Attack graph approach to dynamic network vulnerability analysis and countermeasures
Name: REPOSITORY Thaier Hamid received ...
Size: 4.734Mb
Format: PDF
Description: PhD Thesis
Authors: Hamid, Thaier K.A.
Issue Date: 2014-03
Subjects: attack graph; dynamic network; attack graphs; computer networking; Dynamic Vulnerability Scoring System; G490 Computing Science not elsewhere classified; network attacks; network vulnerability
Abstract:
It is widely accepted that modern computer networks (often presented as a heterogeneous collection of functioning organisations, applications, software, and hardware) contain vulnerabilities. This research proposes a new methodology to compute a dynamic severity cost for each state. Here a state refers to the behaviour of a system during an attack; an example of a state is one in which an attacker could influence the information held by an application in order to alter credentials. This is performed by utilising a modified variant of the Common Vulnerability Scoring System (CVSS), referred to as the Dynamic Vulnerability Scoring System (DVSS). DVSS calculates scores for intrinsic, time-based, and ecological metrics by combining related sub-scores and modelling the problem's parameters in a mathematical framework to derive a single severity cost. The static nature of individual CVSS scores affects the scoring value, so the author has adapted a novel model to produce a DVSS metric that is more precise and efficient. In this approach, the final scores are computed from a number of parameters, including network architecture, device settings, and the impact of vulnerability interactions. An attack graph (AG) is a security model representing the chains of vulnerability exploits in a network. A number of researchers have acknowledged the visual complexity of attack graphs and the lack of in-depth understanding they afford. Current attack graph tools are constrained to a limited set of attributes, or even rely on hand-generated input. The automatic generation of vulnerability information has proved troublesome, and vulnerability descriptions are frequently created by hand or based on limited data. The network architectures and configurations, along with the interactions between individual vulnerabilities, are considered in the method of computing the cost using DVSS and a dynamic cost-centric framework.
A new methodology was developed to present an attack graph with a dynamic cost metric based on DVSS, and a novel methodology to estimate and represent the cost-centric approach for each host's states was also followed. The framework is applied to a test network, using the Nessus scanner to detect known vulnerabilities; these results are then used to build and represent the dynamic cost-centric attack graph using ranking algorithms (in a manner standardised on Mehta et al. 2006 and Kijsanayothin, 2010). However, instead of using the vulnerabilities of each host directly, a CostRank Markov Model has been developed using the novel cost-centric approach, thereby reducing the complexity of the attack graph and the problem of visibility. An analogous parallel algorithm is developed to implement CostRank. The reason for developing a parallel CostRank algorithm is to expedite the state-ranking calculations as the number of hosts and/or vulnerabilities grows. In the same way, the author intends to secure large-scale networks, which require fast and reliable computing to calculate the ranking of enormous graphs with thousands of vertices (states) and millions of arcs (each representing an action that moves from one state to another). The proposed approach focuses on a parallel CostRank computational architecture in order to appraise the improvement in CostRank calculations and the scalability of the algorithm. In particular, partitioning the input data, graph files and ranking vectors, combined with a load-balancing technique, can enhance the performance and scalability of parallel CostRank computations. A practical model of the parallel CostRank calculation is undertaken, resulting in a substantial decrease in communication between calculations and in iteration time. The results are presented analytically in terms of scalability, efficiency, memory usage, speed-up and input/output rates.
Finally, a countermeasures model is developed to protect against network attacks using a Dynamic Countermeasures Attack Tree (DCAT). The DCAT tree is built using the following scheme: (i) use the scalable parallel CostRank algorithm to determine the critical asset that system administrators need to protect; (ii) track the Nessus scanner to determine the vulnerabilities associated with the asset using the dynamic cost-centric framework and DVSS; (iii) check all published mitigations for all vulnerabilities; (iv) assess how well the security solution mitigates those risks; (v) assess the DCAT algorithm in terms of effective security cost, probability and cost/benefit analysis to reduce the total impact of a specific vulnerability.
Citation: Hamid, T. (2014) 'Attack graph approach to dynamic network vulnerability analysis and countermeasures'. PhD thesis. University of Bedfordshire.
Publisher: University of Bedfordshire
Type: Thesis or dissertation
Language: en
Description: A thesis submitted to the University of Bedfordshire, in partial fulfilment of the requirements for the degree of Doctor of Philosophy
Related items
- Spatial diversity for wireless LANs. Brito, Rodrigo; Allen, Ben; Dohler, Mischa; Aghvami, A. Hamid; University of Bristol (IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC, 2004-05). Wireless local area networks (W-LAN) are widely used as a means of providing broadband access for high-speed wireless data services. The maximization of the system performance independent of the transceiver technology and the operating environment is of utmost importance to the hotspot system designer. This paper reports on the performance of single input and multiple output (SIMO) W-LAN systems and shows that a circular array topology located at the access point provides the best performance improvement compared to other candidate technologies when operating in an indoor office environment.
