RESEARCH PAPER

Course 60-592
Instructor: Dr. Aggrawal
PAPERS

Active Vulnerability Assessment of Computer Networks by
Simulation of Complex Remote Attacks
Igor Kotenko
St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Formal Framework for Modeling and Simulation of DDoS
Attacks Based on Teamwork of Hackers-Agents
Igor Kotenko, Alexey Alexeev, Evgeny Man’kov
St. Petersburg Institute for Informatics and Automation, 39, 14th Liniya, Russia

Network Security
Security Assurance
• We have seen
    • Practical tools
• We will see
    • Underlying approach
    • Theoretical concepts
    • With reference to Attack Simulator

Goal of Paper
• Development of
    • General approach
    • Mathematical models
    • Software simulation tool
• For active analysis of computer network vulnerabilities

Security Assurance
• Important problem
    • Increasing significance of information
    • Potentially devastating consequences
• Complex
    • Growing size
    • Inter-connectivity of networks
    • Number of users
    • Availability of information

Attack Modeling and Simulation Approach
• Malefactor's intention and attack task specification
• Application ontology “Computer Network Attacks”
• Formal grammar based framework
• State machine based representation of attack generation
• Formal model of attacked computer network

Malefactor's Intentions
• R – Reconnaissance
    • Aiming at getting information about the network (host)
• I – Implantation and Threat Realization

List of Malefactor's Intentions
• 1-6: R type
• 7-12: I type

Attack Task Specification
• A top-level attack goal
• Specified as <Network (host) address, Malefactor's Intention, Known Data, Attack Object>
• Known Data specifies the information about the attacked computer network
• Attack Object corresponds to an optional variable defining the attack target more exactly

Hierarchy of Attacks
• Two subsets
    • Upper level (macro-level attacks)
    • Lower level (micro-level attacks)

Relations
• Part Of – decomposition relationship
• Kind Of – specialization relationship
• Seq Of – specifies a sequence relationship
• Example Of – type of object (specific sample of object)

Mathematical Model of Attack Intentions
• Formal grammar
• Particular intentions inter-connected through substitution operations
• Ma = <{Gi}, {Su}>
• Gi = <Vn, Vt, S, P, A>
• {Gi} – formal grammar
• {Su} – substitution

State Machines
• States
    • First (Initial)
    • Intermediate
    • End (Final)
• Transition arcs – can be carried out only under specific circumstances

Examples of State Machines
• Implantation and Threat Realization
• Identification of Hosts

Factors
• Malefactor's strategy
    • Depends on results of intermediate actions
• Reason – not possible to generate the complete sequence of malefactor's actions beforehand

Attack Simulator Implementation
• Multi Agent System
    • Network Agent – simulates an attacked computer network
    • Hacker Agent – performs attacks against computer networks
• Technology – MASDK (Multi Agent System Development Kit)

Key Components of Hacker Agent
• Kernel of Hacker Agent
    • Calls the specification of the attack task
    • Computes the next state machine transition
• Script Component – specifies the set of scripts that can be executed by state machines
• Attack Task Specification Component – provides the user with an interface to specify attack attributes
• Probabilistic decision making model – used to determine the hacker agent's further action in attack generation
• Network Traffic Generator – forms the flow of network packets
• Attack Scenario Visualization – for visual representation of attack progress

Key Components of Network Agent
• Kernel of Network Agent
    • Functions used for specification of network configuration through user interface
    • Computation of network's response to an attacking action
• State Machines Model – specifies the network agent behavior (communication functionality)
• Network Configuration Specification Component – a set of user interfaces for configuration of the network to be attacked
• Firewall Model component – determines the firewall's response to an action
• Network response component – network's (host's) response messages to an attack

Component Models of Network Agent and Hacker Agent

Experiments with Attack Simulator
• Goals of experiment
    • Checking a computer network security policy at the stages of conceptual and logical design of a network security system
    • Checking the security policy of a real-life computer network

Factors affecting attack efficacy
• Protection Degree of Network Firewall (PNF)
• Protection Degree of Personal Firewall (PPF)
• Protection Parameters of attacked host (PP)
• Hacker's Knowledge of Network (KN)

Attack outcome parameters
• Number of Attack Steps (NS)
• Percentage of Intent Realization (PIR)
• Percentage of Attack Realization (PAR)
• Percentage of Firewall Blocking (PFB)
• Percentage of Reply Absence (PRA)

Example
• Realization of Intention CVR
• Protection of attacked host – Strong
• Hacker's Knowledge – Good

Changes of Attack Outcome Parameters
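
How the outcome parameters respond to the protection of the attacked network can be shown with a small hacker-agent / network-agent loop. The following Python code is an added example, not code from the papers or from MASDK: the three-state machine, the scripted network responses (WEAK, STRONG) and the formulas used for NS, PIR, PAR, PFB and PRA are assumptions made for illustration.

```python
from collections import Counter

# Constructed state machine: state -> {network response: next state}.
# A transition arc fires only when the network agent returns that response.
TRANSITIONS = {
    "Initial":      {"reply": "Intermediate", "blocked": "Initial", "no_reply": "Initial"},
    "Intermediate": {"reply": "Final", "blocked": "Initial", "no_reply": "Intermediate"},
}
DEPTH = {"Initial": 0, "Intermediate": 1, "Final": 2}

def simulate(policy, max_steps=8):
    """Run one abstract attack task against a scripted network agent.

    policy maps each state to the responses the network (firewall model,
    then host response model) gives on successive attempts, cycling.
    Returns the log of (state, response) pairs and the deepest state reached.
    """
    state, deepest, log, attempts = "Initial", "Initial", [], Counter()
    while state != "Final" and len(log) < max_steps:
        script = policy[state]
        response = script[attempts[state] % len(script)]
        attempts[state] += 1
        log.append((state, response))
        # The next action depends on the result of the intermediate one.
        state = TRANSITIONS[state][response]
        deepest = max(deepest, state, key=DEPTH.get)
    return log, deepest

def outcome(policy, max_steps=8):
    """Outcome parameters under the assumed definitions (percent of steps)."""
    log, deepest = simulate(policy, max_steps)
    ns = len(log)
    counts = Counter(response for _, response in log)
    pct = lambda n: round(100.0 * n / ns, 1)
    return {
        "NS": ns,                                   # number of attack steps
        "PIR": round(100.0 * DEPTH[deepest] / DEPTH["Final"], 1),  # stages completed
        "PAR": pct(counts["reply"]),                # steps that were realized
        "PFB": pct(counts["blocked"]),              # steps blocked by a firewall
        "PRA": pct(counts["no_reply"]),             # steps with no reply
    }

# Constructed policies: a weakly and a strongly protected network.
WEAK = {"Initial": ["reply"], "Intermediate": ["reply"]}
STRONG = {"Initial": ["blocked", "reply"], "Intermediate": ["no_reply", "blocked"]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strong", STRONG)):
        print(name, outcome(policy))
```

Under the strong policy the task never reaches the final state within the step budget, so NS rises to the cap while PAR falls and PFB and PRA grow.
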
Conclusion (Paper I)
• Paper presents formal approach to active vulnerability assessment based on modeling and simulation of remote computer network attacks
• Multi agent system
• Tries to give a standard procedure for security assurance

PAPER II
Formal Framework for Modeling and Simulation of DDoS
Attacks Based on Teamwork of Hackers-Agents
Igor Kotenko, Alexey Alexeev, Evgeny Man’kov
St. Petersburg Institute for Informatics and Automation, 39,
14th Liniya, Russia

Concern
• Growth of
    • Number
    • Capacity of DDoS attacks

Goals of Paper
• Development of formal framework for modeling
• Elaboration of formal specification of a representative spectrum
• Implementation of software development tools

Teamwork
• Joint Intention Theory
• Shared Plans Theory
• Combined Theory of Agents

Creation of Hackers Agent
• Forming the subject domain ontology
• Determining the agents' team structure
• Defining the agents' interaction-and-coordination mechanisms
• Specifying the agents' action plans
• Assigning roles and allocating plans between agents
• Realizing the teamwork by a set of state machines

Structure
• Client
    • Supervises a sub-team of masters
• Masters
    • Each master supervises a group of demons
• Demons
    • Execute immediate attack actions against victim hosts

Suggested Mechanisms
• Maintenance and action coordination
• Monitoring and restoration of agent functionality
• Maintenance of communication selectivity

Plan of DDoS
• Preliminary
    • Reconnaissance and installation of agents
• Basic
    • Realization of DDoS attack by joint action of agents
• Final
    • Visualization of attack results

Formal Model of Attacked Networks
• Represented as quadruple MA = <Mcn, {Mhi}, Mp, Mhr>
    • Mcn – model of computer network structure
    • {Mhi} – model of host resources
    • Mp – model of computation of success probabilities
    • Mhr – model of host reaction in response to attacks: Input -> Output [& post condition]

Attack Simulation Tool Implementation
• MASDK – Multi-Agent System Development Kit
• Why use Attack Simulator
    • Checking a computer network security policy at stages of conceptual and logical design
    • Checking security of real-life computer network

Conclusion (Paper II)
• Paper presents formal paradigm for modeling and simulation
• Presents a structure of team of agents
• Above approach used for evaluation of computer network security
• Analysis of both efficiency and effectiveness of security policy against DDoS attacks

Questions and Comments
THANK YOU
Presented By
Ashutosh Sood