Hardening Network Configurations in the Face of Zero-Day Vulnerabilities
Project Objectives:
To improve the security of complex networked systems and develop effective network hardening strategies, it is critical to consider the potential impact of zero-day vulnerabilities. Although known attack patterns can be easily modeled, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. In fact, current approaches to network hardening only consider known vulnerabilities. As a consequence, the resulting hardening recommendations may be unrealistic and far from optimal. Additionally, most existing approaches assume that complete attack graphs have been generated, which may be unfeasible in practice for large networks. To overcome these limitations, we propose a goal-centric approach to network hardening that takes into account both known and zero-day vulnerabilities and only requires partial attack graphs. First, we propose to develop polynomial algorithms that, starting from a set of hardening goals, can build the partial attack graph that is relevant for the attacker to reach one of those goals. These algorithms must analyze known vulnerabilities and also hypothesize potential zero-day vulnerabilities. Second, leveraging our previous work on network hardening, we will develop polynomial algorithms that can identify sets of configuration changes that would prevent the attacker from reaching any of the goals considered.
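The following is an added illustration of the goal-centric idea described above; it is not the project's own algorithm or code. It encodes a constructed three-host network as conditions and exploits, builds the partial attack graph backward from a hardening goal, hypothesizes one unknown remote-code-execution vulnerability per exposed service (so the same service on several hosts shares one zero-day id, as in the k-zero-day safety metric of the first publication listed under Project Findings), and then searches for the smallest set of configuration conditions whose removal makes every goal unreachable even with those hypothesized zero-days available to the attacker. The host names, service names, exploit names and condition syntax are all assumptions made for this example.

```python
"""Goal-centric partial attack graph with hypothesized zero-day exploits.

Added illustration, not the project's own algorithm or code. The toy network,
exploit names and the attack-graph encoding are constructed assumptions.
Conditions are strings: conn(a,b) network connectivity from a to b,
svc(h,s) service s listening on host h, priv(h) attacker code execution on h.
"""
from itertools import combinations
import re

# Exploit = (name, preconditions, postcondition, zero_day_id or None)
KNOWN_EXPLOITS = [
    # constructed: a known RCE in the web service on h1, reachable from h0
    ("cve-web-rce", frozenset({"priv(h0)", "conn(h0,h1)", "svc(h1,http)"}),
     "priv(h1)", None),
]

# constructed toy configuration: attacker on h0, web server h1, database h2
INITIAL = {
    "priv(h0)",                      # attacker's own foothold, not hardenable
    "conn(h0,h1)", "conn(h1,h2)",
    "svc(h1,http)", "svc(h1,ssh)", "svc(h2,db)",
}


def hypothesize_zero_days(conditions):
    """For every connectivity edge to a host running a service, hypothesize
    an unknown RCE in that service. The same service on different hosts
    shares one zero-day id: one new vulnerability covers all instances."""
    conns = [m for m in (re.match(r"conn\((\w+),(\w+)\)", c) for c in conditions) if m]
    svcs = [m for m in (re.match(r"svc\((\w+),(\w+)\)", c) for c in conditions) if m]
    exploits = []
    for cm in conns:
        src, dst = cm.groups()
        for sm in svcs:
            host, svc = sm.groups()
            if host == dst:
                pre = frozenset({f"priv({src})", f"conn({src},{dst})", f"svc({dst},{svc})"})
                exploits.append((f"zd-{svc}@{dst}", pre, f"priv({dst})", f"zd({svc})"))
    return exploits


def partial_attack_graph(goals, exploits):
    """Backward construction: keep only the exploits and conditions that can
    contribute to reaching some goal, instead of the full attack graph."""
    relevant, seen, frontier = [], set(), list(goals)
    while frontier:
        cond = frontier.pop()
        if cond in seen:
            continue
        seen.add(cond)
        for ex in exploits:
            if ex[2] == cond and ex not in relevant:
                relevant.append(ex)
                frontier.extend(ex[1])
    return relevant, seen


def reachable(initial, exploits):
    """Monotonic forward closure: every condition the attacker can obtain."""
    have = set(initial)
    changed = True
    while changed:
        changed = False
        for _, pre, post, _ in exploits:
            if post not in have and pre <= have:
                have.add(post)
                changed = True
    return have


def k_zero_day(goals, initial, exploits):
    """Smallest number of distinct zero-day vulnerabilities the attacker must
    possess to reach any goal; None if no goal is reachable even with all."""
    known = [e for e in exploits if e[3] is None]
    zd_ids = sorted({e[3] for e in exploits if e[3]})
    for k in range(len(zd_ids) + 1):
        for subset in combinations(zd_ids, k):
            allowed = known + [e for e in exploits if e[3] in subset]
            if set(goals) & reachable(initial, allowed):
                return k
    return None


def minimal_hardening(goals, initial, exploits, hardenable):
    """Smallest set of configuration conditions to remove so that no goal is
    reachable, treating hypothesized zero-days as usable by the attacker."""
    cands = sorted(hardenable)
    for k in range(len(cands) + 1):
        for removed in combinations(cands, k):
            if not set(goals) & reachable(initial - set(removed), exploits):
                return set(removed)
    return None


def analyze(goals=("priv(h2)",), initial=INITIAL):
    """Run the whole pipeline on the toy network and summarize the result."""
    exploits = KNOWN_EXPLOITS + hypothesize_zero_days(initial)
    relevant, conds = partial_attack_graph(goals, exploits)
    # only configuration conditions in the partial graph are candidate changes;
    # the attacker's own foothold priv(h0) cannot be hardened away
    hardenable = {c for c in conds & initial if not c.startswith("priv(")}
    return {
        "relevant_exploits": sorted(e[0] for e in relevant),
        "k": k_zero_day(goals, initial, exploits),
        "hardening": minimal_hardening(goals, initial, exploits, hardenable),
    }


if __name__ == "__main__":
    print(analyze())
```

On this toy network the goal is one zero-day away (the known web RCE plus an unknown database bug), and patching only the known vulnerability, i.e. removing svc(h1,http), still leaves the goal reachable through a hypothesized ssh zero-day; the hardening search instead proposes cutting the h0-to-h1 connectivity, which also raises the k-zero-day value to "unreachable". The subset enumeration is exponential and serves only to make the example self-contained; the objectives above call for polynomial algorithms for both steps.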
Project Activities:
We proposed a set of efficient solutions to harden network configurations and assess the risk of zero day vulnerabilities. These solutions address the limitations of current hardening solutions and enable zero-day analysis of practical importance to be applied to networks of realistic sizes.
Project Findings:
Project findings are summarized in the publications listed below:
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel, "k-Zero day safety: A network security metric for measuring the risk of unknown vulnerabilities," IEEE Trans. on Dependable and Secure Computing, Vol. 11, No. 1, January/February 2014, pages 30-44.
Lingyu Wang, Mengyuan Zhang, Sushil Jajodia, Anoop Singhal, Massimiliano Albanese, "Modeling network diversity for evaluating the robustness of networks against zero-day attacks," Proc. 18th European Symp. on Research in Computer Security (ESORICS), Part II, Springer Lecture Notes in Computer Science, Vol. 8713, Miroslaw Kutylowski, Jaideep Vaidya, eds., Wroclaw, Poland, September 7-11, 2014, pages 494-511 (Acceptance ratio 58/234).