Maximizing Network Security Given a Limited Budget
Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava
Advisor: Professor Frank Y.S. Lin
Presented by Yu-Pu Wu
About
• Author
• Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava
• Title
• Maximizing Network Security Given a Limited Budget
• Provenance
• (TAPIA '09) The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations
Agenda
• Introduction
• The Attack Graph
• Related Work
• Providing Network Security
• Solving The SMCP
• Conclusion and Future Work
Introduction
• Network administrators fulfill the duty of preventing network attacks by identifying vulnerabilities in the network and then systematically removing the identified vulnerabilities.
• The removal of an identified vulnerability from a network may be referred to as a patch or a security measure.
Introduction
• A security measure is any action performed to remove at least one vulnerability from a system.
• The set of all security measures is infinite.
• However, in practice a network administrator will consider only a finite set of security measures for possible application to the network she is protecting.
• Examples: modifying firewall rules, updating software on networked hosts, shutting down system services, or modifying an authentication routine.
Introduction
• The identification of vulnerabilities is critical to the effective use of security measures.
• Vulnerabilities are commonly identified with vulnerability scanners.
• A drawback of this method is that vulnerability scanners do not reveal the interdependencies that may exist between vulnerabilities found on different hosts of the same network.
• This shortcoming has been addressed with automated attack graphs.
Introduction
• In this work, we detail an attack graph analysis that helps network administrators be more effective at the Security Measures Choosing Problem (SMCP).
• Informally, the SMCP is the following:
• given a limited budget,
• choose from a finite set of available security measures a subset of security measures that provides the highest security possible without going over budget.
Introduction
• We propose to provide this analysis by modeling the SMCP as a Binary Knapsack Problem.
• We suggest the use of dynamic programming to solve the SMCP.
• Hence, our contribution includes:
• A novel approach that combines budget and hardening recommendations into attack graph analysis, and
• Specification of how security metrics can be used to choose hardening measures.
The Attack Graph
• An attack graph is a concise representation of all the ways an attacker may leverage known vulnerabilities to violate a given set of security policies.
• Each path in an attack graph corresponds to at least one attack scenario where the attacker achieves his objective.
The Attack Graph
• An attack scenario is a sequence of actions that moves the network from its initial state to a compromised state.
• The initial state corresponds to the initial configuration of the network.
• The compromised state corresponds to the state where the security policy violation(s) occur.
The Attack Graph
• Attack graphs have a variety of representations.
• Attack graphs are composed of a series of exploits and security conditions.
• An exploit is the realization of a vulnerability.
• For example, we can describe an ssh vulnerability as sshv1(h1, h2). If such a vulnerability existed between two actual network hosts such as 128.x.y.2 and 128.x.y.9, then the corresponding exploit would have the form sshv1(128.x.y.2, 128.x.y.9).
• In other words, if a vulnerability is instantiated with actual network-specific information, then the result is an exploit.
The Attack Graph
• Security conditions are those attributes that are relevant to the vulnerabilities of the network.
• A security condition can be relevant to an exploit in two ways:
• (1) the security condition serves as a precondition for a vulnerability
• (2) the security condition serves as a postcondition of a realized vulnerability
The Attack Graph
• Types of Attack Graphs
• Although attack graphs have different representations, we assert that they rely on common foundational definitions.
• The state space for a network system is given by S, which is a set of binary strings of size q.
• Hence, S = 2^q.
The Attack Graph
• Cond is a function that produces some subset of the system state that represents the relevant security conditions given either a vertex or an edge, but not both.
• Hence, Cond(v_i ⊕ (v_k, v_l)) ⊆ S, where the vertices v_i, v_k, v_l ∈ V.
• A represents the infinite set of possible attacks.
• An attack a_i ∈ A where 1 ≤ i < ∞.
• A labeling function L labels either a vertex or an edge with an attack.
• L(v_i ⊕ (v_k, v_l)) = a_j, where v_i, v_k, v_l ∈ V and a_j ∈ A.
The Attack Graph
• Given either a vertex or an edge, a function Prereq produces the necessary conditions required for the exploit to be realized.
• That is, Prereq(v_i ⊕ (v_k, v_l)) = v_p (R v_i)* ⊕ u ⊆ E ⊕ ∅, where R ∈ {∨, ∧}, E is the set of edges, and 1 ≤ i ≤ n with n the number of nodes in the graph.
• Given either a vertex or an edge, a function Post produces the conditions provided by the exploit.
• This gives Post(v_i ⊕ (v_k, v_l)) = v_p (∨ v_i)* ⊕ u ⊆ E ⊕ ∅, where E is the set of edges and 1 ≤ i ≤ n with n the number of nodes in the graph.
The Attack Graph
• Attack Tree.
• An attack tree is an undirected acyclic graph.
• The root node represents the attacker's objective or main goal.
• Leaf nodes represent different starting states for an attacker.
• The intermediate nodes of the graph represent any of the subgoals that may be used to achieve the attacker's main goal.
• Nodes in the attack tree may represent security conditions or exploits.
• Edges in the attack tree simply give the parent-child (i.e., goal-subgoal) relation between nodes.
The Attack Graph
• Formally, an attack tree is an acyclic graph G = (V, E).
• There exists a set of attacker objectives O where O = ? V (the operator between O and V was not extracted).
• O ⊂ S ∪ A. ∃ L(v_i) = o_i and Cond(v_j) = o_j, where o_i, o_j ∈ O.
• E ⊆ {e_k = (v_i, v_j), e_k = (v_j, v_i) | v_i, v_j ∈ V ∧ i ≠ j ∧ 0 ≤ k < [n²/2]}.
• We have P(e_k) = P(v_i, v_j) = v_i ⊕ v_j.
• P is a function that yields the parent-child relationship existing between two nodes connected by an edge.
• Given an edge that connects a goal and a subgoal, P always returns the goal.
• ∃ v_g ∈ V: if ∀ e_k where e_k = (v_g, v_i) ∧ P(e_k) = v_g, then v_g is the attacker's main objective.
• As for the preconditions and postconditions, we have respectively Prereq(v_i ∈ V) = v_p (R v_i)* ⊕ ∅ and Post(v_j ∈ V) = v_p (∨ v_i)*.
The Attack Graph (figure slide; image not extracted)
The Attack Graph
• Condition Dependency Graph.
• A condition dependency graph is a directed graph where nodes represent security conditions and edges represent exploits that connect the graph's security conditions.
• A condition dependency graph is given by G = (V, E) where ∀ v_i ∈ V, Cond(v_i) ⊆ S.
• E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}.
• L(e_k) = a_i, where a_i ∈ A.
• We also have Prereq(e_k) = v_w and Post(e_k) = v_x, where (v_w, v_x) ∈ E.
The Attack Graph (figure slide; image not extracted)
The Attack Graph
• Exploit Dependency Graph.
• An exploit dependency graph is a directed graph where nodes represent exploits and edges represent the security conditions that connect exploits.
• An incoming edge represents a precondition for the exploit it points to in the attack graph. An outgoing edge represents a postcondition for the node (exploit) the edge is leaving.
• An exploit dependency graph is given by G = (V, E) where ∀ v_i ∈ V, L(v_i) = a_b where a_b ∈ A. E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}. Cond(e_k) ⊆ S.
• We have Prereq(v_j) = u ⊆ E ⊕ ∅. We also have Post(v_l) = u ⊆ E ⊕ ∅.
The Attack Graph (figure slide; image not extracted)
The Attack Graph
• Hybrid Dependency Graph.
• A hybrid dependency graph is a directed graph where each node is either a security condition or an exploit.
• Edges reveal the relationships between nodes but have no labels.
• Edges exist only between a security condition and an exploit or between an exploit and a security condition.
• When there is more than one edge going from security condition nodes to an exploit node, all of those security conditions must be satisfied in order for the exploit to be realized.
• When there is more than one edge going from exploit nodes to a security condition node, any one of the exploit nodes will satisfy the security condition.
The Attack Graph
• The hybrid dependency graph is given by G = (V, E).
• V = V_exploits ∪ V_conditions.
• E = E_disjunction ∪ E_conjunction.
• Cond(v_i) ⊆ S, where v_i ∈ V_conditions.
• L(v_i) = a_j, where v_i ∈ V_exploits and a_j ∈ A.
• E_conjunction ⊆ {e_k = (v_i, v_j) | v_i ∈ V_conditions ∧ v_j ∈ V_exploits}.
• E_disjunction ⊆ {e_l = (v_t, v_s) | v_t ∈ V_exploits ∧ v_s ∈ V_conditions}.
• We have Prereq(v_c ∈ V_exploits) = v_b (∧ v_i)*, where v_b, v_i ∈ V_conditions.
• We have Post(v_c ∈ V_exploits) = v_a (∨ v_j)*, where v_a, v_j ∈ V_conditions.
The Attack Graph (figure slide; image not extracted)
Related Work
• In attack graphs, the application of security measures is simulated by removing some subset of vulnerabilities or exploits from the graph's representation.
• The literature discussed in this section proposes analyses that provide the network administrator with hardening suggestions that, if implemented, produce a safe network or a more secure network with respect to a security metric.
Related Work
• Jha et al. attempt to find the smallest subset of measures that are needed to make the network safe.
• The authors note that finding such a subset is equivalent to the minimum hitting set problem, which is NP-complete.
• The authors approximate a solution using a greedy approach where the measures preventing the most attacks are chosen in descending order.
• A drawback of this approach is that it is an approximation and yields potentially suboptimal solutions.
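As an added illustration (not from the paper and not Jha et al.'s code) of why a greedy hitting-set approximation can return more measures than necessary: the attack paths are numbered 1..6 and each hypothetical measure is the set of paths it prevents. The data are constructed so that the largest-first choice is the wrong first step, and the exhaustive search alongside shows the true minimum.

```python
from itertools import combinations

# Constructed input: six attack paths, and for each hypothetical security
# measure the set of attack paths it prevents.  sm_z covers the most paths
# on its own, yet sm_x and sm_y together cover everything with one fewer measure.
PATHS = frozenset(range(1, 7))
MEASURES = {
    "sm_x": frozenset({1, 2, 3}),
    "sm_y": frozenset({4, 5, 6}),
    "sm_z": frozenset({1, 2, 4, 5}),
}


def greedy_hitting_set(measures, paths):
    """Greedy approximation in the spirit of Jha et al.: repeatedly take the
    measure that prevents the most still-open attack paths.  Returns the
    chosen measures and whatever paths remain open (empty if the network is safe)."""
    open_paths = set(paths)
    chosen = []
    while open_paths:
        best = max(measures, key=lambda m: len(measures[m] & open_paths))
        if not measures[best] & open_paths:
            break  # no remaining measure prevents any open path
        chosen.append(best)
        open_paths -= measures[best]
    return chosen, open_paths


def smallest_hitting_set(measures, paths):
    """Exact minimum by exhaustive search, in increasing subset size; fine for a
    handful of measures and used here only to show the greedy answer is not minimal."""
    names = sorted(measures)
    for size in range(len(names) + 1):
        for subset in combinations(names, size):
            prevented = frozenset().union(*(measures[m] for m in subset))
            if prevented >= paths:
                return list(subset)
    return None


if __name__ == "__main__":
    print("greedy:", greedy_hitting_set(MEASURES, PATHS))
    print("exact: ", smallest_hitting_set(MEASURES, PATHS))
```

With a cost of 1 per measure and a budget of 2, the greedy recommendation (three measures) is unaffordable even though an affordable safe configuration exists, which is the gap the slides attribute to approximation.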
Related Work
• Noel et al. propose a minimum-cost hardening method.
• The authors propose the use of algebraic backwards substitution from an attack graph's goal state to its initial state.
• This backwards substitution yields the goal state in terms of the initial conditions.
• The Boolean expression obtained for the initial conditions is converted into conjunctive normal form, yielding maxterms that are then evaluated on a lattice.
Related Work
• Maxterms represent hardening suggestions that will preserve the safety of the network.
• Maxterms lower in the lattice correspond to hardening suggestions requiring the least cost or effort.
• The primary drawback of this approach is that it is binary. That is, the effectiveness of this approach hinges on the ability of the network administrator to implement all hardening recommendations.
Related Work
• The assumption is made that the network administrator has all the resources she needs to implement the hardening recommendations.
• However, a network administrator's ability to safeguard a network is often constrained by a limited budget.
• Our approach deals with this challenge by incorporating the network administrator's funding constraint into the attack graph analysis used to discover hardening recommendations.
Related Work
• Phillips and Swiler incorporate a budget into their attack graph analysis to generate hardening suggestions.
• However, their algorithm follows a greedy approach that does not guarantee optimality.
• Furthermore, their analysis is based on knowing attacker costs or attacker success probabilities, which are difficult to ascertain in practice.
• Our approach guarantees optimality and does not rely on knowing attacker costs or attacker success probabilities.
Related Work
• Lippmann et al. [13] describe a method for generating hardening recommendations that are derived from removing edges from the attack graph and observing the effect on the system's Network Compromise Percentage (NCP).
• An NCP of 0 percent would suggest a safe network.
• An NCP of 100 percent would suggest a network that is completely compromised.
• When the analysis is done, the network administrator is presented with recommendations in ascending order of NCP.
• However, she still has no assurance that the recommendations offered represent optimal usage of her resources.
Related Work
• Coupling our method with the one in [13] gives the network administrator the assurance that she is receiving optimal recommendations with respect to her budget.
• We offer an algorithm for generating recommendations that are guaranteed to optimize network security with respect to a security metric (e.g., NCP) for the budget specified by the network administrator.
Related Work
• Chen et al. [6] use the System Quality Requirements Engineering (SQUARE) methodology to perform a detailed case study.
• The researchers used linear programming to determine the best set of security measures to choose given the budget their client allocated for security.
• Solving the problem of choosing security measures as a combinatorial optimization is consistent with our approach.
• Our method maintains all discovered optimal solutions, whereas a single optimal solution is provided in [6].
• The network administrator can then choose the best hardening recommendation based on her experience.
Related Work
• Chen et al. use attack trees primarily for ancillary documentation purposes, whereas in our approach attack graphs are integral.
• The network administrator can obtain a visual representation of the effect each security measure has on the attack graph and subsequently on the network.
• Our approach can capture the effect of making the exploitation of a particular vulnerability.
• The approach offered in [6] does not capture this form of vulnerability interdependence.
Providing Network Security
• Safeguarding a network that is not under attack begins with identifying the vulnerabilities of the network.
• This process typically involves using vulnerability analysis methods. One commonly used method is to leverage vulnerability scanners to discover vulnerabilities and then provide patches for these vulnerabilities.
• Because vulnerability scanners do not consider the interdependencies that may exist between vulnerabilities, automated attack graph generation techniques have been proposed to expose such interdependencies.
Providing Network Security
• The removal of security flaws is performed by implementing one or more security measures; however, the selection of the appropriate set of security measures is nontrivial.
• For example, discovering the "best" way of removing vulnerabilities could require the manual analysis of many combinations of security measures.
• There may be overlap in the vulnerabilities that security measures remove.
• Example: vulnerabilities v1, v2, v3, v4, v5, and v6; security measures sm1, sm2, and sm3.
• sm1 removes v1, v5, and v6; sm2 removes v1 and v4; sm3 removes v1 and v3.
Providing Network Security
• The problem of choosing the appropriate combination of security measures such that the security of the network is optimized subject to a given budget is called the Security Measures Choosing Problem (SMCP).
• The SMCP formulation is inspired by the classic Binary Knapsack Problem.
• The Knapsack Problem is a well-known optimization problem where the goal is to maximize a quantity subject to some constraint.
Providing Network Security
• The problem can be formally defined as: given a set of n items and a knapsack with
Providing Network Security (formulation slides; content not extracted)
• m_j may take on different values depending on what security measures are already in place within the network.
• The model also assumes that the network administrator is able to assign costs to the hardening measures in terms of money or time.
Solving The SMCP
• We adopt the dynamic programming approach to solving the SMCP. We define variables as the following: (variable definitions not extracted)
Solving The SMCP
• The necessary steps to leverage our approach are:
• (1) determine the budget
• (2) determine the security metric of interest
• (3) generate the attack graph
• (4) determine what security measures are available to safeguard the network and assign them costs
• (5) apply the dynamic programming algorithm to the inputs given above.
Solving The SMCP
• However, if we assume that the security metric value can be obtained from a depth-first search of the attack graph (e.g., total number of attack paths), then the dynamic programming algorithm's time complexity is O(nH²B).
• Otherwise the algorithm has a time complexity of O(nHKB), where K is the time complexity of ζ.
• The security measures chosen for an optimal hardening recommendation can be determined by backtracking through R.
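An added end-to-end example (written for this page, not the authors' implementation) that ties the hybrid dependency graph definition to the five SMCP steps above: a constructed toy network is encoded as condition nodes and exploit nodes with conjunctive edges into exploits and disjunctive edges into conditions; the security metric ζ is the number of attack scenarios reaching the goal condition, computed by a memoised depth-first walk; the measures sm1..sm4, their costs and the vulnerability conditions they remove are assumptions (sm1..sm3 reuse the overlap pattern from the slides); and the binary-knapsack table R is filled by dynamic programming and read back by backtracking. Because the metric is not additive over measures (overlapping measures remove overlapping vulnerabilities), each candidate subset is re-evaluated on the graph, and an exhaustive search is included to confirm the table's answer on this input.

```python
from functools import lru_cache
from itertools import combinations

# Constructed toy network (illustrative, not from the paper).  Conditions that
# hold in the initial state: the attacker's foothold plus the vulnerability
# conditions v1..v6 present on the web, ftp and db hosts.
INITIAL_CONDITIONS = frozenset({"attacker_on_internet", "v1", "v2", "v3", "v4", "v5", "v6"})

# Exploit nodes of the hybrid dependency graph: name -> (preconditions, postcondition).
# Every precondition must hold (E_conjunction edges into the exploit); a condition is
# satisfied by any one exploit yielding it (E_disjunction edges into the condition).
# The graph is acyclic, which the scenario count below relies on.
EXPLOITS = {
    "e1_web_rce":       ({"attacker_on_internet", "v1"}, "user_on_web"),
    "e2_ftp_login":     ({"attacker_on_internet", "v2"}, "user_on_ftp"),
    "e3_web_privesc":   ({"user_on_web", "v3"},          "root_on_web"),
    "e4_ftp_privesc":   ({"user_on_ftp", "v4"},          "root_on_ftp"),
    "e7_ftp_privesc_b": ({"user_on_ftp", "v3"},          "root_on_ftp"),
    "e5_db_from_web":   ({"root_on_web", "v5"},          "root_on_db"),
    "e6_db_from_ftp":   ({"root_on_ftp", "v6"},          "root_on_db"),
}
GOAL = "root_on_db"  # the security policy violation the attacker is after

# Hypothetical security measures: name -> (vulnerability conditions removed, cost).
MEASURES = {
    "sm1": ({"v1", "v5", "v6"}, 4),
    "sm2": ({"v1", "v4"}, 2),
    "sm3": ({"v1", "v3"}, 2),
    "sm4": ({"v2"}, 1),
}


def attack_scenarios(goal, removed):
    """Security metric zeta: number of distinct attack scenarios (AND/OR
    derivations) reaching `goal` once the conditions in `removed` no longer hold."""
    initial = INITIAL_CONDITIONS - set(removed)

    @lru_cache(maxsize=None)
    def ways_to(cond):
        if cond in initial:
            return 1
        total = 0
        for preconditions, postcondition in EXPLOITS.values():
            if postcondition == cond:
                product = 1
                for p in preconditions:      # conjunction: every precondition needed
                    product *= ways_to(p)
                    if product == 0:
                        break
                total += product             # disjunction: any exploit suffices
        return total

    return ways_to(goal)


def removed_by(chosen):
    """Union of the vulnerability conditions removed by a set of measures."""
    return set().union(*(MEASURES[m][0] for m in chosen))


def cost_of(chosen):
    return sum(MEASURES[m][1] for m in chosen)


def _backtrack(keep, names, j, b):
    """Backtracking through the table: from cell (j, b) walk towards row 0,
    collecting each measure whose cell records that it was taken."""
    chosen = []
    while j > 0:
        if keep[j][b]:
            chosen.append(names[j - 1])
            b -= MEASURES[names[j - 1]][1]
        j -= 1
    return tuple(reversed(chosen))


def solve_smcp(budget):
    """Binary-knapsack dynamic programme.  R[j][b] is the fewest attack scenarios
    left using only the first j measures within cost b; each candidate subset is
    re-evaluated on the graph so overlapping measures are valued jointly."""
    names = list(MEASURES)
    n = len(names)
    base = attack_scenarios(GOAL, set())
    R = [[base] * (budget + 1) for _ in range(n + 1)]
    keep = [[False] * (budget + 1) for _ in range(n + 1)]
    for j in range(1, n + 1):
        cost = MEASURES[names[j - 1]][1]
        for b in range(budget + 1):
            R[j][b] = R[j - 1][b]                            # skip measure j
            if cost <= b:                                    # or take measure j
                candidate = _backtrack(keep, names, j - 1, b - cost) + (names[j - 1],)
                remaining = attack_scenarios(GOAL, removed_by(candidate))
                if remaining < R[j][b]:
                    R[j][b], keep[j][b] = remaining, True
    return R[n][budget], _backtrack(keep, names, n, budget)


def exhaustive_optimum(budget):
    """Reference answer from every affordable subset; used to check the table."""
    names = list(MEASURES)
    best = (attack_scenarios(GOAL, set()), ())
    for size in range(1, len(names) + 1):
        for subset in combinations(names, size):
            if cost_of(subset) <= budget:
                remaining = attack_scenarios(GOAL, removed_by(subset))
                if remaining < best[0]:
                    best = (remaining, subset)
    return best


if __name__ == "__main__":
    for budget in (2, 3):
        print(budget, solve_smcp(budget), exhaustive_optimum(budget))
```

On this input the unhardened network has three attack scenarios; with budget 2 the best any affordable recommendation can do is leave one, and with budget 3 the table finds a recommendation that leaves none, agreeing with the exhaustive check. The memoised walk makes ζ linear in the graph size here, matching the depth-first-search case the slides single out; a costlier metric would enter the running time as the K of O(nHKB).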
Conclusion and Future Work
• We have modeled the problem of choosing security measures to harden a computer network as a combinatorial optimization problem.
• We model the problem as the binary knapsack problem, where the goal is to maximize security subject to a limited budget.
• We call this problem the Security Measures Choosing Problem (SMCP).
• Dynamic programming is used to solve the SMCP.
• This approach to solving the SMCP with attack graphs and security metrics is novel.
Conclusion and Future Work
• Previous attack graph analyses did not give enough consideration to the budget the network administrator had for implementing hardening recommendations.
• Using dynamic programming to solve the SMCP assures network administrators that their network's security is optimized with respect to the security metric and budget being used.
Conclusion and Future Work
• An aspect requiring further attention is security metrics.
• If a network administrator decides she wants to use different security metrics to evaluate the same network, it is possible that the security metrics will disagree in what is considered "secure."
• More work is needed to identify security metrics that have reliable predictive value.
• We are currently in the process of developing a more robust security metric for networks.
THANKS FOR YOUR ATTENTION!