CANVuS: Context-Aware Network Vulnerability Scanning

  • Yunjing Xu
  • Michael Bailey
  • Eric Vander Weele
  • Farnam Jahanian
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6307)

Abstract

Enterprise networks face a variety of threats including worms, viruses, and DDoS attacks. Development of effective defenses against these threats requires accurate inventories of network devices and the services they are running. Traditional vulnerability scanning systems meet these requirements by periodically probing target networks to discover hosts and the services running on them. This polling-based model of vulnerability scanning suffers from two problems that limit its effectiveness—wasted network resources and detection latency that leads to stale data. We argue that these limitations stem primarily from the use of time as the scanning decision variable. To mitigate these problems, we instead advocate for an event-driven approach that decides when to scan based on changes in the network context—an instantaneous view of the host and network state. In this paper, we propose an architecture for building network context for enterprise security applications by using existing passive data sources and common network formats. Using this architecture, we built CANVuS, a context-aware network vulnerability scanning system that triggers scanning operations based on changes indicated by network activities. Experimental results show that this approach outperforms the existing models in timeliness and consumes far fewer network resources.
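The abstract's argument, that time is the wrong decision variable and that context changes should trigger scans instead, is easy to see on a small simulation. The Python below is an added illustration and not code from the paper or its authors: it runs a periodic scanner and an event-driven scheduler over a constructed timeline of host and service changes and compares probe count, detection latency and missed changes. The host addresses, event kinds, timestamps and the one-second processing delay are all assumed for the example; in a deployment the events would come from passive sources such as DHCP logs, flow records or an IDS asset tracker.

```python
"""Polling vs. context-aware (event-driven) scan scheduling.

Added illustration; this is not code from the CANVuS paper or its authors.
A polling scanner probes every host every `interval` seconds whether or not
anything changed; the event-driven scheduler scans only the host whose
context changed, as soon as a passive observation reports the change.
Hosts, event kinds, timestamps and the processing delay are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ContextEvent:
    """A change in network context as a passive source would report it.
    `time` is seconds from the start of the simulation."""
    time: int
    host: str
    kind: str      # "dhcp_lease" | "new_service" | "host_down"
    detail: str = ""


# Constructed ground truth of real state changes on the monitored subnet.
EVENTS = [
    ContextEvent(10, "10.0.0.5", "dhcp_lease", "new lease"),
    ContextEvent(40, "10.0.0.5", "new_service", "tcp/22 first seen"),
    ContextEvent(600, "10.0.0.9", "dhcp_lease", "new lease"),
    ContextEvent(2500, "10.0.0.9", "new_service", "tcp/80 first seen"),
    ContextEvent(3000, "10.0.0.5", "host_down", "lease expired"),
]
HOSTS = ("10.0.0.5", "10.0.0.9", "10.0.0.20")  # 10.0.0.20 never changes

# Only changes that can alter a host's exposed attack surface trigger a probe;
# a host that has gone away is dropped from the inventory without scanning it.
TRIGGERING_KINDS = frozenset({"dhcp_lease", "new_service"})


def polling_scanner(events, hosts, interval, horizon):
    """Scan all hosts at t = 0, interval, 2*interval, ... up to `horizon`.

    Returns (host probes issued, latencies of observed changes, missed changes).
    A change at time t is first seen by the earliest round at or after t.
    If the host disappears before that round (one host_down per host assumed
    in the constructed data), the change is never observed at all.
    """
    rounds = horizon // interval + 1
    scans = rounds * len(hosts)               # every host, every round
    downs = {ev.host: ev.time for ev in events if ev.kind == "host_down"}
    latencies, missed = [], 0
    for ev in events:
        next_round = -(-ev.time // interval) * interval   # ceil to round boundary
        if ev.kind != "host_down" and downs.get(ev.host, float("inf")) < next_round:
            missed += 1                        # host gone before any probe reached it
        else:
            latencies.append(next_round - ev.time)
    return scans, latencies, missed


def event_driven_scanner(events, processing_delay=1):
    """Scan only the changed host, `processing_delay` seconds after the passive
    source reports the change. Returns (probes issued, latencies, inventory)."""
    scans, latencies, inventory = 0, [], {}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind in TRIGGERING_KINDS:
            scans += 1                         # one targeted probe of ev.host
            inventory[ev.host] = ev.detail
            latencies.append(processing_delay)
        elif ev.kind == "host_down":
            inventory.pop(ev.host, None)       # inventory update, no probe needed
            latencies.append(processing_delay)
    return scans, latencies, inventory


def compare(interval=3600, horizon=7200):
    """Summarise both strategies over the constructed timeline."""
    p_scans, p_lat, p_missed = polling_scanner(EVENTS, HOSTS, interval, horizon)
    e_scans, e_lat, inventory = event_driven_scanner(EVENTS)
    return {
        "polling_scans": p_scans,
        "polling_observed": len(p_lat),
        "polling_missed": p_missed,
        "polling_mean_latency": mean(p_lat),
        "event_scans": e_scans,
        "event_mean_latency": mean(e_lat),
        "inventory": inventory,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With an hourly polling interval the periodic scanner issues nine probes over two hours, observes only three of the five changes with a mean latency of roughly 26 minutes, and never sees the host that joined and left between rounds; the event-driven scheduler issues four targeted probes and updates its inventory one second after each change. The `TRIGGERING_KINDS` set is where a practitioner would encode which context changes justify spending a probe, which is the design question the abstract's architecture raises.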

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Yunjing Xu (1)
  • Michael Bailey (1)
  • Eric Vander Weele (1)
  • Farnam Jahanian (1)

  1. Computer Science and Engineering, University of Michigan, Ann Arbor, USA