Yves Deswarte deswarte@laas.fr Contribution of Quantitative Security Evaluation to Intrusion Detection Yves Deswarte deswarte@laas.fr RAID’96 16-19 September.

1 Contribution of Quantitative Security Evaluation to Intrusion Detection
Yves Deswarte, deswarte@laas.fr
RAID’96, 16-19 September 1998

2 Security Evaluation
Usual evaluation techniques:
- evaluation criteria (TCSEC, ITSEC, ...): ~ qualitative
- risk analysis (vulnerabilities, threats, consequences)
Both are static analyses rather than dynamic: “How was the system designed?” rather than “How is it used?”
Quantitative evaluation objectives:
- trade-off between security and usability
- monitor security evolution with respect to configuration changes
- identify the best possible improvements

3 Quantitative Evaluation Framework
- Identification of security objectives: security policy
- Modeling vulnerabilities
- Building the possible intrusion process
- Computation of significant measures

4 Vulnerability Modeling: privilege graph
[Figure: privilege graph with nodes insider, A, B, P, X, F and admin, joined by arcs numbered 1 to 7]
1) Y’s .rhosts is writable by X
2) X can guess Y's password
3) X can modify Y’s .tcshrc
4) X is a member of Y
5) Y uses a program managed by X
6) X can modify a setuid program owned by Y
7) X is in Y's .rhosts
- node = a privilege set
- arc = a method to transfer privileges = vulnerability
- path = set of vulnerabilities that can be exploited by a possible intruder to reach a target
- weight assigned to each arc = assessment of the difficulty to exploit the vulnerability (time, expertise, equipment, collusion, ...)

5 Assumptions on the Intrusion Process
Intrusion Process = all the possible attack scenarios
Basic assumptions:
- the intruder knows only the vulnerabilities exploitable with his privileges
- the intruder will not exploit vulnerabilities which would give him privileges he already owns
and either:
- Total Memory (TM): the intruder considers all the vulnerabilities he has not yet exploited
- MemoryLess (ML): the intruder only considers the vulnerabilities reachable from the newly acquired privileges

6 Example of Intrusion Process
[Figure: the privilege graph of slide 4 (nodes insider, A, B, P, X, F, admin; arcs 1 to 7) unfolded as an intrusion process under the ML assumption and under the TM assumption]

7 Quantitative Measures
Identify attacker-target couples. For each couple, compute:
- METF-ML: mean effort to reach the target with assumption ML
- METF-TM: mean effort to reach the target with assumption TM
- Shortest Path: mean effort to run through the shortest path
- Number of Paths: number of paths from the attacker node to the target node
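As an added worked example (not code from the presentation), the four measures of slide 7 computed on a small constructed privilege graph in the style of slide 4, under the ML and TM assumptions of slide 5. It models the intruder's progression as a race between the candidate vulnerabilities, each exploited at rate 1/effort, which is the usual Markov reading of "mean effort"; node names and weights are hypothetical.

```python
from fractions import Fraction
from functools import lru_cache
# Constructed privilege graph (hypothetical, not the slides' example): node = privilege
# set, arc = vulnerability, weight = effort to exploit it (arbitrary units).
ARCS = {("insider", "A"): 2, ("insider", "B"): 4, ("A", "B"): 1,
        ("A", "admin"): 10, ("B", "admin"): 5}

def out_arcs(node, owned):
    # Arcs leaving node that lead to privileges the intruder does not own yet
    return [(d, w) for (s, d), w in ARCS.items() if s == node and d not in owned]

def metf(start, target, assumption):
    """Mean effort to reach target under "ML" or "TM" (Markov model: each candidate
    arc is exploited at rate 1/effort, so the mean sojourn in a state is 1/sum(rates)
    and the next arc is the one that wins the race, probability rate/sum(rates))."""
    @lru_cache(maxsize=None)
    def solve(current, owned):
        if target in owned:
            return Fraction(0)
        # TM: arcs leaving any owned node; ML: only arcs from the newest privilege
        sources = owned if assumption == "TM" else (current,)
        cand = [(d, w) for s in sources for d, w in out_arcs(s, owned)]
        if not cand:
            return None  # dead end: target unreachable, measure undefined here
        rates = [Fraction(1, w) for _, w in cand]
        total = sum(rates)
        effort = 1 / total
        for (d, _), r in zip(cand, rates):
            rest = solve(d, owned | {d})
            if rest is None:
                return None
            effort += r / total * rest
        return effort
    return solve(start, frozenset({start}))

def all_paths(start, target, owned=None):
    # Simple paths from start to target, as lists of nodes
    owned = frozenset({start}) if owned is None else owned
    if start == target:
        return [[start]]
    return [[start] + p for d, _ in out_arcs(start, owned)
            for p in all_paths(d, target, owned | {d})]

def measures(start, target):
    # The four measures of slide 7 for one attacker-target couple
    paths = all_paths(start, target)
    cost = lambda p: sum(ARCS[e] for e in zip(p, p[1:]))
    return {"METF-ML": metf(start, target, "ML"), "METF-TM": metf(start, target, "TM"),
            "Shortest Path": min(map(cost, paths)), "Number of Paths": len(paths)}
```

On this graph METF-TM comes out below METF-ML, because the TM intruder races over every unexploited vulnerability at once while the ML intruder only tries those reachable from his latest privilege.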

8 Experiment Objectives
Validate the approach:
- assess the pertinence of the measures with respect to security evolution
- study the feasibility of evaluating a “real system”
Was not an objective: improve the security, correct the vulnerabilities

9 Experiment Context
Distributed System: LAN, NFS, Unix
- 700 users
- computers
- 21 months (June March 1997)
- 13 types of vulnerabilities (.rhosts, .*rc, passwords, etc.)
- 4 effort levels
Objectives:

10 Experiment Results - Example

11 Comparison with other Tools (I)
- number of vulnerabilities
- METF-ML and METF-TM

12 Comparison with other Tools (II)
- vulnerability numbers in each class
- METF-ML and METF-TM

13 Relationship with Intrusion Detection
Quantitative Evaluation -> Intrusion Detection:
- Privilege Graph model: to correlate user behavior with progression towards a target
- alarm rating according to the effort remaining to reach a target
Intrusion Detection -> Quantitative Evaluation:
- to tune vulnerability weights according to user profile (Trojan Horses)
