Vulnerability Analysis & Patches Management Using Secure Mobile Agents


Vulnerability Analysis and
Patches Management
Using Secure Mobile Agents
Presented by: Muhammad Awais Shibli
Outline

- Introduction
- The problem and our proposal
- Structure of the System
- Operation of the System
- Conclusions
- Future Work
Introduction

- Nowadays, computers and the Internet are everywhere.
- This has resulted in a huge number of security threats.
- Attacks and attack tools are becoming more complex and sophisticated every day.
Introduction (cont'd)

- Traditional point solutions like antivirus, firewalls, anti-spyware, etc. are no longer enough to face the current security challenge.
- Another layer of security is needed.
Vulnerability problem

- Basically, a vulnerability is a weakness in a system that can become the vector of an attack performed by a malicious user.
- There are two different ways to face the vulnerability problem:
  - Build secure software that does not have vulnerabilities
  - Detect and eliminate all vulnerabilities before an attacker can discover and exploit them
Vulnerability problem (cont'd)

- The first option is clearly infeasible, due to several factors like cost, bad programming practices, programming language limitations, inherent OS bugs, etc.
- Therefore, the best way is to detect those vulnerabilities in advance and apply patches before an attack can occur.
Our proposal

- A system based on mobile agent (MA) technology, moving from the usual passive/reactive approach to a proactive one.
- The approach includes the following aspects:
  - Autonomous vulnerability detection on different hosts (in a distributed network) before an attacker can exploit them;
  - When a vulnerability is discovered, applying patches automatically;
  - Performing tasks related to security management.
Structure of the System

1. Comprehensive Vulnerability DataBase (CVDB)
2. DataBase Management Engine (DBME)
3. MAgNet Vulnerability Management Console (MVMC)
4. Mobile Agents
5. Sensors
Structure of the System (cont’d)
CVDB

- To achieve a high level of vulnerability assessment, we need a very Comprehensive Vulnerability DataBase (CVDB).
- Comprehensive in terms of both the quantity and the quality of the data.
- The CVDB is composed of two layers of information.
CVDB - 1st (static) Layer
CVDB - 2nd layer
DB Management Engine (DBME)

- Provides the SysAdmin with up-to-date and rich information about vulnerabilities.
- This is achieved by importing any database supplied in XML format whose structure is defined by an XML Schema Definition (XSD), or by an SQL/MySQL schema file.
- Moreover, this "engine" scans the SecurityFocus web database, storing all the information needed in the CVDB.
MAgNet Vulnerability Management Console (MVMC)

- The GUI that interacts with the system and allows the system administrator to manage all the available functionalities.
Mobile Agent: brief overview

- It is a particular kind of software agent that can work autonomously towards a specific goal.
- It comprises code and data.
- It can interact with other agents.
- It can suspend its execution on a host, save its state, move to another host, then come back and resume its execution from the previous point and complete it.
Advantages of using MAs

MAs and Vulnerability Analysis

- Automatic vulnerability scans at remote hosts.
- MAs write the host profile, check it against the CVDB, fetch the relevant patches from the patch DB and execute them on the target machine autonomously.
- MAs increase the SysAdmin's ability to add distributed components to existing systems quickly and easily.
- This whole process helps the SysAdmin keep the entire network secure in an efficient, effective and, above all, timely manner.
Advantages of using MAs (cont'd)

- Overcoming network latency
- Reducing network load
- Robust and fault-tolerant behaviour
- Scalability
- Etc.
Sensors

- We have used Nessus as the sensor to scan for vulnerabilities.
- Nessus is a vulnerability scanner able to detect known weaknesses and, through tests such as malformed packets, some unknown ones. It performs several kinds of analyses on the target system, from port scanning to malformed-packet tests.
Operation of the System

- CVDB generation
- Vulnerability analysis
- Patch management and enforcement
CVDB Generation
Vulnerability Analysis

- There are two ways to do it.
- In the first, the security administrator launches Agent_Vulnerability_Analyzer from his computer to one or more hosts in the network through the MVMC.
- Once the agent reaches the remote host, it fetches the host profile, which contains information about every installed software package and its attributes.
- The agent then checks the host profile against the vulnerability database, looking for known vulnerabilities present on the remote machine.
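The two steps above (the DBME loading a vulnerability database supplied as XML, and Agent_Vulnerability_Analyzer checking a host profile against it) are illustrated by the following added example. It is not the MAgNet project's code: the XML element names, the from/before version-range attributes, the CVDB identifiers and the sample host profile are all assumptions constructed for this example. The one detail worth noting is the version comparison: versions are compared numerically per component (string comparison would rank "1.10" below "1.9"), and the affected range is half-open, so the fixed version named in `before` is not flagged.

```python
"""Added example, not the MAgNet project's code: load a small CVDB from XML
(the DBME's XML/XSD input path) and check a host profile against it, as
Agent_Vulnerability_Analyzer is described as doing. Element names, the
from/before version-range attributes and all sample data are assumptions
constructed for this example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CVDB fragment (our own layout, not a real feed).
CVDB_XML = """<cvdb>
  <vuln id="CVDB-0001" severity="high">
    <product name="exampled" from="1.0.0" before="1.4.2"/>
    <patch url="https://patches.example.invalid/exampled-1.4.2.tgz"/>
  </vuln>
  <vuln id="CVDB-0002" severity="medium">
    <product name="libfoo" from="2.0.0" before="2.3.0"/>
  </vuln>
  <vuln id="CVDB-0003" severity="low">
    <product name="exampled" from="0.9.0" before="1.0.0"/>
    <patch url="https://patches.example.invalid/exampled-1.0.0.tgz"/>
  </vuln>
</cvdb>"""

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    severity: str
    product: str
    version: str
    patch_url: Optional[str]  # None: the CVDB knows the bug but has no patch to fetch


def parse_version(v: str) -> Version:
    """Dotted numeric versions; plain string comparison would rank "1.10" below "1.9"."""
    return tuple(int(part) for part in v.split("."))


def load_cvdb(xml_text: str) -> List[Dict]:
    """One entry per (vuln, affected product). The affected range is
    [from, before), so the fixed version named in 'before' is not flagged."""
    entries = []
    for vuln in ET.fromstring(xml_text).findall("vuln"):
        patch = vuln.find("patch")
        for prod in vuln.findall("product"):
            entries.append({
                "id": vuln.get("id"),
                "severity": vuln.get("severity"),
                "product": prod.get("name"),
                "from": parse_version(prod.get("from")),
                "before": parse_version(prod.get("before")),
                "patch_url": patch.get("url") if patch is not None else None,
            })
    return entries


def match_profile(profile: Dict[str, str], cvdb: List[Dict]) -> List[Finding]:
    """Return every CVDB entry whose affected range covers an installed version."""
    findings = []
    for name, version in profile.items():
        installed = parse_version(version)
        for e in cvdb:
            if e["product"] == name and e["from"] <= installed < e["before"]:
                findings.append(Finding(e["id"], e["severity"], name, version, e["patch_url"]))
    return findings


# Constructed host profile (package -> installed version), as the agent would
# collect it on the remote host. libfoo 2.3.0 is exactly the fixed version.
HOST_PROFILE = {"exampled": "1.3.7", "libfoo": "2.3.0", "bar-utils": "0.1.0"}

if __name__ == "__main__":
    for f in match_profile(HOST_PROFILE, load_cvdb(CVDB_XML)):
        print(f"{f.vuln_id} [{f.severity}] {f.product} {f.version} patch={f.patch_url}")
```

Run stand-alone, the constructed profile yields a single finding (exampled 1.3.7 against CVDB-0001); libfoo 2.3.0 is not reported because it is the fixed version, and bar-utils has no CVDB entry at all.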
Vulnerability Analysis (cont'd)

- The other way is to send Agent_Host_Scanning to the desired hosts.
- It executes the local Nessus daemon in the background, which scans the target.
- When the scan ends, Nessus generates a report in XML format. Agent_Host_Scanning then launches an Agent_Scanning_Report, through which it sends the detailed scan report back to the administrator.
Vulnerability Analysis (cont'd)

- When Agent_Scanning_Report reaches the security administrator's workstation, it notifies the administrator how many vulnerabilities have been found, allowing the administrator to check the report immediately or later.
- If the administrator wants to check the report immediately, it is transformed into the more "human-readable" HTML format using an XSL transformer and then shown in the web browser integrated in MAgNet.
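The report handling described in the two slides above (count the findings for the notification, then render the XML report for the administrator's browser) as an added example. This is not MAgNet's code: the deck uses an XSL transformer, while this example builds the HTML directly with the standard library, since Python ships no XSLT engine. The report is constructed, not a real scan; only the element and attribute names (NessusClientData_v2, ReportHost, ReportItem with severity, pluginID, pluginName and port) follow the Nessus v2 layout. One check the passage calls for: every value that ends up in the HTML is escaped, because plugin names and output can carry attacker-influenced strings (service banners, page titles) and the report is opened in an embedded browser.

```python
"""Added example, not MAgNet's code: summarise a constructed Nessus v2 report
as Agent_Scanning_Report is described as doing (count findings, render HTML).
Built with the standard library instead of the deck's XSL transformer."""
import html
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# Nessus severities: 0 is informational and is not counted as a vulnerability.
SEVERITY_NAMES = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}

# Constructed report. Plugin IDs/names are made up; one name carries markup
# to show why the renderer must escape what it prints.
NESSUS_XML = """<NessusClientData_v2>
  <Report name="constructed-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="22" protocol="tcp" svc_name="ssh" severity="0"
                  pluginID="900001" pluginName="Constructed service banner (info)"/>
      <ReportItem port="80" protocol="tcp" svc_name="www" severity="2"
                  pluginID="900002" pluginName="Constructed medium finding &lt;script&gt;"/>
      <ReportItem port="445" protocol="tcp" svc_name="cifs" severity="3"
                  pluginID="900003" pluginName="Constructed high finding"/>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="0" protocol="tcp" svc_name="general" severity="1"
                  pluginID="900004" pluginName="Constructed low finding"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""


def parse_report(xml_text: str) -> List[Dict[str, str]]:
    """Flatten every ReportItem into a dict carrying its host."""
    items = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            items.append({
                "host": host.get("name", ""),
                "port": item.get("port", ""),
                "severity": item.get("severity", "0"),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
            })
    return items


def count_vulnerabilities(items: List[Dict[str, str]]) -> Counter:
    """The figure the agent reports on arrival: findings per severity, Info excluded."""
    return Counter(SEVERITY_NAMES.get(it["severity"], it["severity"])
                   for it in items if it["severity"] != "0")


def render_html(items: List[Dict[str, str]]) -> str:
    """Human-readable view: summary line plus a table, most severe first.
    Everything taken from the report is escaped before it reaches the browser."""
    counts = count_vulnerabilities(items)
    findings = sorted((it for it in items if it["severity"] != "0"),
                      key=lambda it: int(it["severity"]), reverse=True)
    rows = "".join(
        "<tr><td>{}</td><td>{}</td><td>{}</td><td>{}</td></tr>".format(
            html.escape(it["host"]), html.escape(it["port"]),
            html.escape(SEVERITY_NAMES.get(it["severity"], it["severity"])),
            html.escape(it["plugin_name"]))
        for it in findings)
    summary = ", ".join(f"{name}: {n}" for name, n in sorted(counts.items()))
    return ("<html><body><h1>Scan report</h1>"
            f"<p>{sum(counts.values())} vulnerabilities found ({html.escape(summary)})</p>"
            "<table><tr><th>Host</th><th>Port</th><th>Severity</th><th>Plugin</th></tr>"
            + rows + "</table></body></html>")


if __name__ == "__main__":
    print(render_html(parse_report(NESSUS_XML)))
```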
Patches Management and Enforcement

- When an MA finds a vulnerability, the corresponding CVDB entry contains information about the availability of a patch and the URL to download it from.
- The MA autonomously downloads the patch, carries it to the target host and installs it there.
- From then on, the patch is stored on the server in case it is needed again in the future.
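The patch step above has an agent download code from a URL recorded in the CVDB and install it on the target. The deck does not say how the download is checked, so the following added example (not MAgNet's code) shows the check a practitioner would insist on: the CVDB entry is assumed to carry the publisher's SHA-256 digest alongside the URL, the agent refuses cleartext URLs, compares the digest of what it fetched against the recorded one and only then caches the patch on the server keyed by that digest, so later installs on other hosts are served from the verified copy. The `sha256` field, the `PatchStore` and the injected fetcher are assumptions for this example; the fetcher is stubbed so the code runs offline, and all URLs and payload bytes are constructed.

```python
"""Added example, not MAgNet's code: fetch, verify and cache a patch before an
agent carries it to a host. Assumes the CVDB entry carries a SHA-256 digest
next to the patch URL (not described in the deck). Fetcher is injected so the
example runs offline; URLs and payloads are constructed."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

Fetcher = Callable[[str], bytes]


class PatchIntegrityError(Exception):
    """Raised when a patch must not be installed: bad URL scheme or digest mismatch."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PatchStore:
    """Content-addressed cache standing in for the server-side patch store the
    deck describes: each verified patch is kept under its digest, so a later
    request for the same patch needs no download and cannot be substituted."""

    def __init__(self) -> None:
        self._blobs: Dict[str, bytes] = {}

    def get(self, digest: str) -> Optional[bytes]:
        return self._blobs.get(digest)

    def put(self, data: bytes) -> str:
        digest = sha256_hex(data)
        self._blobs[digest] = data
        return digest


def acquire_patch(entry: Dict[str, str], fetch: Fetcher, store: PatchStore) -> bytes:
    """Return verified patch bytes for a CVDB entry, from the cache or by download.
    `entry` has the assumed fields "patch_url" and "sha256"."""
    expected = entry["sha256"].lower()
    cached = store.get(expected)
    if cached is not None:
        return cached
    if not entry["patch_url"].startswith("https://"):
        # Over cleartext an on-path attacker can hand the agent arbitrary code.
        raise PatchIntegrityError("refusing non-HTTPS patch URL: " + entry["patch_url"])
    data = fetch(entry["patch_url"])
    actual = sha256_hex(data)
    # Fail closed on any mismatch; compare_digest avoids timing side channels.
    if not hmac.compare_digest(actual, expected):
        raise PatchIntegrityError(
            f"digest mismatch for {entry['patch_url']}: got {actual}, expected {expected}")
    store.put(data)
    return data


# ---- constructed data for a stand-alone run ----
GOOD_PATCH = b"#!/bin/sh\necho 'constructed patch payload'\n"
TAMPERED_PATCH = GOOD_PATCH + b"echo 'line appended by an attacker'\n"

ENTRY = {
    "id": "CVDB-0001",
    "patch_url": "https://patches.example.invalid/exampled-1.4.2.tgz",
    "sha256": sha256_hex(GOOD_PATCH),
}


def fake_fetch(payload: bytes) -> Fetcher:
    """Stand-in for an HTTP client: returns the given bytes for any URL."""
    return lambda url: payload


if __name__ == "__main__":
    store = PatchStore()
    data = acquire_patch(ENTRY, fake_fetch(GOOD_PATCH), store)
    print(len(data), "bytes verified and cached under", ENTRY["sha256"][:12])
    try:
        acquire_patch(ENTRY, fake_fetch(TAMPERED_PATCH), PatchStore())
    except PatchIntegrityError as exc:
        print("rejected:", exc)
```

The digest check does not replace code signing by the vendor; it guarantees only that what the agent installs is exactly what the CVDB record said it would be, which is the minimum before an autonomous agent executes downloaded code on many hosts.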
Conclusions

- The proposed solution shows the great advantage of using MAs that interact with a comprehensive vulnerability database and other external tools.
- The design shows that, with MAs, it is possible to considerably decrease the large amount of time a system administrator needs to perform vulnerability management.
Conclusions (cont'd)

- Moreover, since Nessus is driven through MAs, the scans take place locally on each host.
- Hence the system uses the computational power of all the hosts without overloading a single central workstation, and it does not flood the network with a lot of packets either.
Future Work

- Patch installation requires a deeper feasibility study.
- The current system delivers patches and is able to install only those for which no human interaction is required.
Future Work (cont'd)

- Future research could investigate how, with the help of mobile agents, input requests raised during the installation process could be "delivered" to the system administrator whenever they occur, and the response brought back.
- Moreover, the system could save the administrator's responses and reuse them to perform future installations autonomously on other hosts, without bothering the administrator again.