Information Decay + POMDP Incorporating Defenders Behaviour in - - PowerPoint PPT Presentation

▶

Dec 31, 2023 528 likes •701 views

Information Decay + POMDP Incorporating Defenders Behaviour in Autonomous Penetration Testing Jonathon Schwartz 1 , Hanna Kurniawati 1 , and Edwin El-Mahassni 2 1 1 Research School of Computer Science, ANU 2 Defence Science and Technology

SLIDE 1

Information Decay + POMDP

Incorporating Defender’s Behaviour in Autonomous Penetration Testing

Jonathon Schwartz1, Hanna Kurniawati1, and Edwin El-Mahassni2

1 Research School of Computer Science, ANU 2 Defence Science and Technology Group, Australian Department of Defence

SLIDE 2

Network Penetration Testing

SLIDE 3

Autonomous Penetration Testing

We can view penetration testing as a sequential decision

problem.

Three sources of uncertainty:
1. Partial
bservability
2. Unreliable attack

tools

3. The defender

SLIDE 4

Current state of autonomous pen-testing

Method Partial Unreliable Defender

bservability

actions Attack planning no yes no (Lucangeli et al, SecArt ’10) POMDP yes yes no (Sarruate et al, AAAI ’12) Stochastic game no yes yes (Lye and Wing, IJIS ’05) This work yes yes yes

SLIDE 5

POMDPs

Partially Observable Markov Decision Process ⟨S, A, T, O, Z, R, γ⟩

SLIDE 6

Idea for incorporating the defender

Pen-tester and defender can only infer each other via observed changes to the network state. Our proposed idea: Model defender’s behaviour as a Markovian Arrival Process (MAP)

SLIDE 7

Information Decay

This work: Bernoulli process. Model defender by single parameter: the information decay factor d. Intuitively, d is probability that the defender mitigates the pen-tester’s action For each system property we assume the same process and that each process is IID.

SLIDE 8

Information Decay + POMDP: D-PenTesting

Given P = ⟨S, A, T, O, Z, R, γ⟩ Let I(a) be the afgected set of a ∈ A, where i ∈ I(a) ifg state variable si is changed or observed by a Define transition Td for state variable sj: Td ( s′

j | sj, a

) =          T ( s′

j | sj, a

) j ∈ I(a) d ·

1 |S′

j |−1

j ̸∈ I(a) and s′

j ̸= sj

1 − d

therwise.

Requires knowing d beforehand.

SLIDE 9

Learning the defenders model: LD-PenTesting

Given D-PenTesting POMDP Pd = ⟨S, A, Td, O, Z, R, γ⟩ Define LD-PenTesting POMDP Pld = ⟨Sld, A, Tld, O, Zld, Rld, γ⟩, where:

A, O, γ are unchanged from Pd
Sld = S × D, where
D represents possible values of d
D discretised to resolution δ
Increases |S| by 1

δ fold

Zld(⟨s, d⟩, a, o) = Z(s, a, o)
Rld(⟨s, d⟩, a) = R(s, a)
Tld(⟨s, d⟩, a, ⟨s′, d′⟩) = Td(s, a, s′) · ∆dd′
where ∆dd′ is the Kronecker Delta (identity) function
Td is transition function with decay factor d

SLIDE 10

Experimental Scenarios

Scenario 1 Extends original scenario proposed for POMDP pen-testing by Sarruate et al (AAAI ’12) to include a defender. Scenario 2 Extends stochastic game scenario proposed by Lye and Wing (IJIS ’05) to partially observable setting.

SLIDE 11

Experimental setup

Planning

Planning using SARSOP offmine POMDP solver (Kurniawati et al,

RSS ’08)

D-PenTesting and LD-PenTesting given no knowledge of

defender during planning Simulation

Tested each pen-tester agent against difgerent defenders in

simulation

SLIDE 12

POMDP-PenTesting vs D-PenTesting vs LD-PenTesting

SLIDE 13

D-PenTesting performance

SLIDE 14

D-PenTesting vs LD-PenTesting

SLIDE 15

Conclusion

Presented effjcient abstract defender model based on MAP
Incorporated this model to create D-PenTesting and

LD-PenTesting.

Our approach can handle the three main sources of uncertainty:
1. partial observability,
2. unreliable attack tools, and
3. the defender

SLIDE 16