On the Density and Subsequent Utility of Attack Graphs in Realistic Environments

Advanced Persistent Threats(APT) are a serious concern to secure an organization. The sophistica- tion of APT attacks is much discussed, and the recent compromising of Google, RSA and Sony using APTs has gained lots of attentions. Successful protection against APTs should complement traditional perimeter and infrastructure security measures and policies. In this paper, we show that adding APTs in our threat landscape, conventional attack graphs for realistic environments are quite dense meaning that their utility is quite limited. This density is a consequence of common, inherent vulnerabilities in conventional computing systems and network environments. Our approach is to formally define a set of vulnerabilities that we call privilege expansion vulnerabilities. A superset of privilege escalation vulnerabilities, privilege expansion refers to cases where an attacker can either earn greater privilege on the current host or use his current privilege to earn privileges on other hosts. Based on our formal definitions, we define a set of rules for adding edges to attack graphs and develop a tool that computes a closure of these rules in the graph. For two example environments, we compute new attack graphs incorporating these new edges and demonstrate the use of the tool by evaluating addressing 4 different privilege expansion vulnerabilities

Intelligent Systems Supporting the Use of Energy Systems and Other Complex Technical Objects, Modeling, Testing and Analysis of Their Reliability in the Operation Process

The book focuses on a novel application of Intelligent Systems for supporting the operation and maintenance of power systems or other technical facilities within wind farms. Indicating a different perception of the reliability of wind farm facilities led to the possibility of extending the operation lifetime and operational readiness of wind farm equipment. Additionally, the presented approach provides a basis for extending its application to the testing and analysis of other technical facilities

Security risk assessment in cloud computing domains

Cyber security is one of the primary concerns persistent across any computing platform. While addressing the apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures since organizations operate under budgetary constraints. Therefore the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight about the strengths and weaknesses of different assets affiliated to a computing platform. The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated to different key assets of Cloud computing domains - infrastructure, applications, and users. The dissertation presents various informal approaches of performing security risk assessment which will help to identify the security risks confronted by the aforementioned assets, and utilize the results to carry out the required cost-benefit tradeoff analyses. This will be beneficial to organizations by aiding them in better comprehending the security risks their assets are exposed to and thereafter secure them by designing cost-optimal mitigation measures --Abstract, page iv

Visualizing Contextual Information for Network Vulnerability Management

The threat of data breach rises every day, and many organizations lack the resources to patch every vulnerability they might have. Yet, these organizations do not prioritize what vulnerabilities to patch in an optimal way, in part due to a lack of context needed to make these decisions. Our team proposes the Vulnerability Visualization (VV) tool, a web visualization dashboard for increasing analyst prioritization capabilities through visualization of context for network scans. Evaluations demonstrate that the VV tool enhances the vulnerability management (VM) process through augmenting the discovery and prioritization of vulnerabilities. We show that adding context to the VM process through visualization allows people to make better decisions for vulnerability remediation

Finding and Exploiting Vulnerabilities in Embedded TCP/IP Stacks

In the context of the rapid development of IoT technology, cyber-attacks are becoming more frequent, and the damage caused by cyber-attacks is remaining obstinately high. How to take the initiative in the rivalry with attackers is a major problem in today's era of the Internet. Vulnerability research is of great importance in this contest, especially the study of vulnerability detection and exploitation methodologies. The objective of the thesis is to examine vulnerabilities in DNS client implementations of embedded TCP/IP stacks, specifically in terms of vulnerability detection and vulnerability exploitation research. In the thesis, a detection method is developed for some anti-patterns in DNS client implementations using a static analysis platform. We tested it against 10 embedded TCP/IP stacks, the result shows that the developed detection method has high precision for detecting the vulnerabilities found by the Forescout research labs with a total of 88% accuracy. For different anti-patterns, the method has different detection precision and it is closely related to the implementation of the detection queries. The thesis also conducted vulnerability exploitation research for a heap overflow vulnerability that exists in a DNS client implementation of a popular TCP/IP stack. A proof-of-concept of this exploitation is developed. Though there are many constraints for successful exploitations, the ability to conduct remote code execution attacks still makes exploitation of heap overflow vulnerability dangerous. In addition, attacks against TCP/IP stacks can take advantage of the stacks and make it possible for an attacker to exploit vulnerabilities in other devices. Often it takes a huge amount of time for researchers to have deep knowledge of a codebase and to find vulnerabilities in it. But with the developed detection method, we can automate the process of locating vulnerable code patterns to add support for detecting relevant vulnerabilities. Research on the exploitation of vulnerabilities can allow us to discover the potential impact of a vulnerability from the perspective of an attacker and implement targeted defences

