1 Introduction

With the rapid development of the home Internet, a large number of smart terminals access the Internet via routers located in the home [1]. Smart devices in a home Internet, such as routers and cameras, suffer social engineering and other malicious attacks from hackers every day. Attackers use various social engineering attacks, such as e-mail and phishing attacks, to obtain the username and password of the home Internet router, and then attack all kinds of home Internet smart terminals, causing enormous losses. At the same time, with the rapid development of cloud computing, home Internet data stored in cloud services faces many security problems. Researchers have proposed many solutions for cloud data storage. For example, Jian Shen et al. [2] proposed a security audit protocol to address secure data storage in cloud services. Yan Kong et al. [3] proposed a decentralized belief propagation-based method called PD-LBP to improve the efficiency of accessing encrypted home Internet data on the cloud. A “Greedy Depth-first Search” algorithm was proposed by Zhihua Xia et al. [4] to provide efficient multi-keyword ranked search. Dengzhi Liu et al. [5] proposed a framework for urban data sharing that exploits attribute-based cryptography. LiZhi Xiong et al. [6] proposed a novel reversible data hiding (RDH) scheme for encrypted digital images using integer wavelet transform, histogram shifting, and orthogonal decomposition. Jian Shen et al. [7] proposed an efficient multi-layer authentication protocol and a secure session key generation method for WBANs. To enhance the security defense ability of a home Internet, many researchers have proposed dynamically enabled technology, which changes system states dynamically. This paper attempts to evaluate the effectiveness of dynamically enabled technology based on vulnerability analysis and attack layer measurement.

2 Related work

2.1 Home Internet

A home Internet comprises a TV, a refrigerator, air conditioning, and other smart appliances in the home environment [8]. It is responsible for the interconnection and intelligent cooperation among these smart appliances.

A home Internet is composed of smart terminals, communication networks, clouds, and controller APPs. The framework of a home Internet system is shown in Fig. 1.

Fig. 1 Framework of a home Internet

As Fig. 1 shows, equipment such as a TV, refrigerator, and camera acts as a service provider in a home Internet. The router is an important piece of equipment that manages network layer connectivity between a WAN and the LAN. Controller APPs control the equipment through the cloud.

2.2 Vulnerability in a home Internet

A home Internet system contains four attack layers, including smart terminals, communication networks, controller APPs, and clouds. Each input point in a home Internet system may be an attack point, and these attack points are aggregated into different attack surfaces. Multiple attack surfaces form an attack layer, as shown in Table 1.

Table 1 Security vulnerability in a home Internet system

Therefore, the number of attack points in each attack layer is equal to the sum of the number of attack points in each attack surface.

If the number of attack points is large, the attack layers and the entire system carry additional risk. When a system is vulnerable, the way to reduce the security risk is to reduce the number of attack surfaces in each attack layer.

3 Dynamically enabled defense effectiveness evaluation based on vulnerability analysis

3.1 Concepts of a vulnerability assessment

The core concept of dynamically enabled defense technology is to change the state of the system randomly, making it difficult for an attacker to directly exploit accumulated and outdated system vulnerabilities [9]. In theory, the number of vulnerabilities and the ease of exploiting them change before and after a home Internet system is adjusted using dynamically enabled defense technology [10]. Additionally, only a decline in the number of vulnerabilities and an increase in the ease of vulnerability usage can positively affect the dynamic change of the system status [11]. Therefore, analyzing the vulnerability distribution before and after the home Internet system changes can accurately evaluate the defense effectiveness of dynamically enabled defense technology [12].

3.2 Vulnerability scoring

According to the form of their results, vulnerability assessment techniques can be divided into qualitative and quantitative evaluations. Qualitative evaluation assigns a threat level to vulnerabilities, such as high, medium, or low, based on vulnerability assessment factors. Quantitative evaluation assigns a specific threat score to vulnerabilities based on established rating factors, for example, an integer between 0 and 10. Currently, the Information Security Technology Security Vulnerability Classification Guide [13] provides domestic standardized vulnerability rating criteria. This paper improves on these criteria and performs a quantitative evaluation of a home Internet system.

3.2.1 Information Security Technology Security Vulnerability Classification Guide

The Information Security Technology Security Vulnerability Classification Guide (GB/T 30279-2013) specifies classification elements and threat degrees of information security system vulnerabilities that are applicable to information security vulnerability management organizations and information security vulnerability issuing agencies to evaluate and identify the hazard degree of information security system vulnerabilities [14]. It is also a reference for information security product production, technology research and development, system operations, and other organizations and institutions performing related work [15].

The criteria provide a classification method for security vulnerabilities. Users can perform a comprehensive evaluation of the damage degree of a vulnerability based on the specific deployment of an affected system and the vulnerability threat level given by the criteria [16].

In the criteria, the security vulnerability classification elements include three aspects: access vector, access complexity, and impact degree. The available values for the access vector include “local,” “adjacent,” and “remote.” In general, the damage degree of a vulnerability that can be exploited remotely is higher than one that can be exploited adjacently. The available values of access complexity include “simple” and “complex,” and the damage degree of the vulnerability that has a “simple” access complexity is higher. The available values of impact degree include “completely,” “partially,” “lightly,” and “none.” Generally, the greater the vulnerability impact degree, the higher the degree of damage.

From low to high, the security vulnerability damage degree is low, medium, high, and super. The specific hazard level is determined by the values of the three elements (access vector, access complexity, and impact degree).

In the evaluation process, the Information Security Technology Security Vulnerability Classification Guide first assigns values to access vector, access complexity, and impact degree (confidentiality, integrity, and availability). These values reflect the potential impact of the vulnerability itself. Then, based on the evaluation values of confidentiality, integrity, and availability, the impact degree is calculated. Finally, on the basis of the evaluation values of access vector, access complexity, and impact degree, the final threat level of the vulnerability is determined. The grade assessment produced by the criteria is a quantitative assessment.

Figure 2 describes the threat level evaluation process for security vulnerabilities in the Information Security Technology Security Vulnerability Classification Guide.

Fig. 2 Threat level evaluation process for security vulnerability

3.2.2 Improved vulnerability evaluation method

Considering the home Internet system, this paper makes some improvements based on the Information Security Technology Security Vulnerability Classification Guide. The improved vulnerability evaluation method is more suitable for vulnerability assessment of a home Internet system. It is a quantitative assessment method and can describe the damage degree of a vulnerability more accurately. The primary changes are as follows:

  1) Add “physical” to the range of values for the access vector, because physical paths can directly launch attacks.

  2) Adjust the range of values of access complexity to “low,” “medium,” and “high.”

  3) Add corresponding values to the related attributes of each vulnerability evaluation factor.

  4) Obtain the evaluation score of the impact degree by a mathematic formula.

  5) Combine the evaluation scores of each factor using a mathematic formula to calculate the final vulnerability score.

The improved vulnerability evaluation method is shown in Fig. 3.

Fig. 3 Improved vulnerability evaluation method

The indicators and their values based on the improved vulnerability evaluation method are shown in Tables 2, 3, and 4.

Table 2 Value range for access vector
Table 3 Value range for access complexity
Table 4 Value range for impact degree

In the improved vulnerability evaluation method, the mathematic formula for calculating the score of the impact degree factor is as follows:

$$ \mathrm{Impact}=\mathrm{ConfImpact}\times \mathrm{ConfImpactBias}+\mathrm{IntegImpact}\times \mathrm{IntegImpactBias}+\mathrm{AvailImpact}\times \mathrm{AvailImpactBias} $$

The value ranges of the impact factors are shown in Table 5.

Table 5 Value ranges of the impact factors

In the improved vulnerability evaluation method, the mathematic formula for final vulnerability score is as follows: Score = round(10 × AccessVector × AccessComplexity × Impact).

However, in an actual home Internet system, attack points may become more likely to be exploited by an attacker after dynamically enabled defense. The method based on vulnerability analysis considers only the strategies of the defenders. Therefore, the next section introduces the changing behaviors of the attackers: a method to measure the change of an attack layer, based on the Markov chain, is proposed to evaluate the effectiveness of dynamically enabled defense.

4 A measurement method for an attack layer based on the Markov chain

During system attack and defense, the strategies of attackers and defenders change dynamically. This paper proposes a measurement method for an attack layer based on the Markov chain (MC). The method is improved by introducing stochastic Petri net (SPN) theory, and it can be used to evaluate the effectiveness of dynamically enabled defense.

4.1 Method description

Defenders perform dynamically enabled defense of the attack layer. Dynamically enabled defense means that the attack layer undergoes state transitions, reaching different states with certain probabilities. The transition probabilities between each pair of states constitute a state transition probability matrix. The next state depends only on the present state; it is independent of past states. This mathematical model satisfies the Markov property and is called a Markov chain.

The primary concept of dynamically enabled defense is to present a constantly changing attack layer to the attacker to increase the difficulty of detecting and using the attack points in the attack layer. The defense attempts to reduce the system attack surface.

Regardless of the initial state, a home Internet system will eventually reach an equilibrium state after a finite number of state transitions. Thus, the probability that the attack layer of a system finally reaches a specific state can be determined. Additionally, the mathematical expectation of the attack layer can be calculated, which is the defense effect expected after a series of dynamic changes.

Assume that the initial state of a home Internet system is \( S_0 \). After \( n \) state transitions, the system reaches its final stationary state. The state transition of the attack layer of the system is shown in Fig. 4.

Fig. 4 State transition of attack layer

4.2 Attack layer measurement model establishment

Based on a home Internet environment and assuming that the defender does not know the actual state of the attack layer, the transition of the attack point in the system is random.

  • Definition 1: Assume that the state \( S \) of a home Internet system is a discrete set \( S=\{S_0, S_1, \dots, S_n\} \). The transition probability among the attack layer’s states is denoted as \( P_{t,i} \). Therefore, the transition probability matrix of the system state \( P_t \) is an \( (n+1) \)-th order matrix, which can be denoted as follows:

$$ P=\left(\begin{array}{ccc}{P}_{0,0}& \dots & {P}_{0,\mathrm{n}}\\ {}\vdots & \ddots & \vdots \\ {}{P}_{\mathrm{n},0}& \cdots & {P}_{\mathrm{n},\mathrm{n}}\end{array}\right) $$

The stationary distribution probability of the Markov chain \( X=(x_0, x_1, \dots, x_n) \) can be calculated from the equation set \( \left\{\begin{array}{l}X\bullet P=0\\ {}\sum \limits_{\mathrm{i}}{x}_{\mathrm{i}}=1,\kern0.5em 1\le i\le n\end{array}\right. \).

Attack layer detection probability \( P_{\mathrm{d}} \) is proposed in this paper. It is an important indicator that affects the mathematical expectation of the attack layer in a dynamic system. \( P_{\mathrm{d}} \) is closely related to a variety of factors, such as the skill level of the attacker, the attacker’s familiarity with the system, the amount of computing resources, and the length of the analysis time.

  • Definition 2: Given certain computing resources, and ignoring the degree of randomization and the size of the state space, the attack layer detection probability is assumed to be linearly related only to the time the attacker spends analyzing the system. Additionally, the system state is changed periodically. The attack layer detection probability \( P_{\mathrm{d}} \) of each state of the dynamic system \( S \) is defined as follows:

$$ {P}_{\mathrm{d}}=\frac{\varDelta t}{T_0},{P}_{\mathrm{d}}\in \left[0,1\right], $$

where \( \varDelta t \) denotes the time interval at which the system state changes, and \( T_0 \) denotes the time period required by the attacker to research all the current attack points of the system.

  • Definition 3: A stochastic Petri net (SPN) is a five-tuple \( \mathrm{SPN}=(P, T, F, M_0, \Lambda) \), where \( P \) is a set of states, called places; \( T \) is a set of transitions; \( F\subset (P\times T)\cup (T\times P) \) is a set of flow relations, called arcs, between places and transitions; \( M_0 \) is the initial marking, where a marking describes the state of the SPN; and \( \Lambda \) is the array of firing rates \( \lambda \) associated with the transitions. The firing rate \( \lambda \), a random variable, can also be a function \( \lambda(M) \) of the current marking.

In the game of system attack and defense, the strategies of attackers and defenders change continually. One example of a reachability graph for dynamic attack and defense is shown in Fig. 5.

Fig. 5 The reachability graph of SPN in the game of attack and defense

This paper introduces stochastic Petri nets, which are isomorphic to homogeneous Markov processes. The reachability graph of an SPN can be mapped directly to the state space of an MC. It is easier to obtain the parameters of the MC transition probability matrix from the reachability graph of the SPN, so that the transition probabilities \( P_{t,i} \) in the stationary distribution of the MC can be calculated easily.

The mathematical expectation of the attack layer over the states can be calculated by the equation \( A^{\ast}=X\bullet \left(N{P}_{\mathrm{d}}\right) \), where \( N \) is the total number of attack points in one attack layer, \( N=n_0+n_1+\dots+n_i \), and \( n_i \) is the number of attack points in the \( i \)-th attack surface.

Defenders must choose an appropriate dynamic defense and state transition strategy so that \( A^{\ast}=X\bullet \left(N{P}_{\mathrm{d}}\right)\le N_0 \), where \( N_0 \) is the initial number of attack points in the attack layer of the static system. In this manner, the attack surface of the system will decrease.

5 Case analysis

5.1 Vulnerability analysis case

In this paper, the improved vulnerability evaluation method is verified using the vulnerability of a home router as an example.

The home router is a D-link DIR-645. The following vulnerability exists in the D-link DIR-645: when fetching the value of the “password” parameter in the “POST” parameter in an authentication script called “authentication.cgi,” the attacker can cause a buffer overflow and then obtain remote command execution rights. When “authentication.cgi” on the Web server of the router is visited, the read() function in the authentication_main() function reads the POST parameter into the stack without verifying that the content-length field in the HTTP protocol exceeds the buffer size, causing a buffer overflow.

An example of the vulnerability score using the improved vulnerability evaluation method is shown in Table 6.

Table 6 Evaluation score for each vulnerability evaluation factor

The evaluation scores of the impact degree factors can be obtained by combining the scores of the impact factors and Table 5, as shown in Table 7.

Table 7 Evaluation score of impact factors

Substitute the evaluation scores of the impact degree factors and the impact factors into the mathematic formula for the impact degree evaluation, as follows: Impact = 0.7 × 0.25 + 0 × 0.25 + 1.0 × 0.50 = 0.675. The evaluation score of the impact degree is 0.675.

Substitute the evaluation scores of access vector, access complexity, and impact degree into the mathematic formula for vulnerability evaluation, as follows: Score = round(10 × 1.0 × 0.9 × 0.675) = 6.08. The final evaluation score of the vulnerability is 6.08.

Based on the dynamic characteristics of a home Internet system using dynamically enabled defense theory, assume the D-link DIR-645 router is replaced with a DIR-818W router. However, a Home Network Administration Protocol (HNAP) vulnerability (CVE-2016-6563) exists in the DIR-818W, and it can possibly be used to execute remote code. The router contains a pre-authentication stack buffer overflow affecting the HNAP SOAP protocol: it accepts strings of arbitrary length for some XML parameters and copies them onto the stack. During an HNAP login operation, the handling of a malformed SOAP message causes a buffer overflow on the stack. The vulnerable XML fields in the SOAP message body include Action, Username, LoginPassword, and Captcha.

In the improved vulnerability evaluation method, the evaluation scores of each vulnerability evaluation factor and impact factor are shown in Tables 8 and 9.

Table 8 Evaluation score of each vulnerability evaluation factor
Table 9 Evaluation score of impact factors

Substitute the evaluation scores of the impact degree factors and the impact factors into the mathematic formula for impact degree evaluation, as follows: Impact = 0.7 × 0.25 + 0 × 0.25 + 1.0 × 0.50 = 0.675. The evaluation score of the impact degree is 0.675.

Substitute the evaluation score of access vector, access complexity, and impact degree into the mathematic formula for vulnerability evaluation, as follows: Score = round(10 × 1.0 × 0.8 × 0.675) = 5.40. The final evaluation score of the vulnerability is 5.40.

The evaluation result indicates that this dynamic defense of the system is positive, because the vulnerability score after the defense is lower. It also indicates that the security risk of the system after dynamic defense is relatively lower.
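As an added example (not code from the paper), the following Python implements the improved scoring method of Section 3.2.2 and reproduces the two router scores above. The factor values are the ones the paper substitutes in its worked case (access vector 1.0, access complexity 0.9 and 0.8, impact factors 0.7/0/1.0 with biases 0.25/0.25/0.50); Tables 2 to 5 are not reproduced on this page, so callers pass the factor values directly.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Impact-factor biases as substituted in the paper's worked case (Table 5).
CONF_IMPACT_BIAS = Decimal("0.25")
INTEG_IMPACT_BIAS = Decimal("0.25")
AVAIL_IMPACT_BIAS = Decimal("0.50")


@dataclass(frozen=True)
class Vulnerability:
    """Factor values of one vulnerability under the improved method."""
    name: str
    access_vector: Decimal      # Table 2 value (1.0 = "remote" in the worked case)
    access_complexity: Decimal  # Table 3 value (0.9 and 0.8 in the worked case)
    conf_impact: Decimal        # Table 4 values of the three impact factors
    integ_impact: Decimal
    avail_impact: Decimal


def impact_degree(v: Vulnerability) -> Decimal:
    """Impact = ConfImpact*ConfImpactBias + IntegImpact*IntegImpactBias
    + AvailImpact*AvailImpactBias (the paper's impact-degree formula)."""
    return (v.conf_impact * CONF_IMPACT_BIAS
            + v.integ_impact * INTEG_IMPACT_BIAS
            + v.avail_impact * AVAIL_IMPACT_BIAS)


def vulnerability_score(v: Vulnerability) -> Decimal:
    """Score = round(10 * AccessVector * AccessComplexity * Impact), to two decimals.

    Decimal arithmetic is used deliberately: with binary floats 6.075 is stored
    as 6.07499..., and round() would give 6.07 instead of the paper's 6.08.
    """
    raw = Decimal(10) * v.access_vector * v.access_complexity * impact_degree(v)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def defense_is_positive(before: Vulnerability, after: Vulnerability) -> bool:
    """The paper's criterion: the state change is positive if the score dropped."""
    return vulnerability_score(after) < vulnerability_score(before)


# Values from the paper's worked case (Tables 6 to 9), constructed here as data.
DIR645_AUTH_CGI = Vulnerability(
    name="DIR-645 authentication.cgi stack overflow",
    access_vector=Decimal("1.0"), access_complexity=Decimal("0.9"),
    conf_impact=Decimal("0.7"), integ_impact=Decimal("0"), avail_impact=Decimal("1.0"),
)
DIR818W_HNAP = Vulnerability(
    name="DIR-818W HNAP stack overflow (CVE-2016-6563)",
    access_vector=Decimal("1.0"), access_complexity=Decimal("0.8"),
    conf_impact=Decimal("0.7"), integ_impact=Decimal("0"), avail_impact=Decimal("1.0"),
)

if __name__ == "__main__":
    for v in (DIR645_AUTH_CGI, DIR818W_HNAP):
        print(f"{v.name}: impact={impact_degree(v)} score={vulnerability_score(v)}")
    print("dynamic defense positive:", defense_is_positive(DIR645_AUTH_CGI, DIR818W_HNAP))
```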

5.2 Attack layer measurement case

This paper takes a certain home Internet system as an example. The initial state of one attack layer can transition among five states. The reachability graph of the system is shown in Fig. 6.

Fig. 6 The reachability graph of SPN of a home Internet system

P_init represents the initial place of the system. Transition t1 represents the initiation of attacks by attackers; the marking then moves from P_init to P1 or P2. P_pre represents the defense strategies made by defenders. Transition t2 represents successful defenses that move the marking to P3. Transition t3 represents successful attacks that move the marking to P4. To obtain a closed-loop system, transition t5 is added to describe the process by which the system returns from the invaded state to a normal state.

The firing rate vector \( \lambda=(2, 1, 1, 3, 2) \) is given. Therefore, a Markov chain isomorphic to the given SPN can be derived by replacing each transition \( t_i \) with its firing rate \( \lambda_i \), as shown in Fig. 7.

Fig. 7 The Markov chain of the home Internet system

The stationary state vector \( X=\{x_0, x_1, x_2, x_3, x_4\} \) can be calculated from the equation set \( \left\{\begin{array}{l}X\bullet P=0\\ {}\sum \limits_{\mathrm{i}}{x}_{\mathrm{i}}=1,\kern0.5em 1\le i\le n\end{array}\right. \), as follows:

$$ \left\{\begin{array}{l}2{x}_0=2\bullet {x}_4\\ {}2{x}_1=3{x}_2+2\bullet {x}_0\\ {}4{x}_2={x}_1\\ {}{x}_3={x}_1+3\bullet {x}_4\\ {}{x}_0+{x}_1+{x}_2+{x}_3+{x}_4=1\end{array}\right. $$

The solution is \( X=\left\{\frac{5}{43},\frac{8}{43},\frac{2}{43},\frac{23}{43},\frac{5}{43}\right\} \).

This paper chooses the controller APPs attack layer as an example. We assume that defenders do not know the actual state of the attack layer, that the transitions of the attack points of the system are random, and that the attacker cannot explore all the attack paths before the next state change.

The controller APPs attack layer has two attack surfaces, which together include five attack points, as shown in Table 1 (\( N_0=5 \)). Assuming that \( N_1=8 \), \( N_2=6 \), \( N_3=7 \), and \( N_4=4 \) after a finite number of transitions, the mathematical expectation of the attack layer is as follows:

$$ {A}^{\ast }=\left[\frac{5}{43}{N}_0\kern0.5em \frac{8}{43}{N}_1\kern0.5em \frac{2}{43}{N}_2\kern0.5em \frac{23}{43}{N}_3\kern0.5em \frac{5}{43}{N}_4\right]\bullet {P_{\mathrm{d}}}^T. $$

Defenders must choose an appropriate dynamic defense and state transition strategy so that \( A^{\ast}=X\bullet \left(N{P}_{\mathrm{d}}\right)\le N_0 \); therefore,

$$ \left[\frac{5}{43}\bullet 5\kern0.5em \frac{8}{43}\bullet 8\kern0.5em \frac{2}{43}\bullet 6\kern0.5em \frac{23}{43}\bullet 7\kern0.5em \frac{5}{43}\bullet 4\right]\bullet {P_{\mathrm{d}}}^T\le 5. $$

To simplify the calculations, assume that the attack layer detection probability \( P_{\mathrm{d},i} \) is the same constant at every step. Thus, \( P_{\mathrm{d}}\le 0.762 \) is the condition used to determine whether the system’s dynamically enabled defense is effective.

When \( P_{\mathrm{d}}\ge 0.762 \), the mathematical expectation of the attack layer in the dynamic system is larger than that in the static system. The home Internet system using dynamically enabled defense will not be effective in this scenario.

Given specific computing resources, we assume that some attackers can successfully explore all the attack points of the system within 8 h. Based on \( {P}_{\mathrm{d}}=\frac{\varDelta t}{T_0},{P}_{\mathrm{d}}\in \left[0,1\right] \), we obtain \( \frac{\varDelta t}{8}\le 0.762 \). Then, the minimum time period during which the system state changes is \( \varDelta t=6.096\ \mathrm{h} \). Therefore, the system should perform dynamically enabled defense within 6.096 h so that the defense is effective.
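As an added example (not the paper's code), the following Python carries the attack layer measurement of Sections 4.2 and 5.2 through in exact arithmetic: it builds the rate matrix of the Markov chain, solves the balance equations for the stationary vector, and derives the bound on \( P_{\mathrm{d}} \) and on \( \varDelta t \). The transition rates are reconstructed from the balance equations above because Fig. 7 is not reproduced on this page, so they are an assumption; the attack point counts \( N_0 \) to \( N_4 \) and \( T_0 = 8 \) h are the paper's.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Transition rates i -> j of the Markov chain. Reconstructed (assumption) from
# the paper's balance equations 2x0 = 2x4, 2x1 = 3x2 + 2x0, 4x2 = x1,
# x3 = x1 + 3x4, which they reproduce exactly; Fig. 7 itself is not shown here.
RATES: Dict[Tuple[int, int], int] = {
    (0, 1): 2,               # t1: attackers start from P_init (lambda_1 = 2)
    (1, 2): 1, (1, 3): 1,
    (2, 1): 3, (2, 4): 1,
    (3, 4): 1,
    (4, 0): 2, (4, 3): 3,    # t5 (rate 2) returns the invaded system to normal
}
N_STATES = 5
ATTACK_POINTS = [5, 8, 6, 7, 4]  # N_0..N_4 of the controller APPs attack layer
N0 = 5                           # attack points of the static layer (Table 1)
T0_HOURS = Fraction(8)           # time for an attacker to explore every point


def generator_matrix(rates, n) -> List[List[Fraction]]:
    """Infinitesimal generator Q: off-diagonal rates, each row summing to zero."""
    q = [[Fraction(0)] * n for _ in range(n)]
    for (i, j), rate in rates.items():
        q[i][j] += rate
        q[i][i] -= rate
    return q


def solve_linear(a, b) -> List[Fraction]:
    """Gauss-Jordan elimination over exact fractions (a square, non-singular)."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next(r for r in range(col, n) if m[r][col] != 0)
        m[col], m[pivot] = m[pivot], m[col]
        pv = m[col][col]
        m[col] = [v / pv for v in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [row[n] for row in m]


def stationary_distribution(rates, n) -> List[Fraction]:
    """Solve X.Q = 0 together with sum(X) = 1 (the paper's equation set)."""
    q = generator_matrix(rates, n)
    a = [[q[j][i] for j in range(n)] for i in range(n)]  # transpose: Q^T X = 0
    a[n - 1] = [Fraction(1)] * n                          # one row is redundant
    b = [Fraction(0)] * (n - 1) + [Fraction(1)]
    return solve_linear(a, b)


def expected_attack_layer(x, attack_points, p_d) -> Fraction:
    """A* = sum_i x_i * N_i * P_d with a constant detection probability."""
    return sum(xi * ni for xi, ni in zip(x, attack_points)) * p_d


def max_detection_probability(x, attack_points, n0) -> Fraction:
    """Largest P_d that still satisfies A* <= N_0."""
    return Fraction(n0) / sum(xi * ni for xi, ni in zip(x, attack_points))


def max_change_interval(p_d_bound, t0) -> Fraction:
    """From P_d = dt / T_0: the state must change within dt = P_d * T_0."""
    return p_d_bound * t0


if __name__ == "__main__":
    x = stationary_distribution(RATES, N_STATES)
    bound = max_detection_probability(x, ATTACK_POINTS, N0)
    print("X =", [str(v) for v in x])                   # 5/43 8/43 2/43 23/43 5/43
    print("P_d <=", bound, "~", round(float(bound), 3))  # 215/282 ~ 0.762
    print("change state within", float(max_change_interval(bound, T0_HOURS)), "h")
```

The paper rounds \( P_{\mathrm{d}} \) to 0.762 before multiplying by 8 h, which gives 6.096 h; the exact bound is 1720/282, about 6.099 h.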

6 Conclusion

Smart terminals in a home Internet suffer malicious attacks from hackers on a daily basis. Defenders should change system states dynamically to improve system defense ability. To quantify the defense ability of a home Internet, this paper proposes an improved vulnerability scoring method based on the Information Security Technology Security Vulnerability Classification Guide. Using D-link DIR-645 and D-link DIR-818W routers as an example, changing the routers decreased the vulnerability score of the home Internet system from 6.08 to 5.40. The defense ability of the home Internet system was enhanced.

During actual home Internet attack and defense, the actions of attackers should also be considered. Therefore, this paper proposes a method to measure an attack layer based on the Markov chain, taking the controller APPs attack layer as an example. The method builds a model of an attack layer that can assess whether the defenders’ use of dynamic defense is effective. This paper introduces stochastic Petri nets to improve the method by using the reachability graph of the SPN, from which the parameters of the MC transition probability matrix are easier to obtain.

Then, by calculating the attack layer detection probability \( P_{\mathrm{d}} \), the model determines that when \( P_{\mathrm{d}}\ge 0.762 \), there is no defensive effect even if defenders change the system states. The model also obtains the minimum time period \( \varDelta t=6.096\ \mathrm{h} \) after which the defender must change system states. If the time period for defense is greater than \( \varDelta t \), attackers have a probability of hacking into the home Internet system.

Finally, this paper concludes that after defenders change the system states, the vulnerability score may become higher or lower. The minimum time period Δt of changing states will become longer if the vulnerability score is lower, meaning the home Internet system has an enhanced defense ability.