Matthew Tassava,Cameron Kolodjski,Jeremy Straub

2024-09-17

Abstract:A system vulnerability analysis technique (SVAT) for the analysis of complex mission critical systems (CMCS) that cannot be taken offline or subjected to the risks posed by traditional penetration testing was previously developed. This system uses path-based analysis of vulnerabilities to identify potential threats to system security. Generalization logic building on the Blackboard Architecture's rule-fact paradigm was implemented in this system, the software for operation and network attack results review (SONARR). This paper presents an overview of additional functionality that has been added to this tool and the experimentation that was conducted to analyze their efficacy and the performance benefits of the new in-memory processing capabilities of the SONARR algorithm. The results of the performance tests and their relation to networks' architecture are discussed. The paper concludes with a discussion of avenues of future work, including the implementation of multithreading, additional analysis metrics like confidentiality, integrity, and availability, and improved heuristic development.

Cryptography and Security

Matthew Tassava,Cameron Kolodjski,Jordan Milbrath,Jeremy Straub

2024-09-17

Abstract:The development of a system vulnerability analysis tool (SVAT) for complex mission critical systems (CMCS) produced the software for operation and network attack results review (SONARR). This software builds upon the Blackboard Architecture and uses its a rule-fact logic to assess model networks to identify potential pathways that an attacker might take through them via the exploitation of vulnerabilities within the network. The SONARR objects and algorithm were developed previously; however, performance was insufficient for analyzing large networks. This paper describes and analyzes the performance of a multi-threaded SONARR algorithm and other enhancements which were developed to increase SONARR's performance and facilitate the analysis of large networks.

Cryptography and Security

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Yinan Wang,Gangfeng Yan,Ronghao Zheng

DOI: https://doi.org/10.3390/app8050768

2018-01-01

Applied Sciences

Abstract:The integration of modern computing and advanced communication with power grids has led to the emergence of electrical cyber-physical systems (ECPSs). However, the massive application of communication technologies makes the power grids become more vulnerable to cyber attacks. In this paper, we study the vulnerability of ECPSs and develop defence strategies against cyber attacks. Detection and protection algorithms are proposed to deal with the emergency of cascading failures. Moreover, we propose a weight adjustment strategy to solve the unbalanced power flows problem which is caused by splitting incidents. A MATLAB-based platform with advantages of easy programming, fast calculation, and no damage to systems is built for the offline simulation and analysis of the vulnerability of ECPSs. We also propose a five-aspect method of vulnerability assessment which includes the robustness, economic costs, degree of damage, vulnerable equipment, and trip point. The study is of significance to decision makers as they can get specific advice and defence strategies about a special power system.

Xiuzhen Chen,Qinghua Zheng,Xiaohong Guan

DOI: https://doi.org/10.1007/s10796-008-9111-6

2008-01-01

Information Systems Frontiers

Abstract:Many security problems are caused by vulnerabilities hidden in enterprise computer networks. It is very important for system administrators to have knowledge about the security vulnerabilities. However, current vulnerability assessment methods may encounter the issues of high false positive rates, long computational time, and requirement of developing attack codes. Moreover, they are only capable of locating individual vulnerabilities on a single host without considering correlated effect of these vulnerabilities on a host or a section of network with the vulnerabilities possibly distributed among different hosts. To address these issues, an active vulnerability assessment system NetScope with C/S architecture is developed for evaluating computer network security based on open vulnerability assessment language instead of simulating attacks. The vulnerabilities and known attacks with their prerequisites and consequences are modeled based on predicate logic theory and are correlated so as to automatically construct potential attack paths with strong operation power of relational database management system. The testing results from a series of experiments show that this system has the advantages of a low false positive rate, short running periods, and little impact on the performance of audited systems and good scalability. The security vulnerabilities, undetectable if assessed individually in a network, are discovered without the need to simulate attacks. It is shown that the NetScope system is well suited for vulnerability assessment of large-scale computer networks such as campus networks and enterprise networks. Moreover, it can also be easily integrated with other security tools based on relational databases.

