
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org, editorijettcs@gmail.com Volume 2, Issue 4, July August 2013 ISSN 2278-6856

A Framework for Analysis A Network Vulnerability


Tito Waluyo Purboyo, Kuspriyanto

School of Electrical Engineering & Informatics, Institut Teknologi Bandung, Jl. Ganesha 10, Bandung 40132, Indonesia

Abstract: Network administrators must rely on labour-intensive processes for tracking network configurations and vulnerabilities, which require a lot of expertise and are error prone. Network vulnerabilities and their interdependencies are so complex that traditional vulnerability analysis becomes inadequate. Decision-support capability lets analysts make trade-offs between security and optimal availability, and shows how best to apply limited security resources. Recent work in network security has focused on the fact that a combination of exploits is the typical way in which an intruder breaks network security. Researchers have proposed various algorithms to generate attack trees (or graphs). In this paper, a framework, architecture and approach to vulnerability analysis are presented.

Keywords: Network Security, Security Analysis, Attack, Attack Graph, Vulnerability Analysis

1. INTRODUCTION
While we cannot predict the origin and the time of attacks, we can reduce their impact by knowing the possible attack paths through the network. Reliance on manual processes and mental models is inadequate. Automated tools are needed for analysing and visualising vulnerability dependencies and attack paths, and for understanding the overall security posture [1]. Attack graphs are constructed by placing an adversary at a given network location and, using information about the network topology and host vulnerabilities, examining how the attacker can progressively compromise vulnerable hosts that are reachable from already compromised hosts. Vulnerability scanners, together with analysis of the filtering performed by firewalls and routers, are used to obtain information about host vulnerabilities and to determine host-to-host reachability in a network. Almost all approaches have a method of generating recommendations to patch critical vulnerabilities or to make firewalls more restrictive. In addition, most of the existing implementations provide some type of attack graph display. However, the abstract nature of attack graphs has proven to be a serious practical weakness in creating an effective display [2]. Recently, many methods have been proposed for analysing the vulnerabilities in a network of hosts. One significant method is attack graph analysis [1,2,3]. The attack graph depicts the attack paths of a potential attacker, since a determined attacker is likely to penetrate deeper into the network by exploiting a chain of vulnerabilities. There are several methods to generate attack graphs. At first, attack graphs were produced manually by Red Teams. Later, the model checking tool NuSMV and TVA (Topological Vulnerability Analysis) tools were introduced to generate attack graphs automatically [3]. Network administrators face major challenges when confronted with software vulnerabilities on the hosts of their network. With the number of vulnerabilities found each year growing rapidly, it is not possible for system administrators to keep the software running on their networks free of security bugs. One of the everyday tasks of a system administrator is to read bug reports from various sources (such as CERT, Bugtraq, etc.) and understand the real impact of the reported security vulnerabilities in the context of their own network. When new vulnerabilities appear, assessing their impact on network security is important in choosing the right countermeasures: patch and reboot, reconfigure the firewall, dismount the file-server partition, and so on [5]. In Section 2 we discuss the framework, approach and model for vulnerability analysis.

2. FRAMEWORK, APPROACH, MODEL FOR VULNERABILITY ANALYSIS


In this section, we discuss several frameworks, approaches and models for vulnerability analysis.

2.1 Topological Vulnerability Analysis (TVA)

Figure 1 gives an overview of the TVA approach to constructing and analysing attack graphs. Network data capture is used to build a network model, particularly with respect to the relevant security attributes. The Vulnerability Database is a comprehensive repository of reported vulnerabilities; each vulnerability record lists the affected software (and hardware). The Exploit Conditions of the vulnerabilities encode how each can be exploited (preconditions) and the results of exploitation (postconditions). Network data capture collects data about the network that is maintained, in the form of the corresponding elements of the Vulnerability Database and Exploit Conditions. Together, these inputs are used to build an environment model for multi-stage attack graph simulation [1].

Figure 1 Topological Vulnerability Analysis (TVA) [1]

The environment model is used by the graph engine to simulate multi-step attacks through the network, for attack scenarios defined by the user. The engine analyses vulnerability dependencies, matching exploit preconditions and postconditions, and thus generates all possible attack paths through the network (for a given attack scenario). The system then provides advanced capabilities for interactive visual analysis of the attack graph. It also calculates optimal countermeasures, for example the minimum number of network changes needed to thwart an attack scenario.

2.2 System Architecture of the NetSPA Tool

The NetSPA system is composed of several software components. The importers, written in Perl, are responsible for reading raw data such as Nessus scans, firewall rule sets and records of the NVD database (NVD 2007), and for converting the data into a custom binary file format for later use.

Figure 2 System architecture of NetSPA tool [2]

A small program written in C acts as a vulnerability classifier. It is designed to identify a vulnerability's locality (remote or local access) and effect (whether root, user, DoS or another privilege level is provided). This program uses a pattern-matching algorithm that has been trained on a sample vulnerability data set; the classifier was built using the freely available LNKNet tool. The engine, written in C++, is responsible for computing reachability, generating attack graphs and analysing the graphs to generate recommendations. The engine reads the network model from the custom binary file produced by the importer. The block diagram in Figure 2 gives an overview of the design of the NetSPA system [2].

2.3 Architecture of the Intelligent Vulnerability Analysis Model

An attack graph is a state transition diagram which depicts the ways in which attackers can exploit the known vulnerabilities to achieve a desired state. The architecture of the intelligent vulnerability analysis model is illustrated in Figure 3.

Figure 3 Architecture of intelligent vulnerability analysis model [3]

The architecture (Figure 3) contains three modules. The vulnerability scanning module scans the hosts in the network. The vulnerability classification module classifies the vulnerability patterns found in the scanning report into two types, i.e. application vulnerabilities and misconfiguration vulnerabilities, and the classified vulnerability information is input into the deduction engine as fact files. The deduction engine module generates atomic attacks and attack graphs [3].

Figure 4 Fragment of Deduction Engine [3]

Figure 4 shows a fragment of the deduction engine. The Prolog language is used to simulate the behaviour of the attacker's intrusion, and a set of Prolog rules is introduced. Compared to algorithms written in C or Java, Prolog rules are more concise. Fact files from the vulnerability classification module and rule files from the security knowledge library are input into the deduction engine. According to the target query entered in the automated interactive interface, the GNU Prolog interpreter can automatically generate atomic attacks and attack graphs [3].

2.4 Framework for Efficient Vulnerability Analysis

The framework for Efficient Vulnerability Analysis is shown in Figure 5. The framework is very similar to the MulVAL framework [5]. The differences between the two frameworks are mainly the extended security policies input to the system and the interaction between the attack graph and the analysis engine.

Figure 5 Framework for Efficient Vulnerability Analysis [4]

For Windows XP, Saha [4] uses the rules provided by Netra, and for SELinux he uses the rules provided by PAL. The attack graph is shown to the user in the uDrawGraph environment. uDrawGraph is freely available graph viewing software with various abstraction functions to hide, view and zoom graphs or parts of them, which are exposed to the user for easy navigation and viewing of attack graphs. It also takes graph input in Prolog term format, which is convenient to generate from a Prolog environment. It exposes hooks which can be used to define user-defined functions on events. Saha uses its API to present customised menu functionality for various analyses on attack graphs, and has used these features to make the attack graph interactive. The user can select fact nodes, delete or undelete them, and see the effects on the attack graph. Based on user options, the changes to the graphical environment can affect the actual network and hosts, or can temporarily affect the facts existing in the Prolog environment without affecting the actual configuration. The user of the system can see the effect first and then decide whether to push the changes to the actual network [4].

3. ATTACK GRAPH GENERATION

Attack graphs play a vital role in network security, as they immediately indicate the existence of vulnerabilities in the network and how attackers can use these vulnerabilities to carry out an effective attack. Analysis of the attack graph, or simulation of dynamic attacks through it, can help us easily find the vulnerabilities in the network and take the corresponding security measures to reinforce network security. As far as we know, not all attackers aim to control the target network. In satellite communication networks, for example, it is really hard to get privileges promoted; account cheating and waste of resources are more effective attacks. Taking network performance into consideration, [6] introduces loss of performance into the attack graph status and defines it as a Virtual Performance Node (VPN). In [6], Zhao et al. propose a new method for generating an attack graph based on the VPNs mentioned above:

Algorithm: AG_Generation(H, R, s0)
Input: host attributes (H), attack rules (R), initial status (s0)
Output: attack graph AG
Begin
  Step 1. Build the network status queue, named status_que, and add s0 to it.
  Step 2. Pick the next status from status_que. Go to Step 3 if this status has not been dealt with yet; otherwise quit.
  Step 3.
    a) Take every host as attack source and every host as attack target, one pair at a time.
    b) If the value in the Link Matrix for these two hosts (which may be the same host) is 1, check the Attack Rules and identify the eligible ones.
    c) Execute every attack under these rules, generating a new status each time. If the new status does not exist in status_que, add it to the queue.
    d) Generate Graphviz code to plot the attack edge and nodes from the previous status to the new status. The probability of the attack can also be determined from the attack rules.
    e) Go to Step 2 after every host has been tried.
End
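The following Python program is an added illustration of the two mechanisms described above: the status-queue search of the AG_Generation algorithm in Section 3 (link matrix, attack rules with a success probability, new statuses queued once, Graphviz output) and the "optimal countermeasure" computation mentioned for TVA in Section 2.1 (the smallest set of vulnerabilities whose removal makes the attacker's goal unreachable). It is not code from this paper, from [6], or from the TVA, NetSPA or MulVAL tools. The hosts, link matrix, attack rules and CVE-like identifiers are constructed sample data (the identifiers are placeholders, not real CVEs); the remote/local locality field on each rule follows the distinction the NetSPA classifier makes in Section 2.2.

```python
"""Attack graph generation by breadth-first search over network statuses
(AG_Generation style), followed by a brute-force minimum-countermeasure
search.  Added illustration, not code from the paper or the tools it
surveys.  All network data below is constructed; CVE ids are placeholders."""
from collections import deque
from itertools import combinations

PRIV = {"none": 0, "user": 1, "root": 2}      # privilege levels, ordered

# Constructed network: host 0 is the attacker's own machine.
HOSTS = ["attacker", "web", "db"]
# Link matrix: LINK[i][j] == 1 if host i can reach host j after filtering.
LINK = [[1, 1, 0],
        [0, 1, 1],
        [0, 0, 1]]
# Vulnerabilities reported on each host (placeholder ids, not real CVEs).
VULNS = {"web": {"CVE-WEB-PLACEHOLDER", "CVE-WEB2-PLACEHOLDER",
                 "CVE-LOCAL-PLACEHOLDER"},
         "db": {"CVE-DB-PLACEHOLDER"}}
# Attack rules: (name, locality, privilege needed on source host,
# vulnerability needed on target, privilege gained on target, probability).
RULES = [
    ("exploit-webapp", "remote", "user", "CVE-WEB-PLACEHOLDER", "user", 0.8),
    ("exploit-webroot", "remote", "user", "CVE-WEB2-PLACEHOLDER", "root", 0.3),
    ("local-privesc", "local", "user", "CVE-LOCAL-PLACEHOLDER", "root", 0.6),
    ("db-remote-exec", "remote", "root", "CVE-DB-PLACEHOLDER", "root", 0.5),
]
S0 = ("root", "none", "none")   # initial status: attacker controls host 0 only


def generate_attack_graph(hosts, link, rules, vulns, s0):
    """Return the edge list (from_status, to_status, src, dst, rule, prob).
    A status is a tuple of privilege levels, one per host.  Because the
    search is breadth-first, the first time a status is reached it is via
    a shortest attack route (fewest exploits)."""
    status_que = deque([s0])
    seen = {s0}                       # statuses already queued or dealt with
    edges = []
    while status_que:
        status = status_que.popleft()
        for i, src in enumerate(hosts):            # every host as source
            for j, dst in enumerate(hosts):        # every host as target
                if link[i][j] != 1:
                    continue
                for name, locality, need_priv, need_vuln, gain, prob in rules:
                    if (locality == "local") != (i == j):
                        continue   # local exploits run on the host itself
                    if PRIV[status[i]] < PRIV[need_priv]:
                        continue   # no sufficient foothold on the source
                    if need_vuln not in vulns.get(dst, ()):
                        continue   # target does not carry the vulnerability
                    if PRIV[status[j]] >= PRIV[gain]:
                        continue   # nothing new would be gained
                    new = list(status)
                    new[j] = gain
                    new = tuple(new)
                    edges.append((status, new, src, dst, name, prob))
                    if new not in seen:            # step 3c of AG_Generation
                        seen.add(new)
                        status_que.append(new)
    return edges


def goal_reached(edges, s0, host_index, priv):
    """True if some status in the graph grants at least `priv` on the host."""
    statuses = {s0} | {e[1] for e in edges}
    return any(PRIV[s[host_index]] >= PRIV[priv] for s in statuses)


def to_dot(edges):
    """Graphviz DOT text (step 3d): nodes are statuses, edge labels carry the
    rule, the source/target hosts and the success probability."""
    def node(s):
        return "/".join(s)
    lines = ["digraph attack_graph {"]
    for frm, to, src, dst, name, prob in edges:
        lines.append('  "%s" -> "%s" [label="%s %s:%s p=%.2f"];'
                     % (node(frm), node(to), name, src, dst, prob))
    lines.append("}")
    return "\n".join(lines)


def minimum_countermeasures(hosts, link, rules, vulns, s0, host_index, priv):
    """Smallest sets of vulnerabilities whose removal (patching) makes the
    goal unreachable.  Brute force over subsets by increasing size: fine for
    a handful of vulnerabilities, exponential in general."""
    all_vulns = sorted(v for vs in vulns.values() for v in vs)
    for k in range(len(all_vulns) + 1):
        found = []
        for patch in combinations(all_vulns, k):
            patched = {h: vs - set(patch) for h, vs in vulns.items()}
            edges = generate_attack_graph(hosts, link, rules, patched, s0)
            if not goal_reached(edges, s0, host_index, priv):
                found.append(patch)
        if found:
            return found
    return []


if __name__ == "__main__":
    ag = generate_attack_graph(HOSTS, LINK, RULES, VULNS, S0)
    print(to_dot(ag))
    print("db root reachable:", goal_reached(ag, S0, 2, "root"))
    print("minimum patch sets:",
          minimum_countermeasures(HOSTS, LINK, RULES, VULNS, S0, 2, "root"))
```

On the sample data the search produces four statuses and five edges: two entry exploits against the web server (one yielding user, one yielding root), a local privilege escalation, and a pivot from the web server to the database. The countermeasure search shows why "patch the entry vulnerability" is not enough here: removing either web vulnerability alone still leaves a route to root on the database, and the single-patch set that thwarts the scenario is the database vulnerability. The DOT text can be rendered with the Graphviz dot tool to obtain the picture the algorithm's step 3d describes.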

4. THE PROPOSED FRAMEWORK

In [7], Zhong et al. explain that after gathering the network information they are able to generate a description of the hosts. Combined with the attack rule library and the attacker profiles given by the network security analyst, the attack graph generator produces an attack graph of the network through the algorithm described in Figure 7. Figure 6 shows the architecture of this system.

Figure 6 Architecture of network graph generation [7]

Figure 7 Algorithm to generate attack graph [7]

The nodes of an attack graph generated by the above algorithm represent the hosts in the network. The attack graph contains the attack routes from the attacker host to all the victims. The condition in line 7 of the algorithm guarantees that there are no loops in the attack graph and also that each attack route is the shortest one; that is, every attack path in the attack graph is the shortest route from the attacker host to the victim.

In the studies conducted until now, we proposed a new framework that can be seen in Figure 8.

Figure 8 The Proposed Framework for Analysis A Network Vulnerability (block labels recovered from the figure: Network Asset Data, Network Vulnerability Data, Network Topology Data, Firewall Rules, Network Data, Network Security Extractor, Network Model, Attack Graph Generator, Attack Graph Reducer, Network Security Evaluator, Network Security Hardener, Optimal Network Hardening)

The proposed framework will be implemented using software that will be developed by the researchers. The sources of the network data are shown in Figure 9.

Figure 9 The Source of Network Data (labels recovered from the figure: Network Data, Network Asset Data, Network Vulnerability Data, Network Topology Data, Asset Inventory, Altiris, Symantec Discovery, OVAL, Nessus, McAfee Foundscan, Retina, CVE Vulnerability Database, NVD, OSVDB, IP Data, Adjacency, Reachability, Connectivity, Firewall Rule, Checkpoint, Secure Sidewinder)

A simulation study implementing our framework will be presented in the next paper.

5. Conclusion
This paper discussed some of the frameworks, architectures and approaches for analysing the vulnerability of computer networks. Attack graphs provide a powerful way to understand the context and the relative importance of vulnerabilities in systems and networks. Attack graph analysis depends on a complete and accurate model of the network. Such models are usually built using data from (remote) network vulnerability scanners such as Nessus. However, remote scanning has a fundamental limitation on the information available about the target host. Our future work is to improve the framework and develop a model for vulnerability analysis including the metrics in [8, 11, 12, 13]. A simulation study will also be presented in our next paper.

References

[1] S. Noel, M. Elder, S. Jajodia, P. Kalapa, S. O'Hare, K. Prole, Advances in Topological Vulnerability Analysis, IEEE CATCH 2009.
[2] L. Williams, R. Lippmann, K. Ingols, An Interactive Attack Graph Cascade and Reachability Display, VIZSEC 2007.
[3] W. Yi, X. Jinghua, An Intelligent Model for Vulnerability Analysis Using Attack Graph, International Forum on Information Technology and Application, 2009.
[4] D. Saha, Extending Logical Attack Graphs for Efficient Vulnerability Analysis, CCS'08, Alexandria, Virginia, USA, October 27-31, ACM 2008.
[5] X. Ou, S. Govindavajhala, A.W. Appel, MulVAL: A Logic-based Network Security Analyzer, In SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium, pages 8-8, Berkeley, CA, USA, 2005.
[6] Y. Zhao, Z. Wang, X. Zhang, J. Zheng, An Improved Algorithm for Generation of Attack Graph Based on Virtual Performance Node, International Conference on Multimedia Information Networking and Security, 2009.
[7] S. Zhong, D. Yan, C. Liu, Automatic Generation of Host-based Network Attack Graph, World Congress on Computer Science and Information Engineering, 2009.
[8] T.W. Purboyo, B. Rahardjo, Kuspriyanto, I.M. Alamsyah, A New Metrics for Predicting Network Security Level, Journal of Global Research in Computer Science, Volume 3, No. 3, March 2012.
[9] T.W. Purboyo, B. Rahardjo, Kuspriyanto, Security Metrics: A Brief Survey, 2011 International Conference on Instrumentation, Communication, Information Technology and Biomedical Engineering, Bandung, Indonesia, 8-9 November 2011.
[10] Irawati, T.W. Purboyo, Developing Computer Program for Computing Eigen pairs of 2x2 Matrices and 3x3 Upper Triangular Matrices Using The Simple Algorithm, Far East Journal of Mathematical Sciences (FJMS), Volume 56, Issue 2, p. 185-200, September 2011.
[11] T.W. Purboyo, Kuspriyanto, New Non Path Metrics for Evaluating Network Security Based on Vulnerability, International Journal of Computer Science Issues, Volume 9, Issue 4, July 2012.
[12] T.W. Purboyo, Kuspriyanto, Attack Graph Based Security Metrics: State of The Art, International Journal of Science and Engineering Investigations, Volume 1, Issue 7, August 2012.
[13] T.W. Purboyo, Kuspriyanto, Some Algorithm for Generating Attack Graph, International Journal of Advanced Research in Computer Science and Software Engineering, Volume 2, Issue 8, August 2012.

AUTHORS

Tito Waluyo Purboyo is currently a Ph.D. student at Institut Teknologi Bandung since August 2010. He received his Master's degree in mathematics from Institut Teknologi Bandung in 2009. He is currently a research assistant at the Department of Computer Engineering, School of Electrical Engineering and Informatics, Institut Teknologi Bandung. His research interests include security, cryptography, physics and mathematics.

Kuspriyanto is Professor of Computer Engineering at Institut Teknologi Bandung. He received his D.E.A. in Automatic Systems (1979) from USTL France and his Ph.D. in Automatic Systems (1981) from the same university. He is working as a lecturer in the Computer Engineering Department, School of Electrical Engineering and Informatics, Institut Teknologi Bandung, Indonesia. His fields of interest include network security, neural networks, genetic algorithms, robotics, real-time systems, etc.
