1 / 35 A Stochastic Framework for Quantitative Analysis of R. Jhawar K. Lounis S. Mauw CSC/SnT University of Luxembourg Luxembourg Security and Trust of Software Systems, 2016 ADT2P & TREsPASS Project
2 / 35 Plan Introduction 1 Introduction Cyber attacks nowadays Graphical security models Quantitative analysis of security models 2 ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics 3 4 5 6
Cyber attacks nowadays Cyber attacks nowadays Graphical security models Quantitative analysis of security models Cyber attacks are becoming more and more: Complex, Organized, Distributed and Sophisticated. Their impact therefore is sometimes weighty, in some cases not tolerable. 3 / 35
Graphical security models Cyber attacks nowadays Graphical security models Quantitative analysis of security models To fend of cyber attacks negative impact, research efforts have come with the development and design of security models: 4 / 35
Graphical security models Cyber attacks nowadays Graphical security models Quantitative analysis of security models Attack trees: A tree-based model for cyber attacks representation. Introduced by Schneier in 1999. Attack graphs: A directed graph-based model for cyber attacks representation. Attack countermeasures trees: A tree-based model to graphically represent attacks and defenses in the same layout. Attack-defense trees: Extend the attack tree model with refinable countermeasures. Introduced by Kordy et al. in 2010. 5 / 35
Cyber attacks nowadays Graphical security models Quantitative analysis of security models Quantitative analysis of security models - How? Quantitative analysis is performed either by the use of analytical approach relying on Baysian Networks, Petri Nets, Markov chains or simulations such as Discrete simulation, Monte Carlo simulation. - By? Computing metrics or attributes like : Probability of an attack or a scenario in a given time, cost of the attacks, efficiency of countermeasures, mean time to breach a system, the most probable scenario,... - Why? Perform quantitative analysis which will help to reduce the risk and the negative impact of cyber attacks. 6 / 35
7 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics - What is it? Graphical methodology. - Used for? Security scenario representation. - Ancestor? Attack Trees. - Interpretation: Can be seen as game between two players (proponent vs opponent). - Semantics: Multisets, De Morgan lattice, Equational, Propositional, Series-Parallel graphs. - Practice: Used in industry.
8 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Graphically: Compromise Server Prevent target identification Network Scanning Escalate privileges Execute dangerous commands IP address space randomization Mutable network Target Exploitation Password Brute force Frequent patch development Vulnerabilities Scanning Use Vulnerability Exploit Password changing policy
ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Definition 1 ADTrees are defined by means of an abstract syntax called ADTerms, typed-terms over the signature Σ = (S, F), where : S = {p, o} is the set of types of players. F = {( p k ) k N, ( p k ) k N, ( p k ) k N, ( o k ) k N, ( o k ) k N, ( o k ) k N, c p, c o } B p B o is a set of function symbols. Definition 2 ADTrees are closed-terms over the signature Σ = (S, F), and generated by the following grammar, where b s B and s S: t : b s s (t,..., t) s (t,..., t) s (t,..., t) c s (t, t) 9 / 35
10 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Examples of ADTerms : t 0 = b p (Basic event) t 1 = p (b p 0, t 0) (Disjunction refinement) t 2 = p (t 1, b p 1 ) (Conjunction refinement) t 3 = p (t 2, b p 2, bp 3 ) (Sequential Conjunction refinement) t 4 = c p (t 3, b0 o) (Counter-defense)
ADTree Quantitative Evaluation ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics The quantitative evaluation of an ADTree consists in assessing a set of attributes like:probability, cost, or time. It is performed through the standard bottom-up procedure. 11 / 35
ADTree Quantitative Evaluation ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Standard Bottom-up procedure (ADTool): 12 / 35
ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics However 1 The bottom-up procedure works only for independent events. 2 So far, there is only one approach [KPS14] 1 for quantitative analysis of ADTree with dependent actions. 3 Only discrete analysis can be done. 1. B. Kordy, M. Pouly, and P. Schweitzer. A probabilistic framework for security scenarios with dependent actions. In International Conference on Integrated Formal Methods, 256-271, 2014 13 / 35
ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics We need to develop a new semantics for ADTree. The new semantics should allow dependent events to occur, and provide modeling capabilities for defense in a more realistic way. It should also provide a continuous analysis method for ADTree evaluation. 14 / 35
ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics We proposed to use : Continuous Time Markov Chain or CTMC as a new semantics for ADTree. We model attacks/defense execution using exponential distribution (good for delayed impact defenses). Using the analytical approach of CTMCs, we can evaluate several attributes, and perform a continuous analysis by the use of Cumulative Distribution Function. 15 / 35
Definition 1 A Continuous Time Markov chain is a tuple (S, G, π), where: S is a finite disjoint set of states. G : S S R is the infinitesimal generator matrix which gives the rate of transition between two states s S and s S. π : S [0, 1] is the initial probability distribution on S. λ 1 λ 3 λ 2 16 / 35
Definition 2 An explicit continuous time Markov chain M is a tuple (S, S 0, S, G), where: S is a finite disjoint set of states. S 0 S is a finite set of initial states. S S is a finite set of final states. G : S S R is the infinitesimal generator matrix which gives the rate of transition between two states s S and s S. 17 / 35
Introduction We have formally defined the semantics of ADTrees in terms of CTMC for each component : Basic events, conjunction refinement, Disjunction refinement, Sequential conjunction refinement, and Countermeasure. 18 / 35
Introduction 19 / 35
Introduction 20 / 35
Introduction 21 / 35
Introduction 22 / 35
We took an example study: Compromise Server Prevent target identification Network Scanning Escalate privileges Execute dangerous commands IP address space randomization Mutable network Target Exploitation Password Brute force Frequent patch development Vulnerabilities Scanning Use Vulnerability Exploit Password changing policy 23 / 35
24 / 35 Introduction We obtain a final CTMC representing the entire ADTree: λ b p 4 λ b p 5 λ b o 2 λ b p 0 λ b o 2 λ p b 3 λ p b 2 λ b o 0 + λ b o 1 λ b p 1 λ p b 1 λ b o 3 λ b o 3 λ b p 2 λ b p 5
We have assessed three situational cases: 1 Attack tree (No defense is considered) 2 Adding countermeasure (Prevent target identification) 3 Adding the remaining countermeasures (Password policy, Frequent patches). 25 / 35
26 / 35
Analytical approach using CTMC is performed as follow: 27 / 35
Probabilistic attributes: Probability of final states (black states) representing the final goals G 1 and G 2 Probability 0.4 0.2 G 1 (case 1) G 1 (case 2) G 1 (case 3) G 2 (case 1) G 2 (case 2) G 2 (case 3) 0 0 2 4 6 8 10 Time (Unit) 28 / 35
Probabilistic attributes: Probability of final states (black states) representing the final goal G 1 + G 2 Final Goal(case 1) Final Goal(case 2) Final Goal(case 3) 1 0.8 Probability 0.6 0.4 0.2 0 0 2 4 6 8 10 Time (Unit) 29 / 35
Probabilistic attributes: Expected number of steps for each scenario of G 1 and G 2 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C3 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C2 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C1 2.83 3.83 5.13 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C3 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C2 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C1 2.67 3.67 4.87 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C3 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C2 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C1 3 4 5.45 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 30 / 35
Probabilistic attributes: Absorbing probabilities for G 1 and G 2 Probability (%) 100 50 50 50 50 50 4852 0 Case 1 Case 2 Case 3 Absorbing probabilities G 1 G 2 31 / 35
Timed attributes: Mean time to security failure 4 Time (Unit) 3 2 1 1.95 2.45 2.82 0 Case 1 Case 2 Case 3 Mean Time To Security Failure 32 / 35
Introduction We proposed a new semantics for ADTrees in terms of CTMCs. We applied CTMC to perform quantitative analysis of ADTree with dependent actions. 33 / 35
Challenges and Future Work Challenges : Not all attacks and/or countermeasures execution follow exponential-distribution. Estimating the rates for attacks/countermeasures has always been the main challenge for security assessment. Future Work : Extend our framework in order to accurately model social attacks and complex behaviors laying on other distributions. Embed the framework within the ADTool software and make it more adaptable for real life security scenarios. 34 / 35
35 / 35 Thanks for your attention Any questions?