A Stochastic Framework for Quantitative Analysis of Attack-Defense Trees

R. Jhawar, K. Lounis, S. Mauw
CSC/SnT, University of Luxembourg, Luxembourg

Security and Trust of Software Systems, 2016
ADT2P & TREsPASS Project

Plan

1 Introduction: Cyber attacks nowadays; Graphical security models; Quantitative analysis of security models
2 Attack-Defense Trees: ADTrees; ADTree Quantitative Evaluation; ADTree and need for a new semantics
3 Continuous Time Markov Chains
4 ADTree to CTMC
5 ADTree evaluation using CTMC
6 Conclusions

Cyber attacks nowadays

Cyber attacks are becoming more and more complex, organized, distributed and sophisticated.

Their impact is therefore sometimes severe, and in some cases not tolerable.

Graphical security models

To fend off the negative impact of cyber attacks, research efforts have led to the development and design of graphical security models:

Attack trees: A tree-based model for representing cyber attacks. Introduced by Schneier in 1999.

Attack graphs: A directed graph-based model for representing cyber attacks.

Attack countermeasure trees: A tree-based model to graphically represent attacks and defenses in the same layout.

Attack-defense trees: Extend the attack tree model with refinable countermeasures. Introduced by Kordy et al. in 2010.

Quantitative analysis of security models

- How? Quantitative analysis is performed either with an analytical approach relying on Bayesian networks, Petri nets or Markov chains, or with simulations such as discrete-event simulation and Monte Carlo simulation.

- By? Computing metrics or attributes such as: the probability of an attack or a scenario within a given time, the cost of the attacks, the efficiency of countermeasures, the mean time to breach a system, the most probable scenario, ...

- Why? Quantitative analysis helps to reduce the risk and the negative impact of cyber attacks.

ADTrees

- What is it? A graphical methodology.
- Used for? Security scenario representation.
- Ancestor? Attack trees.
- Interpretation: Can be seen as a game between two players (proponent vs opponent).
- Semantics: Multisets, De Morgan lattice, equational, propositional, series-parallel graphs.
- Practice: Used in industry.

ADTrees

Graphically (example ADTree; the figure is reproduced here by its node labels only):

Root goal: Compromise Server
Attack nodes: Network Scanning; Execute dangerous commands; Escalate privileges; Password Brute force; Target Exploitation; Use Vulnerability; Exploit Vulnerabilities; Scanning
Countermeasure nodes: Prevent target identification; IP address space randomization; Mutable network; Frequent patch development; Password changing policy

ADTrees

Definition 1. ADTrees are defined by means of an abstract syntax called ADTerms, typed terms over the signature $\Sigma = (S, F)$, where:

$S = \{p, o\}$ is the set of types of players.

$F = \{(\vee^p_k)_{k \in \mathbb{N}}, (\wedge^p_k)_{k \in \mathbb{N}}, (\overrightarrow{\wedge}^p_k)_{k \in \mathbb{N}}, (\vee^o_k)_{k \in \mathbb{N}}, (\wedge^o_k)_{k \in \mathbb{N}}, (\overrightarrow{\wedge}^o_k)_{k \in \mathbb{N}}, c^p, c^o\} \cup B^p \cup B^o$ is the set of function symbols.

Definition 2. ADTrees are closed terms over the signature $\Sigma = (S, F)$, generated by the following grammar, where $b^s \in B$ and $s \in S$:

$t ::= b^s \mid \vee^s(t, \ldots, t) \mid \wedge^s(t, \ldots, t) \mid \overrightarrow{\wedge}^s(t, \ldots, t) \mid c^s(t, t)$

ADTrees

Examples of ADTerms:

$t_0 = b^p$ (basic event)
$t_1 = \vee^p(b^p_0, t_0)$ (disjunction refinement)
$t_2 = \wedge^p(t_1, b^p_1)$ (conjunction refinement)
$t_3 = \overrightarrow{\wedge}^p(t_2, b^p_2, b^p_3)$ (sequential conjunction refinement)
$t_4 = c^p(t_3, b^o_0)$ (counter-defense)

ADTree Quantitative Evaluation

The quantitative evaluation of an ADTree consists in assessing a set of attributes such as probability, cost or time. It is performed through the standard bottom-up procedure.

Standard bottom-up procedure (ADTool):
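As an added example (not code from the slides or from ADTool), the bottom-up rules for the probability attribute applied to the ADTerms t0..t4 of the previous slides, next to an exact evaluation that enumerates all outcomes of the basic events. Leaf names and the probabilities in P are constructed; the two evaluations agree when every basic event occurs once and diverge as soon as a basic event is shared between subtrees.

```python
# Bottom-up vs exact probability evaluation on ADTerms (added example, not slide or ADTool code).
from dataclasses import dataclass, field
from itertools import product
from math import prod

@dataclass
class Term:
    op: str                 # "b", "OR", "AND", "SAND" or "C" (countermeasure)
    player: str = "p"       # "p" proponent (attacker) or "o" opponent (defender)
    children: list = field(default_factory=list)
    name: str = ""          # label of a basic event (op == "b")

def bottom_up(t, p):
    """Standard bottom-up rules; correct only if all basic events are independent."""
    if t.op == "b":
        return p[t.name]
    sub = [bottom_up(c, p) for c in t.children]
    if t.op in ("AND", "SAND"):             # every child must succeed
        return prod(sub)
    if t.op == "OR":                        # at least one child succeeds
        return 1.0 - prod(1.0 - x for x in sub)
    action, counter = sub                   # c^s(t, d): t succeeds and d fails
    return action * (1.0 - counter)

def holds(t, w):
    """Boolean semantics of t under one outcome w of the basic events."""
    if t.op == "b":
        return w[t.name]
    if t.op == "C":
        return holds(t.children[0], w) and not holds(t.children[1], w)
    f = all if t.op in ("AND", "SAND") else any
    return f(holds(c, w) for c in t.children)

def exact(t, p):  # enumerate all 2^n outcomes; stays correct when a leaf is shared
    names = sorted(p)
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        w = dict(zip(names, bits))
        if holds(t, w):
            total += prod(p[n] if w[n] else 1.0 - p[n] for n in names)
    return total

# The slides' example terms t0..t4; leaf names and probabilities are constructed here.
B = lambda n, s="p": Term("b", s, name=n)
t1 = Term("OR", "p", [B("bp0"), B("bp")])        # t1 = OR^p(b^p_0, t0), t0 = b^p
t2 = Term("AND", "p", [t1, B("bp1")])
t3 = Term("SAND", "p", [t2, B("bp2"), B("bp3")])
t4 = Term("C", "p", [t3, B("bo0", "o")])         # t4 = c^p(t3, b^o_0)
P = {"bp": 0.5, "bp0": 0.4, "bp1": 0.8, "bp2": 0.5, "bp3": 0.9, "bo0": 0.6}
shared = Term("OR", "p", [Term("AND", "p", [B("a"), B("b")]), Term("AND", "p", [B("a"), B("c")])])
```

For t4 both evaluations give 0.1008; for the term `shared`, where leaf a appears twice, the bottom-up rules return 0.4375 while the exact value is 0.375 with a = b = c = 0.5.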

ADTree and need for a new semantics

However:

1 The bottom-up procedure works only for independent events.
2 So far, there is only one approach [KPS14] for the quantitative analysis of ADTrees with dependent actions.
3 Only discrete analysis can be done.

[KPS14] B. Kordy, M. Pouly, and P. Schweitzer. A probabilistic framework for security scenarios with dependent actions. In International Conference on Integrated Formal Methods, pages 256-271, 2014.

ADTree and need for a new semantics

We need to develop a new semantics for ADTrees. The new semantics should allow dependent events to occur, and provide modeling capabilities for defenses in a more realistic way. It should also provide a continuous analysis method for ADTree evaluation.

ADTree and need for a new semantics

We propose to use Continuous Time Markov Chains (CTMCs) as a new semantics for ADTrees.

We model the execution of attacks and defenses using the exponential distribution (well suited to defenses with a delayed impact).

Using the analytical approach of CTMCs, we can evaluate several attributes and perform a continuous analysis by means of the cumulative distribution function.

Continuous Time Markov Chains

Definition 1. A Continuous Time Markov chain is a tuple $(S, G, \pi)$, where:

$S$ is a finite disjoint set of states.
$G : S \times S \to \mathbb{R}$ is the infinitesimal generator matrix, which gives the rate of transition between two states $s \in S$ and $s' \in S$.
$\pi : S \to [0, 1]$ is the initial probability distribution on $S$.

(Figure: a small chain whose transitions are labelled with the rates $\lambda_1$, $\lambda_2$, $\lambda_3$.)

Continuous Time Markov Chains

Definition 2. An explicit continuous time Markov chain $M$ is a tuple $(S, S_0, S^*, G)$, where:

$S$ is a finite disjoint set of states.
$S_0 \subset S$ is a finite set of initial states.
$S^* \subset S$ is a finite set of final states.
$G : S \times S \to \mathbb{R}$ is the infinitesimal generator matrix, which gives the rate of transition between two states $s \in S$ and $s' \in S$.

ADTree to CTMC

We have formally defined the semantics of ADTrees in terms of CTMCs for each component: basic events, conjunction refinement, disjunction refinement, sequential conjunction refinement, and countermeasure.

ADTree evaluation using CTMC

We took an example study: the Compromise Server ADTree shown earlier (root goal Compromise Server, with the same attack nodes and countermeasures as on the earlier ADTrees slide).

ADTree evaluation using CTMC

We obtain a final CTMC representing the entire ADTree.

(Figure: the transitions are labelled with the rates $\lambda_{b^p_0}, \ldots, \lambda_{b^p_5}$ of the attack steps and $\lambda_{b^o_0}, \ldots, \lambda_{b^o_3}$ of the countermeasures; one transition carries the summed rate $\lambda_{b^o_0} + \lambda_{b^o_1}$.)

ADTree evaluation using CTMC

We have assessed three situational cases:

1 Attack tree (no defense is considered)
2 Adding the countermeasure Prevent target identification
3 Adding the remaining countermeasures (Password policy, Frequent patches)


ADTree evaluation using CTMC

The analytical approach using CTMCs is performed as follows:
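The following added example (not the authors' implementation) carries out such an analysis on a small constructed CTMC derived from an ADTree fragment: a sequential conjunction of two attack steps countered by a defense. It uses uniformization for the time-dependent probability of the final states, and the absorbing-chain equations for the absorbing probabilities and the mean time to absorption, which are the attributes reported on the following slides. The rates l1, l2, mu and the state numbering are assumptions.

```python
# Analytical CTMC evaluation of a small ADTree fragment: transient probability of the
# final state, absorbing probabilities and mean time to absorption. Added example, not
# the authors' code. The chain is constructed here: sequential conjunction of attack
# steps b1 (rate l1) then b2 (rate l2), countered by a defense deployed at rate mu.
# States: 0 = start, 1 = b1 done, 2 = attacker goal (final), 3 = defended (final).
import math

def generator(l1, l2, mu):
    """Infinitesimal generator G: off-diagonal transition rates, rows sum to zero."""
    G = [[0.0] * 4 for _ in range(4)]
    G[0][1], G[0][3] = l1, mu
    G[1][2], G[1][3] = l2, mu
    for i in range(4):
        G[i][i] = -sum(G[i])
    return G

def transient(G, pi0, t, eps=1e-12):
    """State distribution at time t by uniformization: sum_k Poisson(k; lam*t) pi0 P^k."""
    n = len(G)
    lam = max(-G[i][i] for i in range(n)) or 1.0
    P = [[G[i][j] / lam + (i == j) for j in range(n)] for i in range(n)]
    v, out, k, w = list(pi0), [0.0] * n, 0, math.exp(-lam * t)
    while sum(out) < 1.0 - eps and k < 100_000:   # stop once the Poisson mass is exhausted
        out = [o + w * x for o, x in zip(out, v)]
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        k += 1
        w *= lam * t / k
    return out

def solve(A, B):
    """Gauss-Jordan elimination for A X = B, with B given as a list of rows."""
    n = len(A)
    M = [A[i][:] + B[i][:] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [[M[i][j] / M[i][i] for j in range(n, len(M[i]))] for i in range(n)]

def absorption(G, trans, final):
    """Absorbing probabilities B = -Q^-1 R and mean time to absorption tau = -Q^-1 1,
    with Q = G[trans, trans] and R = G[trans, final]."""
    Q = [[G[i][j] for j in trans] for i in trans]
    R = [[-G[i][j] for j in final] for i in trans]
    B = solve(Q, R)
    tau = [row[0] for row in solve(Q, [[-1.0] for _ in trans])]
    return B, tau
```

With mu = 0 the chain is the pure attack tree case and tau[0] is the mean time to security failure 1/l1 + 1/l2; with mu > 0 the defended state takes part of the absorbing mass and the goal's probability curve flattens accordingly.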

ADTree evaluation using CTMC

Probabilistic attributes: probability of the final states (black states) representing the final goals G1 and G2.

(Figure: probability versus time, 0 to 10 time units, probability axis 0 to 0.4; curves G1 (case 1), G1 (case 2), G1 (case 3), G2 (case 1), G2 (case 2), G2 (case 3).)

ADTree evaluation using CTMC

Probabilistic attributes: probability of the final states (black states) representing the final goal G1 + G2.

(Figure: probability versus time, 0 to 10 time units, probability axis 0 to 1; curves Final Goal (case 1), Final Goal (case 2), Final Goal (case 3).)

ADTree evaluation using CTMC

Probabilistic attributes: expected number of steps for each scenario of G1 and G2.

(Bar chart, 0 to 5.5 steps; values as read from the chart.)

Scenario                          Case 1   Case 2   Case 3
[b^p_0; b^p_1; b^p_2; b^p_5]      2.83     3.83     5.13
[b^p_0; b^p_2; b^p_1; b^p_5]      2.67     3.67     4.87
[b^p_0; b^p_3; b^p_4; b^p_5]      3        4        5.45

ADTree evaluation using CTMC

Probabilistic attributes: absorbing probabilities for G1 and G2.

(Bar chart, probability in %; values as read from the chart.)

          G1 (%)   G2 (%)
Case 1    50       50
Case 2    50       50
Case 3    48       52

ADTree evaluation using CTMC

Timed attributes: mean time to security failure.

(Bar chart, time in units; values as read from the chart.)

          Mean Time To Security Failure (time units)
Case 1    1.95
Case 2    2.45
Case 3    2.82

Conclusions

We proposed a new semantics for ADTrees in terms of CTMCs.
We applied CTMCs to perform quantitative analysis of ADTrees with dependent actions.

Challenges and Future Work

Challenges:
Not all attack and/or countermeasure executions follow an exponential distribution.
Estimating the rates of attacks and countermeasures has always been the main challenge for security assessment.

Future Work:
Extend our framework in order to accurately model social attacks and complex behaviors based on other distributions.
Embed the framework within the ADTool software and make it more adaptable to real-life security scenarios.

Thanks for your attention. Any questions?