Master's Defense
My master's defense, which discusses various visualization techniques for attack graphs. I primarily used prefuse to generate a dynamic and interactive display of attack graphs.

Presentation Transcript

  • Visualization techniques in Attack Graphs
      • By: Ashok R Varikuti
      • 05/18/2009
  • Quote: “A picture is worth a thousand words.” – Napoleon Bonaparte
  • Outline
    • Introduction to Attack Graphs
    • Current limitations in Attack Graphs
    • Survey of visualization toolkits
    • Layered architecture of the model
    • Discussion on how the model achieves the desired goal
    • Implementation
    • Conclusion
  • Attack Graphs
    • Provide a visual representation of attack paths and potential vulnerabilities in the network
    • Make the life of a system administrator easier by providing a convenient interface for identifying vulnerabilities in the network
    • MulVAL generates attack graphs using a logic-based approach
  • Attack Graphs
    • The graph is generated using a logic-based approach, hence the name Logical Attack Graph
    • A node in the graph is a logical statement
    • The edges in the graph specify the causality relations between network configurations and an attacker’s potential privileges
    • Illustrates “why the attack can happen”
  • Logical Attack Graph Generator
  • 3-host network
  • Tree representation of the 3-host scenario attack graph
  • Description
    • The root node is the attack goal, meaning “the attacker can execute arbitrary code as user root on machine workStation”
    • The edges in the graph represent the “depends on” relation
    • Fact node 2 is enabled by either r2a or r2b, which are the derivation nodes for node 2
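The AND/OR semantics just described, worked through in code. This is an added example, not code from the thesis or from MulVAL: the node ids, labels and 3-host scenario are constructed, and the vulnerability id is a placeholder. Derivation nodes require every child ("depends on") to hold; a fact node needs only one of its derivation nodes, exactly as node 2 needs only r2a or r2b.

```python
# Added example (not from the thesis or MulVAL): least-fixpoint evaluation of
# a logical attack graph. Ids, labels and the 3-host scenario are constructed;
# the vulnerability id is a placeholder.
# "deps" is the "depends on" edge relation. Fact nodes are OR nodes (any one
# derivation node enables them), derivation nodes are AND nodes (every
# precondition must hold), primitive nodes are leaf facts from the configuration.
GRAPH = {
    "1":   {"kind": "fact", "label": "execCode(workStation, root)", "deps": ["r1"]},
    "r1":  {"kind": "derivation", "label": "remote exploit of a server program", "deps": ["2", "3"]},
    "2":   {"kind": "fact", "label": "netAccess(workStation, tcp, 80)", "deps": ["r2a", "r2b"]},
    "r2a": {"kind": "derivation", "label": "direct network access", "deps": ["p1", "p2"]},
    "r2b": {"kind": "derivation", "label": "multi-hop access via webServer", "deps": ["p3", "p4"]},
    "3":   {"kind": "primitive", "label": "vulExists(workStation, VULN-PLACEHOLDER, httpd)", "deps": []},
    "p1":  {"kind": "primitive", "label": "attackerLocated(internet)", "deps": []},
    "p2":  {"kind": "primitive", "label": "hacl(internet, workStation, tcp, 80)", "deps": []},
    "p3":  {"kind": "primitive", "label": "execCode(webServer, apache)", "deps": []},
    "p4":  {"kind": "primitive", "label": "hacl(webServer, workStation, tcp, 80)", "deps": []},
}

def derivable(graph, holding):
    """Every node derivable when the primitive facts in `holding` hold.
    Iterating to a fixpoint rather than recursing stays correct if the
    unfolded tree is really a graph with cycles, as MulVAL output can be."""
    true = {n for n in holding if graph.get(n, {}).get("kind") == "primitive"}
    changed = True
    while changed:
        changed = False
        for node, info in graph.items():
            if node in true or info["kind"] == "primitive":
                continue
            hits = [d in true for d in info["deps"]]
            if (all(hits) if info["kind"] == "derivation" else any(hits)):
                true.add(node)
                changed = True
    return true

def explain(graph, goal, holding):
    """Sub-graph {node: enabled children} that justifies the goal, i.e. the
    'why the attack can happen' view; empty when the goal is unreachable."""
    true = derivable(graph, holding)
    if goal not in true:
        return {}
    keep, stack = {}, [goal]
    while stack:
        node = stack.pop()
        if node in keep:
            continue
        keep[node] = [d for d in graph[node]["deps"] if d in true]
        stack.extend(keep[node])
    return keep
```

Removing a single primitive fact from `holding` (patching the vulnerability, or closing the firewall rule behind p4) and re-running `explain` shows which configuration change actually cuts the goal off.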
  • Example : Energy Management Network
  • EMN
    • EMN has 3 subnets: a DMZ (Demilitarized Zone), an internal subnet, and an EMS (Energy Management System) subnet
    • Host grouping is applied to hosts with similar configurations (e.g., workstations)
    • The web server and the VPN server are directly accessible from the Internet
    • The web server can access the file server through the NFS file-sharing protocol
  • EMN (continued)
    • The VPN server is allowed access to all hosts in the internal subnet
    • Access to the EMS subnet is only allowed from the Citrix server in the internal subnet, and even then only to the data historian
    • The attacker’s goal is to gain privileges to execute code on the communication server
  • MulVAL Logical Attack Graph
  • Limitations in Attack Graphs
    • Attack Graph Problems: Size & Complexity
      • Difficult to quickly identify most important data
      • Difficult to assess and act on complete set of possible attack steps
      • Not interactive for the user
      • The layout of the graph doesn’t correspond to the underlying topology of the network
  • Contributions
    • Solutions
      • Make the attack graph user interactive
      • Provide user interactivity, zooming and action listener features
      • Provide different views of the graph for analyzing in different dimensions
  • Visualization toolkits
    • JUNG – An open-source Java software library, mainly used for data analysis on relational data sets
    • Piccolo – Mainly a 2D graphics library, with tree and fisheye layouts as its salient features
    • Graphviz – An open-source package generally used to produce static visualizations
  • Two layered architecture
  • Static Layer
    • Parse the text file into the richer DOT format
    • The DOT file is easy to analyze and produces a static image file as output
    • Disadvantages:
      • Layout
        • Produces static images with a random layout
      • Scalability
        • Difficult to analyze large networks
        • Possibility of edge-subnet, edge-edge and node-node overlapping
  • Data Format
    • Node (V): The node is the most basic data type. It maps to an actual node in the real-world enterprise network
    • Gateway (G): A gateway G typically maps to a firewall in a real-world enterprise network
    • Subnet (S): A subnet S is defined as:
  • Data Format
    • Connection (C): A connection C is defined as the link between <subnet, gateway>
    • AttackStep (AS): An attack step AS is defined as the link between <node, node>
  • Topology-Mapped Attack Graph (from “Improving Attack Graph Visualization through Data Reduction and Attack Grouping”, John Homer et al., 5th International Workshop on Visualization for Cyber Security)
  • Untrimmed Attack Graph (same source)
  • Trimmed Attack Graph (same source)
  • Dynamic Layer
    • Parse the Dot file using a dot grammar
    • Prefuse conversion:
      • Import prefuse packages
      • Prefuse graph object construction
        • Map the parsed dot attributes with the prefuse attributes
        • Construct the graph object based on the attribute values
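The Data Format slides and the Dynamic Layer steps together, as an added example that is not the thesis's own parser: a small DOT excerpt for the EMN scenario is parsed into Subnet, Gateway, Connection and AttackStep records, and each attack step is mapped onto the subnet pair it crosses, the attribute mapping that has to happen before a graph object is built. The DOT attribute convention (subnet="..." on hosts, kind="gateway" on firewalls) and the host names are assumptions.

```python
# Added example (not from the thesis): parse a constructed DOT excerpt of the
# static layer into the data format (Node, Gateway, Subnet, Connection,
# AttackStep) and group attack steps by the subnet pair they cross.
# The attribute convention (subnet="...", kind="gateway") is an assumption.
import re
from collections import namedtuple

Connection = namedtuple("Connection", "subnet gateway")  # <subnet, gateway>
AttackStep = namedtuple("AttackStep", "src dst label")   # <node, node>

DOT = """digraph emn {
  webServer [subnet="dmz"];
  fileServer [subnet="internal"];
  citrix [subnet="internal"];
  historian [subnet="ems"];
  fw1 [kind="gateway"];
  dmz -> fw1;
  internal -> fw1;
  webServer -> fileServer [label="NFS"];
  citrix -> historian [label="Citrix"];
}"""

NODE_RE = re.compile(r'^\s*(\w+)\s*\[(.*)\]\s*;')
EDGE_RE = re.compile(r'^\s*(\w+)\s*->\s*(\w+)\s*(?:\[(.*)\])?\s*;')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_dot(text):
    """Return (subnets, gateways, connections, steps, host_subnet)."""
    subnets, gateways, conns, steps, host_subnet = {}, set(), [], [], {}
    for line in text.splitlines():
        edge = EDGE_RE.match(line)
        if edge:
            src, dst = edge.group(1), edge.group(2)
            attrs = dict(ATTR_RE.findall(edge.group(3) or ""))
            if dst in gateways:  # subnet -> firewall link
                conns.append(Connection(src, dst))
            else:                # host -> host attack step
                steps.append(AttackStep(src, dst, attrs.get("label", "")))
            continue
        node = NODE_RE.match(line)
        if node:
            name, attrs = node.group(1), dict(ATTR_RE.findall(node.group(2)))
            if attrs.get("kind") == "gateway":
                gateways.add(name)
            elif "subnet" in attrs:
                host_subnet[name] = attrs["subnet"]
                subnets.setdefault(attrs["subnet"], set()).add(name)
    return subnets, gateways, conns, steps, host_subnet

def steps_by_subnet_pair(steps, host_subnet):
    """Group steps by (source subnet, target subnet); unknown hosts map to '?'."""
    groups = {}
    for step in steps:
        key = (host_subnet.get(step.src, "?"), host_subnet.get(step.dst, "?"))
        groups.setdefault(key, []).append(step)
    return groups
```

The grouping is what lets a topology-mapped view draw one edge per subnet pair instead of one per exploit, which is the data reduction the trimmed graph above relies on.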
  • The prefuse toolkit
    • A Java user-interface toolkit for constructing interactive information visualization applications
    • Supports visualization, animation, and interaction
    • Applications are built by stringing together fine-grained, reusable components
    • Layers of indirection between source data, visualized data and rendering
  • System architecture
  • Toolkit features
    • Data structures and I/O libraries
    • Multiple visualizations, multiple views
    • Application design through composable modules
    • A library of provided layout and distortion techniques
    • Animation and time-based processing
    • Graphics transforms, including panning and zooming
    • A full force simulator for physics-based interfaces
    • Interactor components for common interactions
    • Integrated color maps and search functionality
    • Event logging to support visualization evaluation
  • Architecture
    • Filtering is the process of mapping abstract data to a representation suitable for visualization
    • Actions are used to select visualized data and set visual properties such as location and font; they are also used to perform tasks such as filtering, layout and color assignment
    • ActionLists are used to enforce ordered execution of actions
  • Architecture (continued)
    • Renderers draw the visual items onto the screen by rendering their visual attributes
    • The Display component draws all the visible items onto the screen using the appropriate renderers
    • Display provides support for mouse and keyboard events on visible items
  • Useful features
    • Panning and zooming allow the user to concentrate on the essential parts of the graph
    • Expression techniques allow the user to visualize specific areas of the graph with particular attributes; for example, the user can filter the graph to display information specific to the top three vulnerabilities
    • Interactor components for common interactions, such as showing the predicates attached to an edge
  • Extendible features
    • Search functionality to find a particular edge or node in the graph with a specific property
    • An overview feature captures the whole view of the network in a small dialog box
  • Implementation
  • Implementation (continued)
  • Future Work
  • Two layered architecture
  • Conclusion
    • The architecture generates an interactive display of the attack graphs
    • This gives researchers a convenient way to extend the tool
    • It gives network administrators a convenient way to map attack graphs onto the real network topology
  • References
    • http://prefuse.org
    • John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen. Improving attack graph visualization through data reduction and attack grouping. In 5th International Workshop on Visualization for Cyber Security (VizSEC 2008), Cambridge, MA, U.S.A., September 2008.
  • Demo of Energy Management Network