Vulnerability Analysis and Patches Management Using Secure Mobile Agents
Presented by: Muhammad Awais Shibli

Outline
• Introduction
• The problem and our proposal
• Structure of The System
• Operation of The System
• Conclusions
• Future Work
Introduction
• Nowadays, computers and the Internet are everywhere.
• This has resulted in a huge number of security threats.
• Attacks and attack tools are becoming more complex and sophisticated every day.

Introduction (cont’d)
• Traditional point solutions like antivirus, firewalls, anti-spyware, etc. are no longer enough to face the current security challenges.
• Another layer of security is needed.

Vulnerability problem
• Basically, a vulnerability is a weakness in a system that can be a potential attack vector for a malicious user
• Two different ways to face the vulnerability problem:
  • Build secure software that does not have vulnerabilities
  • Detect and eliminate all the vulnerabilities before an attacker can discover and exploit them

Vulnerability problem (cont’d)
• The first option is clearly infeasible, due to several factors like cost, bad programming practices, programming language limitations, inherent OS bugs, etc.
• Therefore, the best way is to detect those vulnerabilities in advance and apply patches before an attack can occur.

Our proposal
• A system based on mobile agent (MA) technology, moving from the usual passive/reactive approach to a proactive one.
• The approach includes the following aspects:
  • Autonomous vulnerability detection on different hosts (in a distributed network) before an attacker can exploit them;
  • Applying patches automatically when a vulnerability is discovered;
  • Performing tasks related to security management.
Structure of the System
• Comprehensive Vulnerability DataBase (CVDB)
• DataBase Management Engine (DBME)
• MAgNet Vulnerability Management Console (MVMC)
• Mobile Agents
• Sensors
CVDB
• To achieve a high level of vulnerability assessment, we need a very Comprehensive Vulnerability DataBase (CVDB)
• Comprehensive in terms of both quantity and quality of data.
• CVDB is composed of two layers of information.

DB Management Engine (DBME)
• Provides the SysAdmin with up-to-date and rich information about vulnerabilities.
• This is achieved by analyzing any database in XML format whose structure is defined by an XML Schema Definition (XSD) or by an SQL/MySQL schema file.
• Moreover, this “engine” scans the SecurityFocus web database, storing all the needed information in the CVDB.
MAgNet Vulnerability Management Console (MVMC)
• The GUI that interacts with the system and allows the system administrator to manage all the available functionalities
Mobile Agent: brief overview
• It is a particular software agent that can work autonomously towards a specific goal
• It comprises code and data
• It can interact with other agents
• It can suspend its execution on a host, save its state, move to another host, then come back and resume its execution from the previous point and complete it

Advantages of using MAs
• MAs and Vulnerability Analysis
  • Automatic vulnerability scans at remote hosts
  • MAs write the host profile, check this profile against the CVDB, fetch the related patches from the patch DB and execute these patches on the target machine autonomously
  • MAs increase the ability of the SysAdmin to quickly and easily add distributed components to existing systems
  • This whole process helps the SysAdmin keep the entire network secure in an efficient, effective and, above all, timely manner.
Advantages of using MAs (cont’d)
• Overcoming Network Latency
• Reducing Network Load
• Robust and Fault-tolerant Behaviour
• Scalability
• Etc…
Sensors
• We have used Nessus as the sensor to scan for vulnerabilities.
• Nessus is a vulnerability scanner able to detect known and unknown weaknesses. It performs several kinds of analyses on the target system, from port scanning to malformed-packet tests.
Operation of the System
• CVDB generation
• Vulnerability Analysis
• Patches Management and Enforcement
Vulnerability Analysis
• Two ways to do it
• The security administrator launches Agent_Vulnerability_Analyzer from his computer to a host or multiple hosts in the network through the MVMC.
• Once the agent reaches the remote host, it fetches the host profile, which contains information about every piece of software installed and its attributes.
• This agent checks the host profile against the vulnerability database, looking for known vulnerabilities present on the remote machine.
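The check Agent_Vulnerability_Analyzer performs, reduced to its core, as an added example that is not the MAgNet project's code. The CVDB excerpt, the host profile, the version-range rule and the `fixed_in` / `patch_url` fields are all constructed assumptions for illustration; the patch URL carried by each hit is what the later patch step would consume.

```python
"""Added example: match a host profile against a CVDB excerpt.
All identifiers, products, versions and URLs below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class CvdbEntry:
    vuln_id: str                 # constructed placeholder id, not a real advisory
    product: str                 # software name as it appears in the host profile
    fixed_in: str                # first version that is no longer affected (assumed field)
    patch_url: Optional[str]     # None when the CVDB records no patch yet


# Constructed CVDB excerpt: two products with patches, one still without.
CVDB: List[CvdbEntry] = [
    CvdbEntry("CVDB-0001", "httpd", "2.4.10", "https://patches.example/httpd-2.4.10"),
    CvdbEntry("CVDB-0002", "openssh", "7.4", "https://patches.example/openssh-7.4"),
    CvdbEntry("CVDB-0003", "libfoo", "1.2", None),
]

# Constructed host profile as the agent would write it: {software name: installed version}
HOST_PROFILE: Dict[str, str] = {"httpd": "2.4.7", "openssh": "7.4", "libfoo": "1.1", "vim": "8.0"}


def analyze_host(host_profile: Dict[str, str], cvdb: List[CvdbEntry] = CVDB) -> List[CvdbEntry]:
    """Return CVDB entries whose product is installed at a version below the fixed one.
    An entry without a patch URL is still reported so the administrator sees it."""
    findings = []
    for product, installed in host_profile.items():
        for entry in cvdb:
            if entry.product == product and parse_version(installed) < parse_version(entry.fixed_in):
                findings.append(entry)
    return findings


if __name__ == "__main__":
    for hit in analyze_host(HOST_PROFILE):
        action = hit.patch_url or "no patch available, report only"
        print(f"{hit.vuln_id}: {hit.product} vulnerable (fixed in {hit.fixed_in}) -> {action}")
```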
Vulnerability Analysis (cont’d)
• The other way is to send Agent_Host_Scanning to the desired hosts.
• It executes the local Nessus daemon in the background, which scans the target.
• After execution ends, Nessus generates a report in XML format. Once the scanning is completed, Agent_Host_Scanning launches an Agent_Scanning_Report, through which it sends the detailed scanning report back to the administrator.

Vulnerability Analysis (cont’d)
• When Agent_Scanning_Report reaches the security administrator’s workstation, it notifies the administrator how many vulnerabilities have been found, allowing the administrator to check the report immediately or later.
• If the administrator wants to check the report immediately, it is transformed into the more “human-readable” HTML format using an XSL transformer and then shown in the web browser integrated in MAgNet.
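What Agent_Scanning_Report does with the scanner's XML output, as an added example that is neither MAgNet's nor Nessus's code: it counts the findings for the notification and renders the report to HTML for the browser. The XML layout, host address and findings are constructed for this example and do not follow the real Nessus report schema, and the hand-written HTML rendering stands in for the XSL transformation the slides mention.

```python
"""Added example: count findings in a constructed scan report and render it as HTML."""
import xml.etree.ElementTree as ET
from collections import Counter
from html import escape
from typing import Dict

# Constructed scan report for one host; the element layout is assumed for this example.
SCAN_REPORT_XML = """<?xml version="1.0"?>
<scan_report host="192.0.2.10">
  <finding severity="high" port="22/tcp">
    <name>Outdated SSH server</name>
    <description>Installed version is below the patched release.</description>
  </finding>
  <finding severity="medium" port="80/tcp">
    <name>Web server banner disclosure</name>
    <description>Server header reveals the exact version &lt;b&gt;in use&lt;/b&gt;.</description>
  </finding>
  <finding severity="info" port="80/tcp">
    <name>HTTP service detected</name>
    <description>Informational only.</description>
  </finding>
</scan_report>
"""


def count_findings(report_xml: str) -> Dict[str, int]:
    """Return {severity: count}, the figures the agent reports to the administrator."""
    root = ET.fromstring(report_xml)
    return dict(Counter(f.get("severity", "unknown") for f in root.iter("finding")))


def report_to_html(report_xml: str) -> str:
    """Render the report as an HTML table. Every field is escaped: the text comes
    from the scanned host, so it must not be able to inject markup into the console."""
    root = ET.fromstring(report_xml)
    rows = []
    for f in root.iter("finding"):
        cells = (f.get("severity", ""), f.get("port", ""),
                 f.findtext("name", ""), f.findtext("description", ""))
        rows.append("<tr>" + "".join(f"<td>{escape(c)}</td>" for c in cells) + "</tr>")
    header = "<tr><th>Severity</th><th>Port</th><th>Name</th><th>Description</th></tr>"
    return (f"<h1>Scan report for {escape(root.get('host', ''))}</h1>\n"
            f"<table>\n{header}\n" + "\n".join(rows) + "\n</table>")


if __name__ == "__main__":
    counts = count_findings(SCAN_REPORT_XML)
    print("Vulnerabilities found:", sum(counts.values()), counts)
    print(report_to_html(SCAN_REPORT_XML))
```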
Patches Management and Enforcement
• When an MA finds a vulnerability, the corresponding CVDB entry contains information about the availability of a patch and the URL to download it from
• The MA autonomously downloads the patch, carries it to the target host and installs it there
• From then on, the patch is stored on the server in case it is needed again in the future

Conclusions
• The proposed solution shows the great advantage of using MAs interacting with a comprehensive vulnerability database and other external tools.
• The design shows that, with MAs, it is possible to considerably decrease the large amount of time a system admin needs to perform vulnerability management.

Conclusions (cont’d)
• Moreover, when scanning with Nessus through MAs, the scans take place locally on each host.
• Hence the system uses the computational power of all the hosts without overloading a single central workstation, and it does not flood the network with a lot of packets either.

Future Work
• Patch installation requires a deeper feasibility study.
• The current system delivers patches and is able to install only those for which human interaction is not required

Future Work (cont’d)
• Future research can be conducted to see how, with the help of mobile agents, it could be possible to “deliver” the input request to the system administrator whenever it is required during the installation process, and then bring back the response.
• Moreover, it could save the administrator’s responses and use them to perform future executions on other hosts autonomously, without bothering the administrator anymore.