2008 Technical Reports

Department of Computing and Information Sciences
Kansas State University

Report 2008-1 Report 2008-1. From attack graphs to automated configuration management --- an iterative approach by John Homer, Xinming Ou, and Miles A. McQueen
Abstract: Various tools exist to analyze enterprise network systems and to produce attack graphs detailing how attackers might penetrate into the system. These attack graphs, however, are often complex and difficult to comprehend fully,and a human user may find it problematic to reach appropriate configuration decisions. This paper presents methodologies that can 1) automatically identify portions of an attack graph that do not help a user to understand the core security problems and so can be trimmed, and 2) enable a user to use the information in an attack graph to reach appropriate configuration decisions,through a configuration generator that can be iteratively trained by the user to understand a wide range of constraints in configuring an enterprise system, such as usability requirements and trade-offs that need to be made between the cost of security hardening measures and the cost of potential damage. We believe both methods are important steps toward achieving automatic configuration management for large enterprise networks. We implemented our methods using one of the existing attack-graph toolkits. Initial experimentation shows that the proposed approaches can 1) significantly reduce the complexity of attack graphs by trimming a large portion of the graph that is not needed for a user to understand the security problem,and 2) automatically provide reasonable suggestions for resolving the security problem.

Report 2008-2 A Practical Approach to Modeling Uncertainty in Intrusion Analysis by Xinming Ou, Raj Rajagopalan, and Sakthiyuvaraja Sakthivelmurugan
Abstract: Uncertainty is an innate feature of intrusion analysis due to the limited views provided by system monitoring tools, including intrusion detection systems (IDS) and the numerous types of logs. Attackers are essentially invisible in cyber space and those monitoring tools can only observe the symptoms produced by malicious activities, mingled with the same effects produced by non-malicious activities. Thus the conclusions one can draw from these observations inevitably suffer from varying degrees of uncertainty, which is the major source of false positives/false negatives in intrusion analysis. This paper presents a practical approach to modeling such uncertainty so that the various security implications from those low-level observations are captured in a simple logical language augmented with certainty tags. We design an automated reasoning process so that the model can combine multiple sources of system monitoring data and identify highly-confident attack traces from the numerous possible interpretations of low-level observations. We develop our model formulation through studying a true intrusion that happened on a campus network, using a Datalog-like language to encode the model and a Prolog system to carry out the reasoning process. Our model and reasoning system can reach the same conclusions the human administrator did regarding which machines were certainly compromised. We then apply the developedmodel to the Treasure Hunt (TH) data set, which contains large amounts of system monitoring data collected during a live cyber attack exercise in a graduate course taught at University of California, Santa Barbara. Our results show that the reasoning model developed from the true intrusion is effective to the TH data set as well, and our reasoning system can identify high-confidence attack traces automatically. Such a model thus has the potential of codifying the seemingly ad-hoc human reasoning of uncertain events, and can yield useful tools for automated intrusion analysis.