Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options

The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-knowfn preventive security solution that aims to improve network security by taking proactive actions, namely, hardening options. However, most existing network hardening approaches rely on a single hardening option, such as disabling unnecessary services, which becomes less effective when it comes to dealing with unknown and unpatchable vulnerabilities. There lacks a heterogeneous approach that can combine different hardening options in an optimal way to deal with both unknown and unpatchable vulnerabilities. In this paper, we propose such an approach by unifying multiple hardening options, such as firewall rule modification, disabling services, service diversification, and access control, under the same model. We then apply security metrics designed for evaluating network resilience against unknown and unpatchable vulnerabilities, and consequently derive optimal hardening solutions that maximize security under given cost constraints.

[1]  Indrajit Ray,et al.  Optimal security hardening on attack tree models of networks: a cost-benefit analysis , 2012, International Journal of Information Security.

[2]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[3]  Fatih Alagoz,et al.  Cost-Aware Network Hardening with Limited Budget Using Compact Attack Graphs , 2014, 2014 IEEE Military Communications Conference.

[4]  Sushil Jajodia,et al.  Network Diversity: A Security Metric for Evaluating the Resilience of Networks Against Zero-Day Attacks , 2016, IEEE Transactions on Information Forensics and Security.

[5]  Indrajit Ray,et al.  Dynamic Security Risk Management Using Bayesian Attack Graphs , 2012, IEEE Transactions on Dependable and Secure Computing.

[6]  Debin Gao,et al.  Behavioral Distance Measurement Using Hidden Markov Models , 2006, RAID.

[7]  Sushil Jajodia,et al.  k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks , 2010, ESORICS.

[8]  Jackie Rees Ulmer,et al.  Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach , 2006, Decis. Support Syst..

[9]  Sushil Jajodia,et al.  Measuring the Overall Security of Network Configurations Using Attack Graphs , 2007, DBSec.

[10]  John McHugh Quality of protection: measuring the unmeasurable? , 2006, QoP '06.

[11]  K. Deb An Efficient Constraint Handling Method for Genetic Algorithms , 2000 .

[12]  Sushil Jajodia,et al.  Modeling Network Diversity for Evaluating the Robustness of Networks against Zero-Day Attacks , 2014, ESORICS.

[13]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[14]  H. Md. Azamathulla,et al.  Comparison between genetic algorithm and linear programming approach for real time operation , 2008 .

[15]  Tom Fifield,et al.  OpenStack Operations Guide , 2014 .

[16]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[17]  Sushil Jajodia,et al.  Minimum-cost network hardening using attack graphs , 2006, Comput. Commun..

[18]  Indrajit Ray,et al.  Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[19]  Indrajit Ray,et al.  Optimal security hardening using multi-objective optimization on attack tree models of networks , 2007, CCS '07.

[20]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[21]  Sushil Jajodia,et al.  Time-efficient and cost-effective network hardening using attack graphs , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[22]  Sushil Jajodia,et al.  k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities , 2014, IEEE Transactions on Dependable and Secure Computing.

[23]  Youki Kadobayashi,et al.  Exploring attack graph for cost-benefit security hardening: A probabilistic approach , 2013, Comput. Secur..

[24]  Alysson Neves Bessani,et al.  OS diversity for intrusion tolerance: Myth or reality? , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN).

[25]  Sushil Jajodia,et al.  Network Hardening: An Automated Approach to Improving Network Security , 2014 .

[26]  David Evans,et al.  N-Variant Systems: A Secretless Framework for Security through Diversity , 2006, USENIX Security Symposium.

[27]  Sushil Jajodia,et al.  Diversifying Network Services Under Cost Constraints for Better Resilience Against Unknown Attacks , 2016, DBSec.