Slide 1
Predicting zero-day software vulnerabilities through data mining
Su Zhang
Department of Computing and Information Science
Kansas State University
Slide 2
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 3
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 4
The trend of vulnerability numbers
Slide 5
Zero-day vulnerability
What is a zero-day vulnerability? It is a vulnerability that is found by underground hackers before being made public.
Increasing threat from zero-day vulnerabilities.
Many attacks are attributed to zero-day vulnerabilities.
E.g. in 2010 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.
Slide 6
Our goal
Risk awareness. The possibility of zero-day vulnerabilities must be considered for a comprehensive risk assessment of enterprise networks.
Slide 7
Enterprise risk assessment framework
[Framework diagram, built up step by step over slides 7 to 11; only the title survives in the text]
Slide 12
Problem
Predict information about zero-day vulnerabilities from software configurations.
Slide 13
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 14
Related work
O. H. Alhazmi and Y. K. Malaiya, 2005.
Andy Ozment, 2007.
Kyle Ingols et al., 2009.
Miles A. McQueen et al., 2009.
Slide 15
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 16
Proposed approach
Predict the likelihood of zero-day vulnerabilities for specific software applications.
NVD
Available since 2002.
Rich data source including the preconditions and consequences of vulnerabilities. It could be used to build our model and validate our work.
Slide 17
System architecture
[Architecture diagram: a Target Machine (IE, WinXP, FireFox, …) is examined by a Scanner (e.g. Nessus or OVAL), which produces CPE (common platform enumeration) names; these feed Our Prediction Model, whose Output is MTTNV & CVSS Metrics]
Slide 18
Prediction model
Predictive data: CPE (common platform enumeration). Indicates the software configuration on a host.
Predicted data: MTTNV (Mean Time to Next Vulnerability) & CVSS Metrics.
MTTNV indicates the probability of zero-day vulnerabilities.
CVSS metrics indicate the properties of the predicted vulnerabilities.
Slide 19
CPE (common platform enumeration)
What is CPE?
CPE is a structured naming scheme for information technology systems, software, and packages.
Example (in primitive format):
cpe:/a:acme:product:1.0:update2:pro:en-us
Professional edition of the "Acme Product 1.0 Update 2 English".
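As an added example (not from the slides), a small Python parser for the CPE 2.2 URI format shown above, together with the matching rule that lets a vulnerability's affected-configuration list be checked against the CPE names a scanner reports for a host: a component that the pattern leaves empty or omits matches any value. The function names and the acme sample names are assumptions.

```python
# Components of a CPE 2.2 URI, in order:
# cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe(uri: str) -> dict:
    """Split a CPE 2.2 URI into its seven named components.
    Trailing components may be omitted; an omitted or empty component is
    stored as None, which the matcher treats as 'any value'."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError(f"too many components in {uri!r}")
    if parts[0] not in ("a", "o", "h"):  # application, operating system, hardware
        raise ValueError(f"part must be a, o or h, got {parts[0]!r}")
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return {name: (value or None) for name, value in zip(CPE_FIELDS, parts)}

def cpe_matches(host_cpe: str, pattern_cpe: str) -> bool:
    """True if the host name satisfies the pattern: every component the pattern
    specifies must equal the host's component (case-insensitively), and
    unspecified pattern components match anything. A host name that lacks a
    component the pattern requires does not match."""
    host = parse_cpe(host_cpe)
    pattern = parse_cpe(pattern_cpe)
    for name in CPE_FIELDS:
        want = pattern[name]
        if want is None:
            continue
        have = host[name]
        if have is None or have.lower() != want.lower():
            return False
    return True

def affected_software(host_cpes, affected_patterns):
    """Host CPE names (e.g. from a scanner) that match at least one pattern
    from a vulnerability's affected-configuration list."""
    return [h for h in host_cpes if any(cpe_matches(h, p) for p in affected_patterns)]
```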
Slide 20
CPE Language
Slide 21
CVSS (Common Vulnerability Scoring System)
An open framework for communicating the characteristics and impacts of IT vulnerabilities.
Metric vector:
access complexity (H, M, L)
authentication (R, NR)
confidentiality (N, P, C)
...
CVSS Score: Calculated based on above vector. It indicates the severity of a vulnerability.
Slide 22
CVSS used in risk assessment
We use CVSS to derive a conditional probability: how likely a vulnerability could be successfully exploited, given that all its preconditions are fulfilled.
By combining these conditional probabilities with an attack graph, one can calculate the cumulative probability and obtain an overall estimated likelihood of the given machine being compromised.
Slide 23
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 24
Possible techniques
Linear regression (inputs are continuous variables).
Statistical classification (inputs are discrete variables).
Maximum likelihood and least squares (determining the parameters of our model).
Slide 25
Validation methodology
Earlier years of NVD: build our model.
Later years of NVD: validate our model.
Criterion: the prediction is closer to the factual value than an estimate that does not consider zero-day vulnerabilities.
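An added example, not from the slides, of the validation split described above: MTTNV is estimated from constructed NVD-style records of earlier years, and the predicted number of new vulnerabilities in a later year is compared with the actual count and with the baseline that assumes no zero-day vulnerabilities at all. The sample records, the acme CPE name and the function names are constructed assumptions.

```python
from datetime import date

# Constructed NVD-style records for one product: (CPE name, publication date).
# Made-up dates for illustration; these are not real NVD entries.
SAMPLE_NVD = [
    ("cpe:/a:acme:product:1.0", date(2005, 1, 10)),
    ("cpe:/a:acme:product:1.0", date(2005, 4, 10)),   # 90 days after the previous entry
    ("cpe:/a:acme:product:1.0", date(2005, 7, 9)),    # 90 days
    ("cpe:/a:acme:product:1.0", date(2005, 10, 7)),   # 90 days
    ("cpe:/a:acme:product:1.0", date(2006, 2, 4)),    # later year: held back for validation
    ("cpe:/a:acme:product:1.0", date(2006, 5, 5)),
    ("cpe:/a:acme:product:1.0", date(2006, 9, 2)),
    ("cpe:/a:acme:product:1.0", date(2006, 12, 1)),
]
VALID_START, VALID_END = date(2006, 1, 1), date(2006, 12, 31)  # validation window

def split_by_year(records, last_training_year):
    """Earlier years build the model, later years validate it."""
    train = [r for r in records if r[1].year <= last_training_year]
    valid = [r for r in records if r[1].year > last_training_year]
    return train, valid

def mttnv_days(records, cpe):
    """Mean Time To Next Vulnerability for one product: the mean gap in days
    between consecutive published vulnerabilities; None if fewer than two exist."""
    dates = sorted(d for c, d in records if c == cpe)
    if len(dates) < 2:
        return None
    gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
    return sum(gaps) / len(gaps)

def expected_new_vulns(mttnv, period_start, period_end):
    """Predicted number of not-yet-known vulnerabilities in a period: its length divided by MTTNV."""
    return (period_end - period_start).days / mttnv

def prediction_error(records, cpe, last_training_year, period_start, period_end):
    """Absolute error of the MTTNV prediction and of the baseline that ignores
    zero-day vulnerabilities (predicts 0 new ones), against the actual later-year count."""
    train, valid = split_by_year(records, last_training_year)
    mttnv = mttnv_days(train, cpe)
    if mttnv is None:
        raise ValueError(f"not enough training history for {cpe}")
    actual = sum(1 for c, d in valid if c == cpe and period_start <= d <= period_end)
    predicted = expected_new_vulns(mttnv, period_start, period_end)
    return abs(predicted - actual), abs(0 - actual)
```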
Slide 26
Outline
Motivation.
Related work.
Proposed approach.
Possible techniques.
Plan.
Slide 27
Plan
Next phase: study data-mining tools (e.g. Support Vector Machine), then build up our prediction model and validate it on NVD.
Final phase: if the previous phase provides a good model, we will incorporate the generated result into MulVAL. Otherwise, we are going to investigate the problem.
Slide 28
References
[1] Andrew Buttner et al., "Common Platform Enumeration (CPE) – Specification," 2008.
[2] NVD, http://nvd.nist.gov/home.cfm.
[3] O. H. Alhazmi et al., "Modeling the Vulnerability Discovery Process," 2005.
[4] Omar H. Alhazmi et al., "Prediction Capabilities of Vulnerability Discovery Models," 2006.
[5] Andy Ozment, "Improving Vulnerability Discovery Models," 2007.
[6] R. Gopalakrishna and E. H. Spafford, "A trend analysis of vulnerabilities," 2005.
[7] Christopher M. Bishop, "Pattern Recognition and Machine Learning," 2006.
[8] Xinming Ou et al., "MulVAL: A logic-based network security analyzer," 2005.
[9] Kyle Ingols et al., "Modeling Modern Network Attacks and Countermeasures Using Attack Graphs," 2009.
[10] Miles A. McQueen et al., "Empirical Estimates and Observations of 0Day Vulnerabilities," 2009.
[11] Alex J. Smola et al., "A Tutorial on Support Vector Regression," 1998.
Slide 29
Thank you!
Questions & Answers