Abstract

With the increasing number and complexity of network attacks, the demand for automatic vulnerability analysis tools has grown. The prerequisite for building such tools is a formal and precise model of network configurations and vulnerabilities. Using this model, network administrators can analyze the effects of vulnerabilities on the network, and complex attack scenarios can be detected before they happen. In this paper, we present a general logic-based framework for modeling network configurations and topologies. A number of important and widespread network vulnerabilities are then modeled as general inference rules over the framework's definitions. We implemented the approach using an expert system that analyzes network configurations and detects how an attacker may exploit a chain of vulnerabilities to reach his goal. Our approach explores all attack paths and generates the closure of access rights that the attacker can gain by exploiting the vulnerabilities. The time complexity of calculating the closure is polynomial. Given the closure, we can test whether a user has a particular right over a resource in O(1) time. Moreover, firewall filtering rules can be modeled and analyzed to determine the initial accesses in the network. Our framework is more flexible than previous ones, as it can model some major parts of Denial of Service (DoS) attacks and reason about network topology. Finally, a case study is presented to explore the model's applicability and show its efficiency and flexibility.
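As an added illustration (not the paper's own implementation), the following Python sketch forward-chains two generic inference rules of the kind the abstract describes over a constructed three-host network: firewall rules fix the initial accesses, the closure of attacker rights is computed to a fixed point in polynomial time, and rights queries are then answered with an O(1) set lookup. The hosts, zones, firewall rules and vulnerability facts are hypothetical.

```python
# Constructed sample network model (hypothetical hosts, rules and vulnerabilities).
# Firewall filtering rules as (src_zone, dst_host, dst_port, action); first match wins.
FIREWALL = [
    ("internet", "web", 80, "allow"),
    ("internet", "db", 3306, "deny"),
    ("dmz", "db", 3306, "allow"),
]
ZONE = {"attacker": "internet", "web": "dmz", "db": "dmz"}
# Remote vulnerability facts: (host, port) -> right gained by exploiting that service.
REMOTE_VULNS = {("web", 80): "user", ("db", 3306): "root"}
# Local privilege-escalation facts: host -> (right required, right gained).
LOCAL_VULNS = {"web": ("user", "root")}


def allowed(firewall, src_host, dst_host, port):
    """Evaluate the filtering rules: the first matching rule decides, default deny."""
    for zone, dst, p, action in firewall:
        if zone == ZONE[src_host] and dst == dst_host and p == port:
            return action == "allow"
    return False


def closure(initial, firewall, remote_vulns, local_vulns):
    """Forward-chain two generic inference rules to a fixed point.

    A fact is a (host, right) pair the attacker holds. Each pass costs
    O(|facts| * |vulns|) and the number of passes is bounded by the number of
    possible facts, so the closure is computed in polynomial time.
    """
    facts = set(initial)
    changed = True
    while changed:
        changed = False
        for host, right in list(facts):
            # Rule 1: a foothold on `host` plus an allowed path to a vulnerable
            # service on `target` yields the right that exploit grants.
            for (target, port), gained in remote_vulns.items():
                if allowed(firewall, host, target, port) and (target, gained) not in facts:
                    facts.add((target, gained))
                    changed = True
            # Rule 2: local escalation on a host where the required right is already held.
            if host in local_vulns and local_vulns[host][0] == right:
                escalated = (host, local_vulns[host][1])
                if escalated not in facts:
                    facts.add(escalated)
                    changed = True
    return facts


def has_right(closure_set, host, right):
    """O(1) membership query against the precomputed closure."""
    return (host, right) in closure_set
```

Removing the dmz-to-db rule from `FIREWALL` and recomputing the closure shows how the model evaluates a proposed mitigation: the path to the database disappears while the web host compromise remains.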
