The low-level rules of this database are generated from the Open Source Vulnerability Database (OSVDB) [24]. For example, the OSVDB vulnerability with id 6117 shown in Fig. 2 can be translated into the following rule: « IF GOAL = “Buffer Overflow” AND PRODUCT_BASE_NAME = MDaemon AND PRODUCT_VERSION_NAME = “2.71 SP1” THEN HELLOEXPL.C ». This rule corresponds to the exploit helloexpl.c from the DB of attack tools (exploits).
<vuln osvdb_id="6117" osvdb_create_date="2004-04-08 22:45:51"
      last_modified_date="2004-05-14 04:56:29">
  <osvdb_title>MDaemon Long HELO Overflow</osvdb_title>
  <disclosure_date>1998-03-11 00:44:45</disclosure_date>
  <discovery_date>0001-01-01 00:00:00</discovery_date>
  <exploit_publish_date>1998-03-11 00:44:45</exploit_publish_date>
  <location_remote>1</location_remote>
  <attack_type_dos>1</attack_type_dos>
  <impact_available>1</impact_available>
  <exploit_available>1</exploit_available>
  <vuln_verified>1</vuln_verified>
  <products>
    <product affected="Affected">
      <vendor_name>Alt-N Technologies</vendor_name>
      <base_name>MDaemon</base_name>
      <version_name>2.71 SP1</version_name>
    </product>
  </products>
  <ext_refs>
    …
    <ext_ref type_name="Generic Exploit URL" indirect="0">
      http://downloads.securityfocus.com/vulnerabilities/exploits/heloexpl.c</ext_ref>
  </ext_refs>
</vuln>
Fig. 2. OSVDB vulnerability of the MDaemon Long HELO overflow
The DB of attack tools (exploits) contains the exploits and the parameters of their execution. The choice of a parameter is determined by the data about the analyzed system held in the KB. For example, a program for brute-force cracking of FTP passwords needs to know the FTP server port, which can be determined by port scanning.
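As an added illustration (this is not code from the paper, nor from the OSVDB project), the following Python script parses a constructed copy of the Fig. 2 record and derives a rule of the form described above: the IF-part comes from the affected product, the GOAL from a keyword in the record title (an assumed mapping, since the paper does not state how the goal is obtained), and the THEN-part from the basename of the "Generic Exploit URL" reference. It then matches the rule against facts about an analyzed system, which is the KB lookup the paragraph above describes. The OSVDB sentinel date 0001-01-01 is mapped to None rather than treated as a real date.

```python
"""Translate an OSVDB record into low-level rules and match them against
facts about an analyzed system (added example; not the paper's own code)."""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed copy of the OSVDB record from Fig. 2, with ext_refs reduced to
# the single reference the rule needs (the original lists more).
OSVDB_6117 = """<vuln osvdb_id="6117" osvdb_create_date="2004-04-08 22:45:51"
      last_modified_date="2004-05-14 04:56:29">
  <osvdb_title>MDaemon Long HELO Overflow</osvdb_title>
  <disclosure_date>1998-03-11 00:44:45</disclosure_date>
  <discovery_date>0001-01-01 00:00:00</discovery_date>
  <exploit_publish_date>1998-03-11 00:44:45</exploit_publish_date>
  <location_remote>1</location_remote>
  <attack_type_dos>1</attack_type_dos>
  <impact_available>1</impact_available>
  <exploit_available>1</exploit_available>
  <vuln_verified>1</vuln_verified>
  <products>
    <product affected="Affected">
      <vendor_name>Alt-N Technologies</vendor_name>
      <base_name>MDaemon</base_name>
      <version_name>2.71 SP1</version_name>
    </product>
  </products>
  <ext_refs>
    <ext_ref type_name="Generic Exploit URL" indirect="0">http://downloads.securityfocus.com/vulnerabilities/exploits/heloexpl.c</ext_ref>
  </ext_refs>
</vuln>"""

# Assumed mapping from title keywords to the rule's GOAL; the paper gives the
# goal "Buffer Overflow" for this record but not the derivation.
GOAL_KEYWORDS = [("overflow", "Buffer Overflow"),
                 ("denial of service", "Denial of Service")]

# OSVDB uses this value when a date is not known (see discovery_date above).
UNKNOWN_DATE = "0001-01-01 00:00:00"


def goal_from_title(title):
    """Map the record title onto an attack goal, or None if nothing matches."""
    lowered = title.lower()
    for keyword, goal in GOAL_KEYWORDS:
        if keyword in lowered:
            return goal
    return None


def date_or_none(text):
    """Return the date string, or None for OSVDB's 'unknown' sentinel."""
    text = (text or "").strip()
    return None if text in ("", UNKNOWN_DATE) else text


def osvdb_to_rules(xml_text):
    """Produce one rule per (affected product, exploit reference) pair.

    A rule is a dict: 'if' holds the conditions, 'then' the exploit file name,
    and the remaining keys carry metadata useful for prioritisation.
    """
    root = ET.fromstring(xml_text)
    goal = goal_from_title(root.findtext("osvdb_title", default=""))
    exploits = [
        posixpath.basename(urlparse(ref.text.strip()).path)
        for ref in root.findall("ext_refs/ext_ref")
        if ref.get("type_name") == "Generic Exploit URL" and ref.text
    ]
    rules = []
    for product in root.findall("products/product"):
        if product.get("affected") != "Affected":
            continue
        conditions = {
            "GOAL": goal,
            "PRODUCT_BASE_NAME": product.findtext("base_name", default="").strip(),
            "PRODUCT_VERSION_NAME": product.findtext("version_name", default="").strip(),
        }
        for exploit in exploits:
            rules.append({
                "osvdb_id": int(root.get("osvdb_id")),
                "if": dict(conditions),
                "then": exploit,
                "remote": root.findtext("location_remote") == "1",
                "exploit_available": root.findtext("exploit_available") == "1",
                "discovery_date": date_or_none(root.findtext("discovery_date")),
            })
    return rules


def match_rule(rule, facts):
    """True when every IF condition equals the corresponding fact about the
    analyzed system (exact string comparison, as in the paper's rule)."""
    return all(facts.get(key) == value for key, value in rule["if"].items())


def format_rule(rule):
    """Render the rule in the IF ... AND ... THEN ... form used in the paper."""
    conds = " AND ".join(f'{k} = "{v}"' for k, v in rule["if"].items())
    return f"IF {conds} THEN {rule['then']}"


if __name__ == "__main__":
    for rule in osvdb_to_rules(OSVDB_6117):
        print(format_rule(rule))
```

Because the IF-part is an exact string match, a system reported as "MDaemon 2.71" does not satisfy a rule written for "2.71 SP1"; this is why the KB must be filled with precise data gathered from the analyzed system (banner or version information, the scanned port) before rules of this kind can be selected.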
The module of scriptset (attack scenario) generation selects the data about the analyzed system from the data and knowledge repository, generates an attack scriptset using the operation (functionality) rules, monitors scriptset execution and scriptset updating at runtime, and updates the data about the analyzed system.
The module of scenario execution selects an attack action and exploits, predicts the possible feedback from the analyzed computer network, launches the exploit and recognizes the response of the analyzed computer network.
In the case of interaction with a real computer network, real network traffic is generated. In the case of operation with the model of the analyzed system, two levels of attack simulation are provided: (1) at the first level each low-level action is represented by its label describing the attack type and (or) the exploit used, as well as the attack parameters; (2) at the sec-