Published by: ijcsis on Jun 12, 2010
Copyright: Attribution Non-commercial

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010

A New Approach for Security Risk Assessment Caused by Vulnerabilities of System by Considering the Dependencies
Mohammad Taromi
Performance and Dependability Eng. Lab., School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
taromi@comp.iust.ac.ir

Mohammad Abdollahi Azgomi (Corresponding Author)
Performance and Dependability Eng. Lab., School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
azgomi@iust.ac.ir
Abstract — Risk estimation is a necessary step in risk management; it is the measurement of the impact caused by the probability of exploiting vulnerabilities recognized in the system. At the moment, qualitative metrics are used for this purpose, and they are believed to suffer from subjectivity. The risk caused by a recognized vulnerability is computed using the values of Common Vulnerability Scoring System (CVSS) attributes. The great challenge in this field is that the dependency between the vulnerabilities recognized in the system is not taken into account. In this paper, a new approach to assessing the risks caused by the vulnerabilities of a system is proposed which considers the dependencies among vulnerabilities. The approach consists of three steps. In the first step, after recognizing the vulnerabilities of the system and its configuration, an attack graph is generated for all the critical resources of the system using the MulVAL framework; from these attack graphs, the dependency among vulnerabilities is extracted. In the second step, a Markov model is generated from the extracted dependencies and from the impact and exploitability estimated for each individual vulnerability on the basis of its CVSS attributes. In the third step, the Markov model is used to estimate the quantitative security risk as the attacker keeps progressing in the system. In this paper we introduce the proposed approach, a case study demonstrating the above steps, and the results of quantitative security risk estimation.

Keywords: Security Risk Assessment; Vulnerability; Attack Graph
I. INTRODUCTION
Although engineering methods are applied in software production, the extending use and increasing complexity of information systems, together with market requirements for reduced time and production costs, leave remarkable vulnerabilities unresolved in these systems. Furthermore, because of intruders' various motivations for obtaining the resources of these systems or disturbing their functionality, the number of methods exploiting these vulnerabilities is also increasing. Despite the patching of vulnerabilities, it is impossible to remove all of them: appropriate patches may be lacking, the system may lose functionality after reconfiguration, or financial limitations may prevent providing patches for specific vulnerabilities. Moreover, despite the use of various countermeasures such as firewalls or anti-viruses, attackers are not easily recognized, and they are likely to disturb the system's ordinary operation. Therefore, due to un-patched vulnerabilities and unrecognized attacks, there may be a security risk in the system that should be managed [1, 28]. Thus, it is necessary for the administrator to manage the risk caused by these vulnerabilities. Risk estimation is a necessary step in risk management; it is the measurement of the impact caused by the probability of exploiting these vulnerabilities. Such estimation can be carried out either quantitatively or qualitatively. Estimating quantitative risks using security metrics is more useful than using qualitative metrics, which are believed to suffer from subjectivity [2].

The definition of vulnerability depends on the level of abstraction and the stage of system development. A vulnerability is an internal fault that enables an external fault to damage the system. In other words, a vulnerability is of great importance in causing an error, and probably the resultant failure, produced by the external fault [3]. The vulnerability addressed throughout this paper is based on the definition given by [4]: "a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability". At the moment, it is possible to use open source scanners like OVAL [5] to recognize vulnerabilities in a host. The risk caused by a recognized vulnerability is computed using the values of Common Vulnerability Scoring System (CVSS) attributes [4]. To do so, the two components of risk assessment, the exploitability and the impact of the vulnerabilities, are estimated. The advantage of using CVSS is that it employs a common open framework used by experts for scoring, so it cannot easily be influenced by subjective judgment.

However, when scoring impact and exploitability in CVSS, the dependency between the vulnerabilities recognized in the system is not taken into account [4]. To estimate the risk due to all vulnerabilities, it is necessary to take the dependence between all vulnerabilities into consideration. By dependency, we mean that the possibility of exploiting a vulnerability after exploiting other vulnerabilities is taken into account. This dependency is usually modeled by attack graphs [6]. For this purpose, we have developed a dependency graph based on MulVAL [7] in which the exploitation of any vulnerability is made possible by a certain privilege in the system, and as a result of this exploitation another privilege is provided to the attacker. The attacker attempts to obtain a critical privilege in the system. This graph is easy to understand when analyzing the vulnerabilities and has a lower presentational complexity than the one generated in [8]. The study reported in this paper is an attempt to estimate the dependency between vulnerabilities in the attacker's obtaining of a critical privilege.

338 http://sites.google.com/site/ijcsis/ ISSN 1947-5500

The impact of any vulnerability can be estimated with CVSS from the security properties (confidentiality, availability, integrity), the collateral damage potential (CDP) and the target distribution (TD). A continuous-time Markov chain (CTMC) model is generated using the impact caused by the exploitation of each vulnerability by itself and the dependency obtained between the vulnerabilities in the system from the attack graph. Each state of this CTMC contains vulnerabilities whose impacts are similar. These vulnerabilities are grouped into a single state because the attacker pays the minimum cost to obtain a privilege, manipulate files or deny services with a similar impact, and because the attacker does not try to exploit a series of vulnerabilities with similar impact. As a result, the dependency between vulnerabilities of this kind is of little importance in risk assessment. In the proposed approach, the assumption is that there is no possibility of repairing these vulnerabilities dynamically.
As a result, it is not possible to move from a state with higher impact to one with lower impact. This assumption is completely logical, for the following reasons. First, the risk assessment is performed for a snapshot of the system. Second, there is a meaningful time interval between a vulnerability being recognized and a reliable patch being offered by the software developer, or it is not possible to patch the vulnerability because of interference. Having generated the model, the quantitative risk is estimated as the attacker progresses. Based on the results of this risk assessment, one can determine the best time to re-evaluate the system. It is worth mentioning that model generation is possible with a time complexity of $O(N^3)$, where $N$ is the number of system states.

The advantages of the approach proposed in this paper are as follows. (1) It can be used to assess the risk caused by threats to several critical parts of the system, based on the CVSS attributes of each vulnerability and the dependency between them, by considering the attacker's progress in the system. (2) It makes possible a security evaluation of the system that considers the data on vulnerabilities and the real environmental conditions, so that dependability techniques can be used in security measurement. (3) It is possible to use the existing mature dependability evaluation techniques.

The rest of this paper is organized as follows. In section 2, the related works, their challenges and their differences from this paper are discussed. In section 3, the existing methods of assessing the risk resulting from any single vulnerability using the values of CVSS attributes are described, and new definitions for the exploitability and impact of a vulnerability are offered. Section 4 introduces how the dependency matrix is constructed from the attack graph of the system. Section 5 presents how a Markov model is generated from the dependency matrix and the impact and exploitability of the vulnerabilities. In section 6, the generated Markov model is used to estimate the security risk of the system. Finally, in section 7, some concluding remarks are given.

II. RELATED WORKS
In addition to the quantitative/qualitative distinction, risk assessment methods are categorized into two groups. The first group (e.g. [9]), to which the method of the present study belongs, takes all the possible sequences of exploitation, or the worst possible sequences, as the basis for risk assessment, considering all the vulnerabilities in the system and their exploitability. The second group (e.g. [10]) operates on the successful attacks gathered by an intrusion detection system (IDS). The main advantage of the first category is that it takes into account all the possible sequences of exploitation. The second category, on the other hand, examines the attacker's behavior. However, due to the false positive and false negative problems observed in the alerts received from an IDS, the state of the system will not be precisely specified. Moreover, more skilled intruders will display a different behavior because of their familiarity with how the IDS operates. As a result, the estimated risk will have a lower reliability.

In [11] an initial model was offered for the quantitative measurement of security, and the mean time and effort required for security breaches were computed. This was one of the first papers to put forward the idea of using dependability in security. The main challenge in using dependability analysis methods to obtain the security attributes of a system is that dependability analysis assumes that the failures occurring in the system or its components are random or rare events, whereas in security analysis we are faced with failures caused by humans. The probability of such attacks depends on human beings' intelligent behavior and their learning over time [12].

In [13] the idea of using the attack graph to estimate a quantitative metric for networks was offered. This is akin to an often used metric of cryptographic strength, which measures the weakest adversary who can break a cryptographic scheme. Since in an attack graph certain conditions are required to exploit a given vulnerability, and these conditions cannot be achieved by the attacker's exploitation, if the minimum conditions required to conduct exploitation in a network exceed those in a similar network with a different configuration, it is clear that the first network better fulfills the security conditions than the second. In fact, this method was offered to compare similar networks with different configurations. Similar procedures are followed in [14] to harden the network by achieving the minimum set of required conditions to close the paths through which the intruder tries to penetrate the system. In that paper, the severity of meeting all conditions was assumed to be the same. However, the main challenge in such papers is that this problem is NP considering the very conditions.

The attack graph introduced in [15] has nodes that either describe exploitations which are likely to succeed given that all their conditions are met (and are therefore called AND nodes) or are pre- or post-conditions of the exploitations, which can be taken as OR nodes. According to the logic of these nodes, using the intersection and conjunction operators corresponding to them, assuming that the conditions are independent of one another, and finally using the CVSS metric, the probability of reaching the target node over all the paths available in the graph can be calculated. The difference between the dependency graph generated in [16] and the one generated in the present paper is that the graph offered in this study contains a vulnerability node that, if exploited, enables the attacker's privilege. Therefore, in the attack graph introduced in the current paper, the privilege and vulnerability nodes follow the OR logic.

For the first time, in [17], the idea of using the web page ranking algorithm [18] to score the nodes of an attack graph was proposed. In this algorithm the significance of each node, like that of a web page, depends on the number of paths by which the attacker can reach it. In [19], the modified web page ranking algorithm was applied to the attack graph of [8], which contains AND and OR nodes. In this way, the priority of each vulnerability for patching, along with the CVSS privilege, is computed considering its dependency on other vulnerabilities. In our dependency graph the web page ranking algorithm can be employed, but with fewer complexities.

In [9], the methodology for assessing the risk of a potential threat, modeled using an attack tree, first computes the dependency between the vulnerabilities, i.e. how the exploitation of one vulnerability facilitates the exploitation of another. A dependency graph is generated and the rate of facilitation between two vulnerabilities is determined by an expert. Using this dependency graph and the facilitation rate of each vulnerability, the exploitability and impact are updated, the number of days during which the service is not available is defined, the risk resulting from each vulnerability is estimated, and finally the total risk of the threat is estimated using the attack tree. The difference between that method and the one introduced in the present study lies in the definition of dependency. The dependency defined in [9] relies heavily on subjective judgment, whereas the dependency defined in the present paper is systematic and can be easily computed. In addition, in this paper CVSS is used to estimate the exploitability and impact of these vulnerabilities. The approach taken is able to estimate the risk of several threats.

In [20], the impact and frequency of a vulnerability are estimated by combining its CVSS attributes using Bayesian networks, and the resulting security risk is computed by combining these components. To obtain the total security of a given system, the use of Bayesian algorithms is suggested. In [21], a method is offered to estimate the total security risk of a system. In this method, the vulnerabilities of the system are divided into different groups based on their impact, and the groups are then ordered by the impact of their vulnerabilities. The system starts in a sound state until it encounters a failure. In our study, a different method of risk assessment is proposed, one that considers the dependencies between vulnerabilities.
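The model outlined in Section I, as an added Python example that is not the paper's own code: a MulVAL-style dependency graph in which holding a privilege enables a vulnerability whose exploitation grants a further privilege, CTMC states that group vulnerabilities of similar impact, no transition from a higher-impact state back to a lower one, and the risk estimated as the attacker progresses. The graph, the CVSS sub-scores and the rate scaling are constructed assumptions. The paper's own dependency matrix and rate derivation (its Sections 4 and 5) are not on this page, so the rule used here (a transition to a higher-impact state exists when some vulnerability of that state has its precondition granted by the current or a lower-impact state, with rate proportional to the CVSS exploitability sub-score) and the transient solution by uniformization are the example's own choices.

```python
import math
from collections import defaultdict

# Constructed sample dependency graph (MulVAL style): a vulnerability can be
# exploited once the attacker holds its precondition privilege, and exploiting
# it grants the postcondition privilege. impact/expl stand for CVSS v2
# sub-scores; the values are constructed, not taken from any real advisory.
VULNS = {
    "v1": {"pre": "attacker@internet", "post": "user@web", "impact": 2.9, "expl": 10.0},
    "v2": {"pre": "user@web",          "post": "root@web", "impact": 10.0, "expl": 3.9},
    "v3": {"pre": "user@web",          "post": "user@db",  "impact": 6.4, "expl": 8.6},
    "v4": {"pre": "user@db",           "post": "root@db",  "impact": 10.0, "expl": 3.9},
}
INITIAL_PRIVILEGE = "attacker@internet"
RATE_SCALE = 0.1  # assumption: exploitability sub-score 10.0 == one exploitation per unit time


def impact_states(vulns):
    """CTMC states: state 0 is the attacker's entry privilege (impact 0); the
    others group vulnerabilities of equal impact, in increasing impact order."""
    groups = defaultdict(list)
    for name, v in vulns.items():
        groups[v["impact"]].append(name)
    return [(0.0, [])] + [(imp, sorted(groups[imp])) for imp in sorted(groups)]


def privileges_in_state(states, idx, vulns):
    """Privileges assumed available in state idx: the entry privilege plus the
    postconditions of every vulnerability of that or a lower-impact state
    (assumption: the attacker reached this impact level through the lower ones)."""
    privs = {INITIAL_PRIVILEGE}
    for _impact, names in states[: idx + 1]:
        privs.update(vulns[n]["post"] for n in names)
    return privs


def build_generator(vulns, rate_scale=RATE_SCALE):
    """Generator matrix Q. Vulnerabilities are not repaired during the assessment,
    so only transitions to strictly higher-impact states exist (Q is upper
    triangular and the highest-impact state is absorbing). The rate into a state
    is the scaled sum of the exploitability of its vulnerabilities whose
    precondition the attacker already holds."""
    states = impact_states(vulns)
    n = len(states)
    q = [[0.0] * n for _ in range(n)]
    for s in range(n):
        privs = privileges_in_state(states, s, vulns)
        for t in range(s + 1, n):
            rate = sum(vulns[v]["expl"] for v in states[t][1] if vulns[v]["pre"] in privs)
            q[s][t] = rate * rate_scale
        q[s][s] = -sum(q[s])
    return states, q


def transient_distribution(q, t, start=0, tol=1e-12):
    """State probabilities at time t by uniformization:
    pi(t) = sum_k Poisson(k; lam*t) * pi0 * P^k, with P = I + Q/lam and lam the
    largest exit rate. The series is cut once the Poisson weights sum to 1 - tol."""
    n = len(q)
    lam = max(-q[i][i] for i in range(n))
    pi = [0.0] * n
    pi[start] = 1.0
    if lam == 0.0 or t == 0.0:
        return pi
    p = [[(1.0 if i == j else 0.0) + q[i][j] / lam for j in range(n)] for i in range(n)]
    out = [0.0] * n
    weight, cumulative = math.exp(-lam * t), 0.0  # weight = Poisson(k; lam*t), k = 0
    for k in range(1, 100000):
        for i in range(n):
            out[i] += weight * pi[i]
        cumulative += weight
        if cumulative >= 1.0 - tol:
            break
        pi = [sum(pi[i] * p[i][j] for i in range(n)) for j in range(n)]  # pi <- pi P
        weight *= lam * t / k                                           # next Poisson term
    return out


def risk_at(states, q, t):
    """Expected impact reached by time t: sum over states of P(state at t) * impact."""
    probs = transient_distribution(q, t)
    return sum(pr * imp for pr, (imp, _names) in zip(probs, states))


if __name__ == "__main__":
    states, q = build_generator(VULNS)
    for impact, names in states:
        print(f"state impact={impact:>4}: {names}")
    for t in (0.0, 1.0, 3.0, 10.0):
        print(f"t={t:>4}: risk={risk_at(states, q, t):.3f}")
```

With the constructed graph, the chain has four states (impact 0, 2.9, 6.4 and 10), the root-level state is absorbing, and the risk curve rises from 0 towards 10 as the attacker progresses; the time at which it approaches the maximum is the kind of value the paper proposes for deciding when to re-evaluate the system.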
TABLE I. CVSS METRIC GROUPS [4]

Base Metric Group | Temporal Metric Group | Environmental Metric Group
Access Vector (AV); Confidentiality impact (B_C) | Exploitability (T_E) | Confidentiality (E_C), Integrity (E_I), Availability (E_A)
Access Complexity (AC); Integrity impact (B_I) | Remediation Level (T_RL) | Collateral Damage Potential (CDP)
Authentication (Au); Availability impact (B_A) | Report Confidence (T_RC) | Target Distribution (TD)
III. CALCULATING THE RISK OF ANY VULNERABILITY
CVSS [4] was introduced in 2004, and at present its second version is supported by the Forum of Incident Response and Security Teams. It assigns a number to each vulnerability listed in a vulnerability database such as NVD [22]. In fact, CVSS is an open framework for determining the attributes and impact of a vulnerability from predefined, accepted values, in order to estimate the security risk due to this vulnerability. CVSS consists of three groups of metrics: base, temporal, and environmental. The base metric group consists of attributes that represent the inherent qualities of a vulnerability. The temporal group holds the attributes that change over time, and the environmental group holds those attributes that are unique to the user's immediate environment. The attributes of each group are summarized in TABLE I. The metric of each group receives a value ranging from 0 to 10, and the content vector records the values assigned to the attributes of the vulnerability that generate this numerical value.

CVSS offers a common set of attributes for vulnerabilities. Each attribute has a predefined set of qualitative values from which the value for a given vulnerability is selected. For example, the Access Vector attribute of the base metric group, which represents the way a vulnerability is accessed and exploited, receives the value L to indicate that the intruder must have physical access or a local account to exploit the vulnerability; the value A indicates that the intruder must have access to the local network of the host; finally, the value N indicates that the intruder can exploit the vulnerability remotely, without local access. To estimate the CVSS scores, each qualitative value is assigned a quantitative value, and using the equations that represent the relationships between these attributes, the base group metric (with the impact and exploitability values computed separately), the temporal group metric, and the environmental group metric (along with the adjusted impact) are estimated. The CVSS calculator in NVD can be used to estimate these metrics. Because the base exploitability in CVSS does not consider the attributes of the temporal group, all of which can affect the exploitability, the exploitability addressed in this paper is defined as follows:
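Scoring with the three metric groups of TABLE I, as an added Python example that is neither the paper's code nor the modified exploitability the paper goes on to define: it implements the standard CVSS v2 base, temporal and environmental equations with the numeric values the CVSS v2 guide [4] assigns to each qualitative attribute value, exposing the impact and exploitability sub-scores that the paper takes as inputs and the adjusted impact of the environmental group. The vector-string format and the sample vector are constructed inputs; intermediate and final scores are rounded half-up to one decimal, as the NVD calculator does, and arithmetic is done in Decimal so that the rounding is not disturbed by binary floating point.

```python
from decimal import Decimal, ROUND_HALF_UP

# Numeric values of the CVSS v2 attributes (from the CVSS v2 guide).
BASE = {
    "AV": {"L": "0.395", "A": "0.646", "N": "1.0"},       # access vector
    "AC": {"H": "0.35", "M": "0.61", "L": "0.71"},        # access complexity
    "Au": {"M": "0.45", "S": "0.56", "N": "0.704"},       # authentication
    "C": {"N": "0.0", "P": "0.275", "C": "0.660"},        # confidentiality impact
    "I": {"N": "0.0", "P": "0.275", "C": "0.660"},        # integrity impact
    "A": {"N": "0.0", "P": "0.275", "C": "0.660"},        # availability impact
}
TEMPORAL = {
    "E": {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"},    # exploitability
    "RL": {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"},  # remediation level
    "RC": {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"},               # report confidence
}
ENVIRONMENTAL = {
    "CDP": {"N": "0.0", "L": "0.1", "LM": "0.3", "MH": "0.4", "H": "0.5", "ND": "0.0"},
    "TD": {"N": "0.0", "L": "0.25", "M": "0.75", "H": "1.0", "ND": "1.0"},
    "CR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "IR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
    "AR": {"L": "0.5", "M": "1.0", "H": "1.51", "ND": "1.0"},
}
ONE = Decimal(1)


def parse_vector(vector):
    """Parse 'AV:N/AC:L/...' into {metric: Decimal}; unknown metrics or values are rejected."""
    out = {}
    for part in vector.split("/"):
        metric, value = part.split(":")
        for table in (BASE, TEMPORAL, ENVIRONMENTAL):
            if metric in table:
                if value not in table[metric]:
                    raise ValueError(f"bad value {value!r} for metric {metric}")
                out[metric] = Decimal(table[metric][value])
                break
        else:
            raise ValueError(f"unknown metric {metric!r}")
    return out


def round1(x):
    """CVSS v2 round_to_1_decimal."""
    return x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def impact_subscore(m, cr=ONE, ir=ONE, ar=ONE):
    """Impact sub-score; with the environmental requirements CR/IR/AR supplied it is the
    adjusted impact, capped at 10."""
    raw = Decimal("10.41") * (1 - (1 - m["C"] * cr) * (1 - m["I"] * ir) * (1 - m["A"] * ar))
    return min(Decimal(10), raw)


def exploitability_subscore(m):
    return Decimal(20) * m["AV"] * m["AC"] * m["Au"]


def base_score(m, impact=None):
    impact = impact_subscore(m) if impact is None else impact
    f_impact = Decimal(0) if impact == 0 else Decimal("1.176")  # f(Impact)
    return round1((Decimal("0.6") * impact + Decimal("0.4") * exploitability_subscore(m)
                   - Decimal("1.5")) * f_impact)


def temporal_score(m, base=None):
    base = base_score(m) if base is None else base
    return round1(base * m.get("E", ONE) * m.get("RL", ONE) * m.get("RC", ONE))


def environmental_score(m):
    # Temporal score recomputed with the adjusted impact, then blended with CDP and TD.
    adjusted_impact = impact_subscore(m, m.get("CR", ONE), m.get("IR", ONE), m.get("AR", ONE))
    adjusted_temporal = temporal_score(m, base_score(m, adjusted_impact))
    cdp, td = m.get("CDP", Decimal(0)), m.get("TD", ONE)
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def score(vector):
    """All CVSS v2 scores for a vector string, as floats rounded to one decimal."""
    m = parse_vector(vector)
    return {
        "impact": float(round1(impact_subscore(m))),
        "exploitability": float(round1(exploitability_subscore(m))),
        "base": float(base_score(m)),
        "temporal": float(temporal_score(m)),
        "environmental": float(environmental_score(m)),
    }


if __name__ == "__main__":
    # Constructed sample vector: remote, low-complexity, unauthenticated denial of service.
    print(score("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H"))
```

A vector that omits a group takes that group's "not defined" values, so the temporal score then equals the base score and the environmental score equals the temporal score. The adjusted impact is what the paper's environmental column (CDP, TD and the E_C/E_I/E_A requirements) changes; the base exploitability sub-score is untouched by the temporal attributes, which is the gap the paper's own exploitability definition addresses.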
