SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2012; 5:1471–1486 Published online 27 June 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.591

RESEARCH ARTICLE

Intelligent network security assessment with modeling and analysis of attack patterns

Suleyman Kondakci*
Faculty of Engineering and Computer Sciences, Izmir University of Economics, Sakarya Cad. No. 156, 35330 Balcova–Izmir, Turkey

ABSTRACT

This paper presents a new concept for information security assessments and identifies several areas of its application. Threat generation, attack pattern analysis, quantitative risk computation, and local or remote network security monitoring are the major application areas of this concept. Instead of testing assets one by one, applying separate repetitive attacks and assessments, the presented system generates and executes attacks once on a sample group, composes assessment data, and uses the data for the assessment of an entire network. This approach can be used as a model to guide the development of tool-based assessment systems, intelligent network security analysis and monitoring systems, and also as a complementary function in information security test and evaluation laboratories. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS
network security; risk assessment; information assurance; false attack discrimination

*Correspondence
Izmir University of Economics, Faculty of Engineering and Computer Sciences, Sakarya Cad. No.156, 35330 Balcova–Izmir, Turkey.
E-mail: [email protected]

1. INTRODUCTION

Any communication system implemented in accordance with the official TCP/IP specifications may keep reproducing security flaws that have already caused damage to information systems worldwide. According to reports from the Internet Engineering Task Force (IETF) and the SANS Institute, producing a secure TCP/IP implementation is still a difficult task, partly because no single document serves as a security roadmap for implementing the protocols securely. There is clearly a need for work complementing the IETF specifications that analyzes the security aspects and implications of the protocols, identifies possible flaws and threats, suggests countermeasures, and analyzes their respective effectiveness. Although there are a number of protocols and approaches that deal with securing and penetration testing information systems, this work focuses solely on the security assessment of information systems on the basis of a quantitative risk labeling technique. Showing the security status of a network quantitatively is becoming an important issue among researchers and also among IT owners. This paper deals with a composite assessment concept covering a wide range of threat families for quantitative network security evaluation and risk management. An introductory version of the composite assessment model is presented in [1]. Quantitative risk assessment plays an important role in illustrating the impact factors of particularly large IT environments. Prior to an assessment process, we define a set of configuration profiles for each homogeneous group and apply the test to only a single asset in a given sample group (e.g., Linux 3.3). This approach lets us perform time-efficient and accuracy-efficient assessments that do not require the repeated examination of similar assets separately. That is, attacks are executed on a sample asset only once, and the data generated from the test are applied to the assessment of the remaining assets in the same target group. To simplify the test, attacks, targets (subjects under test), and exploits are categorized within specific groups called sample targets/groups. A homogeneity scaling technique is applied to a sample group of assets to construct pools of assets with identical properties and/or configurations. Following the sample asset evaluation, the examination of a group of assets with similar properties becomes a trivial task. To compute the current risk, a matching risk vector is created for each asset belonging to a certain sample group, which is then used to determine a new set of vulnerabilities for similar assets and/or assets with common properties. Security test and evaluation have often been practiced using penetration attacks and intrusion detection systems (IDSs) as the main assessment tools. IDSs process huge volumes of network traffic monitored intensively, along

with the steadily growing attack activity taking place through public networks [2]. The concept presented here can also be viewed as an augmented intrusion detection system with risk measurement and false alarm detection capabilities, which can be used to study attack dynamics, steadily evolving threat types, and risk growth patterns, as well as providing the ground for risk-driven security evaluations. This methodology can be applied by security and risk assessment facilities to facilitate quantitative risk management tasks. Common Criteria [3] and ISO/IEC 27005:2011 [4] are internationally recognized standards and approaches that can also benefit from the quantitative assessment functionality of the composite method described here. The composite concept of security evaluation requires only external threat generation capabilities, provided by the RSEP protocol and/or other experimental network packet generators. Current information security technologies consider only a small fraction of the problems dealing with information risk; in fact, the evidence increasingly suggests that information security technology does not reduce information risk effectively. The composite method can effectively assess system vulnerabilities on the basis of identifiable attacks such as protocol-based exploits (e.g., ICMP ECHO request), worms, and various intrusions. Protocol deficiencies are implicitly introduced when the implementation of a protocol conflicts with its formal specification or the formal specification is misinterpreted during implementation. For instance, considering the specifications of the widely known border gateway protocol (BGP), many BGP implementations are judged to be potentially the most affected because of the vulnerability caused by misinterpreting the protocol specifications.

BGP is a routing protocol that is widely applied in many router implementations and relies on a persistent TCP session between BGP peers during the exchange of routing information. Resetting the connection between two BGP nodes can result in a medium-term unavailability and route flapping, because the related routing tables need to be rebuilt. If route flapping occurs frequently within a short time interval, serious route suppression could be unavoidable. Additional effects of this anomaly are packet delays, packet discards, and long-term unavailability of the networks that are controlled by the affected router. The work presented here does not directly deal with protocol-specific anomaly detection; it rather focuses on a composite approach for assessing and quantifying anomalies found in TCP/IP-based networks. A different approach, using various families of Markovian models for detecting anomalies in TCP/IP traffic, is presented in [5]. The fact that TCP sessions can be reset by sending suitable RST and SYN packets is a design feature of TCP according to RFC 793, but a reset attack is always possible because the source IP address and TCP ports can be easily forged or spoofed. Although denial of service (DoS) attacks using crafted TCP packets are a well-known weakness of TCP, until recently it was believed that successful DoS attacks of this kind were not achievable in practice. The reason is that the receiving TCP implementation checks the sequence number of the RST or SYN packet, a 32-bit number, which gives a probability of $1/2^{32}$ of guessing the sequence number correctly in a single attempt; see the analysis of TCP reset behavior on the Internet in [6]. The practicability of the RST attack was discovered by Paul A. Watson, who described his research in a technical white paper entitled Slipping In The Window: TCP Reset Attacks. He noticed that the probability of guessing an acceptable sequence number is much higher than $1/2^{32}$, because the receiving TCP implementation will accept any sequence number within the receive window around the expected sequence number; the number of packets an attacker needs therefore scales with $2^{32}$ divided by the window size rather than with $2^{32}$.

1.1. Outline of the paper

In the following, Section 2 gives a brief overview of related work. Section 3 introduces the composite assessment model and describes the risk generation machinery. Section 4 deals with risk labeling and quantification algorithms. Section 5 presents the threat pattern modeling and derives the necessary probability distribution functions; it also contains an example evaluation dealing with the Tribe Flood Network (TFN) attack. Finally, Section 6 concludes the paper.
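Watson's observation can be checked with a small simulation. The following is an added example, not code from the paper or from Watson's white paper; it assumes a receiver that applies the RFC 793 in-window test to a RST, and the receive window and expected sequence number it uses are constructed values, not measurements of any implementation.

```python
"""Added example, not from the paper: a blind TCP reset against the receive window.

Models the RFC 793 acceptance test a receiver applies to a RST and the
attacker Watson described: instead of guessing one of 2^32 sequence numbers,
the attacker steps through the sequence space in window-sized strides, so a
single packet per window position suffices.  The window size and the expected
sequence number below are constructed sample values (assumptions), not
measurements of any implementation.
"""
from dataclasses import dataclass

SEQ_SPACE = 1 << 32


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 check for a RST: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int          # next expected sequence number; unknown to a blind attacker
    rcv_wnd: int          # advertised receive window; the attacker only estimates it
    established: bool = True

    def receive_rst(self, seq: int) -> bool:
        """Apply one spoofed RST; True if it is accepted and tears the connection down."""
        if self.established and seq_in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.established = False
            return True
        return False


def packets_to_reset(conn: Connection, window_guess: int) -> int:
    """Blind attacker: send RSTs with seq = 0, w, 2w, ... until one lands in the window.

    window_guess is the attacker's estimate of the victim's window.  If it is
    larger than the real window a stride can jump over the window entirely, so
    the attacker has to retry with a smaller stride; that retry is not modelled
    and -1 is returned instead.
    """
    for k, seq in enumerate(range(0, SEQ_SPACE, window_guess), start=1):
        if conn.receive_rst(seq):
            return k
    return -1


def worst_case_packets(rcv_wnd: int) -> int:
    """Packets a full sweep needs: ceil(2^32 / window), versus 2^32 for exact guessing."""
    return -(-SEQ_SPACE // rcv_wnd)


if __name__ == "__main__":
    victim = Connection(rcv_nxt=0x8A3F12C4, rcv_wnd=65535)
    print("packets sent:", packets_to_reset(victim, 65535))
    print("worst case for a 64 KiB window:", worst_case_packets(65535))
    print("worst case for a 16 KiB window:", worst_case_packets(16384))
```

The sweep succeeds after a few tens of thousands of packets for a 64 KiB window, which is why the attack matters for long-lived sessions such as BGP peerings; the failing case with an overestimated window shows why the attacker also has to learn the victim's window size, not only the 4-tuple.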

2. RELATED WORK

The composite assessment method can be used for quantitative security evaluations in varying areas. By using the RSEP protocol [7] and packet generation software such as Tcpreplay [8], the Network Simulator ns-2, and Scapy, highly realistic network packets containing malicious code and protocol attacks (e.g., Smurf, SSping, and TCP SYN flood) can be generated and fed into the systems that undergo a security evaluation. To quantify impact ranges, the fabricated attack packets can then be discriminated according to their hazard effects while they are fed into the risk assessment engine of the RSEP protocol [7,9]. RSEP is designed to perform secure test and evaluation of information systems over the Internet and open networks. Like the composite assessment system presented here, IDSs and penetration test systems rely heavily on the accurate pattern matching capability of the system. Related to this, an IDS using a hybrid pattern matching approach is presented in [10]. Network security assessment is an indispensable task needed for evaluating enterprise networks and also necessary for providing cost-related information assurance. Information security audits provide a degree of assurance to management, customers, and other third parties that due consideration is given to information security issues. Hence, accurate modeling and simulation of networks and information security evaluations [11,12] are important issues. To have an overall picture of an entire network environment, modern simulation tools are often needed. Such tools can be effectively used to model and simulate an entire network, including its routers,

switches, protocols, technologies, servers, and the individual applications they support. Because of the exponential growth of Internet traffic bandwidth, packet-based identification of threats requires intensive resource usage. However, in many cases repeated packet patterns are the significantly suspicious ones, and these can be identified by use of Bloom filters at the cost of a small false positive rate. This capability can be adapted in particular to detect worms and DoS attacks [13]. Thus, to discriminate effective threat packets, our system is also able to benefit from this capability. It is hard to disagree with the argument in [14] that existing risk analysis techniques are often hard to handle in real-world contexts without the use of appropriate software because of their computational complexity. To overcome such limitations, the composite assessment method provides a simple, theoretically and practically sound risk management concept that can simplify security assessment for evaluation facilities and professionals. Compared with formal specifications of risk assessment, as in [14], the composite assessment method provides rather practical solutions to quantitative risk assessment problems. It neither provides solutions for risk mitigation [15] nor formalizes the general risk assessment methodology. A case study presented in [16] discusses formalized risk assessment, further highlights some limitations of quantitative risk assessment, and emphasizes that the theoretical formulas used in information security risk assessments do not contain the time dimension of the analysis. A formal tool for risk assessment and mitigation, which also considers (to some degree) the modeling of elementary attacks and threats, is presented in [17]. It is worthwhile mentioning some closely related literature regarding network packet analysis and attack/threat identification.

Network intrusion detection is the basic paradigm used for capturing, analyzing, and identifying anomalies in network traffic. Related to IDSs, a number of modes and algorithms can be found in [18–20]. For example, regarding the modes of IDS operation, [21] considers a pair of controlled experiments that compare two methods for early elicitation of security threats, namely attack trees and misuse cases. There also exist a variety of powerful tools for packet generation, attack identification, and network traffic analysis. Some of these tools are publicly available, mostly for research usage; for example, Snort and the tool suite [8] containing tcpreplay, tcprewrite, and flowreplay are used by numerous firewalls, IDSs, Internet service providers, networking vendors, enterprises, universities, security evaluation facilities, and open source projects. Furthermore, a vast amount of literature covering network packet analysis of varying types [22,23] can be found. Most of these focus on protocol decoding [24,25], network traffic monitoring, and bandwidth and throughput [26] analyses. Many more could be mentioned; for example, [27] uses a protocol reverse engineering approach for extracting the application-level protocols (DNS, HTTP, IRC, Samba, and

ICQ) used by some implementations, without accessing the protocol specification. A multipart lab exercise for researchers who intend to learn how to create and program Java- and MySQL-based applications to monitor the health of software for peer-to-peer networks is presented in [28]. Furthermore, there are various software products used for accurate packet analysis and network traffic simulation, for example, the Wireshark Network Protocol Analyzer and CAPSA. The work presented here is also closely related to some known research areas dealing with sensitive data identification, intrusion, and anomaly detection, for example, [29–31]. The reader who is not familiar with stochastic processes may refer to the literature covering this subject and queueing theory, for example [32].

3. RISK ASSESSMENT WITH THE COMPOSITE MODEL

The composite model assesses the overall risk of a large network in sample groups by generating, capturing, analyzing, and weighing the harms that are presented in actual threat packets of various attack types. A member of a sample group is used as the representative model for a planned assessment. The assessment of the sample member produces results that contain risk and vulnerability data for the many identical assets found in that sample group. This is the composite system's major feature: it runs a single test on a composition of systems with similar attributes. On the other hand, applying a per-asset assessment procedure to the test and evaluation of larger and nonhomogeneous networks can be cumbersome and often tends to be error prone because of the complexity of the networks and ambiguity in assessment planning. There are several other disadvantages of the existing methodologies, especially extreme time and resource usage and an increased error (or divergence) rate due to multiple attack generations, packet captures, and assessments that must be executed in different time slots and under different circumstances. The composite assessment model overcomes these and related problems by using three operational pools, namely the attack, target, and exploit pools. As illustrated in Figure 1, the attack pool can be configured to contain asymptotically all possible attacks, including worms and protocol-related, spyware, spam, phishing, and application-related attacks. The target pool consists of sample (or model) groups, each containing a similar set of assets using similar platforms and operating systems and/or having similar configurations. Launching attacks against a predefined target space results in an exploit pool containing various risk ranges (denoted by risk vectors), where each risk vector contains the vulnerabilities related to the target space.

It is also assumed that each target has an existing vulnerability vector containing risk data from an earlier assessment process. If the earlier test data are missing, they can be obtained empirically or analytically. Note that propagating a sample member's results to the rest of its group is only as sound as the grouping itself: an asset whose patch level or configuration has drifted from the sample member inherits a risk vector that no longer describes it, so the grouping criteria must include every property that changes the outcome of the attacks in the pool.
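The sample-group mechanics can be made concrete with a small script. The following is an added example, not the paper's own code: it scales a constructed asset inventory into homogeneous groups, "attacks" one representative per group, builds the risk vector as the attack success ratio per attack type (the percentage form defined in Section 4), and applies that vector to every member of the group. The inventory, the attack types, the grouping key (platform, OS version, role) and the attack outcomes are all assumptions made for the example.

```python
"""Added example, not the paper's own code: composite assessment by sample groups.

Assets are scaled into homogeneous groups by a configuration profile, one
representative per group is attacked, and the resulting risk vector (attack
success ratio per attack type, as a percentage) is applied to every member of
the group.  The inventory, attack types and attack outcomes are constructed
sample data.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Profile = Tuple[str, str, str]   # (platform, OS version, role/configuration) - assumed grouping key

ATTACK_TYPES = ("tcp_syn_flood", "icmp_echo_flood", "udp_fragment_overlap")

SAMPLE_ASSETS = [
    {"host": "web-01", "platform": "linux", "os": "3.3", "cfg": "nginx"},
    {"host": "web-02", "platform": "linux", "os": "3.3", "cfg": "nginx"},
    {"host": "db-01", "platform": "linux", "os": "3.3", "cfg": "postgres"},
    {"host": "ad-01", "platform": "windows", "os": "2008r2", "cfg": "dc"},
    {"host": "web-03", "platform": "linux", "os": "3.2", "cfg": "nginx"},   # older kernel: its own group
]

# Constructed outcomes of attacking one representative per group: attack type -> (a_i, s_i)
SAMPLE_OUTCOMES: Dict[Profile, Dict[str, Tuple[int, int]]] = {
    ("linux", "3.3", "nginx"): {"tcp_syn_flood": (50, 2), "icmp_echo_flood": (50, 0), "udp_fragment_overlap": (20, 0)},
    ("linux", "3.3", "postgres"): {"tcp_syn_flood": (50, 10), "icmp_echo_flood": (50, 0), "udp_fragment_overlap": (20, 0)},
    ("windows", "2008r2", "dc"): {"tcp_syn_flood": (50, 5), "icmp_echo_flood": (50, 25), "udp_fragment_overlap": (20, 0)},
    ("linux", "3.2", "nginx"): {"tcp_syn_flood": (50, 2), "icmp_echo_flood": (50, 0), "udp_fragment_overlap": (20, 4)},
}


def profile_of(asset: dict) -> Profile:
    """Homogeneity scaling key: assets sharing platform, OS version and role form one group."""
    return (asset["platform"], asset["os"], asset["cfg"])


def build_target_pool(assets: List[dict]) -> Dict[Profile, List[str]]:
    """Target pool: profile -> hosts, in inventory order (first host is the representative)."""
    pool: Dict[Profile, List[str]] = defaultdict(list)
    for a in assets:
        pool[profile_of(a)].append(a["host"])
    return dict(pool)


def risk_vector(counts: Dict[str, Tuple[int, int]]) -> Dict[str, float]:
    """r_x = (s_i / a_i * 100) per attack type i: a_i attacks launched, s_i of them successful."""
    vec = {}
    for atype in ATTACK_TYPES:
        attempts, successes = counts.get(atype, (0, 0))
        vec[atype] = round(100.0 * successes / attempts, 1) if attempts else 0.0
    return vec


def composite_assessment(assets: List[dict],
                         attack: Callable[[Profile, str], Dict[str, Tuple[int, int]]]) -> Dict[str, Dict[str, float]]:
    """Run the attack pool once per group, on its first member, and propagate the risk vector."""
    exploit_pool: Dict[str, Dict[str, float]] = {}
    for profile, hosts in build_target_pool(assets).items():
        vec = risk_vector(attack(profile, hosts[0]))
        for host in hosts:
            exploit_pool[host] = vec   # identical configuration -> identical risk vector
    return exploit_pool


def assessments_saved(assets: List[dict]) -> int:
    """Per-asset testing needs len(assets) runs; the composite model needs one per group."""
    return len(assets) - len(build_target_pool(assets))


if __name__ == "__main__":
    for host, vec in composite_assessment(SAMPLE_ASSETS, lambda p, h: SAMPLE_OUTCOMES[p]).items():
        print(host, vec)
    print("attack runs saved:", assessments_saved(SAMPLE_ASSETS))
```

The point of the `web-03` entry is the caveat from the text: because the grouping key includes the OS version, the older kernel forms a separate group and gets its own run rather than inheriting `web-01`'s vector; dropping the version from `profile_of` would silently give it a risk vector that does not describe it.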

3.1. Modeling the threat machinery

Figure 1. The risk profiling system. [Diagram: an attack pool (Protocol, Application, Procedural, Worm) is launched against a target pool (Target Grp 1, Target Grp 2, ..., Target Grp N) and yields an exploit pool of risk ranges (Range 1, Range 2, Range 3, ..., Range M).]

As can be seen, this concept provides a complementary task for creating dynamic risk profiles, where the estimated risks are used to build profiles of exploits that reflect the vulnerabilities in different groups of target systems. Target systems with common characteristics are grouped according to their operating systems, versions, and other common properties and attributes. Once the necessary exploit data about a target system have been obtained, we can perform the corresponding security evaluations of the other target systems in the entire network that match the specification of the sample target, without ever contacting those targets. To build different types of protocol attacks, many protocol-related attack pools can be generated using any reliable packet generator. A specific protocol-related attack pool can be built to contain crafted packets using the ICMP, UDP, TCP, and IP specifications. For example, the Teardrop attack uses fragmented UDP datagrams with malformed fragments, where the IP fragments are assigned overlapping offsets. When these fragments are reassembled at the destination host, some systems will crash, hang, or reboot. This type of DoS attack can be easily constructed using the specification of the IP header; one can likewise build attacks on the basis of smaller fragment sizes with gaps in the IP fragment offsets. The related fields in the IP headers of the attack packets are then filled in with these malformed data. As is known, ICMP has a special role among the protocols: it transmits error and control messages between systems. However, it can also be used for nefarious activity. Two specific ICMP message types are ECHO_REQUEST and ECHO_REPLY, which can be fabricated with spoofed source and destination identifiers (IP addresses and the ICMP identifier/sequence fields; ICMP carries no port numbers) to realize DoS attacks. ICMP echo is also commonly used to map a given network as part of the reconnaissance phase that prepares for various attacks.

Many DoS attacks make use of malicious ICMP packets encapsulated in IP datagrams. Some of the ICMP-based attacks are SSping, Smurf, WinFreeze, TFN, the ICMP Router Discovery Protocol (IRDP) DoS, and Loki.

We describe here the main components of the composite model. Figure 2 shows the machine model via which attack packets are generated and grouped into attacks with different hazard levels. It also illustrates the logical operation of the assessment process, which, in turn, determines the risk groups that reflect the different hazard levels. The system generates threat packets; classifies, identifies, and tags the threat packets with hazard weights; and, as the final step, computes the quantitative risk values caused by the different types of threats. The assessment does not involve the disclosure of private data: in nonexperimental testing, the necessary precautions should be taken to strip sensitive data from the network packets collected on a network interface, using additional tools such as TCPDPRIV [33]. Two major network configurations are set up for the prototype environments, protected and unprotected. Additionally, as part of the input data to the risk quantification process, data about attack success and failure rates are collected to fine-tune the associated exploit levels. Operations such as random packet generation, attack generation, packet capture, and attack classification can also be realized via custom-designed tools, which may optionally make use of the techniques provided by [8,34] and TCPDUMP. To analyze the dynamic behavior of the composite model and hence the risk generation process, we refer to the logical behavior of the assessment process shown in Figure 2. Functions of the system are indicated by circles; packets that are gathered in data tables, called threat matrices, are represented by rectangles. The elements of the composite system are summarized as follows.

RPG. Random packet generator: RPG generates network traffic containing both trusted and malicious packets.

ATP. All threat pass: ATP collects and passes through the raw threat contents needed for extreme-case analysis and for the evaluation of unprotected networks.

AG. Alarm generator: AG captures, identifies, and generates mostly alarm (attack-ready) packets, which also contain false positives.

DTG. Dynamic threat generator: DTG identifies and builds effective threat packets by filtering the false alarms coming from AG. DTG also cooperates with the intelligent false positive database generated by the false alarm generator FAG.

FAG. False alarm generator: FAG captures accurate false alarm packets and stores the necessary false positive pattern indices (packet IDs) in an intelligent database for later access.

PAG. Perilous alarm generator: PAG generates hazardous threat patterns by composing the attack packets that are launched by the remote attacker and generated in DTG.

RG. Risk generator: RG generates numerical labels (quantifiable exploits) for the various risk factors needed for the quantification of impact levels.

Figure 2. The risk generation system.

Initially, at time $t_0$, network traffic containing preset attacks (e.g., TCP SYN flood) is generated by a remote agent [34] and the random packet generator RPG; then, via the input probing unit, random network packets are buffered and fed into the alarm generator AG. AG then produces a master pattern $M = \{\vec{m}_1, \ldots, \vec{m}_n\}$ depicting a set of captured attack vectors (alarms). Alternatively, the open source tool Scapy can be used to generate and insert protocol-specific packets directly into the AG module. Ideally, an AG is configured to identify certain attack patterns while passing unidentified ones through and marking them as nonintrusive. It is also assumed that some patterns that were passed through will not be recognized as threats, although they may contain unknown or hidden threats. The offspring of a threat pattern is customizable: how a threat from the master pattern is propagated or rejected is configured by using the configuration matrix $C = \{\vec{c}_1, \ldots, \vec{c}_n\}$. The dynamic threat generator DTG captures the threat patterns that have been discovered by AG and generates actual threat packets that are hazardous. The intermix threat matrix $T = \{\vec{t}_1, \ldots, \vec{t}_n\}$ holds the threat patterns produced by the DTG function. This matrix is supported by an adaptive filter and functions that cooperatively identify known (identifiable) threat patterns. The configuration matrix is also used for fine tuning of the threat alarms before they enter the input of DTG. Its content is combined with a set of adaptive filter parameters and rules for enabling the mechanisms that are built to withstand the current attack patterns. The all threat pass (ATP) functionality is an important component of the threat generation machinery; it is used to pass all threat packets to the target system for the assessment of extreme cases. The ATP module buffers the threat packets into the hazardous threat matrix $H$. Two extreme attack cases can be independently generated using the contents of the hazardous threat matrix $H$ and the contents of the intermix threat matrix $T$. First, the contents of $H$ can be passed directly to the perilous (dangerous) attack matrix $P = \{\vec{p}_1, \ldots, \vec{p}_n\}$ for promiscuous mode testing. Second, by utilizing the mapping functions of the perilous alarm generator PAG on the intermix threat matrix $T$, another hazardous content for the perilous threat matrix $P$ can be assembled. The so-called perilous threats (contents of $P$), which can cause extremely high risks, contain a negligibly low number of false alarms because PAG filters the false alarms residing in $T$.
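The AG, FAG and DTG stages can be exercised on a handful of packet summaries. The following is an added example and not the paper's own code: AG is a stateless signature matcher with no context, so it also alarms on benign traffic; FAG compares the alarms with ground truth, keeps the false positive pattern indices and computes a false alarm rate per pattern; DTG drops the alarms whose pattern FAG has flagged, which leaves the effective threat matrix ET. The packet list, the three signatures, the ground-truth labels and the 0.5 cut-off are all assumptions made for the example.

```python
"""Added example, not the paper's own code: a toy run of the AG -> FAG -> DTG
chain of Figure 2 on constructed packet summaries.

AG is a stateless signature matcher with no context, so it alarms on benign
traffic as well; FAG compares the alarms with ground truth, stores the false
positive pattern indices and computes a false alarm rate per pattern; DTG drops
the alarms whose pattern FAG has flagged, leaving the effective threat matrix ET.
The packets, signature rules, ground truth labels and the 0.5 cut-off are all
assumptions made for the example.
"""
from collections import Counter
from typing import Callable, Dict, List, Set, Tuple

Packet = Tuple[int, str, str, int, int]   # (id, proto, flags/type, payload_len, dst_port; 0 = none)

# Constructed traffic mix: SYN flood on port 80, a BGP session reset, large pings, background noise
PACKETS: List[Packet] = [
    (1, "tcp", "S", 0, 80),
    (2, "tcp", "S", 0, 80),
    (3, "tcp", "SA", 0, 80),
    (4, "icmp", "echo", 1400, 0),     # legitimate large ping (e.g. a path-MTU probe)
    (5, "icmp", "echo", 64, 0),
    (6, "udp", "", 20, 53),
    (7, "tcp", "S", 0, 443),
    (8, "icmp", "echo", 1400, 0),
    (9, "tcp", "R", 0, 179),
]

# Ground truth: the lab's threat generator crafted these packets itself, so it knows which are attacks
TRUE_THREAT_IDS: Set[int] = {1, 2, 7, 9}

# AG signatures: (pattern index, predicate).  FAG indexes its database by the pattern index.
AG_RULES: List[Tuple[str, Callable[[Packet], bool]]] = [
    ("syn_no_ack", lambda p: p[1] == "tcp" and p[2] == "S"),
    ("large_icmp_echo", lambda p: p[1] == "icmp" and p[2] == "echo" and p[3] > 1000),
    ("tcp_rst_bgp", lambda p: p[1] == "tcp" and "R" in p[2] and p[4] == 179),
]

Alarm = Tuple[str, Packet]


def alarm_generator(packets: List[Packet]) -> List[Alarm]:
    """AG: the master pattern M, one alarm per (pattern, packet) match; no false alarm handling."""
    return [(idx, p) for p in packets for idx, rule in AG_RULES if rule(p)]


def false_alarm_generator(alarms: List[Alarm], true_ids: Set[int]) -> Dict[str, float]:
    """FAG: per pattern index, the fraction of its alarms that were raised on benign packets."""
    hits: Counter = Counter()
    false: Counter = Counter()
    for idx, p in alarms:
        hits[idx] += 1
        if p[0] not in true_ids:
            false[idx] += 1
    return {idx: false[idx] / hits[idx] for idx in hits}


def dynamic_threat_generator(alarms: List[Alarm], false_rates: Dict[str, float],
                             cutoff: float = 0.5) -> List[Alarm]:
    """DTG: keep the alarms whose pattern FAG has not found to be mostly false (assumed cut-off)."""
    return [(idx, p) for idx, p in alarms if false_rates.get(idx, 0.0) < cutoff]


def effective_threat_matrix(packets: List[Packet], true_ids: Set[int], cutoff: float = 0.5):
    """Run the chain once; returns (M, FAG rates, ET) so each stage can be inspected."""
    alarms = alarm_generator(packets)
    rates = false_alarm_generator(alarms, true_ids)
    return alarms, rates, dynamic_threat_generator(alarms, rates, cutoff)


def overall_false_alarm_rate(alarms: List[Alarm], true_ids: Set[int]) -> float:
    """Fraction of AG's alarms that FAG would classify as false."""
    if not alarms:
        return 0.0
    return sum(1 for _, p in alarms if p[0] not in true_ids) / len(alarms)


if __name__ == "__main__":
    m, rates, et = effective_threat_matrix(PACKETS, TRUE_THREAT_IDS)
    print("M  :", [(idx, p[0]) for idx, p in m])
    print("FAG:", rates)
    print("ET :", [(idx, p[0]) for idx, p in et])
```

Because FAG stores pattern indices rather than packet IDs, DTG suppresses a whole signature once its false alarm rate crosses the cut-off; that is cheap, but it also means a signature that is noisy in one traffic mix would hide a real attack that only that signature matches, which is the trade-off the feedback loop in Figure 2 has to be tuned for.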

4. LABELING OF RISK LEVELS

As shown in Figure 2, the current contents of the cumulative threat matrix CT are buffered at the input of the risk generator RG. Initially, RG classifies the attack types by decoding the signatures of the attack packets stored in its buffers. Following this, effective risk tables are built for the assessment of the different security configurations the victim system might have, for example, protected and unprotected networks. Briefly, for each assessment task, four major operations are performed simultaneously: (i) random network traffic generation; (ii) threat packet creation (attack encoding); (iii) packet capture and decoding; and (iv) generation of risk data. IP packets are intentionally encoded to form attack packets (e.g., over-fragmentation of datagrams). The encoding of the packets carries special threat tags called attack signatures. The risk generator unit identifies and classifies the attacks and the related risk values by decoding (resolving) the attack signatures. As depicted in Figure 2, we use three logical switches, $S_h$, $S_f$, and $S_p$, to help generate and analyze the various attack patterns and associated risk levels. The RG unit produces an extensive set of risk ranges, which are labeled for the quantification of discrete risk values corresponding to different vulnerabilities: range 1 is labeled with $\vec{r}_1$, range 2 with $\vec{r}_2$, and range $n$ with $\vec{r}_n$. On the basis of the default assumption that all unprotected networks operate in the promiscuous mode, the system can be configured to receive raw packets (the contents of the hazardous threat matrix $H$) for various experiments/simulations. That is, to generate normal threat flows for the promiscuous mode, the all threat pass function ATP can be configured to pass every packet generated so far through to the hazardous threat matrix $H$.

On the other hand, the perilous alarm generator PAG generates highly hazardous attack patterns by composing threat packets from the intermix matrix $T$. Note that PAG receives intermix flows only when there is pure threat data, from which the false alarms have been largely filtered. The alarm generator AG functions as a passive network intrusion detection mechanism that has no threat capture intelligence at all. Hence, it will always fail to accurately detect actual malicious contents. To compensate for this, the false alarms that escape from the AG unit are filtered and saved by the dynamic threat generator DTG and the false alarm generator FAG, so that DTG passes out only the actual attack data received from the AG unit. Recall that the threat alarms received from AG also contain false alarms, which are processed by FAG. As seen in Figure 2, FAG has a feedback mechanism that feeds the required data to DTG after it has captured the false attack contents and computed the false alarm rates. Using this information, DTG filters the false alarm contents and produces new contents for the effective threat matrix ET. Switch $S_h$ has two positions, ⇐ and ⇒. In position ⇐, it disables DTG and enables the promiscuous mode, so that PAG starts producing the perilous threats for testing/simulating unprotected networks; in position ⇒, it disables the promiscuous mode while enabling the

dynamic threat generation mode, which is the mode used for testing/simulating protected networks. The hazard control switch $S_h$ thus enables the promiscuous mode, which in turn produces the attack packets that can cause the highest possible risk levels by using the perilous threats. On the other hand, depending on the position of $S_p$, $S_h$ only pushes the perilous threat packets into the computation mechanism, which computes the cumulative threat and stores the result in the cumulative threat (CT) matrix. The output of the CT matrix, which is the actual threat content found on the target of evaluation, is connected to the risk generation (RG) module. The false alarm switch $S_f$ is used to compute the failure rates of the attacks and to enable the computation of the risk levels corresponding to both fail-free and failed attacks. The positions of the switches combined with the mapping algorithms shown in Table I accomplish the logic for determining the real-time parameters needed for the computation of the different risk ranges. For example, the real-time parameters used for risk ranges 2–4 of protected networks are calculated by utilizing the contents of the matrices ET and CT (both memoryless) and related data determined by the FAG module. The contents of CT are used for the generation of the final risk vector, that is, the vector that contains the attack-ready packets that could exploit the most recent vulnerabilities if launched against a vulnerable system. The parameters applied for the calculation of range 1, $(\vec{r}_1, 0, 0, 0)$, are determined from the master threat pattern without using the FAG parameters. A sample risk vector may contain attack success data from a variety of attack types in the form of attack success ratios as

$$\vec{r}_x = \left( \frac{s_1}{a_1} \cdot 100,\ \frac{s_2}{a_2} \cdot 100,\ \ldots,\ \frac{s_n}{a_n} \cdot 100 \right)$$

where $a_i$ denotes the number of attacks of type $i$, $s_i$ the number of successes of that attack type, and the factor 100 normalizes each element of the vector $\vec{r}_x$ to a percentage value of the attack success ratio. The intermix threat matrix $T$ contains mostly effective attack patterns and some false identifications that can be filtered by FAG. After the false alarms have been removed, only effective threat patterns remain; these are stored in the effective threat matrix ET and passed to the risk generator RG. This is required to determine the effective risk values for the final risk quantification.

Table I. Mapping algorithms for the generation of risk labels for protected networks.

$S_p$ | $S_f$ | Mapping algorithm | Risk label ($R$)
0 | 0 | $(T \triangleleft M)$ | $(\vec{r}_1, 0, 0, 0)$
0 | 1 | $\big[\mathrm{CT} \triangleleft \mathrm{ET} \circ \vec{f}_t\big]$ | $(0, \vec{r}_2, 0, 0)$
1 | 0 | $\big\{[(P \wedge T) \triangleleft M] \vee [(P \wedge T) \triangleleft M] \circ \vec{f}_{t-i}\big\}$ | $(0, 0, \vec{r}_3, 0)$
1 | 1 | $\big[\mathrm{CT} \triangleleft (P \wedge \mathrm{ET}) \circ \vec{f}_t\big]$ | $(0, 0, 0, \vec{r}_4)$

As mentioned earlier, the exploit pool contains vectors of vulnerabilities

related to various attack groups. Direct and stealth attacks such as DoS, SQL injection, and cross-site scripting can only be discovered when the attacks have already shown their effects on the victim systems. Besides, some malware attacks that are activated by user intervention (e.g., e-mail attachments, network file shares, Trojans, and instant messengers) are also discovered and reported by the user at random upon discovering the harm. The index of the most recent top cyber security risks related to a wide variety of the Internet vulnerabilities for the Windows-based and Unix-based operating systems is given in [35]. To produce an effective threat level, initially at time t = 0, the effective threat matrix ET will be initialized with the contents of the intermix threat matrix T. Further, at time t = t + i, for all i = 0, . . ., n, threat matrix T will be transformed into the effective threat matrix ET by the following mapping algorithms   ! !  ET ¼ T f ðv t ; a Þ∧Sf ;   ! ET / Tf ðv t1 Þ∧Sf / ðM∧Sh Þ ; . . . 8tþi

(1)

The operator ∘ is a composition function, which selects an associated vector, say $\vec{v}$, from T, makes a transformation utilizing function f and the threat vector $\vec{a}$ on the basis of the current condition of S_f, and inserts the resultant vector back into T, replacing the previous content of vector $\vec{v}$, that is, $\vec{v}_{t-1}$. The operator / denotes a joint relation between its left-hand and right-hand side operands, where the joining is performed from right to left. Bearing this in mind, the effective risk matrix ET is modified by $T \circ f(\vec{v}_{t-1})$, which, in turn, is modified by the master matrix M and the positions of the switches S_h and S_f. As depicted in Figure 2, the FAG operation $T \circ f(\vec{v}_t, \vec{a})$ performed on the vector $\vec{v}_t$ at time t is denoted by $f_t$, and at time t − 1, it is denoted by $f_{t-1}$, that is, by the operation $T \circ f(\vec{v}_{t-1})$.

4.1. Unprotected networks

For convenience, we consider in the following text only two extreme cases, the assessment of protected and unprotected networks, which can be easily applied to assessing networks with other ranges of security levels as appropriate. Let us first assume that a set of homogeneous assets in a given network is configured to work unprotected; then the required mapping algorithm producing a maximum risk range can be expressed as

$$[P / (H \wedge S_h)] \mapsto R \equiv (X, X, X, X, \vec{r}_m) \qquad (2)$$

where the operator ↦ means mapping to, X stands for don't care, and the vector $\vec{r}_m$ contains the highest achievable risk values reflecting the effect of the current threat patterns stored in the haphazard (promiscuous) matrix H. Referring to Figure 2, the all threat pass (ATP) function works like an all-pass filter that passes every incoming threat packet onto its output without modification. Depending on the position of switch S_h, the output will contain some threat patterns of the haphazard type. Obviously, this implies that the main actor is the perilous threat matrix P containing the entire threat space.

4.2. Protected networks

Considering the assessment of a protected network, threat values and associated risk ranges defined by $R \equiv (\vec{r}_1, \vec{r}_2, \vec{r}_3, \vec{r}_4, \vec{r}_m)$ can be automatically generated depending on the positions of the logical switches S_p and S_f and the contents of the main matrix M and the configuration matrix C. The algorithm shown in Table I defines four risk levels: low R(0, 0), medium R(0, 1), medium-to-high R(1, 0), and high R(1, 1). For example, the mapping of the medium-to-high risk level (R(1, 0)) is expressed as

$$R(1,0) = [(P \wedge T) / M] \vee \{[(P \wedge T) / M] \circ f_t\}$$

The remaining risk values can be easily verified by referring to Figure 2 and the related mapping algorithms given in Table I.

4.3. Quantitative risk model

Contents of the risk vectors that are generated by RG are used to compute scalar risk quantities. Here, we present a simple model to determine a quantitative risk factor $\vec{r}$ for a single asset and an overall risk level for the entire network together with the most recent impact factors. The set of risk ranges defined as

$$R \equiv (\vec{r}_1, \vec{r}_2, \vec{r}_3, \vec{r}_4, \ldots, \vec{r}_m) \qquad (3)$$

is transferred to an associative model of a cross product by using n vulnerability coefficients and an asset weight associated with the asset under evaluation. The risk model of asset $a_j$ with weight $w_j$ and the associative vulnerability vector $\vec{v}_j$ is defined as

$$R^a_j \equiv (a_j, w_j, \vec{v}_j, \vec{r}_k),\qquad R^a_j,\, w_j \in [0, 5],\quad \vec{v}_j[i] \in [0, 1]$$

Each vulnerability is presented as a strength factor and defined as a coefficient relative to the other factors of the vulnerabilities found in a vulnerability vector. Thus, for a given asset, the relative strength vector $\vec{v}$ contains the strength coefficients of vulnerabilities relative to each other. Figure 3 shows risk vectors that correspond to eventual exploit levels associated with vulnerabilities of asset $a_i$, where each asset contains n vulnerabilities. The risk label (or vector) $\vec{r}_i$ contains scalar risk factors computed from the attack results for asset $a_i$. The cumulative effect depends on the number of effective attack packets: the higher the number of effective attack packets in the RG buffer, the higher the associated risk factor.

Figure 3. The quantitative risk model.

Although there exist other approaches to quantitative risk assessments, for example, the probabilistic approach used in [36], we use a simple scoring scheme to represent quantitative values for vulnerabilities, risks, and asset weights. By convention, a default scoring metric ranging from 0 to 5 is used, where 5 depicts the highest value. Considering the weighing of assets, each asset is represented by a security attribute [34], which contains weighed items that are used to compute an average weight (representing strength or weakness) for the asset. The final operation in the risk assessment proceeds with two sets of tasks: (i) current risk computation and (ii) update of impact factors. The update operation computes the risk difference between the previous total risk and the newly computed total risk and replaces the previous vulnerability vectors with the newly determined vectors. A slightly modified version of the scoring scheme from [34] is used here to compute the total risk normalized to 5:

$$R_{tot} = \frac{1}{u}\sum_{j=1}^{u} w_j \left[\frac{1}{5m}\sum_{k=1}^{m}\sum_{i=1}^{n} \vec{r}_k\, v_i\right] \qquad (4)$$

This formula computes the total risk of an entity (e.g., a node) that has u assets, where each asset $a_j$ has a constant weight $w_j$, a risk vector $\vec{r}_k$, and n vulnerability coefficients, that is, $v_i \in \vec{v}_j$ ($0 < v_i \le 1$), as the relative strength parameter of the ith vulnerability of this asset. The probability distribution functions discussed in Section 5 are applied to estimating the threat prevalence and risk tendencies for the entities/assets of the assessed network. The prevalence estimation process requires the up-to-date vulnerability data about the entities assessed so far. This operation updates the recent vulnerability data with the newly obtained data and computes the difference between the recent and current total risks. This helps us to determine whether the overall security of the tested system has improved. Some examples of quantitative risk values are shown in Table II, where the risk levels are associated with vulnerability

Table II. A vulnerability–risk table.

Threat                Risk    Vulnerability    Risk level
W32/Mydoom            2.25    0.2              Medium low
Witty Worm            1.6     0.6              Low
RPC exploit           1.28    0.5
W32/Nimda             4.48    0.8              High–outbreak
IIS WebDav Exploit    1.28    0.3              Low
Backdoor-Sub7         2.28    0.75             Medium
SQL Slammer           2.0     0.92             Medium
W32/Kriz.3863         3.2     1.0              Medium–high
Win95/CIH             1.2     0.45             High

coefficients that were determined earlier on a Windows-based operating system. The impact levels shown in the right-most column are specified by the Avert Labs Vulnerability Risk Assessment Program of the McAfee Corporation [37]. Risk levels for the threats are computed by using the number of identified effective attacks on the target and the number of exploits caused by these attacks. For example, 100 attacks have led to 20 exploits because of existing vulnerabilities, and eight other exploits have been observed because of newly discovered vulnerabilities. Hence, the vulnerability vector was updated with newly computed coefficients because of the increase in the number of vulnerabilities. Test results of an experiment with eight different attacks on the same target group are shown in Figure 4. First, the target group was configured as unprotected, and then the same group was configured with a protection level of medium-to-high. For each configuration, a test was performed, and a risk vector and accompanying vulnerability coefficients for each asset in the test group were determined. Additional increases in the risk levels of the unprotected (upper curve) assets were observed. This was due to some causal effects [38], whereby the consecutive attacks were triggering other inherent vulnerabilities. For example, after a successful SQL injection, some other inherent or implanted attacks (e.g., injected scripts) were activated as a result of this exploit. These, in turn, increased the risk levels and the associated vulnerability coefficients for the unprotected assets. Obviously, this type of experiment is useful because it enables us to observe eventual chain effects caused by some unknown/hidden threats [38,39].

Figure 4. Assessment of the same target pool configured as (a) unprotected and (b) protected.
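As an added example rather than the paper's code, the following script evaluates the attack success ratio $\vec{r}_x$ introduced at the start of this section and the total-risk score of Eq. (4) on constructed assets. It reads $\vec{r}_k v_i$ as the product of the i-th entry of the k-th risk vector and the i-th vulnerability coefficient and keeps the $1/(5m)$ scaling, which is my reading of the formula as it survives on the page; the asset names and all numbers are made up.

```python
"""Added example: attack-success ratio r_x and the total-risk score of Eq. (4)
evaluated on constructed sample assets.  Standard library only."""
from dataclasses import dataclass
from typing import List, Sequence


def attack_success_ratio(attacks: Sequence[int], successes: Sequence[int]) -> List[float]:
    """r_x[i] = 100 * s_i / a_i: attack success ratio in percent for attack type i."""
    if len(attacks) != len(successes):
        raise ValueError("attacks and successes need one entry per attack type")
    ratios = []
    for a, s in zip(attacks, successes):
        if a < 0 or s < 0 or s > a:
            raise ValueError("need 0 <= s_i <= a_i")
        ratios.append(0.0 if a == 0 else 100.0 * s / a)
    return ratios


@dataclass
class Asset:
    """One asset a_j: weight w_j in [0, 5], vulnerability coefficients v_j[i] in (0, 1],
    and m risk vectors r_k (one per risk range), each with n entries in [0, 5]."""
    name: str
    weight: float
    vuln: List[float]
    risk_vectors: List[List[float]]

    def __post_init__(self) -> None:
        if not 0.0 <= self.weight <= 5.0:
            raise ValueError(f"{self.name}: weight outside [0, 5]")
        if not self.vuln or any(not 0.0 < v <= 1.0 for v in self.vuln):
            raise ValueError(f"{self.name}: vulnerability coefficients must lie in (0, 1]")
        n = len(self.vuln)
        for r in self.risk_vectors:
            if len(r) != n or any(not 0.0 <= x <= 5.0 for x in r):
                raise ValueError(f"{self.name}: each risk vector needs {n} entries in [0, 5]")

    def inner_risk(self) -> float:
        """(1/(5m)) * sum_k sum_i r_k[i] * v_i.  Reading r_k v_i as the product of the
        i-th risk entry and the i-th coefficient is an assumption about Eq. (4)."""
        m = len(self.risk_vectors)
        if m == 0:
            return 0.0
        total = sum(r[i] * v for r in self.risk_vectors for i, v in enumerate(self.vuln))
        return total / (5.0 * m)


def total_risk(assets: Sequence[Asset]) -> float:
    """Eq. (4): R_tot = (1/u) * sum_j w_j * inner_risk(a_j) over the u assets of an entity."""
    if not assets:
        raise ValueError("an entity needs at least one asset")
    return sum(a.weight * a.inner_risk() for a in assets) / len(assets)


def risk_delta(previous_total: float, current_total: float) -> float:
    """Update step of the assessment: signed change of total risk between two rounds.
    A negative value means the entity's overall security improved."""
    return current_total - previous_total


# Constructed sample: two assets of one node (values are not from the paper).
SAMPLE_ASSETS = [
    Asset("db-server", weight=4.0, vuln=[1.0], risk_vectors=[[4.5]]),
    Asset("web-front", weight=2.0, vuln=[0.5, 0.8],
          risk_vectors=[[2.0, 3.0], [1.0, 4.0]]),
]

if __name__ == "__main__":
    # Mirrors the Table II narrative: 100 attacks, 20 exploits of known and
    # 8 of newly discovered vulnerabilities.
    print(attack_success_ratio([100, 100], [20, 8]))   # [20.0, 8.0]
    r_now = total_risk(SAMPLE_ASSETS)
    print(f"R_tot = {r_now:.3f}, delta vs previous 3.0 = {risk_delta(3.0, r_now):+.3f}")
```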

5. THREAT PATTERN MODELING

Network intrusion detection has been used as the key technique in providing effective proactive security mechanisms. Intrusion detection approaches are often based on the use of data-mining techniques that analyze network traffic collected from a set of nodes, mostly using TCPDUMP and the Simple Network Management Protocol (SNMP). However, more recently, we find some new approaches adopting clustering techniques [40–42] to accurately distinguish benign traffic from malicious network activities. Threat patterns generally occur at random times, modeled as random arrivals of service requests in a stochastic queueing system. Hence, probing and discovering attack patterns are assumed to be stochastic processes. Undoubtedly, much network traffic contains harmful data of varying threat context, called malicious data packets. Malicious network packets present stochastic threat patterns in different periods. It is very difficult to capture exact threat patterns in sporadically occurring network traffic [43], especially with the exponentially growing Internet bandwidth that follows from the scale-free property of the Internet. However, in most cases, it is likely to observe and capture malicious contents at different network layers. A packet-level worm simulation presented in [44] is an example of this technique, which considers realistic network characteristics that include queuing delay, packet loss, and link delays. Modeling the entire threat spectrum with dynamically changing Internet topology and floods of information is an extremely resource-intensive task. This limitation can be partly eliminated by splitting the threat-contaminated network traffic into more realizable subsequent threat domains, each pertaining to a particular category of threat patterns, or by applying distributed learning algorithms [19] combined with a load balancer that splits the network packets and forwards them to different threat generators (DTGs).

A vast amount of work has been put forward to deal with new [45] and effective network intrusion detection methods and implementations; however, the real-time performance of these methods may be argued [46,47]. In particular, optimum sensor deployments [2] and agent cooperation among many threat identification engines are process intensive and require faster response times and data storage management to minimize packet leakages. Thus, it is important to determine where in the spectrum the malicious packets are hidden and on which family of the network assets the malicious packets have their maximum realizable impacts.

5.1. Massive attacks

Automatically distributed malware attacks, for example, the Slammer worm or other scan worms, spread quickly in the form of a branching process. The discovery of instantaneous harms, covering all the attack branches, becomes very difficult. Depending on the protection level, these attack groups present varying probability distributions. For example, the scan worm attack is modeled as a branching process [48]; the distribution of the impact on protected systems is more likely Poisson distributed, but on unprotected systems the impact is much higher and is thus approximated by a binomial distribution. In the Poisson case, although the attack density (or rate of spread) is very high, the probability of attack success is relatively small. Considering the random variable x equal to the total number of successes in n attack trials, the event {x = k} has probability

$$P\{x = k\} = \frac{a^k}{k!}\,e^{-a} \qquad (5)$$

where a = np is the average number of successes in n independent attacks, each with success probability p. The exponential term can be expressed as

$$\lim_{n\to\infty}\left(1 - \frac{a}{n}\right)^{n} = e^{-a}$$

On the other hand, because of the higher rate of its success, the impact of the Slammer worm attacking a single node is modeled as a binomial process. Thus, the probability of having {x = k} successful attacks in n independent attacks is given by

$$P\{x = k\} = \binom{n}{k} p^{k} q^{\,n-k} \qquad (6)$$

where k denotes the number of successful attacks and n − k denotes the number of failures among n independent attacks. The probability of successful independent attacks on identical systems is denoted by p, and q = 1 − p. Because p varies with the type of target group, we need to experimentally determine its value for each group of target systems. Denial of service attacks are also massive attacks; some of them utilize ICMP echo requests (e.g., Smurf, Teardrop, and Ping O'death), SYN floods, and UDP floods. Because the victim nodes break down and recover in small time units, their states can be modeled as an Erlang process with either a binomial or a Poisson distribution, depending on the attack density and the impact rate of the attacks. DoS attacks can be conducted with a few attackers, or they can be arranged in extremely large attack groups. Attacks on a single unprotected host tend to show binomially distributed results, whereas larger attacks on a single protected host have the characteristics of a Poisson distribution. Hence, as considered in the following text, the identification of attack events (both effective and false attacks) is modeled as a stochastic process. It is assumed that intermix threat packets are under constant surveillance, inspected at random times, and then discovered in negligibly small time slots. Inspection and discovery of attack patterns can then be modeled as a simple Markov process.


Preliminary remarks

At this point, it is necessary to introduce the basic terminology and definitions to better understand the stochastic processes used for modeling both the threat generation and packet capture processes of the system presented here. A Markov-based network queueing process with stationary probabilities assumes the following properties:

• The process of threat packet arrivals can have a finite number of states s_1, s_2, ..., each state representing the number of observed events found in a certain time slot. We say that the process is in state n if n events of a specific type occur (e.g., receipt of n infected messages) in the system at an epoch of a given observation time. Consider a random flow of network packets with density λ, and let x(t) be the number of arrivals of a specific threat packet occurring during time t. Then, clearly, x(t) is a Markov process whose states can be described by the integer values 0, 1, 2, .... The evolution of the process in time is described by the random function x(t) for any fixed t and its state variables i, j = 1, 2, ..., n. Because of the Markovian property, x(t) can only leave the state s_i by going into state s_{i+1} (or more generally into state s_j). The parameter λ is called the density of transition out of any state. More specifically, λ represents the density of the threat packets, which affects the state (number) of the threat packets currently found in the system. If λ = 0, the process remains forever in the current state. If, on the other hand, λ > 0, the probability of the process undergoing a change of its state in a small time interval Δt is $\lambda\Delta t + o(\Delta t)$, where o(Δt) denotes an infinitesimal of higher order than Δt having the property

$$\lim_{\Delta t \to 0} \frac{o(\Delta t)}{\Delta t} = 0$$

• At time t = 0, the process occupies state s_i with the initial probability

$$p_i^0 = P\{x(0) = s_i\},\quad i = 1, 2, \ldots \qquad (7)$$

• The transition probability that a process (or system) goes, at time t, from state s_i to s_j after time τ is defined as

$$p_{ij}(\tau) = P\{x(t+\tau) = s_j \mid x(t) = s_i\},\quad i, j = 1, 2, \ldots \qquad (8)$$

independent of its behavior before time t.

• Let

$$p_j(t) = P\{x(t) = s_j\},\quad j = 1, 2, \ldots$$

be the probability that a system will be in the state s_j at time t; then we obtain a recursion formula with initial probability at time t = 0,

$$p_j(0) = p_j^0,\quad j = 1, 2, \ldots$$

and the intermediate probability after time t + τ as

$$p_j(t+\tau) = \sum_{k} p_k(t)\, p_{kj}(\tau),\quad j = 1, 2, \ldots \qquad (9)$$

Assuming

$$p_{ij}(0) = \begin{cases} 1, & \text{if } j = i \\ 0, & \text{if } j \neq i \end{cases} \qquad (10)$$

the recursive formula, Equation (9), denoting the probability that the process will be in the state s_j following the state s_i, becomes

$$p_{ij}(t+\tau) = \sum_{k} p_{ik}(t)\, p_{kj}(\tau),\quad i, j = 1, 2, \ldots \qquad (11)$$

for arbitrary t and τ.

• Let z be the probability of threat packet arrivals with arrival rate λ; then, by referring to the property of a general Poisson process [49], it can be easily verified that the probability of n threat packets being captured in t time units is

$$p_n(t) = \frac{(\lambda z t)^{n}}{n!}\, e^{-\lambda z t} \qquad (12)$$

5.2. Effective threat packets

Launching of many DoS/distributed DoS (DDoS) attacks, for example, Tribe Flood, Trinoo, Smurf, Land, Fraggle, and WinFreeze, can be scheduled to occur in a stochastic manner. Attacks with stochastic behavior are more efficient compared with easily detectable continuous or periodic ones. Thus, the analysis of effective threat packets launched in this manner is modeled as a stochastic process, with the focus on the fact that the number of attacks is high, whereas each attack has a small probability of success. Therefore, the following discussion assumes (1) identical attack packets of a known threat type, where each packet arrives independently of the others, and (2) packets arriving in a single sequential Poisson process with exponential arrival rate λ and an exponential effect rate. To estimate the number of effective threat packets being captured at any time, we need to determine the limiting probabilities of randomly occurring attack packets. In other words, the packet capture process of individual exploit groups is a Markov process, assuming that we have m identical packets (because they come from a common exploit group), each being captured independently, and that each arrival of such packets has probability λΔt + o(Δt) of being captured. That is, the probability that at least one threat packet arrives in a small time interval Δt is λΔt + o(Δt), whereas the probability that more than one threat packet occurs in Δt is o(Δt).


Regarding the assessment process, the incoming traffic to the intermix threat matrix T is a Poisson process with attack density λ, where each packet has probability λΔt + o(Δt) of being an actual attack packet among the benign ones. Packets are captured, identified (whether a false positive or an effective attack), and transmitted either to RG for buffering or to FAG for the discrimination of false alarms. Obviously, for conducting a probabilistic risk assessment with the aim of establishing a heuristic vulnerability repository, stochastic modeling plays an important role. By analyzing a finite set of attack and counter-response activities, we can determine appropriate probability distributions, which can be applied to estimating the risk-impact figure of any existing protection configuration. Thus, the tendency analysis of future attack evolutions and the design of suitable defense mechanisms can be facilitated. Because the arrival of attack packets is modeled as a Poisson process with exponentially distributed parameter λ, the probability of identifying k attack packets at a node can be determined by

$$P\{x(t) = k\} = \frac{(\lambda t)^{k}}{k!}\, e^{-\lambda t},\quad k = 0, 1, 2, \ldots$$

This can be justified as follows. The arrivals of the threat packets at the victim machine are assumed to be a random flow of events with density λ, and x(t) the number of attack events occurring in time t. The occurrence of x(t) events is a Poisson-distributed Markov process, whose states are denoted by the integral state values k ∈ [0, ..., n]. Suppose the transition probabilities $p_{ij}(t)$ for a Markov process with a finite number of states are expressed as

$$p_{ij}(\Delta t) = \lambda_{ij}\Delta t + o(\Delta t),\quad i, j = 1, 2, \ldots;\qquad 1 - p_{ii}(\Delta t) = \lambda_i \Delta t + o(\Delta t),\quad i = 1, 2, \ldots \qquad (13)$$

Remark 1. Note that it follows from Equation (13) and the condition

$$\sum_{j} p_{ij}(\Delta t) = 1,\quad i = 1, 2, \ldots \qquad (14)$$

that $\lambda_{ii} = -\lambda_i$, i = 1, 2, ..., where $\lambda_i$ gives the density of the transition out of state s_i and $\lambda_{ij}$ gives the density of the transition from state s_i to state s_j. The continuous Markov process x(t) can only move from state i to state i + 1.

Corollary 1. Given transition probabilities (13) and initial conditions (14), the transition probabilities satisfy two systems of linear differential equations, namely the forward Kolmogorov equations

$$p'_{ij}(t) = \sum_{k} p_{ik}(t)\,\lambda_{kj},\quad i, j = 1, 2, \ldots \qquad (15)$$

and the backward Kolmogorov equations

$$p'_{ij}(t) = \sum_{k} \lambda_{ik}\, p_{kj}(t),\quad i, j = 1, 2, \ldots \qquad (16)$$

given that the differentiations are carried out with respect to t.

Proof. It follows from Equation (11) that

$$p_{ij}(t+\Delta t) = \sum_{k} p_{ik}(t)\, p_{kj}(\Delta t) = \sum_{k} p_{ik}(\Delta t)\, p_{kj}(t) \qquad (17)$$

Using Equation (13) and condition (14), we obtain

$$\frac{p_{ij}(t+\Delta t) - p_{ij}(t)}{\Delta t} = \sum_{k} p_{ik}(t)\left(\lambda_{kj} + \frac{o(\Delta t)}{\Delta t}\right) = \sum_{k} \left(\lambda_{ik} + \frac{o(\Delta t)}{\Delta t}\right) p_{kj}(t) \qquad (18)$$

Both of the aforementioned sums have definite limits as Δt → 0. That is,

$$\lim_{\Delta t \to 0} \sum_{k} p_{ik}(t)\left(\lambda_{kj} + \frac{o(\Delta t)}{\Delta t}\right) = \sum_{k} p_{ik}(t)\,\lambda_{kj} \qquad (19)$$

$$\lim_{\Delta t \to 0} \sum_{k} \left(\lambda_{ik} + \frac{o(\Delta t)}{\Delta t}\right) p_{kj}(t) = \sum_{k} \lambda_{ik}\, p_{kj}(t) \qquad (20)$$

Consequently,

$$\lim_{\Delta t \to 0} \frac{p_{ij}(t+\Delta t) - p_{ij}(t)}{\Delta t} = p'_{ij}(t)$$

also exists, which leads to Equations (19) and (20). □

Remark 2. The Kolmogorov equations hold both for a finite number of states and for a countably infinite number of states, given that additional assumptions are made. Consider the error terms o(Δt) in Equation (13) to be such that o(Δt)/Δt → 0 as Δt → 0 uniformly in all i and j. Then, the forward equations (15) hold if for any fixed j there exists a constant C < ∞ such that $\lambda_{ij} < C$, and

$$\sum_{j \neq i} \lambda_{ij} = \lambda_i,\quad i = 1, 2, \ldots \qquad (21)$$

However, the backward equation (16) will hold only if the series (21) converges. On the basis of the assumption that a Markov process x(t) can only leave the state i by going into state i + 1, we can easily determine the transition densities of the random flows of threat packets as

$$\lambda_{ij} = \begin{cases} \lambda, & \text{if } j = i+1 \\ 0, & \text{if } j \neq i,\, i+1 \end{cases}\qquad\text{and}\qquad \lambda_{ii} = -\lambda$$

The transition probabilities $p_{ij}(t)$ of the Poisson process x(t) satisfy the condition

$$p_{ij}(t) = p_{0,\,j-i}(t)$$

and let

$$p_j(t) = p_{0j}(t),\quad j = 0, 1, 2, \ldots$$

then the forward Kolmogorov equations will evolve as

$$p'_0(t) = -\lambda\, p_0(t),\qquad p'_j(t) = \lambda\, p_{j-1}(t) - \lambda\, p_j(t),\quad j = 1, 2, \ldots \qquad (22)$$

Assuming the exponential arrival rate for the threat packets, and letting the function

$$f_j(t) = e^{\lambda t}\, p_j(t),\quad j = 0, 1, 2, \ldots$$

we obtain

$$f'_0(t) = \lambda f_0(t) + e^{\lambda t} p'_0(t) = \lambda f_0(t) - \lambda e^{\lambda t} p_0(t) = 0 \qquad (23)$$

$$f'_j(t) = \lambda f_j(t) + e^{\lambda t} p'_j(t) = \lambda f_j(t) + \lambda e^{\lambda t} p_{j-1}(t) - \lambda e^{\lambda t} p_j(t) = \lambda f_{j-1}(t),\quad j = 1, 2, \ldots \qquad (24)$$

where, because of

$$p_{ij}(0) = \begin{cases} 1, & \text{if } j = i \\ 0, & \text{if } j \neq i \end{cases}$$

initially

$$f_0(0) = 1,\qquad f_j(0) = 0,\quad j = 1, 2, \ldots \qquad (25)$$

Using these initializations, the system of differential equations

$$f'_0(t) = 0,\qquad f'_j(t) = \lambda f_{j-1}(t),\quad j = 1, 2, \ldots \qquad (26)$$

can be easily solved as

$$f_0(t) = 1,\quad f_1(t) = \lambda t,\ \ldots,\ f_n(t) = \frac{(\lambda t)^{n}}{n!}$$

Considering the original functions $p_j(t) = e^{-\lambda t} f_j(t)$, we obtain

$$p_j(t) = \frac{(\lambda t)^{j}}{j!}\, e^{-\lambda t},\quad j = 0, 1, 2, \ldots$$

and equivalently, the probability of j successful attack packets occurring in time t is given by

$$P\{x(t) = j\} = \frac{(\lambda t)^{j}}{j!}\, e^{-\lambda t},\quad j = 0, 1, 2, \ldots \qquad (27)$$

Because λt = E[x(t)], the parameter λ is just the average number of successful attack packets occurring per unit time.

5.3. Example: Tribe Flood Network

A Tribe Flood Network attack is a DDoS attack in which the attacker launches simultaneous attacks against a victim network, often by using spoofed source IPs, to overwhelm the victim with Smurf attacks, SYN floods, or UDP floods. In our simulated experiment, four groups of hosts were involved: (i) a TFN master host planning and initiating the attack; (ii) some clients to control the attackers; (iii) a network of daemon hosts (attackers); and (iv) a single victim host. As the main actor, the master host instructs the daemon hosts to attack the victim host. We used two types of strategies for scheduling the attacks, confusion and straight. The confusion strategy (or schedule) uses randomly launched small bursts of attacks scheduled in different time slots, whereas the straight one uses a single long burst of simultaneous attacks; see Figure 5 for the timing of the attacks. Thousands of malicious packets were used simultaneously during the attacks. In total, the number of attack packets and the number of attackers were chosen to be equal for both strategies. With the straight schedule, all the daemon hosts (attackers) are instructed to attack the victim host simultaneously in a single long burst until the victim resets the connection or breaks down. On the contrary, the attackers of the confusion schedule were grouped into several battalions, where each battalion was scheduled to attack in a different time slot, even with arbitrarily overlapping times (Figure 5). The number of attackers in each battalion was also chosen at random. Hence, the attack packets were made to arrive stochastically. Figure 6 shows the results, as the probabilities of down times of the victim, obtained from these two strategies. As can be seen, the effect of the confusion schedule is higher than that of the straight (simultaneous) one. This is due to the fact that the victim host was able to discover the signature of the TFN attack after a certain time. Upon the discovery of the TFN signature, the victim system resets the connection. However, with the confusion schedule, the victim was unable to discover many of the stochastically arriving attack packets, even though the attacks successfully degraded the system availability.


Figure 5. Timing of Tribe Flood Network attack schedules: confusion mode (t1–t2, t3–t4, t5–t6, t7–t8) and straight mode (t1–t9). Annotations in the figure mark the risk range for $\vec{r}_s$, the risk range for $\vec{r}_c$, and the connection reset.

Figure 6. Tribe Flood Network attack results: (a) total, (b) successful confusion mode, and (c) successful straight mode attacks (vertical axis 0–100, horizontal axis time 0–16).

The reason for choosing the confusion mode is to mislead the victim into unawareness so that it will not reset the connection. To avoid the connection resets, the victim system can be decoyed if the attacks of the battalions are randomly scheduled in different time slots. With this schedule, one battalion terminates attacking before a connection resets, whereas the other battalions have either started just a few time slots ahead or will start soon. Because the sequence numbers and the source addresses of the attack packets change rapidly with the confusion mode, the victim node gets confused in computing the connection reset intervals. Consequently, the victim host had difficulties in detecting the stochastic behavior of the randomly scheduled burst attacks because many intrusion detection systems (as was the case here) do not maintain state information.

5.3.1. Measuring the risk of TFN

To assess the effect of these two distinct attack strategies, we measure the instantaneous availability of the victim node while the attacks take place. Assuming that the victim system is modeled as an alternating renewal process, we can compute the probability that the victim is operational at any random time t. Simply, an alternating renewal system is a system that stochastically breaks down and recovers relatively quickly in a continuous time space. We use the following reliability equation to estimate the instantaneous (point) availability:

$$A(s) = \frac{1 - w^{*}(s)}{s\,[1 - w^{*}(s)\, g^{*}(s)]} \qquad (28)$$

Here, $w^{*}(s)$ and $g^{*}(s)$ are the Laplace transforms of the failure-time and repair-time distributions, respectively. Results produced from these two distinct attack strategies are both labeled with risk label $\vec{r}_4$ (the highest risk range), which is defined in the risk mapping algorithm (Table I) as

$$[[CT / (P \wedge ET)] \circ f_t] \mapsto (0, 0, 0, \vec{r}_4)$$

In accordance with this risk range, two different risk vectors are determined, $\vec{r}_c$ denoting the results from the attacks of the confusion model and $\vec{r}_s$ denoting the results from the straight model (see Figure 5). By assuming 1 for the vulnerability coefficients and 4.0 for the asset weight of the victim system and using Equation (4), two different risk values are computed: 4.0432 caused by the confusion strategy and 3.7918 caused by the straight strategy. Comparing the strengths of these two strategies, we immediately find a difference of 0.2514, which is significant for victim systems with higher asset values. Estimated point availabilities of the separate attacks are shown in Figure 7. Curves labeled t1–t2, t3–t4, t5–t6, and t7–t8 depict the effect of the confusion mode attacks. The average of these effects is shown by the Mean Confusion curve. The curve t1–t9 shows the effect of the straight mode attack.

Figure 7. Estimated point availability (vertical axis: point availability 0–1; horizontal axis: time 0–35): confusion mode attacks within t1–t8 (curves t1−t2, t3−t4, t5−t6, t7−t8 and Mean Confusion) and the straight mode attack through t1–t9 (curve Straight).
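The following is an added example, not the paper's implementation: it evaluates Eq. (28) for exponential failure and repair times, where the transform inverts to a closed form for the point availability, and cross-checks that closed form against a Monte Carlo simulation of the alternating renewal process. The rates λ = 1, μ = 3, the run count and the seed are constructed values.

```python
"""Added example: point availability of a victim modelled as an alternating
renewal process, Eq. (28), worked for exponential failure/repair times and
cross-checked by simulation.  Standard library only."""
import math
import random
from typing import Callable


def availability_laplace(s: float, w_star: Callable[[float], float],
                         g_star: Callable[[float], float]) -> float:
    """Eq. (28): A(s) = [1 - w*(s)] / (s [1 - w*(s) g*(s)]) for s > 0, where w* and g*
    are the Laplace transforms of the failure-time and repair-time densities."""
    if s <= 0:
        raise ValueError("evaluate the transform for s > 0")
    return (1.0 - w_star(s)) / (s * (1.0 - w_star(s) * g_star(s)))


def exponential_transform(rate: float) -> Callable[[float], float]:
    """Laplace transform of an exponential density with the given rate: rate / (s + rate)."""
    if rate <= 0:
        raise ValueError("rate must be positive")
    return lambda s: rate / (s + rate)


def point_availability_exponential(t: float, fail_rate: float, repair_rate: float) -> float:
    """Closed form obtained by inverting Eq. (28) with w*(s) = lam/(s+lam) and
    g*(s) = mu/(s+mu), which reduces A(s) to (s + mu) / (s (s + lam + mu)):
        A(t) = mu/(lam+mu) + lam/(lam+mu) * exp(-(lam+mu) t)
    A(0) = 1 and A(t) decays to the steady-state availability mu/(lam+mu)."""
    if t < 0 or fail_rate <= 0 or repair_rate <= 0:
        raise ValueError("need t >= 0 and positive rates")
    lam, mu = fail_rate, repair_rate
    return mu / (lam + mu) + lam / (lam + mu) * math.exp(-(lam + mu) * t)


def simulate_point_availability(t: float, fail_rate: float, repair_rate: float,
                                runs: int = 20000, seed: int = 7) -> float:
    """Monte Carlo estimate of P{victim operational at time t}: each run starts in
    the up state and alternates up periods ~ Exp(fail_rate) with down periods
    ~ Exp(repair_rate) until the clock passes t."""
    rng = random.Random(seed)  # fixed seed so the constructed estimate is reproducible
    up_at_t = 0
    for _ in range(runs):
        clock, up = 0.0, True
        while True:
            clock += rng.expovariate(fail_rate if up else repair_rate)
            if clock > t:
                break
            up = not up
        up_at_t += up
    return up_at_t / runs


if __name__ == "__main__":
    lam, mu = 1.0, 3.0
    w, g = exponential_transform(lam), exponential_transform(mu)
    print("A(s = 2) from Eq. (28):", availability_laplace(2.0, w, g))   # 5/12
    for t in (0.0, 0.5, 2.0):
        print(f"A({t}) closed form = {point_availability_exponential(t, lam, mu):.4f}, "
              f"simulated = {simulate_point_availability(t, lam, mu):.4f}")
```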


6. CONCLUSION

Quantitative risk assessment has a crucial role in the determination of proactive security solutions and the efficient management of lifecycle security operations. The composite system can effectively demonstrate the threat prevalence of particularly large IT environments with a considerably smaller amount of effort compared with per-asset-based assessments. Quantitative risk assessment methods are much harder to realize than qualitative approaches. We presented a quantitative method for the analysis of risks in modern networks. The method can be used for simulation modeling, security experiments, and in network security evaluation laboratories. The composite concept also provides the heuristic means to keep track of past vulnerabilities and risks so that a taxonomy for attack, target, and exploit pools can be formalized and updated systematically. Finally, there remains some additional work for future research. First, some real-world experiments will be conducted with various types of attacks. Second, detection and rejection of outliers for each type of threat packet should be analyzed and compared with different packet capturing and identification algorithms. It can also be useful, in future work, to define formalized victim states, data structures, functions, and parameters for attack generation, capture, and mapping algorithms to contribute to internationally recognized network security standards and methodologies.

Security Comm. Networks 2012; 5:1471–1486 © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec
