Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia.

Published byMadison Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia."— Presentation transcript:

1 1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia Concordia University George Mason University Metricon ’ 07

2 2 Outline Background and Related Work Application Examples Attack Resistance Metric Conclusion and Future Work

3 3 Motivation Typical issues addressed in the literature Is that database server secure from intruders? Can the database server be secured from intruders? How do I stop an ongoing intrusion? Notice that they all have a qualitative nature Better questions to ask: How secure is the database server? How much security does a new configuration provide? What is the least-cost option to stop the attack? For this we need a network security metric

4 4 Challenges Measuring each vulnerability Impact, exploitability, etc. Temporal, environmental factors E.g., the Common Vulnerability Scoring System (CVSS) v2 released on June 20, 2007 1 Composing such measures for the overall security of a network Our work focuses on this problem

5 5 Related Work NIST ’ s efforts on standardizing security metric Special publication 500-133 1985, 800-55 2003 NVD and CVSSv2 Markov model and MTTF for security Dacier et. al TSE 1999 Minimum-effort approaches Balzarotti et. al QoP ’ 05 Pamula et. al QoP ’ 06 Attack surface (Howard et. al QoP ’ 06) PageRank (Mehta et. Al RAID ’ 06)

6 6 Related Work (Cont ’ d) Attack graph Model checker-based (Ritchey et. al S&P ’ 00, Sheyner et. al S&P ’ 02) Graph-based (Ammann et. al CCS ’ 02, Ritchey et. al ACSAC ’ 02, Noel et. al ACSAC ’ 03, Wang et. al ESORICS ’ 05, Wang et. al DBSEC ’ 06)

7 7 Attack Graph To measure combined effect of vulnerabilities We need to understand the interplay between them How can an attacker combine them for an intrusion Attack graph is a model of potential sequences of attacks compromising given resources

8 8 Attack Graph Example

9 9 Attack Graph from machine 0 to DB Server

10 10 Attack Graph with Probabilities Numbers are estimated probabilities of occurrence for individual exploits, based on their relative difficulty. The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill A bit more skill is required for ftp_rhosts in crafting a.rhost file. sshd_bof and local_bof are buffer-overflow attacks, which require more expertise.

11 11 Probabilities Propagated Through Attack Graph When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B) When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) – p(A)p(B).

12 12 Network Hardening When we harden the network, this changes the attack graph, along with the way its probabilities are propagated. Our options are to block traffic from the Attacker: Make no change to the network (baseline) Block ftp traffic to prevent ftp_rhosts(0,1) and ftp_rhosts(0,2) Block rsh traffic to prevent rsh(0,1) and rsh(0,2) Block ssh traffic to prevent sshd_bof(0,1)

13 13 Comparison of Options We can make comparisons of relative security among the options Blocking ftp traffic from Attacker leaves a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072 Blocking rsh traffic leaves the same 4-step attack path But blocking ssh traffic leaves 2 attack paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely with this option.

14 14 A Generic Attack Resistance Metric Given an attack graph G(E  C,Req  Imp), define r(): E  D, R(): E  D  and  : D  D  D D is the domain of attack resistance For any exploit e r(e) is its individual resistance, and R(e) is the cumulative resistance

15 15 A Generic Attack Resistance Metric  and  are two operators used to calculate cumulative resistances from individual resistances Corresponding to the disjunctive and conjunctive dependency relationships between exploits, respectively

16 16 Conclusion Based on attack graphs, we have proposed a metric for measuring the overall security of networks The metric meets intuitive requirements derived from common senses The metric can be instantiated for different applications, and it generalizes previous proposals

17 17 Future Work Study of metric for other aspects of network security, e.g., risk and cost Applying the metric to vulnerability analysis, network hardening, etc.

Download ppt "1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia."

Similar presentations

Aggregating CVSS Base Scores for Semantics-Rich Network Security Metrics Lingyu Wang 1 Pengsu Cheng 1, Sushil Jajodia 2, Anoop Singhal 3 1 Concordia University.

Aggregating CVSS Base Scores for Semantics-Rich Network Security Metrics Lingyu Wang 1 Pengsu Cheng 1, Sushil Jajodia 2, Anoop Singhal 3 1 Concordia University.
Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.

Enhancing Security Using Mobile Based Anomaly Detection in Cellular Mobile Networks Bo Sun, Fei Yu, KuiWu, Yang Xiao, and Victor C. M. Leung. Presented.
Lingyu Wang1 Sushil Jajodia2, Anoop Singhal3, and Steven Noel2

Lingyu Wang1 Sushil Jajodia2, Anoop Singhal3, and Steven Noel2
A Unified Framework for Measuring a Network’s Mean Time-to-Compromise

A Unified Framework for Measuring a Network’s Mean Time-to-Compromise
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server.

Example One Internet is allowed to access the web server through HTTP protocol and port CVE was identified on web server.
Sushil Jajodia, George Mason U Witold Litwin, U Paris Dauphine Thomas Schwarz, S.J., U Católica Uruguay.

Sushil Jajodia, George Mason U Witold Litwin, U Paris Dauphine Thomas Schwarz, S.J., U Católica Uruguay.
“A Map of Security Risks Associated with Using COTS” Ulf Lindqvist, Erland Jonssson IEEE Computer, June 1998 “Combining Internet connectivity and COTS-based.

“A Map of Security Risks Associated with Using COTS” Ulf Lindqvist, Erland Jonssson IEEE Computer, June 1998 “Combining Internet connectivity and COTS-based.
Operational Security Risk Metrics: Definitions, Calculations, Visualizations Metricon 2.0 Alain Mayer CTO RedSeal Systems

Operational Security Risk Metrics: Definitions, Calculations, Visualizations Metricon 2.0 Alain Mayer CTO RedSeal Systems
Beyond Reactive Management of Network Intrusions Professor Sushil Jajodia Professor Sushil Jajodia Center for Secure Information Systems

Beyond Reactive Management of Network Intrusions Professor Sushil Jajodia Professor Sushil Jajodia Center for Secure Information Systems
1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.
22 May 2006 Wu, Goel and Davison Models of Trust for the Web (MTW) WWW2006 Workshop L EHIGH U NIVERSITY.

22 May 2006 Wu, Goel and Davison Models of Trust for the Web (MTW) WWW2006 Workshop L EHIGH U NIVERSITY.
Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1
P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava.

A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava.
Mobility Improves Coverage of Sensor Networks Benyuan Liu*, Peter Brass, Olivier Dousse, Philippe Nain, Don Towsley * Department of Computer Science University.

Mobility Improves Coverage of Sensor Networks Benyuan Liu*, Peter Brass, Olivier Dousse, Philippe Nain, Don Towsley * Department of Computer Science University.
Author: Jason Weston et., al PANS Presented by Tie Wang Protein Ranking: From Local to global structure in protein similarity network.

Author: Jason Weston et., al PANS Presented by Tie Wang Protein Ranking: From Local to global structure in protein similarity network.
Dominance Principles in Social Network Dynamics and Terrorism DIMACS Working Group on Modeling Social Responses to Bio-terrorism Involving Infectious Agents,

Dominance Principles in Social Network Dynamics and Terrorism DIMACS Working Group on Modeling Social Responses to Bio-terrorism Involving Infectious Agents,
Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Fast Detection of Denial-of-Service Attacks on IP Telephony Hemant Sengar, Duminda Wijesekera and Sushil Jajodia Center for Secure Information Systems,

Similar presentations

Ads by Google