1

Evaluating Network Security with Two-Layer Attack

GraphsAnming XieZhuhua CaiCong TangJianbin Hu

Zhong Chen

ACSAC (Dec., 2009)

2010/6/15

2

Outline

• Introduction• Related Work• Model• Examples• Conclusion

2010/6/15

3

Attack Graphs

• Describe attack scenarios• Play important roles in analyzing network

vulnerabilities

2010/6/15

4

Problems

• Although there are many previous works on attack graphs about evaluating network security, some problems still need to be addressed– Scalability– Several targets for overall security of networks– Inside malicious attackers’ attacks

2010/6/15

5

The Work of The Paper

• Firstly, propose a new generation model– Generate two-layer attack graphs model to reduce

computation costs

• Then, propose a measurement methodology– Evaluate network security based on adjacency

matrixes

2010/6/15

6

Network Security Metrics

• Traditionally, focus on vulnerabilities as static values in different networks

• However, ignore how they could be exploited by the attackers

• An attack graph describe s all the possible ways to break into a network, and reveals actual effect among vulnerabilities

2010/6/15

7

Outline

• Introduction• Related Work• Model• Examples• Conclusion

2010/6/15

8

Related Works

• Resulting attack graphs are sometimes too large to be computed

• Lacks meaningful and efficient suggestions to evaluate network security

2010/6/15

9

Outline

• Introduction• Related Work• Model• Examples• Conclusion

2010/6/15

10

A. Generation Model

• Two assumptions– Preconditions on an exploit would never be

changed from satisfied to unsatisfied– Attackers only need user access privileges at

source host when exploiting vulnerabilities at target host

2010/6/15

11

A. Generation Model

• The two-layer model– Lower layer• Describe all of the detailed attack scenarios between

each host-pair• Set up host-pair attack graphs to describe attack

sequences from one source host to one target host directly• Show how attackers obtain user or root access

privileges at the target host• N * N host-pair attack graphs at most with N hosts

2010/6/15

12

A. Generation Model

• The two-layer model– Upper layer• Set up host access attack graphs to show the direct

access relationships among hosts• A node represents a host in networks, and a directed

edge between two nodes represents the access relationship between the corresponding two hosts

2010/6/15

13

A. Generation Model

• Generation of host-pair attack graphs– Just deal with host’s configurations,

vulnerabilities, its network connection with source host

– Be generated very quickly and the size is small

2010/6/15

14

A. Generation Model

• Generation of hosts access attack graphs– Built on the results of the host-pair attack graphs– Add a directed edge to the corresponding nodes in

hosts access graph– Edge’s label shows the corresponding privilege

which could be obtained

2010/6/15

15

A. Generation Model

2010/6/15

16

B. Analysis on probability of success

• Used in analysis of network security• Firstly– apply probability of success to each atomic exploit

• Secondly– calculate the probabilities of obtaining user and root

privileges successfully for each host-pair attack graph• Finally– change the edges’ label of the hosts access graph as

(HPAGID, Puser, Proot)

2010/6/15

17

B. Analysis on probability of success

2010/6/15

18

C. Analysis on Adjacency Matrixes

• In order to evaluate the overall network, composite these attack probabilities to a global measurement dynamically based on adjacency matrixes

• A network with N nodes, draw a hosts access graph with N +1 nodes

• Use H1, H2, · · ·, Hn to indicate hosts in the target network, and use H0 to indicate an attacker’s host.

2010/6/15

19

C. Analysis on Adjacency Matrixes

• Element uij indicates the probability of obtaining user privilege from host Hi to host Hj

• C = F(A,B)– A, B, C are matrixes– F is defined as

2010/6/15

Nkji

bababa

bac

NjiNjiji

kjikk

ij

,,0

)*,...*,*max(

)*(max

2100

)*(max kjikk

ij bac )*,...*,*max( 2100 NjiNjiji bababa

Nkji ,,0

20

C. Analysis on Adjacency Matrixes

• Define the power iterations of Function F

• Stable matrix– User adjacency matrix U• maximum

– Root adjacency matrix R• maximum

2010/6/15

R),(UR

1-NM

(U)(U)U

I)U(,0

)U),U(()U(

1

0

1

succsucc

MN-succ

mm

F

FF

Fm

FFF

)U),U(()U( 1 mm FFF I)U(,0 0 Fm

(U)(U)U 1 MN-succ FF

R),(UR succsucc F

1-NM

21

D. Network Security Measurement

• Total prospective damage of whole network brought by this attacker in host Hi is

– the set of important hosts in network is C, C H⊆

• Dangerous Score

– Indicate the security level of a network– use wk rather than duk and drk. For each host Hk in

C, wk is its important factor, where 0 ≤ wk ≤ 12010/6/15

)*(

))*,*(max(

0kkCH

ikkikkCH

i

rwDS

rdruduTDH

k

k

)*( 0kkCH

rwDSk

))*,*(max( ikkikkCH

i rdruduTDHk

22

D. Network Security Measurement

• Transition score, which evaluates the host’s action as a stepping stone when an outside attacker attacks the network

2010/6/15

CHkk

CHikki

k

k

rw

rwr

TSi)*(

)*(*

0

0

CHkk

CHikki

k

k

rw

rwr

TSi)*(

)*(*

0

0

23

Outline

• Introduction• Related Work• Model• Examples• Conclusion

2010/6/15

24

A. Network Environment

2010/6/15

25

A. Network Environment

2010/6/15

26

B. Result Attack Graphs

2010/6/15

27

B. Result Attack Graphs

2010/6/15

28

C. Network Security Evaluation

2010/6/15

29

C. Network Security Evaluation

2010/6/15

30

C. Network Security Evaluation

• Assume the set of important hosts in network is C = {F,D}

• Obtain user privilege– Prospective damage du = {200, 2000}

• Obtain root privilege– Prospective damage dr = {2000, 10000}

2010/6/15

31

C. Network Security Evaluation

• Total prospective damage potentially caused by outside attackers

• Total prospective damage potentially caused by inside attackers

2010/6/15 1

32

C. Network Security Evaluation

• Set important factors wk for each host Hk in C– set w = {0.2, 1}– 0.2 for host F, 1 for host D

• Dangerous Score

• Transition Score

2010/6/15

33

Outline

• Introduction• Related Work• Model• Examples• Conclusion

2010/6/15

34

Conclusion

• A novel generation approach and a measurement methodology

• Apply the probability of success to our attack graphs

• Results not only describe the potential attack probabilities of success launched from an outside attacker, but also describe the potential attack probabilities launched from inside malicious users

• Draw gray scale images to indicate the overall network security

2010/6/15

35

Q & A

Thank you!

2010/6/15