Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 4, July August 2013 ISSN 2278-6856
School of Electrical Engineering & Informatics, Institut Teknologi Bandung Jl. Ganesha 10 Bandung 40132, Indonesia
Abstract: Network administrators must rely on labour-intensive processes for tracking network configurations and vulnerabilities, which require a lot of expertise and are error-prone. Network vulnerabilities and interdependencies are so complex that traditional vulnerability analysis has become inadequate. Decision-support capability lets analysts make trade-offs between security and optimal availability, and explains how best to apply limited security resources. Recent work in network security has focused on the fact that a combination of exploits is the typical way in which an intruder breaks network security. Researchers have proposed various algorithms to generate attack trees (or graphs). In this paper, a framework, architecture and approach to vulnerability analysis are presented.
Keywords: Network Security, Security Analysis, Attack, Attack Graph, Vulnerability Analysis
1. INTRODUCTION
While we cannot predict the origin and the time of attacks, we can reduce their impact by knowing the possible attack paths through the network. Reliance on manual processes and mental models is inadequate. Automated tools are needed for analysing and visualizing vulnerability dependencies and attack paths, and for understanding the overall security posture [1]. Attack graphs are constructed by starting an adversary at a given network location and, using information about the network topology and host vulnerabilities, examining how the attacker can progressively compromise vulnerable hosts that are reachable from already compromised hosts. Vulnerability scanners and analyses of the filtering performed by firewalls and routers are used to obtain information about host vulnerabilities and to determine host-to-host reachability in a network. Almost all approaches have a method of generating recommendations to patch critical vulnerabilities or make firewalls more restrictive. In addition, most of the existing implementations provide some type of attack graph display. However, the abstract nature of attack graphs has proven to be a serious practical weakness in creating an effective display [2]. Recently, many methods have been proposed for analysing the vulnerabilities in a network of hosts. One significant method is attack graph analysis [1,2,3]. The attack graph depicts the attack paths of a potential attacker, since a determined attacker is likely to penetrate deeper into the network by exploiting a chain of vulnerabilities. There are several methods to generate attack graphs. At first, attack graphs were produced manually by Red Teams. Later, the model checking tool NuSMV and TVA (Topological Vulnerability Analysis) tools were introduced to generate attack graphs automatically [3].
Network administrators face major challenges when confronted with software vulnerabilities on the hosts of their network. With the number of vulnerabilities found each year growing rapidly, it is not possible for system administrators to keep the software running on their networks free of security bugs. One of the everyday tasks of a system administrator is to read bug reports from various sources (such as CERT, Bugtraq etc.) and understand the real impact of the reported security vulnerabilities in the context of their own network. With the appearance of new vulnerabilities, assessing their impact on network security is important in choosing the right countermeasures: patch and reboot, reconfigure the firewall, unmount the file-server partition, and so on [5]. In Section II we will discuss the framework, approach and model for vulnerability analysis.
Figure 1 Topological Vulnerability Analysis (TVA) [1]
The model is used by the Environmental Graphics Engine to simulate multi-step attacks through the network for attack scenarios defined by the user. The engine analyses vulnerability dependencies, matching exploit preconditions and postconditions, and thus generates all possible paths through the network for a given attack scenario. The system then provides advanced capabilities for interactive visual analysis of the attack graph. It also calculates optimal countermeasures, for example the minimum number of network changes needed to thwart an attack scenario.
2.2 System architecture of the NetSPA tool
The NetSPA system is composed of several software components. Importers, written in Perl, are responsible for reading raw data such as Nessus scans, firewall rule sets and records from the NVD database (NVD 2007), and convert the data into a custom binary file format for later use.
An attack graph is a state transition diagram that depicts the ways in which attackers can exploit known vulnerabilities to achieve a desired state. The architecture of the intelligent vulnerability analysis model is illustrated in Figure 3.
Figure 3 Architecture of the intelligent vulnerability analysis model [3]
The architecture (Figure 3) contains three modules. The vulnerability scanning module scans the hosts in the network. The vulnerability classification module classifies the vulnerability patterns found in the scanning report into two types, application vulnerabilities and misconfiguration vulnerabilities, and the classified vulnerability information is input to the deduction engine as fact files. The deduction engine module generates atomic attacks and attack graphs [3].
Figure 2 System architecture of the NetSPA tool [2]
A small program (written in C) acts as a vulnerability classifier. This program is designed to identify a vulnerability's locality (remote or local access) and effect (whether root, user, DoS, or another privilege level is
Figure 5 Framework for Efficient Vulnerability Analysis [4]
For Windows XP, Saha [4] uses the rules provided by Netra, and for SELinux he uses the rules provided by PAL. The attack graph is shown to the user in the uDrawGraph environment. uDrawGraph is freely available graph-viewing software that has various abstraction functions to hide, view or zoom a graph or part of it, which are exposed to the user for easy navigation and viewing of attack graphs. It also accepts graph input in Prolog term format, which is convenient to generate from a Prolog environment. It exposes hooks that can be used to define user-defined functions on events. He uses its API to present customized menu functionality for various analyses on attack graphs, and has used these features to expose interactive functionality on the attack graph. The user can select fact nodes, delete or undelete them, and see the effect on the attack graph. Based on user options, the
Figure 6 Architecture of network graph generation [7] (component labels recovered from the figure: Firewall Rules, Network Data, Network Model)
In [7], Zhong et al. explain that after gathering information about the network they are able to generate a description of the hosts. Combined with the attack rule library and the attacker profiles given by the network security analyst, the attack-graph generator is able to generate an attack graph of the network through the algorithm described in Figure 7. Figure 6 shows the architecture of this system.
Figure 8 The Proposed Framework for Analysis of a Network Vulnerability
The proposed framework will be implemented using software that will be developed by the researchers. An explanation of the network data can be seen in Figure 9.
(Figure 9 labels recovered from the figure: OVAL, Nessus, McAfee Foundscan, Retina, Symantec Discovery, Network Asset Data, Asset Inventory, Altiris, Network Vulnerability Data, Network Data, Network Topology Data, IP Data, Adjacency, CVE Vulnerability Database, Firewall Rules, Checkpoint, Secure Sidewinder, Reachability, Connectivity, NVD, OSVDB)
Figure 7 Algorithm to generate attack graph [7]
The nodes in an attack graph generated by the above algorithm represent the hosts in the network. The attack graph contains attack routes from the attacker's host to all the victims. The condition in line 7 of the algorithm guarantees that there are no loops in the attack graph, and also that each attack route is the shortest. That is, each attack path in the attack graph is the shortest route from the attacker's host to the victim.
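As an added illustration of the attack graph construction described in the introduction and of the shortest-route, no-loop property discussed under Figure 7 (example code written for this page, not the authors' software nor any of the cited tools), the following Python models a constructed network of hosts with classified vulnerabilities and firewall-filtered reachability, and grows the attack graph breadth-first from the attacker's host; the host names, vulnerability ids and reachability sets are all made-up assumptions.

```python
from collections import deque

# Constructed example network (not from the paper). Each vulnerability record
# carries the remote/local locality and effect classification the text describes.
HOSTS = {
    "attacker": [],
    "web":    [{"id": "V-CONSTRUCTED-1", "locality": "remote", "effect": "user"}],
    "app":    [{"id": "V-CONSTRUCTED-2", "locality": "remote", "effect": "root"}],
    "db":     [{"id": "V-CONSTRUCTED-3", "locality": "remote", "effect": "root"}],
    "backup": [{"id": "V-CONSTRUCTED-4", "locality": "local",  "effect": "root"}],
}
# Host-to-host reachability after firewall filtering (constructed).
REACH = {"attacker": {"web"}, "web": {"app", "attacker"}, "app": {"db", "web"},
         "db": {"app", "web"}, "backup": set()}

def remote_exploitable(host):
    """Only remotely exploitable vulnerabilities let an attacker hop onto a host."""
    return [v for v in HOSTS[host] if v["locality"] == "remote"]

def generate_attack_graph(start):
    """Breadth-first search from the attacker's foothold. A host is added the first
    time it is reached, so every edge lies on a shortest attack route and the graph
    is a tree (no loops). Returns (parent map, list of (src, dst, vuln id) edges)."""
    parent, edges, queue = {start: None}, [], deque([start])
    while queue:
        src = queue.popleft()
        for dst in sorted(REACH[src]):
            if dst in parent:          # already compromised: no back edge, no loop
                continue
            vulns = remote_exploitable(dst)
            if not vulns:              # reachable but not exploitable from here
                continue
            parent[dst] = src
            edges.append((src, dst, vulns[0]["id"]))
            queue.append(dst)
    return parent, edges

def attack_route(parent, victim):
    """Shortest route from the attacker's host to victim, or None if unreachable."""
    if victim not in parent:
        return None
    route = []
    while victim is not None:
        route.append(victim)
        victim = parent[victim]
    return route[::-1]

def first_hop_patches(edges):
    """Patching every first-hop exploit cuts all routes (tree rooted at the attacker)."""
    return sorted({vid for src, _, vid in edges if src == "attacker"})
```

The backup host stays out of the graph because no other host can reach it and its only vulnerability is local, which is the kind of reachability-plus-locality reasoning the scanner and firewall data feed into.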
Figure 9 The Source of Network Data
A simulation study implementing our framework will be done in the next paper.
5. Conclusion
This paper discussed some frameworks, architectures and approaches for analysing the vulnerability of computer networks.
References
[1] S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O'Hare, K. Prole, Advances in Topological Vulnerability Analysis, IEEE CATCH 2009.
[2] L. Williams, R. Lippmann, K. Ingols, An Interactive Attack Graph Cascade and Reachability Display, VIZSEC 2007.
[3] W. Yi, X. Jinghua, An Intelligent Model for Vulnerability Analysis Using Attack Graph, International Forum on Information Technology and Application, 2009.
[4] D. Saha, Extending Logical Attack Graphs for Efficient Vulnerability Analysis, CCS'08, Alexandria, Virginia, USA, October 27-31, ACM 2008.
[5] X. Ou, S. Govindavajhala, A.W. Appel, MulVAL: A Logic-based Network Security Analyzer, In SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium, pages 88, Berkeley, CA, USA, 2005.
[6] Y. Zhao, Z. Wang, X. Zhang, J. Zheng, An Improved Algorithm for Generation of Attack Graph Based on Virtual Performance Node, International Conference on Multimedia Information Networking and Security, 2009.
[7] S. Zhong, D. Yan, C. Liu, Automatic Generation of Host-based Network Attack Graph, World Congress on Computer Science and Information Engineering, 2009.
[8] T.W. Purboyo, B. Rahardjo, Kuspriyanto, I.M. Alamsyah, A New Metrics for Predicting Network Security Level, Journal of Global Research in Computer Science, Volume 3, No. 3, March 2012.
[9] T.W. Purboyo, B. Rahardjo, Kuspriyanto, Security Metrics: A Brief Survey, 2011 International Conference on Instrumentation, Communication, Information Technology and Biomedical Engineering, Bandung, Indonesia, 8-9 November 2011.
[10] Irawati, T.W. Purboyo, Developing Computer Program for Computing Eigen pairs of 2x2 Matrices and 3x3 Upper Triangular Matrices Using The Simple Algorithm, Far East Journal of