Attack Graph Generation Algorithm Implementation: Masaryk University
Faculty of Informatics
Bachelor’s Thesis
Jan Klos
Acknowledgements
I would like to thank my advisor, RNDr. Jana Komárková, for her
guidance with the thesis. I would also like to thank my colleagues for
their useful advice and to my family for their encouragement.
Abstract
MulVAL is a logic programming based open source framework for analyzing a network for possible attack paths an intruder might take when exploiting security vulnerabilities. This work is an implementation of MuPar, a parser that generates MulVAL inputs based on a JSON-formatted description of network topology, physical and virtual hosts, clusters, running applications, network accesses and vulnerability specifications. Inputs generated by MuPar are fed to MulVAL to (possibly) generate an attack graph. MuPar is implemented in a way that allows easy extensibility and straightforward definition of new vulnerability prerequisites and consequences. A command-line interface for performing the analysis and converting the resulting graph to JSON format is also provided.
Keywords
attack graph, MulVAL, vulnerability analysis, security analyzer, attack
simulation, interaction rules, MuPar
Contents
Introduction 1
1 Attack Graphs 3
1.1 Research and Usage . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Available Tools . . . . . . . . . . . . . . . . . . . . . . . . 4
2 MulVAL 7
2.1 MulVAL Adapters . . . . . . . . . . . . . . . . . . . . . . 7
2.2 MulVAL Analyzer and Graph Generator . . . . . . . . . . . 8
2.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Specifications 13
3.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2 Input and Output Specification . . . . . . . . . . . . . . . . 14
3.3 Vulnerability Data Sources . . . . . . . . . . . . . . . . . . 16
4 Implementation 19
4.1 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.2 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3 Hosts and clusters declaration format . . . . . . . . . . . . 20
4.4 Parsing the input . . . . . . . . . . . . . . . . . . . . . . . 26
4.5 MuPar command line interface and graph generation . . . . 26
4.6 Complexity . . . . . . . . . . . . . . . . . . . . . . . . . . 27
5 Conclusion 29
Bibliography 31
Introduction
Attack graphs are graph-based representations of potential attack paths an intruder might take in order to compromise computer systems and networks. They are a useful tool used for identification, visualization, simulation and analysis of weak spots in cybersecurity architecture.
Generating attack graphs for real medium-scale and large-scale networks is a fairly complex task, both in terms of implementation and of computation, especially if many inputs such as network filtering rules, running applications, user accounts, credentials and permissions, or virtualization and cluster configurations have to be taken into account so that a reasonably precise simulation of the security situation in the network can be performed.
While there is a choice of different attack graph generation tools – commercial, free or open source – many of them do not fit the criteria for the task of modelling a sizable modern computer network, failing in requirements such as computational complexity, extensibility or interoperability with existing vulnerability scanning solutions and vulnerability databases. Even more have to be excluded when price and the amount of active development on the project must be taken into account.
MulVAL (Multi-host, Multi-stage Vulnerability Analysis Language) [1] is a framework for generating attack graphs that uses Datalog as its modeling language. It is an open source project and is therefore easily extensible. The reasoning engine of the MulVAL analyzer scales with polynomial complexity and is therefore capable of modelling even large enterprise networks [2]. MulVAL consists of several separately executed parts, of which the analyzer and graph generator are of main interest for the purposes of this thesis.
MuPar has been implemented to address several shortcomings of the base MulVAL distribution. The most significant one is the absence of an adapter/parser that would convert all the data required to perform an accurate attack simulation from a unified, machine-readable format to MulVAL Datalog inputs. MuPar sources all required data (hosts, applications, networks and access rules, vulnerabilities and their presence on hosts) from one or several JSON files and combines them with an extended rule set that, unlike basic MulVAL, supports declaration of virtual hosts, subnetworks, clusters and additional vulnerability properties.
MuPar also provides a command-line interface to run the parsing, analysis and graph-generation tasks and adds the possibility to output the resulting attack graph to JSON format. Most importantly, MuPar is implemented with extensibility in mind, in order to minimize code and input format changes required to add new functionality.
This thesis is organized into five chapters. Chapter 1 provides an insight into the growing body of research regarding attack graphs, their purpose in cybersecurity and their various applications. It also provides a brief overview of the available solutions for their generation.
Chapter 2 describes the MulVAL framework in detail, focusing on the base distribution’s vulnerability scanner adapters and its analysis engine that serves as the basis for the MuPar project.
Chapter 3 provides the motivation behind the project, a general specification of inputs and outputs, the expected sources of the input data, and a mapping of CVSS [3] metrics to MuPar’s vulnerability specifications.
Chapter 4 contains the technical description of the tool and its implementation, a sample input file, the reasoning behind the programmatic choices, as well as the results of verifying the MulVAL engine’s polynomial complexity.
Chapter 5 recapitulates the advantages and addresses the shortcomings of the solution. A brief assessment of the possible future of the tool and its extensibility potential is provided in this chapter.
1 Attack Graphs
Of the listed tools, only MulVAL and Attack Graph Toolkit are open source. Whereas MulVAL scales well even in large enterprise networks because of its polynomial complexity, the generation algorithm of Attack Graph Toolkit has exponential complexity, making it unusable for large-scale networks. Also, Attack Graph Toolkit has not been updated since 2007.
2 MulVAL
MulVAL is a GPL-licensed framework aimed at security practitioners and administrators to better manage and monitor configurations of enterprise network systems. It leverages results of existing vulnerability databases and scan tools and performs an analysis of the network in order to generate a potential attack trace [19]. If found, such results may also help in selecting the correct countermeasures, such as patching the vulnerable application or operating system, changing the network configuration or modifying access permissions.
attackerLocated(internet).
attackGoal(execCode(fileServer, _)).
2.3 Limitations
MulVAL is bundled with a basic set of interaction rules specifying interactions on the network. The bundled rule set only supports 3 categories of exploitable range:
[Figure: example MulVAL attack graph; node labels 10:hacl(internet,webServer,tcp,80):1, 11:attackerLocated(internet):1, 5:hacl(webServer,fileServer,tcp,445):1, 6:execCode(webServer,u1):0 and 1:execCode(fileServer,u2):0]
3.1 Motivation
the network not only from vulnerability scanner reports and vulnerability database data, but also from exports of various configuration management tools and firewall rules dumps.
∙ Specification of hosts
∙ Specification of clusters
∙ Specification of vulnerabilities
∙ Specification of vulnerabilities detected on hosts (scan results)
∙ Optional specification of network access between hosts (filtering rules) and networks – such information may also be specified directly in host entries
∙ Vulnerability ID
4 Implementation
4.1 Challenges
One of the ambitions of the MuPar project is to add the ability to describe network infrastructure and filtering rules generated by other sources and translate them to ’hacl’ MulVAL predicates. This allows for precise modeling of vulnerabilities’ consequences, as networks often have far more complex configurations than simply allowing everyone from the inside network to connect. However, modeling very complicated network routing rules is hardly trivial. MuPar adopted a middle-ground approach: hosts may be declared members of multiple networks, and the relationships between the networks may be specified using the hacl predicates. One network may also have multiple subnets. While this allows for reasonable granularity and may closely resemble most network configurations, complex network routing schemes and features such as layer 2 filtering cannot be accurately represented. For the purposes of vulnerabilities with the Adjacent attack vector, all hosts within the same subnet are considered adjacent, even though that may not necessarily be true with managed switches and VLAN configurations.
Another requirement was to model host ’functions’ and ’roles’. This allows declaring role-consequence relationships such as "if a DNS server for a network is compromised, that network loses integrity and confidentiality". Functions may also have different arities: a DNS server role has one parameter (a network), but a computer routing communication between two networks has two. Function specification has been implemented in such a way that declaring new roles and functions is possible with as few changes as possible.
4.2 Requirements
MuPar is implemented in Python [35] and requires at least Python version 3.6 to run. Among Python dependencies, the Jinja2 [36] package, used for rendering MulVAL input files (rules and the starting script), is the only additional requirement; all the other dependencies are part of the base Python distribution.
For attack trace and attack graph generation, MuPar utilises MulVAL’s reasoning engine and therefore requires XSB to be installed with its binary on PATH. The MulVAL installation path has to be supplied in an environment variable.
Memory requirements of the analysis vary depending on the size of the modelled network, the number of attack paths and the number of predicates.
        }
      ],
      "apps": [
        {
          "user": "dnsuser",
          "app_id": "bind",
          "protocol": "tcp",
          "port": 53
        }
      ],
      "accesses": [
        {
          "src": "default",
          "protocol": "tcp",
          "port": 53
        }
      ],
      "functions": [
        {
          "function_name": "DnsServer",
          "network": "default"
        }
      ]
    },
    {
      "host_id": "vmhost1.domain",
      "networks": [
        {
          "ip": "10.0.0.2",
          "subnet": "10.0.0.0/8"
        },
        {
          "interface": "192.168.0.1/24",
          "network_id": "hostonly1"
        }
      ],
      "apps": [
        {
          "user": "vmuser",
          "app_id": "qemu"
        }
      ],
      "accesses": [
        {
          "src": "hostonly1",
          "protocol": "*",
          "port": "*"
        }
      ]
    },
    {
      "host_id": "vmhost2.domain",
      "networks": [
        {
          "ip": "10.0.0.3",
          "subnet": "10.0.0.0/8"
        },
        {
          "interface": "192.168.0.1/24",
          "network_id": "hostonly2"
        }
      ],
      "apps": [
        {
          "user": "vmuser",
          "app_id": "qemu"
        }
      ],
      "accesses": [
        {
          "src": "hostonly2",
          "protocol": "*",
          "port": "*"
        }
      ]
    },
    {
      "host_id": "vm1.virtualnet",
      "is_virtual": true,
      "vm_host": "vmhost1.domain",
      "cluster_membership": "nginxcluster",
      "networks": [
        {
          "ip": "10.0.0.4",
          "subnet": "10.0.0.0/8"
        },
        {
          "ip": "192.168.0.2",
          "subnet": "192.168.0.0/24",
          "network_id": "hostonly1"
        }
      ],
      "accesses": [
        {
          "src": "hostonly1",
          "protocol": "*",
          "port": "*"
        },
        {
          "src": "default",
          "protocol": "tcp",
          "port": 80
        },
        {
          "src": {
            "type": "Host",
            "id": "vmhost1.domain"
          },
          "protocol": "tcp",
          "port": "vm_management_port"
        }
      ]
    },
    {
      "host_id": "vm2.virtualnet",
      "is_virtual": true,
      "vm_host": "vmhost2.domain",
      "cluster_membership": "nginxcluster",
      "networks": [
        {
          "ip": "10.0.0.5",
          "subnet": "10.0.0.0/8"
        },
        {
          "ip": "192.168.0.2",
          "subnet": "192.168.0.0/24",
          "network_id": "hostonly2"
        }
      ],
      "accesses": [
        {
          "src": "hostonly2",
          "protocol": "*",
          "port": "*"
        },
        {
          "src": "default",
          "protocol": "tcp",
          "port": 80
        },
        {
          "src": {
            "type": "Host",
            "id": "vmhost2.domain"
          },
          "protocol": "tcp",
          "port": "vm_management_port"
        }
      ]
    }
  ],
  "clusters": [
    {
      "cluster_id": "nginxcluster",
      "apps": [
        {
          "user": "nginxuser",
          "app_id": "nginx",
          "protocol": "tcp",
          "port": 80
        }
      ]
    }
  ]
}

{
  "vulnerabilities": [
    {
      "vulnerability_id": "CVE-bind-remote-code-execution",
      "prerequisites": [
        {
          "name": "NetAccess"
        },
        {
          "name": "RunningNetworkService",
          "app": "bind"
        }
      ],
      "consequences": [
        {
          "name": "ExecCode"
        }
      ]
    }
  ],
  "vulnerability_presences": [
    {
      "vulnerability": "CVE-bind-remote-code-execution",
      "host": "dnsserver.domain"
    }
  ]
}
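As an added illustration of the ’hacl’ translation and the same-subnet adjacency simplification described in Section 4.1, applied to the host format of the sample above (example code written for this page, not MuPar’s own): it converts the accesses of a constructed two-host input into MulVAL hacl/4 facts and lists the host pairs the subnet rule treats as adjacent. The top-level "hosts" key, the quoting of dotted host names and the rendering of "*" as the anonymous variable are assumptions.

```python
import ipaddress
import json
import re

# Constructed two-host input in the thesis' host format; the top-level "hosts"
# key is an assumption (the sample above starts mid-file).
SAMPLE = json.loads("""{"hosts": [
 {"host_id": "vmhost1.domain",
  "networks": [{"ip": "10.0.0.2", "subnet": "10.0.0.0/8"},
               {"interface": "192.168.0.1/24", "network_id": "hostonly1"}],
  "accesses": [{"src": "hostonly1", "protocol": "*", "port": "*"}]},
 {"host_id": "vm1.virtualnet", "is_virtual": true, "vm_host": "vmhost1.domain",
  "networks": [{"ip": "10.0.0.4", "subnet": "10.0.0.0/8"},
               {"ip": "192.168.0.2", "subnet": "192.168.0.0/24", "network_id": "hostonly1"}],
  "accesses": [{"src": "default", "protocol": "tcp", "port": 80},
               {"src": {"type": "Host", "id": "vmhost1.domain"},
                "protocol": "tcp", "port": "vm_management_port"}]}]}""")

def atom(value):
    """JSON value -> Datalog term: '*' is the anonymous variable, numbers and
    plain lower-case names stay bare, dotted host names etc. are quoted (assumed)."""
    if value == "*":
        return "_"
    text = str(value)
    return text if re.fullmatch(r"[a-z][A-Za-z0-9_]*|\d+", text) else "'%s'" % text

def hacl_facts(spec):
    """One hacl(Src, Dst, Protocol, Port) fact per declared access; 'src' is a
    network id or an object naming a single source host."""
    facts = []
    for host in spec["hosts"]:
        for acc in host.get("accesses", []):
            src = acc["src"]["id"] if isinstance(acc["src"], dict) else acc["src"]
            facts.append("hacl(%s,%s,%s,%s)." % (atom(src), atom(host["host_id"]),
                                                 atom(acc["protocol"]), atom(acc["port"])))
    return facts

def adjacent_pairs(spec):
    """Host pairs on a common subnet: the thesis' simplification for the CVSS
    'Adjacent' attack vector (VLANs and layer 2 filtering are not modelled)."""
    members = {}
    for host in spec["hosts"]:
        for net in host.get("networks", []):
            cidr = net.get("subnet") or net.get("interface")  # interface is addr/prefix
            if cidr:
                key = ipaddress.ip_network(cidr, strict=False)
                members.setdefault(key, set()).add(host["host_id"])
    return sorted({(a, b) for hosts in members.values() for a in hosts for b in hosts if a < b})

if __name__ == "__main__":
    print("\n".join(hacl_facts(SAMPLE)))
    print(adjacent_pairs(SAMPLE))
```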
4.6 Complexity
To validate the expectation that attack path generation will scale polynomially [19, 2, 20], a benchmark similar to [20] was conducted. On an Intel Core i7-3610QM locked at 2.3 GHz with 8 GiB RAM, running Ubuntu 18.04 and with the XSB process constrained to a single CPU core, the results for a test run with an increasing number of hosts are as follows:

Hosts   Time
  102     0.21 s
  510     0.94 s
 1003     6.41 s
 2006    31.97 s
 4998   219.74 s
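A check of the polynomial-growth claim against the figures above (added here, not part of the thesis): fitting time ∝ hosts^k on a log-log scale yields the global exponent k, and the local exponent between consecutive sizes shows where the curve settles.

```python
import math

# Measurements from the table above: (hosts, seconds).
BENCHMARK = [(102, 0.21), (510, 0.94), (1003, 6.41), (2006, 31.97), (4998, 219.74)]


def scaling_exponent(points):
    """Least-squares slope of log(time) against log(hosts), i.e. the k in
    time ~ hosts^k; a roughly constant k is what polynomial scaling looks like."""
    xs = [math.log(n) for n, _ in points]
    ys = [math.log(t) for _, t in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx


def pairwise_exponents(points):
    """Local exponent between consecutive sizes; the first step is much flatter
    than the rest, the later ones settle a little above 2."""
    return [math.log(t2 / t1) / math.log(n2 / n1)
            for (n1, t1), (n2, t2) in zip(points, points[1:])]


if __name__ == "__main__":
    print("global exponent: %.2f" % scaling_exponent(BENCHMARK))
    print("local exponents: %s" % ["%.2f" % k for k in pairwise_exponents(BENCHMARK)])
```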
5 Conclusion
Compared to the base MulVAL distribution, the following features have been implemented as part of the MuPar project:
∙ JSON-formatted input containing all the data about the modelled network
Bibliography
1. The MulVAL Project [online]. 2013 [visited on 2018-12-11]. Available from: http://people.cs.ksu.edu/~xou/mulval/.
2. OU, Xinming; BOYER, Wayne F; MCQUEEN, Miles A. A scalable approach to attack graph generation. In: Proceedings of the 13th ACM conference on Computer and communications security. 2006, pp. 336–345. 556 cit.
3. CVSS v3.0 Specification Document [online]. 2018 [visited on 2018-12-06]. Available from: https://www.first.org/cvss/specification-document.
4. PHILLIPS, Cynthia; SWILER, Laura Painton. A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 workshop on New security paradigms. 1998, pp. 71–79. 778 cit.
5. SWILER, Laura P; PHILLIPS, Cynthia; ELLIS, David; CHAKERIAN, Stefan. Computer-attack graph generation tool. In: discex. 2001, p. 1307. 425 cit.
6. LI, Zhi-tang; LEI, Jie; WANG, Li; LI, Dong. A data mining approach to generating network attack graph for intrusion prediction. In: Fuzzy Systems and Knowledge Discovery, 2007. FSKD 2007. Fourth International Conference on. 2007, vol. 4, pp. 307–311. 42 cit.
7. QIN, Xinzhou; LEE, Wenke. Attack plan recognition and prediction using causal networks. In: Computer Security Applications Conference, 2004. 20th Annual. 2004, pp. 370–379. 214 cit.
8. WANG, Lingyu; ISLAM, Tania; LONG, Tao; SINGHAL, Anoop; JAJODIA, Sushil. An attack graph-based probabilistic security metric. In: IFIP Annual Conference on Data and Applications Security and Privacy. 2008, pp. 283–296. 305 cit.
9. MEHTA, Vaibhav; BARTZIS, Constantinos; ZHU, Haifeng; CLARKE, Edmund; WING, Jeannette. Ranking attack graphs. In: International Workshop on Recent Advances in Intrusion Detection. 2006, pp. 127–144. 222 cit.