A Stochastic Framework for Quantitative Analysis of Attack-Defense Trees

Similar documents
Probabilistic Reasoning with Graphical Security Models

Probabilistic Assessment of Security Scenarios Challenges and Solutions

Stochastic Petri Net. Ben, Yue (Cindy) 2013/05/08

arxiv: v1 [cs.cr] 8 Mar 2015

A Probabilistic Framework for Security Scenarios with Dependent Actions

Quantitative Verification and Synthesis of Attack-Defence Scenarios

Cyber Security Games with Asymmetric Information

ADVANCED ROBOTICS. PLAN REPRESENTATION Generalized Stochastic Petri nets and Markov Decision Processes

Cyber-Awareness and Games of Incomplete Information

Propositional and Predicate Logic

Attack Graph Modeling and Generation

Composition of product-form Generalized Stochastic Petri Nets: a modular approach

Bayesian Networks Inference with Probabilistic Graphical Models

From Stochastic Processes to Stochastic Petri Nets

Varieties of Stochastic Calculi

A Polynomial-time Nash Equilibrium Algorithm for Repeated Games

MODELLING DYNAMIC RELIABILITY VIA FLUID PETRI NETS

Guided design of attack trees: a system-based approach

Specification models and their analysis Petri Nets

PRISM An overview. automatic verification of systems with stochastic behaviour e.g. due to unreliability, uncertainty, randomisation,

Detection and Mitigation of Cyber-Attacks Using Game Theory and Learning

Uncertainty and Bayesian Networks

Modeling Data Correlations in Private Data Mining with Markov Model and Markov Networks. Yang Cao Emory University

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Pricing of Cyber Insurance Contracts in a Network Model

Proxel-Based Simulation of Stochastic Petri Nets Containing Immediate Transitions

Cyber Security: Nonlinear Stochastic Models

Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007

Dynamic and Adversarial Reachavoid Symbolic Planning

Stochastic Simulation.

A Simple Model for Sequences of Relational State Descriptions

Introduction Models of Attack Trees Computational Semantics. Attack Trees. Models and Computation. Jan Willemson, Aivo Jürgenson, Margus Niitsoo

Quantitative Model Checking (QMC) - SS12

EE562 ARTIFICIAL INTELLIGENCE FOR ENGINEERS

arxiv: v2 [cs.cr] 21 May 2018

Four-Dimensional GLV Scalar Multiplication

An Abstract Reduction Model for Computer Security Risk

A brief introduction to Logic. (slides from

Safety and Reliability of Embedded Systems. (Sicherheit und Zuverlässigkeit eingebetteter Systeme) Fault Tree Analysis Obscurities and Open Issues

Optimizing the Decision to Expel Attackers from an Information System

Scenario Graphs and Attack Graphs

Introduction Probabilistic Programming ProPPA Inference Results Conclusions. Embedding Machine Learning in Stochastic Process Algebra.

Chapter 3 Deterministic planning

V&V MURI Overview Caltech, October 2008

Learning in Zero-Sum Team Markov Games using Factored Value Functions

FL I PIT: The Game of Stealthy Takeover

Quantitative evaluation of Dependability

Analyzing Multiple Logs for Forensic Evidence

Towards Inference and Learning in Dynamic Bayesian Networks using Generalized Evidence

Outline. Logical Agents. Logical Reasoning. Knowledge Representation. Logical reasoning Propositional Logic Wumpus World Inference

R E A D : E S S E N T I A L S C R U M : A P R A C T I C A L G U I D E T O T H E M O S T P O P U L A R A G I L E P R O C E S S. C H.

arxiv: v1 [cs.lo] 21 Jan 2018

Exponential Moving Average Based Multiagent Reinforcement Learning Algorithms

Recap. Probability, stochastic processes, Markov chains. ELEC-C7210 Modeling and analysis of communication networks

Bayesian Network. Outline. Bayesian Network. Syntax Semantics Exact inference by enumeration Exact inference by variable elimination

Risk Analysis of Highly-integrated Systems

Simple Counter-terrorism Decision

Model-based Testing - From Safety to Security

Comp487/587 - Boolean Formulas

Logic, Knowledge Representation and Bayesian Decision Theory

Lecture 4 The stochastic ingredient

Research Article Research on Dynamic Reliability of a Jet Pipe Servo Valve Based on Generalized Stochastic Petri Nets

6 Reinforcement Learning

Trace Diagnostics using Temporal Implicants

Analyzing fuzzy and contextual approaches to vagueness by semantic games

Solving Deductive Games

Stochastic Petri Net

Outline. Logical Agents. Logical Reasoning. Knowledge Representation. Logical reasoning Propositional Logic Wumpus World Inference

Timed Automata. Chapter Clocks and clock constraints Clock variables and clock constraints

Probabilistic Graphical Networks: Definitions and Basic Results

Dependable Computer Systems

Some notes on Markov Decision Theory

POLYNOMIAL SPACE QSAT. Games. Polynomial space cont d

3 : Representation of Undirected GM

CS599 Lecture 1 Introduction To RL

Constrained data assimilation. W. Carlisle Thacker Atlantic Oceanographic and Meteorological Laboratory Miami, Florida USA

FAV i R This paper is produced mechanically as part of FAViR. See for more information.

