Evaluating Network Security with Two-Layer Attack Graphs
Anming Xie
Zhuhua Cai
Cong Tang
Jianbin Hu
Zhong Chen
ACSAC (Dec., 2009)
2010/6/15
Outline
• Introduction
• Related Work
• Model
• Examples
• Conclusion
Attack Graphs
• Describe attack scenarios
• Play important roles in analyzing network vulnerabilities
Problems
• Although there are many previous works on attack graphs about evaluating network security, some problems still need to be addressed
  – Scalability
  – Several targets for overall security of networks
  – Inside malicious attackers’ attacks
The Work of The Paper
• Firstly, propose a new generation model
  – Generate two-layer attack graphs model to reduce computation costs
• Then, propose a measurement methodology
  – Evaluate network security based on adjacency matrixes
Network Security Metrics
• Traditionally, focus on vulnerabilities as static values in different networks
• However, ignore how they could be exploited by the attackers
• An attack graph describes all the possible ways to break into a network, and reveals actual effect among vulnerabilities
Related Works
• Resulting attack graphs are sometimes too large to be computed
• Lacks meaningful and efficient suggestions to evaluate network security
A. Generation Model
• Two assumptions
  – Preconditions on an exploit would never be changed from satisfied to unsatisfied
  – Attackers only need user access privileges at source host when exploiting vulnerabilities at target host
A. Generation Model
• The two-layer model
  – Lower layer
    • Describe all of the detailed attack scenarios between each host-pair
    • Set up host-pair attack graphs to describe attack sequences from one source host to one target host directly
    • Show how attackers obtain user or root access privileges at the target host
    • N * N host-pair attack graphs at most with N hosts
A. Generation Model
• The two-layer model
  – Upper layer
    • Set up host access attack graphs to show the direct access relationships among hosts
    • A node represents a host in networks, and a directed edge between two nodes represents the access relationship between the corresponding two hosts
A. Generation Model
• Generation of host-pair attack graphs
  – Deals only with the host’s configurations, vulnerabilities, and its network connection with the source host
  – Generated very quickly, and the size is small
A. Generation Model
• Generation of hosts access attack graphs
  – Built on the results of the host-pair attack graphs
  – Add a directed edge to the corresponding nodes in hosts access graph
  – Edge’s label shows the corresponding privilege which could be obtained
B. Analysis on probability of success
• Used in analysis of network security
• Firstly
  – apply probability of success to each atomic exploit
• Secondly
  – calculate the probabilities of obtaining user and root privileges successfully for each host-pair attack graph
• Finally
  – change the edges’ label of the hosts access graph as (HPAGID, Puser, Proot)
C. Analysis on Adjacency Matrixes
• In order to evaluate the overall network, combine these attack probabilities dynamically into a global measurement based on adjacency matrixes
• For a network with N nodes, draw a hosts access graph with N + 1 nodes
• Use H1, H2, ..., Hn to indicate hosts in the target network, and use H0 to indicate an attacker’s host.
C. Analysis on Adjacency Matrixes
• Element uij indicates the probability of obtaining user privilege from host Hi to host Hj
• C = F(A,B)
  – A, B, C are matrixes
  – F is defined as
$$c_{ij} = \max_k (a_{ik} * b_{kj}) = \max(a_{i0} * b_{0j},\ a_{i1} * b_{1j},\ \ldots,\ a_{iN} * b_{Nj}), \quad 0 \le i, j, k \le N$$
C. Analysis on Adjacency Matrixes
• Define the power iterations of Function F
$$F^m(U) = F(F^{m-1}(U), U),\ m > 0, \qquad F^0(U) = I$$
• Stable matrix
  – User adjacency matrix U
    • maximum
$$U_{succ} = F^{N-1}(U) = F^M(U), \quad M \ge N-1$$
  – Root adjacency matrix R
    • maximum
$$R_{succ} = F(U_{succ}, R)$$
D. Network Security Measurement
• Total prospective damage of whole network brought by this attacker in host Hi is
$$TDH_i = \sum_{H_k \in C} \max(du_k * u_{ik},\ dr_k * r_{ik})$$
  – the set of important hosts in network is C, C ⊆ H
• Dangerous Score
$$DS = \sum_{H_k \in C} (w_k * r_{0k})$$
  – Indicate the security level of a network
  – use wk rather than duk and drk. For each host Hk in C, wk is its important factor, where 0 ≤ wk ≤ 1
D. Network Security Measurement
• Transition score, which evaluates the host’s action as a stepping stone when an outside attacker attacks the network
$$TS_i = \frac{r_{0i} * \sum_{H_k \in C} (w_k * r_{ik})}{\sum_{H_k \in C} (w_k * r_{0k})}$$
A. Network Environment
B. Result Attack Graphs
C. Network Security Evaluation
• Assume the set of important hosts in network is C = {F,D}
• Obtain user privilege
  – Prospective damage du = {200, 2000}
• Obtain root privilege
  – Prospective damage dr = {2000, 10000}
C. Network Security Evaluation
• Total prospective damage potentially caused by outside attackers
• Total prospective damage potentially caused by inside attackers
C. Network Security Evaluation
• Set important factors wk for each host Hk in C
  – set w = {0.2, 1}
  – 0.2 for host F, 1 for host D
• Dangerous Score
• Transition Score
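The measurement pipeline from the Model section (composition F, stable matrices, then TDH, DS and TS), as an added example that is not part of the original slides. The matrices U and R and the host indices are constructed sample values; du, dr and w reuse the numbers given above for hosts F and D. It assumes the diagonal of U is 1 and iterates F until the matrix stops changing rather than for a fixed count.

```python
# Added example (not from the slides). U and R are constructed sample matrices:
# row/column 0 is the attacker host H0, rows/columns 1..3 are hosts H1..H3.

def F(A, B):
    """Max-product composition: c_ij = max_k(a_ik * b_kj)."""
    n = len(A)
    return [[max(A[i][k] * B[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def stable_user(U):
    """Iterate F^m(U) = F(F^(m-1)(U), U) from F^0(U) = I until it stops changing."""
    n = len(U)
    # Assumption: u_ii = 1, so shorter attack paths survive each iteration.
    if any(U[i][i] != 1 for i in range(n)):
        raise ValueError("diagonal of U must be 1")
    P = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    while (nxt := F(P, U)) != P:
        P = nxt
    return P

def tdh(i, U_s, R_s, C, du, dr):
    """Total prospective damage caused by an attacker located on host H_i."""
    return sum(max(du[k] * U_s[i][k], dr[k] * R_s[i][k]) for k in C)

def ds(R_s, C, w):
    """Dangerous score: weighted root probabilities reachable from H0."""
    return sum(w[k] * R_s[0][k] for k in C)

def ts(i, R_s, C, w):
    """Transition score of H_i as a stepping stone for the outside attacker."""
    total = ds(R_s, C, w)
    if total == 0:  # H0 cannot reach root on any important host
        return 0.0
    return R_s[0][i] * sum(w[k] * R_s[i][k] for k in C) / total

U = [[1, 0.5, 0, 0], [0, 1, 0.5, 0.25], [0, 0, 1, 0.75], [0, 0, 0, 1]]
R = [[0, 0.25, 0, 0], [0, 0, 0.5, 0.125], [0, 0, 0, 0.5], [0, 0, 0, 0]]
C = [2, 3]                    # important hosts, standing in for F and D
du = {2: 200, 3: 2000}        # damage values and weights from the slides' example
dr = {2: 2000, 3: 10000}
w = {2: 0.2, 3: 1}

U_succ = stable_user(U)
R_succ = F(U_succ, R)

if __name__ == "__main__":
    for i in range(len(U)):
        print(f"H{i}: TDH={tdh(i, U_succ, R_succ, C, du, dr):8.1f} "
              f"TS={ts(i, R_succ, C, w):.3f}")
    print("DS =", round(ds(R_succ, C, w), 3))
```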
Conclusion
• A novel generation approach and a measurement methodology
• Apply the probability of success to our attack graphs
• Results not only describe the potential attack probabilities of success launched from an outside attacker, but also describe the potential attack probabilities launched from inside malicious users
• Draw gray scale images to indicate the overall network security
Q & A
Thank you!