optimal defense policies for partially
play

Optimal Defense Policies for Partially Erik Miehling Observable - PowerPoint PPT Presentation

May 11, 2023 •444 likes •733 views

University of Michigan - Ann Arbor Optimal Defense Policies for Partially Erik Miehling Observable Spreading Processes on Mohammad Rasouli Demosthenis Teneketzis Bayesian Attack Graphs Second ACM Workshop on Moving Target Defense (MTD 2015)

  1. University of Michigan - Ann Arbor Optimal Defense Policies for Partially Erik Miehling Observable Spreading Processes on Mohammad Rasouli Demosthenis Teneketzis Bayesian Attack Graphs Second ACM Workshop on Moving Target Defense (MTD 2015) Denver, Colorado — October 12-15, 2015 1

  2. Motivation ❖ Modern systems are becoming increasingly connected to improve operational efficiency and flexibility ❖ This convenience comes at the cost of introducing many vulnerabilities ❖ Factors from information security : ❖ Factors from MTD : Confidentiality (C) — Ensuring data does Reactiveness — should C not get into the wrong hands respond to observed changes in the system condition Integrity (I) — Maintaining accuracy/ I A trustworthiness of information Predictiveness — forecast, and prepare for, where the CIA triad Availability (A) — Ensuring that data is system will be in the future always available to trusted users 2

  3. The Conflict Environment ❖ We consider a dynamic setting where a network is continually being subjected to attacks with the objective of compromising some target resources through exploits . ❖ The defender can control services in the network to prevent the attacker from reaching the target resources. ❖ Philosophy: Automated approach to defending the network. ❖ Defense actions are observation-driven 3

  4. Contribution ❖ Contribution: We introduce a formal model which allows us to study dependencies between vulnerabilities in a system and to define (and compute) optimal defense policies. ❖ Aspects of our defense model ❖ Progressive attacks — recent exploits build upon previous exploits, progressively degrading the system ❖ Dynamic defense — defender is choosing the best action based on new information ❖ Partial knowledge — the defender is uncertain about the security of the network at any given time ❖ It is both reactive and predictive 4

  5. Attack Graphs ❖ Insufficient to look at single vulnerabilities when protecting a network ❖ Attackers combine vulnerabilities to penetrate the network ❖ Attack graphs model how multiple vulnerabilities can be combined and exploited by an attacker ❖ Explicitly takes into account paths that the attacker can take to reach the critical exploitation ❖ Can use tools such as CAULDRON * to generate attack graphs *Jajodia et al. 2010-11 5

  6. Bayesian Attack Graphs ❖ Bayesian attack graph: G = {N , θ , E , P} 11 2 12 ❖ Nodes, , represent attributes N α 12 10 1 3 α 13 : leaf nodes N L ⊆ N α 14 20 14 : critical (root) nodes N C ⊆ N R ⊆ N 4 9 19 5 13 6 15 ❖ Types, θ 17 7 : AND attributes N ∧ ⊆ N \ N L 16 8 18 : OR attributes N ∨ ⊆ N \ N L N L = { 1 , 5 , 7 , 8 , 11 , 12 , 16 , 17 , 20 } Attributes: ❖ Edges, , represent exploits N C = { 9 , 14 } ⊆ N R = { 2 , 9 , 14 , 18 } E N ∧ = { 2 , 3 , 6 , 9 , 10 , 13 , 18 , 19 } : exploits Types: E = ( i, j ) i,j ∈ N N ∨ = { 4 , 14 , 15 } Exploits: E = { (1 , 2) , (1 , 3) , . . . , (20 , 19) } ❖ Probabilities, P Probabilities: P = { α 1 , 2 , α 1 , 3 , . . . , α 20 , 19 } : exploit probabilities P = ( α ij ) ( i,j ) ∈ E 6

  7. Spreading Process ❖ The attacker’s behavior is assumed to follow a probabilistic spreading process At time : t = τ ❖ Each attribute (node) can be in one i ∈ N j of two states X i τ = 1 α jl X l X i X i τ = 0 t = 0 t = 1 α il (disabled) (enabled) k α kl ❖ Contagion seed and spread : At each time t probability that exploit will be discovered/taken 1. Each leaf attribute is enabled with by the attacker probability α i ∈ [0 , 1] (public knowledge) 2. Contagion spreads according to predecessor rules 7

  8. Spreading Process — Predecessor Rules ❖ The type of the attribute dictates the At time : t = τ nature of the spreading process j X i τ = 1 α jl m X l ❖ For AND attributes, e.g. node l τ = 0 α mk α il k α kl 8 ^ X p Q if t = 1 α pl α nk < P ( X l t +1 = 1 | X l t = 0 , X t ) = p ∈ ¯ D l p ∈ ¯ D l 0 otherwise : n set of direct predecessors 8

  9. Spreading Process — Predecessor Rules ❖ The type of the attribute dictates the At time : t = τ nature of the spreading process j X i τ = 1 α jl m X l ❖ For AND attributes, e.g. node l τ = 0 α mk α il k α kl 8 ^ X p Q if t = 1 α pl α nk < P ( X l t +1 = 1 | X l t = 0 , X t ) = p ∈ ¯ D l p ∈ ¯ D l 0 otherwise : n set of direct predecessors ❖ For OR attributes, e.g. node k 8 _ X p 1 − Q (1 − α pk ) if t = 1 < P ( X k t +1 = 1 | X k t = 0 , X t ) = p ∈ ¯ D k p ∈ ¯ D k 0 otherwise : 9

  10. Defender’s Observations ❖ Defender only partially observes this process probability β i = P ( Y i t = 1 | X i t = 1) of detection ❖ Rationale : defender may not know the full capability of the attacker at any given time Assumption : No false positives can occur. P ( Y i t = 1 | X i t = 0) = 0 disabled attribute ❖ Defender thus observes a subset of enabled enabled & undetected nodes that have been discovered at each enabled & detected time-step Y t ∈ { 0 , 1 } N 10

  11. Defender’s Countermeasures ❖ The defender uses network services as countermeasures ❖ Existence of exploits depend on services ❖ For example ❖ Secure Shell (SSH) ❖ File Transfer Protocol (FTP) ❖ Port scanning ❖ etc. ❖ Defender can thus temporarily block or disable these services to stop the attacker from progressing through the network 11

  12. Defender’s Countermeasures ❖ Suppose there are a set of M 11 { u 1 , . . . , u M } services 2 12 ❖ Taking action corresponds u m 10 u 1 1 3 to disabling service m 20 14 ❖ disables a subset of the u m 4 9 19 nodes W u m 5 13 6 15 17 X i = 0 , i ∈ W u m 7 16 8 18 ❖ Action at time t u t ∈ U = ℘ ( { u 1 , . . . , u M } ) W u 1 = { 1 } 12

  13. Defender’s Countermeasures ❖ Suppose there are a set of M 11 { u 1 , . . . , u M } services 2 12 ❖ Taking action corresponds u m 10 1 3 to disabling service m 20 14 ❖ disables a subset of the u m 4 9 19 nodes W u m 5 13 u 2 6 15 17 X i = 0 , i ∈ W u m u 2 7 16 8 18 ❖ Action at time t u t ∈ U = ℘ ( { u 1 , . . . , u M } ) W u 2 = { 5 , 17 } 13

  14. Defender’s Countermeasures ❖ Suppose there are a set of M 11 { u 1 , . . . , u M } services 2 12 ❖ Taking action corresponds u m 10 1 3 to disabling service m 20 14 ❖ disables a subset of the u m 4 9 19 nodes W u m 5 13 u 3 6 15 17 X i = 0 , i ∈ W u m 7 16 8 18 ❖ Action at time t u t ∈ U = ℘ ( { u 1 , . . . , u M } ) W u 3 = { 13 } 14

  15. Defender’s Countermeasures ❖ Suppose there are a set of u 4 M 11 { u 1 , . . . , u M } services u 5 2 12 ❖ Taking action corresponds u m 10 u 1 1 3 to disabling service m 20 14 ❖ disables a subset of the u m u 5 4 9 19 nodes W u m 5 13 u 2 u 3 6 15 17 X i = 0 , i ∈ W u m u 2 7 16 8 u 6 18 ❖ Action at time t u 4 u 4 u t ∈ U = ℘ ( { u 1 , . . . , u M } ) Assumption : All leaf nodes are covered by at least one service. 15

  16. Cost Function ❖ Cost of taking action in state : C ( x, u ) x ∈ X u ∈ U ❖ Confidentiality & Integrity factor: state is less costly x than state ˆ x C ( x, · ) < C (ˆ x, · ) ˆ x x ❖ Availability factor: an action that has a higher negative impact ˆ u on availability than another action should satisfy: u C ( · , u ) < C ( · , ˆ u ) 16

  17. Monotone States (monotone states under general topology) 2 3 2 3 2 3 2 3 Assumption : The only 1 1 1 1 5 5 5 5 feasible states are 4 4 4 4 monotone . 6 6 6 6 (monotone states under AND topology) 2 3 2 3 2 3 Assumption : The attack 1 1 1 graph only contains 5 5 5 4 4 4 AND nodes. 6 6 6 simplifying assumption 17

