780 likes | 1.74k Views
Attack Trees Techniques. Dijiang Huang. Some Materials thanks to DongSeong Kim and Kishor Trivedi, Duke University. Outline. Introduction of Attack Trees (AT) Attack Countermeasure Trees (ACT) ACT Analysis Effect of Adding Countermeasures in ACT (Case Studies) Optimization
E N D
Attack Trees Techniques Dijiang Huang Some Materials thanks to DongSeong Kim and Kishor Trivedi, Duke University
Outline • Introduction of Attack Trees (AT) • Attack Countermeasure Trees (ACT) • ACT Analysis • Effect of Adding Countermeasures in ACT (Case Studies) • Optimization • Single-objective Optimization • Multi-objective Optimization • Conclusions
Attack Tree Representation Vulnerability 1 Vulnerability 2 …… …… Atomic Attack/Exploit 11 Atomic attack/Exploit 12 Atomic attack/Exploit 21 Exploit 22 …… Malicious event 1 Malicious event 2 Logical Combination of these exploits …… Security Failure Confidentiality, integrity compromises…
Attack Tree (AT) : Schneier’s view A Simple BGP Attack Tree G: Reset a single BGP session Goal node OR node OR A1: Send message to router causing reset A2: Alter configuration via compromised router AND node AND OR A12 : TCP sequence number attack A111: Send RST message to TCP stack A112: Send BGP message OR Leaf attack events (atomic attacks) A1121: Notify A1122: Open A1123: Keep Alive
Goal An undefined Case OR 5mins 3euros 3mins 5euros • If one has more than one value of the same type in the nodes it is possible that the calculation isn’t unique and consequently undefined. • For example, one has an attack goal with two OR-connected leaves. Each leaf has a value for the time and a value for the money. • So, if one need 5 minutes and 3 euros for leaf one and 3 minutes and 5 euros for leaf two the goal becomes 3 minutes and 3 euros if one calculates each value separately. • But if one creates the attack profile Cheapest Attack in shortest Time the values of the attack goal are undefined. • Which values are chosen from which leaves? • To solve this dilemma one has to create a rank of the properties.
Similar Techniques • Faulty Tree • A Fault Tree is a graphic model that is used for the analysis that can be simply described as an analytical technique, whereby an undesired state of the system - the root of the tree - is specified (usually a state that is critical from a safety standpoint), and the system is then analysed in the context of its environment and operation to find all credible ways - the subtrees with nodes/leaves - that contribute to the undesired event. The fault events of the tree are linked by logical operators AND, OR, etc. Example of a Fault tree: A company president recognized that its personnel evaluation system was not effective.
Similar Techniques • Event Trees • The logic used in Event Trees is different to Fault Trees because the analysis is based on identification of the effects that a failure (of the initial event, i.e. the root of the tree) can produce. The process is therefore the opposite of Fault Trees. Event Trees do not include decision points requiring the logical operator’s OR and AND. They are based on binary logic, in which an event either has or has not happened or a component has or has not failed (partitioning of the tree in each case in two subtrees). Fuel system example
Similar Techniques • Attack Graph • Attack Graphs are a natural application of scenario graphs as outlined by Sheyner. They are organized like Attack or Fault Trees. However, unlike Attack or Fault Trees, the possibilities of cyclic dependencies or merged states exists An attack tree example from “A hybrid ranking approach to estimate vulnerability for dynamic attacks"
Existing Tree-based Attack and Countermeasure Approaches • Protection Tree • Defense Trees • No unique non-state-space model exists that incorporates both attacks and countermeasures. • Protection Trees: Only countermeasures are modeled. • Defense Trees: Both attack and countermeasures are included but countermeasures are placed only at the leaf nodes. S. Bistarelli, M. D. Aglio, and P. Peretti. Strategic Games on Defense Trees. LNCS, 4691:1–15, 2007. K. Edge and U. Major. A Framework for Analyzing and Mitigating the Vulnerabilities of Complex Systems via Attack and Protection Trees. PhD Thesis, 2007.
