A Quantitative Model of the Security Intrusion Process


A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior
Erland Jonsson and Tomas Olovsson
IEEE Transactions on Software Engineering, Vol. 23, No. 4, April 1997
Presented by Huan-Ting Chen, 2007/4/30, OPLab, IM, NTU

Authors
- Erland Jonsson, Chalmers University of Technology, Göteborg, Sweden. His major research interests include issues regarding the quantitative assessment of security.
- Tomas Olovsson, Chalmers University of Technology, Göteborg, Sweden. His current research areas are security, with an emphasis on the assessment of operational security, and fault tolerance.
9/6/2021 OPLab, IM, NTU 2

Outline
- Introduction
- Experiment
- Recorded Data
- Modeling the Intrusion Process
- A Hypothesis For The Intrusion Process
- Conclusions

Introduction
- The traditional security evaluation is usually based on the classes of various security evaluation criteria.
- These classes primarily reflect static design properties and the development process of the system, but do not incorporate the interaction with the operational environment.

Introduction
- We have tried to model the intrusion process in quantitative terms.
- We have carried out a practical intrusion experiment and collected the empirical data.

Introduction
- Based on the empirical data, we have worked out a hypothesis on typical attacker behavior.
- Another objective of the experiment was to gain some general knowledge of the intrusion process and the exploited vulnerabilities.

Experiment
- The experiment was conducted during a 4-week period.
- There were three different kinds of actors involved in the experiment:
  - attackers
  - coordinator
  - system administrator

Experiment
- The target system consisted of a set of 24 SUN ELC diskless workstations connected to one file server, all running SunOS 4.1.2.
- The system itself was set up as a "standard" configuration.

Experiment
- We were aiming for attackers that could be considered to be the "normal" users of the system.
- We decided to use undergraduate students from our university.
- There were 24 attackers (12 groups) participating in the experiment.

Experiment
- Rules for the attackers:
  - A security breach occurs whenever they succeed in doing something they were not normally allowed to do.
  - The attack teams were forbidden to cooperate with other teams.
  - The attackers were not allowed to cause physical damage to the system.

Experiment
- The coordinator's role was to monitor and coordinate all activities during the experiment.
- The coordinator had to make sure that:
  - the attackers and the system administrator were complying with the experimental rules
  - the activities of the attackers would not interfere with each other

Experiment
- The system administrator would monitor the system in the usual way and not intensify his search for security violations or other unwanted user behavior.

Experiment
- In addition to the automatic logging and recording of data, the attackers were required to perform extensive manual reporting.
- There were three manual reports of the "fill-in form" type:
  - the background report
  - the activity report
  - the evaluation report

Experiment
- The background report was submitted before the experiment started.
- The attackers were to document their background together with their interest and motivation for participating in the experiment.

Experiment
- Each activity report contained data for one specific activity, such as working time.
- After the experiment, the attackers were asked to write an evaluation report.

Recorded Data
- The most tangible parameters are the time parameters:
  - tA = working time for group member A, when working alone
  - tB = working time for group member B, when working alone
  - tA+B = time when group members A and B work together

Recorded Data
- The individual working time parameters can be combined in two obvious ways to yield a useful variable for time measurement:
  - tgw = tA + tB + tA+B = group working time
  - taw = tA + tB + 2 · tA+B = attacker working time

Recorded Data
- Resource parameters:
  - network resources
  - other written media
  - human resources
  - programs developed by the attacker
  - existing programs
  - processor usage on the target workstation
  - use of external computers

Recorded Data
- The resource-related data is more difficult to quantify than the time-related data.
- We decided to allow the resources to form a part of the environment of the system.

Recorded Data
- The rationale for this assumption is that the same resources were equally available to all attackers, thus forming a fairly uniform environment.

Recorded Data
- Skill level:
  - We required that the attackers, before the experiment started, stated their skill level, denoted Sn.X, X ∈ {A, B}, n ∈ {1, ..., 12}.
  - It was necessary to derive a skill level that was representative for the group, Sn, where n is the group number.

Recorded Data
- Skill level (slide content not reproduced in the text)

Modeling the Intrusion Process
- The figure (not reproduced) shows the accumulated working times for consecutive breaches.

Modeling the Intrusion Process
- The low cluster:
  - groups 2 and 12
  - the skill level of these groups was clearly below that of all other groups
- Our interpretation of these facts is that the two groups in the low cluster are still in their learning phase.

Modeling the Intrusion Process
- The high cluster:
  - 10 groups
  - they show a consistent behavior with a short time between breaches

Modeling the Intrusion Process
- We will test the statistical hypothesis that the times to breach are exponentially distributed.
- This test is based on the following necessary preconditions:
  1. The recorded data refers to the same phenomenon
  2. The data for the different groups are independent
  3. The breach process is stationary

Modeling the Intrusion Process
- The diagram in Fig. 4 (not reproduced) shows the accumulated working time (tgw) to breach n for the high cluster.

Modeling the Intrusion Process
- We extracted the differential working times for each breach.

Modeling the Intrusion Process
- Differential working times to breach in three classes: early, intermediate, late (figure not reproduced)

Modeling the Intrusion Process
- Using the mean value of the sample times to breach for each class, and the standard deviation, Sclass, for the three classes with sample sizes nclass, we calculate the confidence intervals, Cclass, on the 95% level (formula not reproduced).

Modeling the Intrusion Process
- Testing the data for an exponential distribution:
  - We grouped the sample into intervals according to Table 4 (not reproduced).

Modeling the Intrusion Process
- The expectation value E[ξ] of the assumed exponential distribution (the reciprocal of its rate parameter) was estimated to be 4.06 hours.
- The chi-square distance can then be calculated as 2.07.
- The probability that the chi-square distribution with k – 1 = 4 degrees of freedom will exceed 2.07 is as high as 72%.
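As an added example (not code from the paper or the slides), the goodness-of-fit procedure described above carried out in Python on a constructed sample of times to breach: the sample mean estimates E[ξ], the sample is binned into k = 5 equiprobable intervals under that exponential, and the chi-square distance is compared against the chi-square distribution with k - 1 = 4 degrees of freedom. The sample values and the equiprobable binning are assumptions, since Table 4 is not reproduced.

```python
import math
from typing import List, Tuple

# Constructed sample of differential working times to breach, in hours, standing
# in for the paper's standard-attack-phase data (the slides do not reproduce it).
SAMPLE_HOURS = [0.5, 1.2, 0.8, 3.4, 2.1, 6.7, 0.3, 4.9, 1.5, 9.8,
                2.6, 0.9, 5.3, 1.1, 7.4, 3.0, 0.6, 12.5, 2.2, 4.1]


def equiprobable_edges(mean: float, k: int) -> List[float]:
    """Upper edges of k intervals that each carry probability 1/k under an
    exponential distribution with the given mean (quantile x = -mean*ln(1-p));
    the last interval is open-ended."""
    return [-mean * math.log(1.0 - i / k) for i in range(1, k)] + [math.inf]


def chi_square_fit(sample: List[float], k: int = 5) -> Tuple[float, List[int], float]:
    """Estimate E[xi] by the sample mean, bin the sample into k equiprobable
    intervals and return (mean, observed counts per interval, chi-square distance)."""
    mean = sum(sample) / len(sample)
    edges = equiprobable_edges(mean, k)
    observed = [0] * k
    for x in sample:
        observed[next(i for i, edge in enumerate(edges) if x <= edge)] += 1
    expected = len(sample) / k          # same expected count in every interval
    distance = sum((o - expected) ** 2 / expected for o in observed)
    return mean, observed, distance


def chi_square_tail(distance: float, df: int) -> float:
    """P(chi-square with df degrees of freedom > distance). Closed form valid
    for even df: exp(-x/2) * sum_{i < df/2} (x/2)^i / i!  (no scipy needed)."""
    if df % 2:
        raise ValueError("closed form implemented for even df only")
    half = distance / 2.0
    return math.exp(-half) * sum(half ** i / math.factorial(i) for i in range(df // 2))


if __name__ == "__main__":
    mean, observed, distance = chi_square_fit(SAMPLE_HOURS)
    print(f"estimated E[xi] = {mean:.2f} h, observed counts = {observed}")
    print(f"chi-square distance = {distance:.2f}, "
          f"P(exceed) = {chi_square_tail(distance, 4):.0%}")
    # The slides' own figures: distance 2.07 with k - 1 = 4 degrees of freedom
    print(f"paper: P(chi2_4 > 2.07) = {chi_square_tail(2.07, 4):.0%}")
```

Because the exponential mean is itself estimated from the sample, a strict test would drop one further degree of freedom; the block follows the slides and uses k - 1.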

A Hypothesis For The Intrusion Process
- Based on the recorded data, and in particular on the skill level, we have formulated a generic hypothesis for the intrusion process.

A Hypothesis For The Intrusion Process
- The learning phase:
  - a low-skilled attacker would have to start by raising his skill level
  - his knowledge may be below some minimal attacking skill threshold
  - attackers above the attacking skill threshold are able to start an active attacking process directly

A Hypothesis For The Intrusion Process
- The standard attack phase:
  - test all attack methods
  - search for documented vulnerabilities
- During the standard attack phase, the goodness-of-fit test performed indicates that the time to breach is exponentially distributed.

A Hypothesis For The Intrusion Process
- The innovative attack phase:
  - When all "standard" attack methods have been tested, the attacking process enters a more complicated phase.
  - The probability of success is expected to be much lower and the time to perform a successful breach much longer.

Conclusions
- We performed a practical intrusion test on a distributed computer system and collected data related to the difficulty of making these intrusions.
- These data seem to support our hypothesis that the intrusion process can be split into three distinctive phases: the learning phase, the standard attack phase, and the innovative attack phase.

Conclusions
- Most of the data collected can be related to the standard attack phase.
- The times between consecutive breaches during the standard attack phase are exponentially distributed.

Thanks for listening.