slides: k-zero day safety: a network security metric for measuring the risk of unknown...

Upload: sundevil-lee

Post on 01-Jun-2018


8/9/2019 Slides: k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities

k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities

Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, and Steven Noel

IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 1, pp. 30-44, 2014

Goal

•   Existing efforts on network security metrics typically assign numeric scores to vulnerabilities based on known facts about those vulnerabilities.

•   This paper proposes a novel network security metric, k-zero day safety, which counts how many zero-day vulnerabilities are required to compromise a network asset.

    −   Instead of measuring which unknown vulnerabilities are more likely to exist.

    −   Unknown vulnerabilities are not measurable.

Motivating example

•   Policy 1. The iptables rules are left in a default configuration that accepts all requests.

    −   At least one zero-day attack.

•   Policy 2. The iptables rules are configured to only allow specific IPs, excluding host 0, to access the ssh service.

    −   At least two zero-day attacks.

Modeling k-zero day safety

•   Information about the network:

    −   A collection of hosts {0, 1, 2, F} (F for the firewall).

    −   The connectivity relation {, , , , , , , , .

    −   Services {http, ssh, iptables} on host 1, {ssh} on host 2, and {firewall} on host F.

    −   Privileges {user, root}.


Modeling k-zero day safety

•   An attack sequence is any sequence of exploits.

    −   a: the asset.

    −   seq(a): the attack sequences that lead to a.

•   Attack sequences that all lead to the asset:

    1. ,,

    2. ,,

    3. ,,,

    4. ,,

Modeling k-zero day safety

•   The metric function k0d(.) counts how many exploits in the symmetric difference of two exploit sets are distinct, i.e., not related through the relation defined in Definition 3.

•   The k-zero day safety metric is defined by applying the metric function k0d(.) to the minimal attack sequences leading to an asset.

Modeling k-zero day safety

•   Definition 3 (k-Zero day safety). Given the set of zero-day exploits E_0, we define a relation such that indicates either e and e' involve the same zero-day vulnerability, or e = and e' = are true, and exploiting s yields p; e and e' are said to be distinct if ;

    a function k0d(.):

$$k0d(\cdot) : 2^{E_0} \times 2^{E_0} \to [0, \infty] \quad \text{as}$$

$$k0d(F, F') = \max\left(\left\{\, |F''| : F'' \subseteq (F \,\Delta\, F'),\ (\forall e, e' \in F'')\,(e \not\equiv_v e') \,\right\}\right)$$

    where |F''| denotes the cardinality, max(.) the maximum value, and Δ the symmetric difference; and

    for an asset a, we use k = k0d(a) for ,

    where min(.) denotes the minimum value. For any , we say a is k'-zero day safe.

Modeling k-zero day safety

•   Assume A = {}; then we have k0d(A) = 2, and the network is 2-zero day safe.

    1. ,,

    2. ,,

    3. ,,,

    4. ,,
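The metric of Definition 3 and the example above, as an added Python implementation that is not part of the slides or the paper: exploits are (vulnerability, source host, destination host) tuples, the relation of Definition 3 is modelled only by its first condition (two exploits involve the same zero-day vulnerability), and the host layout follows the motivating example while the exploit tuples, attack sequences and vulnerability names are constructed for illustration.

```python
# Added example (not from the paper): a toy k0d(.) metric over attack sequences.
# Hosts 0, 1, 2 and F follow the motivating example; the exploit tuples and the
# attack sequences below are constructed, not the paper's own.
from itertools import combinations

# Zero-day vulnerabilities (E0) are named "v_<service>"; a known one is "vk_<service>".
E0 = {"v_http", "v_ssh", "v_iptables"}

def same_vuln(e1, e2):
    """First condition of the relation: two exploits use the same zero-day vulnerability."""
    return e1[0] == e2[0]

def k0d(F, Fprime=frozenset()):
    """Largest number of pairwise-distinct zero-day exploits in F symmetric-difference F'.
    Known vulnerabilities are not in E0 and therefore cost the attacker nothing."""
    sd = [e for e in set(F) ^ set(Fprime) if e[0] in E0]
    for size in range(len(sd), 0, -1):          # brute force is fine for small sets
        for sub in combinations(sd, size):
            if all(not same_vuln(a, b) for a, b in combinations(sub, 2)):
                return size
    return 0

def k_of_asset(sequences):
    """k = min over attack sequences q leading to the asset of k0d(q restricted to E0, {})."""
    return min(k0d(q) for q in sequences)

# Policy 1: iptables accepts everything, so host 0 reaches ssh on host 1 directly.
policy1 = [
    [("v_ssh", 0, 1), ("v_ssh", 1, 2)],     # the same zero-day reused twice counts once
    [("v_http", 0, 1), ("v_ssh", 1, 2)],
]
# Policy 2: ssh on host 1 only accepts specific IPs, excluding host 0.
policy2 = [
    [("v_http", 0, 1), ("v_ssh", 1, 2)],
    [("v_iptables", 0, 1), ("v_ssh", 1, 2)],
]
# Same shape as Case 6: a known vulnerability on the path reduces k by one.
policy2_known_http = [[("vk_http", 0, 1), ("v_ssh", 1, 2)]] + policy2

if __name__ == "__main__":
    print("policy 1:", k_of_asset(policy1))                  # 1
    print("policy 2:", k_of_asset(policy2))                  # 2
    print("policy 2 + known http:", k_of_asset(policy2_known_http))  # 1
```

Adding a candidate hardening change to the model and recomputing k shows directly whether it raises the number of distinct zero-days an attacker needs, which is the comparison the later case studies make.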

Redefining Network Hardening

•   Network hardening: rendering a network k-zero day safe for a larger k.

•   Under the model, the existing qualitative approaches essentially achieve k > 0, meaning that attacks are no longer possible with known vulnerabilities only.

•   Based on the equations for k = k0d(A), we can see that k may be increased in many ways, including:

    −   Increasing diversity

    −   Strengthening isolation

    −   Disabling services

    −   Firewalls

    −   Stricter access control

    −   Asset backup

    −   Detection and prevention

    −   Security services

    −   Patching known vulnerabilities

Case study - Diversity

•   Assume

    −   Different services or firewalls involve different zero-day vulnerabilities.

    −   None of the services, except iptables and tcpwrapper, are protected by sufficient isolation.

    −   No known vulnerabilities are assumed in the services.

    −   A =

•   Case 1: the three web servers (hosts 1 through 3) provide the http service using the same software.

    −   k would remain the same regardless of the degree of diversity in these http services (k = 2).

Case study - Diversity

•   Case 2: the iptables service on host 4 only accepts requests from hosts 2 and 3.

    −   Diversifying the ftp services on hosts 2 and 3 does not help k (k = 3).

•   Case 3: ftp_x and ftp_y indicate two different ways of providing the ftp service on hosts 2 and 3.

    −   The shortest attack sequences do not increase (k = 3).

•   Increasing diversity in hosts and services does not always help to improve a network's security.

Case study - Known Vulnerability and Unnecessary Service

•   Assume

    −   An unnecessary rsh service is running on host 4; additionally, consider the effect of introducing a known vulnerability v_rsh into that service.

    −   A =

•   Case 4: without the rsh service on host 4.

    −   In total, four different zero-day vulnerabilities will be needed (k = 4).

Case study - Known Vulnerability and Unnecessary Service

•   Case 5: the rsh service is left running on host 4, but without any known vulnerability.

    −   This does not actually change k (k = 4).

•   Case 6: v_rsh is a known vulnerability.

    −   k will be reduced by one (k = 3).

•   Case 7: there is a known vulnerability in the ftp service on host 2.

    −   This does not actually change k (k = 4), and patching this vulnerability will not help to make the network more secure.

Case study - Backup of Asset

•   Assume

    −   A known vulnerability exists in the http service on both hosts 1 and 5.

    −   Three candidate positions, a, b, and c, for placing a backup server for host 4.

    −   A =

•   Case 8: without introducing any asset backup.

    −   Shortest attack sequences: [,,], [,,], [,].

    −   Two different zero-day vulnerabilities are needed (k = 2).

Case study - Backup of Asset

•   Case 9: the backup server, host 7, at location a.

    −   This does not actually change k, because the same zero-day vulnerability of the nfs service can compromise both hosts 4 and 7 (k = 2).

•   Case 10: the backup server, host 7, at location b, with the firewall rules changed such that host 4 is directly accessible from host 7 for backup purposes.

    −   The shortest attack sequence: [,,,]. Only one zero-day vulnerability is required (k = 1).

•   Case 11: the backup server, host 7, at location c.

    −   The shortest attack sequence: [,,,]. Three zero-day vulnerabilities are required (k = 3).

Case study - Firewall

•   Assume

    −   A =

    −   The personal firewall service on host 3 has a known vulnerability that may allow attackers to establish connections to the ftp service running on host 3.

•   Case 12:

    −   Shortest attack sequences: [,,,,,], [,,,]. Since v_p_firewall1 is known, k = 3.

•   Case 13: moving host 3 to location a behind firewall 2, removing its personal firewall p_firewall1, and adding extra rules to firewall 2 to only allow connection requests from 1 to 3 and from 3 to 4.

    −   Shortest attack sequences: [,,,]. k = 2.

    (Figure: firewall rule labels In:1, Out:4; In:3, Out:5; In:5, 7)

Conclusion

•   The paper proposes a concept of vulnerability relations that collapses exploits in an attack sequence that involve the same vulnerability into one.

•   Many unknown vulnerabilities would need to appear at the same time to achieve the attack.

•   The known vulnerabilities act as shortcut edges on the attack graph, which decrease the length of the zero-day attack sequence.