Title: A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
Erland Jonsson and Tomas Olovsson
- IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. 23, NO. 4, APRIL 1997
Presented by Huan-Ting Chen, 2007/4/30
Author
- Erland Jonsson
- - Chalmers University of Technology, Göteborg, Sweden
- - His major research interests include issues regarding the quantitative assessment of security.
- Tomas Olovsson
- - Chalmers University of Technology, Göteborg, Sweden
- - His current research areas are security, with an emphasis on assessment of operational security, and fault-tolerance.
Outline
- Introduction
- Experiment
- Recorded Data
- Modeling the Intrusion Process
- A Hypothesis For The Intrusion Process
- Conclusions
Introduction
- Traditional security evaluation is usually based on the classes of the various security evaluation criteria.
- These classes primarily reflect static design properties and the development process of the system, but do not incorporate the interaction with the operational environment.
Introduction
- We have tried to model the intrusion process in quantitative terms.
- We have carried out a practical intrusion experiment and collected the empirical data.
Introduction
- Based on the empirical data, we have worked out a hypothesis on typical attacker behavior.
- Another objective of the experiment was to gain some general knowledge of the intrusion process and the exploited vulnerabilities.
Experiment
- The experiment was conducted during a 4-week period.
- There were three different kinds of actors involved in the experiment:
- - attackers
- - coordinator
- - system administrator
Experiment
- The target system consisted of a set of 24 SUN ELC diskless workstations connected to one file-server, all running SunOS 4.1.2.
- The system itself was left in its standard configuration.
Experiment
- We were aiming for attackers that could be considered to be the normal users of the system.
- We decided to use undergraduate students from our university.
- There were 24 attackers (12 groups) participating in the experiment.
Experiment
- Rules for the Attackers
- - A security breach occurs whenever they succeed in doing something they were not normally allowed to do.
- - The attack teams were forbidden to cooperate with other teams.
- - The attackers were not allowed to cause physical damage to the system.
Experiment
- The coordinator's role was to monitor and coordinate all activities during the experiment.
- The coordinator had to make sure that:
- - the attackers and the system administrator were complying with the experimental rules
- - the activities of the attackers would not interfere with each other
Experiment
- The system administrator would monitor the system in the usual way and not intensify his search for security violations or other unwanted user behavior.
Experiment
- In addition to the automatic logging and recording of data, the attackers were required to perform extensive manual reporting.
- There were three manual reports of fill-in form type:
- - the background report
- - the activity report
- - the evaluation report
Experiment
- The background report was submitted before the experiment started.
- The attackers were to document their background together with their interest and motivation for participating in the experiment.
Experiment
- Each activity report contained data for one specific activity, such as working time.
- After the experiment, the attackers were asked to write an evaluation report.
Recorded Data
- The most tangible parameters are the time parameters:
- - t_A: working time for group member A, when working alone
- - t_B: working time for group member B, when working alone
- - t_AB: time when group members A and B work together
Recorded Data
- The individual working time parameters can be combined in two obvious ways to yield a useful variable for time measurement:
- - t_gw = t_A + t_B + t_AB (group working time)
- - t_aw = t_A + t_B + 2 t_AB (attacker working time)
Recorded Data
- Resource Parameters
- - network resources
- - other written media
- - human resources
- - programs developed by the attacker
- - existing programs
- - processor usage on the target workstation
- - use of external computers
Recorded Data
- The resource-related data is more difficult to quantify than the time-related data.
- We decided to allow the resources to form a part of the environment of the system.
Recorded Data
- The rationale for this assumption is that the same resources were equally available to all attackers, thus forming a fairly uniform environment.
Recorded Data
- Skill Level
- - We required that the attackers, before the experiment started, stated their skill level, denoted S_nX, X ∈ {A, B}, n ∈ {1, ..., 12}.
- - It was necessary to derive a skill level that was representative for the group, S_n, where n is the group number.
Modeling the Intrusion Process
- The figure shows the accumulated working times for consecutive breaches.
Modeling the Intrusion Process
- The Low Cluster
- - groups 2 and 12
- - the skill level of these groups was clearly below that of all other groups
- Our interpretation of these facts is that the two groups in the low cluster are still in their learning phase.
Modeling the Intrusion Process
- The High Cluster
- - 10 groups
- - they show a consistent behavior with a short time between breaches
Modeling the Intrusion Process
- We will test the statistical hypothesis that the times to breach are exponentially distributed.
- This test is based on the following necessary preconditions:
- - 1. The recorded data refers to the same phenomenon
- - 2. The data for the different groups are independent
- - 3. The breach process is stationary
Modeling the Intrusion Process
- The diagram in Fig. 4 below shows the accumulated working time (t_gw) to breach n for the high cluster.
Modeling the Intrusion Process
- We extracted the differential working times for each breach.
Modeling the Intrusion Process
(Figure: differential working times to breach, divided into the three classes early, intermediate, and late)
Modeling the Intrusion Process
- Using the mean value of the sample times to breach and the standard deviation, S_class, for the three classes with sample sizes n_class, we calculate the confidence intervals, C_class, at the 95% level.
Modeling the Intrusion Process
- Testing data for exponential distribution
- - We grouped the sample in intervals according to Table 4.
Modeling the Intrusion Process
- The expectation value E = λ^-1 of the assumed exponential distribution was estimated to be 4.06 hours.
- The chi-square distance can then be calculated as 2.07.
- The probability that the chi-square distribution with k − 1 − 1 = 4 degrees of freedom will exceed 2.07 is as high as 72%.
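The procedure the last few slides describe, from the accumulated breach times of Fig. 4 to the differential times and the chi-square test, as an added example that is neither the paper's nor the presenter's code; the breach times and interval edges are constructed, and chi2_sf uses the closed-form chi-square tail for an even number of degrees of freedom so that no scipy is needed:

```python
"""Chi-square goodness-of-fit test of times-to-breach against an exponential
distribution, following the slides' procedure. Example code, not the authors'
own; ACCUMULATED is constructed sample data, not the experiment's."""
from math import exp, factorial

# Constructed: accumulated group working time t_gw (hours) at each consecutive
# breach, one list per attacker group.
ACCUMULATED = [
    [2.5, 5.0, 11.0, 13.5],
    [1.0, 7.5, 9.0, 16.0, 18.0],
    [4.0, 6.0, 8.5, 19.0],
]

def differential_times(accumulated):
    """Time to breach n = accumulated time at breach n minus that at breach n-1."""
    diffs = []
    for series in accumulated:
        prev = 0.0
        for t in series:
            diffs.append(t - prev)
            prev = t
    return diffs

def chi2_sf(x, df):
    """P(X > x) for chi-square with even df, closed form (no scipy needed)."""
    if df % 2:
        raise ValueError("closed form implemented for even df only")
    h = x / 2.0
    return exp(-h) * sum(h ** i / factorial(i) for i in range(df // 2))

def exponential_gof(samples, edges):
    """Bin samples into k = len(edges) + 1 intervals (last one open-ended),
    compare with an exponential with the sample mean, return (mean, chi2, df, p)."""
    n = len(samples)
    mean = sum(samples) / n
    cdf = lambda t: 1.0 - exp(-t / mean)            # exponential CDF, rate 1/mean
    observed = [0] * (len(edges) + 1)
    for s in samples:
        observed[sum(1 for e in edges if s >= e)] += 1
    bounds = [0.0] + list(edges)
    expected = [n * (cdf(b) - cdf(a)) for a, b in zip(bounds, bounds[1:])]
    expected.append(n * (1.0 - cdf(bounds[-1])))    # open-ended last interval
    chi2 = sum((o - e) ** 2 / e for o, e in zip(observed, expected))
    df = len(observed) - 1 - 1      # k intervals - 1 - one estimated parameter
    return mean, chi2, df, chi2_sf(chi2, df)

if __name__ == "__main__":
    res = exponential_gof(differential_times(ACCUMULATED), (1.5, 3.0, 4.5, 6.0, 8.0))
    print("mean=%.2f h  chi2=%.2f  df=%d  P(exceed)=%.2f" % res)
```

Fed the slide's own figures, chi2_sf(2.07, 4) gives about 0.72, the 72% quoted above.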
A Hypothesis For The Intrusion Process
- Based on the recorded data, and in particular on the skill level, we have formulated a generic hypothesis for the intrusion process.
A Hypothesis For The Intrusion Process
- The learning phase
- - a low-skilled attacker would have to start by raising his skill level
- - his knowledge may be below some minimal attacking skill threshold
- - attackers above the attacking skill threshold are able to start an active attacking process directly
A Hypothesis For The Intrusion Process
- The standard attack phase
- - test all attack methods
- - search for documented vulnerabilities
- During the standard attack phase, the goodness-of-fit test performed indicates that the time to breach is exponentially distributed.
A Hypothesis For The Intrusion Process
- The innovative attack phase
- - When all standard attack methods have been tested, the attacking process enters a more complicated phase.
- - The probability for success is expected to be much lower and the time to perform a successful breach much longer.
Conclusions
- We performed a practical intrusion test on a distributed computer system and collected data related to the difficulty of making these intrusions.
- These data seem to support our hypothesis that the intrusion process can be split into three distinct phases: the learning phase, the standard attack phase, and the innovative attack phase.
Conclusions
- Most of the data collected can be related to the standard attack phase.
- The times between consecutive breaches during the standard attack phase are exponentially distributed.
Thanks for listening