Report 2008-1
From attack graphs to automated configuration management --- an iterative
approach
by John Homer, Xinming Ou, and Miles A. McQueen
Abstract:
Various tools exist to analyze enterprise network systems and to produce
attack graphs detailing how attackers might penetrate into the system.
These attack graphs, however, are often complex and difficult to
comprehend fully, and a human user may find it problematic to reach
appropriate configuration decisions. This paper presents methodologies
that can 1) automatically identify portions of an attack graph that do not
help a user to understand the core security problems and so can be
trimmed, and 2) enable a user to use the information in an attack graph to
reach appropriate configuration decisions, through a configuration
generator that can be iteratively trained by the user to understand a wide
range of constraints in configuring an enterprise system, such as
usability requirements and trade-offs that need to be made between the
cost of security hardening measures and the cost of potential damage. We
believe both methods are important steps toward achieving automatic
configuration management for large enterprise networks. We implemented our
methods using one of the existing attack-graph toolkits. Initial
experimentation shows that the proposed approaches can 1) significantly
reduce the complexity of attack graphs by trimming a large portion of the
graph that is not needed for a user to understand the security problem, and
2) automatically provide reasonable suggestions for resolving the security
problem.
Report 2008-2
A Practical Approach to Modeling Uncertainty in Intrusion Analysis
by Xinming Ou, Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan
Abstract:
Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system
monitoring tools, including intrusion detection systems (IDS) and the numerous types of logs. Attackers
are essentially invisible in cyber space and those monitoring tools can only observe the symptoms
produced by malicious activities, mingled with the same effects produced by non-malicious activities.
Thus the conclusions one can draw from these observations inevitably suffer from varying degrees of
uncertainty, which is the major source of false positives/false negatives in intrusion analysis. This paper
presents a practical approach to modeling such uncertainty so that the various security implications from
those low-level observations are captured in a simple logical language augmented with certainty tags.
We design an automated reasoning process so that the model can combine multiple sources of system
monitoring data and identify highly-confident attack traces from the numerous possible interpretations
of low-level observations. We develop our model formulation through studying a true intrusion that happened
on a campus network, using a Datalog-like language to encode the model and a Prolog system
to carry out the reasoning process. Our model and reasoning system can reach the same conclusions
the human administrator did regarding which machines were certainly compromised. We then apply the
developed model to the Treasure Hunt (TH) data set, which contains large amounts of system monitoring
data collected during a live cyber attack exercise in a graduate course taught at University of California,
Santa Barbara. Our results show that the reasoning model developed from the true intrusion is effective
on the TH data set as well, and our reasoning system can identify high-confidence attack traces automatically.
Such a model thus has the potential to codify the seemingly ad-hoc human reasoning about
uncertain events, and can yield useful tools for automated intrusion analysis.