Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yves Deswarte deswarte@laas.fr Contribution of Quantitative Security Evaluation to Intrusion Detection Yves Deswarte deswarte@laas.fr RAID’96 16-19 September.

Published byJessie Sanders Modified over 6 years ago

Similar presentations

Presentation on theme: "Yves Deswarte deswarte@laas.fr Contribution of Quantitative Security Evaluation to Intrusion Detection Yves Deswarte deswarte@laas.fr RAID’96 16-19 September."— Presentation transcript:

1 Yves Deswarte deswarte@laas.fr
Contribution of Quantitative Security Evaluation to Intrusion Detection Yves Deswarte RAID’96 16-19 September 1998

2 Security Evaluation Usual evaluation techniques:
evaluation criteria (TCSEC, ITSEC,...) : ~ qualitative risk analysis: (vulnerabilities, threats, consequences) they are static analyses rather than dynamic: “How was the system designed? ” rather than “How is it used? ” Quantitative evaluation objectives: trade-off security-usability monitor security evolution wrt. configuration changes identify the best possible improvements

3 Quantitative Evaluation Framework
Identification of security objectives: security policy Modeling vulnerabilities Building the possible intrusion process Computation of significative measures

4 Vulnerability Modeling: privilege graph
1) Y’s .rhosts is writable by X 2) X can guess Y's password 3) X can modify Y’s .tcshrc 4) X is a member of Y 5) Y uses a program managed by X 6) X can modify a setuid program owned by Y 7) X is in Y's .rhosts B P 1 A X admin F insider 2 4 5 6 7 3 node = a privilege set arc = a method to transfer privileges = vulnerability path = set of vulnerabilities that can be exploited by a possible intruder to reach a target weight assigned to each arc = assessment of the difficulty to exploit the vulnerability (time, expertise, equipment, collusion, ...)

5 Assumptions on the Intrusion Process
Intrusion Process = all the possible attack scenarios Basic Assumptions: the intruder knows only the vulnerabilities exploitable with his privileges the intruder will not exploit vulnerabilities which would give him privileges he already owns. and either: Total Memory (TM): the intruder considers all the vulnerabilities he has not yet exploited MemoryLess (ML): the intruder only considers the vulnerabilities reachable from the newly acquired privileges

6 Example of Intrusion Process
B P 1 A X admin F insider 2 4 5 6 7 3 ML Assumption TM Assumption 3 6 5 7 4 1 2 1 3 2 6 5 7 4

7 Quantitative Measures
Identify attacker-target couples For each couple, compute: METF-ML : mean effort to reach the target with assumption ML METF-TM : mean effort to reach the target with assumption TM Shortest Path : mean effort to run through the shortest path Number of Paths : number of paths from the attacker node to the target node

8 Experiment Objectives
Validate the approach: assess the measures pertinence wrt. security evolution study the feasibility of evaluation a “real system” Was not an objective: improve the security, correct the vulnerabilities

9 Experiment Context Distributed System: LAN, NFS Unix
700 users computers 21 months (June March 1997) 13 types of vulnerabilities (.rhosts, .*rc, passwords, etc.) 4 effort levels: Objectives:

10 Experiment Results - Example

11 Comparison with other Tools (I)
number of vulnerabilities METF-ML and METF-TM

12 Comparison with other Tools (II)
vulnerability numbers in each class METF-ML and METF-TM

13 Relationship with Intrusion Detection
Quantitative Evaluation Intrusion Detection: Privilege Graph model: to correlate user behavior with progression towards a target alarm rating according to the effort remaining to reach a target Intrusion Detection Quantitative Evaluation: to tune vulnerability weight according to user profile (Trojan Horses)

Download ppt "Yves Deswarte deswarte@laas.fr Contribution of Quantitative Security Evaluation to Intrusion Detection Yves Deswarte deswarte@laas.fr RAID’96 16-19 September."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
© Ravi Sandhu www.list.gmu.edu Introduction to Information Security Ravi Sandhu.

© Ravi Sandhu Introduction to Information Security Ravi Sandhu.
Introduction to IRRIIS testing platform IRRIIS MIT Conference ROME 8 February 2007 Claudio Balducelli.

Introduction to IRRIIS testing platform IRRIIS MIT Conference ROME 8 February 2007 Claudio Balducelli.
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
 Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia.

 Cyber Ecosystem & Data Security Subhro Kar CSCE 824, Spring 2013 University of South Carolina, Columbia.
Ranking of security controlling strategies driven by quantitative threat analysis. Tavolo 2: Big data security evaluation UNIFI-CNR Nicola Nostro, Andrea.

Ranking of security controlling strategies driven by quantitative threat analysis. Tavolo 2: "Big data security evaluation" UNIFI-CNR Nicola Nostro, Andrea.
H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering,

H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering,
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Introducing Computer and Network Security

Introducing Computer and Network Security
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Introduction to Network Defense

Introduction to Network Defense
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Similar presentations

Ads by Google