Slide 1
Abstracted Model Generator (AMG): Another Perspective Of Mitigating Scalability Issues
Su Zhang
Computing and Information Science
Kansas State University

Slide 2
Background
Two ways of presenting (potential) network security issues:
Attack graph.
Quantitative value:
Probability of being compromised of some “asset” (hosts, server, workstation, etc.).
Loss expectation (usually in monetary terms).
12/7/2010
2
Final Project Presentation for CIS 890

Slide 3
Attack Graphs
State Enumeration: Carnegie Mellon University (Oleg Sheyner, et al. 2002). Extremely poor scalability (exponential).
Logical Dependency Graphs:
MIT Lincoln Lab Attack Graphs (MIT-LL-AG) (Lippmann et al. 2006) (Lippmann et al. 2005). Uncertain for large scale networks. [6]
George Mason University (Ammann, Wijesekera, & Kaushik 2002) (Jajodia, Noel, & O’Berry 2003). Poor scalability (O(N^6)). [6]
Kansas State University Attack Graph (KSU-AG) (Xinming Ou, et al. 2006). Fastest so far (between O(N^2) and O(N^3)). [6]
Slide 4
Quantitative Risk Assessment
Lingyu Wang, et al. (GMU): not scalable (Bayesian Network).
Teodor Sommestad, et al. (Royal Institute of Technology (KTH)): not scalable (Bayesian Network).
John Homer and Xinming Ou (KSU): d-separation set (faster than the other two, but still not fast enough).
Slide 5
Current Limitations
Accuracy: database limitation.
Vendors don’t publish vulnerability information until it gets patched.
Centralized databases (e.g. NVD and OSVDB) have lots of errors and are maintained inconsistently.
Scalability:
Analysis cannot be finished fast enough for large scale networks’ quantitative risk assessment.
Slide 6
How to Mitigate the Scalability Issue? – Network Abstraction
Downscale enterprise-size networks into small ones.
Easier for SAs to do some basic analysis.
Provide trimmed input for analyzers to mitigate the scalability issues:
Attack-graph analyzer.
Quantitative risk assessment analyzer.
Slide 7
Network Abstraction Steps
Reachability-based grouping:
Group all unfiltered nodes (those without inter-subnet connections) into one.
Group all filtered nodes having the same inter-subnet reachability (same in terms of inbound and outbound connections).
Configuration-based breakdown:
Further break down both unfiltered and filtered nodes based on their configurations.
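As an added example (not part of the slides and not AMG’s own code), the two abstraction steps above implemented over a small constructed network in the spirit of the case study’s file server, workstation and desktop subnets with Windows and Linux hosts; the host names, subnets and reachability sets are made up, and a host’s reachability is modelled as the sets of other subnets it accepts connections from and connects to.

```python
from collections import defaultdict

# Constructed inventory (made up for this example): name, subnet, inbound subnets,
# outbound subnets, configuration. No inbound and no outbound means "unfiltered".
HOSTS = [
    ("desk1", "subnet1", set(), set(), "windows"),
    ("desk2", "subnet1", set(), set(), "windows"),
    ("desk3", "subnet1", set(), set(), "linux"),
    ("desk4", "subnet1", {"internet"}, {"fileservers"}, "windows"),
    ("ws1", "workstations", set(), {"fileservers"}, "windows"),
    ("ws2", "workstations", set(), {"fileservers"}, "windows"),
    ("ws3", "workstations", set(), {"fileservers"}, "linux"),
    ("ws4", "workstations", set(), set(), "linux"),
    ("fs1", "fileservers", {"workstations", "subnet1"}, set(), "linux"),
    ("fs2", "fileservers", {"workstations", "subnet1"}, set(), "linux"),
    ("fs3", "fileservers", {"workstations", "subnet1"}, set(), "windows"),
    ("fs4", "fileservers", {"internet"}, set(), "linux"),
]

def reachability_key(inbound, outbound):
    """Step 1 key: every unfiltered host shares one key; a filtered host is
    keyed by its exact inbound and outbound inter-subnet reachability."""
    if not inbound and not outbound:
        return ("unfiltered",)
    return ("filtered", frozenset(inbound), frozenset(outbound))

def reachability_grouping(hosts):
    """Step 1: per subnet, merge hosts that share a reachability key."""
    groups = defaultdict(list)
    for name, subnet, inbound, outbound, _config in hosts:
        groups[(subnet, reachability_key(inbound, outbound))].append(name)
    return dict(groups)

def configuration_breakdown(hosts):
    """Step 2: split each step-1 group further by host configuration."""
    groups = defaultdict(list)
    for name, subnet, inbound, outbound, config in hosts:
        groups[(subnet, reachability_key(inbound, outbound), config)].append(name)
    return dict(groups)

def abstraction_summary(hosts):
    """Node counts: original hosts, after step 1, after step 2."""
    return (len(hosts), len(reachability_grouping(hosts)),
            len(configuration_breakdown(hosts)))

if __name__ == "__main__":
    for key, members in sorted(configuration_breakdown(HOSTS).items(), key=str):
        print(key, "->", members)
    print("nodes original / step 1 / step 2:", abstraction_summary(HOSTS))
```

On this inventory the 12 hosts collapse to 6 abstract nodes after reachability-based grouping and expand again to 9 after the configuration-based breakdown, which is the trimmed input the analyzers would receive.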
Slide 8
Network Abstraction: Beginning Stage
[Figure: hosts in a subnet and the Internet]
Slide 9
Network Abstraction: Identifying the Reachability Information
[Figure: hosts in a subnet, marked Filtered or Unfiltered, and the Internet]
Unfiltered: hosts without inter-subnet connections.
Filtered: hosts including inter-subnet connections. Different colors suggest different inter-subnet reachabilities.
Slide 10
Network Abstraction: Merging Unfiltered Nodes into One
[Figure: in the subnet, the unfiltered nodes are merged into one; filtered nodes and the Internet are unchanged]
Unfiltered: hosts without inter-subnet connections (merged into one node).
Filtered: hosts including inter-subnet connections. Different colors suggest different reachabilities.
Slide 11
Reachability-based Grouping
[Figure: in the subnet, the unfiltered nodes are merged into one and filtered nodes with the same reachability are merged; the Internet is unchanged]
Unfiltered: hosts without inter-subnet connections (merged into one node).
Filtered: hosts including inter-subnet connections. Different colors suggest different reachabilities. Same-colored nodes are merged.
Slide 12
Configuration-based Breakdown
[Figure: in the subnet, the merged unfiltered node is further broken down based on configuration; filtered nodes and the Internet are shown alongside]
Unfiltered: hosts without inter-subnet connections, further broken down based on configuration.
Filtered: hosts including inter-subnet connections. Different colors suggest different configurations.
Slide 13
Case Study: Configuration
3 subnets (file servers, work stations and normal user desktops (say subnet1)).
10 hosts per subnet (divided into two types of configurations (Windows and Linux)).
2 vulnerabilities on each host. The type of vulnerability could be local, remote server, or remote client, based on CVSS vectors in the National Vulnerability Database (NVD).
Slide 14
Case Study: Topology
[Figure: case study network topology]

Slide 15
Case Study: Original Attack Graph (41K)
[Figure: attack graph generated from the original model]
Slide 16
Case Study: Attack Graph after Abstraction (27K)
[Figure: attack graph generated from the abstracted model]
Slide 17
Quantitative Results Comparison
This part is to be done soon.
Comparing the results from the original model and the abstracted model is meaningful: if the two values are close enough, we can conclude that our AMG is useful.
Slide 18
Conclusions
AMG can provide SAs a clearer overview of the entire network.
AMG will help SAs get smaller-sized attack graphs and hence reduce their workload.
AMG can mitigate the scalability issue for quantitative risk assessment.
Slide 19
References
[1] Automated generation and analysis of attack graphs. Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
[2] Evaluating and strengthening enterprise network security using attack graphs. R.P. Lippmann, K.W. Ingols, C. Scott, K. Piwowarski, K.J. Kratkiewicz, M. Artz, and R.K. Cunningham. Technical Report, MIT Lincoln Laboratory, October 2005.
[3] Practical attack graph generation for network defense. Kyle Ingols, Richard Lippmann, and Keith Piwowarski. ACSAC 2006.
[4] Minimum-cost network hardening using attack graphs. Lingyu Wang, Steven Noel, and Sushil Jajodia. Computer Communications.
[5] Modeling modern network attacks and countermeasures using attack graphs. Kyle Ingols, Matthew Chu, Richard Lippmann, et al. In 25th Annual Computer Security Applications Conference (ACSAC), 2009.
[6] Intelligent Cyber Security Analysis in Enterprise Networks. Jason H. Li and Peng Liu. In Association for the Advancement of Artificial Intelligence (www.aaai.org), 2007.
[7] Advanced Cyber Attack Modeling, Analysis, And Visualization. Sushil Jajodia and Steven Noel. Final Technical Report, March 2010.
[8] Measuring network security using Dynamic Bayesian Network. Marcel Frigault, Lingyu Wang, Anoop Singhal, and Sushil Jajodia. In Proceedings of the 4th ACM workshop on Quality of Protection (QoP), 2008.
[9] A probabilistic relational model for security risk analysis. Teodor Sommestad, Mathias Ekstedt, and Pontus Johnson. Computers & Security 29, 2010, pp. 659-679.
Slide 20
Questions & Discussions
Thank you!