Contract No.: 285248 Strategic Objective


General Mulval Attack Path API Information




4.2 General Mulval Attack Path API Information


The Mulval Attack Path engine is an orchestration of chained modules. A module can be an adapter, core attack graph computation, attack path visualization or metrics analysis.

file:orchestration_chained_modules.png‎

Figure 2: Orchestration of chained modules.

The attack path engine is composed of four modules:

1. Adapters

2. Core Attack Graph Computation

3. Metrics analysis

4. Attack Path visualization

4.2.1 Adapters


What are adapters?

The adapters convert the input data files into the internal information required by the engine. The attack path engine accepts the following input data files:

1. NVD database

2. Vulnerability scanners (OVAL and NESSUS)

The NVD database can be obtained directly from NIST. After getting these XML files, the adapter parses them and stores them in the local MySQL database.

An NVD example is provided in the figure below.

file:nvd_example.png

The OVAL result is obtained by using an OVAL scanner. In our case, we use the OVAL Interpreter, which can be downloaded at

http://sourceforge.net/projects/ovaldi/

The OVAL Interpreter scans the “vulnerable host” and writes its result to an XML file. Below is an example of an OVAL result:




file:oval_example_result.png

The NESSUS result is obtained by using the NESSUS scanner. The NESSUS scanner scans a set of IP addresses and offers an export option to save the result in XML format.



Example of NESSUS result

file:nessus_example_result.png
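The adapter step described above, sketched for the NESSUS case as an added example (not code from the original document or from the MulVAL project): it reads a constructed Nessus v2 XML export and emits Datalog facts for the Prolog-based core computation. The predicate layouts `networkServiceInfo` and `vulExists` are assumed to follow the open-source MulVAL input format; the helper names, the sample host and the placeholder CVE identifier are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the Nessus v2 export layout (placeholder host and CVE id).
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-demo">
    <ReportHost name="192.0.2.10">
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3" pluginID="0">
        <cve>CVE-0000-0001</cve>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2" pluginID="0">
        <cve>CVE-0000-0001</cve>
        <cvss_base_score>5.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="0"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

SAFE = re.compile(r"[A-Za-z0-9._:?-]+")  # characters allowed inside a quoted atom

def quote(value):
    """Quote a scanner-supplied string as a Prolog atom; reject other characters."""
    if not SAFE.fullmatch(value):
        raise ValueError(f"unsafe value in scan export: {value!r}")
    return f"'{value}'"

def nessus_to_facts(xml_text):
    """Return (facts, scores): de-duplicated facts and highest CVSS base score per CVE."""
    # Scan exports are untrusted input; prefer a hardened parser (e.g. defusedxml) in production.
    root = ET.fromstring(xml_text)
    facts, scores = {}, {}
    for host in root.iter("ReportHost"):
        name = quote(host.get("name", ""))
        for item in host.iter("ReportItem"):
            cves = [c.text.strip() for c in item.findall("cve") if c.text]
            if not cves:
                continue  # informational plugin: contributes nothing to the attack graph
            svc = quote(item.get("svc_name", "unknown"))
            proto = quote(item.get("protocol", "tcp"))
            port = int(item.get("port", "0"))  # non-numeric port raises ValueError
            # Assumed MulVAL-style layout: networkServiceInfo(Host, Program, Protocol, Port, User)
            facts[f"networkServiceInfo({name}, {svc}, {proto}, {port}, unknown)."] = None
            base = float(item.findtext("cvss_base_score") or 0)
            for cve in cves:
                facts[f"vulExists({name}, {quote(cve)}, {svc})."] = None
                scores[cve] = max(scores.get(cve, 0.0), base)
    return list(facts), scores
```

Rejecting values outside the allowlist keeps a malformed or tampered scan export from adding extra clauses to the Prolog input.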

4.2.2 Core Attack Graph Computation


This module performs the core computation. It takes the input files (from the OVAL or NESSUS scanner) previously transformed by the adapters and combines them with the local MySQL database in order to get more information about each vulnerability. The core computation is handled by Prolog rules.

4.2.3 Attack Path Visualization


The attack path visualization is the result of the core computation, which can be rendered in different formats: XML, PDF, or text file.

Below is an example in XML format.



file:example_xml_attackpath.png

Below is an example in PDF format.



file:example_pdf_attackpath.png

Below is an example in text format.



file:example_text_attackpath.png

4.2.4 Metrics Analysis


The metrics analysis uses the CVSS scoring. This score is contained in each vulnerability definition. We have included a quantitative risk assessment algorithm.

5 Security-Monitoring: Mulval Attack Path Engine Web Application Open API Specification

5.1 Introduction to the Mulval Attack Path Engine Web Application API

5.1.1 Mulval Attack Path Engine Web Application API Core


This document provides a description of the available interface and presents adapters used by the MulVAL Attack Path Engine to import data files. The adapter transforms the data file to internal data in order to provide reporting and decision support in the context of the security monitoring G.E.

file:mulval_api_principe.png‎

Figure 1: principle of Mulval API

As this part is based on the Mulval Attack Path Engine, you can refer to the Mulval Attack Path Engine Open API Specification for more information about the core functions of this tool.

Here is the link to this topic: Security-Monitoring:_Mulval_Attack_Path_Engine_Open_API_Specification




file:attack path engine call mulval core function.png

Figure 2: principle of Mulval Attack path engine web application

The web application part is based on the core functions of Mulval. We developed a component that connects directly to the powerful functions of Mulval. This direct-connection capability is called a connector.

5.1.2 Intended Audience


This document is addressed to software architects and developers, and to the operators of the MulVAL Attack Path Engine.

5.1.3 API Change History


This version of the Mulval Attack Path API Guide replaces and obsoletes all previous versions. The most recent changes are described in the table below:

Revision Date

Changes Summary

August, 2012

  • V1.0, first release

January, 2012

  • V1.1 release

  • Nessus scanner supported

  • Attack path generated from the file exported by the Nessus scanner.

January, 2013

5.1.4 How to Read This Document


Throughout the document, some special notations are applied to differentiate some special words or concepts. The following list summarizes these special notations:

  • A bold, mono-spaced font is used to represent a module.

  • An italic font is used to represent an example.

5.1.5 Additional Resources


In terms of architecture design, the connector plays a major role. A connector is a component that connects to other components in order to link them together. The following reference describes the connector principle.

Trilogy of connectors: Basis principles and connector design explanation, Hardcover, authors: Robert Mroczkowski, Romain Jugy, Alexander Gerfer

Web applications are by now well known to everybody. We give only the reference that we used to develop this additional application.

Application Developer's Guide [[1]]


