Topological Analysis of Multi-phase Attacks using Expert Systems

With the increasing number and complexity of network attacks, the demand for automatic vulnerability analysis tools has grown. A prerequisite for building such tools is a formal and precise model of network configurations and vulnerabilities. Using this model, network administrators can analyze the effects of vulnerabilities on the network, and complex attack scenarios can be detected before they happen. In this paper, we present a general logic-based framework for modeling network configurations and topologies. A number of important and widespread network vulnerabilities are then modeled as general inference rules based on the framework definitions. We implemented the approach using an expert system that analyzes network configurations and detects how an attacker may exploit a chain of vulnerabilities to reach his goal. Our approach explores all attack paths and generates the closure of access rights that the attacker can gain by exploiting the vulnerabilities. The time complexity of calculating the closure is polynomial. Given the closure, testing whether a user holds a particular right over a resource takes only O(1) time. Moreover, firewall filtering rules can be modeled and analyzed to determine the initial accesses in the network. Our framework is more flexible than previous ones, as it can model some major parts of Denial of Service (DoS) attacks and reason about network topology. Finally, a case study is presented to explore the model's applicability and show its efficiency and flexibility.
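The abstract describes the core mechanism but not how it is realised: configuration and vulnerability facts, inference rules, a polynomial-time closure of access rights, and O(1) right checks against that closure. The following Python block is an added illustration written for this page (not the paper's code or its expert-system rule base): it models a small constructed three-host network as tuples, encodes two hypothetical inference rules (remote exploitation of a reachable vulnerable service, and local privilege escalation), forward-chains them to a fixpoint, answers right queries by set membership, and shows a hardening what-if by recomputing the closure with one configuration fact removed. All predicate names, hosts, services and privilege levels are assumptions made for the example.

```python
"""Closure of access rights over a logic model of a network (added illustration).

Facts are tuples and each inference rule is a function from the current fact
set to newly derivable facts; forward chaining to a fixpoint yields the closure
of rights the attacker can gain. All predicates and the sample network are
hypothetical, constructed for this example; they are not the paper's own.
"""

# Constructed sample facts. Predicate shapes (hypothetical):
#   ("reachable",  src, dst, port)   firewall permits src -> dst on port
#   ("service",    host, port, svc)  host runs service svc on port
#   ("vuln",       svc, level)       remote compromise of svc yields level on its host
#   ("local_vuln", host)             a local user on host can escalate to root
#   ("priv",       host, level)      attacker holds privilege level on host
INITIAL_FACTS = frozenset({
    ("reachable", "internet", "web", 80),
    ("reachable", "web", "db", 3306),
    ("service", "web", 80, "httpd"),
    ("service", "db", 3306, "mysqld"),
    ("vuln", "httpd", "user"),
    ("vuln", "mysqld", "root"),
    ("local_vuln", "web"),
    ("priv", "internet", "root"),   # the attacker fully controls the external host
})


def rule_remote_exploit(facts):
    """priv(src,_) & reachable(src,dst,port) & service(dst,port,svc) & vuln(svc,lvl)
    -> priv(dst,lvl): any foothold on src extends to reachable vulnerable services."""
    services = {(f[1], f[2]): f[3] for f in facts if f[0] == "service"}
    vulns = {f[1]: f[2] for f in facts if f[0] == "vuln"}
    footholds = {f[1] for f in facts if f[0] == "priv"}
    derived = set()
    for f in facts:
        if f[0] != "reachable" or f[1] not in footholds:
            continue
        _, _, dst, port = f
        svc = services.get((dst, port))
        if svc in vulns:
            derived.add(("priv", dst, vulns[svc]))
    return derived


def rule_local_escalation(facts):
    """priv(h,user) & local_vuln(h) -> priv(h,root)."""
    escalatable = {f[1] for f in facts if f[0] == "local_vuln"}
    return {("priv", f[1], "root") for f in facts
            if f[0] == "priv" and f[2] == "user" and f[1] in escalatable}


RULES = (rule_remote_exploit, rule_local_escalation)


def compute_closure(facts, rules=RULES):
    """Forward-chain until no rule derives a new fact. Every round either adds
    a fact or terminates, and the number of derivable priv facts is bounded by
    |hosts| x |levels|, so the closure is reached in polynomial time."""
    closure = set(facts)
    while True:
        new = set()
        for rule in rules:
            new |= rule(closure)
        if new <= closure:
            return frozenset(closure)
        closure |= new


def has_right(closure, host, level):
    """O(1) membership test once the closure has been materialised."""
    return ("priv", host, level) in closure


def what_if(facts, removed, rules=RULES):
    """Hardening check: recompute the closure with one configuration fact
    removed (e.g. a firewall rule withdrawn or a vulnerable service patched)."""
    return compute_closure(set(facts) - {removed}, rules)


if __name__ == "__main__":
    closure = compute_closure(INITIAL_FACTS)
    print("rights in closure:", sorted(f for f in closure if f[0] == "priv"))
    hardened = what_if(INITIAL_FACTS, ("reachable", "web", "db", 3306))
    print("db root after blocking web->db:", has_right(hardened, "db", "root"))
```

On the constructed facts the closure contains user and root on `web` and root on `db`; withdrawing the `web -> db` firewall rule, or the `mysqld` vulnerability, removes the `db` root right while the `web` rights remain, which is the kind of comparison an administrator would use to rank hardening options.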