Motivation • For the corresponding state space model, • Number of states = 2(number of leaf events in the AT) 000 Marking of a state=(A1, A2, A3) Attack Response Tree (ART) R1 001 010 100 Goal R1 R1 AND 101 110 011 A1 A2 A3 R1 R1 111 Disadvantage
Motivation of ACT • Take a purely non-state-space approach to security modeling, • Taking into account attack as well as countermeasures (in the form of detection and mitigation techniques) • Detection and mitigation can be incorporated not just at the leaf node but also at the intermediate nodes • While at the same time avoiding the state-space explosion problem. • We find the optimal countermeasure set by way of single and multi-objective optimization using ACT (a non-state-space model).
Attack Countermeasure Tree (ACT) G: Reset a single BGP session • A simple BGP ACT OR Attack event Detection event Mitigation Event AND A1: Send message to router causing reset The event that detection or mitigation corresponding to A1 is not successful AND AND A2: Alter configuration via compromised router OR AND A111: Send RST message to TCP stack A112: Send BGP message The event that detection or mitigation corresponding to A2 is not successful A12 : TCP sequence number attack The event that detection or mitigation corresponding to A12 is not successful OR A1121: Notify A1122: Open A1123: Keep Alive
Attack Countermeasure Tree (ACT) G: Reset a single BGP session • A simple BGP ACT OR Attack event Detection event Mitigation Event AND A1: Send message to router causing reset AND AND AND M1: Randomize Seq. Num. D1: Trace-route check A2: Alter configuration via compromised router OR AND AND A111: Send RST message to TCP stack A112: Send BGP message A12 : TCP sequence number attack D2: Router firewall alert M2: Secure router OR AND A1121: Notify A1122: Open D12: TCP sequence number check M12: MD5 authentication A1123: Keep Alive
ACT Analysis • Qualitative Analysis (Metrics) • Mincuts • Importance Measures • Semi-quantitative analysis • Some atomic attacks are assigned value 1 and others assigned zero • Probabilities assigned to detection and mitigation events • (Fully) Quantitative Analysis (Metrics) • Probability of Attack • Rate and distribution of time to attack • Adversary’s viewpoint • Attack Cost (Cattacker) • Return on Attack (ROA) • Defender’s Viewpoint • Attack Impact (Igoal) • Security cost • Return on Investment (ROI)
ACT Analysis (Qualitative) Mincuts of an attack tree (AT) represents attack scenarios. Mincuts of this ACT – (represents attack-countermeasure scenarios) [(A2)(D2 M2)’], [(A1123)(D1M1)’ (A12)(D12 M12)’], [(A1122)(D1M1)’ (A12)(D12 M12)’], [(A1121)(D1M1)’ (A12)(D12 M12)’], [(A111)(D1M1)’ (A12)(D12 M12)’]. G: Reset a single BGP session OR Attack event Detection event Mitigation Event AND A1: Send message to router causing reset AND AND AND A2: Alter configuration via compromised router OR M1: Randomize Seq. Num. AND D1: Trace-route check AND A111: Send RST message to TCP stack A112: Send BGP message A12 : TCP sequence number attack D2: Router firewall alert M2: Secure router OR AND A1121: Notify D12: TCP sequence number check M12: MD5 authentication We can also compute structural importance measures for events in an ACT to perform sensitivity analysis. A1122: Open A1123: Keep Alive 19
Attack Countermeasure Tree (ACT) G: Reset a single BGP session • A simple BGP ACT OR Attack event Detection event Mitigation Event AND A1: Send message to router causing reset AND AND A2: Alter configuration via compromised router OR AND A111: Send RST message to TCP stack A112: Send BGP message A12 : TCP sequence number attack OR A1121: Notify A1122: Open A1123: Keep Alive
Other ACT models Attack success Attack success Attack success Attack event Detection event Mitigation Event AND AND A A A D … D1 D2 Dn (a) Pgoal = pA Pgoal = pA(1 − pD) Pgoal = pA(1 − pD1 )(1 − pD2 )...(1 − pDn) (b) (c) Attack success Attack success Attack success AND AND AND A AND A AND AND A M D D OR OR …. (d) Pgoal = pA(1 − pD × pM)) M Mn M1 M2 D1 D2 … Dn Pgoal = pA(1 − (1 −Π ni=1(1 − pDi )) × pM) (f) (e) P goal = pA(1 − (1 − Π ni=1(1 − pDi )) × pM)
Attack Cost and Attack Impact Attack cost Attack impact For k-of-n gate, without above assumption:
Attack Tree Analysis: A Simple AT with repeated events • Mincuts • {A1A2, A1 A3, A2 A3, A3} • Attack Cost • Cattacker = min{cA1+cA2 ,cA3} • Attack Impact • Igoal = max{iA1+iA2 , iA1+iA3 , iA2+iA3, iA3}.
