Logic-based, data-driven enterprise network security analysis Xinming (Simon) Ou Assistant Professor CIS Department Kansas State University COS 598D: Formal.


Logic-based, data-driven enterprise network security analysis Xinming (Simon) Ou Assistant Professor CIS Department Kansas State University COS 598D: Formal Methods in Networking Princeton University March 08,

Self Introduction
Brief Bio
–PhD, Princeton University, 2005
–Post-doc, Purdue CERIAS, Idaho National Laboratory, 2006
–Assistant Professor, Kansas State University, 2006-now
Research Interests
–Computer and network security, especially formal and quantitative analysis
–Programming languages, formal methods
Research Group
–Argus 2

Overview of the two lectures
Lecture One
–Datalog model for network attacks
–SLG resolution for Datalog evaluation
–Exhaustive proof generation for Datalog
Lecture Two
–Formulating the security hardening problem as a SAT solving problem
–Applying MinCostSAT to achieve optimal security configuration
–Open research problems 3

Cyber Defender’s Life
Figure: the inputs (security advisories such as "Apache bug!", vulnerability reports, network configuration, IDS alerts, users and data assets) feed a Reasoning System, whose output is Automated Situation Awareness. 4

Multi-step Attacks
Figure: Internet, Firewall 1, Demilitarized zone (DMZ: webServer, webPages), Firewall 2, Corporation (workStation, fileServer, sharedBinary). Attack steps annotated in the figure: buffer overrun, NFS shell, Trojan horse. 5

Two Questions
Are there potential attack paths in the system? (What we are going to focus on)
–How can they happen?
–How can they be addressed in an optimal way?
Are there attacks that are going on/have succeeded in the system?
–How do you know?
–How to counter the attack? 6

MulVAL
Figure: Datalog rules from security experts, together with the inputs (vulnerability information, e.g. NIST NVD; network reachability information from a network analyzer; vulnerability definitions, e.g. OVAL, Nessus Scripting Language, used by the vulnerability scanner; user information), are fed to the Analyzer, which answers questions such as "Could root be compromised on any of the machines?"
Ou, Govindavajhala, and Appel. USENIX Security 2005 7

Network config (firewall analyzer) and host access-control lists yield reachability tuples:
    reachable(internet, webServer, tcp, 80).
    reachable(webServer, fileserver, nfs, -). 8

Host config scanner: file permissions
    fileOwner(webServer, '/bin/apache', root).
    fileAttr(webServer, '/bin/apache', r,w,x,r,0,0,r,0,0). 9

Host-based vulnerability scanner: installed software
    vulExists(webserver, 'CVE ', httpd).
    vulExists(dbServer, 'CVE ', mySQL).
    … 10

US-CERT / NVD security advisories (Apache bug!)
    vulProperty('CVE ', remote, privEscalation).
    vulProperty('CVE ', remote, privEscalation).
    … 11

Security expert Datalog Rules
    execCode(Host, PrivilegeLevel) :-
        vulExists(Host, Program, remote, privilegeEscalation),
        serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
        networkAccess(Host, Protocol, Port).
The rules encode Linux security behavior, Windows security behavior and common attack techniques. They are completely independent of any site-specific settings. 12

Rule for NFS (figure: dmz with webServer and webPages, corp with fileServer and sharedBinary, NFS shell)
    accessFile(Server, Access, Path) :-
        nfsExport(Server, Path, Access, Client),
        reachable(Client, Server, nfs, -),
        execCode(Client, _Perm). 13

Rule for Trojan Horse (figure: corp with workStation, fileServer, projectPlan, sharedBinary; Trojan horse in the web pages)
    execCode(H, User) :-
        accessFile(H, write, Path),
        fileOwner(H, Path, User). 14

Deducing new facts
Rule:
    execCode(Host, PrivilegeLevel) :-
        vulExists(Host, Program, remote, privilegeEscalation),
        serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
        networkAccess(Host, Protocol, Port).
Input facts for the webServer in the dmz behind Firewall 1:
    vulExists(webServer, httpd, remote, privilegeEscalation). (from the vulnerability scanner & NVD)
    serviceRunning(webServer, httpd, tcp, 80, apache). (from the vulnerability scanner)
    networkAccess(webServer, tcp, 80). (derived)
Conclusion:
    execCode(attacker, webServer, apache). Oops! 15

Advantages of using Prolog Prolog’s goal-oriented evaluation is potentially more efficient. Prolog provides more programming flexibility. Can we evaluate Datalog programs in Prolog? 16

However…
Prolog as a programming language cannot be directly used to evaluate Datalog:
    ancestor(X,Y) :- parent(X,Y).
    ancestor(X,Y) :- parent(X,Z), ancestor(Z,Y).
    parent(bill,mary).
    parent(mary,john).
    ?- ancestor(X,Y). 17

However…
Prolog as a programming language cannot be directly used to evaluate Datalog:
    ancestor(X,Y) :- parent(X,Y).
    ancestor(X,Y) :- ancestor(Z,Y), parent(X,Z).
    parent(bill,mary).
    parent(mary,john).
    ?- ancestor(X,Y). 18

However…
Prolog as a programming language cannot be directly used to evaluate Datalog:
    ancestor(X,Y) :- ancestor(Z,Y), parent(X,Z).
    ancestor(X,Y) :- parent(X,Y).
    parent(bill,mary).
    parent(mary,john).
    ?- ancestor(X,Y). 19

Problem of SLD resolution
Program:
    ancestor(X,Y) :- parent(X,Y).
    ancestor(X,Y) :- parent(X,Z), ancestor(Z,Y).
    parent(bill,mary).
    parent(mary,john).
SLD tree for the query ← ancestor(X, Y).:
–Clause 1: ← parent(X,Y).
    Success with X=bill, Y=mary
    Success with X=mary, Y=john
–Clause 2: ← parent(X,Z), ancestor(Z,Y).
    X=bill, Z=mary: ← ancestor(mary,Y).
        Clause 1: ← parent(mary,Y). Success with Y=john
        Clause 2: ← parent(mary,Z2), ancestor(Z2,Y). Z2=john: ← ancestor(john,Y). … Failure … Failure
    X=mary, Z=john: ← ancestor(john,Y). … Failure 20

Problem of SLD resolution
Program (left-recursive ordering):
    ancestor(X,Y) :- ancestor(Z,Y), parent(X,Z).
    ancestor(X,Y) :- parent(X,Y).
    parent(bill,mary).
    parent(mary,john).
SLD derivation for ← ancestor(X, Y).:
    ← ancestor(Z, Y), parent(X, Z).
    ← ancestor(Z1, Y), parent(Z, Z1), parent(X, Z).
    ← ancestor(Z2, Y), parent(Z1, Z2), parent(Z, Z1), parent(X, Z).
    … 21

Problem of SLD resolution
Termination of cyclic Datalog programs depends not only on the logical semantics but also on the order of the clauses and subgoals.
–This creates problems because in network security analysis such cyclic rules are commonplace, e.g. after compromising one machine, the attacker can use it as a stepping stone to compromise another.
–Datalog is a declarative language; thus order should not matter.
–A pure Datalog program must always terminate because of the bound on the number of tuples. 22

Bottom-up Evaluation
Program:
    ancestor(X,Y) :- ancestor(Z,Y), parent(X,Z).
    ancestor(X,Y) :- parent(X,Y).
    parent(bill,mary).
    parent(mary,john).
Semi-naïve Evaluation:
–Step 1 (base case): ancestor(bill,mary), ancestor(mary,john)
–Step 2, iteration 1: ancestor(bill,john)
–Step 2, iteration 2: no new tuples (“fixpoint”) 23

SLG Resolution
Goal-oriented evaluation
Predicates can be “tabled”
–A table stores the evaluation results of a goal.
–The results can be re-used later, i.e. dynamic programming.
–Entering an active table indicates a cycle.
–Fixpoint operation is taken at such tables.
The XSB system implements SLG resolution
–Developed at Stony Brook.
–Provides full ISO Prolog compatibility. 24

SLG resolution example
Program:
    ancestor(X,Y) :- ancestor(Z,Y), parent(X,Z).
    ancestor(X,Y) :- parent(X,Y).
    parent(bill,mary).
    parent(mary,john).
← ancestor(X, Y). (generator node: new table created for ancestor(X,Y))
–← ancestor(Z, Y), parent(X, Z). (active node: resolve ancestor(Z,Y) against the results in the table for ancestor(X,Y))
    Z=bill, Y=mary: ← parent(X, bill). Failure
    Z=mary, Y=john: ← parent(X, mary). X=bill, Success
    Z=bill, Y=john: ← parent(X, bill). Failure
–← parent(X,Y).
    X=bill, Y=mary: Success
    X=mary, Y=john: Success 25
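The Python program below is an added example, not code from the slides or from XSB. It implements the two evaluation strategies that slides 20–25 contrast: a semi-naive bottom-up evaluator (slide 23) and a simplified tabled top-down evaluator in the spirit of SLG (slides 24–25), with one table per subgoal variant, cycle detection when a subgoal re-enters its own active table, and a fixpoint iteration at that table. XSB's SCC-based completion is not reproduced: a table opened while another table is still active is simply recomputed the next time it is used. Both strategies return the same three ancestor tuples for both clause orderings, including the left-recursive one on which Prolog's SLD resolution does not terminate, and semi_naive reports three rounds, matching slide 23 (base case, one iteration adding ancestor(bill,john), one adding nothing). The variable-naming convention, the ancestor_program helper and all function names are choices made for this example.

```python
# Added example (Python, not the slides' Prolog/XSB code): a small Datalog engine
# with both strategies the slides contrast, bottom-up semi-naive and top-down with
# tabling, run over the ancestor program in both clause orderings. Constants are
# lowercase strings; variables start with an uppercase letter or "_" (table keys).
def is_var(t):
    return t[:1].isupper() or t[:1] == "_"

def match(pattern, fact, env):
    """Extend env so that pattern equals the ground fact, or return None."""
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            env.setdefault(p, f)
        if env.get(p, p) != f:
            return None
    return env if len(pattern) == len(fact) else None

def subst(pattern, env):
    return tuple(env.get(t, t) for t in pattern)

def semi_naive(rules, facts):
    """Bottom-up: each round joins only with the previous round's new tuples.
    Returns (all derivable facts, rounds until the fixpoint)."""
    known, delta, rounds = set(facts), set(facts), 0
    while delta:                                  # a round that adds nothing ends it
        rounds, new = rounds + 1, set()
        for head, body in rules:
            for i in range(len(body)):            # subgoal i takes a last-round tuple
                for env in join(body, known, delta, i, {}):
                    new.add(subst(head, env))
        delta = new - known
        known |= delta
    return known, rounds

def join(body, known, delta, i, env, k=0):
    if k == len(body):
        yield env
        return
    for fact in (delta if k == i else known):
        e = match(body[k], fact, env)
        if e is not None:
            yield from join(body, known, delta, i, e, k + 1)

class Tabled:
    """Top-down with tabling: one table of answers per subgoal variant, fixpoint per table."""
    def __init__(self, rules, facts):
        self.rules, self.facts = rules, set(facts)
        self.tables, self.active, self.complete, self.renamed = {}, [], set(), 0

    def solve(self, goal):
        names = {t: "_%d" % i for i, t in enumerate(dict.fromkeys(t for t in goal if is_var(t)))}
        key = subst(goal, names)                  # variants of a goal share a table
        if key in self.active or key in self.complete:
            return self.tables[key]               # cycle: answers so far; done: reuse
        table = self.tables.setdefault(key, set())
        nested = bool(self.active)
        self.active.append(key)
        while True:                               # fixpoint at this table
            before = len(table)
            table.update(f for f in self.facts if match(key, f, {}) is not None)
            for head, body in self.rules:
                if head[0] == key[0]:
                    table.update(self.resolve(head, body, key))
            if len(table) == before:
                break
        self.active.pop()
        if not nested:   # a table opened under another open table may be incomplete
            self.complete.add(key)   # (no SCC completion here), so it is recomputed on reuse
        return table

    def resolve(self, head, body, goal):
        """Rename the clause apart, bind its head to goal, solve the body left to right."""
        self.renamed += 1
        fresh = {t: "%s%d" % (t, self.renamed) for lit in (head, *body) for t in lit if is_var(t)}
        head_env = dict(zip(subst(head, fresh), goal))   # heads use distinct variables
        envs = [{}]
        for lit in body:
            lit, nxt = subst(subst(lit, fresh), head_env), []
            for env in envs:
                sub = subst(lit, env)
                for answer in list(self.solve(sub)):
                    e = match(sub, answer, env)
                    if e is not None:
                        nxt.append(e)
            envs = nxt
        return [subst(goal, env) for env in envs]

def ancestor_program(left_recursive):
    """The slides' ancestor program, in the order SLD handles (False) or loops on (True)."""
    anc = ("ancestor", "X", "Y")
    base = (anc, [("parent", "X", "Y")])
    step = (anc, [("ancestor", "Z", "Y"), ("parent", "X", "Z")] if left_recursive
                 else [("parent", "X", "Z"), ("ancestor", "Z", "Y")])
    rules = [step, base] if left_recursive else [base, step]
    return rules, {("parent", "bill", "mary"), ("parent", "mary", "john")}

def ancestors(left_recursive, strategy):
    """Sorted ancestor tuples; both strategies agree whatever the clause order."""
    rules, facts = ancestor_program(left_recursive)
    if strategy == "bottom-up":
        found, _ = semi_naive(rules, facts)
    else:
        found = Tabled(rules, facts).solve(("ancestor", "X", "Y"))
    return sorted(f for f in found if f[0] == "ancestor")
```

Calling ancestors(True, "tabled") runs the left-recursive program top-down: the first clause immediately re-enters the table for ancestor(_0,_1), finds it active and resolves against the answers found so far (none in the first pass, the two base-case answers in the second), which is the fixpoint-at-the-table behaviour the slide illustrates, and it terminates because the table can only grow up to the bound on the number of tuples.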

SLG in MulVAL
    netAccess(H2, Protocol, Port) :-
        execCode(H1, User),
        reachable(H1, H2, Protocol, Port).
The possible instantiations of netAccess(…) form the table for the goal; the possible instantiations of execCode(…) come from the table for the first subgoal; reachable(…) is resolved from the input tuples. 26

SLG complexity for Datalog
Total time is dominated by the rule that has the maximum number of instantiations.
–Time for computing one table = computation of the subgoals + retrieving information from input tuples + matching results in the rules’ bodies
–Time for computing all tables = retrieving information from input tuples + matching results in the rules’ bodies
See “On the Complexity of Tabled Datalog Programs”

MulVAL complexity in SLG
    execCode(Attacker, Host, User) :-
        vulExists(Host, _, Program, remote, privilegeEscalation),
        networkService(Host, Program, Protocol, Port, User),
        netAccess(Attacker, Host, Protocol, Port).
Scales with network size: O(N) different instantiations 28

MulVAL complexity in SLG
    netAccess(Attacker, H2, Protocol, Port) :-
        execCode(Attacker, H1, _),
        reachable(H1, H2, Protocol, Port).
Scales with network size: O(N^2) different instantiations. This rule dominates the complexity of MulVAL. 29

Datalog proof generation
In security analysis we want to know not only what attacks could happen, but also how they can happen.
–Thus, we need more than a yes/no answer for queries.
–We need the proofs for the true queries, which in the case of security analysis are attack paths.
–We also want to know all possible attack paths; thus we need exhaustive proof generation. 30

An obvious approach
Original rule:
    execCode(Host, PrivilegeLevel) :-
        vulExists(Host, Program, remote, privilegeEscalation),
        serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
        networkAccess(Host, Protocol, Port).
Rule extended to carry its proof:
    execCode(Host, PrivilegeLevel, Pf) :-
        vulExists(Host, Program, remote, privilegeEscalation, Pf1),
        serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel, Pf2),
        networkAccess(Host, Protocol, Port, Pf3),
        Pf = (execCode(Host, PrivilegeLevel), [Pf1, Pf2, Pf3]).
This breaks the bounded-term property and results in non-termination for cyclic Datalog programs. 31

MulVAL Attack-Graph Toolkit
Figure: machine configuration, network configuration and security advisories are translated into a Datalog representation; the Datalog rules are translated into rules for the XSB reasoning engine, which outputs Datalog proof steps; the Graph Builder turns the proof steps into a Datalog proof graph.
Ou, Boyer, and McQueen. ACM CCS 2006. Joint work with Idaho National Laboratory 32

Stage 1: Record Proof Steps
    netAccess(H2, Protocol, Port, ProofStep) :-
        execCode(H1, User),
        reachable(H1, H2, Protocol, Port),
        ProofStep = because('multi-hop network access',
                            netAccess(H2, Protocol, Port),
                            [execCode(H1, User), reachable(H1, H2, Protocol, Port)]).
The because(...) term is the proof step. 33

Stage 2: Build the Exhaustive Proof
Proof step:
    because('multi-hop network access', netAccess(fileServer, rpc, ), [execCode(webServer, apache), reachable(webServer, fileServer, rpc, )])
Resulting graph fragment:
    node 0: netAccess(fileServer, rpc, )
    node 1: multi-hop network access (rule node)
    node 2: execCode(webServer, apache)
    node 3: reachable(webServer, fileServer, rpc, ) 34

Complexity of Proof Building
O(N^2) to complete Datalog evaluation
–With proof steps generated
O(N^2) to build a proof graph from proof steps
–Need to build O(N^2) graph components
–Building one component: find the predecessor (table lookup), find the successors (table lookup)
Total time: O(N^2), if table lookup is constant time 35

Logical Attack Graphs
Legend (node shapes in the figure): OR node, AND node, ground fact.
Nodes of the example graph:
    execCode(attacker,workStation,root)
    Trojan horse installation
    accessFile(attacker,workStation, write,/usr/local/share)
    NFS semantics
    networkService(webServer,httpd,tcp,80,apache)
    vulExists(webServer, CAN , httpd, remoteExploit, privEscalation)
    netAccess(attacker,webServer, tcp,80)
    Remote exploit
    execCode(attacker, webServer,apache)
    accessFile(attacker,fileServer, write,/export)
    NFS shell 36
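The following Python program is an added example, not MulVAL's own XSB code. It takes the rules from slides 12–14 and 33 (remote exploit, NFS access, Trojan horse, multi-hop network access), hand-translated into Python the way the toolkit translates them for XSB, evaluates them to a fixpoint while recording each derivation as a one-level because(Rule, Conclusion, Premises) step (Stage 1), and then assembles the steps into the exhaustive proof graph of slides 34 and 36: derived facts become OR nodes over the steps that derive them, each step an AND node over its premises, and the input tuples the leaves (Stage 2). The sample network, the placeholder CVE id, the "direct network access" rule that gives the attacker's zone its initial reachability, and all function names are constructed for this example. The network is deliberately cyclic (code on the file server reaches the web server again), so the web server's network access ends up with two derivations; the one-level proof steps still reach a fixpoint, whereas embedding whole proofs in terms, as slide 31 describes, would not terminate on it.

```python
# Added example (Python, not MulVAL's XSB code): the slides' rules hand-translated
# into Python, evaluated to a fixpoint while recording one-level proof steps
# (because/3), then assembled into the exhaustive proof graph. The network, the
# CVE id and the "direct network access" rule are constructed for this example.
from collections import defaultdict

def rows(facts, pred, *pattern):
    """Atoms of pred whose leading argument positions equal pattern (None = any)."""
    return [a for a in facts if a[0] == pred
            and all(p is None or p == v for p, v in zip(pattern, a[1:]))]

def remote_exploit(facts):                 # slide 12's execCode rule
    for v in rows(facts, "vulExists", None, None, None, "remote", "privEscalation"):
        host, prog = v[1], v[3]
        for s in rows(facts, "networkService", host, prog):
            proto, port, user = s[3], s[4], s[5]
            for n in rows(facts, "netAccess", None, host, proto, port):
                yield ("execCode", n[1], host, user), [v, s, n]

def direct_access(facts):                  # assumed rule: attacker's own zone
    for z in rows(facts, "attackerLocated"):
        for r in rows(facts, "reachable", z[1]):
            yield ("netAccess", "attacker", r[2], r[3], r[4]), [z, r]

def multi_hop_access(facts):               # slide 33's netAccess rule
    for e in rows(facts, "execCode"):
        for r in rows(facts, "reachable", e[2]):
            yield ("netAccess", e[1], r[2], r[3], r[4]), [e, r]

def nfs_access(facts):                     # slide 13's accessFile rule
    for x in rows(facts, "nfsExport"):
        server, path, access, client = x[1:]
        for r in rows(facts, "reachable", client, server, "nfs", "-"):
            for e in rows(facts, "execCode", None, client):
                yield ("accessFile", e[1], server, access, path), [x, r, e]

def trojan_horse(facts):                   # slide 14's rule
    for a in rows(facts, "accessFile", None, None, "write"):
        for o in rows(facts, "fileOwner", a[2], a[4]):
            yield ("execCode", a[1], a[2], o[3]), [a, o]

RULES = [("remote exploit", remote_exploit), ("direct network access", direct_access),
         ("multi-hop network access", multi_hop_access), ("NFS semantics", nfs_access),
         ("Trojan horse installation", trojan_horse)]

def derive(facts):
    """Stage 1: fixpoint over RULES; every step is because(Rule, Conclusion, Premises).
    Steps are one level deep, so a cyclic rule set still reaches a fixpoint."""
    facts, steps = set(facts), set()
    while True:
        new = {(label, concl, tuple(prem)) for label, fn in RULES for concl, prem in fn(facts)}
        if new <= steps:
            return facts, steps
        steps |= new
        facts |= {concl for _, concl, _ in new}

def proof_graph(facts, steps):
    """Stage 2: derived facts are OR nodes over the steps that derive them, each step
    is an AND node over its premises, and the input tuples are the leaves."""
    graph = defaultdict(list)
    for label, concl, prem in steps:
        graph[concl].append((label, prem))
    return dict(graph), {f for f in facts if f not in graph}

def show(graph, goal, indent=0, seen=frozenset()):
    """Print the proof of goal; a fact met again on the same path is a cycle."""
    if goal in seen:
        print(" " * indent + "%s (cycle)" % (goal,))
        return
    print(" " * indent + str(goal))
    for label, prem in graph.get(goal, []):
        print(" " * (indent + 2) + "by " + label)
        for p in prem:
            show(graph, p, indent + 4, seen | {goal})

INPUT = [                                  # constructed sample network
    ("attackerLocated", "internet"),
    ("reachable", "internet", "webServer", "tcp", "80"),
    ("reachable", "webServer", "fileServer", "nfs", "-"),
    ("reachable", "fileServer", "webServer", "tcp", "80"),
    ("vulExists", "webServer", "CVE-XXXX-XXXX", "httpd", "remote", "privEscalation"),
    ("networkService", "webServer", "httpd", "tcp", "80", "apache"),
    ("nfsExport", "fileServer", "/export", "write", "webServer"),
    ("fileOwner", "fileServer", "/export", "root"),
]

def analyze(inputs=INPUT):
    """Return (proof graph, leaves) for the sample network."""
    facts, steps = derive(inputs)
    return proof_graph(facts, steps)

if __name__ == "__main__":
    graph, leaves = analyze()
    show(graph, ("execCode", "attacker", "fileServer", "root"))
```

Running the script prints the proof of root access on the file server in the nested form of slide 34 (conclusion, rule label, premises); the graph itself is what slide 35's component-by-component construction produces, with the two derivations of netAccess(attacker, webServer, tcp, 80) sitting under one OR node.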

Performance and Scalability 37

Related Work Sheyner’s attack graph tool (CMU) –Based on model-checking Cauldron attack graph tool (GMU) –Based on graph-search algorithms NetSPA attack graph tool (MIT LL) –Graph-search based on a simple attack model 38

Advantages of the Logic-programming Approach
Publishing and incorporation of knowledge/information through well-understood logical semantics
Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems 39

Next Lecture How to make use of the proof graph –Optimizing mitigation measures through SAT solving Open problems –Uncertainty in reasoning 40