  18. Defender’s Information States ❖ Define the history up to time t as H t = ( π 0 , U 1 , Y 1 , U 2 , Y 2 , . . . , U t − 1 , Y t ) ❖ We capture by an information state Π t = ( Π 1 t , . . . , Π K t ) ∈ ∆ ( X ) H t Π i t = P ( X t = x i | H t ) space of monotone states X . . . x 1 x 2 x 3 x 4 x K ❖ Information state obeys the update rule T : ∆ ( X ) × Y × U → ∆ ( X ) π t +1 = T ( π t , y t +1 , u t ) 18

  19. Defender’s Optimization Problem ❖ Choose a control policy that solves g : ∆ ( X ) → U , g ∈ G ( ∞ ) X � Π 0 = π 0 � g ∈ G E g ρ t C ( Π t , U t ) min t =0 subject to U t = g ( Π t ) Π t +1 = T ( Π t , Y t +1 , U t ) ❖ The above is a Partially Observable Markov Decision Process (POMDP) 19

  20. Dynamic Programming Solution ❖ The optimal policy achieves the minimum expected discounted g ∗ total cost. ❖ The Bellman equation for the corresponding value function is: V ∗ n o X V ∗ ( π ) = min V ∗ ( T ( π , y, u )) C ( π , u ) + ρ P π ,u y u ∈ U y ∈ Y for all . π ∈ ∆ ( X ) dimensionality of this term is greatly reduced due to the monotonicity assumption

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Optimal trade and storage policies Christophe Gouel INRA CEPII September 1819, 2014

Optimal trade and storage policies Christophe Gouel INRA CEPII September 1819, 2014

Introduction Optimal policies Simple rules Policy messages Conclusion Optimal trade and storage policies Christophe Gouel INRA CEPII September 1819, 2014 References Gouel (2014) Stocks for the stabilization of food markets: Lessons

399 views • 26 slides
LQ optimal control for partially specified input noise Alexander Erreygers Jasper De Bock Gert

LQ optimal control for partially specified input noise Alexander Erreygers Jasper De Bock Gert

LQ optimal control for partially specified input noise Alexander Erreygers Jasper De Bock Gert de Cooman Arthur Van Camp Ghent University 28th European Conference on Operational Research 1 / 13 Scalar linear systems The controller is

715 views • 30 slides
Optimal Acquisition of a Partially Hedgeable House skun etin 1 , Fernando Zapatero 2 Co 1

Optimal Acquisition of a Partially Hedgeable House skun etin 1 , Fernando Zapatero 2 Co 1

Optimal Acquisition of a Partially Hedgeable House skun etin 1 , Fernando Zapatero 2 Co 1 Department of Mathematics and Statistics CSU Sacramento 2 Marshall School of Business USC November 14, 2009 WCMF, Santa Barbara Co skun etin,

237 views • 20 slides
Spatial Climate-Economic Models in the Design A. Xepapadeas of Optimal Climate Policies across

Spatial Climate-Economic Models in the Design A. Xepapadeas of Optimal Climate Policies across

Optimal Climate Policies Spatial Climate-Economic Models in the Design A. Xepapadeas of Optimal Climate Policies across Locations Introduction Energy Balance Climate Anastasios Xepapadeas(*) with William A. Brock and Models Gustav

944 views • 58 slides
(Near)-optimal policies for Probabilistic IPC 2018 domains Brikena C elaj Department of

(Near)-optimal policies for Probabilistic IPC 2018 domains Brikena C elaj Department of

(Near)-optimal policies for Probabilistic IPC 2018 domains Brikena C elaj Department of Mathematics and Computer Science University of Basel June 2020 Brikena C elaj (Near)-optimal policies for Probabilistic IPC 2018 domains 1 / 45

661 views • 47 slides
Optimal Decentralized Control of System with Partially Exchangeable Agents Aditya Mahajan McGill

Optimal Decentralized Control of System with Partially Exchangeable Agents Aditya Mahajan McGill

Optimal Decentralized Control of System with Partially Exchangeable Agents Aditya Mahajan McGill University Joint work with Jalal Arabneydi Allerton Conference on Communication, Control, and Computing 28 Sep, 2016 Decentralized control with

856 views • 68 slides
Defense-Within-Limits Policies Insurer and Insured Perspectives on Bad Faith Risks and Pitfalls

Defense-Within-Limits Policies Insurer and Insured Perspectives on Bad Faith Risks and Pitfalls

Presenting a live 90-minute webinar with interactive Q&amp;A Navigating Insurance Bad Faith Claims Involving Additional Insureds and Defense-Within-Limits Policies Insurer and Insured Perspectives on Bad Faith Risks and Pitfalls With AIs and

810 views • 52 slides
Biosens II Background Biosens II Subproject 2.3 Optimal replacement policies for dairy

