4 Attack Graph on 3G Network
4.4 Introduction to 3G Attack Graph
4.4.1 Attacks on 3G
Attacks on 3G networks can be classified by the attacker's physical access to the 3G network. They are:
Single Infrastructure Attacks: attacks within the same network domain, e.g., the attacker has gained access to a core 3G network entity and attacks other 3G network entities. This class includes the following three levels of physical access between the attacker and the 3G telecommunication network.
o Access to the air interface with a physical device: this affects the privacy of the subscriber and the network operator and also enables man-in-the-middle attacks.
o Access to the cables connecting Central Offices (3G core network entities): here the attacker may cause damage by disrupting the normal transmission of signaling messages.
o Access to 3G core network entities in the Central Office: here the attacker can cause damage by editing the service logic or modifying the subscriber data (profile, security and services) stored in the network entity.
Cross Infrastructure Cyber Attacks: attacks on the wireless telecommunication network from the IP domain. These attacks use Cross Network Services (services that combine Internet-based data with data from the wireless telecommunication network to serve the wireless subscriber) as an entry point into the wireless telecommunication network. This class includes the following two levels of physical access between the attacker and the 3G network.
o Access to the links connecting the Internet and the 3G core network: the attacker can cause damage by disrupting the normal transmission of signaling messages traversing the link and by inserting signaling messages into the link between the two networks.
o Access to Internet servers or Cross Network Servers (which provide multimedia or other services to mobile subscribers) connected to the 3G network: the attacker can cause damage by editing the service logic or modifying the subscriber data (profile, security and services) stored in the Cross Network Servers.
The types of attack on 3G wireless telecommunication networks are:
o Interception: the attacker intercepts information but does not modify or delete it. This is a passive attack; it affects the privacy of the subscriber and the network operator.
o Fabrication/Replay: the attacker inserts spurious objects, such as forged or replayed signaling messages, into the system. The effect can be that the attacker masquerades as an authority figure.
o Modification of Resources: the attacker causes damage by modifying system resources.
o Denial of Service: the attacker causes an overload or a disruption in the system so that the network functions abnormally.
o Interruption: the attacker causes an interruption by destroying resources.
Attacks can also be classified by the means used to carry them out. The attack means are as follows:
o Data: the attacker attacks the data stored in the system. The damage is done by modifying, inserting and deleting stored data.
o Messages: the attacker attacks the system through the signaling messages. The attacker may insert, modify, delete and replay signaling messages going into and out of the network.
o Service Logic: the attacker causes damage by attacking the service logic running in the various 3G core network entities.
4.4.2 3G Attack Graph
Attacks on the 3G wireless telecommunication networks occur due to the exchange of
propagates across the network due to normal end-to-end network operation. This feature is known as the cascading effect. Deducing vulnerabilities and attacks in 3G systems manually is not feasible, because it requires extensive knowledge of thousands of state machines and of the end-to-end networking of the telecommunication system. Standard Internet-based vulnerability assessment tools are not sufficient for 3G telecommunication networks either, because they report host-level (physical) vulnerabilities, which is not the goal of 3G network vulnerability assessment. The goal is to identify end-to-end, system-level vulnerabilities and the interactions that lead to the cascading effect. The attacks can therefore be represented in the form of an attack graph.
A 3G network specific attack graph is a network state-transition graph showing the paths through a system, starting with the conditions of the attack and the attack itself, continuing with the cascading effect of the attacker's action(s) and ending in the attacker's goal. The state of a 3G network is defined as the collective state of all its blocks.
The Cellular Network Vulnerability Assessment Toolkit (CAT) proposed by Kotapati et al. is a tool that represents 3G network vulnerabilities and attacks as attack graphs. CAT takes 3G data-parameter seeds and goals as input from the user and uses the freely available technical specifications written in the Specification and Description Language (SDL) developed by the ITU to identify the system interactions that lead to the cascading effect. Seeds are data parameters which, when corrupted by the attacker, may or may not lead to the goal; in the attack graph, seeds may merge at different stages. Goals are data parameters that are derived incorrectly as a result of the direct corruption of seeds by the attacker.
The attack shown in Figure-4.3 is called the speech attack; it is caused by corruption of the 'ISDN BC' data parameter in the 'IAM' message. The 3G data parameter 'ISDN BC' is the direct target of the attack and is called the seed. CAT builds the attack graph for the speech attack (shown in Figure-4.4) in a bottom-up manner.
Figure-4.3: Speech Attack
For better understanding, this attack graph has been divided into levels. Each node has been assigned one or more numbers; these are tree numbers and identify the tree(s) to which the node belongs. For example, all nodes marked with number 1 form the first tree of the graph. Nodes at a particular level with the same tree number(s) are AND nodes; likewise, nodes at a level that share a tree number with a node in the level above are AND nodes, while nodes that do not share a tree number are OR nodes. For example, the nodes at Level 0 are AND nodes, whereas the nodes at Level 4 are OR nodes.
Condition nodes are composed of three sub-nodes:
o The first contains the level of Physical Access (PA), i.e. the attacker's physical access to the network, which may be classified as: (1) access to the air interface with the help of a physical device; (2) access to the cables connecting Central Offices; (3) access to the core network entities in the Central Office; (4) access to the links connecting the Internet and the 3G core network; (5) access to Internet servers or Cross Network Servers (the five levels listed in Section 4.4.1).
o The second contains the high-level description of the attacker's target (Tgt), which is described by a block and covers all the processes and data sources within that block.
o The third contains the vulnerability (Vul), which may be classified as: (1) attacking the data parameters in signaling messages exchanged between blocks; (2) attacking the service logic of a process in a block so that it behaves abnormally; and (3) corrupting the data sources in a block. In the attack example of Figure-4.4 the attacker corrupts the data parameter 'ISDN BC' in message IAM, so the vulnerability is of the message type and is written as Vul: Message.
The events of an Action node (Action) are incoming and outgoing signaling messages; the non-events are changes to the data associated with the block. In Figure-4.4 the action node at Level 0 is an example of an event and the action node at Level 2 is an example of a non-event. Non-events cause a change in the state of the network but do not generate any event.
The Goal node in Figure-4.4 is the node at Level 5, the highest level of the attack graph. It indicates the corruption or incorrect derivation of data parameters resulting from the direct corruption of other data parameters (seeds) by the attacker.
The edges are of two kinds: a transition due to adversary action describes the change in the state of the network as a result of the adversary's action, and a network transition describes the change in the state of the network as a result of any of the action nodes. Edges marked A indicate transitions due to adversary action.
Hence the attack graph shows not only the attacker's activity but also the global view, i.e. the cumulative effect of the attacker's actions. This is the unique feature of this attack graph.
Chapter 5
Attack Graph generation: A Modified Approach
An attack graph is a pictorial representation of the paths along which an attacker can exploit the vulnerabilities of a network. A network administrator can use the attack graph to identify the vulnerabilities present in the network and take measures accordingly. The knowledge encoded in attack graphs can also be used to correlate isolated alerts into probable attack scenarios.
Several software packages have been designed to automate the generation of attack graphs. Most automated attack graph generators produce an attack graph that contains all the paths to a specific target host rather than for the whole network. Such per-host graphs can be aggregated over each host to form a network attack graph.
Most current analyses of attack graphs require a new algorithm to be developed and implemented, which delays the availability of the analysis. Standard graph algorithms usually do not apply because of the unique characteristics of attack graphs. This delay is usually not acceptable, because the requirements for analyzing attack graphs change rapidly with constantly changing threats and network configurations. Interactive analysis of attack graphs removes the limitation caused by such delays.
We therefore adopt the attack graph generation approach based on relational queries proposed by Jajodia et al. [20]. Here, network configuration and domain knowledge are represented in the relational model. The attack graph is generated by relational queries, which can either be materialized as relations or simply left as the definitions of relational views. The latter is especially suitable for large networks, where materializing the complete attack graph can be prohibitive [20].
The approach is extended by introducing more detailed network configuration and domain knowledge information. Network information can be obtained with any vulnerability scanner, such as Nessus or an OVAL scanner. The domain knowledge is obtained from the OVAL [23] and NVD [24] databases. We propose the following relation schemas in a relational database for attack graph generation.
Relation 1: Connectivity (srcHost, dstHost, Access)
Relation 2: Host-Information (Host_ip, Host_Name, OS, OS_Patch)
Relation 3: Pre-Condition (Host, Condition, Port)
Relation 4: Port-Blocked (srcHost, dstHost, dstPort)
Relation 5: Host-Vulnerability (Host, VulnID)
Relation 6: Condition-Vulnerability Dependency (Access, Condition, Field, OS, Port, VulnID)
Relation 7: Vulnerability-Condition Dependency (Access, VulnID, Condition, OS, Port)
The network configuration comprises relations 1 to 5 and the domain knowledge comprises relations 6 and 7.
Connectivity records whether two hosts (the source host srcHost and the destination host dstHost) are connected through the network or an adjacent network; hence the Access attribute of the Connectivity relation is either network or adjacent network. A vulnerability exploitable with network access means that the vulnerable software is bound to the network stack and the attacker does not require local network access or local access; an example of such a remotely exploitable vulnerability is an RPC buffer overflow. A vulnerability exploitable with adjacent network access requires the attacker to have access to either the broadcast or the collision domain of the vulnerable software. Examples of local networks include a local IP subnet, Bluetooth, IEEE 802.11 and a local Ethernet segment [5].
The Host-Information relation stores information about a particular host: its IP address, host name, operating system and operating-system patch information.
The Pre-Condition relation records an initial condition of a host. The condition may be a software product (e.g. an IIS server) running on the host together with the port it listens on (e.g. 80 for an IIS server), or a privilege, i.e. user or root. If the condition is of the privilege type, the Port attribute contains a null value.
The Port-Blocked relation records whether a particular port is blocked between two hosts. If H1 is a source host, H2 a destination host and port P of H2 is blocked, there is no connectivity from H1 to H2 through port P. This relation is therefore useful where connectivity between two hosts is restricted, e.g. by a firewall.
The Host-Vulnerability relation lists the vulnerabilities present on a particular host; vulnerability scanners output this information. We use CVE [21] identifiers for vulnerability identification.
The Condition-Vulnerability Dependency relation states that a condition C, on a specific operating system (OS) and a specific port, is required for exploiting vulnerability V on the destination host; the OS attribute is not needed when the condition belongs to the source host. The attribute Field (F) records whether the condition C belongs to the source (S) or the destination (D) host. The Vulnerability-Condition Dependency relation states that a condition C, with a specific operating system (OS) and a specific port, is gained by exploiting vulnerability V.
For better understanding, a sample value of each relation is given in Figure-6.1.

Relation: Connectivity
  srcHost  dstHost  Access
  H1       H2       network

Relation: Host-Information
  Host_ip        Host_name  OS          OS_Patch
  202.102.12.25  H1         Windows XP  P1
  202.102.12.25  H1         Windows XP  P2

Relation: Pre-Condition
  Host_Name  Condition  Port
  H1         IIS        80

Relation: Port-Blocked
  srcHost  dstHost  dstPort
  (no rows)

Relation: Host-Vulnerability
  Host_Name  VulnID
  H1         CVE-

Relation: Condition-Vulnerability Dependency
  Access   Condition  Field  OS          Port  VulnID
  network  IIS        D      Windows XP  80    CVE-
  network  User       S      null        80    CVE-
  network  Root       S      null        80    CVE-

Relation: Vulnerability-Condition Dependency
  Access   VulnID  Condition  OS          Port
  network  CVE-    User       Windows XP  80

Figure-6.1: A sample value of each relation

Using the above relations, relational queries are executed and the results are stored, in order, in the three relations defined below:
Exploit (Access, srcHost, dstHost, VulnID, OS, Port)
Condition-Exploit (Access, Host, Condition, OS, Port, srcHost, dstHost, VulnID)
Exploit-Condition (Access, srcHost, dstHost, VulnID, Host, Condition, OS, Port)
A further relation, Condition (Host, Condition, OS, Port), takes its initial values from the Pre-Condition and Host-Information relations and is updated whenever new conditions (essentially new Host and Condition pairs) appear in the Exploit-Condition relation. The process is repeated until no new condition appears in the Exploit-Condition relation, i.e. until a fixed point is reached. These four relations (Exploit, Condition-Exploit, Exploit-Condition and Condition) are sufficient to represent the complete attack graph, and they may or may not be materialized. Not all of their attributes are needed for the graph representation, so we define four further relations that contain only the necessary attributes: EX contains (srcHost, dstHost, VulnID) from Exploit; CE contains (Host, Condition, srcHost, dstHost, VulnID) from Condition-Exploit; EC contains (srcHost, dstHost, VulnID, Host, Condition) from Exploit-Condition; and HC contains (Host, Condition) from Condition. The attack graph representation is therefore the same as that proposed by Jajodia et al.
For the visual representation, the attack graph is a directed graph with two types of vertices, the tuples of HC (conditions) and EX (exploits); the edges between them are given by the tuples of CE (condition to exploit) and EC (exploit to condition). Each relation has a composite key consisting of all its attributes. The attack graph is drawn with the help of the Graphviz [25] software.
The modified approach is required because the vulnerability of a software product is specific to the operating system and the installed patches: whether the presence of a particular product makes a host vulnerable depends on the type and version of the operating system installed on it, and an upgraded version of the product sometimes fixes a previous vulnerability. Moreover, whether a vulnerability can be exploited depends on the attacker's access to the host; the access levels local, adjacent network and network are those defined in CVSS [5].
The modified approach has been implemented on several SQL server packages, namely Microsoft SQL Server, MySQL Server and PostgreSQL Server, so that it is compatible with the various server packages.
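The generation procedure described above, as an added example that is not the thesis's own implementation: the seven input relations and the four derived relations are created in SQLite, the Exploit, Condition-Exploit, Exploit-Condition and Condition relations are filled by relational queries, the queries are re-run until no new Exploit or Condition tuple appears, and the EX/HC/CE/EC projections are rendered as Graphviz DOT. The network in the example is constructed (an attacker host A with User privilege, H1 running FTP on Windows XP, H2 running IIS on Windows NT, a firewall blocking port 21 from A to H1); V1 and V2 are placeholder vulnerability identifiers, not CVE numbers; and the null port of a privilege condition is stored as 0 so that the composite primary keys deduplicate tuples (SQLite treats NULLs in a key as distinct).

```python
"""Attack-graph generation by relational queries over the seven relations of the
modified approach, run on SQLite.  Added example: the network, hosts, IP addresses
and the vulnerability IDs V1/V2 below are constructed placeholders, not real data."""
import sqlite3

SCHEMA = """
CREATE TABLE Connectivity(srcHost, dstHost, Access);
CREATE TABLE HostInformation(Host_ip, Host_Name, OS, OS_Patch);
CREATE TABLE PreCondition(Host, Condition, Port);  -- Port 0 stands for the null port of a privilege
CREATE TABLE PortBlocked(srcHost, dstHost, dstPort);
CREATE TABLE HostVulnerability(Host, VulnID);
CREATE TABLE CondVulnDep(Access, Condition, Field, OS, Port, VulnID);  -- Field: S=source, D=destination
CREATE TABLE VulnCondDep(Access, VulnID, Condition, OS, Port);
-- derived relations; a composite key over all attributes gives INSERT OR IGNORE set semantics
CREATE TABLE Condition(Host, Condition, OS, Port, PRIMARY KEY(Host, Condition, OS, Port));
CREATE TABLE Exploit(Access, srcHost, dstHost, VulnID, OS, Port, PRIMARY KEY(Access, srcHost, dstHost, VulnID, OS, Port));
CREATE TABLE ConditionExploit(Host, Condition, srcHost, dstHost, VulnID, PRIMARY KEY(Host, Condition, srcHost, dstHost, VulnID));
CREATE TABLE ExploitCondition(srcHost, dstHost, VulnID, Host, Condition, PRIMARY KEY(srcHost, dstHost, VulnID, Host, Condition));
"""
SAMPLE = """
INSERT INTO HostInformation VALUES ('10.0.0.1','A','Linux','-'), ('202.102.12.25','H1','Windows XP','P1'), ('202.102.12.26','H2','Windows NT','-');
INSERT INTO Connectivity VALUES ('A','H1','network'), ('A','H2','network'), ('H1','H2','network'), ('H2','H1','network');
INSERT INTO PreCondition VALUES ('A','User',0), ('H1','FTP',21), ('H2','IIS',80);
INSERT INTO PortBlocked VALUES ('A','H1',21);  -- the firewall drops FTP coming from the attacker A
INSERT INTO HostVulnerability VALUES ('H2','V1'), ('H1','V2');
-- V1 (placeholder): IIS flaw on Windows NT; needs IIS:80 on the target and User on the attacking host; yields User
INSERT INTO CondVulnDep VALUES ('network','IIS','D','Windows NT',80,'V1'), ('network','User','S',NULL,0,'V1');
INSERT INTO VulnCondDep VALUES ('network','V1','User','Windows NT',0);
-- V2 (placeholder): FTP flaw on Windows XP; needs FTP:21 on the target and User on the attacking host; yields Root
INSERT INTO CondVulnDep VALUES ('network','FTP','D','Windows XP',21,'V2'), ('network','User','S',NULL,0,'V2');
INSERT INTO VulnCondDep VALUES ('network','V2','Root','Windows XP',0);
"""
# An exploit of V from s to d exists when s and d are connected, d carries V, the target port is not
# blocked, and EVERY dependency of V holds: D-conditions on d with matching OS and port, S-conditions
# on s (no OS/port check for the source host, as the text states).
EXPLOIT_Q = """
INSERT OR IGNORE INTO Exploit
SELECT DISTINCT c.Access, c.srcHost, c.dstHost, hv.VulnID, d.OS, d.Port
FROM Connectivity c
JOIN HostVulnerability hv ON hv.Host = c.dstHost
JOIN CondVulnDep d ON d.VulnID = hv.VulnID AND d.Access = c.Access AND d.Field = 'D'
WHERE NOT EXISTS (SELECT 1 FROM PortBlocked pb
                  WHERE pb.srcHost = c.srcHost AND pb.dstHost = c.dstHost AND pb.dstPort = d.Port)
  AND NOT EXISTS (SELECT 1 FROM CondVulnDep r WHERE r.VulnID = hv.VulnID AND r.Access = c.Access
                  AND NOT EXISTS (SELECT 1 FROM Condition k
                                  WHERE k.Condition = r.Condition
                                    AND k.Host = CASE r.Field WHEN 'D' THEN c.dstHost ELSE c.srcHost END
                                    AND (r.Field = 'S' OR (k.OS = r.OS AND k.Port = r.Port))))
"""
CE_Q = """
INSERT OR IGNORE INTO ConditionExploit
SELECT CASE r.Field WHEN 'D' THEN e.dstHost ELSE e.srcHost END, r.Condition, e.srcHost, e.dstHost, e.VulnID
FROM Exploit e JOIN CondVulnDep r ON r.VulnID = e.VulnID AND r.Access = e.Access
"""
EC_Q = """
INSERT OR IGNORE INTO ExploitCondition
SELECT e.srcHost, e.dstHost, e.VulnID, e.dstHost, v.Condition
FROM Exploit e JOIN VulnCondDep v ON v.VulnID = e.VulnID AND v.Access = e.Access AND v.OS = e.OS
"""
COND_Q = """
INSERT OR IGNORE INTO Condition
SELECT e.dstHost, v.Condition, v.OS, v.Port
FROM Exploit e JOIN VulnCondDep v ON v.VulnID = e.VulnID AND v.Access = e.Access AND v.OS = e.OS
"""


def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def _size(conn):
    return sum(conn.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0] for t in ("Exploit", "Condition"))


def build_graph(conn):
    """Seed Condition from Pre-Condition/Host-Information, then re-run the derivation
    queries until no new Exploit or Condition tuple appears (fixed point).  Returns the round count."""
    conn.execute("INSERT OR IGNORE INTO Condition SELECT p.Host, p.Condition, h.OS, p.Port "
                 "FROM PreCondition p JOIN HostInformation h ON h.Host_Name = p.Host")
    rounds = 0
    while True:
        before = _size(conn)
        for q in (EXPLOIT_Q, CE_Q, EC_Q, COND_Q):
            conn.execute(q)
        rounds += 1
        if _size(conn) == before:
            return rounds


def exploits(conn):    # projection EX (srcHost, dstHost, VulnID)
    return sorted(conn.execute("SELECT DISTINCT srcHost, dstHost, VulnID FROM Exploit"))


def conditions(conn):  # projection HC (Host, Condition)
    return sorted(conn.execute("SELECT DISTINCT Host, Condition FROM Condition"))


def to_dot(conn):
    """EX/HC tuples as vertices, CE/EC tuples as edges, in Graphviz DOT."""
    out = ["digraph attack_graph {"]
    out += [f'  "{s}->{d}:{v}" [shape=box, color=red];' for s, d, v in exploits(conn)]
    out += [f'  "{h}:{c}" [shape=ellipse];' for h, c in conditions(conn)]
    out += [f'  "{h}:{c}" -> "{s}->{d}:{v}";' for h, c, s, d, v in conn.execute("SELECT * FROM ConditionExploit")]
    out += [f'  "{s}->{d}:{v}" -> "{h}:{c}";' for s, d, v, h, c in conn.execute("SELECT * FROM ExploitCondition")]
    return "\n".join(out + ["}"])


if __name__ == "__main__":
    db = load_sample()
    print(build_graph(db), "rounds")
    print(to_dot(db))  # pipe into: dot -Tpng -o graph.png
```

On the sample data the first round derives only A->H2 via V1 (the attacker has User, H2 runs IIS on the OS the dependency names, port 80 is open), which grants User on H2; the second round derives H2->H1 via V2 from that new condition, which grants Root on H1; the third round adds nothing and the loop stops. The direct A->H1 exploit never appears because Port-Blocked records port 21 as filtered between those hosts; deleting that tuple and calling build_graph again adds it. The OS check in the D-condition match is what makes the result operating-system specific: an IIS instance on a Windows XP host would not satisfy V1's Windows NT dependency.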
5.1 Case Study
The modified approach is verified with the experimental environment described below; its topology is shown in Figure-6.2.
There are two hosts in the experimental network. Host H1 runs an FTP service and IE (Internet Explorer); host H2 runs an IIS server. The firewall is inactive in this scenario, i.e. it allows exterior hosts to access all services of the internal hosts. To simplify the experiment we consider only the 5 vulnerabilities shown in Figure-6.2. The information about each host is stored in the relational database tables.
Figure-6.2: Experimental Network Topology (Attacker, Firewall, Router, H1, H2; services IIS, FTP and IE; vulnerabilities CVE-2006-3086, CVE-2006-1359, CVE-2006-1190, CVE-2002-1181 and CVE-2003-0113)
The operating system (OS) of H1 is Windows XP and the OS of H2 is Windows NT. H1 has an OS-related vulnerability, CVE-2006-3086. The Connectivity relation for H1 to H2 stores the tuple {H1, H2, network}. The knowledge database for this experiment was created manually.
The attack graph generated by this method is shown in Figure-6.3. In the attack graph a red rectangle indicates an attack, i.e. an exploit, and an ellipse with a green border indicates an initial condition. An ellipse with a green background indicates the attacker's initial condition. A yellow ellipse indicates a condition where the attacker gains user privilege on a particular host, and a red ellipse indicates a condition where the attacker gains root privilege on that host.
Figure-6.3: Attack graph of Figure-6.2
Chapter 6
Conclusion
6.1 Contribution of the Thesis
This thesis presented a way of assessing the vulnerability of wireless networks, in order to improve network security management, using attack graphs. The general study of attack graphs, covering their description, their applications and the various generation methods, shows that the attack graph is a powerful tool for vulnerability assessment in network security.
Several authors have proposed methods for automatic attack graph generation. Scalability and time complexity remain the most challenging issues in attack graph generation, because real networks are large and contain a huge number of vulnerabilities. My approach to attack graph generation is a modification of previous work: it takes into account detailed information about the network topology, about the host machines and the standard vulnerability identifiers in order to reduce the size of the attack graph.
The vulnerability study of wireless networks, including 3G networks, indicates that the security of a wireless network depends on its end-to-end connectivity, so vulnerability assessment of wireless networks involves both computer security and end-to-end network security. In this respect a wired network is more secure than a wireless one. Most attack graph generation approaches measure network security at the enterprise level without considering vulnerabilities at the end-to-end system level. My approach to attack graph generation is also applicable to 3G networks, because 3G wireless networks provide IP-based connectivity to the Internet.
6.2 Future work
The work covers some of the areas related to attack graph generation. The network configuration and the domain knowledge are currently supplied manually, which is not feasible in a real-world scenario; techniques for obtaining the network configuration and domain knowledge automatically will therefore be introduced.
The study of the 3G attack graph focuses on vulnerability assessment at the end-to-end system level. The proposed approach can be further extended to cover both Internet vulnerability assessment and end-to-end network vulnerability assessment of 3G networks.
Bibliography
[1] Paul Ammann, Duminda Wijesekera, and Saket Kaushik. Scalable, graph-based network vulnerability analysis. In CCS '02: Proceedings of the 9th ACM Conference on Computer and Communications Security, pages 217–224, New York, NY, USA, 2002. ACM.
[2] Sushil Jajodia. Topological analysis of network attack vulnerability. In ASIACCS '07: Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, pages 2–2, New York, NY, USA, 2007. ACM.
[3] S. Jha, O. Sheyner, and J. Wing. Two formal analyses of attack graphs. In CSFW '02: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, page 49, Washington, DC, USA, 2002. IEEE Computer Society.
[4] Dapeng Man, Bing Zhang, Wu Yang, Wenjin Jin, and Yongtian Yang. A method for global attack graph generation. In ICNSC 2008: IEEE International Conference on Networking, Sensing and Control, pages 236–241, April 2008.
[5] Peter Mell, Karen Scarfone, and Sasha Romanosky. CVSS: A Complete Guide to the Common Vulnerability Scoring System Version 2.0, 2007.
[6] Xinming Ou, Wayne F. Boyer, and Miles A. McQueen. A scalable approach to attack