_i ∈ V_conditions. • We have Post(v_c ∈ V_exploits) = v_a(∨ v_j)*, where v_a, v_j ∈ V_conditions.
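The conjunction/disjunction semantics of the hybrid dependency graph on the two slides above can be computed with a simple forward-chaining fixpoint: an exploit is realized once all of its precondition nodes hold (E_conjunction), and a condition holds once any exploit that yields it has been realized (E_disjunction). The following is an added example, not code from the paper or the presenter. The exploit names, hosts h0 and h1, the condition names, and the use of a "disabled" set to simulate a security measure (removing an exploit from the graph, as the Related Work section describes) are all assumptions of this example.

```python
# Added example (not from the paper): forward-chaining reachability over a
# hybrid dependency graph. Condition -> exploit edges are conjunctive (every
# precondition must hold); exploit -> condition edges are disjunctive (any one
# realized exploit suffices to establish the condition).

# Constructed exploits: name -> (preconditions, postconditions). Each exploit
# is a vulnerability instantiated with host names, as in sshv1(h1, h2) above;
# hosts h0 and h1 and the condition names are assumptions of this example.
EXPLOITS = {
    "sshv1(h0,h1)":      ({"attacker(h0)", "ssh_open(h1)"}, {"user(h1)"}),
    "ftp_rhosts(h0,h1)": ({"attacker(h0)"},                {"trust(h1,h0)"}),
    "rsh(h0,h1)":        ({"trust(h1,h0)"},                {"user(h1)"}),
    "local_bof(h1)":     ({"user(h1)"},                    {"root(h1)"}),
}
INITIAL = {"attacker(h0)", "ssh_open(h1)"}   # constructed initial network state
GOAL = "root(h1)"                            # the security policy violation


def reachable_conditions(exploits, initial, disabled=frozenset()):
    """Realize every exploit whose preconditions all hold and add its
    postconditions, repeating until no new condition appears (a fixpoint).
    `disabled` simulates security measures by removing exploits from the graph.
    Returns (conditions that hold, exploits realized in order)."""
    holds = set(initial)
    realized = []
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name in disabled or name in realized:
                continue
            if pre <= holds:            # conjunction: all preconditions satisfied
                realized.append(name)
                new = post - holds      # disjunction: this exploit alone suffices
                if new:
                    holds |= new
                    changed = True
    return holds, realized


def goal_reachable(exploits, initial, goal, disabled=frozenset()):
    """True if some attack path from the initial state to `goal` survives."""
    return goal in reachable_conditions(exploits, initial, disabled)[0]


def critical_exploits(exploits, initial, goal):
    """Exploits whose removal alone cuts every attack path to `goal`."""
    return [e for e in exploits if not goal_reachable(exploits, initial, goal, {e})]


if __name__ == "__main__":
    holds, order = reachable_conditions(EXPLOITS, INITIAL)
    print("realized:", order)
    print("goal reachable:", GOAL in holds)
    print("single removals that block the goal:",
          critical_exploits(EXPLOITS, INITIAL, GOAL))
```

In this constructed graph there are two ways to obtain user(h1), so removing either sshv1 or rsh alone leaves the goal reachable; only local_bof(h1) is a single cut, and the pair {sshv1, rsh} is the other hardening set that blocks root(h1). That is exactly the interdependence a per-host vulnerability scan does not reveal.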
Related Work • In attack graphs, the application of security measures is simulated by removing some subset of vulnerabilities or exploits from the graph's representation. • The literature discussed in this section proposes analyses that provide the network administrator with hardening suggestions which, if implemented, produce a safe network or a more secure network with respect to a security metric.
Related Work • Jha et al. attempt to find the smallest subset of measures needed to make the network safe. • The authors note that finding such a subset is equivalent to the minimum hitting set problem, which is NP-complete. • The authors approximate a solution using a greedy approach in which the measures preventing the most attacks are chosen in descending order. • A drawback of this approach is that it is an approximation and yields potentially suboptimal solutions.
Related Work • Noel et al. propose a minimum-cost hardening method. • The authors propose the use of algebraic backwards substitution from an attack graph's goal state to its initial state. • This backwards substitution yields the goal state in terms of the initial conditions. • The Boolean expression obtained for the initial conditions is converted into conjunctive normal form, yielding maxterms that are then evaluated on a lattice.
Related Work • Maxterms represent hardening suggestions that will preserve the safety of the network. • Maxterms lower in the lattice correspond to hardening suggestions requiring the least cost or effort. • The primary drawback of this approach is that it is binary. That is, the effectiveness of this approach hinges on the ability of the network administrator to implement all hardening recommendations.
Related Work • The assumption is made that the network administrator has all the resources she needs to implement the hardening recommendations. • However, a network administrator's ability to safeguard a network is often constrained by a limited budget. • Our approach deals with this challenge by incorporating the network administrator's funding constraint into the attack graph analysis used to discover hardening recommendations.
Related Work • Phillips and Swiler incorporate a budget into their attack graph analysis to generate hardening suggestions. • However, their algorithm follows a greedy approach that does not guarantee optimality. • Furthermore, their analysis is based on knowing attacker costs or attacker success probabilities, which are difficult to ascertain in practice. • Our approach guarantees optimality and does not rely on knowing attacker costs or attacker success probabilities.
Related Work • Lippmann et al. [13] describe a method for generating hardening recommendations that are derived by removing edges from the attack graph and observing the effect on the system's Network Compromise Percentage (NCP). • An NCP of 0 percent would suggest a safe network. • An NCP of 100 percent would suggest a network that is completely compromised. • When the analysis is done, the network administrator is presented with recommendations in ascending order of NCP. • However, she still has no assurance that the recommendations offered represent optimal usage of her resources.
Related Work • Coupling our method with the one in [13] gives the network administrator the assurance that she is receiving optimal recommendations with respect to her budget. • We offer an algorithm for generating recommendations that are guaranteed to optimize network security with respect to a security metric (e.g., NCP) for the budget specified by the network administrator.
Related Work • Chen et al. [6] use the System Quality Requirements Engineering (SQUARE) methodology to perform a detailed case study. • The researchers used linear programming to determine the best set of security measures to choose given the budget their client allocated for security. • Solving the problem of choosing security measures as a combinatorial optimization is consistent with our approach. • Our method maintains all discovered optimal solutions, whereas a single optimal solution is provided in [6]. • The network administrator can then choose the best hardening recommendation based on her experience.
Related Work • Chen et al. use attack trees primarily for ancillary documentation purposes, whereas in our approach attack graphs are integral. • The network administrator can obtain a visual representation of the effect each security measure has on the attack graph and subsequently on the network. • Our approach can capture the effect of making the exploitation of a particular vulnerability. • The approach offered in [6] does not capture this form of vulnerability interdependence.
Providing Network Security • Safeguarding a network that is not under attack begins with identifying the vulnerabilities of the network. • This process typically involves using vulnerability analysis methods. One commonly used method is to leverage vulnerability scanners to discover vulnerabilities and then provide patches for these vulnerabilities. • Because vulnerability scanners do not consider the interdependencies that may exist between vulnerabilities, automated attack graph generation techniques have been proposed to expose such interdependencies.
Providing Network Security • The removal of security flaws is performed by implementing one or more security measures; however, the selection of the appropriate set of security measures is nontrivial. • For example, discovering the "best" way of removing vulnerabilities could require the manual analysis of many combinations of security measures. • There may be overlap in the vulnerabilities that security measures remove. • Suppose the network has vulnerabilities v1, v2, v3, v4, v5 and v6 and security measures sm1, sm2 and sm3. • sm1 removes v1, v5 and v6; sm2 removes v1 and v4; sm3 removes v1 and v3.
Providing Network Security • The problem of choosing the appropriate combination of security measures such that the security of the network is optimized and constrained to a given budget is called the Security Measures Choosing Problem (SMCP). • The SMCP formulation is inspired by the classic Binary Knapsack Problem. • The Knapsack Problem is a well-known optimization problem where the goal is to maximize a quantity subject to some constraint.
Providing Network Security • The problem can be formally defined as: given a set of n items and a knapsack with
Providing Network Security • m_j may take on different values depending on what security measures are already in place within the network. • The model also assumes that the network administrator is able to assign costs to the hardening measures in terms of money or time.
Solving the SMCP • We adopt the dynamic programming approach to solving the SMCP. We define variables as the following:
Solving the SMCP • The necessary steps to leverage our approach are: • (1) determine the budget • (2) determine the security metric of interest • (3) generate the attack graph • (4) determine what security measures are available to safeguard the network and assign them costs • (5) apply the dynamic programming algorithm to the inputs given above.
Solving the SMCP • If we assume that the security metric value can be obtained from a depth-first search of the attack graph (e.g., the total number of attack paths), then the dynamic programming algorithm's time complexity is O(nH²B); • otherwise the algorithm has a time complexity of O(nHKB), where K is the time complexity of ζ. • The security measures chosen for an optimal hardening recommendation can be determined by backtracking through R.
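The five steps above, together with the overlap example and the remark that m_j depends on which measures are already in place (Providing Network Security), can be walked through end to end on a small constructed network. The following is an added example and not the paper's algorithm: the slides do not show the paper's variable definitions, its table R, or how ζ is evaluated inside the recurrence, so this block uses the textbook 0/1 knapsack recurrence with backtracking through R, takes ζ to be the number of attack paths found by depth-first search (the metric the slide names), and then re-evaluates ζ on the chosen combination and compares it against an exhaustive search over all affordable subsets. The attack graph, the fourth measure sm4, all costs, and the budget are constructed assumptions; sm1, sm2 and sm3 remove the vulnerability sets given on the overlap slide.

```python
# Added example (not from the paper): SMCP as a 0/1 knapsack over security
# measures, with the security metric zeta = number of attack paths.
from itertools import combinations

# Constructed condition dependency graph: nodes are security conditions, each
# edge is an exploit labelled with the vulnerability it realizes. "c0" is the
# attacker's initial condition and "goal" the policy violation.
EDGES = [
    ("c0", "c1", "v1"), ("c0", "c2", "v2"), ("c1", "c3", "v3"),
    ("c2", "c3", "v4"), ("c1", "goal", "v5"), ("c3", "goal", "v6"),
    ("c2", "goal", "v7"),
]
# Security measures: name -> (cost, vulnerabilities removed). sm1..sm3 follow
# the overlap slide; sm4, every cost and the budget are constructed here.
MEASURES = {
    "sm1": (5, {"v1", "v5", "v6"}),
    "sm2": (3, {"v1", "v4"}),
    "sm3": (2, {"v1", "v3"}),
    "sm4": (3, {"v2", "v7"}),
}
BUDGET = 5


def count_attack_paths(edges, removed=frozenset(), start="c0", goal="goal"):
    """Security metric zeta: number of simple attack paths from start to goal
    after the given vulnerabilities are removed, counted by depth-first search."""
    adj = {}
    for src, dst, vuln in edges:
        if vuln not in removed:
            adj.setdefault(src, []).append(dst)

    def dfs(node, visited):
        if node == goal:
            return 1
        return sum(dfs(nxt, visited | {nxt})
                   for nxt in adj.get(node, []) if nxt not in visited)

    return dfs(start, frozenset([start]))


def paths_removed(edges, measure_names, measures=MEASURES):
    """Improvement in zeta when the given measures are applied together."""
    removed = set().union(*(measures[m][1] for m in measure_names))
    return count_attack_paths(edges) - count_attack_paths(edges, frozenset(removed))


def additive_items(edges, measures=MEASURES):
    """Knapsack items (name, cost, value) valuing each measure applied alone."""
    return [(name, cost, paths_removed(edges, [name], measures))
            for name, (cost, _) in measures.items()]


def knapsack_dp(items, budget):
    """Textbook 0/1 knapsack. R[j][b] = best additive value using the first j
    items with budget b; the chosen items are recovered by backtracking through R."""
    n = len(items)
    R = [[0] * (budget + 1) for _ in range(n + 1)]
    for j in range(1, n + 1):
        _, cost, value = items[j - 1]
        for b in range(budget + 1):
            R[j][b] = R[j - 1][b]                       # skip item j
            if cost <= b and R[j - 1][b - cost] + value > R[j][b]:
                R[j][b] = R[j - 1][b - cost] + value    # take item j
    chosen, b = [], budget
    for j in range(n, 0, -1):                           # backtrack through R
        if R[j][b] != R[j - 1][b]:
            chosen.append(items[j - 1][0])
            b -= items[j - 1][1]
    return R[n][budget], sorted(chosen)


def exhaustive_best(edges, budget, measures=MEASURES):
    """Exact reference: evaluate zeta on every affordable subset (small n only)."""
    best = (0, [])
    names = list(measures)
    for r in range(len(names) + 1):
        for subset in combinations(names, r):
            if sum(measures[m][0] for m in subset) <= budget:
                val = paths_removed(edges, subset, measures)
                if val > best[0]:
                    best = (val, sorted(subset))
    return best


if __name__ == "__main__":
    value, chosen = knapsack_dp(additive_items(EDGES), BUDGET)
    print("additive knapsack picks", chosen, "claiming", value, "paths removed")
    print("zeta re-evaluated on that combination:", paths_removed(EDGES, chosen))
    print("exhaustive optimum:", exhaustive_best(EDGES, BUDGET))
```

With these inputs the additive recurrence picks {sm2, sm3} and credits it with 5 paths removed, but both measures remove v1, so re-evaluating ζ on the pair yields only 3; the exhaustive search finds {sm3, sm4}, which removes all 4 paths within the same budget. This is the point of the m_j remark: a measure's contribution depends on the measures already applied, so the metric has to be evaluated on the combination rather than summed per measure, which is why the paper's complexity bound carries the cost K of evaluating ζ inside the algorithm.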