Attack Trees: semi-adaptive model

Aivo Jürgenson (2,3), Jan Willemson (1)

(1) Cybernetica, Tartu, Estonia
(2) Tallinn University of Technology, Tallinn, Estonia
(3) Elion Enterprises Ltd, Tallinn, Estonia

1st February 2009

Jürgenson,Willemson (Estonia) Attack Trees: semi-adaptive model 1st February 2009 1 / 13

Outline of the talk

1 Introduction to multi-parameter attack trees
2 Semi-adaptive model
3 Semi-adaptive blocking model
4 Results and Questions

Attack trees (J. D. Weiss 1991, B. Schneier 1999)

[Figure: example attack tree. Node labels as they appear on the slide: Obtain administrator privileges (∨), Access system console (∨), Enter computer center (∨), Break into computer center, Unattended guest, Corrupt operator, Obtain administrator password (∨), Guess password (&), Obtain password file, Encounter simple password, Look over admin shoulder.]

Attacker financial game (A. Buldas et al. 2006)

Attack preparation costs, then: Preventive security broken?

  • yes (probability p): Gains from the attack, then: Attacker caught?
      • yes (probability q+): Penalties+ paid; Outcome = −Cost + Gains − Penalties+
      • no (probability 1 − q+): Outcome = −Cost + Gains
  • no (probability 1 − p): Attacker caught?
      • yes (probability q−): Penalties− paid; Outcome = −Cost − Penalties−
      • no (probability 1 − q−): Outcome = −Cost

Multi-parameter Attack Trees (A. Buldas et al., 2006)

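Gains – the value gained from the successful attack
$\mathrm{Cost}_i$ – the cost of the elementary attack
$p_i$ – success probability
$\pi_i^- = q_i^- \cdot \mathrm{Penalty}_i^-$ – the expected penalty, unsuccessful attack
$\pi_i^+ = q_i^+ \cdot \mathrm{Penalty}_i^+$ – the expected penalty, successful attack

For an OR-node with subnodes 1 and 2:

$$(\mathrm{Cost}, p, \pi^+, \pi^-) = \begin{cases} (\mathrm{Cost}_1, p_1, \pi_1^+, \pi_1^-), & \text{if } \mathrm{Outcome}_1 > \mathrm{Outcome}_2 \\ (\mathrm{Cost}_2, p_2, \pi_2^+, \pi_2^-), & \text{if } \mathrm{Outcome}_1 \le \mathrm{Outcome}_2 \end{cases}$$

$$\mathrm{Outcome}_i = p_i \cdot \mathrm{Gains} - \mathrm{Cost}_i - p_i \cdot \pi_i^+ - (1 - p_i) \cdot \pi_i^-$$

For an AND-node with subnodes 1 and 2:

$$\mathrm{Cost} = \mathrm{Cost}_1 + \mathrm{Cost}_2, \quad p = p_1 \cdot p_2, \quad \pi^+ = \pi_1^+ + \pi_2^+,$$

$$\pi^- = \frac{p_1 (1 - p_2)(\pi_1^+ + \pi_2^-) + (1 - p_1) p_2 (\pi_1^- + \pi_2^+)}{1 - p_1 p_2} + \frac{(1 - p_1)(1 - p_2)(\pi_1^- + \pi_2^-)}{1 - p_1 p_2}$$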

Attacker adaptiveness

Current models all assume that all attacks take place simultaneously. In real life, the attacker has the option to choose a different strategy during the execution of the attack tree, after some elementary attack succeeds or fails.

Full-adaptive model

  • the attacker can choose any not-yet-used attack for the next step,
  • rather complicated to analyze, we will not go there.

Semi-adaptive model

  • the attacker fixes the order of the attacks,
  • the attacker has the option to skip some attacks from the previously fixed order.

Semi-adaptive model

Simplified attacker actions:

  • Create the attack tree F with the set of elementary attacks $X = \{X_1, X_2, \ldots, X_n\}$.
  • Choose a subset S ⊆ X and create the subtree, i.e. choose one possible way of realizing the attack tree F.
  • Choose the permutation α for the subset S, i.e. choose the order of the attacks, e.g. $\alpha = \{X_2, X_3, X_1\}$.
  • Evaluate the outcome of the subtree S and permutation α.
  • Choose the maximum outcome over all different combinations of permutations α and subtrees S.

Evaluating the outcome of attack tree

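$$\mathrm{Outcome}_{\mathrm{semiadaptive}} = \max\{\mathrm{Outcome}_\alpha : S \subseteq X,\ F(S := \mathrm{true}) = \mathrm{true},\ \alpha\}$$

$$\mathrm{Outcome}_\alpha = p_\alpha \cdot \mathrm{Gains} - \sum_{i=1}^{n} p_{\alpha,i} \cdot \mathrm{Expenses}_i$$

Theorem: $\mathrm{Outcome}_{\mathrm{semiadaptive}} \ge \mathrm{Outcome}_{\mathrm{JW08}} \ge \mathrm{Outcome}_{\mathrm{Buldas06}}$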

Algorithm 1: Evaluating the outcome of permutation α

Data: Variables A, variable counter i, path probability p
Result: sum - outcome of the permutation α

    sum := 0;
    if, when evaluating F(A), some node on the path from leaf X_α(i) to the
    root of the tree gets value t or f then
        compute_outcome(A, i + 1, p);
        return sum;
    A[α(i)] := t;
    if F(A) = t then
        sum := sum + p · p_α(i) · (Gains − Σ_{j∈A} (Cost_j + π_j^i));
    else
        compute_outcome(A, i + 1, p · p_α(i));
    A[α(i)] := f;
    if F(A) = f then
        sum := sum + p · (1 − p_α(i)) · (Σ_{j∈A} (Cost_j + π_j^i));
    else
        compute_outcome(A, i + 1, p · (1 − p_α(i)));
    return sum;

Algorithm 2: Evaluating the probability pα(i)

Data: Variables {X_1, . . . , X_n}, permutation α
Result: p_α,i - probability of the permutation α

    forall node Z in {X_1, . . . , X_n} do
        Z.t := 0; Z.f := 0;
    for i := 1 to n do
        Find the path (Y_0, Y_1, . . . , Y_m) from the root Y_0 to leaf Y_m = X_α(i);
        p_α,α(i) = Π_{j=1}^{m} (1 − Z_j.a);
            (where Z_j is the second subnode of the node Y_{j−1} after the node Y_j
             and a = t if Y_{j−1} is an OR-node, a = f if Y_{j−1} is an AND-node);
        X_α(i).t := p_α(i);
        X_α(i).f := 1 − p_α(i);
        Update the parameters for the nodes {Y_{m−1}, Y_{m−2}, . . . , Y_0};
    return p_α,i;

Computational complexity

  • Computing the outcome of a permutation (Algorithm 1) has exponential complexity.
  • Computing the probability p_α,i (Algorithm 2) is efficient.
  • Altogether, for finding the best outcome, we have something in the order of

O(2^n · n! · n^2)
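
A brute-force evaluation of Outcome_semiadaptive as defined on the earlier slides, added here as a Python example (it is not the authors' implementation): it enumerates every subset S with F(S := true) = true and every permutation α, and skips an attack once some node on its path to the root already has a value. The tree, the leaf parameters, GAINS and the use of a single Expenses value per leaf are constructed assumptions.

```python
from itertools import combinations, permutations

# Constructed inputs (not from the slides): F = (a AND b) OR c
TREE = ("or", ("and", "a", "b"), "c")
# leaf -> (success probability p_i, Expenses_i); one Expenses number per leaf is assumed
LEAVES = {"a": (0.8, 10.0), "b": (0.5, 20.0), "c": (0.3, 15.0)}
GAINS = 100.0

def ev(node, A):
    """Three-valued F(A): True, False, or None while still undetermined."""
    if isinstance(node, str):
        return A.get(node)
    vals = [ev(child, A) for child in node[1:]]
    decisive = node[0] == "or"      # True settles an OR node, False an AND node
    if decisive in vals:
        return decisive
    return None if None in vals else not decisive

def relevant(node, leaf, A):
    """True if no node on the path from the root to `leaf` has a value yet."""
    if ev(node, A) is not None:
        return False
    if isinstance(node, str):
        return node == leaf
    return any(relevant(child, leaf, A) for child in node[1:])

def outcome(order, A, i=0):
    """Expected outcome of the fixed order from step i on, given assignment A."""
    root = ev(TREE, A)
    if root is not None or i == len(order):
        return GAINS if root else 0.0
    x = order[i]
    if not relevant(TREE, x, A):    # the attack can no longer matter: skip it
        return outcome(order, A, i + 1)
    p, expenses = LEAVES[x]
    return (-expenses + p * outcome(order, {**A, x: True}, i + 1)
            + (1 - p) * outcome(order, {**A, x: False}, i + 1))

def semi_adaptive_outcome():
    """Maximum over all satisfying subsets S and all permutations of S."""
    names, best = sorted(LEAVES), (float("-inf"), None)
    for r in range(1, len(names) + 1):
        for S in combinations(names, r):
            if ev(TREE, {x: x in S for x in names}) is not True:
                continue            # require F(S := true) = true
            unused = {x: False for x in names if x not in S}
            for order in permutations(S):
                best = max(best, (outcome(order, unused), order))
    return best
```

On this constructed tree the best order differs in value from the other permutations of the same subset, which is why the permutation has to be part of the maximisation.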

Semi-adaptive blocking model

We also consider elementary attacks that block the whole attack tree when they fail. The real-life analogues are the capture of the attacker, imprisonment or the death penalty. Algorithms 1 and 2 require only a slight change. However, the complexity of computing p_α,α(i) also becomes exponential, and therefore the model is even more difficult to compute.

Results and Questions

Results:

  • We have yet another way to compute the outcome of the attack tree, which yields even bigger outcomes.
  • The model unfortunately has exponential complexity, again.

Questions:

  • Applying theorems from the last article (Jürgenson and Willemson, 2008) to this model as well and optimizing the computations?
  • Applying genetic programming concepts to attack trees and outcome computations?
  • Learning Bayesian networks to come up with other interesting models?