Attack Tree Analysis: Attack Scenarios G: Reset a single BGP session All attack scenarios • (A111, A12) Cattacker =3500$ • (A1121, A12) Cattacker = 2500$ • (A1122, A12) Cattacker = 3000$ • (A1123, A12) Cattacker = 1800$ • (A2) Cattacker = 4000$ OR A1: Send message to router causing reset A2: Alter configuration via compromised router 4000$ AND Attacker Cost constraint – 3000$ OR A12 : TCP sequence number attack 1000$ • Only possible attack scenarios • (A1121, A12 ) • (A1122, A12 ) • (A1123, A12 ) A111: Send RST message to TCP stack A112: Send BGP message 2500$ OR 1500$ 2000$ 800$ A1121: Notify A1122: Open A1123: Keep Alive
ACT Analysis (Qualitative) G: Reset a single BGP session Mincuts of an attack tree (AT) represents attack scenarios. Mincuts of this ACT – (represents attack-countermeasure scenarios) [(A2)(D2 M2)’], [(A1123)(D1M1)’ (A12)(D12 M12)’], [(A1122)(D1M1)’ (A12)(D12 M12)’], [(A1121)(D1M1)’ (A12)(D12 M12)’], [(A111)(D1M1)’ (A12)(D12 M12)’]. OR Attack event Detection event Mitigation Event AND A1: Send message to router causing reset AND AND AND A2: Alter configuration via compromised router OR M1: Randomize Seq. Num. AND D1: Trace-route check AND A111: Send RST message to TCP stack A112: Send BGP message A12 : TCP sequence number attack D2: Router firewall alert M2: Secure router OR AND A1121: Notify D12: TCP sequence number check M12: MD5 authentication A1122: Open A1123: Keep Alive We can also compute structural importance measures for events in an ACT to perform sensitivity analysis. Boolean structure function (more on this later): 26
ACT Analysis (Quantitative) $- Impact of attack (defender’s view) $- Cost of attack (adversary’s view) Attack cost: $1800 G: Reset a single BGP session Attack impact: $4000 OR max 1800$ 4000$ min A1: Send message to router causing reset 1800$ 3500$ AND A2: Alter configuration via compromised router sum sum max min OR 2500$ A12 : TCP sequence number attack 800$ 4000$ A111: Send RST message to TCP stack A112: Send BGP message 1000$ 800$ 2000$ 2500$ OR min max A1121: Notify A1122: Open A1123: Keep Alive 1500$ 2000$ 800$
ACT Analysis (Quantitative) (contd.) Risk= expected value of impact = Impact X Probability of attack=Igoal*Pgoal • Cost, impact and risk analysis using ACTs have been implemented in SHARPE software package. SCADA compromised Attack event Mitigation Event OR PRA Power loads not provided Incorrect estimates to customers OR OR Incorrect monitoring Unavailable network (LAN) Problematic Control Unavailable network (WAN) Database Workstation OR OR Incomplete sensors Wrong state estimation Control servers Controlling agents AND AND 2 / 3 AND AND AND AND S1 S2 S3 HMI G1 G2 G3 SCOPF switch restart restart restart K out of N node S. A. Zonouz, H. Khurana, W. H. Sanders, and T. M. Yardley. RRE: A Game-Theoretic Intrusion Response and Recovery Engine. In Proc. DSN, pages 439–448, 2009.
