Vulnerability Analysis and Patches Management Using Secure Mobile Agents

Presented by: Muhammad Awais Shibli

Upload: aldous-kelly

Post on 12-Jan-2016

Outline

- Introduction
- The problem and our proposal
- Structure of the System
- Operation of the System
- Conclusions
- Future Work

Introduction

- Nowadays, computers and the Internet are everywhere.
- This has resulted in a huge number of security threats.
- Attacks and attack tools are becoming more complex and sophisticated every day.

Introduction (cont’d)

Traditional point solutions like antivirus, firewalls, anti-spyware, etc. are not enough anymore to face the current security challenge.

Another layer of security is needed.

Vulnerability problem

- Basically, a vulnerability is a weakness in a system that can be a potential vector of an attack performed by a malicious user.
- Two different possibilities to face the vulnerability problem:
  - Build secure software that does not have vulnerabilities
  - Detect and eliminate all the vulnerabilities before an attacker can discover and exploit them

Vulnerability problem (cont’d)

The first option is clearly infeasible, due to several factors such as cost, bad programming practices, programming language limitations and inherent OS bugs.

Therefore, the best way is to detect those vulnerabilities in advance and apply patches before an attack can occur.

Our proposal

- A system based on mobile agent (MA) technology, moving from the usual passive/reactive approach to a proactive one.
- The approach includes the following aspects:
  - Autonomous detection of vulnerabilities on different hosts (in a distributed network) before an attacker can exploit them;
  - When a vulnerability is discovered, applying patches automatically;
  - Performing tasks related to security management.

Structure of the System

1. Comprehensive Vulnerability DataBase (CVDB)

2. DataBase Management Engine (DBME)

3. MAgNet Vulnerability Management Console (MVMC)

4. Mobile Agents

5. Sensors

Structure of the System (cont’d)

CVDB

- To achieve a high level of vulnerability assessment, we need a very Comprehensive Vulnerability DataBase (CVDB).
- Comprehensive in terms of quantity of data and quality of data.
- CVDB is composed of two layers of information.

CVDB - 1st (static) Layer

CVDB - 2nd layer

DB Management Engine (DBME)

- Provides SysAdmin with up-to-date and rich information about vulnerabilities.
- It does this by analyzing any database in XML format whose structure is defined by an XML Schema Definition (XSD) or an SQL/MySQL schema file.
- Moreover, this “engine” scans the SecurityFocus web database, storing all the information needed in the CVDB.

MAgNet Vulnerability Management Console (MVMC)

- The GUI that interacts with the system and allows the system administrator to manage all the functionalities available.

Mobile Agent: brief overview

- It is a particular software agent that can work autonomously towards a specific goal
- It comprises code and data
- It can interact with other agents
- It can suspend its execution on a host, save the state, move to another host, then come back and resume its execution from the previous point and complete it

Advantages of using MAs

- MAs and Vulnerability Analysis
  - Automatic vulnerability scan at remote hosts
  - MAs write the host profile, check this profile against the CVDB, fetch the relevant patches from the patch database and execute these patches at the target machine autonomously
- MAs increase the ability of SysAdmin to quickly and easily add distributed components to existing systems
- This whole process will help SysAdmin to keep the entire network secure in an efficient, effective and, above all, timely manner.

Advantages of using MAs (cont’d)

- Overcoming Network Latency
- Reducing Network Load
- Robust and Fault-tolerant Behaviour
- Scalability
- Etc…

Sensors

- We have used Nessus as the sensor to scan for vulnerabilities.
- Nessus is a vulnerability scanner able to detect known and unknown weaknesses.
- It performs several kinds of analyses on the target system, ranging from port scans to malformed-packet tests.

Operation of the System

- CVDB generation
- Vulnerability Analysis
- Patches Management and Enforcement

CVDB Generation

Vulnerability Analysis

Two ways to do it:

- The security administrator launches Agent_Vulnerability_Analyzer from his computer to a host or multiple hosts in the network through MVMC.
- Once the agent reaches the remote host, it fetches the host profile, which contains information about every piece of installed software and its attributes.
- This agent then checks the host profile against the vulnerability database, looking for known vulnerabilities present in the remote machine.
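The profile-against-database check described above, as an added example that is not code from the presentation. The CVDB row layout, the host profile fields, the `EXAMPLE-…` ids and the `example.invalid` names are all assumptions constructed for illustration.

```python
import re

# Constructed CVDB rows (hypothetical schema; ids and URLs are placeholders).
CVDB = [
    {"id": "EXAMPLE-0001", "product": "exampled", "first": "1.0", "last": "1.4.2",
     "patch_url": "https://patches.example.invalid/exampled-1.4.3.bin"},
    {"id": "EXAMPLE-0002", "product": "sampleftp", "first": "2.0", "last": "2.9",
     "patch_url": None},
    {"id": "EXAMPLE-0003", "product": "legacytool", "first": "0.1", "last": "0.9",
     "patch_url": None},
]

# Constructed host profile, standing in for what the agent collects on the host.
HOST_PROFILE = {"host": "ws-17.example.invalid", "software": [
    {"name": "ExampleD", "version": "1.4.2"},      # inside an affected range
    {"name": "SampleFTP", "version": "2.10"},      # 2.10 > 2.9 numerically
    {"name": "LegacyTool", "version": "unknown"},  # version cannot be parsed
]}

def parse_version(text):
    """'1.4.0' -> (1, 4); None when the string has no numeric component."""
    parts = [int(p) for p in re.findall(r"\d+", text or "")]
    if not parts:
        return None
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def analyze(profile, cvdb):
    """Return (findings, unverified) for one host profile."""
    by_product = {}
    for entry in cvdb:
        by_product.setdefault(entry["product"].lower(), []).append(entry)
    findings, unverified = [], []
    for pkg in profile["software"]:
        entries = by_product.get(pkg["name"].lower(), [])
        version = parse_version(pkg.get("version"))
        if entries and version is None:
            unverified.append(pkg["name"])  # cannot rule in or out: manual review
            continue
        for e in entries:
            if parse_version(e["first"]) <= version <= parse_version(e["last"]):
                findings.append({"host": profile["host"], "id": e["id"],
                                 "package": pkg["name"], "patch_url": e["patch_url"]})
    return findings, unverified

if __name__ == "__main__":
    print(analyze(HOST_PROFILE, CVDB))
```

Versions are compared as integer tuples, so `2.10` is not mistaken for a release older than `2.9`, and a package whose version cannot be parsed is reported for manual review instead of being silently treated as clean.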

Vulnerability Analysis (cont’d)

The other way is to send Agent_Host_Scanning to the desired hosts.

It runs the local Nessus daemon in the background, which scans the target.

After its execution ends, Nessus generates a report in XML format. Once the scanning is completed, Agent_Host_Scanning launches an Agent_Scanning_Report through which it will send the detailed scanning report back to the administrator.

Vulnerability Analysis (cont’d)

When Agent_Scanning_Report reaches the security administrator’s workstation, it notifies the administrator how many vulnerabilities have been found, allowing the administrator to check the report immediately or later.

If the administrator wants to check the report immediately, it is transformed into the more “human-readable” HTML format using the XSL Transformer and then shown in the web browser integrated in MAgNet.

Patches Management and Enforcement

- When an MA finds a vulnerability, the corresponding CVDB entry contains information about whether a patch is available and the URL to download it from.
- The MA autonomously downloads it, carries it to the target host and installs it.
- From then on, the patch is stored on the server in case it is needed in the future.
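The fetch-once, store-on-the-server behaviour described above, as an added example that is not code from the presentation, with a digest check before a patch is stored or handed to an agent. The `sha256` field, the `PatchStore` class and the injected `fetch` callable are assumptions; the slides do not say how patch integrity is checked.

```python
import hashlib

class PatchRejected(Exception):
    """Raised when downloaded bytes do not match the digest in the CVDB entry."""

class PatchStore:
    """Server-side store: each patch is fetched once, verified, then reused."""

    def __init__(self, fetch):
        self._fetch = fetch   # callable(url) -> bytes; injected so this runs offline
        self._cache = {}      # CVDB entry id -> verified patch bytes
        self.downloads = 0

    def get(self, entry):
        """Return verified patch bytes for a CVDB entry, or None if no patch exists."""
        if not entry.get("patch_url"):
            return None
        if entry["id"] in self._cache:
            return self._cache[entry["id"]]
        data = self._fetch(entry["patch_url"])
        self.downloads += 1
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            raise PatchRejected(entry["id"])  # never cached, never given to an agent
        self._cache[entry["id"]] = data
        return data

# Constructed sample data: one genuine patch and one URL serving altered bytes.
GOOD = b"constructed patch payload v1.4.3"
ORIGIN = {
    "https://patches.example.invalid/a.bin": GOOD,
    "https://patches.example.invalid/b.bin": b"altered in transit",
}
ENTRY_A = {"id": "EXAMPLE-0001", "patch_url": "https://patches.example.invalid/a.bin",
           "sha256": hashlib.sha256(GOOD).hexdigest()}
ENTRY_B = {"id": "EXAMPLE-0002", "patch_url": "https://patches.example.invalid/b.bin",
           "sha256": hashlib.sha256(b"what the vendor published").hexdigest()}
ENTRY_C = {"id": "EXAMPLE-0003", "patch_url": None}

def demo():
    store = PatchStore(ORIGIN.__getitem__)
    first, second = store.get(ENTRY_A), store.get(ENTRY_A)  # second call hits the cache
    try:
        store.get(ENTRY_B)
        rejected = False
    except PatchRejected:
        rejected = True
    return first == second == GOOD, store.downloads, rejected, store.get(ENTRY_C)

if __name__ == "__main__":
    print(demo())
```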

Conclusions

- The proposed solution shows the great advantage of using MAs interacting with a comprehensive vulnerability database and other external tools.
- The design shows that, with MAs, it is possible to considerably decrease the large amount of time a system administrator needs to perform vulnerability management.

Conclusions (cont’d)

Moreover, when scanning with Nessus through MAs, the scans take place locally on each host.

Hence the system uses the computational power of all the hosts without overloading a single central workstation, and it does not flood the network with a lot of packets either.

Future Work

- Patch installation requires a deeper feasibility study.
- The current system delivers patches and is able to install only those for which human interaction is not required.

Future Work (cont’d)

Future research can be conducted to see how, with the help of mobile agents, it could be possible to “deliver” the input request to the system administrator whenever it is required during the installation process, and then bring back the response.

Moreover, it could save administrator responses and use them to autonomously perform future executions on other hosts, without bothering the administrator again.