Georgios Bakirtzis,Brandon J. Simon,Aidan G. Collins,Cody H. Fleming,Carl R. Elks

DOI: https://doi.org/10.1109/JSYST.2019.2940145

2019-09-06

Abstract:Applying security as a lifecycle practice is becoming increasingly important to combat targeted attacks in safety-critical systems. Among others there are two significant challenges in this area: (1) the need for models that can characterize a realistic system in the absence of an implementation and (2) an automated way to associate attack vector information; that is, historical data, to such system models. We propose the cybersecurity body of knowledge (CYBOK), which takes in sufficiently characteristic models of systems and acts as a search engine for potential attack vectors. CYBOK is fundamentally an algorithmic approach to vulnerability exploration, which is a significant extension to the body of knowledge it builds upon. By using CYBOK, security analysts and system designers can work together to assess the overall security posture of systems early in their lifecycle, during major design decisions and before final product designs. Consequently, assisting in applying security earlier and throughout the systems lifecycle.

Systems and Control,Cryptography and Security

Zongjie Li,Zhibo Liu,Wai Kin Wong,Pingchuan Ma,Shuai Wang

DOI: https://doi.org/10.1109/tdsc.2024.3354789

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In recent years, query-based static application security testing (Q-SAST) tools such as CodeQL have gained popularity due to their ability to codify vulnerability knowledge into SQL-like queries and search for vulnerabilities in the database derived from the software. The industry has made considerable progress in building Q-SAST tools, facilitating their integration into the continuous integration (CI) pipeline, and sustaining an active community. However, we do not have a systematic understanding of their vulnerability detection capability in comparison to conventional SAST tools. We conduct the first in-depth study of Q-SAST to demystify their C/C++ vulnerability detectability. Our study is conducted from three complementary aspects. We first use a synthetic CWE test suite and a real-world CVE test suite, totaling almost 30K programs with known CWE/CVE, to assess popular (commercial) Q-SAST and industry-leading SAST (requiring no queries). Then, we gather defect-fixing pull requests (PRs) since the release dates of three popular Q-SAST tools, characterizing historically-fixed defects and comparing them to pitfalls exposed in our CWE/CVE study. To enhance vulnerability detection, we design SAST-MT, a metamorphic testing framework to detect false positives (FPs) and false negatives (FNs) of Q-SAST. Findings of SAST-MT can be used to easily expose the root causes of Q-SAST's FPs and FNs. We summarize lessons from our study that can benefit both users and developers of Q-SAST.

computer science, information systems, software engineering, hardware & architecture

Gaurav Sharma,Stilianos Vidalis,Catherine Menon,Niharika Anand

DOI: https://doi.org/10.1007/s11042-022-14036-y

Abstract:Proactive security plays a vital role in preventing the attack before entering active mode. In the modern information environment, it depends on the vulnerability management practitioners of an organization in which the critical factor is the prioritization of threats. The existing models and methodology follow the traditional approaches of a Common Vulnerability Scoring System (CVSS) to prioritize threats and vulnerabilities. The CVSS is not able to provide effectiveness to the security of the business of an organization. In contrast, the vulnerability analysis needs a model which can give significance to the prioritization policies. The model depends on the CVSS score of threats and compares various features of vulnerability like threat vectors, inputs, environments used by threat agent's groups, and potential outputs of threat agents. Therefore, the research aims to design a semi-automatic model for vulnerability analysis of threats for the National Institute of Standards and Technology (NIST) database of cyber-crime. We have developed a semi-automatic model that simulates the CVE (Common Vulnerabilities and Exposures) list of the NIST database between 1999 and 2021, concerning the resources used by the threat agents, pre-requisites input, attack vectors, and dormant results. The semi-automatic approach of the model to perform the vulnerability analysis of threat agent groups identified in a network makes the model more efficient and effective to addresses the profiling of threat agents and evaluating the CTI (Critical Threat intelligence feed). Our experimental results imply that the semi-automatic model implements the vulnerability prioritization based on the CVSS score and uses the comparative analysis based on the threat agent's vectors identified. It also provides potency and optimized complexity to an organization's business to mitigate the vulnerability identified in a network.

