Goal
Existing efforts on network security metrics typically assign numeric scores to vulnerabilities based on known facts about vulnerabilities.
This paper proposes a novel network security metric, k-zero day safety, to count how many zero-day vulnerabilities are required to compromise a network asset.
Instead of measuring which unknown vulnerabilities are more likely to exist
Unknown vulnerabilities are not measurable.
Motivating example
and privileges
where |F| denotes the cardinality, max(.) the maximum value, and
the symmetric difference
; and
for an asset a, we use k=k0d(a) for
where min(.) denotes the minimum value. For any
, we say a is k-zero day safe.
1. <vhttp,0,1>, <vssh,1,2>, <vroot,2,2>
2. <viptables,0,1>, <vssh,1,2>, <vroot,2,2>
3. <viptables,0,1>, <vssh,0,1>, <vssh,1,2>, <vroot,2,2>
4. <vfirewall,0,F>, <vssh,0,2>, <vroot,2,2>
Assume A = {<root,2>}; then we have k0d(A) = 2, and the network is 2-zero day safe.
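The metric these slides sketch, as an added worked example (my code, not the paper's): an attack sequence is a list of <vulnerability, source, destination> exploits, exploits of the same vulnerability on different hosts count once, known vulnerabilities count zero, and k0d(a) is the minimum over the sequences reaching the asset. The slides do not state which exploits in the four sequences are known; treating vroot as known is an assumption of this example that reproduces k0d(A) = 2, and which exploits count as "related" is also a simplifying assumption (same vulnerability name).

```python
# Constructed input: the four attack sequences from the slides, written as
# (vulnerability, source host, destination host) tuples.
ATTACK_SEQUENCES = [
    [("vhttp", "0", "1"), ("vssh", "1", "2"), ("vroot", "2", "2")],
    [("viptables", "0", "1"), ("vssh", "1", "2"), ("vroot", "2", "2")],
    [("viptables", "0", "1"), ("vssh", "0", "1"), ("vssh", "1", "2"), ("vroot", "2", "2")],
    [("vfirewall", "0", "F"), ("vssh", "0", "2"), ("vroot", "2", "2")],
]

# Assumption (not stated on the slides): vroot is a known vulnerability, so it
# costs the attacker no zero-day. With this the slide's k0d(A) = 2 comes out.
KNOWN_VULNS = {"vroot"}


def related(e1, e2):
    """Assumed relation: two zero-day exploits count as one zero-day when they
    use the same vulnerability (e.g. vssh on host 1 and vssh on host 2)."""
    return e1[0] == e2[0]


def k0d_sets(F, F_prime, known=KNOWN_VULNS):
    """k0d(F, F') from the slides: size of the largest pairwise-unrelated subset
    of the symmetric difference of F and F', counting zero-day exploits only."""
    diff = {e for e in set(F) ^ set(F_prime) if e[0] not in known}
    # 'related' is an equivalence relation here, so picking one representative
    # per class greedily yields the largest pairwise-unrelated subset.
    chosen = []
    for e in sorted(diff):
        if not any(related(e, c) for c in chosen):
            chosen.append(e)
    return len(chosen)


def k0d_asset(sequences, known=KNOWN_VULNS):
    """k0d(a): minimum number of distinct zero-days over all sequences reaching a."""
    return min(k0d_sets(seq, set(), known) for seq in sequences)


def is_k_zero_day_safe(k, sequences, known=KNOWN_VULNS):
    """Assumption: a is k-zero day safe when k <= k0d(a), matching the slide's
    reading of k0d(A) = 2 as '2-zero day safe'."""
    return k <= k0d_asset(sequences, known)


if __name__ == "__main__":
    print("k0d(A) with vroot known:", k0d_asset(ATTACK_SEQUENCES))      # 2
    print("k0d(A) with nothing known:", k0d_asset(ATTACK_SEQUENCES, set()))  # 3
```

Dropping vroot from the known set makes every sequence cost three distinct zero-days, which is the check a practitioner would run to see how much the result depends on what is classified as known.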
Asset backup
Strengthening isolation
Disabling services
Security services
Firewalls
Assume
None of the services, except iptables and tcpwrapper, are protected by sufficient isolation.
A = <root, 4>
Case 1: the three web servers (hosts 1 through 3) provide the http service using the same software.
k would remain the same regardless of the degree of diversity in these http services (k = 2).
Case 2: the iptables service on host 4 only accepts requests from hosts 2 and 3.
Diversifying the ftp services on hosts 2 and 3 does not help for k (k = 3).
Case 3: ftpx and ftpy indicate two different ways of providing the ftp service on hosts 2 and 3.
Increasing diversity in hosts and services does not always help improve a network's security.
Assume
An unnecessary rsh service running on host 4, and additionally the effect of introducing a known vulnerability vrsh into that service.
A = <root, 5>
Case 5: service rsh is left running on host 4, but without any known vulnerability.
This does not actually change k (k = 4), and patching this vulnerability will not help to make the network more secure.
Assume
Three candidate positions for placing a backup server for host 4 with location a, b, and c.
A = <root, 4>
This does not actually change k, because the same zero-day vulnerability of the nfs service can compromise both hosts 4 and 7 (k = 2).
Case 10: the backup server, host 7, at location b, and changing firewall rules such that host 4 is directly accessible from host 7 for backup purposes.
[<vsmtp,0,2>, <vftp,2,6>, <vnfs,6,7>, <vnfs,7,4>].
[Figure residue: labels "Three zero-day", "In:3, Out:5", "In:5, 7"]
Assume
A = <root, 6>
The personal firewall service on host 3 has a known vulnerability that may allow attackers to establish connections to the ftp service running on host 3.
Case12:
Case 13: moving host 3 to location a behind firewall 2, removing its personal firewall p firewall1, and adding extra rules to firewall 2 to allow only connection requests from 1 to 3 and from 3 to 4.
Conclusion
The paper proposes a concept of vulnerability relations that would replace some related attack sequences by a single one using the same vulnerability.
Many unknown vulnerabilities would have to appear at the same time to achieve the attack.
The known vulnerabilities are cut edges on the attack graph that decrease the length of the zero-day attack sequence.