Introduction | Attack-Defense Trees | Continuous Time Markov Chains | ADTree to CTMC | ADTree evaluation using CTMC | Conclusions
A Stochastic Framework for Quantitative Analysis of Attack-Defense Trees
R. Jhawar, K. Lounis, S. Mauw
CSC/SnT, University of Luxembourg
Luxembourg
Security and Trust of Software Systems, 2016
ADT2P & TREsPASS Project
Plan
1 Introduction
    Cyber attacks nowadays
    Graphical security models
    Quantitative analysis of security models
2 Attack-Defense Trees
    ADTrees
    ADTree Quantitative Evaluation
    ADTree and need for a new semantics
3 Continuous Time Markov Chains
4 ADTree to CTMC
5 ADTree evaluation using CTMC
6 Conclusions
Cyber attacks nowadays
Cyber attacks are becoming more and more complex, organized, distributed and sophisticated.
Their impact is therefore sometimes weighty, and in some cases not tolerable.
Graphical security models
To fend off the negative impact of cyber attacks, research efforts have led to the development and design of security models:
Attack trees: A tree-based model for representing cyber attacks. Introduced by Schneier in 1999.
Attack graphs: A directed graph-based model for representing cyber attacks.
Attack countermeasures trees: A tree-based model to graphically represent attacks and defenses in the same layout.
Attack-defense trees: Extend the attack tree model with refinable countermeasures. Introduced by Kordy et al. in 2010.
Quantitative analysis of security models
- How? Quantitative analysis is performed either with an analytical approach relying on Bayesian networks, Petri nets or Markov chains, or with simulations such as discrete simulation or Monte Carlo simulation.
- By? Computing metrics or attributes such as: probability of an attack or a scenario in a given time, cost of the attacks, efficiency of countermeasures, mean time to breach a system, the most probable scenario, ...
- Why? Quantitative analysis helps to reduce the risk and the negative impact of cyber attacks.
ADTrees
- What is it? Graphical methodology.
- Used for? Security scenario representation.
- Ancestor? Attack Trees.
- Interpretation: Can be seen as a game between two players (proponent vs opponent).
- Semantics: Multisets, De Morgan lattice, Equational, Propositional, Series-Parallel graphs.
- Practice: Used in industry.
Graphically:
[Figure: ADTree for the "Compromise Server" scenario. Node labels: Compromise Server, Network Scanning, Execute dangerous commands, Escalate privileges, Password Brute force, Target Exploitation, Use Vulnerability Exploit, Vulnerabilities Scanning, Prevent target identification, IP address space randomization, Mutable network, Frequent patch development, Password changing policy.]
Definition 1
ADTrees are defined by means of an abstract syntax called ADTerms, typed terms over the signature $\Sigma = (S, F)$, where:
$S = \{p, o\}$ is the set of types of players.
$F = \{(\vee^p_k)_{k\in\mathbb{N}}, (\wedge^p_k)_{k\in\mathbb{N}}, (\vec{\wedge}^p_k)_{k\in\mathbb{N}}, (\vee^o_k)_{k\in\mathbb{N}}, (\wedge^o_k)_{k\in\mathbb{N}}, (\vec{\wedge}^o_k)_{k\in\mathbb{N}}, c^p, c^o\} \cup B^p \cup B^o$ is a set of function symbols.
Definition 2
ADTrees are closed terms over the signature $\Sigma = (S, F)$, generated by the following grammar, where $b^s \in B$ and $s \in S$:
$t :\equiv b^s \mid \vee^s(t, \ldots, t) \mid \wedge^s(t, \ldots, t) \mid \vec{\wedge}^s(t, \ldots, t) \mid c^s(t, t)$
Examples of ADTerms:
$t_0 = b^p$ (Basic event)
$t_1 = \vee^p(b^p_0, t_0)$ (Disjunction refinement)
$t_2 = \wedge^p(t_1, b^p_1)$ (Conjunction refinement)
$t_3 = \vec{\wedge}^p(t_2, b^p_2, b^p_3)$ (Sequential conjunction refinement)
$t_4 = c^p(t_3, b^o_0)$ (Counter-defense)
ADTree Quantitative Evaluation
The quantitative evaluation of an ADTree consists in assessing a set of attributes such as probability, cost, or time.
It is performed through the standard bottom-up procedure.
Standard Bottom-up procedure (ADTool):
ADTree and need for a new semantics
However:
1 The bottom-up procedure works only for independent events.
2 So far, there is only one approach [KPS14] for quantitative analysis of ADTree with dependent actions.
3 Only discrete analysis can be done.
[KPS14] B. Kordy, M. Pouly, and P. Schweitzer. A probabilistic framework for security scenarios with dependent actions. In International Conference on Integrated Formal Methods, 256-271, 2014.
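The bottom-up procedure and its independence limitation, as an added example (not ADTool code and not taken from the slides). It assumes a nested-tuple encoding of ADTerms, the usual probability rules under independence with sequential conjunction evaluated like conjunction, and constructed probabilities; `exact` enumerates all outcomes of the basic actions to show where bottom-up goes wrong once an action is shared between subtrees.

```python
from itertools import product
from math import prod

# Added example. ADTerms as nested tuples (hypothetical encoding, not ADTool's):
#   ("b", s, name) | ("or"|"and"|"sand", s, [t, ...]) | ("c", s, t, t_counter)
# Assumption: "sand" is evaluated like "and" (ordering ignored).

def bottom_up(t, p):
    """Success probability of t, treating all subtrees as independent."""
    if t[0] == "b":
        return p[t[2]]
    if t[0] == "c":  # t succeeds and its countermeasure fails
        return bottom_up(t[2], p) * (1 - bottom_up(t[3], p))
    vals = [bottom_up(c, p) for c in t[2]]
    return 1 - prod(1 - v for v in vals) if t[0] == "or" else prod(vals)

def holds(t, world):
    """Outcome of t when `world` fixes which basic actions succeeded."""
    if t[0] == "b":
        return world[t[2]]
    if t[0] == "c":
        return holds(t[2], world) and not holds(t[3], world)
    outcomes = [holds(c, world) for c in t[2]]
    return any(outcomes) if t[0] == "or" else all(outcomes)

def exact(t, p):
    """Sum over all outcomes of the basic actions; valid when an action is shared."""
    names = sorted(p)
    total = 0.0
    for bits in product([False, True], repeat=len(names)):
        world = dict(zip(names, bits))
        if holds(t, world):
            total += prod(p[n] if world[n] else 1 - p[n] for n in names)
    return total

def b(s, name):
    return ("b", s, name)

# t4 from the slide; probabilities are constructed sample values
P = {"bp": 0.5, "bp0": 0.5, "bp1": 0.8, "bp2": 0.5, "bp3": 0.5, "bo0": 0.4}
t1 = ("or", "p", [b("p", "bp0"), b("p", "bp")])
t2 = ("and", "p", [t1, b("p", "bp1")])
t3 = ("sand", "p", [t2, b("p", "bp2"), b("p", "bp3")])
t4 = ("c", "p", t3, b("o", "bo0"))
# Constructed term in which the action "bp" occurs under both children
shared = ("and", "p", [t1, b("p", "bp")])

if __name__ == "__main__":
    print(bottom_up(t4, P), exact(t4, P))          # agree: no action is repeated
    print(bottom_up(shared, P), exact(shared, P))  # differ: "bp" is repeated
```

On `t4` both functions agree; on `shared` the bottom-up value underestimates the exact one because the two occurrences of `bp` are multiplied as if they were independent.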
We need to develop a new semantics for ADTree. The new semantics should allow dependent events to occur, and provide modeling capabilities for defense in a more realistic way. It should also provide a continuous analysis method for ADTree evaluation.
We proposed to use Continuous Time Markov Chains (CTMC) as a new semantics for ADTree.
We model attack/defense execution using the exponential distribution (good for delayed-impact defenses).
Using the analytical approach of CTMCs, we can evaluate several attributes and perform a continuous analysis by means of the cumulative distribution function.
Continuous Time Markov Chains
Definition 1
A Continuous Time Markov chain is a tuple (S, G, π), where:
S is a finite disjoint set of states.
G : S × S → R is the infinitesimal generator matrix, which gives the rate of transition between two states s ∈ S and s′ ∈ S.
π : S → [0,1] is the initial probability distribution on S.
[Figure: example CTMC with transition rates λ1, λ2, λ3.]
Definition 2
An explicit continuous time Markov chain M is a tuple (S, S0, S∗, G), where:
S is a finite disjoint set of states.
S0 ⊂ S is a finite set of initial states.
S∗ ⊂ S is a finite set of final states.
G : S × S → R is the infinitesimal generator matrix, which gives the rate of transition between two states s ∈ S and s′ ∈ S.
ADTree to CTMC
We have formally defined the semantics of ADTrees in terms of CTMC for each component: basic events, conjunction refinement, disjunction refinement, sequential conjunction refinement, and countermeasure.
ADTree evaluation using CTMC
We took an example study:
[Figure: the "Compromise Server" ADTree shown earlier, with the same node labels.]
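We obtain a final CTMC representing the entire ADTree:
[Figure: the resulting CTMC. Transition labels: $\lambda_{b^p_0}$, $\lambda_{b^o_0} + \lambda_{b^o_1}$, $\lambda_{b^p_1}$, $\lambda_{b^p_2}$, $\lambda_{b^p_3}$, $\lambda_{b^p_4}$, $\lambda_{b^p_5}$, $\lambda_{b^o_2}$, $\lambda_{b^o_3}$.]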
We have assessed three situational cases:
1 Attack tree (No defense is considered)
2 Adding countermeasure (Prevent target identification)
3 Adding the remaining countermeasures (Password policy, Frequent patches).
The analytical approach using CTMC is performed as follows:
Probabilistic attributes: Probability of final states (black states) representing the final goals G1 and G2
[Plot: probability versus time (unit), time axis 0 to 10; curves G1 (case 1), G1 (case 2), G1 (case 3), G2 (case 1), G2 (case 2), G2 (case 3).]
Probabilistic attributes: Probability of final states (black states) representing the final goal G1 + G2
[Plot: probability (0 to 1) versus time (unit), time axis 0 to 10; curves Final Goal (case 1), Final Goal (case 2), Final Goal (case 3).]
Probabilistic attributes: Expected number of steps for each scenario of G1 and G2
[Bar chart: expected number of steps (axis 0 to 5.5) per scenario and case. Scenarios, each shown for C3, C2 and C1: $[b^p_0; b^p_1; b^p_2; b^p_5]$, $[b^p_0; b^p_2; b^p_1; b^p_5]$, $[b^p_0; b^p_3; b^p_4; b^p_5]$. Bar values as listed: 5.13, 3.83, 2.83; 4.87, 3.67, 2.67; 5.45, 4, 3.]
Probabilistic attributes: Absorbing probabilities for G1 and G2
[Bar chart: absorbing probabilities (%) of G1 and G2 for Case 1, Case 2 and Case 3. Bar values as listed: 50, 50, 48 and 50, 50, 52.]
Timed attributes: Mean time to security failure
[Bar chart: Mean Time To Security Failure in time units. Case 1: 1.95, Case 2: 2.45, Case 3: 2.82.]
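An added example (not the authors' tool or model) of the kinds of measure reported in this section, computed for an explicit CTMC (S, S0, S∗, G): transient probability of the final states, absorbing probabilities, and mean time to security failure. The four-state chain and its rates are constructed, and the pure-Python linear solver and uniformization routine are one common way to carry out the computation.

```python
from math import exp

def solve(A, b):
    """Solve A x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def transient(G, pi0, t, terms=200):
    """pi(t) = pi0 * exp(G t) by uniformization; needs terms well above q*t."""
    n = len(G)
    q = max(-G[i][i] for i in range(n))
    P = [[(i == j) + G[i][j] / q for j in range(n)] for i in range(n)]
    v, w, out = pi0[:], exp(-q * t), [0.0] * n
    for k in range(terms):
        out = [o + w * x for o, x in zip(out, v)]
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        w *= q * t / (k + 1)
    return out

def absorption(G, start, final):
    """Mean time to absorption from `start`, and probability of ending in each final state."""
    T = [s for s in range(len(G)) if s not in final]
    A = [[-G[i][j] for j in T] for i in T]
    k = T.index(start)
    mtta = solve(A, [1.0] * len(T))[k]
    return mtta, {f: solve(A, [G[i][f] for i in T])[k] for f in final}

# Constructed chain: 0 = start, 1 = foothold, 2 = goal G1, 3 = goal G2.
# Hypothetical rates: attack 0->1 (2.0), 1->2 (1.5), 1->3 (0.5); defense 1->0 (2.0).
G = [[-2.0, 2.0, 0.0, 0.0],
     [2.0, -4.0, 1.5, 0.5],
     [0.0, 0.0, 0.0, 0.0],
     [0.0, 0.0, 0.0, 0.0]]
S0, FINAL = 0, [2, 3]

if __name__ == "__main__":
    mttsf, absorb = absorption(G, S0, FINAL)
    print("MTTSF:", mttsf, "absorbing probabilities:", absorb)
    for t in (1, 2, 5, 10):
        pi = transient(G, [1.0, 0.0, 0.0, 0.0], t)
        print(t, round(pi[2], 4), round(pi[3], 4))
```

Raising the defense rate on 1->0 in `G` lengthens the mean time to security failure without changing the split between the two goals, since the split depends only on the two rates leaving state 1 toward the final states.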
Conclusions
We proposed a new semantics for ADTrees in terms of CTMCs.
We applied CTMC to perform quantitative analysis of ADTree with dependent actions.
Challenges and Future Work
Challenges:
Not all attack and/or countermeasure executions follow an exponential distribution.
Estimating the rates for attacks/countermeasures has always been the main challenge for security assessment.
Future Work:
Extend our framework in order to accurately model social attacks and complex behaviors relying on other distributions.
Embed the framework within the ADTool software and make it more adaptable for real-life security scenarios.