A Kolmogorov Complexity Approach for Measuring Attack Path Complexity
• By Nwokedi C. Idika & Bharat Bhargava
• Presented by Bharat Bhargava

Outline
• Motivation
• The Kolmogorov Complexity Method (KCM)
• The K-step Capability Accumulation Metric (KCA)
• Applying KCM to KCA

Motivation
• Perfect enterprise security is impossible to achieve, and must be approximated
• The difficulty associated with causing a security breach is used as an indicator of the quality of an enterprise’s security
• The ability of an attacker to exploit a vulnerability is referred to as exploitability

Exploitability is Important
• Common Vulnerability Scoring System (CVSS)
  • exploitability is incorporated into the scoring of vulnerabilities
• Computer Emergency Response Team/Coordination Center (CERT/CC)
  • has a numeric score based on exploitability
• SANS Critical Vulnerability Analysis Scale Rating
  • 2 of its 4 ratings include exploitability
Thus, assessing the difficulty of attack paths is important!

Representing Attack Paths with Attack Graphs
[Figure: attack graph] Total Attack Paths: 4

Issues with Representation
• Counting the number of paths is straightforward (usually)
• Measuring the complexity of each attack is non-trivial
• Choices for determining attack complexity have been made in the literature
• However, these choices lack consistency, and fail to make some of the modeler’s assumptions explicit
If security metrics are to become more of a science, we will need a standard way of communicating our measurements!

What We Would Like
• A standard way of measuring attack path complexity that is grounded in some sound theory
• An attack path measurement approach that incorporates the assumptions of the modeler
• A way of measuring attack paths that provides a modeler sufficient flexibility to model the attack path as desired
The Kolmogorov Complexity Method achieves these aims

Kolmogorov Complexity (KC)
• KC determines a string’s complexity by using the size of the smallest program that can produce that string
• Let $K$ be the function that returns the KC of a string
• Given strings $x_1$ and $x_2$, if $K(x_1) < K(x_2)$, then $x_2$ is more complex than $x_1$
Idea: If we model attack paths as strings, we can apply KC to attack paths

Representing Attack Paths
• Alphabet
  • $A$ corresponds to the set of all exploits (i.e., instances of vulnerabilities) found in all attack graphs under consideration
• Constants
  • ε is the empty string
  • $v_i \in A$ denotes an exploit from an attack graph
  • ∅ corresponds to the empty set

Representing Attack Paths (II)
• Operators
  • Let $S$ and $T$ be two strings composed of characters from $A$
  • Let $E_1$ and $E_2$ be expressions in the language
  • $ST$ evaluates to the concatenation of strings $S$ and $T$
  • $()$ provides priority ordering
  • $(S)^+$ denotes that $S$ may repeat one or more times

Representing Attack Paths (III)
• Operators (continued...)
  • $S^k$ evaluates to $k$ instances of $S$ concatenated together
  • $E_1[k]E_2$ evaluates to the insertion of $E_1$ into index $k$ of $E_2$, where the first character of $E_2$ is index 0 (the above can be generalized to $E_1[k_1],[k_2],\ldots[k_n]E_2$)
  • $E_1^{l},[k]E_2$ concatenates $E_1^{l}$ to $E_2$ and inserts $E_1$ into the $k$th index of $E_2$
  • $E_1^{l}[k]E_2$ inserts $E_1^{l}$ into the $k$th index of $E_2$

The Kolmogorov Complexity Method (KCM) Applied to an Attack Path
Quantitative Representation: $v_1v_1v_1v_2v_3v_1v_1$
Qualitative Representations: $v_1^{3,2}[2]v_2v_3$, $v_1^{3},[2]v_2v_3v_1$, $v_1^{3}v_2v_3v_1v_1$
Each representation makes explicit distinct assumptions about the attack path

KCM Can Handle Cyclic Attack Paths
A Representation: $v_1^{2}(v_1v_2v_3)^{+}v_1^{2}$

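The operators from the "Representing Attack Paths" slides can be checked mechanically. The following is an added example, not code from the paper or the presentation: it expands the three qualitative representations to confirm they yield the same quantitative string, and unrolls the cyclic representation. Function names are hypothetical, and the `m` parameter is an assumed reading of the form with two exponents.

```python
# Added illustration: evaluates the slides' attack-path operators on lists of
# exploit names. Function names are hypothetical, not from the paper.

def rep(s, k):
    """S^k: k instances of S concatenated together."""
    return list(s) * k

def insert(e1, k, e2):
    """E1[k]E2: insert E1 at index k of E2 (first character of E2 is index 0)."""
    if not 0 <= k <= len(e2):
        raise ValueError(f"index {k} outside 0..{len(e2)}")
    return list(e2[:k]) + list(e1) + list(e2[k:])

def concat_insert(e1, l, k, e2, m=1):
    """E1^l,[k]E2: prepend E1^l to E2 and insert E1 at index k of E2.
    m > 1 is an assumed reading of the two-exponent form: insert E1^m."""
    return rep(e1, l) + insert(rep(e1, m), k, e2)

def unroll(prefix, cycle, suffix, n):
    """prefix (cycle)^+ suffix with the cycle taken n >= 1 times."""
    if n < 1:
        raise ValueError("(S)+ repeats one or more times")
    return list(prefix) + rep(cycle, n) + list(suffix)

V1, V2, V3 = ["v1"], ["v2"], ["v3"]
QUANTITATIVE = ["v1", "v1", "v1", "v2", "v3", "v1", "v1"]

def qualitative_expansions():
    """Expand the three qualitative representations from the slide."""
    return [
        concat_insert(V1, 3, 2, V2 + V3, m=2),   # two-exponent form, [2]v2v3
        concat_insert(V1, 3, 2, V2 + V3 + V1),   # v1^3,[2]v2v3v1
        rep(V1, 3) + V2 + V3 + V1 + V1,          # v1^3 v2v3v1v1
    ]

if __name__ == "__main__":
    for path in qualitative_expansions():
        print("".join(path), path == QUANTITATIVE)
    # Cyclic path v1^2 (v1v2v3)+ v1^2 with the cycle taken twice
    print("".join(unroll(rep(V1, 2), V1 + V2 + V3, rep(V1, 2), 2)))
```
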
Previously Proposed Metrics
• Capability Metrics: measure security in terms of an attacker’s capability
  • Number of Paths (Ortalo et al. ’99), Weakest Adversary (Pamula et al. ’06), Network Compromise Percentage (Lippmann et al. ’06)
• Complexity Metrics: measure security in terms of effort
  • Shortest Path (Phillips & Swiler ’98), Mean of Path Lengths (Li & Vaughn ’06)

The K-Step Capability Accumulation Metric (KCA)
• KCA is a hybrid of a complexity metric and a capability metric
• More than how difficult it is to cause a security breach, or what capabilities an attacker can obtain, KCA is concerned with the amount of capability an attacker can attain for varying levels of attack effort
Intuition: In general, a network that can be compromised in a single attack step is less secure than another network that requires a series of multiple attack steps to compromise the network

KCA: Comparing 2 Attack Graphs
[Figure: attack graphs G1 and G2]
$KCA_1(G_1) = KCA_1(G_2)$
$KCA_2(G_1) < KCA_2(G_2)$
G1 is more secure than G2

Adapting KCA for KCM
• Assuming the KCM qualitative representation
• $Cap_{p_i}(G) = \cup\, capabilities(p_i)$
• Let $q_1$ through $q_n$ be quantitative representations of the attack paths $p_1$ through $p_n$ respectively
• $q_j^{0 \ldots i}$ is the substring of $q_j$ from index 0 to index $i$
• $q_j^{i}$ is the $i$th position of $q_j$

Adapting KCA for KCM (II)
• Similar definitions exist for $s$
• $e(s_j^{0 \ldots i}) = q_j^{0 \ldots m}$, such that $s_j^{i} = q_j^{m}$ and $q_j^{m} \neq q_j^{m+1}$; also $\forall v \in q_j^{0 \ldots m},\ v \in s_j^{0 \ldots i}$
• This gives the following:
• $KCA_k(G) = \bigcup_{i=1}^{k} Cap_{e(s_j^{0 \ldots i})}(G)$, for all attack paths $j$

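One way to compute the metric defined above and reproduce the comparison on the "Comparing 2 Attack Graphs" slide, as an added example that is not the authors' code. It assumes that each step of s is one run of a repeated exploit in q, that step i means the first i steps, and that capabilities are attached per exploit; `CAPS`, `G1` and `G2` are constructed sample data, and `<` is taken as strict set inclusion.

```python
# Added illustration; CAPS, G1 and G2 are constructed sample data.
from itertools import groupby

# Assumed: capabilities each exploit grants the attacker.
CAPS = {
    "v1": {"user@web"},
    "v2": {"user@db"},
    "v3": {"root@db"},
    "v4": {"root@web"},
}

def collapse(q):
    """Qualitative step string s: each run of a repeated exploit in q is one step."""
    return [v for v, _ in groupby(q)]

def e(q, i):
    """Quantitative prefix q[0..m] covered by the first i steps of s = collapse(q);
    m is where the i-th run ends, so q[m] != q[m+1] as the slide requires."""
    prefix = []
    for step, (_, run) in enumerate(groupby(q), start=1):
        if step > i:
            break
        prefix.extend(run)
    return prefix

def kca(graph, k):
    """KCA_k(G): capabilities reachable within k steps on any attack path."""
    gained = set()
    for q in graph:                   # every attack path j
        for i in range(1, k + 1):     # union over i = 1..k
            for v in e(q, i):
                gained |= CAPS[v]
    return gained

# Constructed graphs, each a list of quantitative attack paths.
G1 = [["v1", "v1", "v2", "v3"], ["v1", "v4"]]
G2 = [["v1", "v1", "v3"], ["v1", "v2"], ["v1", "v4"]]

if __name__ == "__main__":
    for k in (1, 2):
        print(k, sorted(kca(G1, k)), sorted(kca(G2, k)))
```
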
Summary
• We have proposed a methodology for measuring attack paths, the Kolmogorov Complexity Method (KCM)
• We have proposed a novel security metric that combines complexity and capabilities obtained by the attacker, the K-step Capability Accumulation Metric (KCA)
• We have shown that KCM can be applied to a security metric, namely, KCA