Master's Defense


Published on

My master's defense which discusses about various visualization techniques in attack graphs. I primarily used prefuse to generate a dynamic and interactive display for attack graphs.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Master's Defense

    1. 1. Visualization techniques in Attack Graphs <ul><ul><li>By: Ashok R Varikuti </li></ul></ul><ul><ul><li>05/18/2009 </li></ul></ul>
    2. 2. Quote “ A picture is worth a thousand words.” – Napoleon Bonaparte
    3. 3. Outline <ul><li>Introduction to Attack Graphs </li></ul><ul><li>Current limitations in Attack Graphs </li></ul><ul><li>Survey of visualization toolkits </li></ul><ul><li>Layered architecture of the model </li></ul><ul><li>Discussion on how the model achieves the desired goal </li></ul><ul><li>Implementation </li></ul><ul><li>Conclusion </li></ul>
    4. 4. Attack Graphs <ul><li>Provides a visual representation of attack paths and potential vulnerabilities in the network </li></ul><ul><li>Makes the life of a system administrator easier by providing a convenient interface to identify vulnerabilities in the network </li></ul><ul><li>MuLVAL generates attack graphs using a logic based approach </li></ul>
    5. 5. Attack Graphs <ul><li>Graph is generated using logic-based approach, hence Logical Attack Graph </li></ul><ul><li>A node in the graph is a logical statement </li></ul><ul><li>The edges in the graph specify the causality relations between network configurations and an attacker’s potential privileges. </li></ul><ul><li>Illustrates “why the attack can happen”. </li></ul>
    6. 6. Logical Attack Graph Generator
    7. 7. 3host network
    8. 8. Tree representation of 3host scenario attack graph
    9. 9. Description <ul><li>The root node is the attack goal meaning “the attacker can execute arbitrary code as user root on machine workStation” </li></ul><ul><li>The edges in the graph represent the “depends on” relation </li></ul><ul><li>Fact Node 2 is enabled either by r2a or r2b, which are the derivation nodes for 2 </li></ul>
    10. 10. Example : Energy Management Network
    11. 11. EMN <ul><li>EMN has 3 subnets, a DMZ (Demilitarized </li></ul><ul><li>Zone), an internal subnet, and an EMS(Energy Management System)‏ </li></ul><ul><li>Host-grouping applied based on similar configurations Ex: workstation </li></ul><ul><li>The web server and the VPN server are directly accessible from the Internet </li></ul><ul><li>The web server can access the file server through the NFS file-sharing protocol </li></ul>
    12. 12. EMN Continued.. <ul><li>VPN server is allowed access to all hosts in the internal subnet </li></ul><ul><li>Access to the EMS subnet is only allowed from the Citrix server in the internal subnet, and even then only to the data historian </li></ul><ul><li>The attacker’s goal is to gain privileges to execute code on the communication Server </li></ul>
    13. 13. MulVAL Logical Attack Graph
    14. 14. Limitations in Attack Graphs <ul><li>Attack Graph Problems: Size & Complexity </li></ul><ul><ul><li>Difficult to quickly identify most important data </li></ul></ul><ul><ul><li>Difficult to assess and act on complete set of possible attack steps </li></ul></ul><ul><ul><li>Not user interactive </li></ul></ul><ul><ul><li>Layout of the graph doesn’t correspond to the underlying topology of the network </li></ul></ul>
    15. 15. Contributions <ul><li>Solutions </li></ul><ul><ul><li>Make the attack graph user interactive </li></ul></ul><ul><ul><li>Provide user interactivity, zooming and action listener features </li></ul></ul><ul><ul><li>Provide different views of the graph for analyzing in different dimensions </li></ul></ul>
    16. 16. Visualization toolkits <ul><li>JUNG – An open source java software library. Mainly used in performing data analysis on relational data sets </li></ul><ul><li>Piccolo – Mainly 2D graphics library with tree and fisheye layouts as salient features </li></ul><ul><li>Graphviz – Open source package generally used to produce static visualizations </li></ul>
    17. 17. Two layered architecture
    18. 18. Static Layer <ul><li>Parse the text file into rich Dot Format </li></ul><ul><li>The dot file is easy to analyze and produces a static image file as output. </li></ul><ul><li>Disadvantages: </li></ul><ul><ul><li>Layout </li></ul></ul><ul><ul><ul><li>Produces static images with random layout </li></ul></ul></ul><ul><ul><li>Scalability </li></ul></ul><ul><ul><ul><li>Difficult to analyze large network's. </li></ul></ul></ul><ul><ul><ul><li>Possibility of edge-subnet, edge-edge and node-node overlapping </li></ul></ul></ul>