7. Queueing Systems. 8. Petri nets vs. State Automata

Bias-Variance Error Bounds for Temporal Difference Updates

PRISM: Probabilistic Model Checking for Performance and Reliability Analysis

What is (certain) Spatio-Temporal Data?

Towards a Theory of Moving Target Defense

An Infinite-Game Semantics for Well-Founded Negation in Logic Programming

Concept of Statistical Model Checking. Presented By: Diana EL RABIH

Notes on Zero Knowledge

Solving Stochastic Planning Problems With Large State and Action Spaces

Development of Multi-Unit Dependency Evaluation Model Using Markov Process and Monte Carlo Method

4 : Exact Inference: Variable Elimination

Dependability Analysis

Containing Cascading Failures in Networks: Applications to Epidemics and Cybersecurity

Modal Logic. UIT2206: The Importance of Being Formal. Martin Henz. March 19, 2014

Chapter 4: Classical Propositional Semantics

Quantitative model to measure the spread of Security attacks in Computer Networks

Playing Abstract games with Hidden States (Spatial and Non-Spatial).

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Internet Monetization

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

Software Verification

Stochastic2010 Page 1

2 : Directed GMs: Bayesian Networks

Transcription:

1 / 35 A Stochastic Framework for Quantitative Analysis of R. Jhawar K. Lounis S. Mauw CSC/SnT University of Luxembourg Luxembourg Security and Trust of Software Systems, 2016 ADT2P & TREsPASS Project

2 / 35 Plan Introduction 1 Introduction Cyber attacks nowadays Graphical security models Quantitative analysis of security models 2 ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics 3 4 5 6

Cyber attacks nowadays Cyber attacks nowadays Graphical security models Quantitative analysis of security models Cyber attacks are becoming more and more: Complex, Organized, Distributed and Sophisticated. Their impact therefore is sometimes weighty, in some cases not tolerable. 3 / 35

Graphical security models Cyber attacks nowadays Graphical security models Quantitative analysis of security models To fend of cyber attacks negative impact, research efforts have come with the development and design of security models: 4 / 35

Graphical security models Cyber attacks nowadays Graphical security models Quantitative analysis of security models Attack trees: A tree-based model for cyber attacks representation. Introduced by Schneier in 1999. Attack graphs: A directed graph-based model for cyber attacks representation. Attack countermeasures trees: A tree-based model to graphically represent attacks and defenses in the same layout. Attack-defense trees: Extend the attack tree model with refinable countermeasures. Introduced by Kordy et al. in 2010. 5 / 35

Cyber attacks nowadays Graphical security models Quantitative analysis of security models Quantitative analysis of security models - How? Quantitative analysis is performed either by the use of analytical approach relying on Baysian Networks, Petri Nets, Markov chains or simulations such as Discrete simulation, Monte Carlo simulation. - By? Computing metrics or attributes like : Probability of an attack or a scenario in a given time, cost of the attacks, efficiency of countermeasures, mean time to breach a system, the most probable scenario,... - Why? Perform quantitative analysis which will help to reduce the risk and the negative impact of cyber attacks. 6 / 35

7 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics - What is it? Graphical methodology. - Used for? Security scenario representation. - Ancestor? Attack Trees. - Interpretation: Can be seen as game between two players (proponent vs opponent). - Semantics: Multisets, De Morgan lattice, Equational, Propositional, Series-Parallel graphs. - Practice: Used in industry.

8 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Graphically: Compromise Server Prevent target identification Network Scanning Escalate privileges Execute dangerous commands IP address space randomization Mutable network Target Exploitation Password Brute force Frequent patch development Vulnerabilities Scanning Use Vulnerability Exploit Password changing policy

ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Definition 1 ADTrees are defined by means of an abstract syntax called ADTerms, typed-terms over the signature Σ = (S, F), where : S = {p, o} is the set of types of players. F = {( p k ) k N, ( p k ) k N, ( p k ) k N, ( o k ) k N, ( o k ) k N, ( o k ) k N, c p, c o } B p B o is a set of function symbols. Definition 2 ADTrees are closed-terms over the signature Σ = (S, F), and generated by the following grammar, where b s B and s S: t : b s s (t,..., t) s (t,..., t) s (t,..., t) c s (t, t) 9 / 35

10 / 35 ADTrees Introduction ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Examples of ADTerms : t 0 = b p (Basic event) t 1 = p (b p 0, t 0) (Disjunction refinement) t 2 = p (t 1, b p 1 ) (Conjunction refinement) t 3 = p (t 2, b p 2, bp 3 ) (Sequential Conjunction refinement) t 4 = c p (t 3, b0 o) (Counter-defense)

ADTree Quantitative Evaluation ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics The quantitative evaluation of an ADTree consists in assessing a set of attributes like:probability, cost, or time. It is performed through the standard bottom-up procedure. 11 / 35

ADTree Quantitative Evaluation ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics Standard Bottom-up procedure (ADTool): 12 / 35

ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics However 1 The bottom-up procedure works only for independent events. 2 So far, there is only one approach [KPS14] 1 for quantitative analysis of ADTree with dependent actions. 3 Only discrete analysis can be done. 1. B. Kordy, M. Pouly, and P. Schweitzer. A probabilistic framework for security scenarios with dependent actions. In International Conference on Integrated Formal Methods, 256-271, 2014 13 / 35

ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics We need to develop a new semantics for ADTree. The new semantics should allow dependent events to occur, and provide modeling capabilities for defense in a more realistic way. It should also provide a continuous analysis method for ADTree evaluation. 14 / 35

ADTrees ADTree Quantitative Evaluation ADTree and need for a new semantics ADTree and need for a new semantics We proposed to use : Continuous Time Markov Chain or CTMC as a new semantics for ADTree. We model attacks/defense execution using exponential distribution (good for delayed impact defenses). Using the analytical approach of CTMCs, we can evaluate several attributes, and perform a continuous analysis by the use of Cumulative Distribution Function. 15 / 35

Definition 1 A Continuous Time Markov chain is a tuple (S, G, π), where: S is a finite disjoint set of states. G : S S R is the infinitesimal generator matrix which gives the rate of transition between two states s S and s S. π : S [0, 1] is the initial probability distribution on S. λ 1 λ 3 λ 2 16 / 35

Definition 2 An explicit continuous time Markov chain M is a tuple (S, S 0, S, G), where: S is a finite disjoint set of states. S 0 S is a finite set of initial states. S S is a finite set of final states. G : S S R is the infinitesimal generator matrix which gives the rate of transition between two states s S and s S. 17 / 35

Introduction We have formally defined the semantics of ADTrees in terms of CTMC for each component : Basic events, conjunction refinement, Disjunction refinement, Sequential conjunction refinement, and Countermeasure. 18 / 35

Introduction 19 / 35

Introduction 20 / 35

Introduction 21 / 35

Introduction 22 / 35

We took an example study: Compromise Server Prevent target identification Network Scanning Escalate privileges Execute dangerous commands IP address space randomization Mutable network Target Exploitation Password Brute force Frequent patch development Vulnerabilities Scanning Use Vulnerability Exploit Password changing policy 23 / 35

24 / 35 Introduction We obtain a final CTMC representing the entire ADTree: λ b p 4 λ b p 5 λ b o 2 λ b p 0 λ b o 2 λ p b 3 λ p b 2 λ b o 0 + λ b o 1 λ b p 1 λ p b 1 λ b o 3 λ b o 3 λ b p 2 λ b p 5

We have assessed three situational cases: 1 Attack tree (No defense is considered) 2 Adding countermeasure (Prevent target identification) 3 Adding the remaining countermeasures (Password policy, Frequent patches). 25 / 35

26 / 35

Analytical approach using CTMC is performed as follow: 27 / 35

Probabilistic attributes: Probability of final states (black states) representing the final goals G 1 and G 2 Probability 0.4 0.2 G 1 (case 1) G 1 (case 2) G 1 (case 3) G 2 (case 1) G 2 (case 2) G 2 (case 3) 0 0 2 4 6 8 10 Time (Unit) 28 / 35

Probabilistic attributes: Probability of final states (black states) representing the final goal G 1 + G 2 Final Goal(case 1) Final Goal(case 2) Final Goal(case 3) 1 0.8 Probability 0.6 0.4 0.2 0 0 2 4 6 8 10 Time (Unit) 29 / 35

Probabilistic attributes: Expected number of steps for each scenario of G 1 and G 2 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C3 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C2 [b p 0 ; bp 1 ; bp 2 ; bp 5 ]C1 2.83 3.83 5.13 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C3 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C2 [b p 0 ; bp 2 ; bp 1 ; bp 5 ]C1 2.67 3.67 4.87 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C3 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C2 [b p 0 ; bp 3 ; bp 4 ; bp 5 ]C1 3 4 5.45 0 0.5 1 1.5 2 2.5 3 3.5 4 4.5 5 5.5 30 / 35

Probabilistic attributes: Absorbing probabilities for G 1 and G 2 Probability (%) 100 50 50 50 50 50 4852 0 Case 1 Case 2 Case 3 Absorbing probabilities G 1 G 2 31 / 35

Timed attributes: Mean time to security failure 4 Time (Unit) 3 2 1 1.95 2.45 2.82 0 Case 1 Case 2 Case 3 Mean Time To Security Failure 32 / 35

Introduction We proposed a new semantics for ADTrees in terms of CTMCs. We applied CTMC to perform quantitative analysis of ADTree with dependent actions. 33 / 35

Challenges and Future Work Challenges : Not all attacks and/or countermeasures execution follow exponential-distribution. Estimating the rates for attacks/countermeasures has always been the main challenge for security assessment. Future Work : Extend our framework in order to accurately model social attacks and complex behaviors laying on other distributions. Embed the framework within the ADTool software and make it more adaptable for real life security scenarios. 34 / 35

35 / 35 Thanks for your attention Any questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback