Maximizing Network Security Given a Limited Budget Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava Advisor : Professor Frank Y.S. Lin Presented by Yu-Pu Wu

Upload: keaton-mcintyre

Post on 02-Jan-2016

29 views

Category:

Documents


2 download

DESCRIPTION

Maximizing Network Security Given a Limited Budget. Nwokedi C. Idika , Brandeis H. Marshall, Bharat K. Bhargava. Advisor : Professor Frank Y.S. Lin Presented by Yu-Pu Wu. About. Author Nwokedi C. Idika , Brandeis H. Marshall, Bharat K. Bhargava Title - PowerPoint PPT Presentation

TRANSCRIPT

Maximizing Network Security Given a Limited Budget
Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava

Advisor: Professor Frank Y.S. Lin
Presented by Yu-Pu Wu

About

• Author
  • Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava

• Title
  • Maximizing Network Security Given a Limited Budget

• Provenance
  • (TAPIA '09) The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations

Agenda

• Introduction
• The Attack Graph
• Related Work
• Providing Network Security
• Solving The SMCP
• Conclusion and Future Work

Introduction

• Network administrators fulfill the duty of preventing network attacks by identifying vulnerabilities in the network and then systematically removing the identified vulnerabilities.

• The removal of an identified vulnerability from a network may be referred to as a patch or a security measure.

Introduction

• A security measure is any action performed to remove at least one vulnerability from a system.
  • The set of all security measures is infinite.

• However, practically, a network administrator will consider only a finite set of security measures for possible application to the network she is protecting.
  • e.g., modifying firewall rules, updating software on networked hosts, shutting down system services, or modifying an authentication routine.

Introduction

• The identification of vulnerabilities is critical to the effective use of security measures.
  • e.g., vulnerability scanners.

• A drawback of this method is that vulnerability scanners do not reveal the interdependencies that may exist between vulnerabilities found on different hosts of the same network.
  • This shortcoming has been addressed with automated attack graphs.

Introduction

• In this work, we detail an attack graph analysis that helps network administrators be more effective at the Security Measures Choosing Problem (SMCP).

• Informally, SMCP is the following:
  • given a limited budget,
  • choose from a finite set of available security measures a subset of security measures that provide the highest security possible without going over budget.

Introduction

• We propose to provide this analysis by modeling the SMCP as a Binary Knapsack Problem.
  • We suggest the use of dynamic programming to solve the SMCP.

• Hence, our contribution includes:
  • A novel approach that combines budget and hardening recommendations into attack graph analysis, and
  • Specification of how security metrics can be used to choose hardening measures.


The Attack Graph

• An attack graph is a concise representation of all the ways an attacker may leverage known vulnerabilities to violate a given set of security policies.

• Each path in an attack graph corresponds to at least one attack scenario where the attacker achieves his objective.

The Attack Graph

• An attack scenario is a sequence of actions that moves the network from its initial state to a compromised state.

• The initial state corresponds to the initial configuration of the network.

• The compromised state corresponds to the state where the security policy violation(s) occurs.

The Attack Graph

• Attack graphs have a variety of representations.
  • Attack graphs are composed of a series of exploits and security conditions.

• An exploit is the realization of a vulnerability.
  • For example, we can describe an ssh vulnerability as sshv1(h1, h2). If such a vulnerability existed between two actual network hosts such as 128.x.y.2 and 128.x.y.9, then the corresponding exploit would have the form sshv1(128.x.y.2, 128.x.y.9).

• In other words, if a vulnerability is instantiated with actual network specific information, then the result is an exploit.

The Attack Graph

• Security conditions are those attributes that are relevant to the vulnerabilities of the network.

• A security condition can be relevant to an exploit in two ways:
  • (1) the security condition serves as a precondition for a vulnerability
  • (2) the security condition serves as a postcondition of a realized vulnerability

The Attack Graph

• Types of Attack Graphs

• Although attack graphs have different representations, we assert that they rely on common foundational definitions.

• The state space for a network system is given by S, which is a set of binary strings of size q.
  • Hence, |S| = 2^q.

The Attack Graph

• Cond is a function that produces some subset of the system state that represents the relevant security conditions given either a vertex or an edge but not both.

• Hence, Cond(v_i ⊕ (v_k, v_l)) ⊆ S, where the vertices v_i, v_k, v_l ∈ V.

• A represents the infinite set of possible attacks.

• An attack ai ∈ A where 1 ≤ i < ∞.

• A labeling function L labels either a vertex or an edge with an attack.

• L(v_i ⊕ (v_k, v_l)) = a_j, where v_i, v_k, v_l ∈ V and a_j ∈ A.

The Attack Graph

• Given either a vertex or edge, a function Prereq produces the necessary conditions required for the exploit to be realized.

• That is, Prereq(v_i ⊕ (v_k, v_l)) = v_p(R v_i)* ⊕ u ⊆ E ⊕ ∅, where R ∈ {∨, ∧}, E is the set of edges, and 1 ≤ i ≤ n with n as the number of nodes in the graph.

• Given either a vertex or an edge a function Post produces conditions provided by the exploit.

• This gives Post(v_i ⊕ (v_k, v_l)) = v_p(∨ v_i)* ⊕ u ⊆ E ⊕ ∅, where E is the set of edges and 1 ≤ i ≤ n with n as the number of nodes in the graph.

The Attack Graph

• Attack Tree.

• An attack tree is an undirected acyclic graph.
  • The root node represents the attacker's objective or main goal.

• Leaf nodes represent different starting states for an attacker.

• The intermediate nodes of the graph represent any of the subgoals that may be used to achieve the attacker’s main goal.

• Nodes in the attack tree may represent security conditions or exploits.

• Edges in the attack tree simply give the parent-child (i.e., goal-subgoal) relation between nodes.

The Attack Graph

• Formally an attack tree is an acyclic graph G = (V, E).
• There exists a set of attacker objectives O where |O| = |V|.
• O ⊂ S ∪ A. ∃ L(v_i) = o_i and Cond(v_j) = o_j, where o_i, o_j ∈ O.

• E ⊆ {e_k = (v_i, v_j), e_k = (v_j, v_i) | v_i, v_j ∈ V ∧ i ≠ j ∧ 0 ≤ k < [n²/2]}.

• We have P(e_k) = P(v_i, v_j) = v_i ⊕ v_j.
  • P is a function that yields the parent-child relationship existing between two nodes connected by an edge.
  • Given an edge that connects a goal and subgoal, P always returns the goal.
  • ∃ v_g ∈ V | if ∀ e_k where e_k = (v_g, v_i) ∧ P(e_k) = v_g, then v_g is the attacker's main objective.
  • As for the preconditions and postconditions, we have respectively Prereq(v_i ∈ V) = v_p(R v_i)* ⊕ ∅ and Post(v_j ∈ V) = v_p(∨ v_i)*.


The Attack Graph

• Condition Dependency Graph.

• A condition dependency graph is a directed graph where nodes represent security conditions and edges represent exploits that connect the graph’s security conditions.

• A condition dependency graph is given by G = (V, E) where ∀ v_i ∈ V, Cond(v_i) ⊆ S.

• E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}.

• L(e_k) = a_i, where a_i ∈ A.

• We also have Prereq(e_k) = v_w and Post(e_k) = v_x, where (v_w, v_x) ∈ E.


The Attack Graph

• Exploit Dependency Graph.

• An exploit dependency graph is a directed graph where nodes represent exploits and edges represent the security conditions that connect exploits.
  • An incoming edge represents a precondition for the exploit it points to in the attack graph. An outgoing edge represents a postcondition for the node (exploit) the edge is leaving.

• An exploit dependency graph is given by G = (V, E) where ∀ v_i ∈ V, L(v_i) = a_b where a_b ∈ A. E ⊆ {e_k = (v_i, v_j) | v_i, v_j ∈ V ∧ v_i ≠ v_j}. Cond(e_k) ⊆ S.

• We have Prereq(v_j) = u ⊆ E ⊕ ∅. We also have Post(v_l) = u ⊆ E ⊕ ∅.


The Attack Graph

• Hybrid Dependency Graph.

• A hybrid dependency graph is a directed graph where nodes are represented as either a security condition or an exploit.
  • Edges reveal the relationships between nodes but have no labels.

• Edges exist only between a security condition and an exploit or between an exploit and a security condition.

• When there is more than one edge going from security condition nodes to an exploit node, then all security condition nodes must be satisfied in order for the exploit to be realized.

• When there is more than one edge going from exploit nodes to a security condition node, then any one of the exploit nodes will satisfy the security condition.

The Attack Graph

• The hybrid dependency graph is given by G = (V, E).
• V = V_exploits ∪ V_conditions.

• E = E_disjunction ∪ E_conjunction.

• Cond(v_i) ⊆ S, where v_i ∈ V_conditions.

• L(v_i) = a_j, where v_i ∈ V_exploits and a_j ∈ A.

• E_conjunction ⊆ {e_k = (v_i, v_j) | v_i ∈ V_conditions ∧ v_j ∈ V_exploits}.

• E_disjunction ⊆ {e_l = (v_t, v_s) | v_t ∈ V_exploits ∧ v_s ∈ V_conditions}.

• We have Prereq(v_c ∈ V_exploits) = v_b(∧ v_i)*, where v_b, v_i ∈ V_conditions.

• We have Post(v_c ∈ V_exploits) = v_a(∨ v_j)*, where v_a, v_j ∈ V_conditions.


Related Work

• In attack graphs, the application of security measures is simulated by removing some subset of vulnerabilities or exploits from its representation.

• The works discussed in this section propose analyses that provide the network administrator with hardening suggestions that, if implemented, produce a safe network or a more secure network with respect to a security metric.

Related Work

• Jha et al. attempt to find the smallest subset of measures that are needed to make the network safe.

• The authors note that finding such a subset is equivalent to the minimum hitting set problem which is NP-complete.

• The authors approximate a solution using a greedy approach where the measures preventing the most attacks are chosen in descending order.
  • A drawback of this approach is that it is an approximation and yields potentially suboptimal solutions.

Related Work

• Noel et al. propose a minimum-cost hardening method.

• The authors propose the use of algebraic backwards substitution from an attack graph's goal state to its initial state.
  • This backwards substitution yields the goal state in terms of the initial conditions.

• The Boolean expression obtained for the initial conditions is converted into conjunctive normal form yielding maxterms that are then evaluated on a lattice.

Related Work

• Maxterms represent hardening suggestions that will preserve the safety of the network.

• Maxterms lower in the lattice correspond to hardening suggestions requiring the least cost or effort.

• The primary drawback of this approach is that it is binary. That is, the effectiveness of this approach hinges on the ability of the network administrator to implement all hardening recommendations.

Related Work

• The assumption is made that the network administrator has all the resources she needs to implement hardening recommendations.
  • However, a network administrator's ability to safeguard a network is often constrained by a limited budget.

• Our approach deals with this challenge by incorporating the network administrator’s funding constraint into the attack graph analysis to discover hardening recommendations.

Related Work

• Phillips and Swiler incorporate a budget into their attack graph analysis to generate hardening suggestions.
  • However, their algorithm follows a greedy approach that does not guarantee optimality.

• Furthermore, their analysis is based on knowing attacker costs or attacker success probabilities, which are difficult to ascertain in practice.

• Our approach guarantees optimality and does not rely on knowing attacker costs or attacker success probabilities.

Related Work

• Lippmann et al. [13] describe a method for generating hardening recommendations that are derived from removing edges from the attack graph and observing the effect on the system's Network Compromise Percentage (NCP).
  • An NCP of 0 percent would suggest a safe network.
  • An NCP of 100 percent would suggest a network that is completely compromised.

• When the analysis is done, the network administrator is presented with recommendations in ascending order of NCP.
  • She still has no assurance that the recommendations offered represent optimal usage of her resources.

Related Work

• Coupling our method with the one in [13] gives the network administrator the assurance that she is receiving optimal recommendations with respect to her budget.

• We offer an algorithm for generating recommendations that are guaranteed to optimize network security with respect to a security metric (e.g., NCP) for the budget specified by the network administrator.

Related Work

• Chen et al. [6] use the System Quality Requirements Engineering (SQUARE) methodology to perform a detailed case study.
  • The researchers used linear programming to determine the best set of security measures to choose given the budget their client allocated for security.

• Solving the problem of choosing security measures as a combinatorial optimization is consistent with our approach.

• Our method maintains all discovered optimal solutions, whereas a single optimal solution is provided in [6].
  • The network administrator can choose the best hardening recommendation based on her experience.

Related Work

• Chen et al. use attack trees primarily for ancillary documentation purposes whereas in our approach attack graphs are integral.

• The network administrator can obtain a visual representation of the effect each security measure has on the attack graph and subsequently the network.

• Our approach can capture the effect of making the exploitation of a particular vulnerability.
  • The approach offered in [6] does not capture this form of vulnerability interdependence.

Providing Network Security

• Safeguarding a network that is not under attack begins with identifying the vulnerabilities of the network.
  • This process typically involves using vulnerability analysis methods. One commonly used method is to leverage vulnerability scanners to discover vulnerabilities and then provide patches to these vulnerabilities.

• Because vulnerability scanners do not consider the interdependencies that may exist between vulnerabilities, automated attack graph generation techniques have been proposed to expose such interdependencies.

Providing Network Security

• The removal of security flaws is performed by implementing one or more security measures; however, the selection of the appropriate set of security measures is nontrivial.
  • For example, discovering the "best" way of removing vulnerabilities could require the manual analysis of many combinations of security measures.

• There may be overlap in the vulnerabilities that security measures remove.
  • For example, consider vulnerabilities v1, v2, v3, v4, v5, and v6 and security measures sm1, sm2, and sm3.
  • sm1 removes v1, v5, and v6 | sm2 removes v1 and v4 | sm3 removes v1 and v3.

Providing Network Security

• The problem of choosing the appropriate combination of security measures such that the security of the network is optimized and constrained to a given budget is called the Security Measures Choosing Problem (SMCP).
  • The SMCP formulation is inspired by the classic Binary Knapsack Problem.

• The Knapsack Problem is a well-known optimization problem where the goal is to maximize a quantity subject to some constraint.

Providing Network Security

• The problem can be formally defined as: given a set of n items and a knapsack with

Providing Network Security

• m_j may take on different values depending on what security measures are already in place within the network.

• The model also assumes that the network administrator is able to assign costs to the hardening measures in terms of money or time.


Solving The SMCP

• We adopt the dynamic programming approach to solving the SMCP. We define variables as the following:

Solving The SMCP

• The necessary steps to leverage our approach are:
  • (1) determine the budget
  • (2) determine the security metric of interest
  • (3) generate the attack graph
  • (4) determine what security measures are available to safeguard the network and assign them costs
  • (5) apply the dynamic programming algorithm to the inputs given above.

Solving The SMCP

• However, if we assume that the security metric value can be obtained from a depth-first search of the attack graph (e.g., total number of attack paths), then the dynamic programming algorithm's time complexity is O(nH²B).

• Otherwise the algorithm has a time complexity of O(nHKB), where K is the time complexity of ζ.

• The security measures chosen for an optimal hardening recommendation can be determined by backtracking through R.
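As an added worked example (not the paper's own code), the steps above carried through on a small condition dependency graph: ζ is computed by a depth-first path count, the measures are placed in a 0/1 knapsack table R, and the chosen measures are recovered by backtracking through R. The hosts, exploits, measures, costs and budget are all constructed for illustration, and each measure's value m_j is taken as the paths it removes when applied alone.

```python
"""Added example (not from the paper): the SMCP as a 0/1 knapsack solved by
dynamic programming, with security metric zeta = number of attack paths."""

# Constructed condition dependency graph: nodes are security conditions and
# each edge is an exploit instantiated on hosts A, B, C: name -> (Prereq, Post).
EXPLOITS = {
    "sshv1(A,B)":      ("user(A)",  "user(B)"),
    "ftp_rhosts(A,B)": ("user(A)",  "trust(B)"),
    "rsh(A,B)":        ("trust(B)", "user(B)"),
    "local_bof(B)":    ("user(B)",  "root(B)"),
    "sshv1(B,C)":      ("root(B)",  "root(C)"),
    "ftp_rhosts(B,C)": ("root(B)",  "trust(C)"),
    "rsh(B,C)":        ("trust(C)", "user(C)"),
    "local_bof(C)":    ("user(C)",  "root(C)"),
}
INITIAL, GOAL = "user(A)", "root(C)"

# Constructed security measures: name -> (cost, exploits the measure removes).
MEASURES = {
    "sm1 disable sshv1":        (3, {"sshv1(A,B)", "sshv1(B,C)"}),
    "sm2 patch local_bof on B": (4, {"local_bof(B)"}),
    "sm3 drop A->B trust":      (2, {"ftp_rhosts(A,B)", "rsh(A,B)"}),
    "sm4 patch local_bof on C": (2, {"local_bof(C)"}),
}


def zeta(removed, cond=INITIAL, seen=frozenset()):
    """Security metric: number of attack paths from cond to GOAL, found by DFS
    over the exploits that survive hardening (an exploit is used once per path)."""
    if cond == GOAL:
        return 1
    return sum(zeta(removed, post, seen | {e})
               for e, (pre, post) in EXPLOITS.items()
               if pre == cond and e not in removed and e not in seen)


def solve_smcp(budget):
    """0/1 knapsack DP over the measures. Value m_j = attack paths removed by
    measure j applied alone (a simplification: the slides note m_j depends on
    which measures are already in place). Returns (chosen, DP value, zeta left)."""
    names = list(MEASURES)
    base = zeta(set())
    cost = [MEASURES[m][0] for m in names]
    value = [base - zeta(MEASURES[m][1]) for m in names]
    n = len(names)
    R = [[0] * (budget + 1) for _ in range(n + 1)]  # R[j][b]: best value, items 1..j
    for j in range(1, n + 1):
        for b in range(budget + 1):
            R[j][b] = R[j - 1][b]
            if cost[j - 1] <= b:
                R[j][b] = max(R[j][b], R[j - 1][b - cost[j - 1]] + value[j - 1])
    chosen, b = [], budget  # backtrack through R to recover the measures
    for j in range(n, 0, -1):
        if R[j][b] != R[j - 1][b]:
            chosen.append(names[j - 1])
            b -= cost[j - 1]
    removed = set().union(*(MEASURES[m][1] for m in chosen))
    return sorted(chosen), R[n][budget], zeta(removed)
```

With a budget of 5 the DP scores sm1 + sm3 at 5 even though only 4 attack paths exist, because the isolated values m_j overlap; re-evaluating ζ on the chosen set shows 0 paths remain, as does sm2 alone at cost 4. Recomputing m_j against the measures already chosen, as the slides suggest, is what removes that double counting.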


Conclusion and Future Work

• We have modeled the problem of choosing security measures to harden a computer network as a combinatorial optimization problem.

• We model the problem as the binary knapsack problem where the goal is to maximize security subject to a limited budget.
  • We call this problem the Security Measures Choosing Problem (SMCP).

• Dynamic programming is used to solve the SMCP.

• This approach to solve the SMCP with attack graphs and security metrics is novel.

Conclusion and Future Work

• Previous attack graph analyses did not give enough consideration to the budget the network administrator had for implementing hardening recommendations.

• Using dynamic programming to solve the SMCP assures the network administrators that their network’s security is optimized with respect to the security metric and budget being used.

Conclusion and Future Work

• An aspect requiring further attention is security metrics.

• If a network administrator decides she wants to use different security metrics to evaluate the same network, it is possible that the security metrics will disagree in what is considered “secure.”

• More work is needed to identify security metrics that have reliable predictive value.
  • We are currently in the process of developing a more robust security metric for networks.

THANKS FOR YOUR ATTENTION!