ESASCF: Expertise Extraction, Generalization and Reply Framework for an Optimized Automation of Network Security Compliance
Exposure to cyber threats has put worldwide pressure on organizations to
comply with cyber-security standards and policies in order to protect their
digital assets. Vulnerability assessment (VA) and penetration testing (PT) are
widely adopted security compliance (SC) methods for identifying security gaps
and anticipating breaches. In the context of computer networks, and despite the
use of autonomous tools and systems, security compliance remains highly
repetitive and resource-consuming. In this paper we propose a novel method for
tackling the ever-growing problem of efficiency and effectiveness in the
security auditing of network infrastructures: we formally introduce, design,
and develop an Expert-System Automated Security Compliance Framework (ESASCF)
that enables industrial and open-source VA and PT tools and systems to extract,
process, store, and re-use expertise the way a human expert would, so that it
can be applied directly in similar scenarios or during periodic re-testing. The
implemented model was integrated within ESASCF and tested on networks of
different sizes, where it proved efficient in terms of both time and testing
effectiveness. This allows ESASCF to take over SC autonomously during
re-testing and to offload the expert by automating the repeated segments of
SC, leaving experts free to prioritize the important tasks in ad-hoc compliance
tests. The results validate the performance gain, notably by cutting the time
required from an expert to 50% for the first SC of a typical corporate network
and to 20% for re-testing, a significant cost reduction. In addition, the
framework has a long-term impact through knowledge extraction, generalization,
and re-use, which gives better SC confidence independent of the human expert's
skills, coverage, and wrong decisions that would otherwise result in impactful
false negatives.
POMDPs Make Better Hackers: Accounting for Uncertainty in Penetration Testing (original title: Les POMDP font de meilleurs hackers: Tenir compte de l'incertitude dans les tests de pénétration)
Penetration testing is a methodology for assessing network security by
generating and executing possible hacking attacks. Doing so automatically
allows regular and systematic testing. A key question is how to generate the
attacks. This is naturally formulated as planning under uncertainty, i.e.,
under incomplete knowledge of the network configuration. Previous work uses
classical planning and requires a costly pre-processing step that reduces this
uncertainty through extensive scanning. By contrast, we model the attack
planning problem as a partially observable Markov decision process (POMDP).
This allows reasoning about the knowledge available and employing scanning
actions intelligently as part of the attack. As one would expect, this exact
formulation does not scale. We devise a method that relies on POMDPs to find
good attacks on individual machines, which are then composed into an attack on
the network as a whole. This decomposition exploits network structure to the
extent possible, making targeted approximations (only) where needed. Evaluating
this method on a suitably adapted industrial test suite, we demonstrate its
effectiveness in both runtime and solution quality.
Comment: JFPDA 2012 (7èmes Journées Francophones Planification, Décision, et
Apprentissage pour la conduite de systèmes), Nancy, France
Trapping malicious insiders in the SPDR web
The insider threat has assumed increasing importance as our dependence on critical cyber information infrastructure has increased. In this paper we describe an approach for thwarting and attributing insider attacks. The Sense, Prepare, Detect, and React (SPDR
Hierarchical reinforcement learning for efficient and effective automated penetration testing of large networks
Penetration testing (PT) is a method for assessing and evaluating the security of digital assets by planning, generating, and executing possible attacks that aim to discover and exploit vulnerabilities. In large networks, penetration testing becomes repetitive, complex and resource-consuming despite the use of automated tools. This paper investigates reinforcement learning (RL) to make penetration testing more intelligent, targeted, and efficient. The proposed approach, called the Intelligent Automated Penetration Testing Framework (IAPTF), uses model-based RL to automate sequential decision making. Penetration testing tasks are treated as a partially observable Markov decision process (POMDP), which is solved with an external POMDP solver using different algorithms to identify the most efficient options. A major difficulty encountered was solving the large POMDPs that result from large networks. This was overcome by representing networks hierarchically as a group of clusters and treating each cluster separately. The approach is tested through simulations of networks of various sizes. The results show that IAPTF with hierarchical network modelling outperforms previous approaches as well as human performance in terms of time, number of tested vectors and accuracy, and the advantage grows with network size. Another advantage of IAPTF is the ease of repetition when re-testing similar networks, which is common in real PT. The results suggest that IAPTF is a promising approach to offload work from, and ultimately replace, human pen testers.
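To make the POMDP formulation shared by the JFPDA paper and IAPTF above concrete, here is an added example written for this page; it is not code from either paper. It builds a toy single-host POMDP with a hidden vulnerable/patched state, solves it exactly over the belief state by finite-horizon expectimax, and then composes the per-host solutions across hosts grouped into clusters. The host model, the cost and reward values, the cluster layout and the prior beliefs are all assumptions constructed for illustration, and the independent-hosts composition is a deliberate simplification of the decompositions the papers describe.

```python
from functools import lru_cache

# Constructed toy model for one host; it is not the model used in either paper.
# Hidden state: the host is VULN (our single exploit works) or PATCHED.
# The belief b is P(VULN). Actions: "scan", "exploit", "stop".
SCAN_COST = 1.0
SCAN_ACCURACY = 0.95     # P(scan reports "positive" | VULN) = P("negative" | PATCHED)
EXPLOIT_COST = 5.0       # attempts are expensive and noisy, so blind exploitation is risky
EXPLOIT_SUCCESS = 0.9    # P(exploit succeeds | VULN); it never succeeds against PATCHED
SUCCESS_REWARD = 20.0    # value of a shell on the host; success ends the host's episode


def bayes_update(prior, like_vuln, like_patched):
    """Return (P(observation), P(VULN | observation)) for one observation whose
    likelihood is like_vuln under VULN and like_patched under PATCHED."""
    p_obs = prior * like_vuln + (1.0 - prior) * like_patched
    if p_obs == 0.0:
        return 0.0, prior
    return p_obs, prior * like_vuln / p_obs


@lru_cache(maxsize=None)
def solve_host(belief, horizon):
    """Exact finite-horizon expectimax over the belief state.

    Returns (expected value, best first action). With two hidden states the
    belief is a single number, so the recursion over observation branches is
    cheap; this is exactly the part that blows up for a whole-network POMDP.
    """
    if horizon == 0:
        return 0.0, "stop"
    best_value, best_action = 0.0, "stop"  # stopping costs nothing and yields nothing

    # scan: pay the cost, observe "positive" or "negative", continue from the posterior
    v = -SCAN_COST
    for like_vuln, like_patched in ((SCAN_ACCURACY, 1.0 - SCAN_ACCURACY),
                                    (1.0 - SCAN_ACCURACY, SCAN_ACCURACY)):
        p_obs, posterior = bayes_update(belief, like_vuln, like_patched)
        if p_obs > 0.0:
            v += p_obs * solve_host(posterior, horizon - 1)[0]
    if v > best_value:
        best_value, best_action = v, "scan"

    # exploit: success is terminal; a failure is itself evidence the host is patched
    v = -EXPLOIT_COST + belief * EXPLOIT_SUCCESS * SUCCESS_REWARD
    p_fail, posterior = bayes_update(belief, 1.0 - EXPLOIT_SUCCESS, 1.0)
    if p_fail > 0.0:
        v += p_fail * solve_host(posterior, horizon - 1)[0]
    if v > best_value:
        best_value, best_action = v, "exploit"

    return best_value, best_action


def plan_network(clusters, horizon):
    """Compose per-host solutions cluster by cluster.

    Simplification of the papers' decomposition: hosts are treated as
    independent, so a cluster's value is the sum of its host values and each
    host's first action comes from its own policy. The per-cluster grouping
    mirrors the hierarchical modelling in IAPTF only in shape.
    """
    plan = {}
    for cluster, hosts in clusters.items():
        cluster_value = 0.0
        actions = {}
        for host, prior in hosts.items():
            value, action = solve_host(prior, horizon)
            cluster_value += value
            actions[host] = action
        plan[cluster] = (cluster_value, actions)
    return plan


if __name__ == "__main__":
    # Constructed priors, as might come from a coarse asset inventory or a previous test.
    network = {
        "dmz": {"web": 0.5, "mail": 0.9},
        "lan": {"db": 0.05, "files": 0.5},
    }
    for cluster, (value, actions) in plan_network(network, horizon=2).items():
        print(f"{cluster}: expected value {value:.2f}, first actions {actions}")
```

At a 50% prior the solver scans first, because one reading at 95% accuracy makes the subsequent exploit decision nearly certain; at a 90% prior it exploits immediately, and at 5% it stops. That is the "employ scanning actions as part of the attack" behaviour the abstracts describe, falling out of the value computation rather than being scripted. Raising SCAN_COST or lowering SCAN_ACCURACY moves that boundary, and a failed exploit attempt is fed back into the belief as evidence that the host is patched.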