Building an Event Driven Attack Graph Framework

Open Access
- Author: George, Rahul
- Graduate Program: Computer Science and Engineering
- Degree: Master of Science
- Document Type: Master Thesis
- Date of Defense: June 25, 2021
- Committee Members:
  - Chitaranjan Das, Program Head/Chair
  - Trent Ray Jaeger, Thesis Advisor/Co-Advisor
  - Thomas F La Porta, Committee Member
- Keywords:
  - Intrusion Detection
  - Attack Graphs
  - Program Analysis
  - Computer Security
- Abstract:
Existing intrusion detection systems fail to detect unknown attacks, zero-day vulnerabilities and sophisticated multi-layer attacks. This is because current intrusion detection systems lack visibility into all system components, specifically programs. They focus on known attacks and vulnerabilities, limiting their ability to detect unknown attacks, and as a result they fail to track the evolution of attacks across multiple layers (network, host and program). We envision using modular component attack graphs for intrusion detection. Attack graphs have previously been used in networks for risk analysis and reliability analysis, and they have been employed in a reactive manner. We propose using program attack graphs for better visibility into programs and for proactive intrusion detection, removing the dependency on known vulnerabilities or exploits. We identify the program analyses needed to compute and connect attack surfaces (a source interface in a component which may receive adversarial input) to attack states (flaws or security property violations which grant the adversary privileges that create threats) and to actions (operations that exploit those threats). We model two security properties in our program attack graphs: memory safety and information flow. We also identify and develop techniques to propagate these attack actions, as exploit operations may lead to subsequent safety property violations. We implement a framework which is able to automatically compute program attack graphs using these techniques and track the possible evolution of potential attacks across components through dynamic events. We also evaluate the efficacy of existing intrusion detection systems through a case study on the Shellshock vulnerabilities. We construct program attack graphs for multiple programs and are able to capture two known vulnerabilities. We estimate how our program attack graphs may evolve and illustrate the evolution for a specific program through a scenario. We simulate input surface expansion events for a few programs and record how they affect the attack graph.
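The surface-to-state-to-action model and the input surface expansion events described in the abstract, as an added illustration that is not the thesis's framework or code; the graph, node names and the single event type are constructed for the example.

```python
from collections import deque

SURFACE, STATE, ACTION = "surface", "state", "action"


class ProgramAttackGraph:
    """Toy model: surfaces reach attack states, states enable actions, and an
    action may propagate to a subsequent state (possibly in another component)."""

    def __init__(self):
        self.kind = {}   # node name -> SURFACE | STATE | ACTION
        self.succ = {}   # node name -> set of successor node names

    def add(self, name, kind, *successors):
        self.kind[name] = kind
        self.succ.setdefault(name, set()).update(successors)
        for s in successors:
            self.succ.setdefault(s, set())

    def reachable(self, kind=STATE):
        """Nodes of `kind` reachable from any attack surface (BFS propagation)."""
        frontier = deque(n for n, k in self.kind.items() if k == SURFACE)
        seen = set(frontier)
        while frontier:
            n = frontier.popleft()
            for s in self.succ[n]:
                if s not in seen:
                    seen.add(s)
                    frontier.append(s)
        return {n for n in seen if self.kind.get(n) == kind}

    def apply_event(self, event):
        """Handle a dynamic event; return attack states that became newly reachable."""
        before = self.reachable()
        if event["type"] == "surface_expansion":      # assumed event shape
            self.add(event["surface"], SURFACE, *event["reaches"])
        else:
            raise ValueError(f"unknown event type {event['type']!r}")
        return self.reachable() - before


def build_example():
    # Constructed two-component program: argv is the only initial surface.
    g = ProgramAttackGraph()
    g.add("surface:argv", SURFACE, "state:memsafe:parse_args")
    g.add("state:memsafe:parse_args", STATE, "action:hijack_control_flow")
    g.add("action:hijack_control_flow", ACTION, "state:infoflow:secret_to_log")
    g.add("state:infoflow:secret_to_log", STATE)
    g.add("state:memsafe:handle_request", STATE, "action:corrupt_heap")  # unreachable so far
    g.add("action:corrupt_heap", ACTION)
    return g
```

Applying a surface expansion event that connects a new network surface to `state:memsafe:handle_request` makes that state, and the action behind it, reachable, which is the kind of change a monitor built on this model would report.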