Maximizing Network Security Given a Limited Budget
Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava
Advisor : Professor Frank Y.S. Lin
Presented by Yu-Pu Wu
About
• Author
• Nwokedi C. Idika, Brandeis H. Marshall, Bharat K. Bhargava
• Title
• Maximizing Network Security Given a Limited Budget
• Provenance
• (TAPIA ‘09) The Fifth Richard Tapia Celebration of Diversity in
Computing Conference: Intellect, Initiatives, Insight, and
Innovations
Agenda
• Introduction
• The Attack Graph
• Related Work
• Providing Network Security
• Solving The SMCP
• Conclusion and Future Work
Introduction
• Network administrators fulfill the duty of preventing
network attacks by identifying vulnerabilities in the
network and then systematically removing the identified
vulnerabilities.
• The removal of an identified vulnerability from a network
may be referred to as a patch or a security measure.
Introduction
• A security measure is any action performed to remove at
least one vulnerability from a system.
• The set of all security measures is infinite.
• However, practically, a network administrator will
consider only a finite set of security measures for
possible application to the network she is protecting.
• Examples include modifying firewall rules, updating software on networked
hosts, shutting down system services, or modifying an authentication
routine.
Introduction
• The identification of vulnerabilities is critical to the
effective use of security measures.
• The usual tool for this identification is the vulnerability scanner.
• A drawback of this method is that vulnerability scanners
do not reveal the interdependencies that may exist
between vulnerabilities found on different hosts of the
same network.
• This shortcoming has been addressed with automated attack
graphs.
Introduction
• In this work, we detail an attack graph analysis that helps
network administrators be more effective at the Security
Measures Choosing Problem (SMCP).
• Informally, SMCP is the following:
• given a limited budget
• choose from a finite set of available security measures a subset of
security measures that provide the highest security possible
without going over budget.
Introduction
• We propose to provide this analysis by modeling the
SMCP as a Binary Knapsack Problem.
• We suggest the use of dynamic programming to solve the SMCP.
• Hence, our contribution includes:
• A novel approach that combines budget and hardening
recommendations into attack graph analysis, and
• Specification of how security metrics can be used to choose
hardening measures.
The Attack Graph
• An attack graph is a concise representation of all the
ways an attacker may leverage known vulnerabilities to
violate a given set of security policies.
• Each path in an attack graph corresponds to at least one
attack scenario where the attacker achieves his objective.
The Attack Graph
• An attack scenario is a sequence of actions that moves
the network from its initial state to a compromised state.
• The initial state corresponds to the initial configuration of
the network.
• The compromised state corresponds to the state where
the security policy violation(s) occurs.
The Attack Graph
• Attack graphs have a variety of representations.
• Attack graphs are composed of a series of exploits and security
conditions.
• An exploit is the realization of a vulnerability.
• For example, we can describe an SSH vulnerability as sshv1(h1, h2).
If such a vulnerability existed between two actual network hosts
such as 128.x.y.2 and 128.x.y.9, then the corresponding exploit
would have the form of sshv1 (128.x.y.2, 128.x.y.9).
• In other words, if a vulnerability is instantiated with actual
network specific information, then the result is an exploit.
The Attack Graph
• Security conditions are those attributes that are relevant
to the vulnerabilities of the network.
• A security condition can be relevant to an exploit in two
ways:
• (1) the security condition serves as a precondition for a
vulnerability
• (2) the security condition serves as a postcondition of a realized
vulnerability
The Attack Graph
• Types of Attack Graphs
• Although attack graphs have different representations,
we assert that they rely on common foundational
definitions.
• The state space for a network system is given by S, which
is a set of binary strings of size q.
• Hence, |S| = 2^q.
The Attack Graph
• Cond is a function that produces some subset of the system
state that represents the relevant security conditions given
either a vertex or an edge but not both.
• Hence, Cond(vi ⊕ (vk, vl)) ⊆ S where the vertices vi, vk, vl ∈ V.
• A represents the infinite set of possible attacks.
• An attack ai ∈ A where 1 ≤ i < ∞.
• A labeling function L labels either a vertex or an edge with an
attack.
• L(vi ⊕ (vk, vl)) = aj where vi, vk, vl ∈ V and aj ∈ A.
The Attack Graph
• Given either a vertex or edge, a function Prereq produces the
necessary conditions required for the exploit to be realized.
• That is, Prereq(vi ⊕ (vk, vl)) = vp(R vi)∗ ⊕ u ⊆ E ⊕ ∅, where R ∈
{∨, ∧}, E is the set of edges, and 1 ≤ i ≤ n with n as the number of
nodes in the graph.
• Given either a vertex or an edge a function Post produces
conditions provided by the exploit.
• This gives Post(vi ⊕ (vk, vl)) = vp(∨vi)∗ ⊕ u ⊆ E ⊕ ∅, where E is the
set of edges and 1 ≤ i ≤ n with n as the number of nodes in the
graph.
The Attack Graph
• Attack Tree.
• An attack tree is an undirected acyclic graph.
• The root node represents the attacker’s objective or main goal.
• Leaf nodes represent different starting states for an attacker.
• The intermediate nodes of the graph represent any of the
subgoals that may be used to achieve the attacker’s main goal.
• Nodes in the attack tree may represent security conditions or
exploits.
• Edges in the attack tree simply give the parent-child (i.e., goal-subgoal) relation between nodes.
The Attack Graph
• Formally, an attack tree is an acyclic graph G = (V, E).
• There exists a set of attacker objectives O where |O| = |V|.
• O ⊂ S ∪ A. ∃L(vi) = oi and Cond(vj) = oj where oi, oj ∈ O.
• E ⊆ {ek = (vi, vj), ek = (vj, vi) | vi, vj ∈ V ∧ i ≠ j ∧ 0 ≤ k < [n^2/2]}.
• We have P(ek) = P(vi, vj) = vi ⊕ vj.
• P is a function that yields the parent-child relationship existing
between two nodes connected by an edge.
• Given an edge that connects a goal and subgoal, P always returns the
goal.
• ∃vg ∈ V|if ∀ek where ek = (vg, vi)∧P(ek) = vg then vg is the attacker’s
main objective.
• As for the preconditions and postconditions, we have
respectively Prereq(vi ∈ V) = vp(R vi)∗ ⊕ ∅ and Post(vj ∈ V) =
vp(∨vi)∗.
The Attack Graph
• Condition Dependency Graph.
• A condition dependency graph is a directed graph where
nodes represent security conditions and edges represent
exploits that connect the graph’s security conditions.
• A condition dependency graph is given by G = (V,E) where ∀vi ∈ V,
Cond(vi) ⊆ S.
• E ⊆ {ek = (vi, vj)|vi, vj ∈ V ∧ vi ≠ vj}.
• L(ek) = ai, where ai ∈ A.
• We also have Prereq(ek) = vw and Post(ek) = vx, where (vw,vx) ∈ E.
The Attack Graph
• Exploit Dependency Graph.
• An exploit dependency graph is a directed graph where nodes
represent exploits and edges represent the security conditions
that connect exploits.
• An incoming edge represents a precondition for the exploit it points
to in the attack graph. An outgoing edge represents a postcondition
for the node (exploit) the edge is leaving.
• An exploit dependency graph is given by G = (V, E) where ∀vi ∈ V,
L(vi) = ab where ab ∈ A.
• E ⊆ {ek = (vi, vj) | vi, vj ∈ V ∧ vi ≠ vj}. Cond(ek) ⊆ S.
• We have Prereq(vj) = u ⊆ E ⊕ ∅. We also have Post(vl) = u ⊆ E ⊕ ∅.
The Attack Graph
• Hybrid Dependency Graph.
• A hybrid dependency graph is a directed graph where nodes are
represented as either a security condition or an exploit.
• Edges reveal the relationships between nodes but have no labels.
• Edges exist only between a security condition and an exploit or
between an exploit and a security condition.
• When there is more than one edge going from security condition
nodes to an exploit node, then all security condition nodes must be
satisfied in order for the exploit to be realized.
• When there is more than one edge going from exploit nodes to a
security condition node, then any one of the exploit nodes will satisfy
the security condition.
The Attack Graph
• The hybrid dependency graph is given by G = (V, E).
• V = V_exploits ∪ V_conditions.
• E = E_disjunction ∪ E_conjunction.
• Cond(vi) ⊆ S, where vi ∈ V_conditions.
• L(vi) = aj, where vi ∈ V_exploits and aj ∈ A.
• E_conjunction ⊆ {ek = (vi, vj) | vi ∈ V_conditions ∧ vj ∈ V_exploits}.
• E_disjunction ⊆ {el = (vt, vs) | vt ∈ V_exploits ∧ vs ∈ V_conditions}.
• We have Prereq(vc ∈ V_exploits) = vb(∧vi)∗, where vb, vi ∈ V_conditions.
• We have Post(vc ∈ V_exploits) = va(∨vj)∗, where va, vj ∈ V_conditions.
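An added example (not code from the paper): a small hybrid dependency graph with the conjunction/disjunction semantics defined above, forward-chained from the initial state to the compromised state; the order in which exploits become realized is one attack scenario. It goes one step beyond the definition by enumerating the minimal sets of exploits whose removal leaves the goal unreachable, which is how applying security measures is simulated on an attack graph. Host names, condition names and exploit names are constructed assumptions.

```python
from itertools import combinations

# Constructed hybrid dependency graph (toy, not from the paper): each exploit
# node lists its Prereq conditions (all required) and its Post conditions.
EXPLOITS = {
    "ftp_rhosts(h0,h1)": ({"user(h0)", "ftp(h1)"},        {"trust(h1,h0)"}),
    "rsh(h0,h1)":        ({"user(h0)", "trust(h1,h0)"},   {"user(h1)"}),
    "sshv1(h0,h1)":      ({"user(h0)", "sshd_v1(h1)"},    {"user(h1)"}),
    "local_bof(h1)":     ({"user(h1)", "setuid_bug(h1)"}, {"root(h1)"}),
}
# Initial state: the attacker holds a user account on h0; h1 runs ftp and an
# sshd v1 and carries a setuid binary with a known bug. Goal: root on h1.
INITIAL = frozenset({"user(h0)", "ftp(h1)", "sshd_v1(h1)", "setuid_bug(h1)"})
GOAL = "root(h1)"

def reachable_state(initial=INITIAL, exploits=EXPLOITS, removed=frozenset()):
    """Forward-chain to a fixpoint. Conjunction: an exploit is realized only
    when every one of its preconditions holds. Disjunction: a condition holds
    as soon as any realized exploit posts it. `removed` holds the exploits
    taken away by security measures. Returns (conditions, realized exploits)."""
    conds, realized = set(initial), []
    changed = True
    while changed:
        changed = False
        for ex, (pre, post) in exploits.items():
            if ex in removed or ex in realized:
                continue
            if pre <= conds:               # all preconditions satisfied
                realized.append(ex)        # one step of an attack scenario
                conds |= post
                changed = True
    return frozenset(conds), realized

def goal_reachable(goal=GOAL, removed=frozenset()):
    """True if the attacker can still reach `goal` after `removed` is applied."""
    return goal in reachable_state(removed=removed)[0]

def minimal_critical_sets(goal=GOAL, exploits=EXPLOITS):
    """Inclusion-minimal sets of exploits whose removal makes the network safe
    (brute force over subsets, which is fine for a toy graph)."""
    names, found = list(exploits), []
    for k in range(len(names) + 1):        # smallest sets first
        for combo in combinations(names, k):
            s = frozenset(combo)
            if any(f <= s for f in found):  # a smaller safe set already covers it
                continue
            if not goal_reachable(goal, s):
                found.append(s)
    return found
```

Removing only sshv1(h0,h1) leaves the ftp_rhosts/rsh route to user(h1) open, which is exactly the interdependence a per-host scanner report does not show.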
Related Work
• In attack graphs, the application of security measures is
simulated by removing some subset of vulnerabilities or
exploits from its representation.
• The literature discussed in this section proposes analyses that
provide the network administrator with hardening suggestions
that, if implemented, produce a safe network or a more secure
network with respect to a security metric.
Related Work
• Jha et al. attempt to find the smallest subset of measures that
are needed to make the network safe.
• The authors note that finding such a subset is equivalent to
the minimum hitting set problem which is NP-complete.
• The authors approximate a solution using a greedy approach
where the measures preventing the most attacks are chosen
in descending order.
• A drawback of this approach is that it is an approximation and
yields potentially suboptimal solutions.
Related Work
• Noel et al. propose a minimum-cost hardening method.
• The authors propose the use of algebraic backwards
substitution from an attack graph’s goal state to its initial
state.
• This backwards substitution yields the goal state in terms of the
initial conditions.
• The Boolean expression obtained for the initial conditions is
converted into conjunctive normal form yielding maxterms
that are then evaluated on a lattice.
Related Work
• Maxterms represent hardening suggestions that will preserve
the safety of the network.
• Maxterms lower in the lattice correspond to hardening
suggestions requiring the least cost or effort.
• The primary drawback of this approach is that it is binary. That
is, the effectiveness of this approach hinges on the ability of
the network administrator to implement all hardening
recommendations.
Related Work
• The assumption is made that the network administrator has
all the resources she needs to implement hardening
recommendations.
• However, a network administrator’s ability to safeguard a
network is often times constrained by a limited budget.
• Our approach deals with this challenge by incorporating the
network administrator’s funding constraint into the attack
graph analysis to discover hardening recommendations.
Related Work
• Phillips and Swiler incorporate a budget into their attack graph
analysis to generate hardening suggestions.
• However, their algorithm follows a greedy approach that does not
guarantee optimality.
• Furthermore, their analysis is based on knowing attacker costs or
attacker success probabilities, which are difficult to ascertain in
practice.
• Our approach guarantees optimality and does not rely on
knowing attacker costs or attacker success probabilities.
Related Work
• Lippmann et al. [13] describe a method for generating
hardening recommendations that are derived from removing
edges from the attack graph and observing its effect on the
system’s Network Compromise Percentage (NCP).
• A NCP of 0 percent would suggest a safe network.
• A NCP of 100 percent would suggest a network that is completely
compromised.
• When the analysis is done, the network administrator is
presented with recommendations in ascending order of NCP.
• However, she still has no assurance that the recommendations
offered represent optimal usage of her resources.
Related Work
• Coupling our method with the one in [13] gives the network
administrator the assurance that she is receiving optimal
recommendations with respect to her budget.
• We offer an algorithm for generating recommendations that
are guaranteed to optimize network security with respect to a
security metric (e.g., NCP) for the budget specified by the
network administrator.
Related Work
• Chen et al. [6] use the System Quality Requirements Engineering
(SQUARE) methodology to perform a detailed case study.
• The researchers used linear programming to determine the best set
of security measures to choose given the budget their client
allocated for security.
• Solving the problem of choosing security measures as a
combinatorial optimization is consistent with our approach;
• Our method maintains all discovered optimal solutions, whereas a
single optimal solution is provided in [6].
• The network administrator can then choose the best hardening
recommendation based on her experience.
Related Work
• Chen et al. use attack trees primarily for ancillary
documentation purposes whereas in our approach attack
graphs are integral.
• The network administrator can obtain a visual representation
of the effect each security measure has on the attack graph
and subsequently the network.
• Our approach can capture the effect of making the
exploitation of a particular vulnerability.
• The approach offered in [6] does not capture this form of
vulnerability interdependence.
Providing Network Security
• Safeguarding a network that is not under attack begins with
identifying the vulnerabilities of the network.
• This process typically involves using vulnerability analysis
methods. One commonly used method is to leverage vulnerability
scanners to discover vulnerabilities and then provide patches to
these vulnerabilities.
• Because vulnerability scanners do not consider the
interdependencies that may exist between vulnerabilities,
automated attack graph generation techniques have been
proposed to expose such interdependencies.
Providing Network Security
• The removal of security flaws is performed by implementing
one or more security measures; however, the selection of the
appropriate set of security measures is nontrivial.
• For example, discovering the “best” way of removing
vulnerabilities could require the manual analysis of many
combinations of security measures.
• There may be overlap in the vulnerabilities that security
measures remove.
• For example, take vulnerabilities v1, v2, v3, v4, v5, and v6 and
security measures sm1, sm2, and sm3, where sm1 removes v1, v5, and
v6; sm2 removes v1 and v4; and sm3 removes v1 and v3. Every measure
removes v1, so the benefit of a combination is not the sum of the
benefits of its members.
Providing Network Security
• The problem of choosing the appropriate combination of
security measures such that the security of the network is
optimized and constrained to a given budget is called the
Security Measures Choosing Problem (SMCP).
• The SMCP formulation is inspired by the classic Binary Knapsack
Problem.
• The Knapsack Problem is a well-known optimization problem
where the goal is to maximize a quantity subject to some
constraint.
Providing Network Security
• The problem can be formally defined as : given a set of n items
and a knapsack with
Providing Network Security
• mj may take on different values depending on what security
measures are already in place within the network.
• The model also assumes that the network administrator is
able to assign costs to the hardening measures in terms of
money or time.
Solving The SMCP
• We adopt the dynamic programming approach to solving the
SMCP. We define variables as the following:
Solving The SMCP
• The necessary steps to leverage our approach are:
• (1) determine the budget
• (2) determine the security metric of interest
• (3) generate the attack graph
• (4) determine what security measures are available to safeguard
the network and assign them costs
• (5) apply the dynamic programming algorithm to the inputs given
above.
Solving The SMCP
• If we assume that the security metric value can be obtained
from a depth-first search of the attack graph (e.g., the total
number of attack paths), then the dynamic programming algorithm’s
time complexity is O(nH^2B).
• Otherwise the algorithm has a time complexity of O(nHKB),
where K is the time complexity of the security metric function ζ.
• The security measures chosen for an optimal hardening
recommendation can be determined by backtracking through
R.
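An added example (not the paper's code) that carries the five steps above through on a constructed condition dependency graph, and that also illustrates the overlapping-measures problem from the Providing Network Security section: ζ is the number of attack paths found by depth-first search, each measure's gain m_j is its ζ improvement measured against the unhardened graph, and a binary knapsack table R is filled and then backtracked to recover every optimal measure set within the budget. The exploit and condition names, the costs, and the exact form of the recurrence are assumptions, since the slide defining the variables is not on the page.

```python
from collections import defaultdict
# Constructed condition dependency graph (toy): condition nodes, exploit edges Prereq -> Post.
EXPLOITS = {
    "sshv1(h0,h1)":      ("user(h0)",     "user(h1)"),
    "ftp_rhosts(h0,h1)": ("user(h0)",     "trust(h1,h0)"),
    "rsh(h0,h1)":        ("trust(h1,h0)", "user(h1)"),
    "sshv1(h1,h2)":      ("user(h1)",     "user(h2)"),
    "sshv1(h0,h2)":      ("user(h0)",     "user(h2)"),
    "local_bof(h2)":     ("user(h2)",     "root(h2)"),
}
INITIAL, GOAL = "user(h0)", "root(h2)"
# Constructed measures: name -> (cost, exploits removed). sm2 and sm4 overlap: each cuts the same two paths.
MEASURES = {
    "sm1": (5, {"local_bof(h2)"}),                      # patch the local bof on h2
    "sm2": (2, {"sshv1(h0,h1)", "ftp_rhosts(h0,h1)"}),  # firewall h0 -> h1
    "sm3": (1, {"sshv1(h0,h2)"}),                       # firewall h0 -> h2
    "sm4": (2, {"sshv1(h1,h2)"}),                       # disable sshv1 on h2
}

def count_attack_paths(removed=frozenset()):
    """Metric zeta: simple attack paths INITIAL -> GOAL left after `removed` is gone (DFS)."""
    adj = defaultdict(list)
    for ex, (pre, post) in EXPLOITS.items():
        if ex not in removed:
            adj[pre].append(post)
    def dfs(node, seen):
        if node == GOAL:
            return 1
        return sum(dfs(nxt, seen | {nxt}) for nxt in adj[node] if nxt not in seen)
    return dfs(INITIAL, {INITIAL})

def solve_smcp(budget, measures=MEASURES):
    """Binary knapsack DP: maximise summed gains m_j (paths each measure removes alone) within budget."""
    names = list(measures)
    base = count_attack_paths()                          # metric of the unhardened network
    cost = [measures[n][0] for n in names]
    gain = [base - count_attack_paths(frozenset(measures[n][1])) for n in names]
    n = len(names)
    R = [[0] * (budget + 1) for _ in range(n + 1)]       # R[i][b]: best gain, first i measures, budget b
    for i in range(1, n + 1):
        c, m = cost[i - 1], gain[i - 1]
        for b in range(budget + 1):
            R[i][b] = R[i - 1][b]                        # leave measure i out ...
            if c <= b:                                   # ... or take it if affordable
                R[i][b] = max(R[i][b], R[i - 1][b - c] + m)
    def backtrack(i, b, chosen):  # follow every branch that reproduces R[i][b], keeping all ties
        if i == 0:
            return [frozenset(chosen)]
        c, m = cost[i - 1], gain[i - 1]
        sets = backtrack(i - 1, b, chosen) if R[i][b] == R[i - 1][b] else []
        if c <= b and R[i][b] == R[i - 1][b - c] + m:
            sets += backtrack(i - 1, b - c, chosen + [names[i - 1]])
        return sets
    return R[n][budget], backtrack(n, budget, [])
```

With a budget of 3 the table yields two tied recommendations, {sm2, sm3} and {sm3, sm4}, both of which leave zero attack paths; with a budget of 4 it prefers {sm2, sm4} on summed gain even though one path survives, which is the double counting the "m_j depends on what is already in place" caveat warns about.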
Conclusion and Future Work
• We have modeled the problem of choosing security measures
to harden a computer network as a combinatorial optimization problem.
• We model the problem as the binary knapsack problem where
the goal is to maximize security subject to a limited budget.
• We call this problem the Security Measures Choosing Problem
(SMCP).
• Dynamic programming is used to solve the SMCP.
• This approach to solve the SMCP with attack graphs and security
metrics is novel.
Conclusion and Future Work
• Previous attack graph analyses did not give enough
consideration to the budget the network administrator had for
implementing hardening recommendations.
• Using dynamic programming to solve the SMCP assures the
network administrators that their network’s security is
optimized with respect to the security metric and budget
being used.
Conclusion and Future Work
• An aspect requiring further attention is security metrics.
• If a network administrator decides she wants to use different
security metrics to evaluate the same network, it is possible
that the security metrics will disagree in what is considered
“secure.”
• More work is needed to identify security metrics that have
reliable predictive value.
• We are currently in the process of developing a more robust
security metric for networks.
THANKS FOR YOUR ATTENTION!