SECURITY ANALYSIS OF TCP/IP NETWORKS - An Approach to Automatic Analysis of Network Security Properties

Miroslav Sveda, Ondrej Rysavy, Petr Matousek, Jaroslav Rab, Rudolf Cejka

Abstract

This paper deals with an approach to security analysis of TCP/IP-based computer networks. The method developed stems from a formal model of network topology with changing link states, and deploys bounded model checking of network security properties supported by SAT-based decision procedure. Its implementation consists of a set of tools that provide automatic analysis of router configurations, network topologies, and states with respect to checked properties. While the paper aims at supporting a real practice, its form strives to be exact enough to explain the principles of the method in more detail.

References

  1. Bartal, Y., Mayer, A.J., Nissim, K., Wool, A., 1999. Firmato: A Novel Firewall Management Toolkit. In IEEE Symposium on Security and Privacy, pages 17- 31.
  2. Bera, P., Ghosh, S.K., Dasgupta, Pallab, 2009. Fault Analysis of Security Policy Implementations in Enterprise Networks. In the First International Conference on Networks & Communications, IEEE Comp.Soc., pages 240-245.
  3. Bera, P., Ghosh, S.K., Dasgupta, Pallab, 2009a. Formal Verification of Security Policy Implementations in Enterprise Networks. In LNCS 5905, Springer Berlin / Heidelberg, pages 117-131.
  4. Biere, A., Cinnatti, A., Clarke, E., Strichman, O., Zhu, Y., 2003. Bounded model checking. Advances in Computers, Advances in Computers, Academic Press.
  5. Burns, J., et al., 2001. Automatic management of network security policy. In DARPA Information Survivability Conference and Exposition, pages 1012-1026.
  6. Cejka, R., MatouĊĦek, P., Rab J., Rysavy, O., Sveda, M., 2008. A Formal Approach to Network Security Analysis. Technical Report FIT, Brno University of Technology, Brno, CZ.
  7. Christiansen, M., Fleury, E., 2004. An Interval Decision Diagram Based Firewall. In 3rd International Conference on Networking (ICN'04). IEEE, pages 1- 6.
  8. Clarke, E.M., Grumberg, O., Peled, D.A., 1999. Model Checking. MIT Press.
  9. Gross, J.L., Yellen, J., (editors), 2004. Handbook of Graph Theory. CRC Press.
  10. Holloway, E.M., 2009. Self Organized Multi Agent Swarms (SOMAS) for Network Security. Master's Thesis, Air Force Inst of Tech Wright-Patterson AFB OH School of Engineering and Management.
  11. Jeffrey, A., Samak, T., 2009. Model Checking Firewall Policy Configurations. In IEEE International Symposium on Policies for Distributed Systems and Networks, pages 60-67, 2009.
  12. Kumar, S., 1995. Classification and Detection of Computer Intrusions. PhD Thesis, Purdue, IN.
  13. Lindqvist, U., Jonsson, E., 1997. How to Systematically Classify Computer Security Intrusions. In IEEE Symposium on Security and Privacy, Washington DC.
  14. Matousek, P., Rab, J., Rysavy, O., Sveda, M., 2008. A formal model for network-wide security analysis. In 15th IEEE Symposium and Workshop on ECBS, 2008.
  15. Mitre, 2008. Common Vulnerabilities and Exposures Database. Available on
  16. http://cve.mitre.org/; accessed on Feb 2008.
  17. Neumann, P.G., Parker, D.B., 1989. A Summary of Computer Misuse Techniques. In Proc. 12th National Computer Security Conference, pages 396-407.
  18. Ou, X., Govindavajhala, S., Appel, A.W., 2005. MulVAL: A logic-based network security analyzer. In Proc. of the 14th USENIX Security Symposium, Baltimore.
  19. Ritchey, R.W., Ammann, P., 2000. Using model checking to analyze network vulnerabilities. In IEEE Symposium on Security and Privacy, Washington, USA.
  20. Shahriari, H.R., Jalili, R., 2005. Modeling and Analyzing Network Vulnerabilities via a Logic-Based Approach. In 2nd Int. Symposium of Telecommunications, pages 13-18.
  21. Snort, 2008. Snort network intrusion and prevention system. Available from http://www.snort.org/; accessed on Feb 2008.
  22. Stirling, C., 1992. Modal and temporal logics. pages 477- 563. Oxford University Press, Inc., New York, NY, USA.
  23. Tidwell, T., Larson R., Fitch K., Hale J., 2001. Modeling Internet attacks. In Proc. of the IEEE Workshop on Information Assurance and Security, West Point, NY.
  24. Xie, G.G., Zhan, J., Maltz, D.A., Zhang, H., Greenberg, A.G., Hjalmtysson, G., Rexford, J., 2005. On static reachability analysis of ip networks. In INFOCOM, pages 2170-2183.
  25. Zakeri, R., Shahriari, H.R., Jalili, R., Sadoddin, R. , 2005. Modeling TCP/IP Networks Topology for Network Vulnerability Analysis. In 2nd Int. Symposium of Telecommunications, pages 653-658.
Download


Paper Citation


in Harvard Style

Sveda M., Rysavy O., Matousek P., Rab J. and Cejka R. (2010). SECURITY ANALYSIS OF TCP/IP NETWORKS - An Approach to Automatic Analysis of Network Security Properties . In Proceedings of the International Conference on Data Communication Networking and Optical Communication Systems - Volume 1: DCNET, (ICETE 2010) ISBN 978-989-8425-25-6, pages 5-11. DOI: 10.5220/0002838300050011


in Bibtex Style

@conference{dcnet10,
author={Miroslav Sveda and Ondrej Rysavy and Petr Matousek and Jaroslav Rab and Rudolf Cejka},
title={SECURITY ANALYSIS OF TCP/IP NETWORKS - An Approach to Automatic Analysis of Network Security Properties},
booktitle={Proceedings of the International Conference on Data Communication Networking and Optical Communication Systems - Volume 1: DCNET, (ICETE 2010)},
year={2010},
pages={5-11},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002838300050011},
isbn={978-989-8425-25-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Data Communication Networking and Optical Communication Systems - Volume 1: DCNET, (ICETE 2010)
TI - SECURITY ANALYSIS OF TCP/IP NETWORKS - An Approach to Automatic Analysis of Network Security Properties
SN - 978-989-8425-25-6
AU - Sveda M.
AU - Rysavy O.
AU - Matousek P.
AU - Rab J.
AU - Cejka R.
PY - 2010
SP - 5
EP - 11
DO - 10.5220/0002838300050011