The success of a security attack crucially depends on time: the more time available to the attacker, the higher the probability of a successful attack. Formalisms such as Reliability block diagrams, Reliability graphs and Attack Countermeasure trees provide quantitative information about attack scenarios, but they are provably insufficient to model dependent actions which involve costs, skills, and time. In this presentation, we extend the Attack Countermeasure trees with a notion of time; inspired by the fact that there is a strong correlation between the amount of resources in which the attacker invests (in this case time) and probability that an attacker succeeds. This allows for an effective selection of countermeasures and rank them according to their resource consumption in terms of costs/skills of installing them and effectiveness in preventing an attack

Guck, Dennis

Kumar, Rajesh

Stoelinga, Mariëlle

arXiv

Stoelinga, Mariëlle Ida Antoinette

University of Twente Research Information

Submitted to:QAPL 2015c© Kumar, Guck & StoelingaThis work is licensed under theCreative Commons Attribution License.Time Dependent Analysis withDynamic Counter Measure TreesRajesh Kumar Dennis Guck Mariëlle StoelingaFormal Methods and ToolsUniversity of TwenteEnschede, Netherlands{r.kumar,d.guck,m.i.a.stoelinga}@utwente.nlThe success of a security attack crucially depends on time: the more time available to the attacker,the higher the probability of a successful attack. Formalisms such as Reliability block diagrams,Reliability graphs and Attack Countermeasure trees provide quantitative information about attackscenarios, but they are provably insufficient to model dependent actions which involve costs, skills,and time. In this presentation, we extend the Attack Countermeasure trees with a notion of time;inspired by the fact that there is a strong correlation between the amount of resources in which theattacker invests (in this case time) and probability that an attacker succeeds. This allows for aneffective selection of countermeasures and rank them according to their resource consumption interms of costs/skills of installing them and effectiveness in preventing an attack.1 IntroductionAttack trees [12] and its variants [5] are simple yet powerful formalisms to quantitatively express theattack scenarios in a straight forward way. They have been studied extensively in the fields of riskassessment [9], e-voting [7], critical infrastructures [3] and socio-technical security [10]. Based on tem-poral attributes of the leaf nodes, Attack trees can be further classified as static or dynamic, both ofwhich can be further refined to take into only single parameters [6] [4] or multi parameters [8]. Staticanalysis techniques are useful in providing answers such as “Given an attacker skill set and attempt, whatis the probability of attacker to succeed?” whereas dynamic analysis techniques can answer questionssuch as “What is probability that an attacker succeeds with Probability of 0.8 in certain t units?”. Theycan further be refined by adding defence trees [2] or countermeasure trees [11] where both attacker anddefender try to restrict the chances of success of each other.This presentation involves Dynamic Attack Countermeasure trees (ACTs) which are dynamic attacktrees enriched with countermeasures. In this presentation we will focus on the inclusion of counter-measures in dynamic ACTs with AND and OR gates. Further, we evaluate the case study as providedin [11] using the ADT toolbox [6] as well as ATCalc, an extension of [1]. As first step we compute thestatic probabilities by a single parameter bottom up analysis and then extend the model by defining thetemporal attributes of the basic attack steps (BAS) to investigate how the attack proceeds over time.2 Dynamic Attack Countermeasure TreesAn Attack Countermeasure tree (ACT) can be seen as a directed acyclic graph. We formally representan ACT as a tuple (G,r,L) where:• G is a directed acyclic graph, i.e G = (V,E) with V a set of all vertices and E a set of all edgessuch that E = {(v,v′) | ∃v ∈V.v′ ∈ children(v)}.2 Time Dependent Analysis with Dynamic Counter Measure Trees• r ∈V is the single top root of (V,E). It represents the attacker’s goal.