Optimal Defense Policies for Partially Erik Miehling Observable - - PowerPoint PPT Presentation
University of Michigan - Ann Arbor Optimal Defense Policies for Partially Erik Miehling Observable Spreading Processes on Mohammad Rasouli Demosthenis Teneketzis Bayesian Attack Graphs Second ACM Workshop on Moving Target Defense (MTD 2015)
University of Michigan - Ann Arbor Erik Miehling Mohammad Rasouli Demosthenis Teneketzis
Second ACM Workshop on Moving Target Defense (MTD 2015) Denver, Colorado — October 12-15, 2015
1
❖ Factors from information security:
Confidentiality (C) — Ensuring data does not get into the wrong hands Integrity (I) — Maintaining accuracy/ trustworthiness of information Availability (A) — Ensuring that data is always available to trusted users
❖ Modern systems are becoming increasingly
connected to improve operational efficiency and flexibility
❖ This convenience comes at the cost of
introducing many vulnerabilities
2
C I A
CIA triad
Reactiveness — should respond to observed changes in the system condition Predictiveness — forecast, and prepare for, where the system will be in the future
❖ Factors from MTD:
❖ We consider a dynamic setting where a network is continually being
❖ The defender can control services in the network to prevent the
❖ Philosophy: Automated approach to defending the network. ❖ Defense actions are observation-driven
3
❖ Contribution: We introduce a formal model which allows us to
❖ Aspects of our defense model ❖ Progressive attacks — recent exploits build upon previous exploits,
progressively degrading the system
❖ Dynamic defense — defender is choosing the best action based on
new information
❖ Partial knowledge — the defender is uncertain about the security of
the network at any given time
❖ It is both reactive and predictive
4
❖ Insufficient to look at single
❖ Attackers combine
❖ Attack graphs model how multiple vulnerabilities can be combined
❖ Explicitly takes into account paths that the attacker can take to
❖ Can use tools such as CAULDRON* to generate attack graphs
5 *Jajodia et al. 2010-11
❖ Nodes, , represent attributes
N
: critical (root) nodes : leaf nodes
❖ Bayesian attack graph: G = {N, θ, E, P}
1
2
3
4 5
6 7 8
9 10 11
12 13 14
15 16 17 18 19 20 α12 α13
α14
NL = {1, 5, 7, 8, 11, 12, 16, 17, 20} NC = {9, 14} ⊆ NR = {2, 9, 14, 18}
Attributes: Types: Exploits: Probabilities:
❖ Types,
: AND attributes
θ
❖ Edges, , represent exploits
: exploits
❖ Probabilities,
: exploit probabilities : OR attributes
E P
NL ⊆ N NC ⊆ NR ⊆ N E = (i, j)i,j∈N P = (αij)(i,j)∈E N∧ ⊆ N \ NL N∨ ⊆ N \ NL
N∧ = {2, 3, 6, 9, 10, 13, 18, 19} N∨ = {4, 14, 15} E = {(1, 2), (1, 3), . . . , (20, 19)} P = {α1,2, α1,3, . . . , α20,19}
6
❖ The attacker’s behavior is assumed to
t = τ
At time :
probability that exploit will be discovered/taken by the attacker (public knowledge)
❖ Contagion seed and spread: At each time t
Xi
τ = 1
j Xl
τ = 0
k
αil αjl αkl
t = 0
t = 1
(disabled) (enabled)
❖ Each attribute (node) can be in one
i ∈ N αi ∈ [0, 1]
7
❖ The type of the attribute dictates the
❖ For AND attributes, e.g. node l set of direct predecessors
t = τ
At time :
Xi
τ = 1
j Xl
τ = 0
m n k
αil αjl αkl αmk αnk
P(Xl
t+1 = 1|Xl t = 0, Xt) =
8 < : Q
p∈ ¯ Dl
αpl if ^
p∈ ¯ Dl
Xp
t = 1
8