- Cross-validation based man-in-the-middle attack protection. Cui, Xiaofei (University of Bedfordshire, 2017-03). In recent years, computer networks have been widely used in almost all areas of our social life. They have been profoundly changing the way we live. However, various network attacks have become an increasing problem at the same time. In local area networks, the Man-in-the-Middle attack, as one kind of ARP attack, is the most common attack. This research implemented a cross-validation based Man-in-the-Middle attack protection method (CVP). This approach enables a host to check whether another host that responds to the initialising host with an ARP reply packet is genuine. It then allows the ARP cache table of the initialising host to be updated with the MAC address and IP address pairs of the genuine host and places the MAC addresses of inauthentic hosts into a blacklist. This research introduced ARP and ICMP first, including the structure of ARP and ICMP packets and their workflows. Secondly, this research discussed the types of ARP attacks and the existing ARP attack protection methods, including their principles, applicable environments, advantages and disadvantages. Then, this research proposed and implemented a cross-validation based Man-in-the-Middle attack protection method. Simulations and experiments were performed to examine the effect of the CVP method. The results show the effectiveness of the proposed cross-validation based method in protecting a network from Man-in-the-Middle attacks. Compared with the existing Man-in-the-Middle attack protection methods, CVP requires no extra devices or administration, leading to more secure local area networks at low cost. It also places a "tabu" on attackers. That is, it places the MAC address of attackers into a blacklist, so they will be identified immediately if they try to attack the network again.
- Spectrum sensing and occupancy prediction for cognitive machine-to-machine wireless networks. Chatziantoniou, Eleftherios (University of Bedfordshire, 2014-12). The rapid growth of the Internet of Things (IoT) introduces an additional challenge to the existing spectrum under-utilisation problem, as large-scale deployments of thousands of devices are expected to require wireless connectivity. Dynamic Spectrum Access (DSA) has been proposed as a means of improving the spectrum utilisation of wireless systems. Based on the Cognitive Radio (CR) paradigm, DSA enables unlicensed spectrum users to sense their spectral environment and adapt their operational parameters to opportunistically access any temporally unoccupied bands without causing interference to the primary spectrum users. In the same context, CR-inspired Machine-to-Machine (M2M) communications have recently been proposed as a potential solution to the spectrum utilisation problem, which has been driven by the ever-increasing number of interconnected devices. M2M communications introduce new challenges for CR in terms of operational environments and design requirements. With spectrum sensing being the key function for CR, this thesis investigates the performance of spectrum sensing and proposes novel sensing approaches and models to address the sensing problem for cognitive M2M deployments. In this thesis, the behaviour of Energy Detection (ED) spectrum sensing for cognitive M2M nodes is modelled using the two-wave with diffuse power fading model. This channel model can describe a variety of realistic fading conditions, including worse-than-Rayleigh scenarios that are expected to occur within the operational environments of cognitive M2M communication systems. The results suggest that ED based spectrum sensing fails to meet the sensing requirements over worse-than-Rayleigh conditions and consequently requires the signal-to-noise ratio (SNR) to be increased by up to 137%.
  However, by employing appropriate diversity and node cooperation techniques, the sensing performance can be improved by up to 11.5dB in terms of the required SNR. These results are particularly useful in analysing the effects of severe fading in cognitive M2M systems and thus they can be used to design efficient CR transceivers and to quantify the trade-offs between detection performance and energy efficiency. A novel predictive spectrum sensing scheme that exploits historical data of past sensing events to predict channel occupancy is proposed and analysed. This approach allows CR terminals to sense only the channels that are predicted to be unoccupied rather than the whole band of interest. Based on this approach, a spectrum occupancy predictor is developed and experimentally validated. The proposed scheme achieves a prediction accuracy of up to 93%, which in turn can lead to up to 84% reduction of the spectrum sensing cost. Furthermore, a novel probabilistic model for describing the channel availability in both the vertical and horizontal polarisations is developed. The proposed model is validated based on a measurement campaign for operational scenarios where CR terminals may change their polarisation during their operation. A Gaussian approximation is used to model the empirical channel availability data with more than 95% confidence bounds. The proposed model can be used as a means of improving spectrum sensing performance by using statistical knowledge of the primary users' occupancy pattern.