An Attack Vector Evaluation Method for Smart City Security Protection

SECTION I.

Introduction

Smart cities depend heavily on frontier information technologies such as big data, the Internet of Things and cloud computing. The data volume is huge and spans government affairs, business, daily life and other aspects. Once information leakage, data loss, infrastructure damage or other security incidents occur, economic development and social stability may be affected. Therefore, guaranteeing the security of the information infrastructure of smart cities is of great practical significance. The first step in protecting the network security of a smart city is to identify its current security risks; enhancing security capability on the basis of risk awareness is common practice. However, the security risk assessment of a complex system has always been a challenging issue. Especially in the face of advanced persistent threats (APT), we lack sufficient information and effective methods to predict the possible attack vectors, which makes it difficult to obtain an exact and objective result.

Researchers have proposed a large number of risk analysis methods based on attack paths and attack graphs for security assessment, trying to link the vulnerability of a system with the feasibility of attacks. These methods rely on known information for their analysis and are limited by the complexity of their algorithms, so they are difficult to apply in practice. On the other hand, existing security studies focus more on network penetration tests and lack specific consideration of attack vectors.

According to MITRE's ATT&CK classification, attacks are divided into two stages, before initial access and after obtaining access rights, and the key that connects these two stages is the attack vector [1]. How to realize initial access and lay the foundation for subsequent operations is often the first goal an attacker must achieve. According to our survey of related research, there is still a lack of evaluation methods for the attack vectors used to obtain initial access in multi-step attacks or APT attacks. This paper proposes a method to model attack vectors more comprehensively.

The main contributions are summarized as follows.

  • A novel attack vector evaluation model is proposed.

  • A new and comprehensive method for predicting the availability of attack vectors under defense is proposed.

  • An experimental analysis is given and the model's value in security risk assessment is demonstrated.

The rest of this paper is organized as follows. In Section II, we give a brief introduction to related work, and we propose our model in Section III. Then, we present an experimental analysis in Section IV.

SECTION II.

Related work

Research on attack vectors is relatively scarce, and previous work has been limited to the analysis of attack vectors for specific applications and services [2],[3]. More works focus on vulnerability analysis: analyzing possible attacks, collecting and analyzing vulnerability data and other security data of specific target networks, and synthesizing the security posture of the target networks. Researchers use a variety of methods to analyze and quantify vulnerability.

Among these research methods, vulnerability analysis using attack graphs is one of the most commonly used. Researchers have proposed various graph-based algorithms to generate attack trees or attack graphs. Swiler et al. proposed a graph-based network vulnerability analysis method. This method can analyze the risk of a particular network asset or the possible consequences of a successful attack. The graph-based analysis system can identify a group of attack paths that have a high probability of success for attackers. The analysis system takes a database of common attacks as input and creates attack graphs by database matching. By assigning the probability of success or the cost of attack to each arc, and then applying graph algorithms (such as a shortest path algorithm), the attack path with the highest probability of success can be identified. Thus, attack path planning and effectiveness evaluation can be realized [4].

The attack graph represents all possible attack sequences, in which any given attack can use the penetration achieved by previous attacks in its chain to reach the attacker's target. Attacks are usually directed at vulnerabilities, so network vulnerabilities can be linked together, the attack graph can be compactly represented, and a minimum vulnerability set can be identified [5],[6].

Existing vulnerability analysis methods usually focus on measuring individual vulnerabilities without considering their combined impact, and the evolving nature of vulnerabilities and networks is largely ignored. Therefore, Frigault et al. proposed a model based on a Dynamic Bayesian Network (DBN) attack graph to incorporate time factors, such as the availability of exploit code or patches for a vulnerability. The new model provides a theoretical basis and practical framework for continuous assessment of network security in dynamic environments [7]. In [8-10], vulnerability analysis models based on attack graphs are also proposed.

In addition to vulnerability analysis methods based on attack graphs, researchers have proposed other methods to analyze vulnerability. Madan et al. studied various issues related to quantifying the security attributes of intrusion-tolerant systems, and modeled the response of security intrusion and intrusion-tolerant systems to attacks. This helps to capture the attacker's behavior and the system's response to intrusions using stochastic modeling techniques, and the model can be used to analyze and quantify the security attributes of systems [11]. Balzarotti et al. discussed how to quantitatively assess the risks faced by a distributed system using information about its architecture and vulnerabilities. This risk assessment method can be used to assess how much trust can be placed in a system's reliability and provides a reference for comparing the security costs of different solutions [12].

The above research uses attack graph methods, reliability theory and comprehensive scoring to study vulnerability analysis, which provides a basis for research on multilayer dynamic network vulnerability analysis. However, previous studies have paid less attention to attack vector analysis and lack a detailed understanding of attack vectors, which limits the accuracy of vulnerability assessment. This paper aims at this problem and focuses on attack vector modeling.

SECTION III.

Our model

A. WPA attack vector model

The main goal of an attack vector is to find and obtain an entry point for initial access, which provides the environment for subsequent operations. This step is often the most challenging part for intruders. The feasibility of an attack vector depends on the existence of a target weakness, the accessibility of a path and the success of the intrusion operation. WannaCry is a typical attack based on network penetration and exploitation: successful infection relies on the existence of the SMB service vulnerability, the route to the target being reachable, and the intrusion not being blocked in the process [13].

Therefore, we propose the WPA attack vector evaluation model, shown in Fig. 1.

Fig. 1.

The relationship of weakness, path and action.


  • Weakness refers to vulnerabilities, configuration problems, lack of management or lack of security awareness. We are concerned with the probability of its existence.

  • Path refers to the way of contacting the target, directly or indirectly. Following the MITRE ATT&CK classification, we divide it into six categories [1]. We are concerned with its accessibility.

  • Action refers to the ability to exploit the weakness to obtain initial access, given that the path is accessible.

Next, we give a formal definition of the feasibility of a target attack vector.

$$P(attvec) = P(weakness, path, action) \quad (1)$$

$$P(weakness, path, action) = P(weakness, path)\,P(action \mid weakness, path) \quad (2)$$

$$P(weakness, path) = P(weakness)\,P(path \mid weakness) \quad (3)$$

Definition (1) states that the success probability of an attack vector is determined by the existing weakness, the reachable path and the feasible action. By applying the Bayesian probability graph decomposition of Fig. 1, we derive formulas (2) and (3).

For a specific target T, its weakness can be expressed as a three-dimensional vector in which the length of each component is variable; the features are vulnerability vul, configuration conf, and management man:

$$T_{\text{weakness}}[\,] = [\,\text{vul},\ \text{conf},\ \text{man}\,] \quad (4)$$

According to the way the target is accessed, the path vector is a six-dimensional vector, and the length and values of each component differ:

$$T_{\text{path}}[\,] = [\,\text{network},\ \text{file},\ \text{hardware},\ \text{software},\ \text{channel},\ \text{people}\,] \quad (5)$$

  • For the network vector, we store the scope of accessing the target through the network as a 5-tuple [src_ip, src_port, protocol, des_ip, des_port], in which src_ip and des_ip may not be null.

  • The file vector is composed of [file_source, file_channel, file_type, file_size, extension features]. The file_source feature represents the source of the file (a person, an organization or a public service resource), file_channel represents the way of file delivery (including mail, system download, instant messaging, etc.), and file_type and file_size represent the file type and size. For example, if a stranger sends an exe program by e-mail, the probability of the file being executed is lower.

  • Hardware includes portable devices, the supply chain, maintenance, external connections, wireless cards, etc.

  • Software includes software updates, the supply chain, third-party custom-developed software, and other ways of implanting malicious code into software to obtain system access.

  • Tapping is mainly aimed at information stealing, traffic hijacking, data tampering, electromagnetic attacks and other operations through link interception. Links include wired and wireless links; wired links include optical fiber, cable, etc.

  • Physical refers to obtaining access to the target by physical contact, so as to achieve physical damage to the target, hard disk theft, photography and so on.

  • The action set can be classified into six types, each corresponding to a type of action that launches a specific behavior to obtain initial access. They are defined as:

$$T_{\text{action}}[\,] = [\,\text{exploit},\ \text{execution},\ \text{implant},\ \text{install},\ \text{tapping},\ \text{physical}\,] \quad (6)$$

This is the last step needed to obtain access rights, including vulnerability exploitation, malicious file execution, additional hardware installation, malicious code implantation, wiretapping, physical contact and other specific operations.

B. Attack Vector Analysis Based on Known Vulnerability Information

For a specific target, the attack vector space is analyzed on the basis of the WPA model by combining W, P and A, as illustrated in Fig. 2, so that the ways in which the target may be invaded are defined.

if (weakness.existed & path.reachable & action.success), then the attack_vector is feasible. (7)

For a given attack described in threat intelligence, by learning its intrusion method we can evaluate the compromise probability of our own system with the aid of our model. The WannaCry ransomware attack uses the EternalBlue vulnerability, intrudes via network access and obtains system access authority; we can represent it as:

if (EternalBlue.existed & network.reachable & exploit.success), then the attack_vector of WannaCry is feasible. (8)

Fig. 2

WPA model demonstration


C. Modeling of Unknown Weaknesses

Interestingly, the WPA model can also support the analysis of unknown vulnerabilities, such as 0-day vulnerabilities. By assuming the possible weakness types of the target and combining the features of weakness, path and action, we can construct attack modes that have never appeared before. This is an important supplement to attack vector analysis based on known vulnerability information.

The combination of weakness, path and action can also be (weakness, path1, path2, action) or (weakness, path, action1, action2), etc. For example, a remote access service may be embedded through the hardware supply chain to support later remote access.

D. Attack Vector Analysis Model with Defense Conditions

In the WPA model above, defensive measures were not considered. In reality, a system is often protected by firewalls, IPS, anti-virus, host security hardening and other software that prevent intrusion. This is a dynamic game process: attackers often need to investigate the defense situation of the target and choose a decision policy based on success priority, cost priority or time priority, so as to develop the optimal attack mode.

The relationship between defense mechanism and WPA model is as follows:

Fig. 3

WPA model with defense


Weaknesses exist objectively, so defense focuses on blocking the path and on detecting and blocking the action. The feasibility of a target attack vector with defense is then:

$$P(att\_vec) = P(weakness, action, path, defense) \quad (9)$$

Decomposing with the probability graph method, since weakness, path and action satisfy conditional independence given defense, and since the existence of a weakness does not depend on the defense:

$$\begin{aligned} P(defense)\,P(weakness, path, action \mid defense) &= P(defense)\,P(weakness \mid defense)\,P(path \mid defense)\,P(action \mid defense) \\ &= P(defense)\,P(weakness)\,P(path \mid defense)\,P(action \mid defense) \end{aligned} \quad (10)$$

Quantifying P(path | defense) and P(action | defense) is a tough task. It is difficult to assess whether anti-virus software can detect and remove malicious files, whether an IPS can prevent vulnerability exploitation, whether a WAF can protect against SQL injection attacks, and so on. A feasible method is to assign probabilities based on factors such as collected public evaluation data of the products and the time of the attack.
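The following is an added example, not code from the paper: a small Python evaluator that implements the WPA factorization of equations (1)-(3), the feasibility rule (7) applied to the WannaCry vector of (8), the enumeration of the W x P x A space from Section III.B, and the defense-conditioned form of equation (10). The block-rate and detection-rate scaling of P(path | defense) and P(action | defense), the threshold for rule (7) and all numeric values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Added example (not the paper's code): a WPA evaluator implementing eqs. (1)-(3),
# the feasibility rule (7) and the defense-conditioned form (10).
# All probabilities are constructed sample values, not measurements.

@dataclass(frozen=True)
class Weakness:
    name: str        # a vul, conf or man feature from eq. (4)
    p_exists: float  # P(weakness): objective, not changed by defense (eq. 10)

@dataclass(frozen=True)
class Path:
    kind: str           # one of the six path categories of eq. (5)
    p_reachable: float  # P(path | weakness)

@dataclass(frozen=True)
class Action:
    kind: str         # one of the six action types of eq. (6)
    p_success: float  # P(action | weakness, path)

def conditioned(p, a, defense):
    """Assumption: P(path|defense) and P(action|defense) are the undefended values
    scaled by the defense's block and detection rates for that path/action kind."""
    if defense is None:
        return p.p_reachable, a.p_success
    return (p.p_reachable * (1 - defense.get(("path", p.kind), 0.0)),
            a.p_success * (1 - defense.get(("action", a.kind), 0.0)))

def p_attack_vector(w, p, a, defense=None, p_defense=1.0):
    """Eqs. (1)-(3) when defense is None; eq. (10) otherwise (P(defense)=p_defense)."""
    p_path, p_action = conditioned(p, a, defense)
    return p_defense * w.p_exists * p_path * p_action

def is_feasible(w, p, a, defense=None, threshold=0.5):
    """Rule (7): all three factors must hold; here 'hold' means probability > threshold."""
    p_path, p_action = conditioned(p, a, defense)
    return min(w.p_exists, p_path, p_action) > threshold

def rank_attack_vectors(weaknesses, paths, actions, defense=None):
    """Enumerate the W x P x A space of Section III.B and rank by probability."""
    space = product(weaknesses, paths, actions)
    return sorted(((w, p, a, p_attack_vector(w, p, a, defense)) for w, p, a in space),
                  key=lambda t: t[3], reverse=True)

# Constructed sample: the WannaCry vector of eq. (8) with and without an IPS/firewall.
ETERNALBLUE = Weakness("EternalBlue SMB vulnerability", 0.9)
NETWORK, EXPLOIT = Path("network", 0.8), Action("exploit", 0.7)
IPS = {("path", "network"): 0.5, ("action", "exploit"): 0.6}   # block / detection rates
```

With these sample values the undefended WannaCry vector scores 0.504 and passes rule (7), while under the IPS profile it drops to 0.1008 and fails it; ranking the space then shows which remaining path and action combination a defender should block next.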

SECTION IV.

Experiment and evaluation

In this section, we give an abstract enterprise network topology to illustrate the usage of our model, as shown in Fig. 5.

By analyzing the possible combinations of weakness, path and action, we can derive the feasible attack vectors of the network; the analysis result is shown in Table 1. With the WPA model, we can launch comprehensive evaluations of the attack vectors the network confronts; furthermore, we also give a prediction and qualification method. However, accurate prediction of the success probability of a specific attack vector is limited by the defense knowledge we can derive, and this will be the focus of our future research.

Fig. 5

Topology of a simple enterprise internal network


TABLE I. WPA ANALYSIS SAMPLE
