# A Protocol Vulnerability Analysis Method Based on Logical Attack Graph

## Abstract

Deriving complex protocol vulnerability information from a large number of simple protocol vulnerability records is a hard problem. In this paper, we use the attack graph method to construct a protocol vulnerability correlation graph. We then combine the attack target with the other information to build a protocol logic attack graph, which is transformed into an adjacency matrix. Through the adjacency matrix we can find and calculate the paths of complex attacks together with their probability of success and hazard index. The experimental results show that this method can find the correlation among protocol vulnerabilities and can calculate the optimal attack path for a protocol vulnerability.

## Keywords

Protocol vulnerability analysis; Vulnerability correlation graph; Logic attack graph

## 1 Introduction and Related Work

In recent years, people have paid attention to network attacks, most of which focus on vulnerabilities in computer systems, and less on communication protocols, especially on the security analysis of wireless communication protocols. The main method of analyzing the vulnerability of a protocol is formal analysis [1]. Attacks against protocols have now acquired multi-step and multi-way characteristics, exploiting different stages of the communication protocol, and the existing methods lack the ability to correlate different vulnerabilities. Researchers have used attack graphs [2, 3] to analyze attack behavior. The Common Vulnerability Scoring System (CVSS) [4, 5] can be used to analyze the dependencies between vulnerabilities, show all attack paths, and finally evaluate system security trends comprehensively. Holm et al. [6] focused on the impact of the basic data provided by CVSS on vulnerability assessment. Addressing the shortcomings of CVSS quantification, they gave a specific quantization method, but that method was too complicated. Chen et al. [7] proposed an attack graph model for judging the probability of an internal attack intention. Based on the model, they proposed an algorithm to infer the intent of an internal attack and the maximum-probability attack path for that attack target. Liu et al. [8] proposed a game model to obtain optimized attack and defense decisions, which adds a confidence probability to extend the vulnerability attributes. Li et al. [9] studied the correlation of vulnerability exploitation. They proposed a kind of horizontal and vertical correlation which is suitable for different components of a computer system. For communication protocol vulnerability analysis, the horizontal correlation simplification model will lose some information. In this paper, we propose a method to generate a protocol attack logic diagram from the attack target by using the vulnerabilities of the protocol. It can show every route to reach the attack target, thus showing the possible complex attacks, and at the same time search for and calculate the optimal attack path.

## 2 Basic Concepts and Definitions

### Attack target and constraints.

An attacker must satisfy certain necessary preconditions to achieve the target; only when these preconditions are met is it possible for the attacker to achieve the target with a given means of attack. These necessary preconditions are the constraints for the attack target.

### Protocol Vulnerability.

A ternary \( \{V_{ID}, C_{S}, R_{S}\} \) is used to represent an atomic vulnerability of a communication protocol, where \( V_{ID} \) is the vulnerability of the protocol against a certain attack, \( C_{S} \) is the set of constraints required for the attack and \( R_{S} \) is the set of posterior results caused by the attack. It can be expressed as:

### Protocol attack mode.

The attack modes for wireless communication protocols usually include packet discarding, packet hijacking and forwarding, and so on. A protocol attack is described by information such as privilege information, vulnerability information, conditional requirements, attack methods, and attack consequences.

## 3 Protocol Vulnerabilities Correlation Analysis

Because of certain correlations between preconditions and posterior results, the atomic vulnerability set is combined into a protocol vulnerability correlation graph according to the correlations among them. The graph supports the use of multiple atomic vulnerabilities to achieve more advanced and complex attack targets. The graph construction process is described in detail below.

### 3.1 Protocol Vulnerability Correlation Graph Construction

- 1) Traverse the vulnerabilities of the protocol, generating for each a sub-tree containing only the current vulnerability and its child nodes by matching the preconditions and posterior results of the attacks;

- 2) Use a recursive algorithm that starts with an empty vulnerability correlation graph, accesses the sub-tree of a node and traverses all of its leaf nodes. If a leaf node has already been merged into the vulnerability correlation graph, the node is deleted and the connection to the leaf node is pointed at the corresponding node in the vulnerability correlation graph. If the leaf node has not been merged into the vulnerability correlation graph, the sub-tree of that node is accessed. This algorithm is executed recursively until all nodes have been visited.
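The following is an added example, not code from the paper: it models the ternary \( \{V_{ID}, C_{S}, R_{S}\} \) of Sect. 2 and runs the two construction steps above, matching posterior results against preconditions to build the sub-trees and then merging them recursively so that a shared leaf is expanded only once. The identifiers come from the paper's Table 1, but the constraint and result labels (`on_channel`, `addr_known`, `identity_spoofed`, `plaintext_read`) are hypothetical and chosen so that the resulting routes coincide with the four paths of Table 2.

```python
from dataclasses import dataclass

# Added example (not the paper's code): an atomic protocol vulnerability as the
# ternary {V_ID, C_S, R_S} of Sect. 2, and the two-step correlation graph
# construction of Sect. 3.1.


@dataclass(frozen=True)
class AtomicVuln:
    vid: str            # V_ID: identifier of the vulnerability
    cs: frozenset       # C_S: constraints (preconditions) required for the attack
    rs: frozenset       # R_S: posterior results caused by the attack


# Constructed sample set (assumption): identifiers are taken from the paper's
# Table 1, but the constraint/result labels are hypothetical, chosen so that the
# posterior results of one vulnerability satisfy the preconditions of another.
VULNS = [
    AtomicVuln("V0", frozenset({"on_channel"}), frozenset({"addr_known"})),
    AtomicVuln("V6", frozenset({"on_channel"}), frozenset({"addr_known"})),
    AtomicVuln("V7", frozenset({"addr_known"}), frozenset({"identity_spoofed"})),
    AtomicVuln("V8", frozenset({"on_channel"}), frozenset({"identity_spoofed"})),
    AtomicVuln("V4", frozenset({"on_channel"}), frozenset({"identity_spoofed"})),
    AtomicVuln("V1", frozenset({"identity_spoofed"}), frozenset({"plaintext_read"})),
]


def children_of(v, vulns):
    """Step 1: the sub-tree rooted at v holds every other vulnerability whose
    preconditions are (partly) produced by v's posterior results."""
    return [w for w in vulns if w.vid != v.vid and v.rs & w.cs]


def build_correlation_graph(vulns):
    """Step 2: recursively merge the sub-trees into one correlation graph.

    Returns a dict vid -> list of child vids. A node already present in the
    graph is not expanded again; the new edge simply points at the existing
    node, which is what merges shared leaves."""
    graph = {}

    def merge(v):
        if v.vid in graph:          # already merged: reuse, do not re-expand
            return
        graph[v.vid] = []
        for w in children_of(v, vulns):
            graph[v.vid].append(w.vid)
            merge(w)                # descend into the leaf's own sub-tree

    for v in vulns:
        merge(v)
    return graph


def attack_paths(graph, vulns, target_result):
    """Every route from a source node (in-degree 0) to a node whose posterior
    results contain the target result, i.e. a complex multi-step attack."""
    by_id = {v.vid: v for v in vulns}
    indeg = {vid: 0 for vid in graph}
    for kids in graph.values():
        for k in kids:
            indeg[k] += 1
    paths = []

    def walk(vid, path, seen):
        if target_result in by_id[vid].rs:
            paths.append(tuple(path))
            return
        for k in graph[vid]:
            if k not in seen:       # a loop correlation is not followed twice
                walk(k, path + [k], seen | {k})

    for vid, d in indeg.items():
        if d == 0:
            walk(vid, [vid], {vid})
    return sorted(paths)


if __name__ == "__main__":
    g = build_correlation_graph(VULNS)
    for vid, kids in g.items():
        print(vid, "->", kids)
    print(attack_paths(g, VULNS, "plaintext_read"))
```

With the constructed set, `build_correlation_graph` yields the edges V0→V7, V6→V7, V7→V1, V8→V1 and V4→V1, and `attack_paths` reports (V0,V7,V1), (V4,V1), (V6,V7,V1) and (V8,V1) as the routes reaching `plaintext_read`. The `seen` set in `walk` is the minimal guard against the loop correlations that Sect. 3.2 removes; the paper's own reduction method is not reproduced here.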

### 3.2 Protocol Vulnerability Correlation Graph Simplification

The original vulnerability graph is relatively large and needs to be simplified. We design a vulnerability reduction method based on loop correlation.

## 4 Protocol Attack Path Calculation

According to the protocol attack logic graph, we can analyze the attack process (the sequence in which atomic vulnerabilities are used) that can achieve the advanced attack target. We can also treat these associated atomic vulnerabilities as a whole, constituting a more advanced composite vulnerability. The protocol attack logic graph construction consists of three steps, described below.

### 4.1 Protocol Attack Logic Graph Construction

The protocol attack logic graph construction algorithm is divided into the following two steps: (1) the corresponding transformation between the attack target and the vulnerabilities of the protocol: according to the target, we search for the vulnerabilities used by the attacking method; (2) the protocol attack logic graph construction algorithm itself, which merges the same redundant vulnerability nodes and their associated paths of the correlation tree to generate the attack logic graph.

### 4.2 Logical Attack Graph Calculation

- 1. First convert the directed graph to an adjacency matrix, as shown in Fig. 4. The value of each element in the adjacency matrix is calculated by Eq. (1).

$$ a_{ij} = \begin{cases} 0 & i = j \\ 0 & \text{no directed edge from } i \text{ to } j \\ 1 & \text{directed edge from } i \text{ to } j \end{cases} \qquad (1) $$

- 2. Calculate the path cost of the logical attack graph by the adjacency matrix.

Each attack path on the composite attack logic graph is composed of a series of atomic attacks. This paper uses CVSS to quantify the attributes of an atomic vulnerability. The probability \( p_{i} \) that vulnerability \( i \) is used is:

$$ p_{i} = c_{i} \cdot d_{i} \cdot ic_{i} \qquad (2) $$

In (2), \( c_{i} \) is the confidence level of node \( i \), \( d_{i} \) is the degree of vulnerability of node \( i \), and \( ic_{i} \) is the influence coefficient of the constraint under which node \( i \) is used.

The atomic attack success hazard index \( h_{i} \) is:

$$ h_{i} = p_{i} \cdot k_{i} \qquad (3) $$

In (3), \( k_{i} \) is the attack's impact on confidentiality, integrity, and availability.

- a) Find a node with in-degree 0 and calculate the probability and hazard index of the vulnerability utility from this start node to the next node;

- b) Update the adjacency value from the start node to the next node in the adjacency matrix, while shadowing the row and column of the start node;

- c) With the shadowed matrix as input, jump to a);

- d) Find the end node to get the utility value of the attack.

In Algorithm 1, \( V_{ij}.P \) is the saved probability, \( p_{ij} \) is the probability of the attack, \( V_{ij}.H \) is the saved hazard index, and \( h_{ij} \) is the hazard index of the attack.

### 4.3 Optimal Attack Path Calculation

By calculating and continually updating the values of the adjacency matrix, we can calculate the benefit achieved for the attack target. The benefit of an atomic attack \( B_{F} \) is generally expressed as the hazard the attack poses to the communication protocol. The cost of an atomic attack \( C_{T} \) is expressed as the reciprocal of the probability of the attack. So we can calculate the utility value of the attack \( U \), which is equal to the difference between gain and cost.

In (4), \( a_{ij} \) is a non-zero element belonging to a node whose out-degree is 0 (that is, a terminating node), \( a_{ij}.h_{ij} \) is its hazard index, and \( a_{ij}.p_{ij} \) is the probability that the attack on that node succeeds.
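The following is an added example, not the paper's code: it builds the adjacency matrix of Eq. (1), runs steps a) to d) of Sect. 4.2 over it, and ranks the terminating-node values as Sect. 4.3 describes. The per-node probabilities and hazard indices are the values the paper reports in its atomic attack table (Sect. 5); the edge set is an assumption chosen to contain the four attack paths of the paper's path table, since the graph of Fig. 4 and Fig. 6 is not reproduced on the page. It also assumes that \( V_{ij}.P \) is the product of the \( p_{i} \) along a path and \( V_{ij}.H \) the sum of the \( h_{i} \), which reproduces the paper's (V6,V7,V1) and (V8,V1) rows exactly; the utility is taken literally as gain minus cost with cost \( 1/P \), because Eq. (4) itself is not on the page, so the utility column differs in scale from the paper's.

```python
# Added example (not the paper's code): Eq. (1) adjacency matrix, the a)-d)
# propagation of Sect. 4.2, and the Sect. 4.3 utility ranking.

# Atomic values from the paper's atomic attack table for the nodes that occur
# in its attack path table.
PROB = {"V0": 0.6, "V1": 0.9, "V4": 0.655, "V6": 0.85, "V7": 0.627, "V8": 0.4}
HAZ = {"V0": 4.93434, "V1": 7.40151, "V4": 5.38665, "V6": 6.99031,
       "V7": 5.15639, "V8": 3.28956}

NODES = ["V0", "V4", "V6", "V8", "V7", "V1"]
# Constructed edge set (assumption): the directed edges needed for the four
# attack paths of the paper's path table; Fig. 4 / Fig. 6 are not on the page.
EDGES = [("V0", "V7"), ("V6", "V7"), ("V7", "V1"), ("V8", "V1"), ("V4", "V1")]


def adjacency_matrix(nodes, edges):
    """Eq. (1): a_ij = 1 for a directed edge i -> j, otherwise 0 (diagonal 0)."""
    idx = {n: i for i, n in enumerate(nodes)}
    a = [[0] * len(nodes) for _ in nodes]
    for u, v in edges:
        a[idx[u]][idx[v]] = 1
    return a


def path_costs(nodes, edges, p, h):
    """Steps a)-d) of Sect. 4.2 run over the adjacency matrix.

    Each record stored on an edge is (path, V_ij.P, V_ij.H): the probability
    is multiplied and the hazard index summed along the path (assumption).
    Returns (path, P, H, U) for every path ending at an out-degree-0 node,
    with U = H - 1/P as Sect. 4.3 describes gain minus cost.
    """
    a = adjacency_matrix(nodes, edges)
    n = len(nodes)
    # records that have reached each node through any of its predecessors
    arrived = {v: [] for v in nodes}
    for i, v in enumerate(nodes):                # original sources seed themselves
        if not any(a[k][i] for k in range(n)):
            arrived[v].append(((v,), p[v], h[v]))
    active = list(range(n))                      # unshadowed rows/columns
    while active:
        # a) a node whose in-degree is 0 in the unshadowed matrix
        starts = [i for i in active if not any(a[k][i] for k in active)]
        if not starts:
            raise ValueError("cycle in attack logic graph; simplify it first (Sect. 3.2)")
        s = starts[0]
        for j in active:
            if a[s][j]:
                t = nodes[j]
                for path, prob, haz in arrived[nodes[s]]:
                    rec = (path + (t,), prob * p[t], haz + h[t])
                    arrived[t].append(rec)       # b) store V_ij.P / V_ij.H on edge s -> t
        active.remove(s)                         # b) shadow row and column; c) repeat
    # d) end nodes (out-degree 0) carry the complete attack-path values
    results = []
    for i, v in enumerate(nodes):
        if not any(a[i][j] for j in range(n)):
            for path, prob, haz in arrived[v]:
                results.append((path, prob, haz, haz - 1.0 / prob))
    return results


def optimal_path(results):
    """The attack path with the largest utility value (Sect. 4.3)."""
    return max(results, key=lambda r: r[3])


if __name__ == "__main__":
    res = path_costs(NODES, EDGES, PROB, HAZ)
    for path, prob, haz, util in sorted(res):
        print(path, round(prob, 6), round(haz, 4), round(util, 4))
    print("optimal:", optimal_path(res)[0])
```

Under these assumptions (V6,V7,V1) comes out with probability 0.479655 and hazard index 19.5482 and is the path with the largest utility, in agreement with the paper's conclusion in Sect. 5. Selecting only in-degree-0 nodes from the unshadowed matrix guarantees every predecessor has been processed before a node is expanded; if the graph still contains a loop, no such node exists and the function raises, which is the situation the Sect. 3.2 simplification is meant to remove beforehand.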

## 5 Experiment Analysis

Atomic attack success probability and hazard index:

| No. | Vulnerability | Attack probability | Hazard index |
|---|---|---|---|
| V0 | Address information easy to leak | 0.6 | 4.93434 |
| V1 | No encryption or weak encryption | 0.9 | 7.40151 |
| V2 | Header type field completeness check defect | 0.64 | 5.2633 |
| V3 | Header length completeness check defect | 0.456 | 3.7501 |
| V4 | Header field value is not defined | 0.655 | 5.38665 |
| V5 | The message is easily modified | 0.29 | 2.38493 |
| V6 | Sync head interference | 0.85 | 6.99031 |
| V7 | Weak identity authentication | 0.627 | 5.15639 |
| V8 | No time validation | 0.4 | 3.28956 |

Attack success probability and hazard index calculation:

| Attack path | Attack probability | Hazard index | Attack path utility value |
|---|---|---|---|
| (V0,V7,V1) | 0.22572 | 15.8475 | 0.281412 |
| (V4,V1) | 0.4995 | 11.9658 | 0.409024 |
| (V6,V7,V1) | 0.479655 | 19.5482 | 0.428499 |
| (V8,V1) | 0.36 | 10.6911 | 0.266464 |

Path (V6, V7, V1) is the attack path with the largest attack utility, as shown in Fig. 6.

## 6 Conclusion

The method is relatively concise, relying on the attack logic graph and adjacency matrix calculation. By expressing the complex link graph structure and removing repeated complex calculation, the method is made extensible. However, the experimental data of this paper is small in quantity. When the amount of data is large, the time overhead of constructing the vulnerability correlation graph and the attack logic graph is a weakness. Thus the algorithm needs to be optimized to fit the calculation of large-scale data.

## Notes

### Acknowledgement

This work is supported by China Academy of Engineering Physics Project 2014A0403020 and 2015A0403002.

## References

- 1. Shi, S.: Research on Formal Verification Methods of Security Protocols. Huazhong University of Science and Technology (2009)
- 2. Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 283–296. Springer, Heidelberg (2008). doi:10.1007/978-3-540-70567-3_22
- 3. Zhao, C., Wang, H., Lin, J., et al.: A generation method of network security hardening strategy based on attack graphs. Int. J. Web Serv. Res. 12(1), 45–61 (2015)
- 4. Keramati, M., Akbari, A., Keramati, M.: CVSS-based security metrics for quantitative analysis of attack graphs. In: International Conference on Computer and Knowledge Engineering, pp. 178–183. IEEE, Piscataway (2013)
- 5. Harada, T., Kanaoka, A., Okamoto, E., et al.: Identifying potentially-impacted area by vulnerabilities in networked systems using CVSS. In: 10th International Symposium on Applications and the Internet, pp. 367–370. IEEE, Piscataway (2010)
- 6. Holm, H., Ekstedt, M., Andersson, D.: Empirical analysis of system-level vulnerability metrics through actual attacks. IEEE Trans. Dependable Secure Comput. 9(6), 825–837 (2012)
- 7. Chen, X., Fang, B., Tan, Q., et al.: Inferring attack intent of malicious insider based on probabilistic attack graph model. Chin. J. Comput. 37(1), 62–72 (2014)
- 8. Liu, G., Zhang, H., Li, Q.: Network security optimal attack and defense decision-making method based on game model. J. Nanjing Univ. Sci. Technol. 38(1), 12–21 (2014)
- 9. Li, Q., Zhang, L., Zhang, C., Yang, T.: Optimization method for attack graph based on vulnerability exploit correlation. Comput. Eng. 38(21), 129–132 (2012)