
Abstracted Model Generator (AMG): Another Perspective Of Mitigating Scalability Issues





Presentation Transcript


  1. Abstracted Model Generator (AMG): Another Perspective Of Mitigating Scalability Issues
  Su Zhang, Computing and Information Science, Kansas State University

  2. Background
  • Two ways of presenting (potential) network security issues:
    • Attack graph.
    • Quantitative value:
      • Probability of some “asset” (host, server, workstation, etc.) being compromised.
      • Loss expectation (usually in monetary terms).
  Final Project Presentation for CIS 890

  3. Attack Graphs
  • State enumeration
    • Carnegie Mellon University, Oleg Sheyner et al., 2002.
    • Extremely poor scalability (exponential).
  • Logical dependency graphs
    • MIT Lincoln Lab Attack Graphs (MIT-LL-AG) (Lippmann et al. 2006) (Lippmann et al. 2005): uncertain for large-scale networks. [6]
    • George Mason University (Ammann, Wijesekera, & Kaushik 2002) (Jajodia, Noel, & O’Berry 2003): poor scalability (O(N^6)). [6]
    • Kansas State University Attack Graph (KSU-AG) (Xinming Ou et al. 2006): fastest so far (between O(N^2) and O(N^3)). [6]

  4. Quantitative Risk Assessment
  • Lingyu Wang et al. (GMU): not scalable (Bayesian network).
  • Teodor Sommestad et al. (Royal Institute of Technology (KTH)): not scalable (Bayesian network).
  • John Homer and Xinming Ou (KSU): d-separation set (faster than the other two, but still not fast enough).

  5. Current Limitations
  • Accuracy
    • Database limitations.
    • Vendors don’t publish vulnerability information until it gets patched.
    • Centralized databases (e.g. NVD and OSVDB) contain many errors and are maintained inconsistently.
  • Scalability
    • Analysis cannot be finished fast enough for quantitative risk assessment of large-scale networks.

  6. How to Mitigate the Scalability Issue? Network Abstraction
  • Downscale enterprise-size networks into small ones.
  • Easier for SAs to do some basic analysis.
  • Provides trimmed input for analyzers to mitigate the scalability issues:
    • Attack-graph analyzer.
    • Quantitative risk assessment analyzer.

  7. Network Abstraction Steps
  • Reachability-based grouping
    • Group all unfiltered nodes (those without inter-subnet connections) into one.
    • Group all filtered nodes that have the same inter-subnet reachability (same in terms of both inbound and outbound connections).
  • Configuration-based breakdown
    • Further break down both unfiltered and filtered nodes based on their configurations.

  8. Network Abstraction: Beginning Stage
  [Figure: a subnet of hosts connected to the Internet.]

  9. Network Abstraction: Identifying the Reachability Information
  [Figure: inside the subnet, unfiltered hosts (without inter-subnet connections) and filtered hosts (with inter-subnet connections) are distinguished; different colors suggest different inter-subnet reachabilities.]

  10. Network Abstraction: Merging Unfiltered Nodes into One
  [Figure: the unfiltered hosts are merged into one node; filtered hosts keep their colors, which suggest different reachabilities.]

  11. Reachability-based Grouping
  [Figure: same-colored filtered nodes (same reachability) are merged; the unfiltered hosts remain one merged node.]

  12. Configuration-based Breakdown
  [Figure: the merged unfiltered node is further broken down based on configuration; different colors now suggest different configurations.]
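As an added illustration of the two abstraction steps (reachability-based grouping, then configuration-based breakdown), here is example code written for this transcript, not the AMG tool's own implementation; the Host model, the subnet names and the reachability sets are constructed:

```python
# Added example, not the AMG tool's own code: the two abstraction steps from
# the slides, run on a constructed host list (all names/subnets are made up).
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    subnet: str
    config: str                        # e.g. "windows" or "linux"
    inbound: frozenset = frozenset()   # other subnets that can reach this host
    outbound: frozenset = frozenset()  # other subnets this host can reach

def reachability_groups(hosts):
    """Step 1: per subnet, unfiltered hosts (no inter-subnet connections) become
    one node; filtered hosts are grouped by identical inbound+outbound reachability."""
    groups = defaultdict(list)
    for h in hosts:
        if not h.inbound and not h.outbound:
            key = (h.subnet, "unfiltered")
        else:
            key = (h.subnet, "filtered",
                   tuple(sorted(h.inbound)), tuple(sorted(h.outbound)))
        groups[key].append(h)
    return groups

def abstract_network(hosts):
    """Step 2 after step 1: split each reachability group by host configuration.
    Returns abstracted node key -> sorted names of the hosts it stands for."""
    abstracted = {}
    for key, members in reachability_groups(hosts).items():
        by_config = defaultdict(list)
        for h in members:
            by_config[h.config].append(h.name)
        for config, names in by_config.items():
            abstracted[key + (config,)] = sorted(names)
    return abstracted

# Constructed sample: six hosts in one subnet. Two file servers accept
# connections from the workstation subnet, a gateway reaches the Internet,
# and the other three hosts have no inter-subnet connections at all.
SAMPLE = [
    Host("ws1", "subnet1", "windows"),
    Host("ws2", "subnet1", "windows"),
    Host("ws3", "subnet1", "linux"),
    Host("fs1", "subnet1", "linux", inbound=frozenset({"workstations"})),
    Host("fs2", "subnet1", "linux", inbound=frozenset({"workstations"})),
    Host("gw", "subnet1", "linux", outbound=frozenset({"internet"})),
]
```

On the sample, step 1 collapses six hosts into three reachability groups and step 2 yields four abstracted nodes, the input an attack-graph or risk analyzer would then consume instead of the full host list.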

  13. Case Study: Configuration
  • 3 subnets (file servers, workstations, and normal user desktops (say subnet1)).
  • 10 hosts per subnet, divided between two types of configuration (Windows and Linux).
  • 2 vulnerabilities on each host. The vulnerability type could be local, remote server, or remote client, based on the CVSS vectors in the National Vulnerability Database (NVD).

  14. Case Study: Topology
  [Figure: case-study network topology.]

  15. Case Study: Original Attack Graph (41K)
  [Figure: original attack graph.]

  16. Case Study: Attack Graph (27K)
  [Figure: attack graph.]

  17. Quantitative Results Comparison
  • This part is to be done soon.
  • Comparing the results from the original model and the abstracted model is meaningful: if the two values are close enough, then we can conclude that our ANM is useful.

  18. Conclusions
  • AMG can provide SAs a clearer overview of the entire network.
  • AMG will help SAs get smaller-sized attack graphs and hence reduce their workload.
  • AMG can mitigate the scalability issue for quantitative risk assessment.

  19. References
  • [1] Automated generation and analysis of attack graphs. Oleg Sheyner, Joshua Haines, Somesh Jha, Richard Lippmann, and Jeannette M. Wing. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002.
  • [2] Evaluating and strengthening enterprise network security using attack graphs. R.P. Lippmann, K.W. Ingols, C. Scott, K. Piwowarski, K.J. Kratkiewicz, M. Artz, and R.K. Cunningham. Technical Report, MIT Lincoln Laboratory, October 2005.
  • [3] Practical attack graph generation for network defense. Kyle Ingols, Richard Lippmann, and Keith Piwowarski. ACSAC 2006.
  • [4] Minimum-cost network hardening using attack graphs. Lingyu Wang, Steven Noel and Sushil Jajodia. Computer Communications.
  • [5] Modeling modern network attacks and countermeasures using attack graphs. Kyle Ingols, Matthew Chu, Richard Lippmann, et al. In 25th Annual Computer Security Applications Conference (ACSAC), 2009.
  • [6] Intelligent Cyber Security Analysis in Enterprise Networks. Jason H. Li and Peng Liu. In Association for the Advancement of Artificial Intelligence (www.aaai.org), 2007.
  • [7] Advanced Cyber Attack Modeling, Analysis, And Visualization. Sushil Jajodia and Steven Noel. Final Technical Report, March 2010.
  • [8] Measuring network security using Dynamic Bayesian Network. Marcel Frigault, Lingyu Wang, Anoop Singhal, and Sushil Jajodia. In Proceedings of the 4th ACM workshop on Quality of Protection (QoP), 2008.
  • [9] A probabilistic relational model for security risk analysis. Teodor Sommestad, Mathias Ekstedt and Pontus Johnson. Journal of Computer & Security 29, 2010, pp. 659-679.

  20. Questions & Discussions
  Thank you!