Automated Penetration Testing: Formalization and Realization

Charilaos Skandylas, Mikael Asplund

TL;DR

This work formalizes automated penetration testing at the architectural level and introduces ADAPT, an autonomic framework based on the MAPE-K loop to plan and execute attacks against real systems. By modeling the target as a security-informed architecture and using a utility-based decision process, ADAPT autonomously selects scans and exploits, coordinating a repertoire of techniques with off-the-shelf tools. The approach is instantiated for hosts and services, implemented in ADAPT, and evaluated on Metasploitable2/3 and a realistic VM network, demonstrating end-to-end automation without prior target knowledge. The contributions include a formal problem formulation, a generic autonomic architecture, an instantiation for real networks, and empirical validation showing practical feasibility and scalability for automated pentesting.

Abstract

Recent changes in standards and regulations, driven by the increasing importance of software systems in meeting societal needs, mandate increased security testing of software systems. Penetration testing has been shown to be a reliable method to assess software system security. However, manual penetration testing is labor-intensive and requires highly skilled practitioners. Given the shortage of cybersecurity experts and current societal needs, increasing the degree of automation involved in penetration testing can aid in fulfilling the demands for increased security testing. In this work, we formally express the penetration testing problem at the architectural level and suggest a general self-organizing architecture that can be instantiated to automate penetration testing of real systems. We further describe and implement a specialization of the architecture in the ADAPT tool, targeting systems composed of hosts and services. We evaluate and demonstrate the feasibility of ADAPT by automatically and successfully performing penetration tests against Metasploitable2, Metasploitable3, and a realistic virtual network used as a lab environment for penetration tester training.

Paper Structure

This paper contains 17 sections, 2 equations, 9 figures, 13 tables, 6 algorithms.

Figures (9)

  • Figure 1: An Example security-informed Architecture.
  • Figure 2: Automated Penetration Testing Architecture
  • Figure 3: Groups that have captured each flag per week
  • Figure 4: The exploitation graph for Metasploitable2
  • Figure 5: The exploitation graph for Metasploitable3
  • ...and 4 more figures

Theorems & Definitions (7)

  • Definition 1
  • Definition 2
  • Definition 3
  • Definition 4
  • Definition 5
  • Example 1
  • Example 2