Maximizing Network Security Given a Limited Budget

Nov 20, 2013

Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava

Advisor: Professor Frank Y.S. Lin

Presented by Yu-Pu Wu

About

Author: Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava

Title: Maximizing Network Security Given a Limited Budget

Provenance: TAPIA 09, The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations

Agenda

Introduction
The Attack Graph
Related Work
Providing Network Security
Solving the SMCP
Conclusion and Future Work

Introduction

Network administrators fulfill the duty of preventing network attacks by identifying vulnerabilities in the network and then systematically removing the identified vulnerabilities.

The removal of an identified vulnerability from a network may be referred to as a patch or a security measure.

Introduction

A security measure is any action performed to remove at least one vulnerability from a system.

The set of all security measures is infinite.

However, in practice, a network administrator will consider only a finite set of security measures for possible application to the network she is protecting.

Examples: modifying firewall rules, updating software on networked hosts, shutting down system services, or modifying an authentication routine.

Introduction

The identification of vulnerabilities is critical to the effective use of security measures.

The usual method is to run vulnerability scanners.

A drawback of this method is that vulnerability scanners do not reveal the interdependencies that may exist between vulnerabilities found on different hosts of the same network.

This shortcoming has been addressed with automated attack graphs.

Introduction

In this work, we detail an attack graph analysis that helps network administrators be more effective at the Security Measures Choosing Problem (SMCP).

Informally, the SMCP is the following: given a limited budget, choose from a finite set of available security measures a subset of security measures that provides the highest security possible without going over budget.

Introduction

We propose to provide this analysis by modeling the SMCP as a Binary Knapsack Problem.

We suggest the use of dynamic programming to solve the SMCP.

Hence, our contribution includes:

A novel approach that combines budget and hardening recommendations into attack graph analysis, and

Specification of how security metrics can be used to choose hardening measures.


The Attack Graph

An attack graph is a concise representation of all the ways an attacker may leverage known vulnerabilities to violate a given set of security policies.

Each path in an attack graph corresponds to at least one attack scenario in which the attacker achieves his objective.

The Attack Graph

An attack scenario is a sequence of actions that moves the network from its initial state to a compromised state.

The initial state corresponds to the initial configuration of the network.

The compromised state corresponds to the state in which the security policy violation(s) occur.



The Attack Graph

Attack graphs have a variety of representations.

Attack graphs are composed of a series of exploits and security conditions.

An exploit is the realization of a vulnerability.

For example, we can describe an ssh vulnerability as sshv1(h1, h2). If such a vulnerability existed between two actual network hosts such as 128.x.y.2 and 128.x.y.9, then the corresponding exploit would have the form sshv1(128.x.y.2, 128.x.y.9).

In other words, if a vulnerability is instantiated with actual network-specific information, then the result is an exploit.

The Attack Graph

Security conditions are those attributes that are relevant to the vulnerabilities of the network.

A security condition can be relevant to an exploit in two ways:

(1) the security condition serves as a precondition for a vulnerability

(2) the security condition serves as a postcondition of a realized vulnerability

The Attack Graph

Types of Attack Graphs

Although attack graphs have different representations, we assert that they rely on common foundational definitions.

The state space for a network system is given by S, a set of binary strings of size q. Hence, |S| = 2^q.

The Attack Graph

Cond is a function that produces some subset of the system state representing the relevant security conditions, given either a vertex or an edge but not both.

Hence, Cond(v_i ∨ (v_k, v_l)) ⊆ S, where the vertices v_i, v_k, v_l ∈ V.

A represents the infinite set of possible attacks. An attack a_i ∈ A, where 1 ≤ i < ∞.

A labeling function L labels either a vertex or an edge with an attack: L(v_i ∨ (v_k, v_l)) = a_j, where v_i, v_k, v_l ∈ V and a_j ∈ A.

The Attack Graph

Given either a vertex or an edge, a function Prereq produces the necessary conditions required for the exploit to be realized.

That is, Prereq(v_i ∨ (v_k, v_l)) = v_p (R v_i) ∨ u ∈ E, where R is one of two unary operators applied to the condition v_i, E is the set of edges, and 1 ≤ i ≤ n with n the number of nodes in the graph.

Given either a vertex or an edge, a function Post produces the conditions provided by the exploit.

This gives Post(v_i ∨ (v_k, v_l)) = v_p (v_i) ∨ u ∈ E, where E is the set of edges and 1 ≤ i ≤ n with n the number of nodes in the graph.

The Attack Graph

Attack Tree

An attack tree is an undirected acyclic graph.

The root node represents the attacker's objective or main goal.

Leaf nodes represent different starting states for an attacker.

The intermediate nodes of the graph represent any of the subgoals that may be used to achieve the attacker's main goal.

Nodes in the attack tree may represent security conditions or exploits.

Edges in the attack tree simply give the parent-child (i.e., goal-subgoal) relation between nodes.

The Attack Graph

Formally, an attack tree is an acyclic graph G = (V, E).

There exists a set of attacker objectives O where |O| = |V| and O ⊆ S ∪ A. L(v_i) = o_i and Cond(v_j) = o_j, where o_i, o_j ∈ O.

E ⊆ {e_k = (v_i, v_j), e_k = (v_j, v_i) | v_i, v_j ∈ V ∧ i ≠ j ∧ 0 ≤ k < [n^2/2]}.

We have P(e_k) = P(v_i, v_j) = v_i ∨ v_j. P is a function that yields the parent-child relationship existing between two nodes connected by an edge. Given an edge that connects a goal and a subgoal, P always returns the goal.

∃ v_g ∈ V such that if for every e_k = (v_g, v_i) we have P(e_k) = v_g, then v_g is the attacker's main objective.

As for the preconditions and postconditions, we have respectively Prereq(v_i ∈ V) = v_p (R v_i) and Post(v_j ∈ V) = v_p (v_i).

The Attack Graph

Condition Dependency Graph

A condition dependency graph is a directed graph where nodes represent security conditions and edges represent exploits that connect the graph's security conditions.

A condition dependency graph is given by G = (V, E) where ∀ v_i ∈ V, Cond(v_i) ⊆ S.

E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}.

L(e_k) = a_i, where a_i ∈ A.

We also have Prereq(e_k) = v_w and Post(e_k) = v_x, where (v_w, v_x) ∈ E.

The Attack Graph

Exploit Dependency Graph

An exploit dependency graph is a directed graph where nodes represent exploits and edges represent the security conditions that connect exploits.

An incoming edge represents a precondition for the exploit it points to in the attack graph. An outgoing edge represents a postcondition of the node (exploit) the edge is leaving.

An exploit dependency graph is given by G = (V, E) where ∀ v_i ∈ V, L(v_i) = a_b with a_b ∈ A. E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}. Cond(e_k) ⊆ S.

We have Prereq(v_j) = u ∈ E, where u is an edge entering v_j. We also have Post(v_l) = u ∈ E, where u is an edge leaving v_l.

The Attack Graph

Hybrid Dependency Graph

A hybrid dependency graph is a directed graph where each node represents either a security condition or an exploit.

Edges reveal the relationships between nodes but have no labels.

Edges exist only between a security condition and an exploit or between an exploit and a security condition.

When there is more than one edge going from security condition nodes to an exploit node, all of those security conditions must be satisfied for the exploit to be realized (conjunction).

When there is more than one edge going from exploit nodes to a security condition node, any one of those exploits satisfies the security condition (disjunction).

The Attack Graph

The hybrid dependency graph is given by G = (V, E).

V = V_exploits ∪ V_conditions.

E = E_disjunction ∪ E_conjunction.

Cond(v_i) ⊆ S, where v_i ∈ V_conditions.

L(v_i) = a_j, where v_i ∈ V_exploits and a_j ∈ A.

E_conjunction ⊆ {e_k = (v_i, v_j) | v_i ∈ V_conditions ∧ v_j ∈ V_exploits}.

E_disjunction ⊆ {e_l = (v_t, v_s) | v_t ∈ V_exploits ∧ v_s ∈ V_conditions}.

We have Prereq(v_c ∈ V_exploits) = v_b ∧ … ∧ v_i, where v_b, v_i ∈ V_conditions.

We have Post(v_c ∈ V_exploits) = v_a ∧ … ∧ v_j, where v_a, v_j ∈ V_conditions.


Related Work

In attack graphs, the application of security measures is simulated by removing some subset of vulnerabilities or exploits from the representation.

The literature discussed in this section proposes analyses that provide the network administrator with hardening suggestions that, if implemented, produce a safe network or a more secure network with respect to a security metric.

Related Work

Jha et al. attempt to find the smallest subset of measures needed to make the network safe.

The authors note that finding such a subset is equivalent to the minimum hitting set problem, which is NP-complete.

The authors approximate a solution using a greedy approach in which the measures preventing the most attacks are chosen in descending order.

A drawback of this approach is that it is an approximation and yields potentially suboptimal solutions.

Related Work

Noel et al. propose a minimum-cost hardening method.

The authors propose the use of algebraic backwards substitution from an attack graph's goal state to its initial state.

This backwards substitution yields the goal state in terms of the initial conditions.

The Boolean expression obtained for the initial conditions is converted into conjunctive normal form, yielding maxterms that are then evaluated on a lattice.

Related Work

Maxterms represent hardening suggestions that will preserve the safety of the network.

Maxterms lower in the lattice correspond to hardening suggestions requiring the least cost or effort.

The primary drawback of this approach is that it is binary. That is, the effectiveness of this approach hinges on the ability of the network administrator to implement all hardening recommendations.

Related Work

The assumption is made that the network administrator has all the resources she needs to implement hardening recommendations.

However, a network administrator's ability to safeguard a network is often constrained by a limited budget.

Our approach deals with this challenge by incorporating the network administrator's funding constraint into the attack graph analysis used to discover hardening recommendations.

Related Work

Phillips and Swiler incorporate a budget into their attack graph analysis to generate hardening suggestions.

However, their algorithm follows a greedy approach that does not guarantee optimality.

Furthermore, their analysis is based on knowing attacker costs or attacker success probabilities, which are difficult to ascertain in practice.

Our approach guarantees optimality and does not rely on knowing attacker costs or attacker success probabilities.

Related Work

Lippmann et al. [13] describe a method for generating hardening recommendations derived from removing edges from the attack graph and observing the effect on the system's Network Compromise Percentage (NCP).

An NCP of 0 percent would suggest a safe network.

An NCP of 100 percent would suggest a network that is completely compromised.

When the analysis is done, the network administrator is presented with recommendations in ascending order of NCP.

However, she still has no assurance that the recommendations offered represent optimal usage of her resources.

Related Work

Coupling our method with the one in [13] gives the network administrator the assurance that she is receiving optimal recommendations with respect to her budget.

We offer an algorithm for generating recommendations that are guaranteed to optimize network security with respect to a security metric (e.g., NCP) for the budget specified by the network administrator.

Related Work

Chen et al. [6] use the System Quality Requirements Engineering (SQUARE) methodology to perform a detailed case study.

The researchers used linear programming to determine the best set of security measures to choose given the budget their client allocated for security.

Solving the problem of choosing security measures as a combinatorial optimization is consistent with our approach.

Our method maintains all discovered optimal solutions, whereas a single optimal solution is provided in [6]. The network administrator can then choose the best hardening recommendation based on her experience.

Related Work

Chen et al. use attack trees primarily for ancillary documentation purposes, whereas in our approach attack graphs are integral.

The network administrator can obtain a visual representation of the effect each security measure has on the attack graph and subsequently on the network.

Our approach can capture the effect that making a particular vulnerability unexploitable has on the rest of the attack graph.

The approach offered in [6] does not capture this form of vulnerability interdependence.


Providing Network Security

Safeguarding a network that is not under attack begins with identifying the vulnerabilities of the network.

This process typically involves vulnerability analysis methods. One commonly used method is to leverage vulnerability scanners to discover vulnerabilities and then provide patches for these vulnerabilities.

Because vulnerability scanners do not consider the interdependencies that may exist between vulnerabilities, automated attack graph generation techniques have been proposed to expose such interdependencies.

Providing Network Security

The removal of security flaws is performed by implementing one or more security measures; however, the selection of the appropriate set of security measures is nontrivial.

For example, discovering the "best" way of removing vulnerabilities could require the manual analysis of many combinations of security measures.

There may be overlap in the vulnerabilities that security measures remove.

Example: vulnerabilities v1, v2, v3, v4, v5, and v6, and security measures sm1, sm2, and sm3, where sm1 removes v1, v5, and v6; sm2 removes v1 and v4; and sm3 removes v1 and v3. All three remove v1, so the benefit of any one measure depends on which of the others are already in place.

Providing Network Security

The problem of choosing the appropriate combination of security measures such that the security of the network is optimized subject to a given budget is called the Security Measures Choosing Problem (SMCP).

The SMCP formulation is inspired by the classic Binary Knapsack Problem.

The Knapsack Problem is a well-known optimization problem where the goal is to maximize a quantity subject to some constraint.

Providing Network Security

The problem can be formally defined as: given a set of n items and a knapsack with

m_j may take on different values depending on what security measures are already in place within the network.

The model also assumes that the network administrator is able to assign costs to the hardening measures in terms of money or time.


Solving the SMCP

We adopt the dynamic programming approach to solving the SMCP.

We define variables as the following:

Solving the SMCP

The necessary steps to leverage our approach are:

(1) determine the budget

(2) determine the security metric of interest

(3) generate the attack graph

(4) determine what security measures are available to safeguard the network and assign them costs

(5) apply the dynamic programming algorithm to the inputs given above.

Solving the SMCP

If we assume that the security metric value can be obtained from a depth-first search of the attack graph (e.g., the total number of attack paths), then the dynamic programming algorithm's time complexity is O(nH^2 B); otherwise the algorithm has a time complexity of O(nHKB), where K is the time complexity of ζ.

The security measures chosen for an optimal hardening recommendation can be determined by backtracking through R.
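The five steps above, carried out end to end on a constructed instance. This is an added example, not code from the paper or its authors: the hybrid dependency graph (conjunction at exploits, disjunction at conditions, as defined in the attack-graph section), the exploit and condition names, the six security measures with their costs, and the budget are all assumptions made for illustration, and the overlapping measures play the role of sm1/sm2/sm3 from the Providing Network Security section. The metric ζ is the total number of attack paths found by depth-first search, the case the text singles out. Because measures overlap, the gain of a measure depends on which others are already applied, so the example scores each affordable subset on the hardened graph rather than summing per-measure values, and it keeps every subset that attains the optimum. It is exact for a handful of measures and does not reproduce the paper's dynamic-programming table.

```python
"""Added example: solving a small SMCP instance exactly over a constructed
hybrid dependency graph.  Graph, measures, costs and budget are made up for
illustration and are not taken from the paper."""
from typing import Dict, Set, Tuple

# Hybrid dependency graph: exploit -> (preconditions, postconditions).
# Conjunction at an exploit: every precondition must hold before it fires.
# Disjunction at a condition: any one exploit producing it is enough.
EXPLOITS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "sshv1(att,web)":      ({"reach(att,web)"}, {"user(web)"}),
    "ftp_rhosts(att,web)": ({"reach(att,web)"}, {"trust(web,att)"}),
    "rsh(att,web)":        ({"trust(web,att)"}, {"user(web)"}),
    "local_bof(web)":      ({"user(web)"},      {"root(web)"}),
    "sshv1(web,db)":       ({"root(web)"},      {"user(db)"}),
    "sql_inject(web,db)":  ({"user(web)"},      {"user(db)"}),
    "local_bof(db)":       ({"user(db)"},       {"root(db)"}),
}
INITIAL = frozenset({"reach(att,web)"})  # initial state of the network
GOAL = "root(db)"                         # the security-policy violation

# Security measures: name -> (cost, exploits removed).  The overlap is
# deliberate: one patch removes both sshv1 exploits, like sm1/sm2/sm3 above.
MEASURES: Dict[str, Tuple[int, Set[str]]] = {
    "patch_sshv1":   (3, {"sshv1(att,web)", "sshv1(web,db)"}),
    "disable_ftp":   (1, {"ftp_rhosts(att,web)"}),
    "disable_rsh":   (1, {"rsh(att,web)"}),
    "patch_bof_web": (2, {"local_bof(web)"}),
    "deploy_waf":    (2, {"sql_inject(web,db)"}),
    "patch_bof_db":  (4, {"local_bof(db)"}),
}


def reachable_exploits(exploits, initial):
    """Forward-chain from the initial conditions (monotonic attacker) and
    return the exploits whose preconditions can all be satisfied."""
    known, fired = set(initial), set()
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= known:
                fired.add(name)
                known |= post
                changed = True
    return fired


def count_attack_paths(exploits, initial, goal):
    """Security metric zeta: number of attack paths, counted by depth-first
    search over the exploit-dependency view of the graph, from exploits that
    fire in the initial state to exploits that establish the goal."""
    live = reachable_exploits(exploits, initial)
    # e -> f when some postcondition of e is a precondition of f
    succ = {e: [f for f in live if exploits[e][1] & exploits[f][0]] for e in live}
    starts = [e for e in live if exploits[e][0] <= initial]

    def dfs(e, seen):
        if goal in exploits[e][1]:
            return 1
        return sum(dfs(f, seen | {f}) for f in succ[e] if f not in seen)

    return sum(dfs(s, {s}) for s in starts)


def harden(exploits, chosen, measures):
    """Simulate applying the chosen measures by deleting the exploits they remove."""
    removed = set().union(*(measures[m][1] for m in chosen))
    return {e: v for e, v in exploits.items() if e not in removed}


def solve_smcp(exploits, initial, goal, measures, budget):
    """Exact SMCP: score every subset of measures that fits the budget on the
    hardened graph (overlap means scores do not add up per measure) and
    return the minimum metric together with every subset that attains it."""
    names = sorted(measures)
    best, solutions = None, []

    def search(i, chosen, spent):
        nonlocal best, solutions
        if i == len(names):
            score = count_attack_paths(harden(exploits, chosen, measures), initial, goal)
            if best is None or score < best:
                best, solutions = score, [frozenset(chosen)]
            elif score == best:
                solutions.append(frozenset(chosen))
            return
        search(i + 1, chosen, spent)  # leave names[i] out
        cost = measures[names[i]][0]
        if spent + cost <= budget:  # take names[i] only if still affordable
            search(i + 1, chosen + [names[i]], spent + cost)

    search(0, [], 0)
    return best, solutions


if __name__ == "__main__":
    print("attack paths before hardening:", count_attack_paths(EXPLOITS, INITIAL, GOAL))
    metric, subsets = solve_smcp(EXPLOITS, INITIAL, GOAL, MEASURES, budget=4)
    print("best metric within budget 4:", metric)
    for s in subsets:
        print("  ", sorted(s), "cost", sum(MEASURES[m][0] for m in s))
```

With a budget of 4, four different subsets each cut the path count from 4 to 0, which is precisely the situation in which returning every optimal solution lets the administrator pick by experience; with a budget of 3 the best achievable is one remaining path. Removing the single goal exploit and removing both entry exploits score the same here, so a practitioner would also weigh what the metric does not see, such as which residual exploits remain live.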


Conclusion and Future Work

We have modeled the problem of choosing security measures to harden a computer network as a combinatorial optimization problem.

We model the problem as the binary knapsack problem where the goal is to maximize security subject to a limited budget.

We call this problem the Security Measures Choosing Problem (SMCP).

Dynamic programming is used to solve the SMCP.

This approach to solving the SMCP with attack graphs and security metrics is novel.

Conclusion and Future Work

Previous attack graph analyses did not give enough consideration to the budget the network administrator had for implementing hardening recommendations.

Using dynamic programming to solve the SMCP assures network administrators that their network's security is optimized with respect to the security metric and budget being used.

Conclusion and Future Work

An aspect requiring further attention is security metrics.

If a network administrator decides she wants to use different security metrics to evaluate the same network, it is possible that the security metrics will disagree in what is considered "secure."

More work is needed to identify security metrics that have reliable predictive value.

We are currently in the process of developing a more robust security metric for networks.

THANKS FOR YOUR ATTENTION!