A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior - PowerPoint PPT Presentation

1
A Quantitative Model of the Security Intrusion
Process Based on Attacker Behavior
Erland Jonsson and Tomas Olovsson
  • IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23, NO. 4, APRIL 1997

Presented by Huan-Ting Chen, 2007/4/30
2
Authors
  • Erland Jonsson
    - Chalmers University of Technology, Göteborg, Sweden
    - His major research interests include issues
      regarding the quantitative assessment of security.
  • Tomas Olovsson
    - Chalmers University of Technology, Göteborg, Sweden
    - His current research areas are security, with an
      emphasis on the assessment of operational security,
      and fault tolerance.
3
Outline
  • Introduction
  • Experiment
  • Recorded Data
  • Modeling the Intrusion Process
  • A Hypothesis For The Intrusion Process
  • Conclusions

5
Introduction
  • Traditional security evaluation is usually
    based on the classes defined by the various
    security evaluation criteria.
  • These classes primarily reflect static design
    properties and the development process of the
    system, but do not incorporate the interaction
    with the operational environment.

6
Introduction
  • We have tried to model the intrusion process in
    quantitative terms.
  • We have carried out a practical intrusion
    experiment and collected the empirical data.

7
Introduction
  • Based on the empirical data, we have worked out a
    hypothesis on typical attacker behavior.
  • Another objective of the experiment was to gain
    some general knowledge of the intrusion process
    and the exploited vulnerabilities.

9
Experiment
  • The experiment was conducted during a 4-week
    period.
  • There were three different kinds of actors
    involved in the experiment:
    - attackers
    - coordinator
    - system administrator

10
Experiment
  • The target system consisted of a set of 24 SUN
    ELC diskless workstations connected to one
    file-server, all running SunOS 4.1.2.
  • The system was run in its standard
    configuration.

11
Experiment
  • We were aiming for attackers that could be
    considered to be the normal users of the
    system.
  • We decided to use undergraduate students from our
    university.
  • There were 24 attackers (12 groups) participating
    in the experiment.

12
Experiment
  • Rules for the attackers:
    - A security breach occurs whenever they
      succeed in doing something they were not
      normally allowed to do.
    - The attack teams were forbidden to
      cooperate with other teams.
    - The attackers were not allowed to cause
      physical damage to the system.

13
Experiment
  • The coordinator's role was to monitor and
    coordinate all activities during the experiment.
  • The coordinator had to make sure that
    - the attackers and the system administrator
      were complying with the experimental rules
    - the activities of the attackers would not
      interfere with each other

14
Experiment
  • The system administrator would monitor the system
    in the usual way and not intensify his search for
    security violations or other unwanted user
    behavior.

15
Experiment
  • In addition to automatically logging and
    recording data, the attackers were required to
    perform extensive manual reporting.
  • There were three manual reports of fill-in form
    type:
    - the background report
    - the activity report
    - the evaluation report

16
Experiment
  • The background report was submitted before the
    experiment started.
  • The attackers were to document their background
    together with their interest and motivation for
    participating in the experiment.

17
Experiment
  • Each activity report contained data for one
    specific activity, such as working time.
  • After the experiment, the attackers were asked to
    write an evaluation report.

19
Recorded Data
  • The most tangible parameters are the time
    parameters:
    - t_A: working time for group member A,
      when working alone
    - t_B: working time for group member B,
      when working alone
    - t_AB: time when group members A and B
      work together

20
Recorded Data
  • The individual working time parameters can be
    combined in two obvious ways to yield a useful
    variable for time measurement:
    - t_gw = t_A + t_B + t_AB: group working time
    - t_aw = t_A + t_B + 2·t_AB: attacker working time

21
Recorded Data
  • Resource Parameters
    - network resources
    - other written media
    - human resources
    - programs developed by the attacker

22
Recorded Data
  • Resource Parameters (continued)
    - existing programs
    - processor usage on the target workstation
    - use of external computers

23
Recorded Data
  • The resource-related data is more difficult to
    quantify than the time-related data.
  • We decided to allow the resources to form a part
    of the environment of the system.

24
Recorded Data
  • The rationale for this assumption is that the
    same resources were equally available to all
    attackers, thus forming a fairly uniform
    environment.

25
Recorded Data
  • Skill Level
    - We required that the attackers, before the
      experiment started, stated their skill level,
      denoted S_nX, X ∈ {A, B}, n ∈ {1, ..., 12}.
    - It was necessary to derive a skill level
      that was representative of the group, S_n,
      where n is the group number.

26
Recorded Data
  • Skill Level

28
Modeling the Intrusion Process
  • The figure shows the accumulated working times
    for consecutive breaches.

29
Modeling the Intrusion Process
  • The Low Cluster
    - groups 2 and 12
    - the skill levels of these groups were clearly
      below those of all other groups
  • Our interpretation of these facts is that the two
    groups in the low cluster are still in their
    learning phase.

30
Modeling the Intrusion Process
  • The High Cluster
    - 10 groups
    - they show a consistent behavior, with a
      short time between breaches

31
Modeling the Intrusion Process
  • We will test the statistical hypothesis that the
    times to breach are exponentially distributed.
  • This test is based on the following necessary
    preconditions:
    1. The recorded data refers to the same
       phenomenon

32
Modeling the Intrusion Process
    2. The data for the different groups are
       independent
    3. The breach process is stationary

33
Modeling the Intrusion Process
  • The diagram in Fig. 4 below shows the accumulated
    working time (tgw) to breach n for the high
    cluster.

34
Modeling the Intrusion Process
  • We extracted the differential working times for
    each breach.

35
Modeling the Intrusion Process
(Figure: differential working times per breach, classified as early, intermediate, and late)
36
Modeling the Intrusion Process
  • Using the mean value of the sample times to
    breach and the standard deviation, S_class, for
    the three classes with sample sizes n_class, we
    calculate the confidence intervals, C_class, on
    the 95% level.
37
Modeling the Intrusion Process
  • Testing the data for an exponential distribution
    - We grouped the sample in intervals
      according to Table 4.

38
Modeling the Intrusion Process
  • The expectation value E = λ^(-1) of the assumed
    exponential distribution was estimated to be 4.06
    hours.
  • The chi-square distance can then be calculated as
    2.07.
  • The probability that the chi-square distribution
    with k − 1 − 1 = 4 degrees of freedom will exceed
    2.07 is as high as 72%.
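As an added example (not code from the paper or this presentation), the goodness-of-fit procedure described above carried out in Python: a constructed sample of differential times to breach is grouped into k intervals, E = λ^(-1) is estimated from the sample mean, the chi-square distance is computed against the exponential expectation, and the p-value is evaluated for k − 1 − 1 degrees of freedom. The interval edges are an assumption, since Table 4 is not reproduced here.

```python
import math
from typing import List, Sequence, Tuple

# Constructed sample (hours) of differential working times between consecutive
# breaches, standing in for standard-attack-phase data; not the paper's data.
SAMPLE_HOURS = [0.5, 1.2, 2.0, 2.8, 3.5, 4.1, 5.0, 6.3, 7.7, 9.4, 12.0, 15.5]
# Assumed interval edges for grouping the sample; the last interval is open-ended.
EDGES = [2.0, 4.0, 6.0, 8.0, 12.0]


def exp_cdf(x: float, mean: float) -> float:
    """CDF of an exponential distribution with expectation E = 1/lambda = mean."""
    return 1.0 - math.exp(-x / mean)


def chi2_sf_even_df(x: float, df: int) -> float:
    """P(X > x) for a chi-square variable with an even number of degrees of
    freedom, in closed form: exp(-x/2) * sum_{i < df/2} (x/2)^i / i!."""
    if df <= 0 or df % 2:
        raise ValueError("closed form needs a positive even df")
    term, total = 1.0, 1.0
    for i in range(1, df // 2):
        term *= (x / 2.0) / i
        total += term
    return math.exp(-x / 2.0) * total


def exponential_gof(times: Sequence[float], edges: Sequence[float]
                    ) -> Tuple[float, List[int], float, int, float]:
    """Return (mean, observed counts, chi-square distance, df, p-value).
    df = k - 1 - 1: one lost to the totals, one to the estimated parameter."""
    n = len(times)
    mean = sum(times) / n                      # estimate of E = 1/lambda
    bounds = [0.0, *edges, math.inf]
    k = len(bounds) - 1
    observed = [0] * k
    for t in times:                            # bin each sample time
        for i in range(k):
            if bounds[i] <= t < bounds[i + 1]:
                observed[i] += 1
                break
    expected = [n * (exp_cdf(bounds[i + 1], mean) - exp_cdf(bounds[i], mean))
                for i in range(k)]
    chi2 = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
    df = k - 1 - 1
    return mean, observed, chi2, df, chi2_sf_even_df(chi2, df)
```

With the paper's own figures, chi2_sf_even_df(2.07, 4) reproduces the roughly 72% probability quoted on the slide.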

40
A Hypothesis For The Intrusion Process
  • Based on the recorded data, and in particular on
    the skill level, we have formulated a generic
    hypothesis for the intrusion process.

41
A Hypothesis For The Intrusion Process
  • The learning phase
    - a low-skilled attacker would have to start
      by raising his skill level
    - his knowledge may be below some minimal
      attacking skill threshold
    - attackers above the attacking skill
      threshold are able to start an active
      attacking process directly

42
A Hypothesis For The Intrusion Process
  • The standard attack phase
    - test all attack methods
    - search for documented vulnerabilities
  • For the standard attack phase, the
    goodness-of-fit test performed indicates that the
    time to breach is exponentially distributed.

43
A Hypothesis For The Intrusion Process
  • The innovative attack phase
    - When all standard attack methods have
      been tested, the attacking process enters a
      more complicated phase.
    - The probability of success is expected to
      be much lower and the time to perform a
      successful breach much longer.

45
Conclusions
  • We performed a practical intrusion test on a
    distributed computer system and collected data
    related to the difficulty of making these
    intrusions.
  • These data seem to support our hypothesis that
    the intrusion process can be split into three
    distinctive phases: the learning phase, the
    standard attack phase, and the innovative attack
    phase.

46
Conclusions
  • Most of the data collected can be related to the
    standard attack phase.
  • The times between consecutive breaches during the
    standard attack phase are exponentially
    distributed.

47
Thanks for listening