• L : V → Σ is a labelling function that assigns to each vertex an AT element, i.e Σ = (Gates∪Leafs)where Gates = {AND,OR} is a set of logical gates such that for all L(v) ∈Gates, children(v) 6= /0and Leafs = A j ∪Dm∪Mk is a set of basic events such that for all L(v) ∈ Leafs, children(v) = /0where: (a) A j is the set of j attack events; (b) Dm is the set of m detection events; (c) Mk is the setof k mitigation events.To have a time dependent analysis of ACTs, we need to annotate the leaf nodes with two parameters:(1) The probability of a successful execution of an attack step; (2) A random variable X that describes theexecution of an attack with respect to time. Due to the memoryless property of exponential distributions,we define the CDF of the random variable X by:P[X < t] = 1− e−λ t .The eventual probability of success obtained in step (1) can be used to compute the parameter λ =−ln(1−p)t which defines the timed behaviour of an attacker. Note that since any CDF always approaches1 by increasing the time bound t, this implies that an attacker always succeeds if he is given a sufficientamount time.2.1 Semantics of BAS and GatesBasic Attack Step (BAS): A BAS is a basic step of an attacker or defender which interacts with a gate.It is activated once it receives an activation signal from its parent node. After an exponential delay withrate λ the BAS propagates a success signal to its parent. Note, that the initial activation signal is sent bythe top-level node at system start.AND: An AND gate is a conjunction of events. Once it is activated by receiving an activation signalfrom its parent, it activates its children from left to right. The gate sends out a success signal if all of itsattached children are successful.OR: An OR gate is a disjunction of events. The activation is equal to the AND gate. The gate sends outa success signal if any of its attached children is successful.Countermeasures: Countermeasures are used to model the defender actions which are used to blockassociated attack steps. They consist out of two basic events, i.e. detection and mitigation. The counter-measure is activated on receiving the activation signal from the top node. Once it receives the activationsignal it activates only the detection event. After the detection event is successful after an exponentialdelay by rate λ1, the countermeasure gate activates the mitigation event which in turn is successful afteran exponential delay by rate λ2. A countermeasure gate can be seen from either defender or attackerperspective. From the defender perspective, a countermeasure gate is successful if both detection andmitigation events are successful consecutively. An attacker is interested in an undetected and unmitigatedevent and his motive is successful if the countermeasure gate fails.3 Case Study and Interpretation of ResultsMalicious Insider attack The ACT for the malicious insider attack (MIA) from [11] is depicted inFigure 1. The MIA ACT has BAS as well as detection and mitigation events. The countermeasure gatesare represented by triangles. We conducted our case study by using the ADT toolbox [6] to compare theresults to [11] and ATCalc [1] to compute the attack probability over time.Kumar, Guck & Stoelinga 3MaliciousInsider AttackSuccessDistributionFile sharingOnline ChatCopy to MediaUSB-DriveCD-RomFloppyDiskElectronicdrop boxFTP tofile serverInternetPost towebsitePost tonewsgroupEmailWeb basedAccountLocal AccountElevationAcquire AdminPrevilagesPoor Con-figurationSendmailExploitAcquirePasswordCM to StealPasswordRequestadmin pinTrackNumberof tries atpasswordSteal PasswordRootTelnetSniffNetworkAlterationUnauthorizedalterationManipulationby VirusVirusCMLaunchMitigationDetect VirusLaunchVirusSnoopingViolationof orga-nizationalpolicyMisuseFigure 1: ACT of the malicious insider attack.The result in Figure 2a is obtained by varying all the probabilities of an attack in the leaf nodes (Pleaf)in the range of [0,1]. Figure 2a shows that with the countermeasures being in place, the probability ofan attack at the root node (Pgoal) first decreases with only detection measures (perfect mitigation) andthen increases with detection and mitigation measures in place (imperfect mitigation). Those resultsare equal to the results obtained in [11]. To extend the case study, we consider now the probability ofan attack over a time frame of 10 hours. Figure 2b is obtained with different values for Pleaf, fixed at[0.05,0.1,0.25]. The results obtained in Figure 