Evaluating Network Security with Two-Layer Attack Graphs Anming Xie Zhuhua Cai Cong Tang Jianbin Hu Zhong Chen ACSAC (Dec., 2009) 2010/6/151

Outline Introduction Related Work Model Examples Conclusion 2010/6/152

Attack Graphs Describe attack scenarios Play important roles in analyzing network vulnerabilities 2010/6/153

Problems Although there are many previous works on attack graphs about evaluating network security, some problems still need to be addressed – Scalability – Several targets for overall security of networks – Inside malicious attackers’ attacks 2010/6/154

The Work of The Paper Firstly, propose a new generation model – Generate two-layer attack graphs model to reduce computation costs Then, propose a measurement methodology – Evaluate network security based on adjacency matrixes 2010/6/155

Network Security Metrics Traditionally, focus on vulnerabilities as static values in different networks However, ignore how they could be exploited by the attackers An attack graph describe s all the possible ways to break into a network, and reveals actual effect among vulnerabilities 2010/6/156

Outline Introduction Related Work Model Examples Conclusion 2010/6/157

Related Works Resulting attack graphs are sometimes too large to be computed Lacks meaningful and efficient suggestions to evaluate network security 2010/6/158

Outline Introduction Related Work Model Examples Conclusion 2010/6/159

A. Generation Model Two assumptions – Preconditions on an exploit would never be changed from satisfied to unsatisfied – Attackers only need user access privileges at source host when exploiting vulnerabilities at target host 2010/6/1510

A. Generation Model The two-layer model – Lower layer Describe all of the detailed attack scenarios between each host-pair Set up host-pair attack graphs to describe attack sequences from one source host to one target host directly Show how attackers obtain user or root access privileges at the target host N * N host-pair attack graphs at most with N hosts 2010/6/1511

A. Generation Model The two-layer model – Upper layer Set up host access attack graphs to show the direct access relationships among hosts A node represents a host in networks, and a directed edge between two nodes represents the access relationship between the corresponding two hosts 2010/6/1512

A. Generation Model Generation of host-pair attack graphs – Just deal with host’s configurations, vulnerabilities, its network connection with source host – Be generated very quickly and the size is small 2010/6/1513

A. Generation Model Generation of hosts access attack graphs – Built on the results of the host-pair attack graphs – Add a directed edge to the corresponding nodes in hosts access graph – Edge’s label shows the corresponding privilege which could be obtained 2010/6/1514

A. Generation Model 2010/6/1515

B. Analysis on probability of success Used in analysis of network security Firstly – apply probability of success to each atomic exploit Secondly – calculate the probabilities of obtaining user and root privileges successfully for each host-pair attack graph Finally – change the edges’ label of the hosts access graph as (HPAGID, Puser, Proot) 2010/6/1516

B. Analysis on probability of success 2010/6/1517

C. Analysis on Adjacency Matrixes In order to evaluate the overall network, composite these attack probabilities to a global measurement dynamically based on adjacency matrixes A network with N nodes, draw a hosts access graph with N +1 nodes Use H 1, H 2, · · ·, H n to indicate hosts in the target network, and use H 0 to indicate an attacker’s host. 2010/6/1518

C. Analysis on Adjacency Matrixes Element u ij indicates the probability of obtaining user privilege from host H i to host H j C = F(A,B) – A, B, C are matrixes – F is defined as 2010/6/1519

C. Analysis on Adjacency Matrixes Define the power iterations of Function F Stable matrix – User adjacency matrix U maximum – Root adjacency matrix R maximum 2010/6/1520

D. Network Security Measurement Total prospective damage of whole network brought by this attacker in host H i is – the set of important hosts in network is C, C ⊆ H Dangerous Score – Indicate the security level of a network – use w k rather than d uk and d rk. For each host H k in C, w k is its important factor, where 0 ≤ w k ≤ /6/1521

D. Network Security Measurement Transition score, which evaluates the host’s action as a stepping stone when an outside attacker attacks the network 2010/6/1522

Outline Introduction Related Work Model Examples Conclusion 2010/6/1523

A. Network Environment 2010/6/1524

A. Network Environment 2010/6/1525

B. Result Attack Graphs 2010/6/1526

B. Result Attack Graphs 2010/6/1527

C. Network Security Evaluation 2010/6/1528

C. Network Security Evaluation 2010/6/1529

C. Network Security Evaluation Assume the set of important hosts in network is C = {F,D} Obtain user privilege – Prospective damage du = {200, 2000} Obtain root privilege – Prospective damage dr = {2000, 10000} 2010/6/1530

C. Network Security Evaluation Total prospective damage potentially caused by outside attackers Total prospective damage potentially caused by inside attackers 2010/6/1531 1

C. Network Security Evaluation Set important factors w k for each host H k in C – set w = {0.2, 1} – 0.2 for host F, 1 for host D Dangerous Score Transition Score 2010/6/1532

Outline Introduction Related Work Model Examples Conclusion 2010/6/1533

Conclusion A novel generation approach and a measurement methodology Apply the probability of success to our attack graphs Results not only describe the potential attack probabilities of success launched from an outside attacker, but also describe the potential attack probabilities launched from inside malicious users Draw gray scale images to indicate the overall network security 2010/6/1534

Q & A Thank you! 2010/6/1535