Genetic Approximations for the Failure-Free Security Games Anton Charnamord anton.charnamord@cyber.ee October 2nd, 2015
Genetic Approximations for the Failure-Free Security Games Aleksandr Lenin 1 , 2 , Jan Willemson 1 and Anton Charnamord 1 , 2 1. Cybernetica AS, M�ealuse 2/1, Tallinn, Estonia 2. Tallinn University of Technology, Ehitajate tee 5, Tallinn, Estonia 2 October 2nd, 2015
Structure 1. Introduction. 2. De�nitions of required terms. 3. Genetic algorithm. 4. Genetic algorithm improved with adaptiveness. 5. Conclusions. 3 October 2nd, 2015
Hystory Fault Trees applied to analyse general security-critical systems in early 1980-s. Threat Logic Trees adjusted for information systems by Weiss in 1991. The method was popularized by Schneier under the name Attack Trees in the late 1990-s. 4 October 2nd, 2015
Attack Trees Use to Analyse the security of several practical applications, including PGP, BGP, SCADA systems and e-voting systems Assess vulnerability to insider attack threats Estimate the status of homeland security 5 October 2nd, 2015
Use in Security Assessment Qualitative assessment of security (purely descriptional) hierarchical representation is utilized to depict relationships between attack components Quantitative assessment of security (analysis) quantifying the claims made during the analysis 6 October 2nd, 2015
Computational Aspects of Attack Trees Buldas et all (2006) the idea of game-theoretic modelling of the adversarial decision making process the adversarial decision based on several interconnected parameters : cost risks penalties 7 October 2nd, 2015
Computational Aspects of Attack Trees J�rgenson and Willemson's model (2010) re�ned the previous approach achieved compliance with Mauw-Oostdijk framework introduce sequentiality into the adversarial decision making model increase in the model precision signi�cant drop in computational e�ciency 8 October 2nd, 2015
The Upper Bound Ideology Buldas and Stepanenko (2012) The Upper Bound Ideology In order to verify the security of the system, it is not necessary to compute the exact adversarial utility but only upper bounds. If adversarial utility has a negative upper bound in the fully adaptive model, it is safe to conclude that there are no bene�cial ways of attacking the system. 9 October 2nd, 2015
Improved Failure-Free Model Buldas and Lenin (2013) improved the fully adaptive model eliminated the force failure states The model more closely followed the upper bounds ideology computationally somewhat easier to analyse is still an NP-complete problem 10 October 2nd, 2015
Main Goals 1. Looking for a good heuristic approximation. 2. To �nd empirical evidence for the rational choice of the parameters of the genetic algorithm. 11 October 2nd, 2015
De�nitions X = {X 1 , X 2 , . . . , X n } is the set of all possible atomic attacks F is a monotone Boolean function corresponding to the considered attack tree 12 October 2nd, 2015
De�nitions Attack Suite Attack suite σ ⊆ X is a set of atomic attacks which have been chosen by the adversary to be launched and used to try to achieve the attacker's goal. Also known as individual. Satisfying attack suite A satisfying attack suite σ evaluates F to true when all the atomic attacks from the attack suite σ have been evaluated to true . Also known as live individual. 13 October 2nd, 2015
De�nitions Satis�ability game By a satis�ability game we mean a single-player game in which the player's goal is to satisfy a monotone Boolean function F ( x 1 , x 2 , . . . , x k ) by picking variables x i one at a time and assigning x i = 1. Each time the player picks the variable x i he pays some amount of expenses E i , which is modelled as a random variable. With a certain probability p i the move x i succeeds. The game ends when the condition F ≡ 1 is satis�ed and the player wins the prize P ∈ R the condition F ≡ 0 is satis�ed, meaning the loss of the game the player stops playing 14 October 2nd, 2015
Three Common Types of Games 1. SAT Game Without Repetitions the type of a game where a player can perform a move only once 2. SAT Game With Repetitions the type of a game where a player can re-run failed moves an arbitrary number of times 3. Failure-Free SAT Game the type of a game in which all success probabilities are equal to 1. It has been shown that any game with repetitions is equivalent to a failure-free game 15 October 2nd, 2015
