Automatic Generation and Analysis of Attack Graphs
Written by Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing
IEEE Symposium on Security and Privacy 2002
Presented by HAN Jin
Singapore Management University
September 2008

Outline
• Preliminaries
• Motivation
  – Attack Graph Definition
• Automated Generation
  – An Illustrative Example
• Automated Analysis
• Limitations

Vulnerability
• In computer security, the term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system.
• Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, a script code injection, or a SQL injection.

Common Vulnerabilities and Exposures
• http://cve.mitre.org/
– CVE is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures
– Every vulnerability is assigned a CVE number, e.g. CVE-2008-0075: Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows remote attackers to execute arbitrary code via crafted inputs to ASP pages.

Exploit
• An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behavior to occur on computer software & hardware.
• Commonly categorized and named by the type of vulnerability they utilize, e.g.:
– SQL Injection Vulnerability → SQL Inj. Exploit
– Buffer Overflows Vulnerability → B.O. Exploit

Attack Path
• An attacker may need several steps to achieve his attack goal:
[Figure: path from Begin State through S1 and S2 to End State. Labels: IIS ASP Input Processing Error (CVE-2008-0075); Execute Arbitrary Code; gain user privilege; Adobe Reader Unsafe Library Path (CVE-2007-5666); gain administrator privilege]
• Attack path: a series of exploits/atomic attacks

Limitations of Former Tools
• Limitations of Vulnerability Scanners
– Generate overwhelming amount of data
  Example Nessus scan:
  • Elapsed time: 00:48:07
  • Total security holes found: 255
  • High severity: 40
  • Low severity: 117
  • Informational: 98
– No indication of how vulnerabilities can be combined
• Limitations of Intrusion Detection Systems
– Generate overwhelming number of alerts
– Many false alerts
– Require extensive human intervention
– Alerts are isolated, no indication of how alerts can be combined
• Where does a security administrator start?

What is lacking?
• Context for total network security
• How outsiders penetrate firewalls and launch attacks from compromised hosts
• Insider attacks

Attack Graph
• Attack graph is the data structure which is used to represent all possible attacks on a network
• Formal Definition:

Algorithm for Generating Attack Graphs

Example of Attack Graph Developed by a Professional Red Team
Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Problem Statement
• Problem: Generating attack graphs by hand is tedious, error-prone, and impractical for large systems.
• Goal: Automate the generation and analysis of attack graphs.
– Generation
  • Must be fast and completely automatic
  • Must handle large, realistic examples
  • Should guarantee properties of attack graphs
– Analysis
  • Must enable security analysis by system administrators
  • Should support incremental, partial specification

Procedure
• XML spec for: network, vulnerability, connections, safety property…
• NuSMV: a symbolic model checker; a modified version is used to automatically produce the attack graph (AG)
• Graph visualization tools

[Figure: generated attack graph. 4 hosts, 30 actions, 138 nodes, 742 edges, 6 minutes. Legend marker = Attacker gains root access to Host 1.]

A Graph Larger than Fits on Screen
[Figure: generated attack graph. 4 hosts, 30 actions, larger initial state space, 310 nodes, 3400 edges, 30 minutes. Legend marker = Attacker gains root access to Host 1.]

An Illustrative Example
[Figure: example network. Labels: attacker, firewall, firewall, IIS Web Server, Windows, Linux, Squid, LICQ, IE, IDS, database, "Always Detected"]
Action Arsenal
• IIS buffer overflow: remotely get root
• Squid portscan: port scan
• LICQ remote-to-user: gain user privileges remotely
• IE scripting exploit: gain user privileges remotely
• local buffer overflow: locally get root
Attack goal: disrupt the functioning of the database

Security Property
• Attack graphs depict ways in which an intruder can force a network into an unsafe state:
• E.g. in this network

Example Attack Graph
[Figure: the example network. Labels: attacker, firewall, firewall, IIS Web Server, Windows, Linux, Squid, LICQ, IDS, database]

Alternative Attack Scenario Avoiding IDS
[Figure: the example network. Labels: attacker, firewall, firewall, IIS Web Server, Windows, Linux, Squid, LICQ, IDS, database]

Single Action Removal

Minimization Analyzer
• What actions are necessary for the intruder to succeed?
– Given a fixed set of atomic attacks, not all of them may be available to the intruder
– Nondeterministically decide which subset of atomic attacks to choose initially

Minimum Critical Set of Actions
A = the set of actions available to the intruder
Def 1: A set of actions C is critical if the intruder cannot achieve his goal using only actions in A \ C.
Def 2: A critical set of actions C is minimum if there is no critical action set of smaller size.
Finding a minimum set: NP-complete
Def 3: A set of actions A' ⊆ A is realizable if the intruder can achieve his goal using only actions in A'.
Minimum Critical Set of Actions (MCSA): Given a set of actions A and an attack graph G, find a minimum critical action subset C ⊆ A.
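The three definitions can be checked mechanically on a small model. The following is an added example, not code from the slides or the paper: it searches exhaustively for minimum critical sets over a constructed toy model that borrows the action names from the illustrative example, while the preconditions, effects, fact names and goal are assumptions.

```python
from itertools import combinations

# Constructed toy model (assumption, not from the slides or the paper):
# name -> (preconditions, effects); facts are only gained, so a fixpoint suffices.
ACTIONS = {
    "iis_buffer_overflow":   ({"internet"}, {"root_web"}),
    "squid_portscan":        ({"root_web"}, {"linux_ports_known"}),
    "licq_remote_to_user":   ({"root_web", "linux_ports_known"}, {"user_linux"}),
    "ie_scripting":          ({"internet"}, {"user_linux"}),
    "local_buffer_overflow": ({"user_linux"}, {"root_linux"}),
}
INITIAL = {"internet"}
GOAL = "root_linux"  # constructed stand-in for the attack goal


def realizable(available):
    """Def 3: can the intruder reach GOAL using only actions in `available`?"""
    facts = set(INITIAL)
    changed = True
    while changed:
        changed = False
        for name in available:
            pre, post = ACTIONS[name]
            if pre <= facts and not post <= facts:
                facts |= post
                changed = True
    return GOAL in facts


def is_critical(removed):
    """Def 1: C is critical if GOAL is unreachable using only A minus C."""
    return not realizable(set(ACTIONS) - set(removed))


def minimum_critical_sets(removable=None):
    """Def 2: every critical set of smallest size (exhaustive, exponential).
    `removable` restricts C to actions the defender can actually eliminate."""
    pool = sorted(ACTIONS if removable is None else removable)
    for size in range(len(pool) + 1):
        hits = [set(c) for c in combinations(pool, size) if is_critical(c)]
        if hits:
            return hits
    return []  # GOAL stays reachable whatever is removed from `pool`


if __name__ == "__main__":
    print(minimum_critical_sets())
    print(minimum_critical_sets(set(ACTIONS) - {"local_buffer_overflow"}))
```

In this model the only size-1 critical set is the local buffer overflow; if that action cannot be removed, every minimum critical set has two actions and includes the IE scripting exploit.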

Reliability Analyzer
• What is the likelihood that the intruder goes undetected?
– Interpret as a Markov Decision Process
– Assign probability for detecting each atomic attack
• Each attack has both detectable and stealthy variants
Probabilistic Attack Graph

Overview of their work
[Figure: toolkit overview]
Phase 1: System Model, Security Property, Attack Graph Generator
Phase 2: Annotations
– Minimization Analyzer. Query: What actions are necessary for the intruder to succeed? Attack Subgraph
– Reliability Analyzer. Query: What is the likelihood that the intruder goes undetected? Probabilistic Attack Graph
– … Risk Analyzer. Query: What is the intruder’s risk of discovery during an attack? Payoff Attack Graph

Limitations
• Attack Graph Visualization Problem

Scalability Problem
One possible solution:
Ou, X., Boyer, W. F., and McQueen, M. A. A scalable approach to attack graph generation. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS '06). ACM, New York, NY, 336-345.
Too complex and difficult to use for large networks

Zero-day exploit
• A zero-day (or zero-hour) attack or threat is a computer threat that tries to exploit unknown, undisclosed or unpatched computer application vulnerabilities
• Current attack graph analysis is based completely on known vulnerability info

Q & A
Thanks