❖ The type of the attribute dictates the
❖ For AND attributes, e.g. node l ❖ For OR attributes, e.g. node k set of direct predecessors
t = τ
At time :
Xi
τ = 1
j Xl
τ = 0
m n k
αil αjl αkl αmk αnk
P(Xl
t+1 = 1|Xl t = 0, Xt) =
8 < : Q
p∈ ¯ Dl
αpl if ^
p∈ ¯ Dl
Xp
t = 1
P(Xk
t+1 = 1|Xk t = 0, Xt) =
8 < : 1 − Q
p∈ ¯ Dk
(1 − αpk) if _
p∈ ¯ Dk
Xp
t = 1
9
❖ Defender thus observes a subset of enabled
disabled attribute enabled & undetected enabled & detected
❖ Defender only partially observes this process
Yt ∈ {0, 1}N
❖ Rationale: defender may not know the full
capability of the attacker at any given time
t = 1|Xi t = 1)
probability
P(Y i
t = 1|Xi t = 0) = 0
10
❖ The defender uses network services as countermeasures ❖ Existence of exploits depend on services ❖ For example
❖ Secure Shell (SSH) ❖ File Transfer Protocol (FTP) ❖ Port scanning ❖ etc.
❖ Defender can thus temporarily block or disable these services to
11
u1
1 2 3 4 5 6
7
8 9
10 11 12
13 14 15
16 17 18
19 20
❖ Suppose there are a set of
services
❖ Taking action corresponds
to disabling service
❖ disables a subset of the
nodes
{u1, . . . , uM}
um um
Xi = 0, i ∈ Wum Wu1 = {1}
12
ut ∈ U = ℘({u1, . . . , uM})
❖ Action at time t
u2
1 2 3 4 5 6
7
8 9
10 11 12
13 14 15
16 17 18
19 20
u2
{u1, . . . , uM}
um um Xi = 0, i ∈ Wum Wu2 = {5, 17}
13 ❖ Suppose there are a set of
services
❖ Taking action corresponds
to disabling service
❖ disables a subset of the
nodes Wum
ut ∈ U = ℘({u1, . . . , uM})
❖ Action at time t
u3
1 2 3 4 5 6
7
8 9
10 11 12
13 14 15
16 17 18
19 20
{u1, . . . , uM}
um um Xi = 0, i ∈ Wum Wu3 = {13}
14 ❖ Suppose there are a set of
services
❖ Taking action corresponds
to disabling service
❖ disables a subset of the
nodes Wum
ut ∈ U = ℘({u1, . . . , uM})
❖ Action at time t
1 2 3 4 5 6
7
8 9
10 11 12
13 14 15
16 17 18
19 20
u1 u2 u2
u3
u4 u4 u4 u5 u5 u6
ut ∈ U = ℘({u1, . . . , uM}) {u1, . . . , uM}
um um Xi = 0, i ∈ Wum
❖ Action at time t
Assumption: All leaf nodes are covered by at least one service.
15 ❖ Suppose there are a set of
services
❖ Taking action corresponds
to disabling service
❖ disables a subset of the
nodes Wum
❖ Confidentiality &
❖ Cost of taking action in state :
u ∈ U C(x, u) x ∈ X
16
u C(·, u) < C(·, ˆ u)
❖ Availability factor: an action that has a higher negative impact
C(x, ·) < C(ˆ x, ·)
1
2
3
4
5
6 1 2
3
4
5
6
1
2 3
4
5
6
1
2 3
4
5
6
(monotone states under general topology) (monotone states under AND topology)
simplifying assumption
1 2
3
4
5
6 1
2 3
4
5 6
1 2
3
4
5 6
17
❖ Define the history up to time t as ❖ We capture by an information state
Ht
❖ Information state obeys the update rule T : ∆(X) × Y × U → ∆(X)
πt+1 = T (πt, yt+1, ut)
x1 x2 x3 x4 xK
space of monotone states
Ht = (π0, U1, Y1, U2, Y2, . . . , Ut−1, Yt) Π i
t = P(Xt = xi|Ht)
Πt = (Π 1
t , . . . , Π K t ) ∈ ∆(X)
18
❖ Choose a control policy that solves
g : ∆(X) → U, g ∈ G min
g∈G Eg
( ∞ X
t=0
ρtC(Πt, Ut)
) subject to Ut = g(Πt) Πt+1 = T (Πt, Yt+1, Ut)
❖ The above is a Partially Observable Markov Decision Process
19
u∈U
y∈Y
y
❖ The Bellman equation for the corresponding value function is:
g∗ V ∗ for all . π ∈ ∆(X)
dimensionality of this term is greatly reduced due to the monotonicity assumption
Reactive: captures belief
based on previous states, actions, and observations.
