Systems Seminar - CSE
Logic-based, data-driven enterprise network security analysis
Modern enterprise networks have grown to a level of complexity where human administrators can hardly keep pace with the ever-changing threats arising from software vulnerabilities, misconfiguration in both network infrastructure and end hosts, and the various data and computing assets needing protection. How to reason about such diverse information to understand the security risks has become a significant challenge in managing enterprise network security, especially with the increasingly sophisticated attacks we see today. In this talk, I will describe the MulVAL enterprise security analysis framework. MulVAL started as a logic-based attack-graph tool suite that takes as input Datalog tuples and rules representing diverse configuration information and security knowledge. A Datalog proof engine then efficiently computes all possible multi-stage, multi-host attack paths and presents them in the form of an attack graph. Such attack graphs lend themselves to further advanced analysis, which can answer questions such as what needs to be done to address the potential security risks while also minimizing the cost to the organization. We present an approach based on SAT-solving that can turn such questions into a well-studied Boolean Satisfiability Solving problem, and demonstrate the feasibility of such approaches in managing realistic enterprise networks.
Dr. Xinming (Simon) Ou is an assistant professor at Kansas State University. He received his PhD from Princeton University in 2005. Before joining Kansas State University, he was a post-doctoral research associate at Purdue University's Center for Education and Research in Information Assurance and Security (CERIAS), and a research associate at Idaho National Laboratory (INL). Dr. Ou's research is primarily in enterprise network security defense, with a focus on attack graphs, security configuration management, intrusion analysis, and security metrics for enterprise networks. Dr. Ou directs research for the Argus group, the cybersecurity research group at Kansas State University. He leads the MulVAL attack graph project, which has been used by INL on critical infrastructure protection, by Defence Research and Development Canada — Ottawa (DRDC-Ottawa) and NATO on a number of computer network defense projects, and by researchers from numerous academic institutions. Dr. Ou's research has been funded by the U.S. National Science Foundation, Department of Energy, Department of Defense, HP Labs, and Rockwell Collins. He is a recipient of the 2010 NSF Faculty Early Career Development (CAREER) Award.