Pavlos Cheimonidis,Kontantinos Rantos

2024-03-20

Abstract:The convergence of information and communication technologies has introduced new and advanced capabilities to Industrial Control Systems. However, concurrently, it has heightened their vulnerability to cyber attacks. Consequently, the imperative for new security methods has emerged as a critical need for these organizations to effectively identify and mitigate potential threats. This paper introduces an innovative approach by proposing a dynamic vulnerability criticality calculator. Our methodology encompasses the analysis of environmental topology and the effectiveness of deployed security mechanisms, coupled with the utilization of the Common Vulnerability Scoring System framework to adjust detected vulnerabilities based on the specific environment. Moreover, it evaluates the quantity of vulnerabilities and their interdependencies within each asset. Additionally, our approach integrates these factors into a comprehensive Fuzzy Cognitive Map model, incorporating attack paths to holistically assess the overall vulnerability score. To validate the efficacy of our proposed method, we present a relative case study alongside several modified scenarios, demonstrating its effectiveness in practical applications.

Cryptography and Security

Deqing Zou,Ju Yang,Zhen Li,Hai Jin,Xiaojing Ma

DOI: https://doi.org/10.1007/978-3-030-19223-5_17

2019-01-01

Abstract:Vulnerability severity assessment is an important research problem. Common Vulnerability Scoring System (CVSS) has been widely used to quantitatively assess the vulnerability severity, but its assessment process relies on human experts to determine metric values, which makes the assessment process tedious and subjective. This calls for tools that can assess the vulnerability severity automatically and objectively. In this paper, we move a step forward in this direction by proposing an approach for automatic assessment of vulnerability severity based on attack process, dubbed Open image in new window (AutoCVSS). The key insight is to leverage characteristics and rules we define to model the CVSS base metrics, and assess the vulnerability severity more automatically and objectively by capturing the attributes related to the characteristics during the attack process. In order to evaluate AutoCVSS, we reproduce the attacks for 98 vulnerabilities from Linux kernel, FTP service, and Apache service with their exploits. The experimental results show that the vulnerability severity scores automatically obtained by AutoCVSS are basically in accordance with those assessed manually by security experts in the National Vulnerability Database (NVD), which verifies the effectiveness of our approach.

Pavlos Cheimonidis,Konstantinos Rantos

DOI: https://doi.org/10.1007/s10207-024-00858-4

2024-05-10

International Journal of Information Security

Abstract:The convergence of information and communication technologies has introduced new and advanced capabilities to Industrial Control Systems. However, concurrently, it has heightened their vulnerability to cyber attacks. Consequently, the imperative for new security methods has emerged as a critical need for these organizations to effectively identify and mitigate potential threats. This paper introduces an innovative approach by proposing a dynamic vulnerability severity calculator. Our methodology encompasses the analysis of environmental topology and the effectiveness of deployed security mechanisms, coupled with the utilization of the Common Vulnerability Scoring System framework to adjust detected vulnerabilities based on the specific environment. Moreover, it evaluates the quantity of vulnerabilities and their interdependencies within each asset. Additionally, our approach integrates these factors into a comprehensive Fuzzy Cognitive Map model, incorporating attack paths to holistically assess the overall vulnerability score. To validate the efficacy of our proposed method, we present a relative case study alongside several modified scenarios, demonstrating its effectiveness in practical applications.

