25 research outputs found
Exact Inference Techniques for the Analysis of Bayesian Attack Graphs
Attack graphs are a powerful tool for security risk assessment by analysing
network vulnerabilities and the paths attackers can use to compromise network
resources. The uncertainty about the attacker's behaviour makes Bayesian
networks suitable to model attack graphs to perform static and dynamic
analysis. Previous approaches have focused on the formalization of attack
graphs into a Bayesian model rather than proposing mechanisms for their
analysis. In this paper we propose to use efficient algorithms to make exact
inference in Bayesian attack graphs, enabling the static and dynamic network
risk assessments. To support the validity of our approach we have performed an
extensive experimental evaluation on synthetic Bayesian attack graphs with
different topologies, showing the computational advantages in terms of time and
memory use of the proposed techniques when compared to existing approaches.Comment: 14 pages, 15 figure
MaxSAT Evaluation 2020 -- Benchmark: Identifying Maximum Probability Minimal Cut Sets in Fault Trees
This paper presents a MaxSAT benchmark focused on the identification of
Maximum Probability Minimal Cut Sets (MPMCSs) in fault trees. We address the
MPMCS problem by transforming the input fault tree into a weighted logical
formula that is then used to build and solve a Weighted Partial MaxSAT problem.
The benchmark includes 80 cases with fault trees of different size and
composition as well as the optimal cost and solution for each case.Comment: 5 pages, 1 figure. To appear in Proceedings of the MaxSAT Evaluation
2020 (MSE'20). https://maxsat-evaluations.github.io/2020
Identifying Security-Critical Cyber-Physical Components in Industrial Control Systems
In recent years, Industrial Control Systems (ICS) have become an appealing
target for cyber attacks, having massive destructive consequences. Security
metrics are therefore essential to assess their security posture. In this
paper, we present a novel ICS security metric based on AND/OR graphs that
represent cyber-physical dependencies among network components. Our metric is
able to efficiently identify sets of critical cyber-physical components, with
minimal cost for an attacker, such that if compromised, the system would enter
into a non-operational state. We address this problem by efficiently
transforming the input AND/OR graph-based model into a weighted logical formula
that is then used to build and solve a Weighted Partial MAX-SAT problem. Our
tool, META4ICS, leverages state-of-the-art techniques from the field of logical
satisfiability optimisation in order to achieve efficient computation times.
Our experimental results indicate that the proposed security metric can
efficiently scale to networks with thousands of nodes and be computed in
seconds. In addition, we present a case study where we have used our system to
analyse the security posture of a realistic water transport network. We discuss
our findings on the plant as well as further security applications of our
metric.Comment: Keywords: Security metrics, industrial control systems,
cyber-physical systems, AND-OR graphs, MAX-SAT resolutio
Ovalyzer: an OVAL to Cfengine Translator
International audienceIn this demo we show how we can increase the vulnerability awareness of self-governed environments by feeding the autonomic system Cfengine with security advisories taken from OVAL repositories and automatically translated by Ovalyzer. Ovalyzer is an extensible plugin-based OVAL to Cfengine translator capable of translating OVAL documents to Cfengine policy rules that represent them. These policy rules can be later consumed by Cfengine agents in order to assess their own security exposure in an autonomous manner
Collaborative Remediation of Configuration Vulnerabilities in Autonomic Networks and Systems
International audienceAutonomic computing has become an important paradigm for dealing with large scale network management. However, changes operated by administrators and self-governed entities may generate vulnerable configurations increasing the exposure to security attacks. In this paper, we propose a novel approach for supporting collaborative treatments in order to remediate known security vulnerabilities in autonomic networks and systems. We put forward a mathematical formulation of vulnerability treatments as well as an XCCDF-based language for specifying them in a machine-readable manner. We describe a collaborative framework for performing these treatments taking advantage of optimized algorithms, and evaluate its performance in order to show the feasibility of our solution
Improving Present Security through the Detection of Past Hidden Vulnerable States
International audienceVulnerability assessment activities usually analyze new security advisories over current running systems. However, a system compromised in the past by a vulnerability unknown at that moment may still constitute a potential security threat in the present. Accordingly, past unknown system exposures are required to be taken into account. We present in this paper a novel approach for increasing the overall security of computing systems by identifying past hidden vulnerable states. In that context, we propose a modeling for detecting unknown past system exposures as well as an OVAL-based distributed framework for autonomously gathering network devices information and automatically analyzing their past security exposure. We also describe an implementation prototype and evaluate its performance through an extensive set of experiments
Increasing Android Security using a Lightweight OVAL-based Vulnerability Assessment Framework
International audienceMobile computing devices and the services offered by them are utilized by millions of users on a daily basis. However, they operate in hostile environments getting exposed to a wide variety of threats. Accordingly, vulnerability management mechanisms are highly required. We present in this paper a novel approach for increasing the security of mobile devices by efficiently detecting vulnerable configurations. In that context, we propose a modeling for performing vulnerability assessment activities as well as an OVAL-based distributed framework for ensuring safe configurations within the Android platform. We also describe an implementation prototype and evaluate its performance through an extensive set of experiments
A Probabilistic Cost-efficient Approach for Mobile Security Assessment
International audienceThe development of mobile technologies and services has contributed to the large-scale deployment of smartphones and tablets. These environments are exposed to a wide range of security attacks and may contain critical information about users such as contact directories and phone calls. Assessing configuration vulnerabilities is a key challenge for maintaining their security, but this activity should be performed in a lightweight manner in order to minimize the impact on their scarce resources. In this paper we present a novel approach for assessing configuration vulnerabilities in mobile devices by using a probabilistic cost-efficient security framework. We put forward a probabilistic assessment strategy supported by a mathematical model and detail our assessment framework based on OVAL vulnerability descriptions. We also describe an implementation prototype and evaluate its feasibility through a comprehensive set of experiments
Machine-assisted Cyber Threat Analysis using Conceptual Knowledge Discovery: – Position Paper –
International audienceOver the last years, computer networks have evolved into highly dynamic and interconnected environments, involving multiple heterogeneous devices and providing a myriad of services on top of them. This complex landscape has made it extremely difficult for security administrators to keep accurate and be effective in protecting their systems against cyber threats. In this paper, we describe our vision and scientific posture on how artificial intelligence techniques and a smart use of security knowledge may assist system administrators in better defending their networks. To that end, we put forward a research roadmap involving three complimentary axes, namely, (I) the use of FCA-based mechanisms for managing configuration vulnerabilities, (II) the exploitation of knowledge representation techniques for automated security reasoning, and (III) the design of a cyber threat intelligence mechanism as a CKDD process. Then, we describe a machine-assisted process for cyber threat analysis which provides a holistic perspective of how these three research axes are integrated together