Library-based Attack Tree Synthesis, Sébastien Lê Cong, Sophie Pinchinat, François Schwarzentruber (PowerPoint presentation)



SLIDE 1

Formal setting Algorithm and demo Theoretical complexity Conclusion

Library-based Attack Tree Synthesis

Sébastien Lê Cong, Sophie Pinchinat, François Schwarzentruber

Univ Rennes - France

June 22, 2020

1 / 19

SLIDE 2

Attack reports are difficult to “parse”


SLIDE 3

Attack tree as a recipe for an attack task

[Figure: example attack tree with the nodes "steal painting", "turn security off", "enter museum", "disable camera 1", "disable camera 2", "enter door a", "enter door b", "take painting"]

leaf: a primitive task
OR node: execute one of the subtasks
AND node: execute the subtasks "concurrently"
SAND node: execute the subtasks sequentially


SLIDE 4

Our contribution: library-based attack tree synthesis

An attack (e.g. a log file) + a library → Synthesis → an attack tree

[Figure: the synthesized attack tree for the museum example, with the nodes "steal painting", "turn security off", "enter museum", "disable camera 1", "disable camera 2", "enter door a", "enter door b", "take painting"]


SLIDE 5

Outline

1. Formal setting
2. Algorithm and demo
3. Theoretical complexity
4. Conclusion


SLIDE 7

An attack, formalized as a trace:


SLIDE 8

Library

A catalog of known attack patterns (each rule refines a task into subtasks):

1. steal painting → turn security off, enter museum, take painting
2. turn security off → disable camera 1, disable camera 2
3. turn security off → goto the center, blow up a bomb
4. disable camera 1 → ¬monitor1 to frozen1

SLIDE 9

Semantics of attack trees

[Figure: the museum attack tree with the nodes "steal painting", "turn security off", "enter museum", "disable camera 1", "disable camera 2", "enter door a", "enter door b", "take painting"]

An attack tree explains a trace t if:
leaf: t achieves the primitive task (direct notion)
OR node: at least one child tree explains t
AND node: t is a merge of traces explained by the child trees
SAND node: t is a sequence of traces explained by the child trees


SLIDE 10

Library-based attack tree synthesis

A trace + a library → Synthesis → an attack tree

[Figure: the synthesized museum attack tree with the nodes "steal painting", "turn security off", "enter museum", "disable camera 1", "disable camera 2", "enter door a", "enter door b", "take painting"]

Synthesis specification: build an attack tree that
1. explains the input trace
2. rests upon the input library



SLIDE 12

Attack tree synthesis ∼ Parsing

Algorithmic principles:
Trace ∼ formal word
Library attack patterns ∼ grammar rules
Attack tree ∼ syntactic tree
Bottom-up approach ∼ Cocke-Younger-Kasami parsing algorithm

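As an added illustration of the parsing view of synthesis (this is not the authors' tool at attacktreesynthesis.irisa.fr and not code from the slides), the following Python program takes a trace of event labels and a library of refinement rules and builds, bottom-up, an attack tree that explains the trace under the slide-9 semantics. It makes three assumptions of mine that the slides do not spell out: each library rule carries an explicit OR/AND/SAND operator (the museum rules are given operators by guess); a primitive task is achieved by a sub-trace exactly when that sub-trace is the single event carrying the task's label; and memoisation is done on tuples of event positions rather than on a CYK table of contiguous spans, because AND children consume interleaved, non-contiguous positions. For an OR node the returned tree keeps only the alternative that actually explains the sub-trace.

```python
"""
Toy library-based attack tree synthesis (added illustration, not the authors' tool).

A trace is a sequence of event labels; a library is a set of refinement rules
goal -> (operator, sub-tasks).  The synthesizer builds an attack tree that
explains the trace under the slide-9 semantics:
  leaf : the sub-trace achieves the primitive task (assumed here: exactly one
         event carrying the task's label)
  OR   : at least one child explains the sub-trace
  AND  : the sub-trace is a merge (interleaving) of traces explained by the children
  SAND : the sub-trace is a concatenation of traces explained by the children
"""
from functools import lru_cache
from itertools import product
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str, Tuple[str, ...]]   # (goal, operator, sub-tasks)
Tree = Tuple[str, str, tuple]             # (label, operator or "LEAF", children)

# Constructed library following the museum example on the slides.  The
# operators are my assumption; the slides list the rules without them.
LIBRARY: List[Rule] = [
    ("steal painting", "SAND", ("turn security off", "enter museum", "take painting")),
    ("turn security off", "AND", ("disable camera 1", "disable camera 2")),
    ("turn security off", "SAND", ("goto the center", "blow up a bomb")),
    ("enter museum", "OR", ("enter door a", "enter door b")),
]


def consecutive_splits(pos: tuple, k: int):
    """Yield every cut of an ordered position tuple into k non-empty consecutive blocks (SAND)."""
    if k == 1:
        yield (pos,)
        return
    for cut in range(1, len(pos) - k + 2):
        for rest in consecutive_splits(pos[cut:], k - 1):
            yield (pos[:cut],) + rest


def interleavings(pos: tuple, k: int):
    """Yield every distribution of the positions over k non-empty children (AND = merge).

    This enumerates k**len(pos) owner assignments: the blow-up in the AND-arity
    is exactly where the NP-hardness stated on slide 15 comes from.
    """
    for owner in product(range(k), repeat=len(pos)):
        if len(set(owner)) == k:
            yield tuple(tuple(p for p, o in zip(pos, owner) if o == c) for c in range(k))


def synthesize(trace: List[str], goal: str, library: List[Rule]) -> Optional[Tree]:
    """Return an attack tree rooted at `goal` that explains the whole trace, or None."""
    rules_for: Dict[str, List[Rule]] = {}
    for rule in library:
        rules_for.setdefault(rule[0], []).append(rule)

    @lru_cache(maxsize=None)
    def explain(task: str, pos: tuple) -> Optional[Tree]:
        if task not in rules_for:                      # primitive task -> leaf
            ok = len(pos) == 1 and trace[pos[0]] == task
            return (task, "LEAF", ()) if ok else None
        for _, op, subs in rules_for[task]:
            if op == "OR":                             # keep only the alternative that explains pos
                for sub in subs:
                    child = explain(sub, pos)
                    if child is not None:
                        return (task, "OR", (child,))
            else:
                splitter = consecutive_splits if op == "SAND" else interleavings
                for parts in splitter(pos, len(subs)):
                    kids = [explain(sub, part) for sub, part in zip(subs, parts)]
                    if all(kid is not None for kid in kids):
                        return (task, op, tuple(kids))
        return None

    return explain(goal, tuple(range(len(trace))))


def render(tree: Tree, depth: int = 0) -> str:
    """Indented textual rendering of a synthesized tree."""
    label, op, kids = tree
    line = "  " * depth + (label if op == "LEAF" else f"{label} [{op}]")
    return "\n".join([line] + [render(k, depth + 1) for k in kids])


if __name__ == "__main__":
    # Constructed trace: the cameras go down in either order (AND), one door is
    # used (OR), and the painting is taken last (SAND).
    TRACE = ["disable camera 2", "disable camera 1", "enter door b", "take painting"]
    tree = synthesize(TRACE, "steal painting", LIBRARY)
    print(render(tree) if tree else "trace not explained by the library")
```

Running it on the constructed trace yields the SAND-rooted tree from the slides, with "turn security off" explained by rule 2 even though the cameras were disabled in the opposite order, and "enter museum" explained through "enter door b". Swapping the first two events for "goto the center", "blow up a bomb" makes the synthesizer pick rule 3 instead, and a trace in which "take painting" precedes the security shutdown is rejected, because SAND requires its children's sub-traces to appear in order.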

SLIDE 13

Online tool

http://attacktreesynthesis.irisa.fr/



SLIDE 15

Theoretical complexity

Theorem. The library-based attack tree synthesis problem is NP-complete. Still, it is polynomial in the length of the input trace!
NP-membership: the given algorithm
NP-hardness: reduction from Packed Interval Coverage, essentially due to the AND operator

Theorem. For bounded AND-arity libraries, synthesis is in P.



SLIDE 17

Conclusion

A formal library-based attack tree synthesis problem
An algorithm and an online prototype tool
A complete study of the theoretical complexity
⇒ the algorithm is essentially optimal
Bounded AND-arity in libraries is a realistic assumption


SLIDE 18

Perspectives

Theoretical:
More abstract attack patterns: first-order features in rules, as in (Jhawar et al. 2018) and (Ivanova et al. 2015)
Library-based attack tree synthesis for a set of traces

Practical:
Scalability of the tool, e.g. parsing optimisation techniques
Bridge the gap with libraries used in practice, e.g. MITRE ATT&CK


SLIDE 19

Thank you for your attention!