    19. 19. Data Format <ul><li>Node (V):- The node is the most basic data type. It maps to an actual node in the real world enterprise network </li></ul><ul><li>Gateway (G):- A gateway G typically maps to a firewall in a real world enterprise network. </li></ul><ul><li>Subnet(S):- A subnet S is defined as :- </li></ul>
    20. 20. Data Format <ul><li>Connection (C):- A connection C is defined as the link between <subnet, gateway>. </li></ul><ul><li>AttackStep (AS):- An attack step AS is defined as the link between <node,node>. </li></ul>
    21. 21. Topology-Mapped Attack Graph Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al . In 5th International Workshop on Visualization for Cyber Security.
    22. 22. Untrimmed Attack Graph Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al . In 5th International Workshop on Visualization for Cyber Security.
    23. 23. Trimmed Attack Graph Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al . In 5th International Workshop on Visualization for Cyber Security.
    24. 24. Dynamic Layer <ul><li>Parse the Dot file using a dot grammar </li></ul><ul><li>Prefuse conversion:- </li></ul><ul><ul><li>Import prefuse packages </li></ul></ul><ul><ul><li>Prefuse graph object construction </li></ul></ul><ul><ul><ul><li>Map the parsed dot attributes with the prefuse attributes </li></ul></ul></ul><ul><ul><ul><li>Construct the graph object based on the attribute values </li></ul></ul></ul>
    25. 25. The prefuse toolkit <ul><li>A java user interface toolkit for constructing interactive information visualization applications </li></ul><ul><li>Supports visualization, animation, and interaction </li></ul><ul><li>Application building by stringing together fine-grained, reusable components </li></ul><ul><li>Layers of indirection between source data, visualized data and rendering. </li></ul>
    26. 26. System architecture
    27. 27. Toolkit features <ul><li>Data structures and I/O libraries </li></ul><ul><li>Multiple visualizations, multiple views </li></ul><ul><li>Application design through composable modules </li></ul><ul><li>A library of provided layout and distortion techniques </li></ul><ul><li>Animation and time-based processing </li></ul><ul><li>Graphics transforms, including panning and zooming </li></ul><ul><li>A full force simulator for physics-based interfaces </li></ul><ul><li>Interactor components for common interactions </li></ul><ul><li>Integrated color maps and search functionality </li></ul><ul><li>Event logging to support visualization evaluation </li></ul>
    28. 28. Architecture <ul><li>Filtering is the process of mapping abstract data to a representation suitable for visualization </li></ul><ul><li>Actions are used to select visualized data and set visual properties such as location, font. Also used to perform tasks such as filtering, layout and color assignment </li></ul><ul><li>Actionlists are used to enforce ordered execution of actions </li></ul>
    29. 29. Architecture Cont.. <ul><li>Renderer's draw the visual items on to the screen by rendering the visual attributes </li></ul><ul><li>The Display component draws all the visible items using appropriate renderer's onto the screen </li></ul><ul><li>Display provides support to mouse and keyboard events on visible items </li></ul>
    30. 30. Useful features <ul><li>Panning and zooming allows the user to concentrate on the essential parts of the graph </li></ul><ul><li>Expression techniques allows the user to visualize specific areas of graph with particular attributes Ex: The user can filter the graph to display information specific to the top three vulnerabilities </li></ul><ul><li>Interactor components for common interactions such as showing the predicates attached with an edge </li></ul>
    31. 31. Extendible features <ul><li>Search functionality to search for a particular edge/node in the graph with a specific property. </li></ul><ul><li>Overview feature allows to capture the whole view of network in a small dialog box </li></ul>
    32. 32. Implementation
    33. 33. Impl Contd..
    34. 34. Future Work
    35. 35. Two layered architecture
    36. 36. Conclusion <ul><li>The architecture generates an interactive display of the attack graphs. </li></ul><ul><li>This provides a convenient way for the researcher's to enhance the tool in a better way. </li></ul><ul><li>Provides a convenient way for network administrator to map the attack graph's into real network topology. </li></ul>
    37. 37. References <ul><li> </li></ul><ul><li>John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen. Improving attack graph visualization through data reduction and attack grouping . In 5th International Workshop on Visualization for Cyber Security (VizSEC 2008), Cambridge, MA, U.S.A., September 2008. </li></ul>
    38. 38. Demo of Energy Management Network