k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
Lingyu Wang, Sushil Jajodia, Anoop Singhal, and Steven Noel
Presentation transcript

Slide 1: k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
Lingyu Wang (1), Sushil Jajodia (2), Anoop Singhal (3), and Steven Noel (2)
(1) Concordia University, (2) George Mason University, (3) National Institute of Standards and Technology
ESORICS 2010

Slide 2: Outline
- Introduction
- Related Work
- k-Zero Day Safety Model
- Algorithms for Computing k-Zero Day Safety
- Application and Instantiation
- Conclusion


Slide 4: The Need for Security Metric
- "Boss, we really need this new firewall, it will make our network much more secure!"
- "Much more secure? How much more? …"

Slide 5: The Need for Security Metric
- "You cannot improve what you cannot measure"
- To justify the cost of a security solution, we need to know how much security the solution can bring
- A security metric will allow for a direct measurement of security before and after deploying the solution
- Such a capability will make network hardening a science rather than an art

Slide 6: The Need for Security Metric
- "Much more secure? How much more?"

  Security | Cost
  ---------|------
  2        | $5k
  3        | $10k
  …        | …

Slide 7: Can Security Be Measured?
- Security metrics exist for known vulnerabilities [1]
  - Knowledge about vulnerabilities allows us to measure their relative exploitability, likelihood, impact, etc.
- But what about unknown vulnerabilities?
  - We are measuring the unmeasurable [2], because there is little ground for such a measurement
  - Vulnerability: No prior knowledge is available
  - Software: Software flaws are much less predictable
  - Attacker: Finding flaws/developing exploits is a chaotic process

[1] Common Vulnerability Scoring System (CVSS-SIG) v2
[2] J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP'06), 2006.

Slide 8: The Curse on Security Metric
- What if we can't measure unknown vulnerabilities?
  - Attackers can simply step outside and do as they please [1]
  - What's the value of a "more secure" system that is equally susceptible to unknown attacks?
- Therefore, security is not quantifiable until we can fix all potential flaws
  - But by then we certainly don't need a security metric!

[1] J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP'06), 2006.

Slide 9: The Curse on Security Metric: Our Solution
- Instead, we simply count them
  - We count how many unknown vulnerabilities can be resisted by a network
  - A larger count means a more secure network
- Since more unknown vulnerabilities must all be
  - Available at the same time,
  - Applicable to the same network, and
  - Exploitable by the same attacker,
  - whose combined likelihood is lower

Slide 10: Our Contribution
- The k-zero day safety metric
  - Formally defined based on an abstract network model
  - Proved to satisfy the required algebraic properties
  - Algorithms for computing the metric are proposed
  - Application to network hardening is discussed
- The first known effort capable of quantifying the risk of unknown attacks
  - It may open up new opportunities for the evaluation, hardening, and design of secure networks


Slide 12: Related Work
- NIST's efforts on standardizing security metrics
  - Special publication
  - CVSSv2 and NVD
- Efforts on measuring known vulnerabilities
  - MTTF-based approach (Dacier et al., TSE'99)
  - Minimum-effort approaches (Balzarotti et al., QoP'05 and Pamula et al., QoP'06)
  - PageRank approach (Mehta et al., RAID'06)
  - Our previous work (DBSec'07-08, QoP'07-08)

Slide 13: Related Work
- Attack surface (Howard et al., QoP'06)
  - Measures the security of a single software system
  - Focusing on interfaces instead of internal details
- k-anonymity (Samarati et al., TKDE'01)
  - Measuring the amount of privacy using an integer regardless of specific application semantics
- Zero day attacks
  - Total number of zero-day vulnerabilities (McQueen et al., HICSS'09)
  - Ranking applications with consequences of having one zero-day vulnerability (Ingols et al., ACSAC'09)


Slide 15: Network
- The model
- An example
  - H={0,1,2,F}
  - S={http,ssh,iptables,firewall}
  - P={user,root}
  - conn={, …}
  - serv(1)={http,ssh,iptables}
  - serv(F)={firewall}
  - priv(1)=priv(2)={user,root}
- If all services are free of known vulnerabilities, a vulnerability scanner or attack graph will claim the network is secure, and no additional hardening effort (e.g., iptables) is necessary

Slide 16: Assumptions
- However, we shall reach a different conclusion by considering at least how many zero-day attacks are required to compromise the network
- We assume a zero day vulnerability
  1. Cannot be exploited unless
     a. A network connection exists between source/destination
     b. A remote service with the vulnerability exists on the destination
     c. The attacker already has a privilege on the source host
  2. May lead to any privilege on the destination host
- (These essentially depict a worst-case scenario)

Slide 17: Zero Day Vulnerability
- The model
- An example
  - : conn
  - ssh serv(1)
  - : root priv(1)
  - pre( )={, , }
  - post( )={ }
  - pre( )={ }
  - post( )={ }

Slide 18: k-Zero Day Safety
- The model
- An example
  - C I={ }
  - A={ }
  - v, v, v
  - k0d({, })=2
  - k0d({, })=1
  - k0d({, }, )=3
- At least one zero day vulnerability is required to compromise the network

Slide 19: Hardening the Network: k=k+1
- The model
- An example
  - v
  - k0d({, })=2
  - k0d({, , })=2
  - k0d( )=2
- With this hardening effort, at least two distinct zero day vulnerabilities are required to compromise the same network

Slide 20: In Summary
- Our metric can help to compare the relative security of "secure networks" that are otherwise indistinguishable by existing techniques
- (Notice: Many features of the model are not mentioned while discussing this simple example. More details can be found in the paper)


Slide 22: What's the Value of k?
- The algorithm
- An example
  - = = … (DNF conversion) = ( ) ( ) ( )
  - k=k0d({, })=1
- Complexity
  - Exponential (in the size of the attack graph)
  - The problem is NP-hard
  - Efficient algorithms still exist for practical variations

Slide 23: Is k>1 True?
- The algorithm
- An example
  - ) (k>1)
  - ) (k=1)
  - (k>1)=FALSE!
- Complexity
  - Polynomial (in the size of the attack graph) if k is compared to a constant


Slide 25: Application to Network Hardening
- We can unfold k based on the model
- This (mess) tells us (in number) that k may be increased by:
  - Increasing diversity of services
  - Strengthening isolation around services
  - Removing unnecessary services or connections
  - Enforcing stricter access control policies
  - Protecting assets via backups or IDSs
  - Introducing more security services
  - Patching known vulnerabilities
  - …
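The following is an added example, not code from the paper or the slides: it computes k0d for a small constructed network in the spirit of slides 15 to 19 and shows two of slide 25's hardening options (diversity of services, isolation via iptables) raising k. Everything about the network (connectivity 0 -> 1 -> 2, the services on each host, iptables modelled as a filter whose zero-day lifts its shield but grants no host privilege) is an assumption of this example, and the three exploit preconditions are the ones listed on slide 16.

```python
import heapq
from typing import Dict, Optional, Set, Tuple

# Filter services: a zero-day in one lifts the shield it provides but, unlike an
# ordinary remote service, grants no privilege on the host (an assumed simplification).
FILTERS = {"iptables"}

def make_network(hardened: bool, diverse: bool):
    """Constructed network in the spirit of slide 15 (assumed connectivity, not the
    paper's own): attacker foothold on host 0, 0 -> 1 -> 2, asset is a privilege on 2."""
    serv: Dict[int, Set[str]] = {0: set(), 1: {"http", "ssh"}, 2: {"rsh" if diverse else "ssh"}}
    guard: Dict[Tuple[str, int], str] = {}        # (service, host) -> filter shielding it
    if hardened:                                  # slide 19: put iptables in front of host 1
        serv[1].add("iptables")
        guard = {("http", 1): "iptables", ("ssh", 1): "iptables"}
    return {(0, 1), (1, 2)}, serv, guard

def k0d(net, start: int, asset: int) -> Optional[int]:
    """Fewest DISTINCT zero-day vulnerabilities (one per service: reusing ssh's
    zero-day on a second host costs nothing) needed to gain a privilege on `asset`
    starting with a privilege on `start`. None means the asset is unreachable."""
    conn, serv, guard = net
    # State = (hosts where the attacker holds a privilege, (service, host) pairs
    # exploited). The cost, the number of distinct services exploited, is a
    # function of the state alone, so a state is final the first time it is pushed.
    init = (frozenset({start}), frozenset())
    seen, heap, tick = {init}, [(0, 0, init)], 1
    while heap:
        cost, _, (owned, exploited) = heapq.heappop(heap)
        if asset in owned:
            return cost
        for src, dst in conn:                     # (a) a connection source -> destination
            if src not in owned:                  # (c) attacker already has a privilege on src
                continue
            for s in serv[dst]:                   # (b) the vulnerable service runs on dst
                g = guard.get((s, dst))
                if g is not None and (g, dst) not in exploited:
                    continue                      # still shielded by the unbroken filter
                new_expl = exploited | {(s, dst)}
                new_owned = owned if s in FILTERS else owned | {dst}   # worst case: any privilege
                state = (new_owned, new_expl)
                if state not in seen:
                    seen.add(state)
                    heapq.heappush(heap, (len({x for x, _ in new_expl}), tick, state))
                    tick += 1
    return None

def more_than_k(net, start: int, asset: int, k: int) -> bool:
    """Slide 23's decision question: are more than k zero-day vulnerabilities needed?"""
    n = k0d(net, start, asset)
    return n is None or n > k
```

With the same ssh zero-day reusable on hosts 1 and 2, k0d is 1; adding iptables or replacing host 2's ssh with a different service makes it 2, and doing both makes it 3.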

Slide 26: Application to Network Hardening
- We can unfold k based on the model
- Nothing new here?
  - Right, these hardening options match existing practices (e.g., layered defense, security via virtualization, security through diversity, etc.)
  - Which shows the relevance of our metric
- But their effectiveness can now be quantified!
  - And their cost can be justified
  - In a simple, intuitive way (so simple that even the boss can understand)

  k   | Cost
  ----|------
  2   | $5k
  3   | $10k
  …   | …

Slide 27: Instantiating the Model
- This paper focuses on the model and algorithms
- Instantiating the model from a real world network is a different issue
- We discuss several key aspects in the paper
- (Figure: Instantiation, Model, Algorithms, k=3)


Slide 29: Conclusion
- We have
  - proposed the k-zero day safety metric
  - discussed algorithms and complexity
  - shown potential applications of the metric
- Future work includes
  - extending the model to address various limitations
  - further investigating instantiation of the model
  - studying other applications of the metric

Slide 30: Q & A
Thank You!
Contact Author: Lingyu Wang