Genetic Approximations for the Failure-Free SAT Games The optimization problem to solve Given a monotone Boolean function F ( x 1 , x 2 , . . . , x n ) optimize the utility function U ( x i 1 , x i 2 , . . . , x i n ) over the set of all satisfying assignments ful�lling a set of model-speci�c conditions The models for the SAT games without move repetitions and the failure-free SAT games di�er only by their corresponding utility functions 16 October 2nd, 2015
Genetic Algorithm (GA) A genetic algorithm is typically characterized by the set of the following parameters: A genetic representation of chromosomes or individuals A population of encoded solutions Fitness function Genetic operators (selection, crossover, mutation) Control parameters (population size, crossover rate, mutation rate) 17 October 2nd, 2015
GA. Attack Suites An individual is any feasible solution to the considered optimization problem. For the SAT games a solution is any of the satisfying attack suites . Linear binary representation of individuals has been chosen to facilitate the robustness of the crossover and mutation operations. 18 October 2nd, 2015
GA. Individuals Generation Algorithm 1: Recursive individual generation algorithm Data : The root of a propositional directed acyclic graph (PDAG) representing a monotone Boolean function. An empty individual with all bits set to 0. Result : Live individual. if the root is a leaf then get the index of the leaf; set corresponding individual's bit to 1; end else if the root is an AND node then forall the children of the root do recursive call: child considered as root parameter; end end else if the root is an OR node then choose at least one child; forall the chosen children do recursive call: child considered as root parameter; end end 19 October 2nd, 2015
GA. Population Size The choice of the population size: too small population does not contain enough genetic variation to maintain the exploration capabilities too big population already contains enough genetic variation to e�ciently explore the search space, and only results in the performance overhead in the crossover operator 20 October 2nd, 2015
GA. Population Size Suboptimal size there is a high risk to converge to suboptimal solutions Optimal size corresponds to the minimal population size capable of producing the best result sets the lower bound of reasonable choice for the population size Size greater than the optimal size upper bound is solely based on performance considerations does not add anything, except for the increase in the time required to run the analysis 21 October 2nd, 2015
GA. The Population Size E�ect 100 75 Precision(%) Case of a single attack tree size: 100 leaves 50 crossover operator: uniform mutation rate: 0.1 25 average minimal maximal 0 0 10 20 30 40 50 Population size (# of individuals) 22 October 2nd, 2015
GA. Reasonable Choice for Population Size 100 80 % of the considered trees Case of the set af attack trees of di�erent sizes 60 (ranging from 10 to 100 leaves with steps of size 3) 40 20 0 0 30 60 90 120 150 180 Population size (% of the size of the tree) 23 October 2nd, 2015
GA. Reasonable Choice for Population Size There is no obvious relation between the size of the analysed tree and the optimal population size. The optimal population size might depend on the structure of the tree itself. In general, the population size equal to 180% of the size of the tree would �t every considered attack tree. In the case the population size was chosen to be 50%, this choice would be optimal for approximately 75% of attack trees. 24 October 2nd, 2015
GA. Time Measurement Depending on the Optimal Population Size 280 Average execution time Minimal execution time 224 Maximal execution time Time (seconds) 168 112 56 0 0 20 40 60 80 100 120 140 160 180 200 Population size (# of individuals) 25 October 2nd, 2015
GA. Crossover The crossover rate controls the probability at which individuals are subjected to crossover. Individuals, not subjected to crossover, remain unmodi�ed. The higher the crossover rate is, the quicker the new solutions get introduced into the population. 26 October 2nd, 2015
GA. Crossover We have chosen to disable parent selection entirely thus defaulting to crossing every individual with every other individual in the population (crossover rate equal to 1). Notable crossover techniques: the single-point crossover operator the two-point crossover operator the uniform crossover operator 27 October 2nd, 2015
October 2nd, 2015 Convergence Di�erences GA. The Crossover Opetors Di�erence in convergence speed (# of generations) − 10 10 0 28 Di�erence in convergence speed (# of generations) − 10 10 0
Recommend
More recommend
