generate attack graph for network security analysis based on security status space.

User Privilege

In the actual implementation environment of the host computer, the system visitors can be classified according to their capability to access system resources. A lot of researchers have described this direction [15]. This article proposes to rearrange the visitors so that the possible privileges can be classified according to the user's roles, as described in Table 1. Assume the possible privilege set is P = {Access, Guest, User, Supuser, Root}, where pi (i = 1, 2, …, 5) presents a visitor privilege.

Connection Relation between Devices

The Internet is structured on the TCP/IP protocol family, and current computer networks are generally based on this protocol. The TCP/IP protocol family includes many protocols which lie in different layers. According to this technology principle, the connections of network devices are distributed over different layers. Ritchey has analyzed host connectivity for network security [16]. In this paper these connection relations can be expressed as a set, and then the connection relation between two devices is a subset of this set.

Assume the connection relations set between host and devices is
Protocol = {pro1, pro2, …, pron}, where proi (i = 1, 2, …, n) presents a connection relation.

The connection relations between hosts are represented by a triad (HSRC, HDST, Protocols). HSRC represents the source host. HDST represents the destination host. Protocols is the subset of the connection relations set that exists between the source host and the destination host. When there is no relation between the source host and the destination host, Protocols is an empty set. When the source host is the same as the destination host, the connection relation is a local connection; at this time, Protocols = {localhost}.

Vulnerability

A vulnerability is a fault caused by an error in the design, development, configuration, or use of software. A malicious attacker may utilize this fault to access unauthorized system resources, misuse them, violate the security policy, and possibly produce a security incident. We use a set V = {vul1, vul2, …, vulm}, vuli (i = 1, 2, …, n), to represent vulnerabilities, and every vulnerability is represented by a tuple (BID, NAME, OS, DATE). We use BID to represent the unique identifier, NAME to represent the name of the vulnerability, OS to represent the type and version of the operating system affected by the vulnerability, and DATE to represent the publication date of the vulnerability.

System Devices

The devices in the network are the basic elements of an information system, for example computers, routers, switches and the like. We use a set H = {h1, h2, …, hm} to represent these devices, and hi (i = 1, 2, …, m) to represent a single network device.

A host on the network is represented by a tuple (HOSTID, OS, SVCS, VULS). HOSTID is the unique identifier of the host on the network; it can be the IP address or the host name. OS is the type and version of the operating system. SVCS is the list of network service types with their respective network port numbers, which describes the services on the host and the information on the ports the services listen on. VULS is the host's vulnerability list, which may include the security bug information of installed software.

In summary, to a system user, the computer network should be a set which consists of the above parts, and the SS (Security Status) can be described as:

SS = {(pl, hi), (hj, hk, protocols)}, l = 0, 1, …, 4; i, j, k = 1, 2, …, m.

(pl, hi) represents the privilege pl of the user on the host hi. (hj, hk, protocols) represents the connection relation between hj and hk which is known to the user.

Attack Process

To the attacker who attempts to exploit the target, it is a process which needs to be performed step by step. The harvest of each step may be a single discrete event, and it presents the escalation of user privilege or the addition of a connection relation, so the above computer network security status changes. Basically, using a vulnerability to attack can be seen as a map from a set of preconditions to a set of results. So an attack can be represented by a two-tuple
Attack_rule = (Preconditions, Postconditions), in which Preconditions is the preconditions set and Postconditions is the corresponding results set.

The preconditions set includes four elements, represented as Preconditions = {Src_privilege, Dst_privilege, Vuls, Protocols}. Src_privilege represents the lowest privilege class which the attacker should have on the host from which the attack is launched. Dst_privilege represents the highest privilege class which the attacker should have on the object host. Vuls represents the vulnerability on which the attack rule depends. Protocols describes the needed connection relation between the attacking host and the object host.

The results set includes three elements, represented as Postconditions = {Rslt_privilege, Rslt_protocols, Rslt_vuls}. Rslt_privilege describes the privilege which the attacker can get on the object host after an attack is successfully completed. Rslt_protocols is the set of network protocols which is added by the attack. If the attacked host can use the network protocols in this set to access a host on the network, the current attacking host gains the ability to access this host. If the attack rule doesn't influence the current network connection relation, Rslt_protocols will be an empty set. When Rslt_protocols = {all}, this represents that the current attacking host gains the attacked host's total ability to access the object network. Rslt_vuls is the newly added vulnerability set on the attacked host after the attack is successfully implemented, and it describes the dependency relation between the vulnerabilities.

According to the analysis above, the attack rule can be represented as:

Attack_rule = ({Src_privilege, Dst_privilege, Vuls, Protocols}, {Rslt_privilege, Rslt_protocols, Rslt_vuls}).

After analyzing the computer network security status and the attack process, the computer network security status space SSP (Security Status Space) should be represented by the following tuple:

SSP = (SS, AR)

SS = Security Space. It represents all the available sets of the attack process.

AR = Attack Rules = (attack_rule1, attack_rule2, …, attack_rulen). It represents the reason for the change of security status.

Generation of Attack Graph

The Node and Edge of Attack Graph

Synthesizing the attacker's starting point and object, host information and network topology information, the graph-based description represents the threat to the security of the information system, and it is called an attack graph. According to the definition of SSP, the SSP may be used to describe the attack graph. In this paper, we use the nodes of the attack graph to represent the SS. When the node transfers, the SS of the attacker is changed. The directed edges of the attack graph present the mapping relations which change the SS. When attack_rule = ({Src_consumer, Dst_consumer, Vul, Conn_proto}, {Rslt_consumer, Rslt_conn, Rslt_vuls}), the directed edge is represented as:

(Hsrc, Hdst, attack_rule).

Algorithm to Generate Attack Route
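The following Python is an added example, not the paper's own tool, that implements the definitions above: a security status SS made of (privilege, host) pairs plus the connection relations known to the attacker, attack rules as (Preconditions, Postconditions) pairs, and a breadth-first generation of the attack graph whose nodes are statuses and whose edges are (Hsrc, Hdst, attack_rule), bounded by the number of attack steps. The hosts, the BID-* placeholders and the three rules are constructed sample data, not the paper's Table 4, and Rslt_vuls is left empty to keep the status small.

```python
from collections import deque
PRIV = ["Access", "Guest", "User", "Supuser", "Root"]   # P = {p0 .. p4} of Table 1
RANK = {p: i for i, p in enumerate(PRIV)}
# Constructed sample hosts: HOSTID -> (VULS, {(HDST, Protocols)}); BID-* are placeholders.
HOSTS = {
    "attacker": (set(), {("web", frozenset({"http"}))}),
    "web": ({"BID-1", "BID-3"}, {("db", frozenset({"sql"})), ("web", frozenset({"localhost"}))}),
    "db": ({"BID-2"}, set()),
}
# Attack_rule = ((Src_privilege, Dst_privilege, Vul, Protocol), (Rslt_privilege, Rslt_protocols)).
# Rslt_vuls is kept empty here, so a status SS is just (privilege per host, known connections).
RULES = [
    (("User", "Access", "BID-1", "http"), ("User", "all")),       # remote exploit of web
    (("User", "User", "BID-2", "sql"), ("Root", "")),             # web -> db over sql
    (("User", "User", "BID-3", "localhost"), ("Root", "")),       # local escalation on web
]
def ss_key(priv, conns):
    # SS = {(p_l, h_i)} U {(h_j, h_k, protocols)} as a hashable attack-graph node
    return (frozenset(priv.items()), frozenset(conns))
def generate(start_host, max_steps):
    """Breadth-first expansion of the status space, bounded by attack steps.
    Returns (nodes, edges, new connection capabilities), the measures of Fig. 4-6."""
    priv0 = {start_host: "Root"}                     # attacker fully controls the start host
    conns0 = {(start_host, d, p) for d, p in HOSTS[start_host][1]}
    start = ss_key(priv0, conns0)
    nodes, edges = {start}, set()
    queue = deque([(start, priv0, conns0, 0)])
    while queue:
        cur, priv, conns, depth = queue.popleft()
        if depth == max_steps:
            continue
        for hsrc, hdst, protos in conns:
            for idx, ((sp, dp, vul, proto), (rp, rprotos)) in enumerate(RULES):
                # Preconditions: privilege >= Src on hsrc, <= Dst on hdst, vul present, protocol known
                if (RANK[priv.get(hsrc, "Access")] < RANK[sp]
                        or RANK[priv.get(hdst, "Access")] > RANK[dp]
                        or vul not in HOSTS[hdst][0] or proto not in protos):
                    continue
                # Postconditions: hdst privilege rises to Rslt_privilege; {all} adds hdst's own connections
                priv2 = dict(priv, **{hdst: max(priv.get(hdst, "Access"), rp, key=RANK.get)})
                conns2 = conns | ({(hdst, d, p) for d, p in HOSTS[hdst][1]} if rprotos == "all" else set())
                nxt = ss_key(priv2, conns2)
                if nxt == cur:                       # security status unchanged: no edge
                    continue
                edges.add((cur, nxt, (hsrc, hdst, idx)))   # directed edge (Hsrc, Hdst, attack_rule)
                if nxt not in nodes:
                    nodes.add(nxt)
                    queue.append((nxt, priv2, conns2, depth + 1))
    learned = {c for _, cs in nodes for c in cs}   # every connection relation known in any status
    return len(nodes), len(edges), len(learned) - len(conns0)
```

On this sample, raising max_steps grows the node and edge counts until the graph is complete after three steps, while the number of new connection capabilities is already reached after the first step, the same shape the paper reports for Fig. 4 to Fig. 6.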
To analyze the network security, based on the analysis of network security incidents and the attacker's actions, we make the following assumptions:

Experiments

We carried out our method in the sample network that is the same as Sheyner's [13].
the host IP2 to enter the internal network, but blocks other packets. In the internal network, connection relations are not controlled by the firewall, so it can be assumed that an internal host can make a connection with any remote server. The connection relations between the hosts are described in the following Table 4.
To investigate the size of the attack graph under different limits on the number of attack steps, in this paper we conduct an experiment in a network environment that includes ten hosts and sixteen vulnerabilities on the different hosts. We assume that the attacker could only access two network services in the network. Finally, we get the relationship between the number of nodes and the attack steps as shown in Fig. 4, the relationship between the number of edges and the attack steps as shown in Fig. 5, and the relationship between the number of new capabilities to access the network and the attack steps as shown in Fig. 6.
In Fig. 4 and Fig. 5, the number of nodes and the number of edges increase when the number of attack steps increases. In Fig. 6, we can see that the number of new capabilities to access the network increases rapidly in the beginning, but keeps steady subsequently as the attack steps increase. At present the size of the attack graph will be tremendous when the network is large [12]. From Fig. 4, Fig. 5 and Fig. 6, when we limit the attack steps to an acceptable scale, although the generated attack graph will not be complete, we can be assured of getting all of the new capabilities to access the network. And when the size of the attack graph is larger, the probability that the attack arrives at the last nodes becomes smaller. So an acceptable number of attack steps can limit the size of the attack graph, and we can use the attack graph to analyze larger networks.

Conclusion

The tools to generate an attack graph based on security status space for network security analysis are designed and implemented, and the experiment indicates the method is usable and effective. Much related research should be done in the future: the results from network scan tools should be used in the tools, the generating algorithm should be optimized, and the method to analyze the attack graph should be further studied.

References