A simple, smart and extensible framework for network security measurement

Abstract

Several efficient tools have emerged to aim at auditing and measuring the security of a computer system or an internal network. Along with the increasing complexity of network attacks, these tools become more and more complicated. Even so, most of them can only do simple snapshot analysis of the current system and are incapable of identifying possible attacks whose preconditions are not fulfilled at the beginning but may be possible during the further attack progression. This paper proposes a new framework for the security measurement that commits complex attack sequences and does stateful inspection of the target environment. The framework consists of five core components: Information Gatherer, Knowledge Base, Interaction Agent, Evaluation Engine and User Interface. An easy-to-use tool, called SNAPP, is realized based on the proposed framework. The dependencies among each attack step in an attack sequence revealed by SNAPP can be easily expressed using Attack Graphs which assist to make security evaluations of the testing environment. Several experiments that actually simulate and perform some well known penetration attacks using SNAPP are presented and analyzed for comparison and measurement of current security methods, such as the conventional filtering-based firewalls and our patented Lock-Keeper technology, which is an implementation of the high-level security concept "Physical Separation". © 2008 Springer-Verlag Berlin Heidelberg.