Research Paper Course 60-592 Instructor: Dr. Aggrawal

Page 1: Research Paper

Research Paper

Course 60-592

Instructor: Dr. Aggrawal

Page 2: Research Paper

PAPERS

Active Vulnerability Assessment of Computer Networks by Simulation of Complex Remote Attacks

Igor Kotenko St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Formal Framework for Modeling and Simulation of DDoS Attacks Based on Teamwork of Hackers-Agents

Igor Kotenko, Alexey Alexeev, Evgeny Man’kov

St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Page 3: Research Paper

Network Security

Security Assurance

We have seen
  • Practical tools

We will see
  • Underlying approach
  • Theoretical concepts

With reference to Attack Simulator

Page 4: Research Paper

Goal Of Paper

Development of
  • General approach
  • Mathematical models
  • Software simulation tool

for active analysis of computer network vulnerabilities

Page 5: Research Paper

Security Assurance

Important problem
  • Increasing significance of information
  • Potentially devastating consequences

Complex
  • Growing size
  • Inter-connectivity of networks
  • Number of users
  • Availability of information

Page 6: Research Paper

Attack Modeling and Simulation Approach

  • Malefactor's intention and attack task specification
  • Application ontology "Computer Network Attacks"
  • Formal grammar based framework
  • State machine based representation of attack generation
  • Formal model of attacked computer network

Page 7: Research Paper

Malefactors Intentions

R – Reconnaissance: aiming at getting information about the network (host)

I – Implantation and Threat Realization

Page 8: Research Paper

List of Malefactor's Intentions

  • 1-6: R type
  • 7-12: I type

Page 9: Research Paper

Attack Task Specification

A top-level attack goal

Specified as <Network (host) address, Malefactor's Intention, Known Data, Attack Object>

Known Data specifies the information about the attacked computer network.

Attack Object is an optional variable that defines the attack target more exactly.

Page 10: Research Paper

Hierarchy of Attacks

Two Subsets

Upper Level ( Macro-level attacks)

Lower Level (Micro Level attacks)

Page 11: Research Paper

Relations

  • Part Of – decomposition relationship
  • Kind Of – specialization relationship
  • Seq Of – specifying sequence of relationship
  • Example Of – type of object (specific sample of object)

Page 12: Research Paper
Page 13: Research Paper

Mathematical Model of Attack Intentions

Formal grammar

Particular intentions are inter-connected through substitution operations

Ma = < {Gi}, {Su} >

Gi = < Vn, Vt, S, P, A >

  • {Gi} – formal grammars
  • {Su} – substitution
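The grammar model above, as an added sketch that is not code from the paper or the presentation: each grammar Gi is a set of weighted productions, and the substitution set {Su} maps a terminal of a macro-level grammar to the axiom of a micro-level grammar. The symbol names, the weights, and the reading of Vn, Vt, S, P, A as non-terminals, terminals, axiom, productions and attributes are assumptions.

```python
import random

# Constructed toy grammars. Each G_i = <Vn, Vt, S, P, A>; the attribute set A
# is reduced here to one weight per production (an assumption of this sketch).
GRAMMARS = {
    "attack": {                                   # macro-level grammar
        "start": "A",
        "terminals": {"IH", "threat_realization"},
        "prods": {
            "A": [(1.0, ["R", "I"])],             # reconnaissance, then implantation
            "R": [(0.5, ["IH"]), (0.5, ["IH", "R"])],
            "I": [(1.0, ["threat_realization"])],
        },
    },
    "identify_hosts": {                           # micro-level grammar
        "start": "H",
        "terminals": {"probe"},
        "prods": {"H": [(0.5, ["probe"]), (0.5, ["probe", "H"])]},
    },
}
# Substitution set {Su}: terminal of one grammar -> grammar whose axiom replaces it.
SUBST = {"IH": "identify_hosts"}


def derive(name, rng, max_steps=20):
    """Expand grammar `name` from its axiom into a flat list of terminal actions."""
    g = GRAMMARS[name]
    out, pending, steps = [], [g["start"]], 0
    while pending:
        sym = pending.pop(0)
        if sym in SUBST:                          # substitution operation
            out += derive(SUBST[sym], rng, max_steps)
        elif sym in g["terminals"]:
            out.append(sym)
        else:
            alts = g["prods"][sym]
            if steps >= max_steps:                # bound recursion: take the
                rhs = alts[0][1]                  # first, non-recursive alternative
            else:
                rhs = rng.choices([r for _, r in alts],
                                  weights=[w for w, _ in alts])[0]
            pending = rhs + pending
            steps += 1
    return out


if __name__ == "__main__":
    print(derive("attack", random.Random(1)))
```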

Page 14: Research Paper

State Machines

States
  • First (Initial)
  • Intermediate
  • End (Final)

Transition arcs – can be carried out only under specific circumstances

Examples of state machines
  • Implantation and Threat Realization
  • Identification of Hosts

Page 15: Research Paper

Factors

Malefactor's strategy

Depends on the results of intermediate actions

Reason – it is not possible to generate the complete sequence of the malefactor's actions beforehand

Page 16: Research Paper

Attack Simulator Implementation

Multi-agent system

  • Network Agent – simulates an attacked computer network
  • Hacker Agent – performs attacks against computer networks

Technology – MASDK (Multi Agent System Development Kit)

Page 17: Research Paper

Key Components of Hacker Agent

Kernel of Hacker Agent
  • Calls the specification of the attack task
  • Computes the next state machine transition

Script Component – specifies the set of scripts that can be executed by state machines

Attack Task Specification Component – provides the user with an interface to specify attack attributes

Probabilistic decision making model – used to determine the hacker agent's further action in attack generation

Network Traffic Generator – forms the flow of network packets

Attack Scenario Visualization – for visual representation of attack progress

Page 18: Research Paper

Key Component of Network Agent

Kernel of Network Agent
  • Functions used for specification of network configuration through the user interface
  • Computation of the network's response to an attacking action

State Machines Model – specifies the network agent behavior (communication functionality)

Network Configuration Specification Component – provides a set of user interfaces for configuring the network to be attacked

Firewall Model component – determines the firewall's response to an action

Network response component – the network's (host's) response messages to an attack

Page 19: Research Paper

Component Models of Network Agent and Hacker Agent

Page 20: Research Paper

Experiments with Attack Simulator

Goals of experiment

Checking a computer network security policy at the stages of conceptual and logical design of a network security system

Checking security policy of a real life computer network

Page 21: Research Paper

Factors affecting attack efficacy

Protection Degree of Network firewall (PNF)

Protection degree of Personal Firewall (PPF)

Protection Parameters of attacked host (PP)

Hacker's Knowledge of Network (KN)

Page 22: Research Paper

Attack outcome parameters

  • Number of Attack Steps (NS)
  • Percentage of Intent Realization (PIR)
  • Percentage of Attack Realization (PAR)
  • Percentage of Firewall Blocking (PFB)
  • Percentage of Reply Absence (PRA)

Page 23: Research Paper

Example

Realization of Intention CVR

Protection of attacked host – Strong

Hacker’s Knowledge – Good

Page 24: Research Paper

Changes of Attack Outcome Parameters

Page 25: Research Paper

Conclusion (Paper I)

  • Paper presents a formal approach to active vulnerability assessment based on modeling and simulation of remote computer network attacks
  • Multi-agent system
  • Tries to give a standard procedure for security assurance

Page 26: Research Paper

PAPER II

Formal Framework for Modeling and Simulation of DDoS Attacks Based on Teamwork of Hackers-Agents

Igor Kotenko, Alexey Alexeev, Evgeny Man’kov

St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Concern

Growth of
  • Number
  • Capacity

of DDoS attacks

Page 27: Research Paper

Goals of Paper

  • Development of a formal framework for modeling
  • Elaboration of formal specification of a representative spectrum
  • Implementation of software development tools

Page 28: Research Paper

Teamwork

Joint Intention Theory

Shared Plans theory

Combined theory of Agents

Page 29: Research Paper

Creation of Hackers Agent

  • Forming the subject domain ontology
  • Determining the agents' team structure
  • Defining the agents' interaction-and-coordination mechanisms
  • Specifying the agents' action plans
  • Assigning roles and allocating plans between agents
  • Realizing the teamwork by a set of state machines

Page 30: Research Paper

Structure

Client
  • Supervises a sub-team of masters

Masters
  • Each master supervises a group of demons

Demons
  • Execute immediate attack actions against victim hosts

Page 31: Research Paper

Suggested Mechanisms

  • Maintenance and action coordination
  • Monitoring and restoration of agent functionality
  • Maintenance of communication selectivity

Page 32: Research Paper

Plan Of DDoS

Preliminary
  • Reconnaissance and installation of agents

Basic
  • Realization of DDoS attack by joint action of agents

Final
  • Visualization of attack results

Page 33: Research Paper

Formal Model of Attacked Networks

Represented as a quadruple

MA = <Mcn, {Mhi}, Mp, Mhr>

  • Mcn – model of computer network structure
  • {Mhi} – model of host resources
  • Mp – model of computation of success probabilities
  • Mhr – model of host reaction in response to attacks

Input -> Output [& post condition]

Page 34: Research Paper

Attack Simulation Tool Implementation

MASDK – Multi-Agent System Development Kit

Why use the Attack Simulator

  • Checking a computer network security policy at the stages of conceptual and logical design
  • Checking the security of a real-life computer network

Page 35: Research Paper

Conclusion (Paper II)

  • Paper presents a formal paradigm for modeling and simulation
  • Presents a structure of a team of agents
  • The above approach is used for evaluation of computer network security
  • Analysis of both efficiency and effectiveness of security policy against DDoS attacks

Page 37: Research Paper

Questions and Comments

THANK YOU

Presented By Ashutosh Sood