
Chapter 1 Introduction

1.3 Synopsis

The rest of this thesis is organized as follows. In Chapter 2, we review related work in this area. In Chapter 3, we propose a new hierarchical risk assessment architecture and a risk analysis method for wireless network security. Chapter 4 gives 2 examples to illustrate that the proposed architecture is useful for network risk assessment; in addition, we provide a view of the attack graph based on the configurations of the WLAN. Finally, Chapter 5 presents some conclusions.

Chapter 2 Related Work

Wireless networks have many security holes that may lead to attacks, and attackers always use these holes to achieve their goals. In order to keep attackers from accessing, monitoring and modifying network packets, some security tools can help to detect the configuration information of wireless networks. Furthermore, administrators can use the configurations for risk assessment and show the risk value in a graph. These graphs collect the crucial information that aids network administrators in efficiently reinforcing network security. In this chapter, we first review past research on attack graphs. Section 2.2 specifies the process of risk assessment. The approaches to network risk assessment are reviewed in Section 2.3.

2.1 Past Researches for Attack Graph

Attack graphs have been widely used in security work. Any attack or vulnerability can be observed from a path that leads from an initial node to a success node. In the original form of the attack graph, each node represented a state of the attacker and each edge represented an atomic attack that changed the state. Initial nodes expressed the states in which the attacker had not conducted any atomic attack, and success nodes expressed the states in which the attacker had successfully reached the goal [10]. Such an attack graph becomes very complex as more hosts are added to the network. As a result, an automatic tool is useful for administrators to build the attack graph.

Many methods have been proposed to define the attack graph and construct it automatically. Ortalo et al. [9] developed a method named the privilege graph, in which the nodes represented privileges owned by users and the edges represented vulnerabilities that would change those privileges. The graph displayed the different ways in which attackers could reach their goal. In [10], Phillips and Swiler defined an attack graph that was generated from three types of input: attack templates, a configuration file, and attacker profiles.

Attack templates represented the necessary information or the steps of an attack. The configuration file stored the detailed information that attackers wanted, and the capabilities of attackers were stored in the attacker profiles. In [11], Swiler et al. implemented the method of [10] in a tool; moreover, the elimination of redundant paths was also addressed. Ammann et al. [12] developed a graph-based algorithm that was capable of finding most vulnerabilities.

Ingols et al. [13] defined another attack graph, called the MP attack graph, whose nodes are classified into three types: state nodes represent the access levels of attackers on the hosts, prerequisite nodes represent the hosts reachable from state nodes, and vulnerability nodes represent vulnerabilities in specific services.

More recently, Jha and Wing [18] proposed an attack graph that takes the network environment into account, including the network users, IP addresses, running services, etc. In [8], [23], Sheyner et al. defined an attack graph in which each node denoted a state of the network system and each edge denoted an atomic attack that changed the state. They also added three configurations, namely the open port numbers of the system, the connection relations and the vulnerabilities, to the configuration file, and used the model checking tool NuSMV [24] to analyze the attack graph. Zhang et al. [14] extended the attack graph with privileges and compared it with [8]. The result showed that their graph was much simpler than that in [8]; the reason was that the model checking tool is not able to determine the privileges of the network system.

In [15], Noel et al. defined another attack graph of the network environment. Each node represented a machine on the network and each edge represented the vulnerabilities that attackers used to compromise that machine. The network machines were grouped into several subnets, and a graph-drawing tool [25] was then used to generate the attack graph. This gave administrators a good view of which subnets were easily attacked. Kotenko and Stepashkin [16] proposed an architecture for security analysis based on the construction of attack graphs. In addition, they evaluated the network risk for different wired network environments. Hence the attack graph not only describes the vulnerabilities of the system but also helps to defend the network environment before it is attacked.

2.2 The Process of Risk Assessment

Risk assessment identifies the risks to network security and determines their probability of occurrence. Although risk assessment cannot eliminate all risks, administrators may expect the risks to be reduced and adjust the configurations of the network environment accordingly.

According to [26], Gray et al. proposed a risk assessment process. The process is decomposed into nine parts, and its flowchart is shown in Fig. 2.

- System characterization – In this step, the analysis items are identified, along with the configuration information and risk classifications that constitute the assessment model.

- Threat identification – The attacks on the assessed environment are described in this step.

- Vulnerability identification – The goal of this step is to list the vulnerabilities that could be exploited by attackers.

- Control analysis – In this step, the rules are defined that describe the controllability or uncontrollability of the system after being attacked.

- Likelihood determination – The rules are defined that describe the probability of attacks being launched.

- Impact analysis – In this step, the rules are defined that describe the impact severity on the system after being attacked.

- Risk determination – The goal of this step is to evaluate the security level of the system.

- Control recommendations – The goal of the recommended controls is to point out the security risks and support the experts in reducing them.

- Results documentation – Once the risk assessment has been completed, the results should be documented to help administrators understand the risks.

Fig. 2. Risk Assessment Methodology Flowchart (Gray et al. [26])

2.3 The Approaches of Risk Assessment

Fig. 3. The Hierarchy Structure of Risk Assessment (Zhao et al. [27], [28])

In [27], [28], Zhao et al. designed a risk assessment architecture based on Gray's process, as shown in Fig. 3. The top layer was the total risk value of the network, the rules were defined in the second layer, and the network attacks were defined in the lowest layer. They also recommended a risk assessment method that combined the analytic hierarchy process (AHP) method with matrix operations. The steps of the AHP method were specified as follows: (1) constructing the hierarchy structure for risk assessment; (2) constructing the judge matrix from expert experience; (3) determining the weights of the risk factors of each rule; (4) calculating the quantitative coefficients from the judge matrix.

After finishing the first three steps, they estimated the unknown probabilities of the risk factors of each attack type, p1, p2, …, pm, by using the Shannon entropy function [29], [30]. This function was put forward to decide the weight of each network attack, as follows:

H = -\frac{1}{\ln m} \sum_{i=1}^{m} p_i \ln p_i \qquad (1)

The judge matrix R of a rule is obtained by experts’ experiences as well as a corresponding vector b, which represents weights of risk factors of the rule. Suppose that R is an n-by-m matrix in which n implies there are n attack types in the wireless environment, and m represents the number of the risk factors in the rule.

11 12 1

The weight vector, qT, is also acquired from the matrix by using Eq. (1):

q = [q1, q2, …, qn]T

Then the risk value of each rule can be calculated by the following equation:

T

Changguang et al. [31] redesigned the architecture for wireless networks and used the same risk assessment method as [28]. They defined the total risk value as a function of the risk probability, the impact severity and the uncontrollability. The probability is denoted as p, the impact severity as c and the uncontrollability as u; the case in which the risk occurs is denoted as s, whereas the other case is denoted as t. The total risk value can then be calculated as:

R = f(\text{risk probability}, \text{impact severity}, \text{uncontrollability}) = f(p, c, u) \qquad (3)

[The expansion of f(p, c, u) in the terms p, c, u, pc, pu, cu and pcu is not legible on the page.]

From [32], we know that risk analysis can be carried out through fuzzy linguistics: the information about risk is calculated via fuzzy set theory and expressed in natural language. However, the main drawback of that method is that it cannot correctly calculate the average fuzzy set between two fuzzy sets. Therefore, Chen et al. [33] proposed an analysis method called the center-of-gravity (COG) similarity method to overcome the drawback of [32]. If a fuzzy value is not between zero and one, it is translated into the standardized fuzzy set. The average fuzzy set can be calculated by using the fuzzy weighted average (FWA) method, shown as follows:

\bar{R} = \frac{\sum_{i=1}^{n} W_i \times R_i}{\sum_{i=1}^{n} W_i} \qquad (4)

where \bar{R} is the average fuzzy set of the system security, and W_i and R_i are the weight and the security risk level of each subsystem, respectively.

Liao et al. [34] proposed a hierarchical structure to construct the risk assessment architecture and used FWA method to compute the total risk value. The hierarchical structure was shown in Fig. 4, where each edge denoted fuzzy risk level and each node denoted weight importance of subsystem, respectively.

Fig. 4. Fuzzy Weight Average (FWA) Architecture (Liao et al. [27], [28])

The AHP method can easily obtain quantitative values, but it is hard to construct the judge matrices if the analysis items change with the environment. On the contrary, the linguistic method can easily extend the architecture, but it is hard to acquire quantitative values from it.

Chapter 3

The Proposed Model for Risk Assessment

In this chapter, the proposed model is presented for risk assessment. In section 3.1, a hierarchical risk assessment architecture which combines the fuzzy linguistics and numerical descriptions is proposed to analyze the security robustness of wireless networks. Section 3.2 introduces the details of the attack types that we construct from the assessment architecture. In order to integrate fuzzy linguistics with numerical descriptions and calculate the risk value successfully, some definitions are described in section 3.3.

3.1 Constructing the Risk Assessment Architecture

According to the AHP method [26], [28], [32], the first step is to construct the risk assessment architecture of wireless networks. We can use a layered structure to decompose complex relationships into simple ones. The highest layer is the goal, which is the total risk value of the wireless environment. The second layer defines the same rule as [28]: the rule is judged in terms of the probability of suffering an attack, the impact severity, and the uncontrollability after being attacked. The third layer classifies the wireless attack types into six dimensions. The configurations in the lowest layer are the items, grouped by wireless attack type, that attackers use when attacks occur. Fig. 5 shows the hierarchical risk assessment architecture of wireless networks.

As for the relationships within the architecture, we explain them from the fourth layer up to the top layer. The subcomponents of the fourth layer are represented by fuzzy linguistic terms that express the security weights of the configurations, and each edge denotes the risk level between a configuration and an attack type. The average fuzzy set of each attack type can then be calculated with the FWA method. The risk degree between the rules and the attack types is decided by expert experience. Hence we need to find a way to integrate the fuzzy sets with numerical values. In addition, according to [29], [30], the weights of the attack types reflect the discrepancies among the experts, so we do not need to consider the influence of the configurations; we only need the risk degrees to decide the weights of the attack types. By using Eq. (1), the weights of the attack types can be calculated from these degrees.

Fig. 5. The Assessment Architecture of the Wireless Networks

In order to combine a fuzzy set with a numerical value, the average fuzzy set should be quantified and then multiplied by the risk degree. The quantitative values of the attack types are called risk ratings. An attack type gets a higher risk rating if attackers acquire more of its configurations. Once we have the quantitative risk ratings of the n attack types, a1, a2, ..., an, the judge matrix can be modified so that each row denotes an attack type and each column denotes a risk factor of the rule.

Afterward the risk value of each rule can be modified as

'

Finally, according to Eq. (3), the total risk value can be calculated by matrix operations.

3.2 Classification of Attack Types

The third layer of the risk assessment architecture classifies the attack types of wireless networks into the following main categories:

3.2.1 Access Control Attack

These attacks attempt to use wireless resources that administrators have not permitted. The description and the configurations of these attacks are shown in Table 1.

Table 1. Classification of Access Control Attack

Attack: Rogue access point
Description: Installing an unsecured AP inside a network, creating an open backdoor into trusted networks
Configurations: AP SSID (D1), AP MAC address (D2), Open channel (D4)

Attack: MAC spoofing
Description: Acquiring a legitimate MAC address in order to disguise as an authorized AP or station
Configurations: STA MAC address (D7)

3.2.2 Monitor Attack

These attacks try to intercept over-the-air packets to obtain essential information of interest to attackers. The description and the configurations of these attacks are shown in Table 2.

Table 2. Classification of Monitor Attack

Attack: Eavesdropping
Description: Capturing and decoding unprotected packets to obtain potentially sensitive information
Configurations: AP IP address (D3), Encryption type (D5), STA IP address (D6)

Attack: Evil Twin AP
Description: Masquerading as an authorized AP by beaconing the wireless service set identifier to lure users
Configurations: AP SSID (D1), AP MAC address (D2), Open channel (D4)

Attack: Man in the Middle
Description: Masquerading as an authorized AP and STA at the same time, and collecting the packets exchanged between them
Configurations: AP IP address (D3), Encryption type (D5), STA IP address (D6)

3.2.3 DoS/ DDoS Attack

These attacks are incidents in which wireless stations and access points are denied the services of a resource. The description and the configurations of these attacks are shown in Table 3.

Table 3. Classification of DoS/DDoS Attack

Attack: Authentication flood
Description: Sending forged authentication packets from random MAC addresses to fill a target AP's association table
Configurations: AP MAC address (D2), STA MAC address (D7)

Attack: De-authentication flood
Description: Flooding wireless stations with forged de-authentication packets to disconnect users from an access point
Configurations: AP MAC address (D2), STA MAC address (D7)

Attack: ICMP Ping flood
Description: Using attack tools to send a large number of ICMP packets to a wireless station or AP
Configurations: AP IP address (D3), STA IP address (D6)

3.2.4 AP Key Cracking

These attacks try to decipher encrypted data to obtain the password configured on the access point. The description and the configurations of these attacks are shown in Table 4.

Table 4. Classification of AP Key Cracking

Attack: WEP key cracking
Description: Capturing packets to recover the WEP key by using WEP attack tools such as aircrack and airsort
Configurations: AP MAC address (D2), Encryption type (D5), STA MAC address (D7)

Attack: WPA-PSK key cracking
Description: Recovering the WPA key from captured key handshake frames by using dictionary attack tools such as wpa_crack and cWPAtty
Configurations: AP MAC address (D2), Encryption type (D5), STA MAC address (D7)

3.2.5 Remote Login

These attacks attempt to get the login id, the password, and other important information in order to connect to remote hosts. The description and the configurations of these attacks are shown in Table 5.

Table 5. Classification of Remote Login

Attack: FTP
Description: Filtering the FTP packets with the same source and destination addresses and examining them to obtain the user id and password
Configurations: STA IP address (D6), Open port number (D8), Access level (D9), Running service (D10)

Attack: Telnet
Description: Filtering the Telnet session and examining the detailed information to find the user id and password
Configurations: STA IP address (D6), Open port number (D8), Access level (D9), Running service (D10)

Attack: Web
Description: Collecting Web packets to acquire the essential browsing record and Web information
Configurations: STA IP address (D6), Open port number (D8), Access level (D9), Running service (D10)

3.2.6 Virus and Backdoors

These attacks attempt to infect files in order to influence the hosts or to make them open services that attackers need. The description and the configurations of these attacks are shown in Table 6.

Table 6. Classification of Virus and Backdoor

Attack: Virus
Description: Enticing the user to unwittingly execute a virus program, which duplicates itself to infect other programs in order to influence the hosts
Configurations: Encryption type (D5), Open port number (D8), Running service (D10)

Attack: Backdoor
Description: Enticing the user to unwittingly execute a backdoor program, which later gives attackers control of the compromised host
Configurations: Encryption type (D5), Open port number (D8), Running service (D10)

3.3 Definition

In this section, we first define the composition of the fuzzy set and their arithmetic operations for the purpose of the risk assessment architecture. Also, a quantitative method of the fuzzy set, which extends the discrete fuzzy set, is proposed to determine the value of risk rating to integrate with expert experience.

Definition 1. Positive trapezoidal fuzzy set. Suppose that a positive trapezoidal fuzzy set A(x) can be represented as (a1, a2, a3, a4), where a1, a2, a3 and a4 are real numbers; it is described as any fuzzy subset whose membership function μA(x) is defined as follows and shown in Fig. 6.

Fig. 6. Positive Trapezoidal Fuzzy Number

where μA(x) indicates the membership value of the element x in A, and μA(x) ∈ [0, 1].

From Fig. 6, if a1 = a2 = a3 = a4, then A(x) is called a real number. If a1 = a2 and a3 = a4, then A(x) is called a crisp fuzzy set. If a2 = a3, then A(x) is called a triangular fuzzy set.

Definition 2. Arithmetic operations of fuzzy sets. For two positive trapezoidal fuzzy sets A(x) and B(x), where A(x) = (a1, a2, a3, a4) and B(x) = (b1, b2, b3, b4), the arithmetic operations are defined as follows.

i) Addition:

iii) Multiplication:
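The following is an added worked example, not code from the thesis: it implements the positive trapezoidal fuzzy set of Definition 1 together with the FWA method of Eq. (4) in Section 2.3, which Section 3.1 applies to the configurations of one attack type. The addition and multiplication rules are the usual componentwise rules for positive trapezoids (an assumption, since the thesis's own formulas in Definition 2 are not legible on the page); the weights are taken as crisp real numbers, i.e. degenerate trapezoids (k, k, k, k), so that the division in Eq. (4) is an ordinary scalar division. The linguistic terms LOW, MEDIUM and HIGH, the `standardize` rule, and the weights and risk levels assigned to the Evil Twin AP configurations D1, D2 and D4 are constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Trapezoid:
    """Positive trapezoidal fuzzy set A(x) = (a1, a2, a3, a4), a1 <= a2 <= a3 <= a4 (Definition 1).

    The universe of discourse is [0, 1]; a set pushed out of that interval by an
    addition is brought back by standardize().
    """
    a1: float
    a2: float
    a3: float
    a4: float

    def __post_init__(self) -> None:
        if not (0.0 <= self.a1 <= self.a2 <= self.a3 <= self.a4):
            raise ValueError(f"not a positive trapezoid: {self.as_tuple()}")

    def as_tuple(self):
        return (self.a1, self.a2, self.a3, self.a4)

    def membership(self, x: float) -> float:
        """mu_A(x): 0 outside [a1, a4], linear ramps on [a1, a2] and [a3, a4], 1 on [a2, a3]."""
        if x < self.a1 or x > self.a4:
            return 0.0
        if self.a2 <= x <= self.a3:
            return 1.0
        if x < self.a2:  # rising edge; a1 < a2 holds here, so no division by zero
            return (x - self.a1) / (self.a2 - self.a1)
        return (self.a4 - x) / (self.a4 - self.a3)  # falling edge; a3 < a4 holds here

    def __add__(self, other: "Trapezoid") -> "Trapezoid":
        # Definition 2(i): componentwise addition (assumed standard rule).
        return Trapezoid(self.a1 + other.a1, self.a2 + other.a2,
                         self.a3 + other.a3, self.a4 + other.a4)

    def __mul__(self, other: "Trapezoid") -> "Trapezoid":
        # Definition 2(iii): componentwise multiplication of positive trapezoids (assumed standard rule).
        return Trapezoid(self.a1 * other.a1, self.a2 * other.a2,
                         self.a3 * other.a3, self.a4 * other.a4)

    def scale(self, k: float) -> "Trapezoid":
        """Multiply by a crisp real k >= 0, i.e. by the degenerate trapezoid (k, k, k, k)."""
        if k < 0:
            raise ValueError("scale factor must be non-negative")
        return self * Trapezoid(k, k, k, k)

    def standardize(self) -> "Trapezoid":
        """Map a set whose support exceeds 1 back into [0, 1] by dividing by a4.

        Section 2.3 only says an out-of-range value is 'translated into the
        standardized fuzzy set'; dividing by a4 is this example's assumption."""
        return self if self.a4 <= 1.0 else self.scale(1.0 / self.a4)


def fuzzy_weighted_average(weights: Sequence[float], levels: Sequence[Trapezoid]) -> Trapezoid:
    """Eq. (4): R_bar = sum_i (W_i x R_i) / sum_i W_i, with crisp weights W_i."""
    if not weights or len(weights) != len(levels):
        raise ValueError("need exactly one weight per risk level")
    total = sum(weights)
    if total <= 0:
        raise ValueError("weights must sum to a positive value")
    acc = Trapezoid(0.0, 0.0, 0.0, 0.0)
    for w, r in zip(weights, levels):
        acc = acc + r.scale(w)
    return acc.scale(1.0 / total).standardize()


# Constructed linguistic risk levels (illustrative, not the thesis's own terms).
LOW = Trapezoid(0.0, 0.0, 0.2, 0.4)
MEDIUM = Trapezoid(0.3, 0.45, 0.55, 0.7)
HIGH = Trapezoid(0.6, 0.8, 1.0, 1.0)


def evil_twin_example() -> Trapezoid:
    """Average fuzzy set of the Evil Twin AP attack type (Table 2) over its configurations.

    Weights are the configurations' security weights, levels are the risk level
    on the edge configuration -> attack type; both are constructed for illustration."""
    configurations = {
        "D1 AP SSID": (0.5, HIGH),
        "D2 AP MAC address": (0.3, MEDIUM),
        "D4 Open channel": (0.2, HIGH),
    }
    weights = [w for w, _ in configurations.values()]
    levels = [lvl for _, lvl in configurations.values()]
    return fuzzy_weighted_average(weights, levels)


if __name__ == "__main__":
    print("Evil Twin AP average fuzzy set:", evil_twin_example().as_tuple())
```

With the constructed weights summing to 1, the result is the quadruple (0.51, 0.695, 0.865, 0.91); because each weight is a degenerate trapezoid, the average stays inside [0, 1] and `standardize` is a no-op, whereas adding two HIGH sets directly overshoots and is rescaled.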

defined as the risk rating, which means the distinction between a given fuzzy set and its fuzzy complement. Since the set is defined within the interval [0, 1], the quantification of the fuzzy set can be measured by:

f(A(x)) = \int_{0}^{1} \left( 2A(x) - 1 \right) dx \qquad (10)

According to [35], Yager and Kirl introduced the fuzziness of a fuzzy set A(x) as the summation of the distinction, measured by a distance function, between the fuzzy set and its fuzzy complement, defined as:

[Equation not legible on the page.]

Eq. (10) is suitable only for a discrete fuzzy set. However, a fuzzy set defined on a bounded universe can be readily handled by modifying it. Consider the interval [0, 1]. The result of the replacement in Eq. (9) can be described by the following equation:

[Equation not legible on the page.]

Definition 4. Quantitative coefficient of the judge matrix. For each judge matrix, the quantification coefficient cj, which is the certainty of each attack type, is defined as:

c_j = 1 - e_j \qquad (12)

where ej is defined by Shannon's entropy measure [36] based on Eq. (1). The entropy ej is the uncertainty of the given risk degrees and is defined as:

[Equation not legible on the page.]

Definition 5. Normalized weight of the quantitative coefficient. For the normalized weight qk, each quantification coefficient cj should be equally preferred. The formula is defined as:

The larger the risk value, the more dangerous the wireless environment.
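As an added worked example (not the thesis's own code), the block below carries the weighting of attack types through in code: the normalized Shannon entropy of Eq. (1) in Section 2.3 is computed for each attack-type row of a judge matrix, the certainty coefficient c_j = 1 - e_j of Definition 4 is derived from it, and the coefficients are normalized into weights q_k as Definition 5 describes. Because the thesis's formula for Definition 5 is not legible on the page, the normalization q_k = c_k / Σ_j c_j is an assumption of this example, as is the fallback to equal weights when every row is uniform. The judge matrix, its attack types and its risk-factor values are constructed for illustration.

```python
import math
from typing import List, Sequence


def normalized_entropy(degrees: Sequence[float]) -> float:
    """Eq. (1): H = -(1/ln m) * sum_{i=1..m} p_i ln p_i.

    The p_i are the m risk degrees of one attack type normalized to sum to 1.
    H lies in [0, 1]: 0 when a single risk factor carries all the weight,
    1 when the degrees are uniform (maximum uncertainty)."""
    m = len(degrees)
    if m < 2:
        raise ValueError("entropy needs at least two risk factors")
    if any(d < 0 for d in degrees):
        raise ValueError("risk degrees must be non-negative")
    total = sum(degrees)
    if total == 0:
        raise ValueError("at least one risk degree must be positive")
    h = 0.0
    for d in degrees:
        p = d / total
        if p > 0.0:  # the term 0 * ln 0 is taken as 0
            h -= p * math.log(p)
    return h / math.log(m)


def certainty_coefficients(judge_matrix: Sequence[Sequence[float]]) -> List[float]:
    """Eq. (12): c_j = 1 - e_j for every attack-type row j of an n x m judge matrix R."""
    if len({len(row) for row in judge_matrix}) != 1:
        raise ValueError("every attack type must be judged on the same risk factors")
    return [1.0 - normalized_entropy(row) for row in judge_matrix]


def normalized_weights(coefficients: Sequence[float]) -> List[float]:
    """Definition 5 in the assumed form q_k = c_k / sum_j c_j, so the weights sum to 1.

    If every c_j is 0 (all rows uniform, no expert preference at all) each attack
    type receives the same weight; this fallback is this example's assumption."""
    n = len(coefficients)
    if n == 0:
        raise ValueError("no coefficients")
    total = sum(coefficients)
    if total <= 0.0:
        return [1.0 / n] * n
    return [c / total for c in coefficients]


# Constructed judge matrix for the "probability of being attacked" rule: four attack
# types from Tables 1-4, each judged on three risk factors. Values are illustrative only.
ATTACK_TYPES = ["Rogue access point", "Eavesdropping", "Authentication flood", "WEP key cracking"]
JUDGE_MATRIX = [
    [0.90, 0.05, 0.05],   # experts concentrate on one factor: low entropy, high certainty
    [0.50, 0.30, 0.20],
    [1 / 3, 1 / 3, 1 / 3],  # uniform: entropy 1, certainty 0, weight 0
    [0.80, 0.20, 0.00],
]


def attack_type_weights(judge_matrix: Sequence[Sequence[float]] = JUDGE_MATRIX) -> List[float]:
    """Weights q_j of the attack types derived from the judge matrix alone (Section 3.1)."""
    return normalized_weights(certainty_coefficients(judge_matrix))


if __name__ == "__main__":
    for name, c, q in zip(ATTACK_TYPES, certainty_coefficients(JUDGE_MATRIX), attack_type_weights()):
        print(f"{name:22s} c_j = {c:.3f}  q_j = {q:.3f}")
```

The uniform row shows the edge case that matters in practice: an attack type on which the experts express no preference among the risk factors contributes nothing to the weights, which is exactly what the entropy-based definition intends, so a judge matrix made entirely of such rows must be caught rather than silently divided by zero.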

3.4 General Solution Algorithm

Our process of risk assessment is now almost complete, all that remains is to describe the calculating procedures with the steps in the analysis of wireless networks. In the following, we make some assumptions and then design a solution algorithm for risk assessment of wireless networks.

(1) We construct an m × n matrix C to represent the configurations that the attack types utilize to start an attack. The rows denote the configurations and the columns denote the attack types. The matrix C is the configuration matrix, whose entries record whether the jth attack type needs, or does not need, the ith configuration.

(2) Suppose that the experts define a fuzzy linguistic representation vectors MF = [mf1, mf2, …, mfk] of k elements, where each element includes four membership values.

(3) Suppose that the experts define a fuzzy risk levels vector L = [l1, l2,…, lm] of m elements of the configurations, where each element includes four membership values.

(4) Suppose that there exists a vector Rv = [rv1, rv2,…, rvk], where the ith element denotes an n × qi matrix. The rows represent the attack types and the columns represent the risk factors of each rule defined by the experts.

(5) Suppose that there exists a vector Bv = [bv1, bv2,…, bvk], where each element denotes a

