Vulnerability Assessment of Wireless Network using Attack Graph
Academic year: 2021


Vulnerability Assessment of Wireless Network using Attack Graph

A Thesis submitted in partial fulfillment of the requirements for the degree of

Master of Engineering in Computer Science and Engineering

Department of Computer Science and Engineering Jadavpur University, Kolkata

By Arunava Ghosh

Examination Roll: M4CSE10-10 Class Roll: 000810502013 of 2008-09 University Registration No. 105186 of 2008-09

Under the guidance of Shri M. S. Barik

Department of Computer Science and Engineering Jadavpur University, Kolkata


Department of Computer Science and Engineering, Faculty of Engineering and Technology,

Jadavpur University, Kolkata 700032

Certificate of Approval

This is to certify that the thesis entitled “Vulnerability Assessment of Wireless Network using Attack Graph” is a bona-fide record of work carried out by Arunava Ghosh in partial fulfillment of the requirements for the award of the degree of Master of Engineering in Computer Science and Engineering in the Department of Computer Science and Engineering, Jadavpur University, during the period June 2009 to May 2010. It is understood that by this approval the undersigned do not necessarily endorse or approve any statement made, opinion expressed or conclusion drawn therein, but approve the thesis only for the purpose for which it has been submitted.

Examiners:

———————————— ————————————


Contents

1 Introduction
  1.1 Motivation
  1.2 Thesis Objective
  1.3 Thesis Layout
2 Attack Graph
  2.1 Introduction
  2.2 Background
  2.3 Attack graph and its related terms
  2.4 Purpose of Attack Graph
  2.5 Brief Description with an Example
  2.6 Various methods of attack graph generation
3 Vulnerability in Wireless Network
  3.1 Wireless network
  3.2 Wireless vs. wired network
  3.3 Vulnerability in wireless network
4 Attack Graph on 3G Network
  4.1 Introduction to 3G
  4.2 Existing Wireless Network technologies prior to 3G
  4.3 Third Generation (3G)
    4.3.1 3G Architecture
    4.3.2 3G Network
    4.3.3 3G Network Security
  4.4 Introduction to 3G Attack Graph
    4.4.1 Attacks on 3G
    4.4.2 3G Attack Graph
5 Attack Graph generation: A Modified Approach
  5.1 Case Study
6 Conclusion
  6.1 Contribution of the Thesis
  6.2 Future work


List of Figures

2.1 Example of Multi-stage and Multi-host attack
2.2 Network Vulnerability Analysis
3.1 Infrastructure Network
3.2 Ad-hoc Network
4.1 3G Network Architecture Model
4.2 Signal flow for call delivery service
4.3 Speech Attack
4.4 Attack graph for Speech attack
6.1 A sample value of each relation
6.2 Experimental Network Topology


Abstract

The attack graph is an important tool for vulnerability assessment of network security. Several attack graph generation methods based on various techniques have been proposed. Attack graphs provide the possible paths an attacker can take to compromise a network. A 3G wireless network is more vulnerable than an earlier 2G wireless network because 3G connects the telephone network directly to the public network. A thorough study of the vulnerabilities of wireless networks helps in vulnerability assessment of such networks, and attack graphs can be used for vulnerability assessment of 3G wireless networks. This thesis presents an approach to attack graph generation with the help of relational queries.


Chapter 1

Introduction

1.1 Motivation

Wireless networks have become more popular with the advent of 3G technology. In 3G the telecommunication network merges with the public network. The possibility of attacks on the 3G wireless network increases due to the introduction of IP-based services. 3G networks were built for performance, and as a result security was made a second priority in the trade-off.

When evaluating the security of a network, it is not enough to consider the presence or absence of isolated vulnerabilities. Traditional tools for network vulnerability assessment, such as Nessus or the OVAL vulnerability scanner, simply scan individual machines on a network and report their known vulnerabilities. These tools are insufficient for analyzing networks where interdependencies among individual vulnerabilities are a major issue. Attackers take advantage of interdependencies among individual vulnerabilities to carry out multi-stage attacks.

An efficient technique for evaluating the security of a computer network is the application of attack graphs. An attack graph represents all known attack paths that an attacker can use to penetrate a computer network. An attack path describes a chain of exploits where, starting from some initial state, each exploit in the chain lays the groundwork for subsequent exploits. On successful exploitation of the vulnerabilities the attacker reaches some desired goal state. A variety of graph-based approaches have been proposed for generating and analyzing attack graphs.


1.2 Thesis Objective

The thesis surveys existing attack graph generation techniques and the vulnerabilities of wireless networks. It also proposes a framework for generating attack graphs that can be used for vulnerability assessment to evaluate network security.

1.3 Thesis Layout

The thesis is organized as follows. Chapter 2 presents the attack graph and various methods for attack graph generation. Chapter 3 gives brief information on wireless networks and a short description of vulnerabilities in wireless networks. Chapter 4 discusses the 3G network in detail and introduces the 3G attack graph. Chapter 5 proposes a new approach for generating attack graphs. Finally, Chapter 6 contains the conclusion and future work.


Chapter 2

Attack Graph

2.1 Introduction

An enterprise network is by definition a geographically dispersed network under the jurisdiction of one organization. It may consist of several different types of networks and computer systems from different vendors. Such a network of hosts continuously grows in size and becomes more complex. Typically large networks contain various types of platforms and software packages and employ several modes of connectivity.

Analysis of system information is very important for evaluating the security of an enterprise network and protecting it from network attacks. An attacker can break into a network through a series of exploits, where each exploit in the series satisfies the preconditions of subsequent exploits, making a causal relationship among them. Such a series of exploits makes an attack path, and the set of all possible attack paths forms an attack graph. A security analyst must therefore consider the effects of interactions of local vulnerabilities and find the global security holes introduced by interconnection. It is impossible to continuously and manually verify that a network has no vulnerabilities to outside attacks, so tools have been developed to identify and report known vulnerabilities in running software versions, firewall policies, and other system settings.

Network security scanning tools are helpful for determining the vulnerabilities of individual hosts. Using this local vulnerability information along with other information about the network, such as connectivity between hosts, the analyst produces an attack graph.


2.2 Background

There are some efficient network scanner tools available today, such as Nessus, OVAL, Retina, Nmap and CyberCop. These scanning tools are useful for detecting vulnerabilities local to a system, but they cannot identify all the conditions required for a complete attack to take place, or how different vulnerabilities on different systems are correlated to produce attacks potentially more harmful than the individual ones.

One tool that describes the correlated attacks in a network is the attack graph. It shows network administrators all possible sequences of attacker actions that eventually lead to the desired level of privilege on the target. In some of the literature, the attack graph is also termed the exploit dependency graph.

For a specific network, an attack graph is a mathematical abstraction of the details of possible attacks. However, even for small networks, attack graphs are too large and complex for a human to fully comprehend. Although a user can quickly see that attackers can penetrate the network, it is hard to tell which privileges and vulnerabilities matter most to the attackers’ success. Hence network administrators require a tool that can identify the possible attacks so that they can take the necessary measures to preserve network security.

2.3 Attack graph and its related terms

Basically, an attack graph is a data structure used to represent all possible attacks on a network. In the abstract, it is a graph with the following properties:

o The graph reflects the network connectivity (not necessarily the topology) and vulnerability information (local or through the connections)

o Each path (i.e. attack path) in an attack graph is a series of exploits forming an attack scenario


Mathematically an attack graph can be defined as a state transition system $T = (S, \tau, s_0, S_G)$, where $S$ is a set of network states, $\tau \subseteq S \times S$ is the transition relation, $s_0 \in S$ is the initial network state, and $S_G \subseteq S$ is the set of target (goal) network states.

The key terms related to attack graph, are- vulnerability, exploit and attack path which are described briefly:

Vulnerability: In computer security, the term vulnerability is applied to a weakness in a system which allows an attacker to violate the integrity of that system. Vulnerabilities may result from weak passwords, software bugs, a computer virus or other malware, script code injection, or SQL injection.

Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a vulnerability in order to cause unintended or unanticipated behaviour in computer software or hardware. Exploits are commonly categorized and named by the type of vulnerability they utilize (e.g. SQL injection vulnerability → SQL injection exploit, buffer overflow vulnerability → buffer overflow exploit).

Attack Path: Each path in an attack graph is a series of exploits, called actions, that leads to an undesirable state. An example of an undesirable state is a state where the intruder has obtained administrative access to a critical host.

2.4 Purpose of Attack Graph

An attack graph is an important tool for evaluating security vulnerabilities in enterprise networks. The main purpose of constructing attack graph is to identify the potential attack sequences according to the causal relationships between the series of exploits and discover the advanced attack strategies of attackers. This will help the security analyst to better understand the network security situation.


o To gather information: Attack graphs can answer questions like “What attacks is my system vulnerable to?” and “From an initial configuration, how many different ways can an attacker reach a final state to achieve his goal?”

o To make decisions: Attack graphs can answer questions like “Which set of actions should I prevent to ensure the attacker cannot achieve his goal?” or “Which set of security measures should I deploy to ensure the attacker cannot achieve his goal?”

2.5 Brief Description with an Example

When analyzing the security of an enterprise network, it is important to consider multi-stage and multi-host attacks. Suppose an attacker can gain full access to a particular host, say the victim host, by exploiting a vulnerability present on that host, and through the victim host then gains full control over another host, say the target host. Although the attacker cannot gain full access to the target host directly, the attacker succeeds through the victim host. An attack graph that illustrates all possible multi-stage, multi-host attack paths is therefore crucial for a system administrator to understand the nature of the threats and decide upon appropriate countermeasures.

We can cite an example to show how a multi-stage, multi-host attack is possible. A restrictive firewall protects the machines that support public web and email services, as shown in Figure-2.1(a). The example shows how vulnerable services on a network can be exploited even when direct access to those services is blocked.

The firewall implements the following policy to restrict connectivity from the attacker machine:

1. Incoming ssh traffic is permitted to both h1 and h2, although only h2 is running the service;

2. Incoming web traffic is permitted only to h1, which is running Microsoft’s Internet Information Server (IIS);

3. Incoming email is permitted to h2, which is running the sendmail server;

4. Incoming File Transfer Protocol (FTP) traffic is blocked because h2 is running the wu_ftpd server, which has a history of vulnerabilities;


5. All outgoing traffic is permitted.

Figure-2.1: Example of Multi-stage and Multi-host attack

Here the goal of the attacker is to obtain super user (root) access on h2. This is not directly possible because (1) no known exploits exist for the version of sendmail running on h2, and (2) the firewall blocks access to the vulnerable wu_ftpd service from the attacker machine. Now, the question is whether the attack goal can be realized indirectly, i.e., through a sequence of multiple exploits.

The external attacker can obtain execute access with super user privilege on h2 in the following way:

1. The IIS Remote Data Services (RDS) exploit enables the attacker to execute programs on h1;

2. Having gained access through the IIS RDS exploit, the attacker runs the remote copy (rcp) program on h1 to download a rootkit from the attacker machine;

3. A port-forwarding program from the rootkit is then executed to set up access from the attacker machine through h1 to the FTP service on h2;

4. Finally, the wu_ftpd exploit is executed through the forwarded connection against h2 to obtain root access there.

So, this is a possible attack path that leads to root access on h2 (shown in Figure-2.1(b)).

[Figure 2.1: (a) Network topology: attacker, h1, h2. (b) Attack graph showing one possible way to gain root: attacker → h1 (IIS RDS exploit) → h2 (wu_ftpd exploit)]
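The four-step attack above, as an added worked example that is not part of the thesis: a small monotonic forward search (in the style of the exploit-dependency approaches surveyed in the next section) over the Figure 2.1 network, which derives every condition the attacker can reach, extracts the exploit sequence to root on h2, and re-runs after a firewall change. The condition strings, exploit names, the `conn(h1,h2,ftp)` assumption and the `INITIAL` set are this example's own encoding of the firewall policy and the four steps, not data from the thesis.

```python
# Added example (not from the thesis): monotonic forward search over the exploits
# of the Figure 2.1 network. The condition strings, exploit names and INITIAL set
# are this example's own encoding of the firewall policy and attack steps above.

# Conditions are plain strings (an assumption of this encoding):
#   execute(h)          attacker can run programs on h
#   rootkit(h)          attacker's rootkit is installed on h
#   root(h)             attacker has super-user access on h
#   vuln(h,v)           h runs software vulnerable to v
#   conn(src,dst,svc)   src can reach service svc on dst (firewall policy)
INITIAL = {
    "execute(attacker)",
    "conn(attacker,h1,ssh)", "conn(attacker,h2,ssh)",  # rule 1 (h1 runs no sshd)
    "conn(attacker,h1,web)",                           # rule 2
    "conn(attacker,h2,smtp)",                          # rule 3
    "conn(h1,attacker,any)",                           # rule 5: outgoing traffic allowed
    "conn(h1,h2,ftp)",                                 # h1 is inside the firewall (assumption)
    "vuln(h1,iis_rds)", "vuln(h2,wu_ftpd)",
}
# Rule 4: deliberately no conn(attacker,h2,ftp) in INITIAL.

# exploit -> (preconditions, postconditions). Monotonic: postconditions only add.
EXPLOITS = {
    "iis_rds": ({"execute(attacker)", "conn(attacker,h1,web)", "vuln(h1,iis_rds)"},
                {"execute(h1)"}),
    "rcp_rootkit": ({"execute(h1)", "conn(h1,attacker,any)"},
                    {"rootkit(h1)"}),
    "port_forward": ({"rootkit(h1)", "conn(h1,h2,ftp)"},
                     {"conn(attacker,h2,ftp)"}),
    "wu_ftpd": ({"conn(attacker,h2,ftp)", "vuln(h2,wu_ftpd)"},
                {"root(h2)"}),
}


def generate(initial, exploits):
    """Forward closure under monotonicity.

    Returns (conditions, fired, producer): every condition that becomes true,
    the exploits in the order they became executable (each exactly once),
    and, for each derived condition, the exploit that first implied it.
    Require edges are pre -> exploit, imply edges are exploit -> post.
    """
    conditions = set(initial)
    fired, producer = [], {}
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name in fired or not pre <= conditions:
                continue
            fired.append(name)
            for c in post:
                if c not in conditions:
                    conditions.add(c)
                    producer[c] = name
            changed = True
    return conditions, fired, producer


def attack_path(goal, initial, exploits):
    """One attack path to `goal`: the exploits needed to derive it, in firing
    order, or None when the goal is unreachable from the initial conditions."""
    conditions, fired, producer = generate(initial, exploits)
    if goal not in conditions:
        return None
    needed, todo = set(), [goal]
    while todo:                          # walk producers back to initial conditions
        exploit = producer.get(todo.pop())
        if exploit and exploit not in needed:
            needed.add(exploit)
            todo.extend(exploits[exploit][0])
    return [e for e in fired if e in needed]


def what_if(goal, removed, initial=INITIAL, exploits=EXPLOITS):
    """Attack path after a configuration change that removes one initial
    condition (e.g. a firewall rule); None means the change blocks the goal."""
    return attack_path(goal, initial - {removed}, exploits)


if __name__ == "__main__":
    print("path to root(h2):", attack_path("root(h2)", INITIAL, EXPLOITS))
    print("web blocked:     ", what_if("root(h2)", "conn(attacker,h1,web)"))
    print("ssh to h2 cut:   ", what_if("root(h2)", "conn(attacker,h2,ssh)"))
```

Because the search is monotonic, reaching `root(h2)` is simply membership in the closure, so the `None` returned once the web rule is removed is the safety property "the attacker never obtains root on h2" holding for that configuration, while removing the unused ssh rule changes nothing. Re-running the search after each configuration change is the automated regeneration that the next section argues for.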


Attack graphs provide a visual representation of the potential attack paths, employing the vulnerabilities, that could be followed to compromise system resources. Various methods have been proposed to generate attack graphs. Making the attack graph a useful tool for configuration management requires two issues to be considered: first, representing the attack graph in a manner that is easy for a human user to understand, and second, automating the graph generation.

2.6 Various methods of attack graph generation

As the attack graph is a useful tool for evaluating security vulnerabilities in enterprise networks, the attack graph generation method is also very important. Early attack graphs, such as those produced by red teams, were drawn by hand, which is tedious and error prone. Moreover, the network configuration, including the services run by different hosts, is not fixed: any change in the configuration of network devices such as firewalls and routers changes the attack graph. Automated attack graph generation is therefore preferable.

A typical process for vulnerability analysis of a network is shown in Figure-2.2. First, vulnerability scanning tools determine the vulnerabilities of individual hosts. Using this local vulnerability information along with other information about the network, such as connectivity between hosts, the analyst produces an attack graph. Each path in an attack graph is a series of exploits, which we call atomic attacks, that leads to an undesirable state (e.g. a state where an intruder has obtained administrative access to a critical host).

Figure-2.2: Network Vulnerability Analysis

[Figure 2.2 blocks: network host scanning tool → vulnerability information per host; network information and security condition; both feed the attack graph generation tool]


The main problem of attack graph generation is scalability, because even small networks can produce very large attack graphs. Several authors have proposed approaches to automate attack graph generation.

Yang et al. [4] present a graph generation method based on breadth-first search (BFS). The method can search all the attack paths that attackers could possibly take in the target network. There are four steps: collection of all the security elements of the current network, construction of an attack node set, finding the dependences among the attack nodes using BFS, and finally construction of the attack graph from those dependences. The graph is drawn automatically by Graphviz [25], and the size of the attack graph is reduced by applying limiting strategies such as a success-probability threshold below which a path is removed.

Sheyner et al. [8] proposed a method using model checking. Here the network is modelled as a finite state machine, where state transitions correspond to atomic attacks launched by the attacker. A desired security property is specified (e.g. an attacker should never obtain root access to a host machine); the attacker’s goal generally corresponds to violating this property. The state of the network is formally modelled as a collection of Boolean variables representing configuration parameters and the attacker’s privileges, and the attacker’s actions are modelled as state-transition relations. The security property of the network is specified as a temporal logic formula, which can be automatically checked against the model by a model checker.

McQueen et al. [6] proposed a method using predicate logic. The logical attack graph is generated with the help of the MulVAL tool [7] and illustrates all possible multi-stage, multi-host attack paths, which helps a system administrator understand the nature of the threats and decide upon appropriate countermeasures. A logical attack graph is a directed graph and can be represented in the form of a tree with possible cross links between nodes. There are two kinds of nodes in the graph: derivation nodes and fact nodes. There are also two kinds of fact nodes: primitive fact nodes and derived fact nodes. Each fact node is labeled with a logical statement in the form of a predicate applied to its arguments. The root node is the attack goal. Every derivation node is labeled with the interaction rule used for that derivation step. The edges in the graph represent the “depends on” relation. A fact node depends on one or more derivation nodes, each of which represents an application of an interaction rule that yields the fact. A derivation node depends on one or more fact nodes, which together satisfy the preconditions of the rule. Thus a logical attack graph is a bipartite directed graph. The derivation nodes serve as a medium between a fact and its “reasons”, i.e. how the fact becomes true. Since a fact may have different ways to become true, the derivation nodes directed from a fact node form a disjunction. A derivation node represents a successful application of an interaction rule, where all its preconditions are satisfied by its children, so the fact nodes directed from a derivation node form a conjunction.

Another method, proposed by Ammann et al. [1], presents a scalable attack graph representation. They encode the attack graph as dependencies among exploits and security conditions, under the assumption of monotonicity: an attacker does not decrease his ability by launching attacks, and hence never needs to relinquish privileges already gained, so the attacker’s privileges only increase during the analysis. They treat vulnerabilities, intruder access privileges, and network connectivity as atomic Boolean attributes. In this model, monotonicity means that (1) once a post-condition is satisfied, it can never become unsatisfied, and (2) the negation operator cannot be used in expressing action preconditions. They present an efficient algorithm for extracting minimal attack scenarios from the representation, and suggest that a standard graph algorithm can produce a critical set of actions that disconnects the attacker’s goal state from the initial state. Monotonicity restricts the approach to simple safety properties.

Jajodia et al. [20] proposed an attack graph generation method using relational queries. In this method the attack graph is visualized as a directed graph having two types of vertices, exploits and security conditions (or simply conditions). An exploit is a triple (hs, hd, v), where hs and hd are two connected hosts and v is a vulnerability on the destination host hd. A security condition is a pair (h, c) indicating that host h satisfies a condition c relevant to security. An attack graph has two types of edges denoting the inter-dependency between exploits and conditions. First, the require relation is a directed edge pointing from a condition to an exploit, meaning the exploit cannot be executed unless the condition is satisfied. Second, the imply relation points from an exploit to a condition, meaning that executing the exploit satisfies the condition.
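The exploit/condition representation just described, as an added example that is not the thesis's own code or queries: the Figure 2.1 network of section 2.5 is stored as relations in SQLite, and the attack graph is derived by repeating one SQL query that selects every exploit whose required conditions all hold and then inserting its implied conditions, until nothing new appears. The same relations also answer the critical-set question of Ammann et al. for single exploits, by re-deriving the graph with one exploit removed. Table and column names, the (host, c) condition strings, the `("h2", "ftp_from_h1")` assumption and the exploit triples are this example's assumptions.

```python
import sqlite3

# Added example (not the thesis's code): Jajodia et al.'s exploit/condition
# attack graph held in SQLite relations. Table and column names, the (host, c)
# condition strings and the exploit triples are this example's assumptions;
# the network is the Figure 2.1 example of section 2.5.

SCHEMA = """
CREATE TABLE cond    (host TEXT, c TEXT, PRIMARY KEY (host, c));          -- (h, c) conditions that hold
CREATE TABLE exploit (hs TEXT, hd TEXT, v TEXT, PRIMARY KEY (hs, hd, v)); -- (hs, hd, v) exploits
CREATE TABLE require (hs TEXT, hd TEXT, v TEXT, host TEXT, c TEXT);       -- condition -> exploit
CREATE TABLE imply   (hs TEXT, hd TEXT, v TEXT, host TEXT, c TEXT);       -- exploit -> condition
CREATE TABLE done    (hs TEXT, hd TEXT, v TEXT, PRIMARY KEY (hs, hd, v)); -- exploits derived so far
"""

# Initial conditions: the attacker's foothold, firewall-permitted connectivity,
# and the vulnerabilities a host scanner would report.
INITIAL = [
    ("attacker", "execute"),
    ("h1", "web_from_attacker"),      # rule 2: web traffic to h1 permitted
    ("h1", "vuln_iis_rds"),
    ("h1", "outbound_to_attacker"),   # rule 5: outgoing traffic permitted
    ("h2", "ftp_from_h1"),            # h1 sits inside the firewall (assumption)
    ("h2", "vuln_wu_ftpd"),
]                                     # rule 4: no ("h2", "ftp_from_attacker")

# (hs, hd, v) -> (required conditions, implied conditions); local steps use hs == hd.
EXPLOITS = {
    ("attacker", "h1", "iis_rds"):
        ([("attacker", "execute"), ("h1", "web_from_attacker"), ("h1", "vuln_iis_rds")],
         [("h1", "execute")]),
    ("h1", "h1", "rcp_rootkit"):
        ([("h1", "execute"), ("h1", "outbound_to_attacker")],
         [("h1", "rootkit")]),
    ("h1", "h2", "port_forward"):
        ([("h1", "rootkit"), ("h2", "ftp_from_h1")],
         [("h2", "ftp_from_attacker")]),
    ("attacker", "h2", "wu_ftpd"):
        ([("h2", "ftp_from_attacker"), ("h2", "vuln_wu_ftpd")],
         [("h2", "root")]),
}

# Exploits not yet derived for which no required condition is missing.
EXECUTABLE = """
SELECT e.hs, e.hd, e.v FROM exploit e
WHERE NOT EXISTS (SELECT 1 FROM done d WHERE d.hs = e.hs AND d.hd = e.hd AND d.v = e.v)
  AND NOT EXISTS (
      SELECT 1 FROM require r
      WHERE r.hs = e.hs AND r.hd = e.hd AND r.v = e.v
        AND NOT EXISTS (SELECT 1 FROM cond k WHERE k.host = r.host AND k.c = r.c))
ORDER BY e.hs, e.hd, e.v
"""


def build_db(initial=INITIAL, exploits=EXPLOITS):
    """Load conditions, exploits and their require/imply edges into an in-memory DB."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO cond VALUES (?, ?)", initial)
    for triple, (required, implied) in exploits.items():
        db.execute("INSERT INTO exploit VALUES (?, ?, ?)", triple)
        db.executemany("INSERT INTO require VALUES (?, ?, ?, ?, ?)", [triple + rc for rc in required])
        db.executemany("INSERT INTO imply VALUES (?, ?, ?, ?, ?)", [triple + ic for ic in implied])
    return db


def derive(db):
    """Fixpoint: execute every executable exploit, add its implied conditions,
    repeat until the query returns nothing. Returns exploits in derivation order."""
    order = []
    while True:
        rows = db.execute(EXECUTABLE).fetchall()
        if not rows:
            return order
        for triple in rows:
            db.execute("INSERT INTO done VALUES (?, ?, ?)", triple)
            db.execute("INSERT OR IGNORE INTO cond (host, c) "
                       "SELECT host, c FROM imply WHERE hs = ? AND hd = ? AND v = ?", triple)
            order.append(triple)


def holds(db, host, c):
    """True when condition (host, c) has been derived."""
    return db.execute("SELECT 1 FROM cond WHERE host = ? AND c = ?", (host, c)).fetchone() is not None


def attack_graph(db):
    """Edges of the derived graph: ('require', (h, c), (hs, hd, v)) and
    ('imply', (hs, hd, v), (h, c)), restricted to exploits that were derived."""
    req = db.execute("SELECT r.host, r.c, r.hs, r.hd, r.v FROM require r "
                     "JOIN done d ON d.hs = r.hs AND d.hd = r.hd AND d.v = r.v").fetchall()
    imp = db.execute("SELECT i.hs, i.hd, i.v, i.host, i.c FROM imply i "
                     "JOIN done d ON d.hs = i.hs AND d.hd = i.hd AND d.v = i.v").fetchall()
    return ([("require", (h, c), (hs, hd, v)) for h, c, hs, hd, v in req]
            + [("imply", (hs, hd, v), (h, c)) for hs, hd, v, h, c in imp])


def critical_exploits(goal, initial=INITIAL, exploits=EXPLOITS):
    """Exploits whose removal alone (patching v on hd) disconnects `goal` from
    the initial conditions: the single-exploit case of Ammann et al.'s critical set."""
    critical = []
    for triple in exploits:
        db = build_db(initial, {k: val for k, val in exploits.items() if k != triple})
        derive(db)
        if not holds(db, *goal):
            critical.append(triple)
    return critical


if __name__ == "__main__":
    db = build_db()
    for triple in derive(db):
        print("executed", triple)
    print("root on h2:", holds(db, "h2", "root"))
    print("critical:", critical_exploits(("h2", "root")))
```

The fixpoint loop is the relational counterpart of forward chaining: each round of `EXECUTABLE` finds the exploits whose require edges all point at satisfied conditions, and the `INSERT ... SELECT` adds their imply edges' targets. On this network every one of the four exploits is critical, since the graph has a single path; with more than one path the same loop over subsets would be needed to find a minimal cut set.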


Chapter 3

Vulnerability in Wireless Network

3.1 Wireless network

A network set up using the electromagnetic spectrum (radio, microwave and light waves) to communicate among computers and other network devices is called a wireless network. Wireless networks carry data between transmitters and receivers attached to computers and fixed transmitters and receivers connected to the campus network infrastructure via devices known as wireless access points.

Access points are placed at locations dictated by coverage needs and the signal requirements of a given wireless technology. While some wireless applications are focused point-to-point connections, others provide a general area of coverage. The two main components of a wireless network are therefore the wireless router or access point and the wireless clients. If a wireless router is attached to a cable/DSL modem and each computer is given a wireless card, a simple wireless network is formed.

Sometimes a wireless network is also referred to as a WiFi network or WLAN. Over the past few years wireless networks have become popular because they are easy to set up and involve no cabling. The availability of low-cost WLAN equipment allows just about anyone to set up a wireless Internet access point.

Wireless networks can be configured in two modes: infrastructure mode and ad hoc mode. Infrastructure mode connects computers with wireless network adapters, also known as wireless clients, to an existing wired network with the help of a wireless router or access point. This mode not only provides access to other networks but also includes forwarding functions, medium access control, etc. The access point does not just control medium access but also acts as a bridge to other wireless or wired networks.


Figure-3.1 shows a direct implementation of the Windows Network Projector functionality built into a new or existing projector design. With this integrated support, the projector can be discovered and connected to by a Windows Vista-based PC. This example shows the Windows Network Projector used with an infrastructure network connection [33].

Figure-3.1: Infrastructure Network

The design of an infrastructure-based wireless network is simple because most of the network functionality lies within the access point, so the wireless clients can remain quite simple. Infrastructure-based networks cannot be used for disaster relief where no infrastructure is left, so this type of network is less flexible. Ad hoc mode is used to connect wireless clients directly together, without the need for a wireless router or access point. An ad hoc network consists of up to 9 wireless clients, which send their data directly to each other. Figure-3.2 shows the projector used with an ad hoc network connection [33].


The deployment issues regarding wireless network technology can be best understood if placed into the following three service classifications:

o Wireless Personal Area Networking (WPAN)

o Wireless Local or Campus Area Networking (WLAN)

o Wireless Wide Area Networking (WWAN)

WPAN Technology:

A WPAN is a network for interconnecting devices centred around an individual person's workspace, in which the connections are wireless. Typically a wireless personal area network uses a technology that permits communication within about 10 metres, in other words a very short range.

Some examples are: cordless communication between keyboard and computer, cordless communication between a Personal Digital Assistant (PDA) and your computer, and cordless communication between your cell phone and home phone.

Feature: Low-powered, limited coverage range

Standard: The most popular WPAN standards are Bluetooth (IEEE 802.15.1), ZigBee (IEEE 802.15.4) and UWB (Ultra Wide Band, IEEE 802.15.3a)

WLAN Technology:

WLAN provides wireless network communication over short distances using radio or infrared signals instead of traditional network cabling.

Feature: Relatively high power consumption; limited support for roaming; supported implementation topologies include overlapping cells and integration of remote cells via an existing network infrastructure.

Standard: The 802.11 wireless standards are:

o 802.11b supports bandwidth up to 11 Mbps, comparable to traditional Ethernet, and uses the same unlicensed radio frequency band (2.4 GHz) as the original 802.11 standard

o 802.11a supports bandwidth up to 54 Mbps and signals in a regulated frequency spectrum around 5 GHz.


o 802.11g supports bandwidth up to 54 Mbps, and it uses the 2.4 GHz band for greater range.

WWAN Technology:

WWAN describes network technologies that are deployed over a large geographical area, typically serve a large number of users, and are implemented wirelessly. A WWAN uses mobile telecommunication cellular network technologies such as WiMAX (though that is better classed as a WMAN technology), UMTS, GPRS, CDMA2000, GSM, CDPD, Mobitex, HSDPA or 3G to transfer data.

Feature: Voice service and data transmission

3.2 Wireless vs. wired network

Wireless networks, such as Wi-Fi, provide communication between devices without a physical link; wired networks, such as Ethernet, provide communication between fixed locations. Wireless networks have some advantages over wired networks:

Flexibility: A wireless network provides mobility of sender and receiver devices. Within the network's signal coverage, nodes (wireless devices) can communicate without further restriction. Radio signals can penetrate walls, so senders and receivers can be placed anywhere. Device mobility is thus the primary benefit of wireless.

Planning: Wireless networks allow ad-hoc mode, so communication is possible without prior planning, whereas a wired network requires proper planning before communication is possible.

Robustness: Wireless networks can survive disasters, e.g. earthquakes, or users pulling a plug. If the wireless devices survive, people can still communicate, whereas networks requiring a wired infrastructure will usually break down completely.


Cost: Adding users to a wireless network does not add cabling cost. This is important for, e.g., lecture halls and hotel lobbies, where the number of users may vary significantly.

The disadvantages of wireless networks are:

Quality of service: Wireless networks typically offer lower quality than their wired counterparts. The main reasons are lower bandwidth due to limitations of radio transmission, higher error rates due to interference, and higher delay and delay variation due to extensive error detection and correction mechanisms.

Signal loss: Signal loss occurs where there is no reception within the nominal network coverage; such an area is called a dead spot. Dead spots are hard to predict: even very careful planning cannot remove all of them, and sometimes live spots just move or, in the language of radio, fade. The spontaneous loss of communication for no apparent reason is probably one of the most irritating aspects of wireless networks; often the signal returns before the cause of its loss can be investigated. This occurs with cellular telephones, Wi-Fi devices, and all other wireless local area network (LAN) technologies.

Safety and security: Using radio waves for data transmission might interfere with other high-tech equipment, e.g. in hospitals, so special precautions have to be taken to prevent safety hazards. Eavesdropping is much easier on the open radio interface of a wireless network. All standards must therefore offer (automatic) encryption, privacy mechanisms, support for anonymity, etc.; otherwise more and more wireless networks will be broken into, as is already the case.

Power source: Wireless devices still need a power source. Wired network nodes can draw power from the local alternating-current receptacle, but mobile wireless devices depend on batteries or some alternative power source.


Despite these disadvantages, wireless networks have gained popularity because of increased accessibility to information resources and because network configuration and reconfiguration is easier, faster and less expensive. The benefits of wireless networks include convenience, mobility, productivity, ease of deployment, expandability and cost.

3.3 Vulnerability in wireless network

In computer security, a vulnerability is a weakness or flaw of a system. According to IEEE Computer Society terminology, a vulnerability is “a weakness in an information system that could be exploited by an event to gain unauthorized access to information or disrupt processing” [31]. For a weakness to be exploitable, an attacker must have at least one applicable tool or technique that can reach it. A vulnerability can result from improper configuration of a system or product (usually application software), poor system design, or poor implementation.

The popularity of wireless networks is a testament primarily to their convenience, cost efficiency, and ease of integration with other networks and network components. Most computers sold to consumers today come pre-equipped with all necessary wireless networking technology. However, wireless technology also creates new threats and alters the existing information security risk profile.

Wireless networks consist of four basic components: the transmission of data using radio frequencies; access points that provide a connection to the organizational network; client devices (laptops, PDAs, etc.); and users. Each of these components provides a route for attack.

3.3.1 Wireless Network Attacks

Generally, a threat is a potential violation of security; the violation need not actually occur for a threat to exist. When a violation does occur through exploitation of a vulnerability, it is termed an attack. Some wireless attacks are given below:


Accidental association: Unauthorized access to a different wireless network is caused by overlapping one or more wireless network. Here user of a particular network accidentally gains access to other wireless network.

Malicious association: “Malicious associations” occur when wireless devices are actively made by an attacker to connect to a company network through the attacker's laptop instead of a company access point (AP). Such laptops are known as “soft APs”; they are created when an attacker runs software that makes his or her wireless network card look like a legitimate access point. Once the attacker has gained access, he or she can steal passwords, launch attacks on the wired network or plant Trojans.

Ad-hoc networks: Ad-hoc networks are peer-to-peer networks between wireless computers with no access point between them. Such networks usually have little protection, so encryption methods can be used to provide security.

Non-traditional networks: Non-traditional networks such as personal-area Bluetooth networks are not secure from attack. Even barcode readers, PDAs, wireless printers and copiers should be secured. These non-traditional networks are easily overlooked by IT personnel who focus narrowly on laptops and access points.

Identity theft (MAC spoofing): Identity theft (or MAC spoofing) occurs when an attacker is able to listen in on network traffic and identify the MAC address of a computer with network privileges. Though most wireless systems allow some kind of MAC filtering so that only authorized computers with specific MAC addresses can gain access and use the network, it is possible for an attacker to gain access with the help of specific software.

Man-in-the-middle attacks: The attacker connects to a real access point through another wireless card set up as a soft AP, offering a steady flow of traffic through the transparent attacking computer to the real network. The attacker can then sniff the traffic. This is an example of a man-in-the-middle attack. Man-in-the-middle attacks are enhanced by software such as LANjack and AirJack, which automate multiple steps of the process.

Denial of service: A denial-of-service (DoS) attack occurs when an attacker continuously floods a targeted access point (AP) or network with spurious requests, premature successful-connection messages, failure messages and/or other commands. This leaves legitimate users unable to get on the network and may even cause the network to crash. These attacks rely on the abuse of protocols such as the Extensible Authentication Protocol (EAP).

Network injection: In a network injection attack, an attacker makes use of access points that are exposed to unfiltered network traffic, specifically broadcast network traffic such as Spanning Tree (802.1D), OSPF, RIP and HSRP. The attacker injects spurious network re-configuration commands that affect routers, switches and intelligent hubs. A whole network can be brought down in this manner, requiring a reboot or even reprogramming of all intelligent networking devices.

Securing a wireless network requires securing the transmission and the access points, together with a firewall and an antivirus solution. In most cases it is improper configuration of the wireless network that makes the system vulnerable, so proper firewall and wireless network configuration can prevent most of these attacks.


Chapter 4

Attack Graph on 3G Network

4.1 Introduction to 3G

The wireless industry is growing dramatically due to the popularity of the cellular phone. With the adoption of 3G technology, subscribers are finding additional value in their mobile devices, which have become much more than communication tools. Mobiles are now multimedia devices delivering a variety of applications, including music, games, video, internet and e-mail.

The drivers for this growth differ from network to network, but they can be categorized into the following three areas:

o Service coverage: several countries still have a low penetration rate and their investment priority is to expand their network and offer mobile services to more users.

o Quality of service: countries that have several competing mobile operators have gone from quantitative service to qualitative service where quality of service is their priority in order to gain market share.

o Network upgrades and new applications: countries that have reached their coverage and service-quality targets are expanding the applications offered to users, including services such as location, gaming, music and video.

3G is an International Telecommunication Union (ITU) standard for third generation mobile telephone systems under International Mobile Telecommunications, IMT-2000. IMT-2000 is a single family of compatible standards that is intended to support both packet-switched and circuit-switched wireless data transmission and to offer high data rates of up to 2 Mbps (depending on mobility/velocity) with high spectrum efficiency [38]. The IMT-2000 family is composed of the following six technologies operating in the Ultra High Frequency band:


o IMT DS (Direct Sequence): UMTS Terrestrial Radio Access (UTRA) and W-CDMA (wideband CDMA);

o IMT MC (Multicarrier): CDMA2000, 3G version of cdmaOne;

o IMT TC (Time Code): UTRA mode that uses time division multiplexing;

o IMT SC (Single Carrier): accommodation of Enhanced Data Rates for GSM Evolution (EDGE) technology to 3G;

o IMT FT (Frequency Time): Digitally Enhanced Cordless Telecommunications (DECT) system;

o IMT OFDMA: WiMAX;

3G networks are able to offer a variety of new services that combine high-quality voice telephony, high-speed mobile IP services, information technology and rich media, and to offer diverse content thanks to high bandwidth.

4.2 Existing Wireless Network Technologies prior to 3G

3G wireless networks represent an evolution of wireless network technology, and were preceded by 1G, 2G, and 2.5G wireless networks.

First Generation (1G): The first generation (1G) of wireless mobile communications was based on analog signaling. Wireless cellular systems of this type started appearing in the 1980s. 1G networks are based on the AMPS (Advanced Mobile Phone Service) standard. Analog systems were primarily based on circuit-switched technology and designed for voice, not data. As 1G is analog, the spectral efficiency (a rating indicating how efficiently available bandwidth is used to transmit data) was very low and the effective “energy per bit” was high, so the handsets had short talk and standby times.

Second Generation (2G): The second generation (2G) of the wireless mobile network was based on low-band digital data signaling. There are several 2G standards in use. They are:


o GSM (Global System for Mobile Communications), widely used in Europe and in countries other than the USA, and now appearing in the USA.

o CDMA (Code Division Multiple Access), used in the USA, and its use is spreading in the rest of the world.

o PDC (Personal Digital Cellular) used only in Japan where iMode uses packet switched PDC.

The 2G wireless networks mentioned above are also mostly based on circuit-switched technology. 2G wireless networks expand the range of applications to more advanced voice services, such as Called Line Identification. Some characteristics of 2G networks are:

o Maximum data rates of 9.6 Kbits/second to 14.4 Kbits/second if you are in just the right place.

o Digital voice (results in lower quality voice but uses less precious spectrum).

o Enhanced telephony features such as caller-id.

o Services such as text based messaging (big winner), downloads of still images and audio clips, etc.

2.5G (Between 2G and 3G): 2.5G networks are essentially General Packet Radio Service (GPRS) packet overlays on 2G networks. The effective data rate of 2G circuit-switched wireless systems is much slower than today's Internet. As a result, GSM, PDC and other TDMA-based mobile system providers and carriers have developed 2.5G technology that is packet-based and increases the data communication speeds. GPRS is primarily a software upgrade of GSM. It is designed to allow the GSM world to implement a full range of Internet services without waiting for the deployment of full-scale 3G wireless systems. GPRS technology is packet-based and designed to work in parallel with the 2G GSM, PDC and TDMA systems that are used for voice communications. Some characteristics of 2.5G networks are:

o Data rates of 64 – 144 kb/second.

o Packet based.

o Always-on connectivity.


A new wireless standard, Enhanced Data GSM Environment (EDGE), has been developed to increase the data rate of GPRS up to 384 Kbits/second, allowing GSM and TDMA operators to offer high-speed services. EDGE-based networks fall between 2.5G and 3G networks [39].

4.3 Third Generation (3G)

3G comes with enhancements over previous wireless technologies, like high-speed transmission, advanced multimedia access and global roaming. 3G is mostly used with mobile phones and handsets as a means to connect the phone to the Internet or other IP networks in order to make voice and video calls, to download and upload data and to surf the net.

Basically, 3G wireless technology corresponds to the convergence of various 2G wireless telecommunications systems into a single global system that includes both terrestrial and satellite components. The 3G wireless technology unifies existing cellular standards, such as CDMA, GSM and TDMA under one umbrella. The following three air interface modes accomplish this result: wideband CDMA, CDMA2000 and the Universal Wireless Communication (UWC-136) interfaces.

Wideband CDMA (W-CDMA) is compatible with the current 2G GSM networks and is used for high-capacity applications, while 2G digital wireless systems will continue to be used for voice calls. The second radio interface is CDMA2000, backward compatible with the second generation CDMA IS-95 standard predominantly used in the US. The third radio interface, Universal Wireless Communications (UWC-136), is designed to comply with ANSI-136, the North American TDMA standard.

Specifically, 3G wireless networks support the following maximum data transfer rates:

o 2.05 Mbits/second to stationary devices.

o 384 Kbits/second for slowly moving devices, such as a handset carried by a walking user.


o 128 Kbits/second for fast moving devices, such as handsets in moving vehicles.

3G has the following enhancements over 2.5G and previous networks:

o Several times higher data speed,

o Enhanced audio and video streaming,

o Video-conferencing support, Web and WAP browsing at higher speeds,

o IPTV (TV through the Internet) support.

4.3.1 3G Architecture

3G wireless networks consist of a Radio Access Network (RAN) and a core 3G network. The RAN is connected to the core 3G network, and the core 3G network is connected to the IP network, i.e. the Internet, and to the circuit-switched network, i.e. the PSTN (Public Switched Telephone Network). Internet connectivity enables 3G users to receive data services such as weather reports, stock reports, sports information, chat and electronic mail; Cross Network Services such as Call Forwarding Services, Client Billing Service and Location Based Instant Messaging; and Location Based Services such as navigation, restaurant information, etc. In 2G systems network access is provided either to the PSTN or to the Internet, so Cross Network Services are unavailable [3]. The architecture of the 3G network is illustrated in Figure-4.1.


Figure-4.1: 3G Network Architecture Model

The Radio Access Network consists of new network elements, known as Node B and Radio Network Controllers (RNCs). Node B is comparable to the Base Transceiver Station in 2G wireless networks. RNC replaces the Base Station Controller. It provides the radio resource management, handover control and support for the connections to circuit-switched and packet-switched domains.

The core 3G network contains the Circuit Switched (CS) domain, the Packet Switched (PS) domain and the IP Multimedia Subsystem (IMS), from a functional viewpoint. The Circuit Switched domain includes the 3G MSC and the Gateway Mobile Switching Center (GMSC) for switching of voice calls. The CS domain is used to access the PSTN. The Packet Switched domain includes the 3G SGSNs and GGSNs, which provide the same functionality that they provide in a GPRS system. The PS domain is used to access the Internet. The CS and PS domains may have some entities in common. The IP Multimedia Subsystem includes the set of all core network entities for the provision of multimedia services. The IMS enables mobile network operators to offer their subscribers multimedia services based on and built upon Internet applications, services and protocols. The ultimate goal of the IMS is to provide IP services to its subscribers.

[Figure 4.1 labels: Mobile Station; RAN (Radio Access Network); Core Network comprising the Circuit Switch Domain (MSC: Mobile Switching Center, GMSC: Gateway Mobile Switching Center), the Packet Switch Domain (SGSN: Serving GPRS Support Node, GGSN: Gateway GPRS Support Node) and the IMS (IP Multimedia Subsystem); Circuit Switch Network; IP Network.]


4.3.2 3G Network

Subscribers may be related to two networks in a 3G system: a home network and a serving network. The responsibilities of the home network are to provide services to the subscriber, to manage and maintain subscriber profiles, to bill, and to authenticate the subscriber to receive service. The serving network, on the other hand, changes as the user's location changes. It provides radio resources, mobility management, routing and handling services for the subscribers.

All subscribers are permanently assigned a geographical region called the home network, from which they may roam to other visited networks. The Home Location Register (HLR) is in the home network and stores permanent subscriber profile data and relevant temporary data such as the current subscriber location (a pointer to the Visitor Location Register, VLR). The VLR is assigned to a specific administrative area and associated with one Mobile Switching Center (MSC), which acts as an interface between the radio system and the fixed network and handles circuit-switched services for subscribers currently roaming in its area. The VLR acts as a temporary repository and stores data for all mobile stations (user handsets) currently roaming in its assigned area. The VLR obtains this data from the HLR assigned to the mobile station. The VLR and MSC are either in the home or in the serving network, depending on the location of the subscriber [18].

If a network delivering a call to the mobile network cannot locate the HLR, the call is routed to an MSC. This MSC locates the appropriate HLR and then routes the call to the MSC where the mobile station is located. The MSC in charge of routing the call to the actual location of the mobile station is called the Gateway MSC (GMSC). The GMSCs are available to pass voice traffic between the PSTN and the 3G network [17].

One of the basic 3G services is the call delivery service, which delivers incoming calls to any subscriber with a mobile device regardless of their location. The signal flow for the call delivery service is illustrated in Fig. 4.2. When a call is placed to a mobile subscriber, the call (signaling message ‘IAM’) is sent to the nearest GMSC, which is responsible for routing calls and passing voice traffic between different networks. Each signaling message contains data items used to invoke functions at the destination service nodes. For example, the IAM signaling message contains the ‘called number’ data item, which is used at the GMSC to invoke the function that finds the assigned HLR (home network) of the called party [5]. The GMSC checks the called number in the incoming call (‘IAM’) and resolves it to the assigned HLR of the called party. It then sends the signaling message ‘SRI’ to the HLR. The SRI message contains data items such as the called number and the alerting pattern. The alerting pattern denotes the kind of call, such as packet-switched data, short message service or circuit-switched call, and is used to alert the called mobile subscriber.

Figure-4.2: Signal flow for call delivery service

[Figure 4.2 residue: participants GMSC, HLR, VLR, MSC and Cell Phone, spanning the Home Network and the Visiting Network. Messages: 1. Initial Address Message (IAM); 2. Send Routing Info (SRI); 3. Provide Roaming Number (PRN); 4. Roaming Number Ack (PRN_ACK); 5. Send Routing Info Ack (SRI_ACK); 6. Initial Address Message (IAM); 7. SIFIC; 8. Page MS; 9. Page, over the Air Interface.]


The HLR is aware of the location where the called subscriber is currently visiting and requests the corresponding VLR for a ‘roaming number’ (‘PRN’) to route the call and downloads the incoming call profile to the VLR. The VLR then assigns a roaming number for routing the call and passes it on to the HLR (‘PRN_ACK’). Then the HLR passes on this ‘roaming number’ to the GMSC (‘SRI_ACK’). The GMSC uses this ‘roaming number’ to route the incoming call to the MSC where the subscriber is currently visiting. The MSC requests the VLR for the incoming call profile for the called subscriber (‘SIFIC’) and receives the profile in the ‘Page MS’ signaling message. The MSC alerts (‘Page’) the mobile station [17-18].

4.3.3 3G Network Security

The set of security requirements defined by the ITU for IMT-2000 systems within the framework of the Open Systems Security Architecture (ITU Recommendation X.800) is:

o Only authorized users should be able to access and use telecommunication networks;

o Authorized users should be able to access and operate on assets they are authorized to access;

o Telecommunication networks should provide privacy at the level set by the security policies of the network;

o All users should be held accountable for their own but only their own actions in telecommunication networks;

o In order to ensure availability, telecommunication networks should be protected against unsolicited access or operations;

o It should be possible to retrieve security-related information from telecommunication networks (but only authorized users should be able to retrieve such information);

o If security violations are detected, they should be handled in a controlled way in accordance with a pre-defined plan to minimize potential damage;

o After a security breach is detected, it should be possible to restore normal security levels;


o The security architecture of telecommunication networks should provide certain flexibility in order to support different security policies, e.g. different strengths of security mechanisms [40].

The first five of the above goals are to be achieved by implementing confidentiality, data integrity, accountability (including authentication, non-repudiation and access control) and availability mechanisms [40].

The security of 3G networks is important because 3G is based on IP technology. The 1G and 2G networks were isolated because they did not provide connectivity to any public network to which end subscribers had direct access; the vulnerabilities of these networks are few and well assessed. 3G provides direct access to the public network, so it becomes open to attackers. In 3G, more users with varied data-capable devices access content and communicate with one another across multiple networks, so there is more traffic on the cellular networks, which implies a higher likelihood of attacks from any number of sources. For example, many sophisticated attacks disguise themselves in data flows across sessions and ports; the more traffic there is, the harder it is to identify the threats.

4.4 Introduction to 3G Attack Graph

Third generation (3G) wireless telecommunication is IP based, whereas 1G and 2G wireless networks and the PSTN are closed, as their signaling messages are exchanged on private, isolated SS7 (Signaling System No. 7) based networks. So 1G, 2G and PSTN networks are isolated in the sense that they have no connectivity to any public network. 3G, on the other hand, provides circuit-switched and high-speed packet data services for 3G-enabled mobile devices. With the integration of the core 3G network, the PSTN and the Internet, the networks have opened up additional vulnerabilities and provided malicious attackers easy access. This integration imports the inherent vulnerabilities of the Internet into 3G networks and gives the end subscriber direct access to the control infrastructure of the 3G network. The Internet is open and accessible to anyone with simple equipment. It is also very easy for malicious attackers to break into Internet servers because of their many vulnerabilities.

4.4.1 Attacks on 3G

Attacks on 3G networks can be classified according to the attacker's physical access to the 3G network. They are:

Single Infrastructure Attacks: Attacks within the same network domain, e.g. the attacker has gained access to a core 3G network entity and attacks other 3G network entities. These include the following three levels of physical access between the attacker and the 3G telecommunication network.

o Access to the air interface with a physical device: This affects the privacy of the subscriber and the network operator and also enables man-in-the-middle attacks.

o Access to Cables connecting Central Offices (3G core network entities): Here the attacker may cause damage by disrupting normal transmission of signaling messages.

o Access to 3G core network entities in the Central Office: Here the attacker can cause damage by editing the service logic or modifying subscriber data (profile, security and services) stored in the network entity.

Cross Infrastructure Cyber Attacks: Attacks on the wireless telecommunication network from the IP domain. These attacks use Cross Network Services (which combine Internet-based data with data from the wireless telecommunication network to provide services to the wireless subscriber) as an entry point into the wireless telecommunication network. They include the following two levels of physical access between the attacker and the 3G network.

o Access to Links connecting the Internet and the 3G core network: The attacker can cause damage by disrupting normal transmission of signaling messages traversing the link and inserting signaling messages into the link between the two networks.


o Access to Internet Servers or Cross Network Servers (which provide multimedia or other services to mobile subscribers) connected to the 3G network: The attacker can cause damage by editing the service logic or modifying subscriber data (profile, security and services) stored in the Cross Network Servers.

The types of attack on 3G wireless telecommunication networks are:

o Interception: The attacker intercepts information but does not modify or delete it. This is a passive attack. It affects the privacy of the subscriber and the network operator.

o Fabrication/Replay: In this case the attacker may insert spurious objects into the system. The effects could result in the attacker masquerading as an authority figure.

o Modification of Resources: The attacker causes damage by modifying system resources.

o Denial of Service: The attacker causes an overload or a disruption in the system so that the network functions in an abnormal manner.

o Interruption: The attacker causes an interruption by destroying resources.

Another classification of attacks is based on the means used to carry out the attack. The attack means are as follows:

o Data: The attacker attacks the data stored in the system. The damage is done by modifying, inserting and deleting the data stored in the system.

o Messages: The attacker attacks the system through the signaling messages. The attacker may insert, modify, delete and replay signaling messages going in and out of the network.

o Service Logic: The attacker causes damage by attacking the service logic running in the various 3G core network entities.

4.4.2 3G Attack Graph


propagates across the network due to normal end-to-end network operation. This feature is known as the cascading effect. Deducing vulnerabilities and attacks in 3G systems manually is not feasible, because it requires extensive knowledge of thousands of state machines and of the end-to-end networking of the telecommunication system. Standard Internet-based vulnerability assessment tools are not sufficient for 3G telecommunication networks because they report physical vulnerabilities, which is not the goal of 3G network vulnerability assessment. The goal is to identify end-to-end, system-level vulnerabilities and the interactions that lead to the cascading effect. Thus the attacks can be represented in the form of an attack graph.

A 3G-network-specific attack graph is a network state transition graph showing the paths through a system, starting with the conditions of the attack and the attack itself, continuing with the cascading effect of the attacker's action(s) and ending in the attacker's goal. The state of a 3G network may be defined as the collective state of all its blocks.

The Cellular Network Vulnerability Assessment Toolkit (CAT) proposed by Kotapati et al. is a tool that represents 3G network vulnerabilities and attacks as attack graphs. CAT takes 3G data parameter seeds and goals as input from the user and uses the freely available technical specifications written in the Specification and Description Language (SDL), developed by the ITU, to identify the system interactions that lead to the cascading effect. Seeds are data parameters which, when corrupted by the attacker, may or may not lead to the goal. In the attack graph, seeds may merge at different stages. Goals are data parameters that are derived incorrectly as a result of the direct corruption of seeds by the attacker.

The attack shown in Figure-4.3 is called the speech attack; it is caused by corruption of the ‘ISDN BC’ data parameter in the ‘IAM’ message. The 3G data parameter ‘ISDN BC’ is the direct target of the attack and is called the seed. CAT builds the attack graph for the speech attack (shown in Figure-4.4) in a bottom-up manner.


Figure-4.3: Speech Attack

The attack graph consists of three types of nodes: condition nodes represent the conditions that must hold for an attack; action nodes may be events or non-events that cause a network transition; and the goal node is the final node in a tree, occurring at the highest level. The goal node is reached when the corrupt data parameters have propagated to other 3G blocks. The edges of the attack graph show the implicit transition in network state.

For better understanding, the attack graph has been divided into levels. Each node has been assigned a number; these are tree numbers and identify the tree to which the node belongs. For example, all nodes marked with number 1 form the first tree of the graph. Nodes at a particular level with the same tree number(s) are AND nodes. Likewise, nodes with the same tree number at one layer that connect to a node in the layer above also indicate AND nodes. For example, the nodes at Level 0 are AND nodes, whereas the nodes at Level 4 are OR nodes.

A condition is composed of three nodes:

o The first contains the level of Physical Access (PA), which corresponds to the attacker's physical access to the network and may be classified as: (1) access to the air interface with the help of a physical device; (2) access to the cables connecting central offices; and (3) access to the 3G core network blocks in the central office.

[Figure 4.3 labels: Internet with IP Servers; 3G Network with VLR, GMSC, HLR and MSC; arrows marked Attack and Cascade.]


o The second contains a high-level description of the attacker's target (Tgt), which is described by a block and denotes all the processes and data sources within that block.

o The third contains the vulnerability (Vul), which may be classified as: (1) attacking the data parameters in signaling messages exchanged between blocks; (2) attacking the service logic of a process in a block so that it behaves abnormally; and (3) corrupting the data sources in a block. In the attack example of Figure-4.4 the attacker corrupts the data ‘ISDN BC’ in message IAM, so the vulnerability is the message, written as Vul: Message.

The events of an action node (Action) include incoming and outgoing signaling messages, and the non-event is a change of the data associated with the block. In Figure-4.4 the action node at Level 0 is an example of an event and the action node at Level 2 is an example of a non-event. Non-events cause a change in the state of the network but do not generate any event.

The goal node in Figure-4.4 is the node at Level 5, the highest level of the attack graph. It indicates the corruption or incorrect derivation of data parameters due to the direct corruption of other data parameters (seeds) by the attacker.

The edges are classified as transitions due to adversary action, which describe the change in the state of the network as a result of the adversary's action, and network transitions, which describe the change in the state of the network as a result of any of the action nodes. The edges marked A indicate transitions due to adversary action. Hence the attack graph shows not only the attacker's activity but also the global view, or cumulative effect, of the attacker's actions. This is a unique feature of the attack graph.
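As an added illustration of the cascading effect and of the bottom-up construction of Figure-4.4 (this is my own Python sketch, not the thesis's code and not the CAT tool), the following encodes the call-delivery flow of Section 4.3.2 as a table of data-parameter derivations and follows a corrupted seed parameter from block to block until it reaches the goal, emitting the condition, action and goal nodes with their levels. Only process ICH_MSC and the IAM, Bearer Service and SIFIC chain come from the thesis; the other process names and the called-number and roaming-number rows are assumed placeholders that follow the message order of Figure-4.2.

```python
"""Cascading-effect model of the 3G speech attack (Figures 4.3 and 4.4).

Added example: not the thesis's code and not Kotapati et al.'s CAT tool.
Only process ICH_MSC and the IAM -> Bearer Service -> SIFIC chain come from
the thesis; the other process names and the called-number / roaming-number
rows are constructed placeholders following the message order of Fig. 4.2.
"""
from collections import deque

BLOCKS = {"GMSC", "HLR", "VLR", "MSC"}     # core network blocks of Figure 4.2

# (block, process, input parameter, output parameter).  A parameter is
# "<Message>.<name>" when carried in a signaling message and "<Block>.<name>"
# when it is data held inside a block.
DERIVATIONS = [
    ("GMSC", "ROUTE_GMSC", "IAM.called number",      "SRI.called number"),
    ("HLR",  "LOC_HLR",    "SRI.called number",      "PRN.called number"),
    ("VLR",  "ROAM_VLR",   "PRN.called number",      "PRN_ACK.roaming number"),
    ("HLR",  "LOC_HLR",    "PRN_ACK.roaming number", "SRI_ACK.roaming number"),
    ("MSC",  "ICH_MSC",    "IAM.ISDN BC",            "MSC.Bearer Service"),
    ("MSC",  "ICH_MSC",    "MSC.Bearer Service",     "SIFIC.Bearer Service"),
    ("VLR",  "ICH_VLR",    "SIFIC.Bearer Service",   "VLR.Bearer Service provided"),
]


def split_param(param):
    """'IAM.ISDN BC' -> ('IAM', 'ISDN BC')."""
    carrier, name = param.split(".", 1)
    return carrier, name


def in_message(param):
    """True when the parameter travels in a signaling message, i.e. its
    carrier is a message name rather than one of the core network blocks."""
    return split_param(param)[0] not in BLOCKS


def build_attack_graph(seed, goal, physical_access=2):
    """Follow the corruption of seed through DERIVATIONS and return
    (nodes, edges, blocks).

    nodes maps node text -> level (0 = attacker's own action, highest =
    goal); edges are (from, to, kind) with kind 'A' for a transition caused
    directly by the adversary and 'N' for normal network operation; blocks
    is the set of core network blocks the corruption passes through.
    """
    msg, name = split_param(seed)
    consumers = [b for b, _, inp, _ in DERIVATIONS if inp == seed]
    if not consumers or not in_message(seed):
        raise ValueError(f"{seed!r} is not a message parameter consumed by a block")
    # Level 0: the three condition nodes and the adversary's corrupting action.
    conds = [f"PA: Level {physical_access}", f"Tgt: {consumers[0]}", "Vul: Message"]
    corrupt = f"Corrupt data '{name}' in Message {msg}"
    nodes = {c: 0 for c in conds}
    nodes[corrupt] = 0
    edges = [(c, corrupt, "A") for c in conds]
    blocks = set()
    queue = deque([(seed, corrupt)])   # (corrupted parameter, node that produced it)
    while queue:
        param, prev = queue.popleft()
        for block, process, inp, out in DERIVATIONS:
            if inp != param:
                continue
            blocks.add(block)
            here = prev
            if in_message(param):          # a corrupt message must first arrive
                here = f"Incoming Message {split_param(param)[0]} arriving at {block}"
                nodes[here] = nodes[prev] + 1
                edges.append((prev, here, "A" if prev == corrupt else "N"))
            out_carrier, out_name = split_param(out)
            if out == goal:
                nxt = f"Goal: Incorrect {out_name}"
            elif in_message(out):
                nxt = f"Respond with corrupt '{out_name}' in Message {out_carrier} from {block}"
            else:
                nxt = (f"Corrupt data '{split_param(param)[1]}' corrupts '{out_name}' "
                       f"in Process {process} of {block}")
            nodes[nxt] = nodes[here] + 1
            edges.append((here, nxt, "N"))
            if out != goal:
                queue.append((out, nxt))
    return nodes, edges, blocks


def goal_level(nodes):
    """Level of the goal node, or None when the seed never reaches the goal."""
    return next((lvl for text, lvl in nodes.items() if text.startswith("Goal:")), None)
```

For the seed ‘ISDN BC’ in IAM and the goal ‘Bearer Service provided’ at the VLR, the goal lands at Level 5 and the cascade passes through MSC and VLR, matching Figure-4.4; a seed that no derivation row connects to the goal yields no goal node at all.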


Figure-4.4: Attack graph for Speech attack

[Figure 4.4 residue, Levels 5 down to 0. Tree 2 (seed ‘ISDN BC’): 2, PA: Level 2; 2, Tgt: MSC; 2, Vul: Message; 2, Action: Corrupt data ‘ISDN BC’ in Message IAM; 2, Action: Incoming Message IAM arriving at MSC; 2, Action: Corrupt data ‘ISDN BC’ in Process ICH_MSC of MSC; 2, Action: Corrupt data ‘ISDN BC’ corrupts ‘Bearer Service’ in Process ICH_MSC of MSC; 2, Action: Respond with corrupt Bearer Service in … Tree 1 (seed ‘Bearer Service’ in SIFIC): 1, PA: Level 2; 1, Tgt: VLR; 1, Vul: Message; 1, Action: Corrupt Bearer Service in Message SIFIC; 1, Action: Incoming Message SIFIC arriving at VLR. 1, 2, Goal: Incorrect Bearer Service provided.]


Chapter 5

Attack Graph generation: A Modified Approach

An attack graph is a pictorial representation of paths indicating possible exploitation of network vulnerabilities by an attacker. A network administrator can use the attack graph to identify vulnerabilities present in the network and can take measures accordingly. The knowledge encoded in attack graphs can also be used to correlate isolated alerts into probable attack scenarios.

Several software packages have been designed to automate the generation of attack graphs. Most automated attack graph generators produce an attack graph that contains all the paths to a specific target host as opposed to the whole network. This type of graph can be aggregated for each host to comprise a network attack graph.

Most current analysis of attack graphs requires an algorithm to be developed and implemented, which delays the availability of the analysis. Standard graph algorithms usually do not apply here because of the unique characteristics of attack graphs. This delay is usually not acceptable, because the requirements for analyzing attack graphs may change rapidly due to constantly changing threats and network configurations. Interactive analysis of attack graphs can remove the limitation caused by this delay.

So we choose the attack graph generation approach based on relational queries proposed by Jajodia et al. [20]. Here, network configuration and domain knowledge are represented by the relational model. The attack graph is generated using relational queries, which can either be materialized as relations or simply left as the definitions of relational views. The latter case is especially suitable for large networks, where materializing the complete attack graph can be prohibitive [20].


The approach is extended by introducing more details about the network configuration and the domain knowledge. Network information can be obtained using any vulnerability scanner, such as Nessus or an OVAL scanner. The domain knowledge is obtained from the OVAL [23] and NVD [24] databases. We propose the following relation schemas in a relational database for attack graph generation.

Relation 1: Connectivity (srcHost, dstHost, Access)

Relation 2: Host-Information (Host_ip, Host_Name, OS)

Relation 3: Pre-Condition (Host, Condition, Port)

Relation 4: Port-Blocked (srcHost, dstHost, dstPort)

Relation 5: Host-Vulnerability (Host, VulnID)

Relation 6: Condition-Vulnerability Dependency (Access, Condition, Field, OS, Port, VulnID)

Relation 7: Vulnerability-Condition Dependency (Access, VulnID, Condition, OS, Port)

Network configuration includes relations 1to5 and the domain knowledge includes the relations 6 and 7.

Connectivity records whether two hosts (the source host srcHost and the destination host dstHost) are connected through the network or through an adjacent network; the Access attribute of the Connectivity relation is therefore either network or adjacent network. A vulnerability exploitable with network access means that the vulnerable software is bound to the network stack and the attacker does not require local network access or local access; an RPC buffer overflow is an example of such a network attack. A vulnerability exploitable with adjacent network access, on the other hand, requires the attacker to have access to either the broadcast or the collision domain of the vulnerable software. Examples of local networks include a local IP subnet, Bluetooth, IEEE 802.11, and a local Ethernet segment [5].
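The following is an added worked example, not code from the thesis or from [20], showing how relations 1 to 7 can be materialized in SQLite and evaluated by repeated relational queries until no new exploit is derivable. The host names, vulnerability identifiers (VULN-AP-MGMT, VULN-SRV-SMB), ports and conditions are constructed sample values; the interpretation of the Field attribute in relation 6 as naming the host ('src' or 'dst') on which a required condition must hold is an assumption made for this example, as is the convention that the conditions in relation 7 are produced on the destination host.

```python
import sqlite3

# Relations 1-7 from the text, plus two derived relations (Reached, Exploit)
# whose rows form the attack graph: condition nodes and exploit edges.
SCHEMA = """
CREATE TABLE Connectivity (srcHost TEXT, dstHost TEXT, Access TEXT);
CREATE TABLE HostInformation (Host_ip TEXT, Host_Name TEXT, OS TEXT);
CREATE TABLE PreCondition (Host TEXT, Condition TEXT, Port INTEGER);
CREATE TABLE PortBlocked (srcHost TEXT, dstHost TEXT, dstPort INTEGER);
CREATE TABLE HostVulnerability (Host TEXT, VulnID TEXT);
-- Relation 6: conditions an exploit REQUIRES; Field ('src'/'dst') is assumed to
-- name the host on which the condition must already hold.
CREATE TABLE CondVulnDep (Access TEXT, Condition TEXT, Field TEXT, OS TEXT, Port INTEGER, VulnID TEXT);
-- Relation 7: conditions an exploit PRODUCES (assumed: on the destination host).
CREATE TABLE VulnCondDep (Access TEXT, VulnID TEXT, Condition TEXT, OS TEXT, Port INTEGER);
CREATE TABLE Reached (Host TEXT, Condition TEXT, UNIQUE(Host, Condition));
CREATE TABLE Exploit (srcHost TEXT, dstHost TEXT, VulnID TEXT, UNIQUE(srcHost, dstHost, VulnID));
"""

# One "relational view": exploits whose every required condition is already
# reached and whose port is not blocked between the two hosts, not yet recorded.
EXPLOITABLE = """
SELECT DISTINCT c.srcHost, c.dstHost, hv.VulnID, c.Access, hi.OS
FROM Connectivity c
JOIN HostVulnerability hv ON hv.Host = c.dstHost
JOIN HostInformation hi ON hi.Host_Name = c.dstHost
WHERE EXISTS (SELECT 1 FROM CondVulnDep d
              WHERE d.VulnID = hv.VulnID AND d.Access = c.Access AND d.OS = hi.OS)
  AND NOT EXISTS (
      SELECT 1 FROM CondVulnDep d
      WHERE d.VulnID = hv.VulnID AND d.Access = c.Access AND d.OS = hi.OS
        AND (EXISTS (SELECT 1 FROM PortBlocked pb
                     WHERE pb.srcHost = c.srcHost AND pb.dstHost = c.dstHost
                       AND pb.dstPort = d.Port)
             OR NOT EXISTS (SELECT 1 FROM Reached r
                            WHERE r.Condition = d.Condition
                              AND r.Host = CASE d.Field WHEN 'src' THEN c.srcHost
                                                        ELSE c.dstHost END)))
  AND NOT EXISTS (SELECT 1 FROM Exploit e
                  WHERE e.srcHost = c.srcHost AND e.dstHost = c.dstHost
                    AND e.VulnID = hv.VulnID)
"""


def build_sample_db():
    """Constructed network: an attacker in radio range of an access point (ap)
    that fronts a file server (srv); a firewall blocks the attacker's direct
    access to srv port 445, so the only route is to pivot through the AP."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Connectivity VALUES (?,?,?)", [
        ("attacker", "ap", "adjacent network"), ("attacker", "srv", "network"),
        ("ap", "srv", "network")])
    conn.executemany("INSERT INTO HostInformation VALUES (?,?,?)", [
        ("10.0.0.1", "attacker", "linux"), ("10.0.0.2", "ap", "embedded"),
        ("10.0.0.3", "srv", "linux")])
    conn.execute("INSERT INTO PreCondition VALUES (?,?,?)", ("attacker", "user", None))
    conn.execute("INSERT INTO PortBlocked VALUES (?,?,?)", ("attacker", "srv", 445))
    conn.executemany("INSERT INTO HostVulnerability VALUES (?,?)", [
        ("ap", "VULN-AP-MGMT"), ("srv", "VULN-SRV-SMB")])   # hypothetical IDs
    conn.executemany("INSERT INTO CondVulnDep VALUES (?,?,?,?,?,?)", [
        ("adjacent network", "user", "src", "embedded", 80, "VULN-AP-MGMT"),
        ("network", "user", "src", "linux", 445, "VULN-SRV-SMB")])
    conn.executemany("INSERT INTO VulnCondDep VALUES (?,?,?,?,?)", [
        ("adjacent network", "VULN-AP-MGMT", "user", "embedded", 80),
        ("network", "VULN-SRV-SMB", "root", "linux", 445)])
    return conn


def generate_attack_graph(conn):
    """Evaluate the view to a fixpoint: each round records every newly
    exploitable (src, dst, vuln) edge and the conditions it produces on dst.
    Returns (exploit edges, reached condition nodes), both sorted."""
    cur = conn.cursor()
    cur.execute("DELETE FROM Exploit")
    cur.execute("DELETE FROM Reached")
    cur.execute("INSERT OR IGNORE INTO Reached SELECT Host, Condition FROM PreCondition")
    while True:
        new_edges = cur.execute(EXPLOITABLE).fetchall()
        if not new_edges:
            break
        for src, dst, vuln, access, os_name in new_edges:
            cur.execute("INSERT OR IGNORE INTO Exploit VALUES (?,?,?)", (src, dst, vuln))
            cur.execute("INSERT OR IGNORE INTO Reached SELECT ?, Condition FROM VulnCondDep "
                        "WHERE VulnID = ? AND Access = ? AND OS = ?",
                        (dst, vuln, access, os_name))
    conn.commit()
    exploits = sorted(cur.execute("SELECT srcHost, dstHost, VulnID FROM Exploit"))
    reached = sorted(cur.execute("SELECT Host, Condition FROM Reached"))
    return exploits, reached


if __name__ == "__main__":
    edges, nodes = generate_attack_graph(build_sample_db())
    for src, dst, vuln in edges:
        print(f"{src} --[{vuln}]--> {dst}")
    print("conditions reached:", nodes)
```

Because the Port-Blocked rule is part of the query rather than of a hand-written algorithm, a what-if question such as "does removing this firewall rule open a direct path?" is answered by changing a row and re-running the same queries, which is the interactive analysis the text argues for.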

References
