8 research outputs found

    Exact Inference Techniques for the Analysis of Bayesian Attack Graphs

    Attack graphs are a powerful tool for security risk assessment by analysing network vulnerabilities and the paths attackers can use to compromise network resources. The uncertainty about the attacker's behaviour makes Bayesian networks suitable to model attack graphs to perform static and dynamic analysis. Previous approaches have focused on the formalization of attack graphs into a Bayesian model rather than proposing mechanisms for their analysis. In this paper we propose to use efficient algorithms to make exact inference in Bayesian attack graphs, enabling the static and dynamic network risk assessments. To support the validity of our approach we have performed an extensive experimental evaluation on synthetic Bayesian attack graphs with different topologies, showing the computational advantages in terms of time and memory use of the proposed techniques when compared to existing approaches. Comment: 14 pages, 15 figures

    Which attacks lead to hazards? Combining safety and security analysis for cyber-physical systems

    Cyber-Physical Systems (CPS) are exposed to a plethora of attacks and their attack surface is only increasing. However, whilst many attack paths are possible, only some can threaten the system's safety and potentially lead to loss of life. Identifying them is of the essence. We propose a methodology and develop a tool-chain to systematically analyse and enumerate the attacks leading to safety violations. This is achieved by lazily combining threat modelling and safety analysis with formal verification and with attack graph analysis. We also identify the minimum sets of privileges that must be protected to preserve safety. We demonstrate the effectiveness of our methodology to discover threat scenarios by applying it to a Communication Based Train Control System. Our design choices emphasise compatibility with existing safety and security frameworks, whilst remaining agnostic to specific tools or attack graph representations.

    A Survey on Enterprise Network Security: Asset Behavioral Monitoring and Distributed Attack Detection

    Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods in monitoring and classifying network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly becoming adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps on enterprise network security to inspire future research. Comment: Journal paper submitted to Elsevier

    The use of cyber operations against space infrastructure to weaken military power

    Our modern society is dependent on space. It enables global communication, the monitoring of missile launches, navigation on land, at sea and in the air, and support for military planning and operations. For this reason, space infrastructure is also an attractive target from an attacker's perspective. Traditionally, anti-satellite capabilities have been available only to states because of their high cost. Dependence on information networks has, however, increased in particular the number of cyber attacks against satellites and their associated infrastructure. Ground stations and satellites, for example, communicate through information networks and systems. Carrying out cyber attacks is also considerably cheaper, and their perpetrators are not caught as easily. The purpose of this study was to determine what kinds of attacks against space infrastructure have been carried out through the cyber domain and what kinds of cyber operations could be carried out against this infrastructure today in order to weaken military power. The study was conducted as a postpositivist multiple-case study. The cases used as research material were collected through a literature review. The cases were quantified into five categories based on the information obtained about the cyber attacks. The categories were segment (ground station, satellite, link, user), target of the attack, attacker, method and motive. Based on the analysis, during the period studied (1986 – 2019) most cyber attacks were directed at the ground station. The target and the perpetrator of an attack was most often a state; the number of attacks against companies increased especially in the 2010s. Attacks were most often carried out via phishing and malware email, but in many cases the attack method remained unknown. The motive for the attacks varied; most often the reason was espionage and information gathering. Four scenarios were drawn up on the basis of the categorisation. 
The scenarios were based on the most frequently recurring themes observed in the analysis of the cases. The scenarios were designed to target the ground station, the satellite and the link. The target was either a state or a company. The perpetrator was an amateur, a state, a criminal group or an insurgent group. The attackers' motives were the desire to show off, technology testing, espionage and information gathering. As methods, the attackers exploited outdated updates, an email attack, a stolen device and an unencrypted connection. Based on the scenarios, attackers have many possible ways to weaken military power, and the threat does not come solely from well-resourced state actors. The scenarios drawn up on the basis of the study make it possible to describe different situations in which cyber operations are used to exert influence, from a military perspective, against space infrastructure. The scenarios also help build understanding of how significant a role cyber defence plays in relation to space, and what kinds of threats soldiers may have to prepare for in the future.

    A review of attack graph and attack tree visual syntax in cyber security

    Perceiving and understanding cyber-attacks can be a difficult task, and more effective techniques are needed to aid cyber-attack perception. Attack modelling techniques (AMTs), such as attack graphs, attack trees and fault trees, are a popular method of mathematically and visually representing the sequence of events that lead to a successful cyber-attack. These methods are useful visual aids that can aid cyber-attack perception. This survey paper describes the fundamental theory of cyber-attack before describing how important elements of a cyber-attack are represented in attack graphs and attack trees. The key focus of the paper is to present empirical research aimed at analysing more than 180 attack graphs and attack trees to identify how attack graphs and attack trees present cyber-attacks in terms of their visual syntax. There is little empirical or comparative research which evaluates the effectiveness of these methods. Furthermore, despite their popularity, there is no standardised attack graph visual syntax configuration, and more than seventy self-nominated attack graph and twenty attack tree configurations have been described in the literature, each of which presents attributes such as preconditions and exploits in a different way. The survey demonstrates that there is no standard method of representing attack graphs or attack trees and that more research is needed to standardise the representation.

