A PRM‐based Approach to Assessment of Network Security
Fredrik Löf, Johan Stomberg, Teodor Sommestad, Mathias Ekstedt (Royal Institute of Technology)
Jonas Hallberg, Johan Bengtsson (Swedish Defence Research Agency)
Agenda: Aim, Scope and Requirements; Related works – Attack Graphs; The Probabilistic Relational Model (PRM) approach in general; The example from the paper
The control system is complex: Is my control system secure enough? Actually, I don’t even know everything I have out there… Advanced functionality. Interconnected. Heterogeneous third-party components.
Vulnerabilities are potentially everywhere: And how does all of this relate? How do vulnerabilities propagate?
Poor decision support for cybersecurity
Should I spend my budget on a staff training program, logging functionality, or new firewalls?
• Plenty of reference material:
• NIST SP 800-82, NERC CIP, ISO 27004, ISA-SP99, material from US-CERT, SCADA Procurement Language, CORAS, OCTAVE, CRAMM…, books, articles… Vulnerability databases, Wikipedia…
• But how do they relate? Overlap. Different focus.
• Blank spots? Consequences. Priorities.
No holistic scope that helps the decision maker see the consequences of decisions
Requirements from the decision-maker
• Relevant predictions of security risk of solutions
• Holistic scope of the assessment
• High enough precision of assessment
• At least order different solution alternatives
• The likelihood of security breaches/incidents (could be seen as part of the definition of ”risk”)
• Minimize work for the decision-maker
• Low cost to perform analyses/assessments
• Practical availability of data needed for the analyses (I know I use DNP3, perhaps that it is encrypted, definitely not the encryption algorithm/strength)
• Reusability of analysis data (I can’t afford to start from scratch every time security is to be reviewed/considered)
• Compatible with other types of analyses (security is one out of many properties…)
• Theory should not need to be known in detail by the decision-maker (I know what I have, not exactly how security works; compare to users of CAD programs)
• Support is needed now! Decisions are taken today no matter if relevant topics are researched or not…
Attack graphs (our foundation): The network’s state. Condition/state. The attacker’s identity/identities. Picture from: Heberlein et al., A Taxonomy for Comparing Attack-Graph Approaches. Retrieved from http://www.netsq.com/Documents/AttackGraphPaper.pdf.
Applying attack graphs: State X reachable? System model. Theory. Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
Conditions and attack steps. Identity: For all hosts, what access level does the adversary own? Network: For all hosts, what vulnerable services are running (what ports are open)? Is there a physical connection between host X and host Y? Can service Z on host Y be called from host X? What paths does the IDS monitor?
Conditions and attack steps, per host. Identity: For all hosts, what access level does the adversary own? Network: For all hosts, what vulnerable services are running (what ports are open)? Is there a physical connection between host X and host Y? Can service Z on host Y be called from host X? What paths does the IDS monitor? Attack steps: Malicious code attack. Admin level request.
Others that suggest probabilistic attack graphs
• Sheyner, O., Scenario graphs and attack graphs, PhD thesis, Carnegie Mellon University, 2004.
• Liu, Y., & Hong, M., Network vulnerability assessment using Bayesian networks. In Proceedings of Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security (pp. 61-71). Orlando, Florida, USA, 2005.
• M. Frigault and L. Wang. Measuring network security using Bayesian network-based attack graphs. In Proceedings of the 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA’08), 2008.
• M. Frigault, L. Wang, A. Singhal, and S. Jajodia. Measuring network security using dynamic Bayesian network. In Proceedings of the 4th ACM workshop on Quality of protection, 2008.
• Homer, J., Manhattan, K., Ou, X., Schmidt, D., A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks. Kansas State University, 2010. http://people.cis.ksu.edu/~xou/publications/tr_homer_0809.pdf.
PRMs (Probabilistic relational models): P(State X reachable). Manual. System model. Theory. Also includes humans, processes etc. General conditional probabilities. Picture from: Roschke, S., Cheng, F., Schuppenies, R., & Meinel, C. (2009). Towards Unifying Vulnerability Information for Attack Graph Construction. In Proceedings of the 12th International Conference on Information Security, Springer.
Probabilistic attack/defense graphs - data (figure labels: Possible, Impossible)
Connecting attack/defense graphs and modeling languages. More formally… Probabilistic Relational Models (http://dags.stanford.edu/PRMs/)
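As an added illustration of the P(State X reachable) idea on the PRM slides (not code from the paper or the presentation): class-level conditional probabilities are applied to a small instantiated system model, and the probability that the adversary ends up owning each host is computed exactly by enumeration. The host names, links and every probability below are constructed for the example.

```python
from itertools import product

# Class-level theory (constructed numbers, not from the paper):
# P(attack step succeeds | target service vulnerable?, path monitored by IDS?)
P_STEP = {(True, False): 0.60, (True, True): 0.30,
          (False, False): 0.05, (False, True): 0.02}

# Instance model (constructed): prior that each host runs a vulnerable service.
P_VULN = {"office_pc": 0.5, "hmi": 0.3, "scada_server": 0.2}

# (src, dst, ids_monitored): a service on dst can be called from src.
LINKS = [("internet", "office_pc", False),
         ("office_pc", "hmi", True),
         ("office_pc", "scada_server", True),
         ("hmi", "scada_server", False)]


def owned_hosts(links, ok_bits, start):
    """Hosts the adversary ends up owning, given which steps succeed."""
    owned = {start}
    changed = True
    while changed:
        changed = False
        for (src, dst, _), ok in zip(links, ok_bits):
            if ok and src in owned and dst not in owned:
                owned.add(dst)
                changed = True
    return owned


def p_reachable(target, links=LINKS, p_vuln=P_VULN, start="internet"):
    """Exact P(adversary owns target), by enumerating every possible world."""
    hosts = list(p_vuln)
    total = 0.0
    for vuln_bits in product([True, False], repeat=len(hosts)):
        vuln = dict(zip(hosts, vuln_bits))
        p_world = 1.0
        for h in hosts:
            p_world *= p_vuln[h] if vuln[h] else 1 - p_vuln[h]
        for ok_bits in product([True, False], repeat=len(links)):
            p = p_world
            for (_, dst, ids), ok in zip(links, ok_bits):
                q = P_STEP[(vuln[dst], ids)]
                p *= q if ok else 1 - q
            if target in owned_hosts(links, ok_bits, start):
                total += p
    return total


if __name__ == "__main__":
    for host in P_VULN:
        print(f"P({host} compromised) = {p_reachable(host):.4f}")
```

Passing a modified `links` list (for example with the IDS flag set on the hmi to scada_server path) lets two solution alternatives be ranked by the resulting probability.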
But where do the conditional probabilities come from?
• Existing knowledge
• Documented knowledge (Literature / articles / reports / vulnerability DBs / …)
• Typically detailed knowledge that needs to be abstracted
• Experts
• Not yet elicited knowledge
• Experiments
• Observations
• Case studies
• Our principal strategy is not to discover new theory but to combine existing theory into a consistent, more holistic model
• Sure, we know too little…
• But many practitioners also use too little of what we already know…
Combined Endeavor 07: NATO + Partners, yearly exercise
PRM‐based security risk assessment in summary: Holistic. Probabilistic/indicative. System architecture model-based.