On this page you will find the results of my Master's thesis. I've worked on
this project for about six months. In the beginning I felt like this is a
sufficient amount of time, but the deeper I dived into the topic, the more
interesting and unexplored aspects I discovered. After restricting myself to
information extraction and transformation, it again seemed like a sufficient
amount of time, but again, many cool aspects came up which I did not
anticipate. Due to the limited time I had for the thesis, I feel the results
presented here are incomplete and deserve much more work than what can be
put into it in six months. But life goes on and I decided to not pursue a
PhD degree. I hope somebody will pick up my work and, based on the results
of the thesis presented here, continue the research in this field.
Nevertheless, I provide my work to the public domain and leave it to
somebody else to decide whether one or the other aspect of my work is of some
value to future work. I would be happy to hear about your thoughts and
resulting discussions. Feel free to contact me at
robert.schuppenies@gmail.com
Master of Science Thesis
Automatic Extraction of Vulnerability Information for
Attack Graphs
by
Robert Schuppenies
Potsdam, Germany; March 2009
As computer networks are becoming part of everyday life, network security has
become an important issue. At the same time, attacks have become more
sophisticated, making the defense of computer networks increasingly difficult.
In order to model and assess the security of complex networks, attack graphs
are used. These graphs provide a formal model to describe network security
and allow identifying the paths which lead an attacker to the attack goal. By
means of attack graphs, unsuspicious system properties can be correlated into
imminent threats, intrusion detection systems can be deployed more
efficiently, and new network configurations can be tested conveniently. To
construct attack graphs, both system information and vulnerability
information are required. System information consists of data gathered from
the network to be analyzed, whereas vulnerability information describes what
is required for a vulnerability to be exploited and what the effects of such
an exploitation are. The automatic extraction of vulnerability information to
make it usable for attack graphs remains an open issue.
This Master's Thesis addresses the challenge of automatically extracting
vulnerability information from existing vulnerability databases and transforming
it into a formal and unified format, thus making it available to attack
graph modeling. At first, the technical foundations are described,
highlighting fundamental aspects of vulnerabilities and the workflow of attack
graph construction. Then, related work on vulnerability representation and
extraction as well as attack graph construction, analysis, and tools is
presented. Next, a data structure is proposed which is able to represent
vulnerability information and important properties of systems under
attack. Based on previous work, an unrestrictive, predicate-based structure
is recommended, which addresses the requirements of attack graph modeling.
Afterwards, the current state of vulnerability databases is examined, with an
emphasis on the extraction of data significant for attack graph
construction. A special focus is put on information extraction from
textual vulnerability descriptions, which have been neglected as a valuable
source in previous research. Finally, a proof-of-concept implementation is
presented which utilizes an attack graph tool as well as transformed
vulnerability information to build attack graphs.
The contribution is fourfold. First, information stored in
vulnerability databases is analyzed and its usefulness for attack graph
generation is evaluated. Second, a data structure is proposed which
allows unifying vulnerability information in an integrated model. Third,
transformations are realized that extract vulnerability information from
existing databases and transform it to the proposed model, hence making it
available to attack graph applications. Finally, a prototype is implemented
which uses both the data structure and the vulnerability information
transformations to construct attack graphs with an existing attack graph
tool.
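To illustrate the workflow the abstract describes, the following is an added example (not code from the thesis or its prototype) of a predicate-based model: system information and vulnerability information are plain predicates, each vulnerability states what is required for exploitation and what its effect is, and forward chaining over the system facts yields the attack graph and the path to a goal. All hosts, services and vulnerability ids are constructed placeholders.

```python
# Constructed sample data (placeholders, not from the thesis): a predicate is a
# plain tuple such as ("access", "attacker", "web", "user").
SYSTEM_FACTS = {
    ("connected", "attacker", "web"), ("service", "web", "httpd"),
    ("connected", "web", "db"), ("service", "db", "dbms"),
}

# Each vulnerability: what is required ("pre") and the effect ("post").
VULNERABILITIES = [
    {"id": "VULN-A", "pre": [("service", "web", "httpd"),
                             ("connected", "attacker", "web")],
     "post": ("access", "attacker", "web", "user")},
    {"id": "VULN-B", "pre": [("access", "attacker", "web", "user")],
     "post": ("access", "attacker", "web", "root")},
    {"id": "VULN-C", "pre": [("access", "attacker", "web", "root"),
                             ("connected", "web", "db"), ("service", "db", "dbms")],
     "post": ("access", "attacker", "db", "root")},
]


def build_attack_graph(facts, vulns):
    """Forward-chain vulnerability rules over system facts until a fixpoint.
    Returns (reachable predicates, edges) where edges maps every derived
    effect to (vulnerability id, preconditions): the attack graph's edges."""
    known, edges, changed = set(facts), {}, True
    while changed:
        changed = False
        for v in vulns:
            if v["post"] not in known and all(p in known for p in v["pre"]):
                known.add(v["post"])
                edges[v["post"]] = (v["id"], tuple(v["pre"]))
                changed = True
    return known, edges


def attack_path(edges, goal):
    """Ordered vulnerability ids needed to reach `goal`, or None if the goal
    is never derived (initial system facts need no exploitation)."""
    if goal not in edges:
        return None
    order, seen = [], set()

    def visit(pred):
        if pred in seen or pred not in edges:
            return
        seen.add(pred)
        vid, pres = edges[pred]
        for p in pres:          # satisfy preconditions first (post-order)
            visit(p)
        order.append(vid)
    visit(goal)
    return order
```

Running `attack_path` on the constructed data yields the chain VULN-A, VULN-B, VULN-C for root access on `db`, while a goal no rule derives returns None.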
Downloads
Source Code
The source code of my thesis is now maintained by the Chair for Internet Technologies
and Systems at the Hasso-Plattner-Institute in Potsdam,
Germany. If you are interested in it, please contact Feng Cheng or Sebastian Roschke for
further details.