    DEPENDABILITY IN CLOUD COMPUTING

    The technological advances and success of Service-Oriented Architectures and the Cloud computing paradigm have produced a revolution in the Information and Communications Technology (ICT). Today, a wide range of services are provisioned to the users in a flexible and cost-effective manner, thanks to the encapsulation of several technologies with modern business models. These services not only offer high-level software functionalities such as social networks or e-commerce but also middleware tools that simplify application development and low-level data storage, processing, and networking resources. Hence, with the advent of the Cloud computing paradigm, today's ICT allows users to completely outsource their IT infrastructure and benefit significantly from the economies of scale. At the same time, with the widespread use of ICT, the amount of data being generated, stored and processed by private companies, public organizations and individuals is rapidly increasing. The in-house management of data and applications is proving to be highly cost intensive and Cloud computing is becoming the destination of choice for an increasing number of users. As a consequence, Cloud computing services are being used to realize a wide range of applications, each having unique dependability and Quality-of-Service (QoS) requirements. For example, a small enterprise may use a Cloud storage service as a simple backup solution, requiring high data availability, while a large government organization may execute a real-time mission-critical application using the Cloud compute service, requiring high levels of dependability (e.g., reliability, availability, security) and performance. Service providers are presently able to offer sufficient resource heterogeneity, but are failing to satisfy users' dependability requirements mainly because the failures and vulnerabilities in Cloud infrastructures are a norm rather than an exception. 
This thesis provides a comprehensive solution for improving the dependability of Cloud computing so that users can justifiably trust Cloud computing services for building, deploying and executing their applications. A number of approaches ranging from the use of trustworthy hardware to secure application design have been proposed in the literature. The proposed solution consists of three inter-operable yet independent modules, each designed to improve dependability under different system context and/or use-case. A user can selectively apply either a single module or combine them suitably to improve the dependability of her applications both during design time and runtime. Based on the modules applied, the overall proposed solution can increase dependability at three distinct levels. In the following, we provide a brief description of each module. The first module comprises a set of assurance techniques that validates whether a given service supports a specified dependability property with a given level of assurance, and accordingly, awards it a machine-readable certificate. To achieve this, we define a hierarchy of dependability properties where a property represents the dependability characteristics of the service and its specific configuration. A model of the service is also used to verify the validity of the certificate using runtime monitoring, thus complementing the dynamic nature of the Cloud computing infrastructure and making the certificate usable both at discovery and runtime. This module also extends the service registry to allow users to select services with a set of certified dependability properties, hence offering the basic support required to implement dependable applications. We note that this module directly considers services implemented by service providers and provides awareness tools that allow users to be aware of the QoS offered by potential partner services. 
We denote this passive technique as the solution that offers first level of dependability in this thesis. Service providers typically implement a standard set of dependability mechanisms that satisfy the basic needs of most users. Since each application has unique dependability requirements, assurance techniques are not always effective, and a pro-active approach to dependability management is also required. The second module of our solution advocates the innovative approach of offering dependability as a service to users' applications and realizes a framework containing all the mechanisms required to achieve this. We note that this approach relieves users from implementing low-level dependability mechanisms and system management procedures during application development and satisfies specific dependability goals of each application. We denote the module offering dependability as a service as the solution that offers second level of dependability in this thesis. The third, and the last, module of our solution concerns secure application execution. This module considers complex applications and presents advanced resource management schemes that deploy applications with improved optimality when compared to the algorithms of the second module. This module improves dependability of a given application by minimizing its exposure to existing vulnerabilities, while being subject to the same dependability policies and resource allocation conditions as in the second module. Our approach to secure application deployment and execution denotes the third level of dependability offered in this thesis. The contributions of this thesis can be summarized as follows. 
• With respect to assurance techniques our contributions are: i) definition of a hierarchy of dependability properties, an approach to service modeling, and a model transformation scheme; ii) definition of a dependability certification scheme for services; iii) an approach to service selection that considers users' dependability requirements; iv) definition of a solution to dependability certification of composite services, where the dependability properties of a composite service are calculated on the basis of the dependability certificates of component services.
• With respect to offering dependability as a service our contributions are: i) definition of a delivery scheme that transparently functions on users' applications and satisfies their dependability requirements; ii) design of a framework that encapsulates all the components necessary to offer dependability as a service to the users; iii) an approach to translate high level users' requirements to low level dependability mechanisms; iv) formulation of constraints that allow enforcement of deployment conditions inherent to dependability mechanisms and an approach to satisfy such constraints during resource allocation; v) a resource management scheme that masks the effect of system changes by adapting the current allocation of the application.
• With respect to security management our contributions are: i) an approach that deploys users' applications in the Cloud infrastructure such that their exposure to vulnerabilities is minimized; ii) an approach to build interruptible elastic algorithms whose optimality improves as the processing time increases, eventually converging to an optimal solution.