
[Slide 1] k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
Lingyu Wang (1), Sushil Jajodia (2), Anoop Singhal (3), and Steven Noel (2)
(1) Concordia University, (2) George Mason University, (3) National Institute of Standards and Technology
ESORICS 2010

[Slide 2] Outline
- Introduction
- Related Work
- k-Zero Day Safety Model
- Algorithms for Computing k-Zero Day Safety
- Application and Instantiation
- Conclusion


[Slide 4] The Need for Security Metric
"Boss, we really need this new firewall, it will make our network much more secure!"
"Much more secure? How much more?"

[Slide 5] The Need for Security Metric
- "You cannot improve what you cannot measure"
- To justify the cost of a security solution, we need to know how much security the solution can bring
- A security metric will allow for a direct measurement of security before and after deploying the solution
- Such a capability will make network hardening a science rather than an art

[Slide 6] The Need for Security Metric
"Much more secure? How much more?"

Security   Cost
2          $5k
3          $10k
...        ...

[Slide 7] Can Security Be Measured?
- A security metric exists for known vulnerabilities [1]
  - Knowledge about vulnerabilities allows us to measure their relative exploitability, likelihood, impact, etc.
- But what about unknown vulnerabilities?
  - We are measuring the unmeasurable [2], because there is little ground for such a measurement
    - Vulnerability: no prior knowledge is available
    - Software: software flaws are much less predictable
    - Attacker: finding flaws/developing exploits is a chaotic process
[1] Common Vulnerability Scoring System (CVSS-SIG) v2
[2] J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP'06), 2006.

[Slide 8] The Curse on Security Metric
- What if we can't measure unknown vulnerabilities?
  - Attackers can simply step outside and do as they please [1]
  - What's the value of a "more secure" system that is equally susceptible to unknown attacks?
- Therefore, security is not quantifiable until we can fix all potential flaws
  - But by then we certainly don't need a security metric!
[1] J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP'06), 2006.

[Slide 9] The Curse on Security Metric: Our Solution
- What if we don't measure unknown vulnerabilities? Instead, we simply count them
  - We count how many unknown vulnerabilities can be resisted by a network
  - A larger count means a more secure network, since it is less likely that more unknown vulnerabilities are all
    - available at the same time,
    - applicable to the same network, and
    - exploitable by the same attacker

[Slide 10] Our Contribution
- The k-zero day safety metric
  - Formally defined based on an abstract network model
  - Proved to satisfy the required algebraic properties
  - Algorithms for computing the metric are proposed
  - Application to network hardening is discussed
- The first known effort capable of quantifying the risk of unknown attacks
  - It may open up new opportunities for the evaluation, hardening, and design of secure networks


[Slide 12] Related Work
- NIST's efforts on standardizing security metrics
  - Special Publication, CVSSv2 and NVD
- Efforts on measuring known vulnerabilities
  - MTTF-based approach (Dacier et al., TSE'99)
  - Minimum-effort approaches (Balzarotti et al., QoP'05 and Pamula et al., QoP'06)
  - PageRank approach (Mehta et al., RAID'06)
  - Our previous work (DBSec'07-08, QoP'07-08)

[Slide 13] Related Work
- Attack surface (Howard et al., QoP'06)
  - Measures the security of a single software system
  - Focuses on interfaces instead of internal details
- k-anonymity (Samarati et al., TKDE'01)
  - Measures the amount of privacy using an integer, regardless of specific application semantics
- Zero day attacks
  - Total number of zero-day vulnerabilities (McQueen et al., HICSS'09)
  - Ranking applications by the consequences of having one zero-day vulnerability (Ingols et al., ACSAC'09)


[Slide 15] Network
The model, with an example:
- H = {0, 1, 2, F}
- S = {http, ssh, iptables, firewall}
- P = {user, root}
- conn = {, ...}
- serv(1) = {http, ssh, iptables}
- serv(F) = {firewall}
- priv(1) = priv(2) = {user, root}
If all services are free of known vulnerabilities, a vulnerability scanner or attack graph will claim the network is secure, and no additional hardening effort (e.g., iptables) is necessary.

[Slide 16] Assumptions
However, we shall reach a different conclusion by considering at least how many zero-day attacks are required to compromise the network.
We assume a zero-day vulnerability
1. Cannot be exploited unless
   a. A network connection exists between source and destination
   b. A remote service with the vulnerability exists on the destination
   c. The attacker already has a privilege on the source host
2. May lead to any privilege on the destination host
(These essentially depict a worst-case scenario)

[Slide 17] Zero Day Vulnerability
The model: each zero-day exploit has a pre-condition set pre( ) and a post-condition set post( ); the slide's example builds these from elements of conn, ssh in serv(1), and root in priv(1).

[Slide 18] k-Zero Day Safety
The model: initial conditions C_I = { }, assets A = { }, and the metric k0d.
Example values from the slide: k0d({, }) = 2, k0d({, }) = 1, k0d({, }, ) = 3.
At least one zero-day vulnerability is required to compromise the network.

[Slide 19] Hardening the Network: k = k + 1
Example values from the slide after hardening: k0d({, }) = 2, k0d({, , }) = 2, k0d( ) = 2.
With this hardening effort, at least two distinct zero-day vulnerabilities are required to compromise the same network.

[Slide 20] In Summary
Our metric can help to compare the relative security of "secure networks" that are otherwise indistinguishable by existing techniques.
(Notice: many features of the model are not mentioned while discussing this simple example. More details can be found in the paper.)


[Slide 22] What's the Value of k?
The algorithm (example): the condition for compromising the asset is rewritten into disjunctive normal form (DNF conversion), giving k = k0d({, }) = 1 in the example.
Complexity:
- Exponential (in the size of the attack graph)
- The problem is NP-hard
- Efficient algorithms still exist for practical variations

[Slide 23] Is k > 1 True?
The algorithm (example): the question (k > 1) is decided via the case (k = 1); in the example, (k > 1) = FALSE!
Complexity: polynomial (in the size of the attack graph) if k is compared to a constant.
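The following is an added example, not code from the paper or its authors: a constructed Python model of the network from the slides that computes k0d by enumerating sets of zero-day vulnerabilities under the worst-case assumptions of slide 16, and the decision version "is k0d > k?" from slide 23. The host set, connections, filter rules and asset (host 0 as attacker, firewall blocking direct ssh to host 2, iptables as the hardening step blocking ssh from host 0 to host 1) are assumptions, since the slide's own sets are not reproduced here.

```python
from itertools import combinations
# Constructed example loosely following the slides: attacker on host 0, hosts 1 and 2,
# services bound to hosts, and security services (firewall, iptables) modelled as filters
# that block specific (src, dst, service) connections unless the filter itself is
# defeated by its own zero-day. Every set below is an assumption, not the paper's data.
NET = {
    "serv": {1: {"http", "ssh"}, 2: {"ssh"}},  # serv(h): remote services on host h
    "conn": {(0, 1), (0, 2), (1, 2)},          # raw network connectivity
}
FIREWALL_ONLY = {"firewall": {(0, 2, "ssh")}}              # firewall blocks direct ssh to host 2
HARDENED = {**FIREWALL_ONLY, "iptables": {(0, 1, "ssh")}}  # hardening: no ssh from host 0 to 1

def reachable(zero_days, net, filters, attacker_host=0):
    # Worst-case assumptions from the slides: exploiting service s on dst needs a connection
    # src->dst, s on dst and a privilege on src, and yields a privilege on dst.
    # Instances of the same service on different hosts share one zero-day.
    owned = {attacker_host}
    changed = True
    while changed:  # propagate privileges until a fixed point is reached
        changed = False
        for src, dst in net["conn"]:
            if src not in owned or dst in owned:
                continue
            for s in net["serv"].get(dst, ()):
                blocked = any((src, dst, s) in rules and f not in zero_days
                              for f, rules in filters.items())
                if s in zero_days and not blocked:
                    owned.add(dst)
                    changed = True
                    break
    return owned

def all_services(net, filters):
    return sorted(set().union(*net["serv"].values()) | set(filters))

def k0d(net, filters, asset_host):
    # Minimum number of distinct zero-days needed to reach asset_host: subsets are tried
    # by increasing size, so the search is exponential in the number of services.
    svcs = all_services(net, filters)
    for k in range(len(svcs) + 1):
        for zd in combinations(svcs, k):
            if asset_host in reachable(set(zd), net, filters):
                return k
    return None  # unreachable even with a zero-day in every service

def k_zero_day_safe(net, filters, asset_host, k):
    # Decision version "is k0d > k?": only subsets of size <= k are tried, which is
    # polynomial in the number of services for a fixed k.
    svcs = all_services(net, filters)
    return not any(asset_host in reachable(set(zd), net, filters)
                   for n in range(k + 1) for zd in combinations(svcs, n))
```

With the firewall alone a single ssh zero-day reaches host 2 via host 1, so k0d is 1; adding the iptables filter raises it to 2, matching slides 18 and 19.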


[Slide 25] Application to Network Hardening
We can unfold k based on the model. This (mess) tells us (in numbers) that k may be increased by:
- Increasing diversity of services
- Strengthening isolation around services
- Removing unnecessary services or connections
- Enforcing stricter access control policies
- Protecting assets via backups or IDSs
- Introducing more security services
- Patching known vulnerabilities
- ...

[Slide 26] Application to Network Hardening
We can unfold k based on the model.
- Nothing new here? Right, these hardening options match existing practices (e.g., layered defense, security via virtualization, security through diversity, etc.)
  - Which shows the relevance of our metric
- But their effectiveness can now be quantified!
  - And their cost can be justified
  - In a simple, intuitive way (so simple that even the boss can understand)

k     Cost
2     $5k
3     $10k
...   ...

[Slide 27] Instantiating the Model
- This paper focuses on the model and algorithms
- Instantiating the model from a real-world network is a different issue
- We discuss several key aspects in the paper
(Diagram: Instantiation -> Model -> Algorithms -> k = 3)


[Slide 29] Conclusion
- We have
  - proposed the k-zero day safety metric
  - discussed algorithms and complexity
  - shown potential applications of the metric
- Future work includes
  - extending the model to address various limitations
  - further investigating instantiation of the model
  - studying other applications of the metric

[Slide 30] Q & A
Thank You!
Contact Author: Lingyu Wang