Predictive: continuation cost incorporates the dynamics, taking into account the effect of future possible attacks and defense policies on the specification of the current defense decision.
21
u∈U
y∈Y
y
❖ The Bellman equation for the corresponding value function
g∗ V ∗ for all . π ∈ ∆(X)
Attributes:
machine 2
1 2 3 4
5
6 7 8 9 10
11 12
α11,12 α9,10 α3,4 α6,7 α7,8 α2,3 α8,11 α5,6 α10,11 α1,2 α4,9 α8,9
22
Attributes:
machine 2
u2 u1: block WebDAV service
: disconnect machine 2 Countermeasures:
1 2 3
4 5
6 7 8 9
10
11 12
α11,12
α9,10
α10,11 α3,4 α1,2 α6,7 α7,8 α8,9 α2,3 α4,9 α8,11 α5,6
u1
u2
23
❖ The resulting POMDP contains ❖ 29-states/observations ❖ 4 actions ❖ Solved using pomdp-solve* ❖ We show three different information
states with different corresponding
❖ The optimal policy is intuitive ❖ Disable the service that
corresponds to the attribute that has a high probability of being enabled.
1 5 10 15 20 25 29 0.1 0.2 0.3 0.4 0.5 1 5 10 15 20 25 29 0.1 0.2 0.3 0.4 1 5 10 15 20 25 29 0.1 0.2 0.3
(a) (b) (c)
π(2)
τ
π(3)
τ
π(1)
τ u∗ = u1 u∗ = u2 u∗ = ∅
24 *Cassandra 2003-15 (online)
❖ Summary ❖ Introduced a formal
model (built upon Bayesian attack graphs) for defending a network
❖ Formulated the
problem as a POMDP
❖ Solved the POMDP
for a small example
❖ Future Work ❖ Scaling the problem ❖ Exact POMDP solvers only capable of
handling small examples
❖ Realistic attack graphs are big! ❖ Complexity analysis? ❖ Structural results ❖ Directed acyclic graphs give rise to a
natural partial order
❖ Can we use this to show threshold
properties of the optimal policy?
25
C I A
1 2 3 4
5
6
7
8 9 10
11 12
α11,12 α9,10 α10,11 α3,4 α1,2 α6,7 α7,8
α8,9
α2,3 α4,9
α8,11 α5,6
u1
u2 u3
u4
Xi
τ = 1
j Xl
τ = 0
m n k
αil αjl αkl αmk αnk
26
❖ NSF — Foundations Of Resilient CybEr-
Grant: CNS-1238962
❖ Special thanks to the following funding sources ❖ ARO MURI — Adversarial and Uncertain
Grant: W911NF-13-1-0421
27
πt
yt+1 πt+1 attack spread
πt+ πt++
πt+++ t+ t++ t+++
πt+1 = T (πt, yt+1, ut) = T4(T3(T2(T1(πt, ut))), yt+1).
❖ Decompose the information state update into four steps
πt+ = T1(πt, ut) πt++ = T2(πt+) πt+++ = T3(πt++) πt+1 = T4(πt+++, yt+1)
❖ The update can then be written as the composition
(effect of action) (effect of attack) (effect of spread) (effect of observation) 28