Automating Cyber Analytics

Model based security metrics are a growing area of cyber security research concerned with measuring the risk exposure of an information system. These metrics are typically studied in isolation, with the formulation of the test itself being the primary finding in publications. As a result, there is a flood of metric specifications available in the literature but a corresponding dearth of analyses verifying results for a given metric calculation under different conditions or comparing the efficacy of one measurement technique over another. The motivation of this thesis is to create a systematic methodology for model based security metric development, analysis, integration, and validation. In doing so we hope to fill a critical gap in the way we view and improve a system’s security. In order to understand the security posture of a system before it is rolled out and as it evolves, we present in this dissertation an end to end solution for the automated measurement of security metrics needed to identify risk early and accurately. To our knowledge this is a novel capability in design time security analysis which provides the foundation for ongoing research into predictive cyber security analytics. Modern development environments contain a wealth of information in infrastructure-as-code repositories, continuous build systems, and container descriptions that could inform security models, but risk evaluation based on these sources is ad-hoc at best, and often simply left until deployment. Our goal in this work is to lay the groundwork for security measurement to be a practical part of the system design, development, and integration lifecycle. In this thesis we provide a framework for the systematic validation of the existing security metrics body of knowledge. In doing so we endeavour not only to survey the current state of the art, but to create a common platform for future research in the area to be conducted. We then demonstrate the utility of our framework through the evaluation of leading security metrics against a reference set of system models we have created. We investigate how to calibrate security metrics for different use cases and establish a new methodology for security metric benchmarking. We further explore the research avenues unlocked by automation through our concept of an API driven S-MaaS (Security Metrics-as-a-Service) offering. We review our design considerations in packaging security metrics for programmatic access, and discuss how various client access-patterns are anticipated in our implementation strategy. Using existing metric processing pipelines as reference, we show how the simple, modular interfaces in S-MaaS support dynamic composition and orchestration. Next we review aspects of our framework which can benefit from optimization and further automation through machine learning. First we create a dataset of network models labeled with the corresponding security metrics. By training classifiers to predict security values based only on network inputs, we can avoid the computationally expensive attack graph generation steps. We use our findings from this simple experiment to motivate our current lines of research into supervised and unsupervised techniques such as network embeddings, interaction rule synthesis, and reinforcement learning environments. Finally, we examine the results of our case studies. We summarize our security analysis of a large scale network migration, and list the friction points along the way which are remediated by this work. We relate how our research for a large-scale performance benchmarking project has influenced our vision for the future of security metrics collection and analysis through dev-ops automation. We then describe how we applied our framework to measure the incremental security impact of running a distributed stream processing system inside a hardware trusted execution environment

Quantitative Method for Network Security Situation Based on Attack Prediction

Multistep attack prediction and security situation awareness are two big challenges for network administrators because future is generally unknown. In recent years, many investigations have been made. However, they are not sufficient. To improve the comprehensiveness of prediction, in this paper, we quantitatively convert attack threat into security situation. Actually, two algorithms are proposed, namely, attack prediction algorithm using dynamic Bayesian attack graph and security situation quantification algorithm based on attack prediction. The first algorithm aims to provide more abundant information of future attack behaviors by simulating incremental network penetration. Through timely evaluating the attack capacity of intruder and defense strategies of defender, the likely attack goal, path, and probability and time-cost are predicted dynamically along with the ongoing security events. Furthermore, in combination with the common vulnerability scoring system (CVSS) metric and network assets information, the second algorithm quantifies the concealed attack threat into the surfaced security risk from two levels: host and network. Examples show that our method is feasible and flexible for the attack-defense adversarial network environment, which benefits the administrator to infer the security situation in advance and prerepair the critical compromised hosts to maintain normal network communication