DOI: 10.5555/1251398.1251406

MulVAL: a logic-based network security analyzer

Published: 31 July 2005

Abstract

To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial. First, the model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community. Second, the analysis must be able to scale to networks with thousands of machines.
We show how to achieve these two goals by presenting MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines.
We implemented our framework on the Red Hat Linux platform. Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language. We tested our tool on a real network with hundreds of users. The tool detected a policy violation caused by software vulnerabilities and the system administrators took remediation measures.
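As an added example that is not part of the paper or of the MulVAL project's code, the following Python sketch shows the kind of Datalog-style reasoning the abstract describes: reachability facts and service/vulnerability facts for a small network are combined by two Horn rules, and a fixpoint computation derives which hosts an attacker starting on the internet could gain code execution on across several hops. The predicate names are modelled loosely on MulVAL's but are an assumption here, and the hosts and cve-placeholder identifiers are constructed.

```python
# Added example, not MulVAL's own code: a minimal Datalog-style forward-chaining
# engine over MulVAL-like predicates. Predicate names, rules, hosts and the
# cve-placeholder ids are constructed; capitalised terms are variables.
def unify(atom, fact, env):  # bind atom's variables to fact's constants; None on mismatch
    env = dict(env)
    for p, f in zip(atom, fact):
        if (env.setdefault(p, f) if p[:1].isupper() else p) != f:
            return None
    return env

def matches(body, facts, env):  # yield every binding making all body atoms known facts
    if not body:
        yield env
        return
    atom, *rest = body
    for fact in facts:
        env2 = unify(atom, fact, env) if len(fact) == len(atom) else None
        if env2 is not None:
            yield from matches(rest, facts, env2)

def fixpoint(facts, rules):  # naive forward chaining until no new fact is derived
    facts = set(facts)
    while True:
        derived = {tuple(env.get(t, t) for t in head)
                   for head, body in rules for env in matches(body, facts, {})}
        if derived <= facts:
            return facts
        facts |= derived

RULES = [  # code execution on H0 gives network access to whatever H0 may reach
    (("netAccess", "H", "Prot", "Port"),
     [("execCode", "H0", "P0"), ("hacl", "H0", "H", "Prot", "Port")]),
    # reaching a remotely exploitable service gives code execution as its user
    (("execCode", "H", "Perm"),
     [("netAccess", "H", "Prot", "Port"),
      ("networkServiceInfo", "H", "Prog", "Prot", "Port", "Perm"),
      ("vulExists", "H", "Id", "Prog", "remoteExploit", "privEscalation")])]

FACTS = [("execCode", "internet", "none"),  # attacker's starting foothold
         ("hacl", "internet", "webServer", "tcp", "80"),
         ("hacl", "webServer", "fileServer", "tcp", "2049"),
         ("hacl", "webServer", "dbServer", "tcp", "5432"),  # dbServer is patched
         ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
         ("networkServiceInfo", "fileServer", "nfsd", "tcp", "2049", "root"),
         ("networkServiceInfo", "dbServer", "postgres", "tcp", "5432", "postgres"),
         ("vulExists", "webServer", "cve-placeholder-1", "httpd", "remoteExploit", "privEscalation"),
         ("vulExists", "fileServer", "cve-placeholder-2", "nfsd", "remoteExploit", "privEscalation")]

def compromised_hosts(facts=FACTS, rules=RULES):  # hosts where execCode is derived, minus attacker
    return sorted({f[1] for f in fixpoint(facts, rules) if f[0] == "execCode"} - {"internet"})
```

Removing the fileServer vulExists fact (the patched state) leaves only webServer in the result, which is the kind of what-if check an administrator runs to see which single remediation breaks the multistage chain.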

Published In

SSYM'05: Proceedings of the 14th conference on USENIX Security Symposium - Volume 14, July 2005, 340 pages.
Publisher: USENIX Association, United States.