computer science, information systems, theory & methods, software engineering

Alaa T. AL Ghazo,Ratnesh Kumar

DOI: https://doi.org/10.1109/tsmc.2023.3345254

2024-01-01

IEEE Transactions on Systems, Man, and Cybernetics: Systems

Abstract:Supervisory control and data acquisition (SCADA) and industrial control systems (ICSs) are designed to operate for extended periods of time and can withstand extreme conditions. However, operators, engineers, and offices change over time, which can lead to outdated documentation and references. This can make it difficult to identify system components and their vulnerabilities, which can pose a security risk. In this article, we present an automated passive method for identifying system components based on network traffic structure and network message characteristics. The proposed approach considers both TCP/IP and Modbus, the two primary communication protocols in SCADA, to identify devices. The algorithm was implemented in Python and evaluated using water treatment SCADA data collected from the iTrust facility. Once the system devices have been identified, the algorithm queries the National Vulnerability Database (NVD) and the Common Vulnerabilities and Exposures (CVE) databases to identify each device’s known vulnerabilities. Using our research on automated attack graph generation and visualization (A2G2V) and strongly connected component induced min label cut (SCCiMLC), we can map device vulnerabilities to system-level attack graphs and identify the bare minimum of device vulnerabilities to mitigate in order to secure the entire system. The proposed technique has been demonstrated to be beneficial in identifying system components in SCADA and ICS systems to increase their security.

automation & control systems,computer science, cybernetics

Takeru Naito,Rei Watanabe,Takuho Mitsunaga

DOI: https://doi.org/10.1109/ICSPIS60075.2023.10344019

2023-11-08

Abstract:As businesses become more dependent on IT due to digital transformation, a variety of attackers are targeting companies, government agencies, and individuals to steal information and disrupt services. To reduce the risks these cyber threats pose, penetration testing and red teaming are important. On the other hand, these initiatives require skills and knowledge, and there is a shortage of human resources. This research aims to demonstrate the effectiveness of a system that inputs asset management data and vulnerability information into ChatGPT and searches for attack routes with a high threat level. Specifically, ChatGPT uses information used for IT asset management (OS type, version, device usage, account), vulnerability information published by CISA, and network information as input values to verify whether it is possible to output attack routes that are useful for penetration testing and red teaming. The results of the experiment confirmed that attack vectors for penetration testing and red teaming could be used to effectively uncover cybersecurity threats within an organization and perform risk assessments.

Computer Science

H. T. Tian,Liusheng Huang,Z. Zhou,Yonglong Luo

DOI: https://doi.org/10.1109/ISPAN.2004.1300542

2004-01-01

Abstract:With the continuous flood of vulnerabilities of computers, vulnerability management is a very important task for administrators to keep systems as secure as possible. Facing numerous attackers armed with complicated, automated tools, current manual vulnerability management by administrators is so time-consuming, error-prone. Administrators also do need automated defensive tools. This paper proposes an open framework of automated vulnerability management that dramatically alleviates the burden of administrators and improves the security of systems. In this framework, we present three XML based markup languages, Common Vulnerability Markup Language (CVML), System Information Markup Language (SIML), Network System Markup Language (NSML) to express crucial information related to systems and vulnerabilities to facilitate automated exchange and processing. Host Vulnerability Managers (HVMs) running on the target host maintain the crucial system information in SIML, receive vulnerability advisories in CVML from various sources, decide what vulnerabilities exist, and try to fix vulnerabilities automatically if possible. Domain vulnerability managers (DVMs) are responsible for the vulnerability management in NSML of the local network. DVMs correlate reports from HVMs and scan for network-based vulnerabilities in this domain. We have implemented a prototype of the framework that shows the effectiveness and efficiency of our solution.

