Quantitative Evaluation for Operational Security - an Experiment

[Ortalo et al., IEEE Transactions on Software Engineering, Sept/Oct 1999]

Group Meeting, Mar 7, 2000

H.W. Chan, CSE Dept., CUHK

Outline
  • Introduction
  • The Approach:
    • Privilege graphs
    • Attack state graphs
    • Mathematical model
  • The experiment
    • setup and results
  • Discussion

Introduction
  • System security has usually been discussed in terms of security requirements and policy
    • requires cooperation of all users
    • difficult for ordinary users to comprehend
  • A quantitative measure for system security is easier to comprehend
    • a figure representing the ‘degree of security’ of the system can be useful

Quantifying security
  • Borrowing software reliability theory:
    • In reliability, a piece of software fails upon time of usage; the Mean Time To Failure quantifies the reliability of the software
    • Similarly, in security, a system can be breached upon effort of attacks; the Mean Effort to Breach can quantify the security of the system

The Approach
  • Privilege graph:
    • node: a set of privileges owned by a user or set of users (e.g., a group in Unix)
    • arc: a vulnerability that causes a user owning one privilege to obtain another, e.g.,

X → Y: there is a method allowing a user owning privilege X to obtain privilege Y.

Examples of vulnerabilities
  • Privilege subsets directly issued from the protection scheme
  • Direct security flaws, e.g., Trojan horse
  • System features exploited for attack
    • .rhosts, .xinitrc, setuid programs

[Figure: example privilege graph arc with nodes hwchan1 and gds]

Privilege graph - example

[Figure: privilege graph with nodes A, B, F, P, Xadmin and insider; arcs are labelled 1 to 7 according to the key]

Key:
  • 1: Y’s .rhosts is writable by X
  • 2: X can guess Y’s password
  • 3: X can modify Y’s .tcshrc
  • 4: X is a member of Y
  • 5: Y uses a program managed by X
  • 6: X can modify a setuid program owned by Y
  • 7: X is in Y’s .rhosts

Quantifying vulnerabilities
  • Each arc in the privilege graph should be assigned a weight to quantify the effort required for exploiting the vulnerability
  • Different factors should be considered, e.g., expertise, time and equipment
  • No good methods to do this yet!

Attacker behavior
  • In an attack, an attacker begins with some minimal privileges, and wants to obtain some protected privileges.
  • In a privilege graph, the path from the attacker node to the target node describes the progress of attack:

[Figure: path from the attacker node to the target node]

  • There can be more than one path from the attacker node to the target node
    • assumption: attacker does not know the shortest path
  • Two assumptions for attacker behavior
    • Total memory (TM): all possibilities of attack are considered at any stage of attack
    • Memoryless (ML): at each newly visited node, only attacks possible from that node are considered

Attack state graphs (ML)

[Figure: attack state graph under the ML assumption, with states I, FI, IP, FIX, AIP, AFIX, BFIX, BFIPX and ABFIPX]

Attack state graph (TM)

[Figure: attack state graph under the TM assumption, with states I, FI, IP, FIX, FIP, AIP, AFIX, AFIP, BFIX, BFIPX and ABFIPX]

H.W. Chan, CSE Dept., CUHK

mathematical model
Mathematical Model
  • Assume the Markov model:
    • Probability of success in an attack before an amount of effort ‘e’ is spent is:

P(e) = 1 - exp(-Le)

    • L is the rate of attack, and can be assigned as the weight of the vulnerability
    • thus, mean effort to succeed is 1/L

  • Mean effort spent in state j is

$E_j = \dfrac{1}{\sum_{i \in out(j)} L_{ji}}$

  • Mean Effort To security Failure (METF) from initial state k to state i is

$METF_k = E_k + \sum_{i \in out(k)} L_{ki} \, E_k \, METF_i$
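The METF recursion above, worked through in Python as an added example (not code from the slides or the paper). It covers the TM assumption only; the privilege graph, its arc rates and the names ARCS, successors and metf are constructed for illustration, with rates taken from the four levels used in the experiment.

```python
import math
from functools import lru_cache

# Constructed privilege graph: arc (X, Y) -> rate L of the vulnerability
# that lets an owner of X obtain Y. Not the graph shown on the slides.
ARCS = {
    ("insider", "A"): 1e-1,
    ("insider", "B"): 1e-2,
    ("A", "target"): 1e-3,
    ("B", "target"): 1e-2,
}

def successors(state, arcs):
    """TM assumption: every arc leaving any privilege already owned is usable.
    A state is the frozenset of privileges obtained so far."""
    out = {}
    for (x, y), rate in arcs.items():
        if x in state and y not in state:
            nxt = state | {y}
            # Several arcs may lead to the same next state: their rates add.
            out[nxt] = out.get(nxt, 0.0) + rate
    return out

def metf(start, target, arcs):
    """Mean Effort To security Failure from {start} until target is owned."""
    @lru_cache(maxsize=None)
    def go(state):
        if target in state:
            return 0.0                      # security failure reached
        out = successors(state, arcs)
        if not out:
            return math.inf                 # dead end: target unreachable
        e = 1.0 / sum(out.values())         # E_j = 1 / sum of L_ji
        # METF_k = E_k + sum over out(k) of L_ki * E_k * METF_i
        return e + sum(rate * e * go(nxt) for nxt, rate in out.items())
    return go(frozenset([start]))

if __name__ == "__main__":
    print(round(metf("insider", "target", ARCS), 2))
```

Because states only ever gain privileges, the TM state graph has no cycles and the memoised recursion terminates.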

The experiment
  • Setup:
    • Several hundred different workstations
    • 700 users sharing one global file system
    • privilege graphs, attack state graphs and METF computed every day from June 95 to Mar 97 (674 days)
    • vulnerabilities are classified into four levels and given rates 10^-1, 10^-2, 10^-3, 10^-4

Results

Conclusion and discussion
  • A preliminary investigation about the security evaluation of operational systems
  • The assignment of rates of the vulnerabilities is pretty arbitrary, but is key to the validity of the measurement
