Figure 2 - uploaded by Saad Khan
Content may be subject to copyright.
Source publication
Context in source publication
Context 1
... develop a system that advises on relevant VA procedures, we need to manually collect authentic, expert and verified knowledge on existing VA techniques, e.g. using acquisi- tion software such as (Parkinson and Crampton 2016). The formal preprocess of VA is described in figure 2. It shows the tasks that were conducted before creating the solution. ...
Similar publications
Citations
... The approach of [14] focuses on time efficient generation of a minimal attack graph, using a model-checker that removes visualization problems and avoids state-space explosion. A similar project is [15], that tries to automatize the Vulnerability Assessment phase. Both of these projects do not generate the PDDL language automatically and neither of them work with a framework like Metasploit. ...
Offensive security is one of the state of the art measures to protect enterprises and organizations. Penetration testing, broadly called pentesting, is a branch of offensive security designed to find, rate and exploit these vulnerabilities, in order to assess the security posture of an organization. This process is often time-consuming and the quantity of information that pentesters need to manage might also be difficult to handle. This project takes a practical approach to solve the automation of pentesting and proposes a usable tool, called PTHelper. This open-source tool has been designed in a modular way to be easily upgradable by the pentesting community, and uses state of the art tools and artificial intelligence to achieve its objective.
Penetration testing offers strong advantages in the discovery of hidden vulnerabilities in a network and assessing network security. However, it can be carried out by only security analysts, which costs considerable time and money. The natural way to deal with the above problem is automated penetration testing, the essential part of which is automated attack planning. Although previous studies have explored various ways to discover attack paths, all of them require perfect network information beforehand, which is contradictory to realistic penetration testing scenarios. To vividly mimic intruders to find all possible attack paths hidden in a network from the perspective of hackers, we propose a network information gain based automated attack planning (NIG-AP) algorithm to achieve autonomous attack path discovery. The algorithm formalizes penetration testing as a Markov decision process and uses network information to obtain the reward, which guides an agent to choose the best response actions to discover hidden attack paths from the intruder’s perspective. Experimental results reveal that the proposed algorithm demonstrates substantial improvement in training time and effectiveness when mining attack paths.
Vulnerability assessment and security configuration of computer systems is heavily dependent on human experts, which are widely attributed as being in short supply. This can result in a system being left insecure because of the lack of easily accessible experience and specialist resources. While performing security tasks, human experts often revert to a system’s event logs to establish security information (configuration changes, errors, etc.). However, finding and exploiting knowledge from event logs is a challenging and time-consuming task for non-experts. Hence there is a strong need to provide mechanisms to make the process easier for security experts, as well as providing tools for those with significantly less security expertise. In this paper, we present a novel technique to process security event logs of a system that have been evaluated and configured by a security expert, extract key domain knowledge indicative of human decision making, and automatically apply acquired knowledge to previously unseen systems by non-experts to propose security improvements.
The proposed solution utilises rule mining algorithms to extract security actions from event log entries. The set of identified rules is represented as a domain action model. The domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system’s security. Empirical analysis is subsequently performed on 21 event logs, where the acquired domain model and identified plans are discussed in terms of accuracy and performance.
Vulnerability assessment is the essential and well-established process of probing security flaws, weaknesses and inadequacies in a computing infrastructure. The process helps organisations to eliminate security issues before attackers can exploit them for monetary gains or other malicious purposes. The significant advancements in desktop, Web and mobile computing technologies have widened the range of security-related complications. It has become an increasingly crucial challenge for security analysts to devise comprehensive security evaluation and mitigation tools that can protect the business-critical operations. Researchers have proposed a variety of methods for vulnerability assessment, which can be broadly categorised into manual, assistive and fully automated. Manual vulnerability assessment is performed by a human expert, based on a specific set of instructions that are aimed at finding the security vulnerability. This method requires a large amount of time, effort and resources, and it is heavily reliant on expert knowledge, something that is widely attributed to being in short supply. The assistive vulnerability assessment is conducted with the help of scanning tools or frameworks that are usually up-to-date and look for the most relevant security weakness. However, the lack of flexibility, compatibility and regular maintenance of tools, as they contain static knowledge, renders them outdated and does not provide the beneficial information (in terms of depth and scope of tests) about the state of security. Fully automated vulnerability assessment leverages artificial intelligence techniques to produce expert-like decisions without human assistance and is by far considered as the most desirable (due to time and financial reduction for the end-user) method of evaluating a systems’ security. Although being highly desirable, such techniques require additional research in improving automated knowledge acquisition, representation and learning mechanisms. Further research is also needed to develop automated vulnerability mitigation techniques that are capable of actually securing the computing platform. The volume of research being performed into the use of artificial intelligence techniques in vulnerability assessment is increasing, and there is a need to provide a survey into the state of the art.
Understanding how to implement file system access control rules within a system is heavily reliant on expert knowledge, both that intrinsic to how a system can be configured as well as how a current configuration is structured. Maintaining the required level of expertise in fast-changing environments, where frequent configuration changes are implemented, can be challenging. Another set of complexities lies in gaining structural understanding of large volumes of permission information. The accuracy of a new addition within a file system access control is essential, as inadvertently assigning rights that result in a higher than necessary level of access can generate unintended vulnerabilities. To address these issues, a novel mechanism is devised to automatically process a system’s event history to determine how previous access control configuration actions have been implemented and then utilise the model for suggesting how to implement new access control rules. Throughout this paper, we focus on Microsoft’s New Technology File System permissions (NTFS) access control through processing operating system generated log data. We demonstrate how the novel technique can be utilised to plan for the administrator when assigning new permissions. The plans are then evaluated in terms of their validity as well as the reduction in required expert knowledge.
Vulnerability assessment and security configuration activities are heavily reliant on expert knowledge. This requirement often results in many systems being left insecure due to a lack of analysis expertise and access to specialist resources. It has long been known that a system's event logs provide historical information depicting potential security breaches, as well as recording configuration activities. However, identifying and utilising knowledge within the event logs is challenging for the non-expert. In this paper, a novel technique is developed to process security event logs of a computer that has been assessed and configured by a security professional, extract key domain knowledge indicative of their expert decision making, and automatically apply learnt knowledge to previously unseen systems by non-experts. The technique converts event log entries into an object-based model and dynamically extracts associative rules. The rules are further improved in terms of quality using a temporal metric to autonomously establish temporal-association rules and acquire a domain model of expert configuration tasks. The acquired domain model and problem instance generated from a previously unseen system can then be used to produce a plan-of-action, which can be exploited by non-professionals to improve their system's security. Empirical analysis is subsequently performed on 20 event logs, where identified plan traces are discussed in terms of accuracy and performance.