Jeremy Straub

2023-06-07

Abstract:Penetration testing increases the security of systems through tasking testers to 'think like the adversary' and attempt to find the ways that an attacker would break into the system. For many systems, this can be conducted in a safe and controlled way; however, some systems are so critical to human life and safety that the risk of their failure or disablement due to active penetration testing cannot be assumed. These systems are also critical to evaluate the security of, to prevent attackers from disabling them or causing their maloperation; however, this must be done in a manner that doesn't risk the very malady that testing seeks to avoid through the testing process itself. This paper presents P2SCP, a paradigm for penetration testing of systems that cannot be subjected to the risk of penetration testing. It discusses how data collection, the creation of digital twins and cousins and evaluative analysis can be utilized to conduct virtual penetration tests on critical infrastructure systems. This proposed paradigm is analyzed through the use of several case studies.

Cryptography and Security

CHEN Xiu-zhen,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1000-1220.2007.09.004

2007-01-01

Abstract:The main intention of vulnerability assessment technology is to find existed vulnerabilities hidden in the networked systems by active probing and to provide corresponding solutions before hackers exploit them. It is based on the idea of nip in the bud. The most vulnerability assessment systems have shortcomings of high false rate, long-term scanning period and using exploit code. Aimed at these shortcomings, a novel model of vulnerability assessment based on open vulnerability assessment language is proposed in this paper. The proposed system consists of three modules: central console, checking agent and data center, which corporate to achieve vulnerability assessment. Compared with other vulnerability assessment systems, it is of high precision, low impact on the audited system performance, short term scanning period and strong scalability. Moreover, it avoids the work of developing exploit code required by traditional vulnerability assessment systems.

Meng Li,Liangzhen Lai,Vikas Chandra,David Z. Pan

DOI: https://doi.org/10.1145/3061639.3062220

2017-01-01

Abstract:Fault attack becomes a serious threat to system security and requires to be evaluated in the design stage. Existing methods usually ignore the intrinsic uncertainty in attack process and suffer from low scalability. In this paper, we develop a general framework to evaluate system vulnerability against fault attack. A holistic model for fault injection is incorporated to capture the probabilistic nature of attack process. Based on the probabilistic model, a security metric named as System Security Factor (SSF) is defined to measure the system vulnerability. In the framework, a Monte Carlo method is leveraged to enable a feasible evaluation of SSF for different systems, security policies, and attack techniques. We enhance the framework with a novel system pre-characterization procedure, based on which an importance sampling strategy is proposed. Experimental results on a commercial processor demonstrate that compared to random sampling, a 2500X speedup is achieved with the proposed sampling strategy. Meanwhile, 3% registers are identified to contribute to more than 95% SSF. By hardening these registers, a 6.5X security improvement can be achieved with less than 2% area overhead.

Luis Alberto Benthin Sanguino,Rafael Uetz

DOI: https://doi.org/10.48550/arXiv.1705.05347

2017-05-16

Abstract:In this paper, we analyze the Common Platform Enumeration (CPE) dictionary and the Common Vulnerabilities and Exposures (CVE) feeds. These repositories are widely used in Vulnerability Management Systems (VMSs) to check for known vulnerabilities in software products. The analysis shows, among other issues, a lack of synchronization between both datasets that can lead to incorrect results output by VMSs relying on those datasets. To deal with these problems, we developed a method that recommends to a user a prioritized list of CPE identifiers for a given software product. The user can then assign (and, if necessary, adapt) the most suitable CPE identifier to the software so that regular (e.g., daily) checks can find known vulnerabilities for this software in the CVE feeds. Our evaluation of this method shows that this interaction is indeed necessary because a fully automated CPE assignment is prone to errors due to the CPE and CVE shortcomings. We implemented an open-source VMS that employs the proposed method and published it on GitHub.

Cryptography and Security

赖维莹,陈秀真,李建华

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.18.056

2008-01-01

Abstract:The paper proposes a novel active vulnerability detection system based on C/S mode.This system is composed of two modules:agentand console.The detection agent, which is a vulnerability scanner based on OVAL Schema, can give an effective and all-sided vulnerability scan aswell as reporting the result to the console without any damage to the network.At the same time, the console realizes remote control against theprocess of scans on several computers and gathering of scan results of the whole network.The test result proves that this system is feasible andadvanced.