Journal "Highly Available Systems", No. 3, 2013
Article in issue:
Toward network access control with Software-Defined Networking
Authors:
I.V. Kotenko - Ph.D., Professor, Head of the Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS). E-mail: ivkote@comsec.spb.ru
A.A. Chechulin - Researcher at the Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS). E-mail: chechulin@comsec.spb.ru
Abstract:
The paper presents a technique for the construction, modification and analysis of attack graphs, intended for computer network security evaluation and security event processing. Existing approaches to security evaluation are surveyed in three areas: techniques for computer network security evaluation, approaches to attack graph construction, and software for security evaluation. The survey shows that analytical attack modeling has so far been used only for offline analysis and cannot be applied in real-time systems because of its computational cost; this cost is the main obstacle to using analytical modeling in real time. To overcome it, a technique for efficient attack graph construction, modification and analysis is proposed. It consists of three main phases: (1) collecting source data about the analyzed network and its known vulnerabilities; (2) constructing the attack graph and calculating security metrics; (3) processing events in real time and modifying the attack graph to follow changes in the real network. The data collection phase is in turn divided into three stages: (1) preparation; (2) gathering information from external sources (vulnerability databases, etc.); (3) building the models that describe the protected network. The second phase comprises: (1) attack graph construction; (2) attack graph analysis and security metrics calculation; (3) report generation. The event processing phase comprises: (1) modifying the attack graph in accordance with network changes; (2) processing security events and recognizing the malefactor model; (3) report generation.
The proposed technique is a new theoretical result: it retains the advantages of attack graphs while providing a comprehensive and efficient implementation of the approach for near-real-time systems. The paper also reports experiments showing that the preliminary analysis of the computer network and the initial construction of the attack graph account for most of the running time, while the subsequent steps (attack graph modification, security metric calculation and event processing) take significantly less: for a network of 500 hosts, only a few seconds. These results confirm the theoretical assumptions of the paper and demonstrate that the technique can be applied in systems operating in near-real-time mode. The remainder of the paper compares the proposed technique with existing approaches to security analysis; the comparison shows that it is on a par with them overall and outperforms them on some metrics.
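The three phases described in the abstract (network model, attack graph with metrics, event-driven modification), as an added example that is not the paper's code. The network model, host names, vulnerability identifiers and reachability rules are constructed for illustration; the graph semantics (nodes are host/privilege pairs, edges are exploit steps) follow the common attack-graph convention and are an assumption about the paper's model, not taken from it.

```python
"""Toy attack-graph construction, modification and event processing.

Added example, not the paper's implementation. Every host, vulnerability
and reachability rule below is constructed and hypothetical.
"""
from collections import deque

PRIV = {"user": 1, "root": 2}          # privilege levels; higher dominates lower

# Phase 1, stage 3: model of the protected network (constructed data).
# Reachability: (source host, destination host, port) the network allows.
REACH = {("internet", "web", 80), ("web", "app", 8080),
         ("web", "db", 5432), ("app", "db", 5432)}
# Vulnerabilities: port None means a local privilege escalation on `host`;
# `need` is the privilege the malefactor must already hold on the source host,
# `gain` the privilege obtained on `host` after a successful exploit.
VULNS = {
    "V-WEB-RCE": dict(host="web", port=80,   need="user", gain="user"),
    "V-WEB-LPE": dict(host="web", port=None, need="user", gain="root"),
    "V-APP-RCE": dict(host="app", port=8080, need="user", gain="root"),
    "V-DB-AUTH": dict(host="db",  port=5432, need="root", gain="root"),
}
START = ("internet", "user")            # external malefactor's initial position
TARGET = ("db", "root")                 # asset whose compromise the metrics measure


def exploitable(node, reach, vulns):
    """Yield (vuln_id, new_node) for every attack step possible from `node`."""
    host, priv = node
    for vid, v in vulns.items():
        if PRIV[priv] < PRIV[v["need"]]:
            continue                                    # insufficient privilege
        if v["port"] is None and v["host"] != host:
            continue                                    # local bug on another host
        if v["port"] is not None and (host, v["host"], v["port"]) not in reach:
            continue                                    # network does not allow it
        if v["host"] == host and PRIV[v["gain"]] <= PRIV[priv]:
            continue                                    # no privilege gained
        yield vid, (v["host"], v["gain"])


def build_graph(reach, vulns, start=START):
    """Phase 2, stage 1: breadth-first construction of the attack graph.
    Returns the reachable nodes and the edges (from, vuln_id, to)."""
    edges, seen, queue = [], {start}, deque([start])
    while queue:
        node = queue.popleft()
        for vid, nxt in exploitable(node, reach, vulns):
            edges.append((node, vid, nxt))
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, edges


def metrics(edges, start=START, target=TARGET):
    """Phase 2, stage 2: number of simple attack paths to `target` and the
    length of the shortest one (None when the target is unreachable)."""
    adj = {}
    for a, vid, b in edges:
        adj.setdefault(a, []).append((vid, b))
    paths = []

    def dfs(node, on_path, used):
        if node == target:
            paths.append(list(used))
            return
        for vid, nxt in adj.get(node, []):
            if nxt not in on_path:                      # avoid cycles
                dfs(nxt, on_path | {nxt}, used + [vid])

    dfs(start, {start}, [])
    return {"paths": len(paths),
            "min_steps": min((len(p) for p in paths), default=None)}


def process_event(reach, vulns, edges, event):
    """Phase 3: a 'patched' event changes the model and rebuilds the graph;
    an 'alert' event places the malefactor on the graph and lists the
    vulnerabilities reachable from that position (next likely steps)."""
    if event["type"] == "patched":
        vulns = {k: v for k, v in vulns.items() if k != event["vuln"]}
        _, edges = build_graph(reach, vulns)
        return vulns, edges, metrics(edges)
    if event["type"] == "alert":
        positions = {b for _, vid, b in edges if vid == event["vuln"]}
        next_steps = {vid for p in positions
                      for vid, _ in exploitable(p, reach, vulns)}
        return vulns, edges, {"positions": positions, "next": next_steps}
    raise ValueError(f"unknown event type {event['type']!r}")


if __name__ == "__main__":
    nodes, edges = build_graph(REACH, VULNS)
    print(sorted(nodes), metrics(edges))
    print(process_event(REACH, VULNS, edges, {"type": "alert", "vuln": "V-WEB-RCE"})[2])
    print(process_event(REACH, VULNS, edges, {"type": "patched", "vuln": "V-APP-RCE"})[2])
```

On the constructed model the graph has five nodes and six edges with three attack paths to the database; patching V-APP-RCE leaves a single path through the local escalation on the web host, which is the kind of before/after comparison the security metrics are meant to expose. Rebuilding the whole graph on every event is deliberate in this toy: the abstract's point is that, with the model already in hand, this rebuild is cheap relative to the initial data gathering.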
Pages: 103-110
References

  1. Kotenko I., Chechulin A. Attack Modeling and Security Evaluation in SIEM Systems // International Transactions on Systems Science and Applications. December 2012. V. 8. P. 129-147.
  2. Kotenko I., Chechulin A., Novikova E. Attack Modelling and Security Evaluation for Security Information and Event Management. SECRYPT 2012. International Conference on Security and Cryptography. Proceedings. Rome, Italy. 24-27 July 2012. P. 391-394.
  3. Kotenko I., Chechulin A. Common Framework for Attack Modeling and Security Evaluation in SIEM Systems // 2012 IEEE International Conference on Green Computing and Communications, Conference on Internet of Things, and Conference on Cyber, Physical and Social Computing. Besançon, France, November 20-23, 2012. Los Alamitos, California: IEEE Computer Society. 2012. P. 94-101.
  4. Kotenko I.V., Doynikova E.V., Chechulin A.A. Common Attack Pattern Enumeration and Classification (CAPEC): description and application examples // Zashchita Informatsii. Inside (Information Security. Inside). 2012. No. 4. P. 54-66.
  5. Kotenko I.V., Saenko I.B., Polubelova O.V., Chechulin A.A. Security information and event management technologies for computer network protection // Problemy Informatsionnoi Bezopasnosti. Komp'yuternye Sistemy (Information Security Problems. Computer Systems). 2012. No. 2. P. 57-68.
  6. Kotenko I.V., Saenko I.B., Polubelova O.V., Chechulin A.A. Application of security information and event management technology for information protection in critical infrastructures // Trudy SPIIRAN (SPIIRAS Proceedings). Issue 1 (20). St. Petersburg: Nauka. 2012. P. 27-56.
  7. Kotenko I.V., Vorontsov V.V., Chechulin A.A., Ulanov A.V. Proactive mechanisms of protection against network worms: approach, implementation and experimental results // Informatsionnye Tekhnologii (Information Technologies). 2009. No. 1. P. 37-42.
  8. Kotenko I.V., Stepashkin M.V. Security evaluation of computer networks based on attack graph analysis // Problems of Risk Management and Safety. Proceedings of the Institute for Systems Analysis of the Russian Academy of Sciences (ISA RAN). Vol. 31. Moscow: URSS. 2007. P. 126-207.
  9. Dacier M. Towards Quantitative Evaluation of Computer Security. PhD thesis, Institut National Polytechnique de Toulouse. 1994.
  10. Ortalo R., Deswarte Y., Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operational security // IEEE Trans. Software Eng. 1999. V. 25. № 5. P. 633-650.
  11. Zerkle D., Levitt K. Netkuang - a multi-host configuration vulnerability checker // Proceedings of the 6th USENIX Unix Security Symposium (USENIX-96). 1996.
  12. Phillips C., Swiler L. A graph-based system for network-vulnerability analysis // Proceedings of the New Security Paradigms Workshop (NSPW-98). 1998.
  13. Swiler L.P., Phillips C., Ellis D., Chakerian S. Computer-attack graph generation tool // DISCEX '01. Proceedings. Anaheim, CA. 2001. V. 2. P. 307-321.
  14. Ritchey R.W., Ammann P. Using model checking to analyze network vulnerabilities // Proc. of the 2000 IEEE Symposium on Security and Privacy, Washington, D.C. 2000.
  15. Jha S., Linger R., Longstaff T., Wing J. Survivability Analysis of Network Specifications // Proceedings of the International Conference on Dependable Systems and Networks. IEEE CS Press. 2000.
  16. Jha S., Sheyner O., Wing J. Minimization and reliability analysis of attack graphs // Technical Report CMU-CS-02-109. Carnegie Mellon University. 2002.
  17. Hariri S., Qu G., Dharmagadda T., Ramkishore M., Raghavendra C.S. Impact Analysis of Faults and Attacks in Large-Scale Networks // IEEE Security and Privacy. 2003. V. 1. P. 49-54.
  18. Singh S., Lyons J., Nicol D.M. Model-based Penetration Testing // Proceedings of the 36th Conf. on Winter simulation, Washington, D.C. 2004. P. 309-317.
  19. Rieke R. Tool based formal Modelling, Analysis and Visualisation of Enterprise Network Vulnerabilities utilizing Attack Graph Exploration // EICAR 2004 Conf., Best Paper Proceedings. 2004.
  20. Dantu R., Loper K., Kolan P. Management using Behavior based Attack Graphs // Proceedings of the International Conference on Information Technology: Coding and Computing. Washington, D.C. 2004.
  21. Rothmaier G., Krumm H. A Framework Based Approach for Formal Modeling and Analysis of Multi-level Attacks in Computer Networks // Lecture Notes in Computer Science. Springer-Verlag. 2005. V. 3731. P. 247-260.
  22. Lye K., Wing J. Game Strategies in Network Security // International Journal of Information Security. 2005.
  23. Ou X., Govindavajhala S. MulVAL: A Logic-based Network Security Analyzer // Proceedings of the 14th conference on USENIX Security Symposium, Baltimore, MD. 2005. P. 113-128.
  24. Noel S., Jajodia S. Understanding complex network attack graphs through clustered adjacency matrices // Proc. of the 21st Annual Computer Security Applications Conference, Washington, DC. 2005. P. 160-169.
  25. Mehta V., Bartzis C., et al. Ranking Attack Graphs // Lecture Notes in Computer Science, Springer-Verlag. 2006. V. 4219. P. 127-144.
  26. Kotenko I., Stepashkin M. Network Security Evaluation based on Simulation of Malefactor's Behavior // SECRYPT 2006. International Conference on Security and Cryptography. Proceedings. Portugal. 2006. P. 339-344.
  27. Kotenko I., Stepashkin M. Attack Graph based Evaluation of Network Security // Lecture Notes in Computer Science. 2006. V. 4237. P. 216-227.
  28. Kotenko I., Stepashkin M., Doynikova E. Security Analysis of Computer-aided Systems taking into account Social Engineering Attacks // Proceedings of the 19th Euromicro International Conference on Parallel, Distributed and network-based Processing (PDP 2011). Ayia Napa, Cyprus, 9-11 February, 2011. Los Alamitos, California. IEEE Computer Society. 2011. P. 611-618.
  29. Lippmann R., Ingols K. Validating and Restoring Defense in Depth Using Attack Graphs // Proceedings of MILCOM 2006. Washington, DC. 2006.
  30. Ingols K., Chu M., Lippmann R., Webster S., Boyer S. Modeling modern network attacks and countermeasures using attack graphs // Proceedings of the 2009 Annual Computer Security Applications Conference (ACSAC - 09), Washington, D.C., USA, IEEE Computer Society. 2009. P. 117-126.
  31. Gamal M.M., Hasan D., Hegazy A.F. A Security Analysis Framework Powered by an Expert System // International Journal of Computer Science and Security. 2011. V. 4. P. 505-526.
  32. CACI Products Company. http://www.caciasl.com/
  33. OPNET Technologies, Inc. http://www.opnet.com/
  34. SecurITree - software for modelling systems based on attack trees. Amenaza Technologies Limited. http://www.amenaza.com/
  35. TANAT - Threat ANd Attack Tree Modeling plus Simulation; Dipl.-Inform. Harald Gorl. http://www13.informatik.tu-muenchen.de:8080/tanat/