ACT Analysis (Quantitative) (contd.) G: Reset a single BGP session OR A1: Send message to router causing reset AND Range of cCM2 (CM2=(D2.M2)): 0-200$ AND A2: Alter configuration via compromised router AND OR A12 : TCP sequence number attack A111: Send RST message to TCP stack A112: Send BGP message D2: Router firewall alert M2: Secure router OR M2 $ D2 $ A1121: Notify A1122: Open A1123: Keep Alive
Malicious Insider Attack Tree (MI AT) G: Malicious Insider attack success OR A1: Alteration A2: Distribution A3: Snooping A4: Elevation AND OR A41: Acquire admin privilege A21: File Sharing A11: Unauthorized alternation of registry A12: Launch virus A32: Violation of organization policy A31: Misuse OR OR A412: Steal Password A413: Sendmail Exploit A411: Poor Configuration A214: Copy to Media A211: Email A212: Electronic Drop Box A213: Online Chat OR OR OR OR A4121: Sniff Network A4122: Root Telnet A2111: Local Account A2112: Web-based account A2121: FTP to FileServer A2122: Internet A2141: Floppy Disk A2142: CD-ROM A2143: USB Drive OR A21221: Post to News Group A21222: Post to Website
Malicious Insider Attack Countermeasure Tree (MI ACT) G: Malicious Insider Attack Success OR A1: Alteration A2: Distribution A3: Snooping A4: Elevation AND OR A41: Acquire admin privilege AND A11: Unauthorized alternation of registry A21: File Sharing A32: Violation of organization policy A31: Misuse OR AND A12: Launch virus AND M12: Launch mitigation (anti-virus) D12: Detect virus attack (anti-virus) A411: Poor Configuration A413: Sendmail Exploit OR M412: Request admin pin AND D412: Track number of tries at password A412: Steal Password A214: Copy to Media A211: Email A212: Electronic Drop Box A213: Online Chat OR OR OR OR A4121: Sniff Network A4122: Root Telnet Attack event Detection event Mitigation Event A2111: Local Account A2112: Web-based account A2121: FTP to File Server A2122: Internet A2141: Floppy Disk A2142: CD-ROM A2143: USB Drive OR A21221: Post to News Group A21222: Post to Website
Structural Importance Measure • Given an ACT, its boolean structure function can be built. • = 1 when the attack succeeds • whereas = 0 when attack fails. • Two state vectors are considered: BGP attack Boolean structure function example:
Structural importance measure • Structural importance measure is defined to be the normalized count of state vectors where the component is relevant for the boolean structure function. • An attack event (Ak) is said to be relevant for a particular state vector X, when flipping the boolean value associated with attack event Ak flips the value of from 1 to 0. In other words, Ak is relevant to state vector X if • The Birbaum importance measure of an attack event represents the change in the probability of attack at the goal caused by small change in the probability of attack of the ACT node at Ak.
Importance Measures Implementation of the countermeasure with highest Structural Importance measure causes maximum decrease in Pgoal at each step. Implementation of the countermeasure with highest Birnbaum Importance measure causes maximum decrease in Pgoal at each step. BGP ACT
How to implement in a real networking system? • An example for virtual networking system security measurement
Cloud-Based Security Measurement • Mirroring based detection
Related Papers • A. Roy, D. Kim, and K. S. Trivedi. ACT: Attack Countermeasure Trees for Information Assurance Analysis. In Proc. INFOCOM. IEEE, 2010 (poster). • A. Roy, D. Kim, and K. S. Trivedi. Cyber Security analysis using Attack Countermeasure Trees. In Proc. Cyber Security & Information Intelligence Research Workshop (CSIIRW), pp.23-26, ACM, 2010 (Extended Abstract). • A. Roy, D. Kim, and K. S. Trivedi. ACT: Towards unifying the constructs of attack and defense trees. Journal of Security and Communication Networks – Special Issue:23, 2010. • D. Huang, D. Kim, and K.S. Trivedi. Cloud-based Security Measurement and Evaluation Architecture for Enterprise Network Systems, Technical Report, 2011.