
Network Security Analysis Based on Security Status Space

Presented by

N. Vijaya Durga, III/IV CSE, Sri Vasavi Engineering College, Tadepalligudem. E-mail: vijji.5a0@gmail.com

K. Kiranmai, III/IV CSE, Sri Vasavi Engineering College, Tadepalligudem. E-mail: kiranmai.kadamati@gmail.com

Abstract

Generating network attack graphs is an important and active method for analyzing the security status of a computer network. After analyzing network security attributes including hosts, user privileges and connection relations, we build a model of the computer network security status space. A node of the attack graph expresses a network security status, and a directed edge expresses an attack rule. We use a forward-search, breadth-first, depth-limited algorithm to produce attack routes, and use the tool Graphviz to generate the attack graph. The experiment validates a prototype tool that automatically generates network attack graphs based on the security status space.

Introduction

The rapid growth of networks influences the economy, politics, culture and many other aspects of society. The deeper and wider network applications reach, the more obvious and more complex the security problems of computers and networks become, because hackers and viruses find new ways to launch attacks as network technology develops. Evaluating computer security by analyzing the computer network is therefore an important part of network security and helps protect systems from being compromised.

Vulnerability scanning is the traditional way to conduct network security analysis. Tools such as COPS [1], Nmap [2], Nessus [3] and ISS [4] check whether known vulnerabilities are present on a host. This technique only assesses system security partially and qualitatively; it cannot assess a whole system. Without considering the correlation between vulnerabilities, hosts, network topology and so on, we cannot describe the security status of the target network as a whole. Analyzing a security model instead finds the complex attack paths, or lists of attacks, that can change the status of the system. Phillips and Swiler presented the earliest concept of the attack graph [5], [6]. The French scholars Dacier and Ortalo developed a method named the Privilege Graph [7]. Templeton and Levitt proposed a requires/provides model for modeling chains of network exploits [8]. Ramakrishnan analyzed the security of Unix-based systems using model-checking techniques [9]. In this paper we use an attack graph to provide a view of the network security status, and present a method to generate attack graphs for network security analysis based on a security status space.

Computer Network Security Status Space

Since security analysis is mainly aimed at the current computer network, it needs a simple, flexible and complete model that reduces the complexity of the system status space. In this paper we build such a model for network security analysis.

Computer Network Security Status

User Privilege

In an actual host environment, the visitors to a system can be classified according to their capability to access system resources. Many researchers have worked in this direction [15]. This article rearranges the visitors so that the possible privileges can be classified according to user roles, as described in Table 1. Assume the possible privilege set is P = {Access, Guest, User, Supuser, Root}, where p_i (i = 1, 2, ..., 5) represents a visitor privilege.

Connection Relation between Devices

The Internet is structured on the TCP/IP protocol family, and current computer networks are generally based on it. The TCP/IP family includes many protocols at different layers, and according to this principle the connections between network devices are distributed over different layers. Ritchey has analyzed host connectivity for network security [16]. In this paper the connection relations are expressed as a set, and the connection relation between two devices is a subset of this set. Assume the set of connection relations between hosts and devices is Protocol = {pro_1, pro_2, ..., pro_n}, where pro_i (i = 1, 2, ..., n) represents one connection relation. The connection relation between two hosts is represented by a triple (H_SRC, H_DST, Protocols): H_SRC is the source host, H_DST is the destination host, and Protocols is the subset of connection relations that exist between the source host and the destination host. When there is no relation between the source host and the destination host, Protocols is the empty set. When the source host is the same as the destination host, the connection relation is a local connection and Protocols = {localhost}.

Vulnerability

A vulnerability is a fault caused by an error in the design, development, configuration or use of software. A malicious attacker may use this fault to access system resources without authorization, misuse them, violate the security policy and possibly cause a security incident. We use a set V = {vul_1, vul_2, ..., vul_m}, where vul_i (i = 1, 2, ..., m) represents one vulnerability, and every vulnerability is represented by a tuple (BID, NAME, OS, DATE). BID is the unique identifier, NAME is the name of the vulnerability, OS is the type and version of the operating system affected by the vulnerability, and DATE is the publication date of the vulnerability.

System Devices

The devices in the network are the basic elements of an information system: computers, routers, switches and the like. We use a set H = {h_1, h_2, ..., h_m} to represent these devices, where h_i (i = 1, 2, ..., m) represents a single network device. A host on the network is represented by a tuple (HOSTID, OS, SVCS, VULS). HOSTID is the unique identifier of the host on the network; it can be the IP address or the host name. OS is the type and version of the operating system. SVCS is the list of network service types with their port numbers, describing the services on the host and the ports they listen on. VULS is the host's vulnerability list, which may include the security bugs of installed software.

In summary, to a system user the computer network is a set consisting of the above parts, and the security status SS can be described as

SS = {(p_l, h_i), (h_j, h_k, protocols)}, l = 0, 1, ..., 4; i, j, k = 1, 2, ..., m

where (p_l, h_i) represents the privilege p_l of the user on host h_i, and (h_j, h_k, protocols) represents a connection relation between h_j and h_k that is known to the user.

Attack Process

To an attacker attempting to exploit a target, the attack is a process that must be performed step by step. The result of each step may be a single discrete event, such as an escalation of user privilege or the addition of a connection relation, which changes the computer network security status described above. Basically, using a vulnerability to attack can be seen as a map from a set of preconditions to a set of results, so an attack can be represented by the pair Attack_rule = (Preconditions, Postconditions), in which Preconditions is the set of preconditions and Postconditions is the corresponding set of results.

The preconditions set has four elements, Preconditions = {Src_privilege, Dst_privilege, Vuls, Protocols}. Src_privilege is the lowest privilege class the attacker must hold on the host from which the attack is launched. Dst_privilege is the highest privilege class the attacker should have on the target host. Vuls is the vulnerability the attack rule depends on. Protocols is the connection relation needed between the attacking host and the target host.

The results set has three elements, Postconditions = {Rslt_privilege, Rslt_protocols, Rslt_vuls}. Rslt_privilege is the privilege the attacker obtains on the target host after the attack succeeds. Rslt_protocols is the set of network protocols added by the attack: if the attacked host can use the protocols in this set to access another host on the network, the attacking host gains the ability to access that host too. If the attack rule does not affect the current connection relations, Rslt_protocols is the empty set; when Rslt_protocols = {all}, the attacking host gains the attacked host's entire ability to access the target network. Rslt_vuls is the set of vulnerabilities newly added to the attacked host after the attack succeeds; it describes the dependency relation between vulnerabilities.

According to the analysis above, an attack rule can be written as

Attack_rule = ({Src_privilege, Dst_privilege, Vuls, Protocols}, {Rslt_privilege, Rslt_protocols, Rslt_vuls}).

After analyzing the computer network security status and the attack process, the computer network security status space SSP is represented by the tuple

SSP = (SS, AR)

where SS, the security status, represents all security statuses the attack process can reach, and AR, the attack rules, AR = (attack_rule_1, attack_rule_2, ..., attack_rule_n), represents the causes of changes in security status.

Generation of Attack Graph

The Nodes and Edges of the Attack Graph

A graph-based description that combines the attacker's starting point and objective, the host information and the network topology into a representation of the threat to the information system is called an attack graph. By the definition of SSP, the SSP can describe an attack graph. In this paper the nodes of the attack graph represent security statuses SS; when the graph moves from one node to another, the attacker's SS changes. The directed edges represent the mappings that change the SS: for attack_rule = ({Src_privilege, Dst_privilege, Vuls, Protocols}, {Rslt_privilege, Rslt_protocols, Rslt_vuls}), the directed edge is written (H_src, H_dst, attack_rule).

Algorithm to Generate Attack Routes

Based on the analysis of network security incidents and attackers' actions, we make the following assumptions:

Assumption 1: The attacker has powerful attack ability, i.e., an attacker who knows a vulnerability in the system is able to exploit it.

Assumption 2: The attacker is sophisticated, so he does not launch an attack to obtain a privilege he already possesses.

In this paper we use a forward-search, breadth-first, depth-limited (attack-step-limited) algorithm to find the attack routes, then use Graphviz [17] to generate the attack graph. The algorithm is as follows:

(1) From the initial network state, find all network states the attacker can reach directly and add them to the state queue.

(2) Take a state from the state queue as the current state, and find all network states that can be reached directly from it as new states. If a state has not been seen before, add it to the state queue.

(3) If the state queue is not empty, return to (2). If it is empty, the algorithm finishes.

When each attack on an attack route depends on the previous attack, the route is called a minimal attack route. In contrast to the method used previously [13], our method can directly find all minimal attack routes. At the same time, from the attacker's point of view, breadth-first search guarantees that all attack routes are found.

Experiments

We applied our method to the same sample network as Sheyner [13].

Network Environment

The example network is shown in Fig. 1. There are two hosts in the internal network, IP1 and IP2, and a firewall isolates the internal network from the external network. The attacker's host is IP0 in the external network. The host information for the internal network is given in Table 3. The firewall allows ftp and ssh packets to the host IP1 and ftp packets to the host IP2 to enter the internal network, and blocks all other packets. Inside the internal network, connections are not controlled by the firewall, so it can be assumed that an internal host can connect to any remote server. The resulting connection relations are described in Table 4.
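The status model, attack rules and forward-search algorithm described above, as an added example that is not the paper's tool nor Sheyner's: a Python implementation of the breadth-first, depth-limited route search over the security status space, followed by a Graphviz DOT renderer for the resulting edges. The topology follows the experiment's description (attacker Root on IP0, Access elsewhere; firewall passing ftp/ssh to IP1 and ftp to IP2; free internal connectivity), but the vulnerability names ftp_rhosts and local_setuid, the two attack rules built from them and the numeric privilege levels are constructed for illustration, since Table 3 and the paper's rule set are not reproduced on this page. Dst_privilege is treated as the privilege required on the target host and Assumption 2 as a check against Rslt_privilege; Rslt_vuls is omitted because the constructed rules add no vulnerabilities.

```python
"""Forward-search, breadth-first, depth-limited attack-route generation over a
security status space. Added example, not the paper's tool; the hosts, firewall
rules, vulnerability names and attack rules below are constructed."""
from collections import deque

PRIV = {"Access": 0, "Guest": 1, "User": 2, "Supuser": 3, "Root": 4}


def freeze(privs, conns):
    """Canonical hashable form of a status SS = {(p_l, h_i)} + {(h_j, h_k, protocols)}."""
    return (tuple(sorted(privs.items())),
            tuple(sorted(((k, frozenset(v)) for k, v in conns.items()),
                         key=lambda kv: kv[0])))


def can_reach(conns, src, dst, needed):
    """Protocols precondition: a local rule needs src == dst; a remote rule needs
    the (src, dst) relation to carry one of its protocols ({all} carries any)."""
    if "localhost" in needed:
        return src == dst
    have = conns.get((src, dst), frozenset())
    return "all" in have or bool(have & needed)


def successors(state, rules, vuls):
    """Yield ((Hsrc, Hdst, rule_name), next_state) for each rule whose
    preconditions hold in `state` and that raises a privilege (Assumption 2)."""
    privs, conns = dict(state[0]), dict(state[1])
    for rule in rules:
        for hs in privs:
            if privs[hs] < PRIV[rule["src"]]:           # Src_privilege on launching host
                continue
            for hd in vuls:
                if (rule["vul"] not in vuls[hd]                          # Vuls
                        or privs.get(hd, 0) < PRIV[rule["dst"]]           # Dst_privilege
                        or privs.get(hd, 0) >= PRIV[rule["rslt"]]         # Assumption 2
                        or not can_reach(conns, hs, hd, rule["proto"])):  # Protocols
                    continue
                new_privs = dict(privs)
                new_privs[hd] = PRIV[rule["rslt"]]                       # Rslt_privilege
                new_conns = dict(conns)
                for (a, b), protos in conns.items():                     # Rslt_protocols: the
                    gained = (protos if "all" in rule["rslt_proto"]       # attacking host
                              else protos & rule["rslt_proto"])           # inherits hd's reach
                    if a == hd and b != hs and gained:
                        new_conns[(hs, b)] = new_conns.get((hs, b), frozenset()) | gained
                yield (hs, hd, rule["name"]), freeze(new_privs, new_conns)


def generate_attack_graph(init_privs, init_conns, rules, vuls, max_steps, goal):
    """Steps (1)-(3) of the paper's algorithm with an attack-step limit. Returns
    the visited statuses (nodes), directed edges (Hsrc, Hdst, attack_rule), the
    routes reaching goal = (host, privilege) and the connection relations gained."""
    start = freeze(init_privs, init_conns)
    queue, seen = deque([(start, 0, [])]), {start}
    edges, routes = [], []
    while queue:
        cur, depth, path = queue.popleft()
        if dict(cur[0]).get(goal[0], 0) >= PRIV[goal[1]]:
            routes.append(path)                 # objective reached: stop this branch
            continue
        if depth == max_steps:
            continue
        for edge, nxt in successors(cur, rules, vuls):
            edges.append((cur, nxt, edge))
            if nxt not in seen:                 # step (2): queue only unseen statuses
                seen.add(nxt)
                queue.append((nxt, depth + 1, path + [edge]))
    initial = {(s, d, p) for (s, d), ps in init_conns.items() for p in ps}
    gained = {(s, d, p) for _, conns in seen for (s, d), ps in conns for p in ps}
    return {"nodes": seen, "edges": edges, "routes": routes, "gained": gained - initial}


def to_dot(edges):
    """Render the edges as Graphviz DOT; a node is labelled by the privileges held."""
    def label(st):
        return ", ".join(f"{h}:{lvl}" for h, lvl in st[0])
    lines = ["digraph attack_graph {"]
    for a, b, (hs, hd, rule) in edges:
        lines.append(f'  "{label(a)}" -> "{label(b)}" [label="{hs}->{hd}: {rule}"];')
    return "\n".join(lines + ["}"])


# Constructed scenario following the paper's topology: attacker is Root on IP0 and
# has only Access elsewhere; the firewall passes ftp/ssh to IP1 and ftp to IP2;
# internal hosts reach each other freely. Vulnerability and rule names are hypothetical.
INIT_PRIVS = {"IP0": PRIV["Root"], "IP1": PRIV["Access"], "IP2": PRIV["Access"]}
INIT_CONNS = {("IP0", "IP1"): {"ftp", "ssh"}, ("IP0", "IP2"): {"ftp"},
              ("IP1", "IP2"): {"all"}, ("IP2", "IP1"): {"all"}}
VULS = {"IP1": {"ftp_rhosts"}, "IP2": {"ftp_rhosts", "local_setuid"}}
RULES = [  # ({Src_privilege, Dst_privilege, Vuls, Protocols}, {Rslt_privilege, Rslt_protocols})
    {"name": "ftp_rhosts", "src": "User", "dst": "Access", "vul": "ftp_rhosts",
     "proto": {"ftp"}, "rslt": "User", "rslt_proto": {"all"}},
    {"name": "local_setuid", "src": "User", "dst": "User", "vul": "local_setuid",
     "proto": {"localhost"}, "rslt": "Root", "rslt_proto": set()},
]

if __name__ == "__main__":
    for steps in (1, 2, 3):
        r = generate_attack_graph(INIT_PRIVS, INIT_CONNS, RULES, VULS, steps, ("IP2", "Root"))
        print(steps, len(r["nodes"]), len(r["edges"]), len(r["routes"]), sorted(r["gained"]))
    print(to_dot(r["edges"]))
```

Because the search keeps a set of statuses already seen, each distinct status is expanded once and carries the shortest path that reached it; the edge list still records every transition, so the DOT output shows the whole graph. Running the block with step limits 1, 2 and 3 reproduces on this toy network the behaviour discussed for Figs. 4 to 6: node and edge counts grow with the limit (3/2, 7/7, 10/10), the first route to Root on IP2 appears at limit 2, but both gained connection relations, (IP0, IP1, all) and (IP0, IP2, all), are already present at limit 1.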

Experimental Results and Comparison

In this experiment the attacker attacks the internal network from host IP0. The attacker has the highest privilege, Root, on IP0, but on the other hosts only the lowest privilege, Access. Following Sheyner [13], the attack objective is to obtain Root privilege on IP2. After running the attack graph generation tool, the resulting attack graphs are shown in Fig. 2 and Fig. 3: Fig. 2 is Sheyner's result and Fig. 3 is ours.

The Attack Graph with Limited Attack Steps

To investigate how the size of the attack graph depends on the attack-step limit, we ran an experiment in a network environment with ten hosts and sixteen vulnerabilities spread over the hosts. We assume the attacker can initially access only two network services in the network. The relationship between the number of nodes and the attack-step limit is shown in Fig. 4, that between the number of edges and the limit in Fig. 5, and that between the number of new capabilities to access the network and the limit in Fig. 6.

Compared with Sheyner's result [13], our attack graph for the same attack objective is simpler, for three reasons. First, Sheyner takes the IDS as a network element, so the state space of his model is larger than ours. Second, Sheyner does not assume a sophisticated attacker who never launches an attack for a privilege he already holds, and the model checker he uses cannot express this condition either, so the generated attack graph contains much redundancy. Third, the execution efficiency of his tool, a modified NuSMV, is lower, so attack graph generation is slower.

In Fig. 4 and Fig. 5 the number of nodes and the number of edges increase as the attack-step limit increases. In Fig. 6 the number of new capabilities to access the network increases rapidly at first but stays steady as the attack-step limit grows further. The size of the attack graph becomes tremendous when the network is large [12]. Figs. 4, 5 and 6 show that when we limit the attack steps to an acceptable scale, the generated attack graph is not complete, but we still obtain all of the new capabilities to access the network. Moreover, as the attack graph grows, the probability that an attack reaches its final nodes decreases. Limiting the attack steps to an acceptable number therefore bounds the size of the attack graph and allows the attack graph to be used to analyze larger networks.

Conclusion

Tools to generate attack graphs for network security analysis based on the security status space have been designed and implemented, and the experiment indicates that the method is usable and effective. Much related work remains: the results of network scanning tools should be fed into the tools, the generation algorithm should be optimized, and methods for analyzing the attack graph should be studied further.

References

[1] Computer Oracle and Password System (COPS). ftp.cert.org/pub/tools/cops.
[2] Nmap. http://www.insecure.org/nmap/index.html, 2005.
[3] Nessus. http://www.nessus.org/, 2005.
[4] ISS. http://www.iss.com/, 2005.
[5] C. A. Phillips and L. P. Swiler, A graph-based system for network vulnerability analysis, in New Security Paradigms Workshop, 1998, pp. 71-79.
[6] R. Ritchey and P. Ammann, Using model checking to analyze network vulnerabilities, in Proceedings of the IEEE Symposium on Security and Privacy, May 2001, pp. 156-165.
