A Composite Network Security Assessment

Suleyman Kondakci
Faculty of Computer Sciences, Izmir University of Economics, 035330 Izmir, Turkey

The Fourth International Conference on Information Assurance and Security

Abstract

This paper presents a new security assessment methodology and several areas of its application. Attack pattern analysis and local or remote network security monitoring are the major application areas of this concept. Instead of testing each asset or network node separately by applying repetitive attacks and assessments, the composite system generates and executes attacks once, composes risk data, and uses that risk data for the entire network in order to perform the overall assessment. This approach can be used as a model to guide the development of intrusion detection systems, intelligent network security analysis and monitoring systems, and also as a complementary function in information security test and evaluation laboratories.

1. Introduction

This paper presents a composite system for quantitative network security assessment. The composite assessment method does not require testing each asset separately: attacks are executed only once, and for the rest of the assessment a matching risk vector is created for each asset under test in order to compute its current risk and hence a new set of vulnerabilities for that asset. Quantitative risk assessment plays an important role in illustrating the impact factors of particularly large IT environments. The work presented here can be used to study network dynamics, frequently occurring threat characteristics, and risk growth patterns, as well as providing the ground for risk-driven security evaluations. We must reconsider approaches to information security starting from the risk assessment [2]. Current information security technology, however, deals with only a small fraction of the problem of information risk; in fact, the evidence increasingly suggests that information security technology does not reduce information risk effectively. We assess system vulnerability based on identifiable attacks such as protocol deficiencies, worms, and various intrusions. A list of the most recent Internet vulnerabilities is categorized as server-side and client-side vulnerabilities, policy and personnel, application abuse, network devices, and Denial of Service (DoS) attacks [14].

An example of a protocol deficiency is conflicting implementations of a specific protocol specification. For instance, the Border Gateway Protocol (BGP) is judged to be potentially the routing protocol most affected by the TCP reset vulnerability discussed below. BGP is widely deployed in current router implementations and relies on a persistent TCP session between BGP peers. Resetting that connection can result in medium-term unavailability, because routing tables must be rebuilt, and in route flapping. Frequent route flaps within a short time interval may lead to route suppression; further effects are packet delay, packet discard, and long-term unavailability of the served networks. That TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is only possible at all because the source IP address and TCP ports can be forged or "spoofed". Although denial of service using crafted TCP packets is a well-known weakness of TCP, until recently it was believed that such attacks were not achievable in practice: the receiving TCP implementation checks the sequence number of the RST or SYN packet, a 32-bit number, which appears to give a probability of 1/2^32 of guessing the sequence number correctly. The discoverer of the practicability of the RST attack was Paul A. Watson, who describes his research in a paper entitled Slipping In The Window: TCP Reset Attacks [17]. He noticed that the probability of guessing an acceptable sequence number is much higher than 1/2^32, because the receiving TCP implementation will accept any sequence number within a certain range (the receive window) around the expected sequence number.

In the following, Section 2 presents the related work, Section 3 discusses the general model of risk probing, Section 4 presents the quantification of attack effects, where some numerical examples are also given to illustrate the risk levels, and Section 5 concludes the paper.
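The window effect behind the reset attack described in the introduction, as an added illustration that is not part of the original paper: the functions below implement the RFC 793 acceptability test for a segment carrying no data (accept if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32, with the zero-window special case) and use it to count how many blind RSTs an attacker who already knows both addresses and both ports needs when stepping the sequence number by the victim's window size instead of trying all 2^32 values. The connection states and window sizes are constructed, not measurements from the paper. A later standard, RFC 5961, addresses exactly this case by accepting an RST only when it matches RCV.NXT and answering in-window RSTs with a challenge ACK; the code models the pre-5961 behaviour the paper discusses.

```python
"""Added example (not from the paper): the in-window TCP reset check of
RFC 793 and the attack cost it implies (Watson, 'Slipping in the Window').

Assumptions: the attacker already knows both addresses and both ports (for
BGP the server port is 179), so only the sequence number is unknown; the
victim applies the RFC 793 acceptability test for a zero-length segment.
All connection states below are constructed values.
"""

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit; arithmetic wraps


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment with no data (SEG.LEN = 0):
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, computed modulo 2**32 so a
    window that wraps past the top of the space is handled.  With a zero
    window RFC 793 accepts only SEG.SEQ == RCV.NXT."""
    if rcv_wnd < 0 or not 0 <= rcv_nxt < SEQ_SPACE:
        raise ValueError("invalid receiver state")
    seg_seq %= SEQ_SPACE
    if rcv_wnd == 0:
        return seg_seq == rcv_nxt
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def guesses_to_cover_space(rcv_wnd: int) -> int:
    """Sequence numbers an attacker must try, stepping by the window size,
    to be certain that one of them lands inside the window: ceil(2**32 / wnd).
    This is the figure the paper contrasts with the naive 1/2**32."""
    if rcv_wnd <= 0:
        raise ValueError("window must be positive")
    return (SEQ_SPACE + rcv_wnd - 1) // rcv_wnd


def blind_reset_segments(rcv_nxt: int, rcv_wnd: int, start: int = 0) -> int:
    """Simulate a blind attacker that does not know RCV.NXT: it sends RSTs
    whose sequence numbers start at `start` and advance by rcv_wnd.  Returns
    the number of segments sent up to and including the one the victim
    accepts.  Each segment is checked with seq_in_window, so a window that
    wraps around 2**32 is handled the same way the victim would handle it."""
    sent = 0
    for k in range(guesses_to_cover_space(rcv_wnd)):
        sent += 1
        if seq_in_window(start + k * rcv_wnd, rcv_nxt, rcv_wnd):
            return sent
    raise AssertionError("stepping by the window size must hit the window")


def attack_budget(rcv_wnd: int, candidate_ports: int) -> int:
    """Worst-case segments when the attacker must also guess one port
    (e.g. the BGP speaker's ephemeral port): one full sweep per candidate."""
    return guesses_to_cover_space(rcv_wnd) * candidate_ports


if __name__ == "__main__":
    # Constructed victim state: RCV.NXT = 0x12345678 with a 64 KiB window.
    nxt, wnd = 0x12345678, 65535
    print("sweep size for a 65535-byte window:", guesses_to_cover_space(wnd))
    print("segments until one is accepted:", blind_reset_segments(nxt, wnd))
    print("with 1024 candidate ports:", attack_budget(wnd, 1024))
```

The sweep size is ceil(2^32 / window), so a 65535-byte window reduces the search from about 4.3 billion sequence numbers to 65538, and a larger advertised window makes the attack cheaper still; the port factor is what remains once the window has been accounted for.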

978-0-7695-3324-7/08 $25.00 © 2008 IEEE DOI 10.1109/IAS.2008.59


2. Related Work

This paper presents an approach that can be used for quantitative security evaluations in varying areas. Using the RSEP protocol [10] and packet generation software such as tcpreplay [16] and the Network Simulator ns-2 [15], we generate network packets that also contain malicious code and protocol attacks (e.g., a TCP SYN-flood attack). Attack packets are categorized by their hazard rates and fed into the risk assessment engine of the RSEP protocol [10]. RSEP is designed to perform secure test and evaluation of information systems over the Internet and open networks, and it can be used by security and risk assessment facilities to support risk management. Common Criteria (CC) [4], ISO/IEC [9], and a few other internationally recognized standards and approaches (e.g., [3]) can also benefit from the quantitative assessment functionality of the composite method described in this paper. The presented concept of security evaluation requires only the external threat generation capabilities provided by the RSEP protocol and other experimental network packet generators. Network security assessment is becoming an unavoidable issue in evaluating enterprise networks and in academic curricula; e.g., [1] discusses the challenges of developing meaningful hands-on exercises for information assurance courses delivered online. The work in [18] addresses a full network security assessment of the working networks of five enterprises. The mostly questionnaire-based assessment proposed in [18] captures summary findings on IP addressing and authentication, intrusion detection systems, demilitarized zones, wireless networks, virtual private networks, and the most glaring security policy problems.

A simulation environment called ITGuru [5], developed by OpNET Corporation, is considered another notable system because of its ability to model an entire network, including its routers, switches, protocols, servers, and the individual applications they support. We agree with the argument in [8] that existing risk analysis techniques are often hard to apply in real-world contexts without appropriate software because of their computational complexity. We intend to provide a simple, theoretically and practically sound, quantitative risk management approach that simplifies security evaluation for evaluation facilities and professionals. Compared to formal specifications of risk assessment, as in [8], we present a method that provides practical solutions to quantitative risk assessment problems.

3. Description of the Composite Model

If a per-asset assessment procedure is applied, then test and evaluation of large, non-homogeneous networks can be cumbersome. There are several other disadvantages of the existing methodologies, especially high time and resource usage and an increased error rate due to repeated attack generation, capture, and assessment. We overcome these and other problems by creating three pools: an attack pool, a target pool, and an exploit pool. As illustrated in Figure 1, the attack pool contains the entire attack space, e.g., worm, protocol, spyware, spam, phishing, etc. The target pool contains different assets (computers, applications) using a diverse range of operating systems, running all possible applications, and having different configurations. Launching attacks against the target space results in an exploit pool containing various risk ranges (vectors), where each vector contains the vulnerabilities related to a specific target, i.e., an asset or host. Each target also has an existing vulnerability vector holding the risk vector from a previous test; if no previous test exists, the vulnerability vector is assumed to have been determined empirically or analytically. Indeed, the composite model performs the fundamental task of a dynamic risk profiling system, in which the risks caused by the attacks are ordered to match a set of vulnerabilities on the target of evaluation. Target systems with common characteristics are grouped according to their operating systems, versions, and other common features. Once the necessary exploit data about a target group has been obtained, we can perform the security evaluation of other targets matching the specifications of that group anywhere in the network without ever contacting those targets. This inference is only as good as the grouping: a target whose patch level or configuration differs from its group's specification inherits exploit data that may not apply to it. Below, we describe the concept of attack generation, capture, and ordering of the exploit pool in order to transfer the exploit data to risk ranges. In the next section, the risk ranges are used to compute the total risk for protected and unprotected networks.

Figure 1. The risk profiling system. (Attack pool: Protocol, Worm, Application, Procedural. Target pool: Group-1, Group-2, ..., Group-N. Exploit pool: Range-1, Range-2, Range-3, ..., Range-M.)

As mentioned earlier, identifiable threat packets are analyzed to determine quantitative risk values. Figure 2 illustrates the overall model that produces threat packets and the associated risk levels arranged in risk groups (ranges). Confidential information in the network packets collected on a network interface was removed using additional tools such as TCPDPRIV [7]. We have two major network configurations, protected and unprotected. As the input data to the risk quantification process, we collect attack success and failure information, which is processed to compute the associated exploit levels. Operations such as random packet generation, threat generation, packet capture, and attack classification are performed using [12] and [16], tcpdump, and Wireshark [6]. To analyze the dynamic behavior of the network traffic, and hence the related risk figure, we refer to the attack and capture model shown in Figure 2. Functions in the packet capture model are indicated by circles; the packets gathered in data tables that construct threat matrices are represented by rectangles. The functions are summarized as follows:

RPG, Random Packet Generator: RPG generates network traffic containing both normal and malicious packets.
ATP, All Threat Pass: ATP passes through the raw threat contents needed for unprotected network evaluations.
AG, Alarm Generator: AG generates mostly alarm (attack) packets, which also contain false positives.
DTG, Dynamic Threat Generator: DTG builds effective threat packets by filtering the false alarms coming from AG. DTG also cooperates with the intelligent false-positives database generated by FAG.
FAG, False Alarm Generator: FAG captures confirmed false alarms and stores the necessary false-positive pattern indices in an intelligent database for later use.
PAG, Perilous Alarm Generator: PAG generates hazardous threat patterns by composing the attack packets launched by the remote attacker and generated in DTG [12].
RG, Risk Generator: RG generates numerical labels (quantifiable exploits) for the various risk factors that are used to quantify impact levels.

At time $t_0$, network traffic containing a preset attack (e.g., SYN-flood) is generated by the remote agent [12] and the random packet generator RPG; then, via the input probing unit, random network packets are buffered and fed into the alarm generator AG. AG then produces a master pattern $M = \{m_1, \ldots, m_n\}$ depicting a set of captured attack vectors (alarms). Ideally, an AG is configured to identify certain attack patterns while passing others through and marking them as non-intrusive. It is assumed that patterns that have already passed through will not be recognized as threats; however, they may contain unknown or hidden threats. The offspring of a threat pattern is customizable: how a threat from the master pattern is propagated or rejected is configured using the configuration matrix $C = \{\lambda_1, \ldots, \lambda_n\}$. The dynamic threat generator DTG captures the threat patterns discovered by AG and generates actual, hazardous threat packets. The intermix threat matrix $T = \{\tau_1, \ldots, \tau_n\}$ holds the threat patterns produced by the DTG function. This matrix is supported by specific adaptive filter configuration parameters and functions that identify known (identifiable) threat patterns. The configuration matrix at the input of DTG is also used for fine-tuning the threat alarms; its content is combined with a set of filter parameters and rules needed by mechanisms built to withstand the current threat packets. Moreover, utilizing the required mapping functions of the perilous (dangerous) alarm generator PAG, the hazardous threat matrix $P = \{p_1, \ldots, p_n\}$, called the perilous attack table, is assembled from the promiscuous matrix $H = \{\psi_1, \ldots, \psi_n\}$. The perilous threats, which can cause extremely high risks, contain a negligibly low number of false alarms due to PAG's filtering of the false alarms coming from the intermix attack table T.

Figure 2. The risk generation system. (Function blocks: RPG, ATP, AG, DTG, FAG, PAG, RG. Data tables: promiscuous threats $H = \{\psi_1, \ldots, \psi_n\}$, threat alarms $M = \{m_1, \ldots, m_n\}$, intermix threats $T = \{\tau_1, \ldots, \tau_n\}$, effective threats $E_T$, perilous threats $P = \{p_1, \ldots, p_n\}$, configuration matrix $C = \{\lambda_1, \ldots, \lambda_n\}$, cumulative threats $C_T$, false alarms $f = \{\varphi_1, \ldots, \varphi_n\}$ fed back as $f_{t-1}$ and $f_t$, and risk labels $R = \{r_1, r_2, \ldots, r_m\}$. Logical switches $S_h$, $S_f$ and $S_p$, each drawn with positions 1 and 0. RPG = Random Packet Generator, ATP = All Threat Pass Packet Generator, AG = Alarm Generator, DTG = Dynamic Threat Generator, FAG = False Alarm Generator, PAG = Perilous Alarm Generator, RG = Risk Generator.)

4. Labeling Risk Levels

Now the packets are queued in the buffer of the risk generator RG, where the threat (or attack) tables are rearranged for the assessment of different security configurations, e.g., the analysis of protected and unprotected networks. Briefly, for each assessment task three main operations are performed simultaneously: random packet (network traffic) generation, packet capture and decoding, and generation of risk data. As shown in Figure 2, we use three logical switches, $S_h$, $S_f$, and $S_p$, to demonstrate the analyses of various attack patterns and associated risk levels. The risk generator RG produces an expandable set of risk ranges, where each range is labeled to quantify an expected risk value corresponding to a specific vulnerability: range 1 is labeled $r_1$, range 2 is labeled $r_2$, and range n is labeled $r_n$. The all-threat-pass function ATP passes every packet generated so far to produce threat flows for the promiscuous mode. In turn, the perilous alarm generator PAG generates highly hazardous attack patterns by composing threat packets from the promiscuous matrix H and the intermix matrix T. Note that PAG takes the intermix flow only when it carries pure threat information from which the false alarms have largely been eliminated. By default the system assumes that all unprotected networks operate in the promiscuous mode. The alarm generator AG functions as a passive network intrusion detection mechanism with no threat capture intelligence at all; hence it will always fail to perfectly discriminate actual malicious contents. Nevertheless, the false alarms that escape AG are filtered and saved by the dynamic threat generator DTG and the false alarm generator FAG, so that DTG produces approximately the actual attack information received from AG. Recall that the data received from AG also contains false alarms, which are processed by FAG. As seen in Figure 2, FAG has a feedback mechanism that feeds the required data to DTG after it has captured the false attack contents and computed the false alarm rates. Using this information, DTG filters out the false alarm contents and produces the effective threat matrix $E_T$.

Real-time parameters for risk range 1 are calculated by utilizing the required functions and parameters of FAG, parameters for range 2 are calculated from the master threat pattern without applying the FAG parameters, and so on. To produce the effective threat, initially, at time $t = 0$, the effective threat matrix $E_T$ derived from the threat matrix T is $E_T = T$. Then, at time $t + i$, for all $i = 0, \ldots, n$, the threat matrix T is transferred into the matrix $E_T$ by the following mapping algorithm:

$$E_T = T \odot (f_t \wedge S_f), \qquad E_T \propto \left(T \odot f_{t-1} \wedge S_f\right) \propto (M \wedge S_h), \ldots \quad \forall\, t + i. \tag{1}$$

The operator $\odot$ is a composition function, which selects an associated vector, say $a$, from T, transforms it using the function $f_t$ and the threat vector $a$ according to the current position of $S_f$, and inserts the resultant vector back into T, replacing the previous content of $a$. The operator $\propto$ denotes a joint relation between its left- and right-hand operands. Bearing this in mind, the effective threat matrix $E_T$ depends on $T \odot f_{t-1}$, which in turn is modified by the master matrix M and the positions of the switches $S_h$ and $S_f$. Another important matrix is the cumulative threat matrix $C_T$, which contains the cumulative threat pattern that generates the final risk output. The threat patterns generated will exploit the most recent vulnerabilities; a list of the most recent Internet vulnerabilities for Windows- and Unix-based operating systems is given in [14]. For convenience, we consider two extreme cases for the same network, unprotected and protected, to derive risk levels.

4.1. Unprotected Networks

Let us assume that the assets in a given network are unprotected. Then a special mapping producing the maximum risk range is given by the simple algorithm

$$[P \propto (H \wedge S_h)] \to R \equiv (X, X, X, X, r_m), \tag{2}$$

where the operator $\to$ means "mapping to", X stands for "don't care", and the maximum risk value $r_m$ denotes the highest achievable risk value reflecting the current threat pattern in the haphazard (promiscuous) matrix H. As seen in Figure 2, the All Threat Pass (ATP) function works like an all-pass filter that passes every input threat packet to its output without modification. Depending on the position of switch $S_h$, the output consists of the threat pattern of a haphazard situation. Obviously, this implies that the main actor is the perilous threat matrix P, containing the entire threat space modified by the associated mapping functions from PAG.

The hazard control switch $S_h$ enables the promiscuous mode, which in turn produces the highest risk levels using the perilous threats. Depending on the position of $S_p$, $S_h$ will only push the perilous threats into the computation mechanism to compute the cumulative threat and store the result in the $C_T$ matrix. The false alarm switch $S_f$ is used to compute the failure rates of the attacks and to enable the computation of the risk levels corresponding to both fail-free and failed attacks. Switch $S_h$ has two positions, $\Leftarrow$ and $\Rightarrow$. In position $\Leftarrow$ it disables DTG and enables the promiscuous mode, in which PAG starts to produce the perilous threats. In position $\Rightarrow$ it disables the promiscuous mode while enabling the dynamic threat generation mode, which is the mode used for testing protected networks.

4.2. Protected Networks

For a protected network, the threat values and associated risk ranges given by $R \equiv (r_1, r_2, r_3, r_4, r_m)$ are easily generated based on the positions of the switches $S_p$ and $S_f$. The algorithm is shown in Table 1.

Though there exist other approaches to quantitative risk assessment, e.g., the probabilistic approach used in [11], we use a simple scoring scheme to represent quantitative values for vulnerabilities, risks, and asset weights. By convention a default scoring metric ranging from 0 to 5 is used, where 5 denotes the highest value. Considering the weighting of assets, each asset is represented by a security attribute [12] which contains weighted items, in order to compute an average score used to determine a security parameter (strength or weakness) for the given asset.

Table 1. Mapping algorithm for the risk labels.

  $S_p$  $S_f$  Mapping algorithm                                                          Risk label (R)
  0      0      $(T \propto M)$                                                            $(r_1, 0, 0, 0)$
  0      1      $[C_T \propto (E_T \odot f_t)]$                                            $(0, r_2, 0, 0)$
  1      0      $[(P \wedge T) \propto M] \vee [((P \wedge T) \propto M) \odot f_{t-i}]$   $(0, 0, r_3, 0)$
  1      1      $[C_T \propto (P \wedge E_T) \odot f_t]$                                   $(0, 0, 0, r_4)$

4.3. Quantitative Risk Factors

Here we derive a simple formula to determine the quantifiable risk factor $r_k$ for asset k and a total risk for the entire network. The set of risk ranges defined as

$$R \equiv (r_1, r_2, r_3, r_4, r_m) \tag{3}$$

is transferred to an associative model of a cross product using n vulnerabilities and the asset weight associated with the asset under evaluation. The current risk factor of asset $a_j$ with weight $w_j$ and parameter $s_j$ denoting the relative strengths of the vulnerabilities of this asset is defined as

$$R_{a_j} \equiv (a_j, w_j, s_j), \qquad (R_{a_j}, w_j) \in [0, 5], \quad s_j[i] \in [0, 1].$$

The relative strength vector contains the strengths of the vulnerabilities present in the vulnerability vector of the related asset, relative to each other. Figure 3 shows the risk vectors that correspond to the eventual exploit levels associated with asset vulnerabilities, where each asset contains n vulnerabilities. The risk label (or vector) $r_i$ contains scalar risk factors computed from the attack results, where each risk factor exploits a vulnerability in the vulnerability vector $v_i$ of asset $a_i$. If a risk vector does not contain a risk factor corresponding to a vulnerability in the vulnerability list of an asset, then there is no risk associated with that vulnerability.

Figure 3. Vectors of the exploit pool. (The Risk Generator (RG) produces the risk labels $r_1, r_2, \ldots, r_m$; each label maps onto the vulnerability vectors $v_1(a_1, w_1), v_2(a_2, w_2), \ldots, v_m(a_m, w_m)$, each of which holds the entries $v_1, v_2, \ldots, v_n$.)

The final computation algorithm consists of two sets of operations: (1) current risk computation, and (2) replacing the previous vulnerability vectors with the newly computed vectors and computing the risk difference between the previous total risk and the newly computed total risk. The scoring scheme from [12] is used to compute the total risk normalized to 5:

$$R_{tot} = \frac{1}{m} \sum_{j=1}^{m} w_j \left( 1 - \frac{\sum_{i=1}^{n} r_i s_i}{5n} \right), \qquad w_j, r_i, R_{tot} \in [0, 5], \tag{4}$$

where $w_j$ denotes the asset weight of the jth asset, $r_i$ is the current risk corresponding to the previous value $v_i$ of the jth asset, and $s_i$ ($0 < s_i \le 1$) is the relative strength parameter of the ith vulnerability. Note that the bracketed term shrinks as the weighted risk factors grow, so a higher $R_{tot}$ under Eq. (4) corresponds to lower per-vulnerability risk; the improvement test in Algorithm 1 is consistent with this reading. Updating the previous vulnerabilities with the current result is defined as follows.

Algorithm 1: Updating the assessment results.
  input:  Risk matrix $R[\tilde r_i, \ldots, \tilde r_n]$, previous vulnerabilities $V[\tilde v_j, \ldots, \tilde v_n]$, current ($R_{tot}$) and previous ($R_{prv}$) total risks.
  output: Updated vulnerabilities $V[\tilde v_j, \ldots, \tilde v_n]$, improvement status [TRUE $\vee$ FALSE].
  if ($R_{tot} - R_{prv} \le 0$) then improve = FALSE; else improve = TRUE; end
  for j $\leftarrow$ 1 to m do
      for i $\leftarrow$ 1 to n do
          $v_j[i] \leftarrow r_j[i]$;
      end
  end
  return $R_{tot} - R_{prv}$, $V[\tilde v_j, \ldots, \tilde v_n]$, improve

As can be seen, this simplified algorithm updates the old vulnerability data with the new data and compares the previous and current total risks in order to determine whether the overall security has improved. Some vulnerabilities and their relative strengths identified earlier on a Windows-based operating system are shown in Table 2.
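Eq. (4) and Algorithm 1 carried out in code, as an added example that is not part of the original paper. It uses only the paper's definitions (asset weights and risk factors on the 0 to 5 scale, relative strengths in (0, 1], the mean over m assets); the two sample assets, their four vulnerabilities each and all of their numbers are constructed for the example and do not reproduce the Table 3 figures. The range checks in `validate` are an addition the paper does not state: a value outside the stated ranges pushes $R_{tot}$ off the 0 to 5 scale without any other symptom.

```python
"""Added example (not the paper's code): Eq. (4) total risk and Algorithm 1.

Uses only the paper's definitions: asset weight w_j in [0, 5], risk
factors r_j[i] in [0, 5], relative strengths s_j[i] in (0, 1], and the
0..5 scoring scale.  The sample assets are constructed, not Table 3's.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE = 5.0  # default scoring metric: 0 lowest, 5 highest


@dataclass
class Asset:
    name: str
    weight: float          # w_j
    risk: List[float]      # r_j[i]: current risk factor per vulnerability
    strength: List[float]  # s_j[i]: relative strength of vulnerability i
    vulns: List[float] = field(default_factory=list)  # v_j[i]: previous assessment

    def validate(self) -> None:
        """Range checks the paper states but never enforces; a value outside
        them silently pushes R_tot off the 0..5 scale."""
        n = len(self.risk)
        if n == 0 or len(self.strength) != n:
            raise ValueError(f"{self.name}: need n > 0 risk and strength values")
        if not 0.0 <= self.weight <= SCALE:
            raise ValueError(f"{self.name}: weight {self.weight} outside [0, 5]")
        if any(not 0.0 <= r <= SCALE for r in self.risk):
            raise ValueError(f"{self.name}: risk factor outside [0, 5]")
        if any(not 0.0 < s <= 1.0 for s in self.strength):
            raise ValueError(f"{self.name}: strength outside (0, 1]")


def asset_term(a: Asset) -> float:
    """Per-asset term of Eq. (4): w_j * (1 - sum_i r_i s_i / (5 n))."""
    n = len(a.risk)
    weighted = sum(r * s for r, s in zip(a.risk, a.strength))
    return a.weight * (1.0 - weighted / (SCALE * n))


def total_risk(assets: List[Asset]) -> float:
    """R_tot of Eq. (4): the mean of the per-asset terms over m assets.
    Because the bracket shrinks as risk factors grow, a larger R_tot means
    lower per-vulnerability risk, which is the sense Algorithm 1 relies on."""
    if not assets:
        raise ValueError("no assets to assess")
    for a in assets:
        a.validate()
    return sum(asset_term(a) for a in assets) / len(assets)


def update_assessment(assets: List[Asset], r_tot: float, r_prv: float) -> Tuple[float, bool]:
    """Algorithm 1: overwrite each previous vulnerability vector with the
    current risk vector (v_j[i] <- r_j[i]) and report the risk difference
    and whether the overall score improved (R_tot - R_prv > 0)."""
    delta = r_tot - r_prv
    improve = delta > 0.0
    for a in assets:
        a.vulns = list(a.risk)
    return delta, improve


def run_round(assets: List[Asset], r_prv: float) -> Tuple[float, float, bool]:
    """One assessment round: compute R_tot, then apply Algorithm 1."""
    r_tot = total_risk(assets)
    delta, improve = update_assessment(assets, r_tot, r_prv)
    return r_tot, delta, improve


def sample_assets() -> List[Asset]:
    """Constructed sample: two assets with n = 4 vulnerabilities each and
    s_i = 1 (equal relative strength), the same simplification the paper
    makes for its Table 3 walk-through.  The numbers are made up."""
    return [
        Asset("gateway", 4.5, [3.2, 3.0, 4.0, 3.0], [1.0] * 4, [2.0] * 4),
        Asset("web",     4.0, [1.0, 2.8, 3.5, 1.0], [1.0] * 4, [1.0] * 4),
    ]


if __name__ == "__main__":
    assets = sample_assets()
    r_tot, delta, improve = run_round(assets, r_prv=1.5)
    print(f"R_tot = {r_tot:.3f}, delta = {delta:+.3f}, improved = {improve}")
```

With the sample assets the gateway term is 4.5 * (1 - 13.2/20) = 1.53 and the web term is 4.0 * (1 - 8.3/20) = 2.34, so $R_{tot}$ = 1.935; against a previous total of 1.5 the round reports an improvement, against 2.5 it does not.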


Table 2. A vulnerability-risk table.

  Threat               $v_i$   $s_i$   Risk level
  W32/Mydoom           2.25    0.2     Medium
  Witty Worm           1.6     0.6     Low
  RPC exploit          1.28    0.5     Low
  W32/Nimda            4.48    0.8     High-Outbreak
  IIS WebDav Exploit   1.28    0.3     Low
  Backdoor-Sub7        2.28    0.75    Medium
  SQL Slammer          2.0     0.92    Medium
  W32/Kriz.3863        3.2     1.0     Medium-High
  Win95/CIH            1.2     0.45    High

The impact levels shown in the rightmost column are those specified by the Anti-Virus Emergency Response Team (AVERT) of virus security specialists at McAfee Corporation [13]. An example of the vulnerability lists of two assets, a gateway and a Web server, is given in Table 3.

Table 3. The risk vectors of a gateway and a Web server (GW, $w_{gw} = 4.5$; Web, $w_{ws} = 4.0$). Columns: item name, GW risk, GW vulnerability, Web risk, Web vulnerability. Items: Operating system, Simple point failure, IP & DNS spoofing, Source routing, Remote Access, DoS Attack, Protocol Ambiguity, Accounting. The 32 numeric cells are preserved only in the order they were extracted, without their row and column alignment: 1.2 1.0 2.0 2.8 1.0 1.8 2.5 0.0 2.5 2.2 3.0 3.2 1.0 1.0 0.0 0.0 3.0 2.8 2.8 3.2 4.0 3.5 3.0 2.0 3.0 1.0 0.5 2.8 1.8 2.5 1.2 2.2.

Using the data in Table 3, assuming equal relative importance $s_i = 1$ for both assets, and applying Eq. (4), we obtain a total risk of 2.6 for the gateway and Web server.

5. Conclusions

Quantitative risk assessment has a crucial role in the design of solid security solutions and in the efficient management of lifecycle security operations. The composite system can efficiently demonstrate the impact factors of particularly large IT environments with an insignificant amount of effort compared to per-asset assessments. Quantitative risk assessment methods are much harder to realize than qualitative approaches. We have presented a practically applicable quantitative method for network security risk analysis which can be used for simulation modeling, security experiments, and network security evaluation laboratories. The composite concept also provides the means to keep track of previous vulnerabilities and risks, so that a taxonomy for attack, target, and exploit pools can be formalized and updated systematically. In future work, we need to define formalized data structures, parameters, attack generation, capture, and mapping algorithms in order to incorporate internationally recognized network security standards and methodologies.

References

[1] Bhagyavati. Laboratory exercises in online information assurance courses. J. Educ. Resour. Comput., 6(4):4, 2006.
[2] B. Blakley, E. McDermott, and D. Geer. Information security is information risk management. In Proceedings of the 2001 Workshop on New Security Paradigms, pages 97–104. ACM Press, 2001.
[3] BS7799:PD3002. Guide to BS7799 risk assessment and risk management (PD3002), 2000.
[4] CC/ISO and CC/ISO-IS:15408. Common Criteria / ISO IS 15408, version 2.1, October 1999.
[5] V. Clincy. Using a simulation environment for teaching and researching networking topics. In ACM-SE 43: Proceedings of the 43rd Annual Southeast Regional Conference, pages 11–11, New York, NY, USA, 2005. ACM.
[6] G. Combs. Stinga SS7 test instruments, 2008.
[7] P. Danzig, J. Mogul, V. Paxson, and M. Schwartz. ACM SIGCOMM: The Internet Traffic Archive, Apr. 2008.
[8] M. Hamdi and N. Boudriga. Algebraic specification of network security risk management. In FMSE '03: Proc. of the 2003 ACM Workshop on Formal Methods in Security Engineering, pages 52–60, New York, NY, 2003. ACM.
[9] ISO/IEC:17799. ISO/IEC 17799:2000 code of practice for information security management, 2000.
[10] S. Kondakci. A remote IT security evaluation scheme: A proactive approach to risk management. In IEEE Proceedings of IWIA, volume 1, pages 93–102, Los Alamitos, CA, USA, 2006. IEEE Computer Society.
[11] S. Kondakci. A new assessment and improvement model of risk propagation in information security. Int. J. Information and Computer Security, 1(3):341–366, 2007.
[12] S. Kondakci. Remote security evaluation agent for the RSEP protocol. In Int. Conf. on Security of Information and Networks, volume 1, pages 186–195. Trafford Pub., 2007.
[13] McAfee. Assessing the risk of virus infection, 2004.
[14] SANS. The twenty most critical Internet security vulnerabilities, 2006.
[15] Sourceforge. The network simulator ns-2, Apr. 2008.
[16] A. Turner. The Internet traffic generator, Apr. 2008.
[17] P. A. Watson. Slipping in the window: TCP reset attacks, November 2003.
[18] G. L. Wooley. Results of classroom enterprise security assessment of five large enterprise networks. J. Comput. Small Coll., 18(3):185–195, 2003.