A Simulation-Driven Approach for Assessing Risks of Complex Systems

Sections: Complex Systems · A Simulation-Based Approach · Current Prototype · Conclusions

Fabrizio Baiardi (1), Claudio Telmon (1), Daniele Sgandurra (2)

(1) Dipartimento di Informatica, Università di Pisa, Italy

(2) Istituto di Informatica e Telematica, CNR, Pisa, Italy

13th European Workshop on Dependable Computing, 11 May 2011

1/29 Fabrizio Baiardi, Claudio Telmon, Daniele Sgandurra, Università di Pisa, IIT-CNR

Outline

1. Complex Systems
2. A Simulation-Based Approach
3. Current Prototype
4. Conclusions

Complexity of Attacks

- In the past: direct attacks, e.g., ping-of-death.
- Nowadays: complex attacks or attack plans, i.e. multi-step attacks: modem + router + firewall + IDS + server + virtualization layer.
  - Example: a VMware guest-to-host escape requires 18 steps (BHUSA09, Cloudburst); defeating Vista Data Execution Prevention takes 12 steps.
- Advanced persistent threat (APT): "a group with both the capability and the intent to persistently and effectively target a specific entity".

Current Approaches to Model Complex Attacks

Need to consider all the possible states (à la model checking):

1. a vulnerability has not been discovered;
2. a vulnerability has been discovered;
3. a vulnerability has been discovered but is unknown;
4. the vulnerability is known;
5. the vulnerability is known and a threat can exploit it;
6. ...

Markov chain-based approaches need to consider all the transitions, which depend upon:
- the strategies of the threats;
- the correlations among vulnerabilities.

Consequences: state explosion; high complexity.

Analytical Models

Existing analytical models cannot predict distributions, because of:
- systemic factors: vulnerabilities; relations among components;
- complex threat models: knowledge; expertise in implementing attacks; risk aversion.

Suggested Approach

- Computation of the probabilities that attack plans are discovered and successfully implemented, and of their impacts.
- Risk management-based approach: average of impacts and probability distribution of attacks; not interested in worst-case values only.

A Simulation-Based Approach

- To model alternative implementations of a system.
- To model and anticipate the evolution of complex systems, and to compute the average impact of attacks.
- To avoid the flaw of averages when using correlated functions.
- To evaluate the impact of a vulnerability that may be discovered in the future.

Attack Graph

Formal framework to describe attack plans. Our definition: AttGr(S, ag), the attack graph of a threat agent ag with respect to a system S, is a directed acyclic graph that describes all the attack plans ag can implement to achieve one of its goals:

1. each node n corresponds to a set of rights, r(n), of ag on S;
2. there is an arc from n1 to n2 labelled by at for any attack at where: r(n1) ⊇ pre(at), r(n2) = r(n1) ∪ post(at), and ∃x ∈ post(at) such that x ∉ r(n1);
3. ag owns all the resources in res(at) for each attack at labelling an arc of AttGr(S, ag);
4. final nodes are the goals of the attacker.

Attack Graph: Example

[Figure: A Test Network (from "A planner-based approach to generate and analyze minimal attack graph")]

Attack Graph: Example

[Figure: An Attack Graph (from "A planner-based approach to generate and analyze minimal attack graph")]

Acquisition of Rights (1)

Our contribution: a state is a set of rights.
- A right is a pair <component, attribute>: a property of a component, or a relation among components.
- Elementary attack: <component, preconditions(a), postconditions(a)>.
- Advantages: easier construction of the system model; easier to discover equivalent attack plans; partial knowledge of the system by the attacker; several attack strategies can be exploited in parallel.
- Assumption: monotonicity of rights acquisition.

Acquisition of Rights (2)

The arc from n1 to n2 models the acquisition of rights when ag owns all the rights in r(n1) and successfully implements at.

The acquisition of rights through a plan, i.e. a sequence of elementary attacks, is modelled by a path of the graph. The set of rights of ag increases any time an attack at is successful, because post(at) ≠ ∅, so that for any arc from n1 to n2: r(n1) ⊂ r(n2).

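The attack-graph definition (slide 8) and the monotone acquisition of rights (slides 11 and 12), worked through as an added example that is not part of the presentation or of the authors' prototype: nodes are sets of <component, attribute> rights, an arc exists only when an attack is enabled and adds a new right, and two orderings of independent attacks lead to the same node, which is what makes equivalent plans easy to spot. The system, rights and attack names below are constructed.

```python
from collections import deque

# Constructed toy system (not the paper's example): rights are <component,
# attribute> pairs, elementary attacks are (pre(at), post(at)) over rights.
ATTACKS = {
    "a1": ({("fw", "reach")}, {("web", "reach")}),
    "a2": ({("web", "reach")}, {("web", "user")}),
    "a3": ({("web", "reach")}, {("db", "reach")}),
    "a4": ({("web", "user"), ("db", "reach")}, {("db", "admin")}),
}
INITIAL = {("fw", "reach")}
GOAL = ("db", "admin")

def build_attack_graph(attacks, initial_rights):
    """Return (nodes, arcs). Nodes are sets of rights r(n); an arc (n1, at, n2)
    exists iff r(n1) ⊇ pre(at), r(n2) = r(n1) ∪ post(at) and post(at) adds at
    least one right not in r(n1), so every arc strictly enlarges the set."""
    start = frozenset(initial_rights)
    nodes, arcs, queue = {start}, [], deque([start])
    while queue:
        n1 = queue.popleft()
        for at, (pre, post) in attacks.items():
            if not n1 >= pre or post <= n1:   # not enabled, or gains nothing
                continue
            n2 = n1 | post
            arcs.append((n1, at, n2))
            if n2 not in nodes:
                nodes.add(n2)
                queue.append(n2)
    return nodes, arcs

def attack_plans(arcs, start, goal):
    """All plans (attack sequences) from start to a node holding the goal right.
    Monotonicity guarantees the graph is acyclic, so plain DFS terminates."""
    succ = {}
    for n1, at, n2 in arcs:
        succ.setdefault(n1, []).append((at, n2))
    plans = []
    def walk(n, path):
        if goal in n:
            plans.append(tuple(path))
            return
        for at, n2 in succ.get(n, []):
            walk(n2, path + [at])
    walk(start, [])
    return plans

NODES, ARCS = build_attack_graph(ATTACKS, INITIAL)
PLANS = attack_plans(ARCS, frozenset(INITIAL), GOAL)
```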
Attack Graph: Example

[Figure: An Attack Graph With Rights (r = rule: precondition → postcondition)]

Risk Assessment through a Simulator

Simulation of the evolution of the attack plans of distinct agents: a detailed exploration of the space of attack plans. Multiple simulations return statistics on the influence of distinct sources of non-determinism in the choice/implementation of a plan:
- the probability of discovering system vulnerabilities;
- the available information on these vulnerabilities;
- the success probability of the agent's plans;
- the choice among alternative attacks in a plan.

Input of the Simulator

1. a set of threat agents, each described in terms of: available resources; goals; a strategy to select attacks;
2. a set of vulnerabilities, each associated with a probability distribution of being discovered;
3. a set of elementary attacks and, for any attack: the resources it requires; the vulnerabilities that enable it; its success probability.

Dynamic Vulnerabilities

Vulnerabilities can be discovered or patched during the simulation:
- an arc is removed;
- an arc is added;
- the success probability of an attack is increased/decreased.

Hard to model with most of the current approaches. The attack graph is updated accordingly.

Look-Ahead Degree of the Agent

Mimics the discovery of attack plans by the agent. Useful to model advanced persistent threats.

Example: a goal node is 2 steps away:
- if the look-ahead is 0: random choice among the possible attacks;
- if the look-ahead is 2: choose the attack whose destination node is 1 step from the goal;
- if the look-ahead is 1: choose the attack whose destination node has more rights, or a greater probability of success; draws are resolved according to the threat model.

Countermeasures

Need to evaluate the effectiveness of alternative sets of countermeasures; useful to evaluate alternative system evolutions. We model countermeasures as arc removals. Currently, the simulator returns a set of static countermeasures, i.e. arcs to be removed, taking into account:
- the cost of each countermeasure;
- the total investment in countermeasure selection;
- the number of attack plans that share an arc or an attack.

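The look-ahead degree (slide 17) and countermeasures as arc removals (slide 18), as an added Monte Carlo sketch that is not the authors' prototype; it generalises the slide's 0/1/2 cases to any look-ahead k (the agent explores k steps ahead and takes the arc nearest the goal, falling back to more rights and then higher success probability). The graph, success probabilities, random tie-breaking and step budget are constructed assumptions.

```python
import random

# Constructed graph (not the paper's): nodes are sets of rights, arcs are
# (attack, destination, success probability). N2 has the most rights but no
# attack leads on from it, so a greedy (look-ahead 1) agent gets stuck there.
N0 = frozenset({"fw.reach"})
N1 = N0 | {"web.reach"}
N2 = N1 | {"web.user", "web.files"}
N3 = N1 | {"db.reach"}
GOAL = N3 | {"db.admin"}
ARCS = {N0: [("a1", N1, 1.0)], N1: [("a2", N2, 1.0), ("a3", N3, 1.0)],
        N3: [("a4", GOAL, 1.0)]}

def reachable(arcs, n, goal, steps):
    """True iff the goal is at most `steps` attacks away from node n."""
    return n == goal or (steps > 0 and any(
        reachable(arcs, n2, goal, steps - 1) for _at, n2, _p in arcs.get(n, [])))

def choose_attack(arcs, n, goal, look_ahead, rng):
    """Look-ahead 0: random choice. Look-ahead k: explore k steps ahead and take
    the arc whose destination is nearest the goal; if the goal is not in view,
    prefer more rights, then higher success probability. Draws: random (assumed)."""
    out = arcs[n]
    if look_ahead == 0:
        return rng.choice(out)
    for d in range(look_ahead):                     # nearest goal first
        seen = [a for a in out if reachable(arcs, a[1], goal, d)]
        if seen:
            return rng.choice(seen)
    top = max((len(a[1]), a[2]) for a in out)
    return rng.choice([a for a in out if (len(a[1]), a[2]) == top])

def simulate(arcs, start, goal, look_ahead, experiments=200, max_steps=10, seed=1):
    """Fraction of experiments in which the agent's plan reaches the goal."""
    rng, wins = random.Random(seed), 0
    for _ in range(experiments):
        n = start
        for _ in range(max_steps):
            if n == goal or not arcs.get(n):        # goal reached or dead end
                break
            _at, n2, p = choose_attack(arcs, n, goal, look_ahead, rng)
            if rng.random() < p:                    # the elementary attack succeeds
                n = n2
        wins += n == goal
    return wins / experiments

def remove_arc(arcs, n1, attack):
    """Countermeasure: fixing the vulnerability behind `attack` removes its arc."""
    return {n: [a for a in out if (n, a[0]) != (n1, attack)] for n, out in arcs.items()}
```

With success probabilities below 1.0 the agent simply retries within its step budget, so the returned rate becomes the success probability of the plan rather than of a single attack.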
Dynamic Countermeasures

- To remove a vulnerability only when a condition is satisfied, e.g. as soon as a given number of attacks that exploit the vulnerability have been executed.
- To prevent an agent from using some rights she has acquired. Example: an intrusion detection system that switches some connections off to prevent an agent from exploiting some rights:
  - modelled by an arc from n1 to n2 where r(n2) ⊂ r(n1);
  - the arc may be coupled with a success probability and/or require some preconditions on r(n1);
  - the introduction of this arc violates the monotonicity condition.

Prototype

The current prototype has been developed in C++: ∼5K lines of code; Boost library; Qwt library for graphics; also exports graphs in .dot format.

Generated statistics:
- average impact per experiment;
- correlation between an agent's skill and impacts;
- impact of each agent for each experiment;
- a description of the agent coupled with its path on the graph.

Performance is acceptable: 300 intelligent agents on graphs having ∼250 nodes, on a Core 2 Duo with 4 GHz RAM, in less than 1 minute.

Screenshots

[Screenshot: Number of Experiments to Execute]

Screenshots

[Screenshot: An Attack Graph]

Screenshots

[Screenshot: Computation of System Evolution]

Screenshots

[Screenshot: An Attack Graph After System Evolution]

Screenshots

[Screenshot: Final Statistics]

Conclusions

- Implementation of a tool that simulates the evolution of the attack plans of intelligent agents and the corresponding updates of the system security state.
- Attack plans are rigorously defined in terms of attack graphs.
- Ability to evaluate alternative countermeasures before implementing them in a new version of the system.
- Evaluation of the joint effect of concurrent activities and of the influence of several parameters: the probability of discovering vulnerabilities; the amount of information on attacks and vulnerabilities that each agent can access.

Future Work

- Evaluation on (quasi-)real scenarios.
- A more flexible tool to choose the set of countermeasures: e.g., a (minimal) cut of the graph; based upon the number of attacks; based upon the number of threats; based upon the total cost for the owner.
- Competition among threats: a threat removes an arc after implementing the attack.

Credits

Prototype of the simulator: Gabriele Piga.



Questions?

Thank you!
