An Approach to Graph-Based Modeling of Network Exploitations
Computer security professionals and researchers are investigating proactive techniques for studying network-based attack behavior. Attack modeling is one of these research areas. In this dissertation, we address a novel attack modeling technique called an exploitation graph (e-graph) for representing attack scenarios. The key assumption in this research is that we can use exploitation graphs to represent attack scenarios, and methods involving e-graphs can be applied to provide vulnerability mitigation strategies. The modeling process consists of three primary steps.
The first step is the creation of a knowledge base of vulnerability graphs (v-graphs) from known system vulnerabilities. Each v-graph shows necessary preconditions in order to make the vulnerability exploitable, and post-conditions that denote effects after a successful exploitation. A template is used to facilitate the definition of preconditions and post-conditions.
The second step involves the association of multiple v-graphs to create an e-graph specific to a system being modeled. Network topology information and security policies (e.g., firewall rules) are encoded during the modeling process. A set of experiments were designed to test the modeling approach in a cluster computing environment consisting of one server node and eight internal computing nodes. Experimental results showed that e-graphs can be used to evaluate vulnerability mitigation solutions, e.g., identifying critical vulnerabilities and evaluating firewall policies.
The third step of this process focuses on devising graph-simplification techniques for large e-graphs. Efficient graph-simplification techniques are described based on host and exploitation similarity. The most distinctive feature of these techniques is that, they help to simplify the most complex graph-generation process and do not require excessive memory storage. Experimental results showed that these techniques can not only reduce the size of e-graphs substantially, but also preserve most information needed for useful attack scenario analysis.
The usefulness of the e-graph approach is shown in this dissertation. As a general approach for system administrators, the proposed techniques can be used in, but is not limited to, the cluster-computing environment in providing proactive Vulnerability Assessment (VA) strategies.
Advisor:Rayford B. Vaughn; Susan Bridges; Edward B. Allen; David Dampier; Mahalingam Ramkumar; Jeff Carver
School:Mississippi State University
School Location:USA - Mississippi
Source Type:Master's Thesis
Date of Publication:08/19/2005