2b shows that given an attacker ample time, it is sure thathe will eventually be able to reach the goal. Further, it is nicely observable how much more time anattacker needs to reach his attack goal when the detection and mitigation is in place.0 0.2 0.4 0.6 0.8 100.20.40.60.81PleafPgoalNo CMWith CM (Detect and Mitig)Only Detect(a) Pgoal versus Pleaf0 2 4 6 8 1000.20.40.60.81TimePgoal Without CM (P=0.05)Without CM (P=0.1)Without CM (P=0.25)CM-Detect (P=0.05)CM-Detect (P=0.1)CM-Detect (P=0.25)CM-Detect+Mitig (P=0.05)CM-Detect+Mitig (P=0.1)CM-Detect+Mitig (P=0.25)(b) Pgoal versus TimeFigure 2: Pgoal versus (a) Plea f (b) Time(sec)4 Time Dependent Analysis with Dynamic Counter Measure Trees4 ConclusionWe presented the inclusion of time in Attack Countermeasure trees and provided a case study to showthe applicability of this approach. This enables us to answer questions like: What is the probabilityfor an attacker to succeed given ′t′ time units by integrating new countermeasures? In future work weconsider shared attack scenarios as well as extend the dynamic ACTs with: (1) Sequential AND andSequential OR gates which can model the casual dependencies of attack steps, i.e. an attack can onlytake place if attack steps are executed in a certain order; (2) Probabilistic gates which activates the BASand countermeasure events with discrete probabilities, i.e. attacks as well as countermeasures are onlyexecuted with a certain probability.Acknowledgement. This work has been supported by the EU FP7 project TREsPASS (318003) andby the STW-ProRail partnership program ExploRail under the project ArRangeer (12238).References[1] F. Arnold, A.F.E. Belinfante, F.I. van der Berg, D. Guck & M.I.A. Stoelinga (2013): DFTCalc: A Tool forEfficient Fault Tree Analysis. In: Proc. of the 32nd Int. Conf. on Computer Safety, Reliability, and SecuritySAFECOMP, pp. 293–301, doi:10.1007/978-3-642-40793-2_27.[2] S. Bistarelli, F. Fioravanti, P. Peretti & F. Santini (2012): Evaluation of complex security scenar-ios using defense trees and economic indexes. J. Exp. Theor. Artif. Intell. 24(2), pp. 161–192,doi:10.1080/13623079.2011.587206.[3] E. Byres (2013): The air gap: SCADA’s enduring security myth. Commun. ACM 56(8), pp. 29–31,doi:10.1145/2492007.2492018.[4] B. Kordy, S. Mauw & P. Schweitzer (2012): Quantitative Questions on Attack-Defense Trees. CoRRabs/1210.8092. Available at http://arxiv.org/abs/1210.8092.[5] B. Kordy, L. Pietre-Cambacedes & P. Schweitzer (2013): DAG-Based Attack and Defense Modeling: Don’tMiss the Forest for the Attack Trees. CoRR abs/1303.7397. Available at http://arxiv.org/abs/1303.7397.[6] Barbara Kordy, Piotr Kordy, Sjouke Mauw & Patrick Schweitzer (2013): ADTool: Security Analysis withAttack-Defense Trees. In: Quantitative Evaluation of Systems - 10th International Conference, QEST 2013,Buenos Aires, Argentina, August 27-30, 2013. Proceedings, pp. 173–176, doi:10.1007/978-3-642-40196-1_15.[7] E. Lazarus, D.L. Dill & J. Epstein (2011): Applying a Reusable Election Threat Model at the County Level.In: Electronic Voting Technology Workshop / Workshop on Trustworthy ElectionsEVT/WOTE, pp. 12–12.Available at http://dl.acm.org/citation.cfm?id=2028012.2028024.[8] A. Lenin & A. Buldas (2014): Limiting Adversarial Budget in Quantitative Security Assessment. In: Proc. ofthe 5th Int. Conf. on Decision and Game Theory for Security (GameSec), pp. 155–174, doi:10.1007/978-3-319-12601-2_9.[9] S. Paul & R.l Vignon-Davillier (2014): Unifying traditional risk assessment approaches with attack trees. J.Inf. Sec. Appl. 19(3), pp. 165–181, doi:10.1016/j.jisa.2014.03.006.[10] K. Reddy, H.S. Venter, M.S. Olivier & I. Currie (2008): Towards Privacy Taxonomy-Based Attack TreeAnalysis for the Protection of Consumer Information Privacy. In: Proc of the 6th Annual Conf. on Privacy,Security and Trust (PST), pp. 56–64, doi:10.1109/PST.2008.18.[11] Arpan Roy, Dong Seong Kim & Kishor S. Trivedi (2012): Attack countermeasure trees (ACT): towardsunifying the constructs of attack and defense trees. Security and Communication Networks, pp. 929–943,doi:10.1002/sec.299. Available at http://dx.doi.org/10.1002/sec.299.[12] B. Schneier (2008): Schneier on security. Wiley.

Time dependent analysis with dynamic counter measure trees

Abstract

Similar works

Full text

Available Versions

University of Twente Research Information

NARCIS