Extending Logical Attack Graphs for Efficient Vulnerability Analysis
1. Abstract
The paper presents a logical framework for generating and maintaining attack graphs. It extends MulVAL so that the reason a subgoal fails can be located, and it proposes an incremental algorithm that reacts to changes in the network by updating the analysis instead of recomputing it from scratch.
2. Related techniques
(1) MulVAL extension rule
Each MulVAL rule gets one extra subgoal appended to its body: an assert/1 that records the rule label and the premises that matched. The original rule and the extended rule for remote exploitation of a server program look like this:
    /* remote exploit of a server program (original rule) */
    execCode(Attacker, H, Perm) :-
        malicious(Attacker),
        vulExists(H, _, Software, remoteExploit, privEsc),
        networkSvcInfo(H, Software, Protocol, Port, Perm),
        netAccess(Attacker, H, Protocol, Port).

    /* same rule, extended with a trailing subgoal that records why the
       head was derived: the rule label plus the premises that matched */
    execCode(Attacker, H, Perm) :-
        malicious(Attacker),
        vulExists(H, VulID, Software, remoteExploit, privEsc),
        networkSvcInfo(H, Software, Protocol, Port, Perm),
        netAccess(Attacker, H, Protocol, Port),
        assert(because('remote exploit of a server program',
                       [networkSvcInfo(H, Software, Protocol, Port, Perm),
                        vulExists(H, VulID, Software, remoteExploit, privEsc),
                        netAccess(Attacker, H, Protocol, Port)])).
Because every successful rule application leaves a because/2 record behind, a failed goal can be traced down the subgoal chain. For example, to derive allow two subgoals must succeed, get_sid and write; if write fails, allow fails, and write in turn fails because its own accessCheck subgoal fails, and so on down to the missing base fact.
(2) Incremental algorithm
The incremental algorithm reacts to changes in any of the inputs to the vulnerability-analysis framework. A change to the input is modelled as the insertion or deletion of the corresponding facts and rules; an update is modelled as deleting the old fact/rule and inserting the new one.
The algorithm has two phases. The first, the invalidation phase, identifies which calls may lose answers (DEL), may gain new answers (INS), or both. Pseudocode:
    invalidate(Call, TYPE)
        if TYPE == INS
            Call.falsecount++
        oldtype = Call.type
        Call.type = compose(oldtype, TYPE)
        if oldtype != Call.type
            propagate_invalid(Call, TYPE)

    propagate_invalid(C, TYPE)
        enqueue(affectedq, C)
        if C is a neg_call
            if (C has an answer and TYPE == DEL)
               or (C has no answer and TYPE == INS)
                check_and_propagate(C, TYPE)
            for C' = C.outedge.negative
                if TYPE != DEL
                    C'.falsecount++
                oldtype = C'.type
                C'.type = compose(oldtype, !TYPE)
                if oldtype != C'.type
                    propagate_invalid(C', !TYPE)
        else
            if C is a not call
                if (C has an answer and TYPE == DEL)
                   or (C has no answer and TYPE == INS)
                    check_and_propagate(C, TYPE)
            else
                check_and_propagate(C, TYPE)

    check_and_propagate(C, TYPE)
        for all C' in C.outedge.positive
            if TYPE == INS
                C'.falsecount++
            oldtype = C'.type
            C'.type = compose(oldtype, TYPE)
            if oldtype != C'.type
                propagate_invalid(C', TYPE)

    /* comments:
       !(INS) = DEL;  !(DEL) = INS
       compose(NO, X) = X,  compose(INS, DEL) = BOTH,
       compose(DEL, INS) = BOTH,  compose(BOTH, X) = BOTH
    */
The second phase, the re-evaluation phase, computes the answers that must be removed from, and inserted into, the answer tables. Deletion follows the delete-and-rederive (DRed) scheme: answers that depend on a deleted fact are first over-deleted, then those that still have an alternative derivation are rederived. Pseudocode:
    re_evaluation_phase()
        // affectedq contains the calls whose type was changed in the first phase
        DRed()
        re_evaluate()
        garbage_collect()

    DRed()                          // see Appendix
        delete()
        rederive()

    re_evaluate()
        while ((c = next_invalid_call()) != NULL)
            call(δc)                // incremental (delta) re-evaluation of c

    next_invalid_call()
    again:
        C = dequeue(affectedq)
        if C.type != DEL and C.falsecount > 0
            return C
        else
            if C is a neg call and C.type != INS
                if C still has an unmarked answer
                    propagate_valid(C.outedge.negative)
            goto again

    propagate_valid(C)
        for all C' in C.outedge.positive
            if C'.falsecount > 0
                C'.falsecount--
                if C'.falsecount == 0
                    propagate_valid(C')

    answer_check_insert(Answer)
        C = Answer.call
        if Answer ∈ answer_table(C)
            if Answer is marked deleted
                remove mark from Answer
                rederive_answer(Answer)   // see Appendix
                if C is a neg call
                    C' = C.outedge.negative
                    C'.falsecount = 0
                    propagate_valid(C')
        else
            // new answer is inserted in C
            if C is a neg call
                C' = C.outedge.negative
                mark_answer(C'.answer)    // see Appendix
                rederive()

    check_complete_insert(C)
        if C.type != NO
            if no new answer has been inserted in C
                propagate_valid(C)
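As an added worked example (not code from the paper or from MulVAL), the following Python sketch ties the two ideas above together on the page's execCode rule. evaluate() is a naive bottom-up Datalog evaluator that stores a because-style justification (rule label plus matched premises) for every derived fact; why_not() uses the rule body to report the first premise an underivable goal is missing, which is the diagnostic the extended rule is meant to support; dred_delete() performs the delete-and-rederive step that the re-evaluation phase calls. The function names, the tuple encoding of facts, the hosts and the vulnerability IDs (vulA, vulB) are all constructed for this example, and the engine is a plain fixpoint evaluator, so the call/answer-table bookkeeping (falsecount, affectedq, neg calls) of the pseudocode is not reproduced.

```python
"""Added example (not from the paper): a tiny Datalog evaluator over the page's
execCode rule that records because-style justifications, diagnoses why a goal
fails, and maintains derived facts under deletion with delete-and-rederive."""


def unify(pattern, fact, env):
    """Return env extended so that pattern matches fact, else None.
    Convention: variables start with a capital letter, constants do not."""
    if pattern[0] != fact[0] or len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if p[:1].isupper() and env.get(p, f) == f:
            env[p] = f                      # bind (or re-confirm) a variable
        elif p != f:
            return None                     # constant mismatch / clash
    return env


def subst(atom, env):
    return tuple(env.get(t, t) for t in atom)


# The page's rule as (label, head, body); the label is what because/2 records.
RULES = [("remote exploit of a server program",
          ("execCode", "Attacker", "H", "Perm"),
          [("malicious", "Attacker"),
           ("vulExists", "H", "VulID", "Software", "remoteExploit", "privEsc"),
           ("networkSvcInfo", "H", "Software", "Protocol", "Port", "Perm"),
           ("netAccess", "Attacker", "H", "Protocol", "Port")])]


def matches(body, facts, env):
    """Yield every binding that satisfies all body atoms against facts."""
    if not body:
        yield env
        return
    for f in facts:
        e = unify(body[0], f, env)
        if e is not None:
            yield from matches(body[1:], facts, e)


def evaluate(base):
    """Naive fixpoint. Returns (facts, because): because maps each derived
    fact to its list of (rule label, premises) justifications."""
    facts, because, changed = set(base), {}, True
    while changed:
        changed, snap = False, frozenset(facts)   # rules see a stable snapshot
        for label, head, body in RULES:
            for env in matches(body, snap, {}):
                h, prem = subst(head, env), tuple(subst(a, env) for a in body)
                if (label, prem) not in because.setdefault(h, []):
                    because[h].append((label, prem))
                if h not in facts:
                    facts.add(h)
                    changed = True
    return facts, because


def why_not(goal, facts):
    """For a goal no rule derives: walk the first applicable rule's body left
    to right and return (rule label, first premise with no matching fact)."""
    for label, head, body in RULES:
        envs = [unify(head, goal, {})]
        if envs[0] is None:
            continue
        for atom in body:
            nxt = [e2 for e in envs for f in facts
                   if (e2 := unify(atom, f, e)) is not None]
            if not nxt:
                return label, subst(atom, envs[0])
            envs = nxt
    return None


def dred_delete(fact, facts, because):
    """DRed: over-delete every fact reachable from `fact` through the
    justifications, then rederive the ones that still have a full support."""
    doomed, grew = {fact}, True
    while grew:                                   # deletion (overestimate)
        grew = False
        for h, sups in because.items():
            if h not in doomed and any(set(p) & doomed for _, p in sups):
                doomed.add(h); grew = True
    remaining, grew = set(facts) - doomed, True
    while grew:                                   # rederivation
        grew = False
        for h in list(doomed - {fact}):
            if any(set(p) <= remaining for _, p in because.get(h, [])):
                doomed.discard(h); remaining.add(h); grew = True
    because = {h: [s for s in sups if set(s[1]) <= remaining]
               for h, sups in because.items() if h in remaining}
    return remaining, because


# Constructed input: one attacker, two hosts, placeholder vulnerability IDs.
BASE = {("malicious", "attacker"),
        ("vulExists", "webServer", "vulA", "httpd", "remoteExploit", "privEsc"),
        ("networkSvcInfo", "webServer", "httpd", "tcp", "80", "apache"),
        ("networkSvcInfo", "webServer", "httpd", "tcp", "443", "apache"),
        ("netAccess", "attacker", "webServer", "tcp", "80"),
        ("netAccess", "attacker", "webServer", "tcp", "443"),
        ("vulExists", "fileServer", "vulB", "nfsd", "remoteExploit", "privEsc"),
        ("networkSvcInfo", "fileServer", "nfsd", "rpc", "100003", "root")}
```

On this input evaluate(BASE) derives execCode(attacker, webServer, apache) with two justifications (one per port), while why_not(("execCode", "attacker", "fileServer", "root"), facts) reports the missing premise netAccess(attacker, fileServer, rpc, 100003). Deleting the port-80 netAccess fact with dred_delete first over-deletes the webServer execCode answer and then rederives it through the port-443 support; deleting the port-443 fact as well removes it for good. Insertion is not shown separately: with a bottom-up evaluator it amounts to re-running evaluate() on the enlarged fact set, which reuses the existing answers but is not the tabled re-evaluation of the paper.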
3. Experimental results
Experiments were run on four network topologies: star, ring, partitioned and tree.
Star: one central device can reach every protocol and port on every other machine.
Ring: each machine on the ring is connected only to its two neighbours.
Partitioned: the topology is modelled as equally sized fully connected networks, joined only through a single pair of machines, one chosen from each partition.
Tree: a tree-shaped network in which the attacker's machine is connected to the root.
The figure shows that inserting a host into the topology costs 9%-60% of the time of a full re-analysis, whereas deleting a node costs less than 1%. The incremental algorithm therefore performs best on deletions.