| dc.contributor.author | SAIDU, ISAH RAMBO | |
| dc.date.accessioned | 2021-05-07T11:15:14Z | |
| dc.date.available | 2021-05-07T11:15:14Z | |
| dc.date.issued | 2015-09 | |
| dc.identifier.uri | http://196.220.128.81:8080/xmlui/handle/123456789/2943 | |
| dc.description | PhD THESIS | en_US |
| dc.description.abstract | Network administrators constantly face the challenges of identifying threats and, in retrospect, securing the organization’s network. The classical approach to identifying vulnerabilities in the network is to use commercially developed tools that do not take into cognisance vulnerability interaction between network elements and their behavioral pattern. This is not because system administrators are unaware of those techniques, but rather because the size of the system makes it impossible for a human being to capture every possible way the components may interact. Therefore, network administrators have to take a more proactive and holistic approach to identify vulnerability interrelationships and possible interactions, captured by an attack graph, which will help in identifying all possible ways an attacker could gain access to critical resources. The objective therefore is to design an attack graph–based approach for analyzing security vulnerabilities in enterprise networks, and to implement the approach and evaluate its performance. This thesis proposes an attack graph based on the MulVAL toolkit, a network security analyser based on logic programming. The attack graph directly illustrates logical dependencies among attack goals and configuration information. The MulVAL reasoning engine was modified so that besides a “true” or “false” answer, a Prolog query also records an attack simulation trace as a side effect of the evaluation. In the attack graph, a node is a logical statement and an edge represents a causality relation between network configurations and an attacker’s potential privileges. The running time of MulVAL consists of two parts: time for the scanner to collect configuration information and time for the reasoning engine to analyze the collected data. The performance of the MulVAL scanner on a Linux 9 host (kernel version 2.4.20-8) was measured. The CPU B940 is an Intel(R) Pentium(R) processor with 4.0GB RAM. The benchmark is a collection of Datalog tuples representing the configuration of the synthesized networks, and the graph generation CPU time was compared to that of the Sheyner attack graph toolkit. The resulting graph compares the graph builder CPU time for the case of a fully connected network and 5 vulnerabilities per host, and shows that the CPU time of Sheyner’s tool grows exponentially. Some important contributions of this work include establishing an attack graph–based approach for enterprise network security analysis that can capture generic security interactions and specify security-relevant configuration information. | en_US |
| dc.description.sponsorship | FEDERAL UNIVERSITY OF TECHNOLOGY AKURE | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | FEDERAL UNIVERSITY OF TECHNOLOGY AKURE | en_US |
| dc.subject | ENTERPRISE NETWORKS SECURITY ANALYSIS. | en_US |
| dc.subject | ATTACK GRAPH-BASED APPROACH | en_US |
| dc.subject | Network administrators | en_US |
| dc.title | ATTACK GRAPH-BASED APPROACH FOR ENTERPRISE NETWORKS SECURITY ANALYSIS | en_US |
| dc.type | Thesis | en_US |