Master's Defense

Post on 28-Jan-2015



Description

My master's defense, which discusses various visualization techniques for attack graphs. I primarily used prefuse to generate a dynamic and interactive display for attack graphs.

Transcript of Master's Defense

Visualization techniques in Attack Graphs

By: Ashok R Varikuti

05/18/2009


Quote

“A picture is worth a thousand words.” – Napoleon Bonaparte


Outline

• Introduction to Attack Graphs

• Current limitations in Attack Graphs

• Survey of visualization toolkits

• Layered architecture of the model

• Discussion on how the model achieves the desired goal

• Implementation

• Conclusion

Attack Graphs

• Provide a visual representation of attack paths and potential vulnerabilities in the network

• Make the life of a system administrator easier by providing a convenient interface to identify vulnerabilities in the network

• MulVAL generates attack graphs using a logic-based approach


Attack Graphs

• The graph is generated using a logic-based approach, hence Logical Attack Graph

• A node in the graph is a logical statement

• The edges in the graph specify the causality relations between network configurations and an attacker’s potential privileges.

• Illustrates “why the attack can happen”.


Logical Attack Graph Generator


3-host network

Tree representation of the 3-host scenario attack graph

Description

• The root node is the attack goal meaning “the attacker can execute arbitrary code as user root on machine workStation”

• The edges in the graph represent the “depends on” relation

• Fact node 2 is enabled by either r2a or r2b, which are the derivation nodes for 2
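The semantics of the logical attack graph described above (fact nodes enabled by any one derivation node, derivation nodes requiring all of their preconditions, edges meaning "depends on") as an added Python example that is not part of the defense; the node names and the 3-host-style graph are constructed for illustration, and the convention that derivation node names start with "r" (as r2a, r2b on the slide) is an assumption of this example.

```python
# Added example (not from the thesis): evaluator for a MulVAL-style logical
# attack graph. Fact nodes are OR nodes (any derivation node enables them),
# derivation nodes are AND nodes (every precondition must hold), and edges
# point from a node to the nodes it "depends on". Graph is constructed.

DEPENDS = {
    "1": ["r1"],                 # goal fact: attacker executes code as root
    "r1": ["2", "5"],            # derivation: needs facts 2 and 5
    "2": ["r2a", "r2b"],         # fact 2 is enabled by either derivation
    "r2a": ["3"],
    "r2b": ["4"],
    "3": [], "4": [], "5": [],   # primitive facts: configuration / vulnerabilities
}

def is_derivation(node):
    """Assumed naming convention: derivation nodes start with 'r' (r2a, r2b)."""
    return node.startswith("r")

def enabled(node, facts, graph=DEPENDS, memo=None):
    """True if `node` holds given the set of primitive facts that are true."""
    memo = {} if memo is None else memo
    if node in memo:
        return memo[node]
    deps = graph[node]
    if not deps:                              # primitive fact
        result = node in facts
    elif is_derivation(node):                 # AND: all preconditions
        result = all(enabled(d, facts, graph, memo) for d in deps)
    else:                                     # OR: any derivation suffices
        result = any(enabled(d, facts, graph, memo) for d in deps)
    memo[node] = result
    return result

def explain(node, facts, graph=DEPENDS):
    """Nodes on some enabling path to `node`: the 'why the attack can happen'
    subgraph. Nodes not contributing to the goal are dropped (data reduction)."""
    if not enabled(node, facts, graph):
        return set()
    keep = {node}
    for d in graph[node]:
        if enabled(d, facts, graph):
            keep |= explain(d, facts, graph)
    return keep

if __name__ == "__main__":
    print(sorted(explain("1", {"3", "5"})))   # 1, 2, 3, 5, r1, r2a
```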



Example: Energy Management Network


EMN

• EMN has 3 subnets: a DMZ (Demilitarized Zone), an internal subnet, and an EMS (Energy Management System)

• Host grouping is applied to hosts with similar configurations, e.g. workstations

• The web server and the VPN server are directly accessible from the Internet

• The web server can access the file server through the NFS file-sharing protocol


EMN Continued

• The VPN server is allowed access to all hosts in the internal subnet

• Access to the EMS subnet is only allowed from the Citrix server in the internal subnet, and even then only to the data historian

• The attacker’s goal is to gain privileges to execute code on the communication server



MulVAL Logical Attack Graph



Limitations in Attack Graphs

• Attack Graph Problems: Size & Complexity
– Difficult to quickly identify the most important data
– Difficult to assess and act on the complete set of possible attack steps
– Not user interactive
– Layout of the graph doesn’t correspond to the underlying topology of the network


Contributions

• Solutions
– Make the attack graph user interactive
– Provide user interactivity, zooming and action listener features
– Provide different views of the graph for analyzing in different dimensions


Visualization toolkits

• JUNG – An open source Java software library, mainly used for performing data analysis on relational data sets

• Piccolo – Mainly 2D graphics library with tree and fisheye layouts as salient features

• Graphviz – Open source package generally used to produce static visualizations


Two-layered architecture

Static Layer

• Parse the text file into rich Dot Format

• The dot file is easy to analyze and produces a static image file as output.

• Disadvantages:
– Layout
• Produces static images with a random layout
– Scalability
• Difficult to analyze large networks
• Possibility of edge-subnet, edge-edge and node-node overlapping

Data Format

• Node (V):- The node is the most basic data type. It maps to an actual node in the real-world enterprise network

• Gateway (G):- A gateway G typically maps to a firewall in a real-world enterprise network.

• Subnet(S):- A subnet S is defined as :-


Data Format

• Connection (C):- A connection C is defined as the link between <subnet, gateway>.

• AttackStep (AS):- An attack step AS is defined as the link between <node,node>.
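The data format above (Node, Gateway, Subnet, Connection as <subnet, gateway>, AttackStep as <node, node>) turned into a topology-mapped DOT description for the static layer, as an added Python example that is not the thesis's own code; the EMN-like inventory, the cluster-per-subnet layout, and the `internet` entry point are constructed assumptions of this example.

```python
# Added example, not the thesis's own code: emit Graphviz DOT for a
# topology-mapped attack graph from the slide's data format (Node V,
# Gateway G, Subnet S, Connection <subnet, gateway>, AttackStep <node, node>).
# Each subnet becomes a cluster subgraph so the drawn layout follows the
# network topology instead of a random layout. Inventory is constructed.

SUBNETS = {                              # Subnet (S): name -> member nodes (V)
    "dmz": ["webServer", "vpnServer"],
    "internal": ["fileServer", "citrixServer"],
    "ems": ["dataHistorian", "commServer"],
}
GATEWAYS = ["fw_ext", "fw_int"]          # Gateway (G): firewalls
CONNECTIONS = [                          # Connection (C): <subnet, gateway>
    ("internet", "fw_ext"), ("dmz", "fw_ext"),
    ("dmz", "fw_int"), ("internal", "fw_int"), ("ems", "fw_int"),
]
ATTACK_STEPS = [                         # AttackStep (AS): <node, node>
    ("internet", "webServer"), ("webServer", "fileServer"),
    ("citrixServer", "dataHistorian"), ("dataHistorian", "commServer"),
]

def to_dot(subnets, gateways, connections, steps, external=("internet",)):
    """Return DOT text; `external` names attacker entry points outside any subnet."""
    hosts = {h for members in subnets.values() for h in members}
    known = hosts | set(external)
    for src, dst in steps:               # reject steps that reference unknown nodes
        if src not in known or dst not in known:
            raise ValueError(f"attack step {src}->{dst} references unknown node")
    out = ["digraph attack_graph {", "  compound=true;"]
    for name, members in subnets.items():
        out.append(f'  subgraph cluster_{name} {{ label="{name}";')
        out.extend(f'    "{h}";' for h in members)
        out.append("  }")
    out.extend(f'  "{g}" [shape=box];' for g in gateways)
    for subnet, gw in connections:       # dashed, undirected topology links
        if subnet in subnets:            # edge leaves the cluster via a member host
            out.append(f'  "{subnets[subnet][0]}" -> "{gw}" '
                       f'[ltail=cluster_{subnet}, dir=none, style=dashed];')
        else:
            out.append(f'  "{subnet}" -> "{gw}" [dir=none, style=dashed];')
    out.extend(f'  "{s}" -> "{d}" [color=red];' for s, d in steps)  # attack steps
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_dot(SUBNETS, GATEWAYS, CONNECTIONS, ATTACK_STEPS))
```

The printed text can be rendered with `dot -Tpng` from the Graphviz package listed in the toolkit survey.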



Topology-Mapped Attack Graph

Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al. In 5th International Workshop on Visualization for Cyber Security.



Untrimmed Attack Graph

Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al. In 5th International Workshop on Visualization for Cyber Security.



Trimmed Attack Graph

Improving Attack Graph Visualization through Data Reduction and Attack Grouping. John Homer, et al. In 5th International Workshop on Visualization for Cyber Security.


Dynamic Layer

• Parse the dot file using a dot grammar

• Prefuse conversion:
– Import prefuse packages
– Prefuse graph object construction

• Map the parsed dot attributes to the prefuse attributes

• Construct the graph object based on the attribute values


The prefuse toolkit

• A Java user interface toolkit for constructing interactive information visualization applications

• Supports visualization, animation, and interaction
• Application building by stringing together fine-grained, reusable components
• Layers of indirection between source data, visualized data and rendering


System architecture


Toolkit features

• Data structures and I/O libraries
• Multiple visualizations, multiple views
• Application design through composable modules
• A library of provided layout and distortion techniques
• Animation and time-based processing
• Graphics transforms, including panning and zooming
• A full force simulator for physics-based interfaces
• Interactor components for common interactions
• Integrated color maps and search functionality
• Event logging to support visualization evaluation


Architecture

• Filtering is the process of mapping abstract data to a representation suitable for visualization

• Actions are used to select visualized data and set visual properties such as location and font. They are also used to perform tasks such as filtering, layout and color assignment

• ActionLists are used to enforce ordered execution of actions


Architecture Continued

• Renderers draw the visual items onto the screen by rendering their visual attributes

• The Display component draws all the visible items onto the screen using the appropriate renderers

• Display provides support for mouse and keyboard events on visible items


Useful features

• Panning and zooming allow the user to concentrate on the essential parts of the graph

• Expression techniques allow the user to visualize specific areas of the graph with particular attributes, e.g. the user can filter the graph to display information specific to the top three vulnerabilities

• Interactor components for common interactions, such as showing the predicates attached to an edge


Extendible features

• Search functionality to find a particular edge/node in the graph with a specific property.

• Overview feature allows the user to capture the whole view of the network in a small dialog box


Implementation


Implementation Continued



Future Work

Two-layered architecture

Conclusion

• The architecture generates an interactive display of the attack graphs.

• This provides a convenient way for researchers to enhance the tool further.

• Provides a convenient way for network administrators to map the attack graphs onto the real network topology.


References

• http://prefuse.org
• John Homer, Ashok Varikuti, Xinming Ou, and Miles A. McQueen. Improving attack graph visualization through data reduction and attack grouping. In 5th International Workshop on Visualization for Cyber Security (VizSEC 2008), Cambridge, MA, U.S.A., September 2008.


Demo of Energy Management Network
