MulVAL Attack Paths Engine - FIWARE Forge Wiki


From FIWARE Forge Wiki


Brief description

The objective is to preemptively identify attack traces and to prevent access to the assets that are the target of an attack. An attack can impact a service by compromising resources that are needed to deliver that service. Failure to complete a task could degrade service delivery effectiveness or cause the service to fail. In FI-WARE it will be possible to assign a value to sensitive services, for example, and to their associated resources, which provides a basis for measuring the service impact of an attack. The attack trace engine is used to understand which vulnerabilities an attacker can exploit next and, based on the current state of the services, to anticipate the impact of each attack step and then suggest the best actions to minimize future impact. The discovery of attack traces requires a reasoning engine that analyses the inputs from OVAL vulnerability scanners, the network topology database and Common Vulnerability Scoring System (CVSS) scores.

Programming artefacts

The attack trace engine models the interaction of component vulnerabilities with system and network configurations.

The information in the vulnerability database provided by the bug-reporting community, the configuration information of each machine and the network, and other relevant information are all encoded as Datalog facts.

The reasoning engine consists of a collection of Datalog rules that capture operating system behavior and the interaction of the various components in the network. Integrating information from the bug-reporting community and off-the-shelf scanning tools into the reasoning model is therefore straightforward.

Technologies Used

- Datalog language (deductive database programming), a subset of Prolog, used as the modeling language for the elements of the analysis (vulnerability specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.).

- Reasoning rules specifying semantics of different kinds of exploits, compromise propagation, and multihop network access.

- Host Access Control List specifying all accesses between hosts that are allowed by the network.

- Policy specification defining user access rules to information and services.

- Binding information mapping a data symbol to a path on a machine.
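The Datalog encoding described above (facts from the scanner, host ACL and service configuration; rules for remote exploits, compromise propagation and multihop network access) can be illustrated with a small forward-chaining engine. This is an added example, not MulVAL's own code: the predicate names follow MulVAL's vocabulary, but the hosts, vulnerability identifiers, rule bodies and the "?"-prefixed variable convention are constructed assumptions.

```python
# Added example (not MulVAL's own code): a minimal forward-chaining Datalog
# engine in the style the page describes. Predicate names follow MulVAL's
# vocabulary; hosts, vulnerability ids and rule bodies are constructed
# placeholders. Variables are strings starting with "?", all else constants.
FACTS = {
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", "80"),      # host ACL entries
    ("hacl", "webServer", "dbServer", "tcp", "3306"),
    ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
    ("networkServiceInfo", "dbServer", "mysqld", "tcp", "3306", "mysql"),
    ("vulExists", "webServer", "vuln-web-1", "httpd"),   # scanner findings
    ("vulExists", "dbServer", "vuln-db-1", "mysqld"),
    ("vulProperty", "vuln-web-1", "remoteExploit", "privEscalation"),
    ("vulProperty", "vuln-db-1", "remoteExploit", "privEscalation"),
}
RULES = [  # (head, body): multihop network access and compromise propagation
    (("netAccess", "?H", "?Pr", "?Po"),
     [("attackerLocated", "?S"), ("hacl", "?S", "?H", "?Pr", "?Po")]),
    (("netAccess", "?H", "?Pr", "?Po"),
     [("execCode", "?S", "?U"), ("hacl", "?S", "?H", "?Pr", "?Po")]),
    (("execCode", "?H", "?U"),
     [("netAccess", "?H", "?Pr", "?Po"),
      ("networkServiceInfo", "?H", "?Prog", "?Pr", "?Po", "?U"),
      ("vulExists", "?H", "?V", "?Prog"),
      ("vulProperty", "?V", "remoteExploit", "privEscalation")]),
]
def unify(pattern, fact, env):  # extend env so pattern matches fact, or None
    if len(pattern) != len(fact): return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if p.startswith("?"):
            if env.setdefault(p, f) != f: return None
        elif p != f: return None
    return env
def matches(body, facts, env):  # yield every binding satisfying all body atoms
    if not body:
        yield env; return
    for f in facts:
        e = unify(body[0], f, env)
        if e is not None: yield from matches(body[1:], facts, e)
def derive(facts, rules):  # apply rules until no new fact appears (fixed point)
    facts = set(facts)
    while True:
        new = {tuple(env.get(t, t) for t in head)
               for head, body in rules for env in matches(body, facts, {})}
        if new <= facts: return facts
        facts |= new
def compromised_hosts(facts=FACTS, rules=RULES):
    """(host, user) pairs where code execution is derivable for the attacker."""
    return sorted((f[1], f[2]) for f in derive(facts, rules) if f[0] == "execCode")
```

Running `compromised_hosts()` on the constructed facts yields the two-hop trace internet → webServer → dbServer; removing the web server's vulnerability fact breaks the chain, which is the kind of "best action" comparison the engine supports.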

Runtime pre-requisites

Network topology, the vulnerability collection from an OVAL scanner, the ITAC database and CVSS scoring.

In addition, for impact analysis, we assume that service workflows are known and state which resources are needed for service delivery.

IPR

Usage is subject to prior authorisation by the University of Kansas.

Publicly available information

http://people.cis.ksu.edu/~xou/mulval/