Biosens II Background Biosens II Subproject 2.3 Optimal replacement policies for dairy

Biosens II Background Biosens II Subproject 2.3 Optimal replacement policies for dairy cows based on Overview daily yield measurements MDP intro Dairy HMDP Model Case example: Markov decision processes State space model Embedding

67 views • 6 slides
Optimal service selection policies for dynamic service composition Miroslav ivkovi University

Optimal service selection policies for dynamic service composition Miroslav ivkovi University

Optimal service selection policies for dynamic service composition Miroslav ivkovi University of Amsterdam (UvA) System and Network Engineering Group m.zivkovic@uva.nl Joost Bosman, Hans van den Berg, Rob van der Mei, Erik Meeuwissen,

398 views • 18 slides
Agricultural price instability and optimal stabilisation policies PhD Defence Christophe Gouel

Agricultural price instability and optimal stabilisation policies PhD Defence Christophe Gouel

Introduction My approach Results Conclusion and perspectives Agricultural price instability and optimal stabilisation policies PhD Defence Christophe Gouel INRA CEPII cole Polytechnique April 8, 2011 1/16 Introduction My

847 views • 30 slides
06-10-2014 Institut for Produktionsdyr og Heste Optimal replacement policies for dairy cows based

06-10-2014 Institut for Produktionsdyr og Heste Optimal replacement policies for dairy cows based

06-10-2014 Institut for Produktionsdyr og Heste Optimal replacement policies for dairy cows based on daily yield measurements Katarina Nielsen Dominiak, Ph.D Student Advanced Quantitative Methods in Herd Management AQMHM 06-10-2014 Dias 1

424 views • 11 slides
Optimal Metering Policies for Optimized Profile Descent Operations at Airports Heng Chen and

Optimal Metering Policies for Optimized Profile Descent Operations at Airports Heng Chen and

Optimal Metering Policies for Optimized Profile Descent Operations at Airports Heng Chen and Senay Solak Isenberg School of Management University of Massachusetts Amherst ICRAT 2014, Istanbul May 30, 2014 Outline Motivation Problem

541 views • 29 slides
Path Planning in Unknown Environment by Optimal Transport on Graph Haomin Zhou School of

Path Planning in Unknown Environment by Optimal Transport on Graph Haomin Zhou School of

Path Planning in Unknown Environment by Optimal Transport on Graph Haomin Zhou School of Mathematics, Georgia Tech Collaborators: Magnus Egerstedt (ECE, GT), Haoyan Zhai (Math, GT) Partially Supported by NSF, ONR Optimal Path In Dynamical

585 views • 33 slides
Optimal dividend and reinvestment policies when payments are subject to both fixed and

Optimal dividend and reinvestment policies when payments are subject to both fixed and

Introduction to the problem The solution A financial example Optimal dividend and reinvestment policies when payments are subject to both fixed and proportional costs Jostein Paulsen October 15, 2008 Introduction to the problem The solution

651 views • 29 slides
Deriving optimal carbon policies for biomass utilization 9.12.2014 IEA Task 38 Workshop on

Deriving optimal carbon policies for biomass utilization 9.12.2014 IEA Task 38 Workshop on

Forests, land use and climate change: Deriving optimal carbon policies for biomass utilization 9.12.2014 IEA Task 38 Workshop on Forests Aapo Rautiainen Jussi Lintunen Jussi Uusivuori In this presentation We present a model which

491 views • 30 slides
Globalizing the Defense Industrial Base Pentagon policies to

Globalizing the Defense Industrial Base Pentagon policies to

Manufacturing Insecurity: Americas Manufacturing Crisis and the Erosion of the U.S. Defense Industrial Base Sponsored by: AFL-CIO Industrial Union Council Coalition for a Prosperous America AFL-CIO Metal Trades Department Alliance for American

449 views • 23 slides
freedesktop.org X bling, system-wide IPC, universal input, desktop integration (a man, a plan, a

freedesktop.org X bling, system-wide IPC, universal input, desktop integration (a man, a plan, a

freedesktop.org X bling, system-wide IPC, universal input, desktop integration (a man, a plan, a canal Panama!) Daniel Stone &lt;daniel@freedesktop.org&gt; &lt;dstone@kde.org&gt; freedesktop.org projects daniel@gabe:/projects% ls | wc

574 views • 13 slides
Introduction L. Poggioli, LAL ATLAS latest news Actions list Inputs from recent

Introduction L. Poggioli, LAL ATLAS latest news Actions list Inputs from recent

Introduction L. Poggioli, LAL ATLAS latest news Actions list Inputs from recent meetings LCG-TECH ftf 16/04 https://indico.in2p3.fr/conferenceDisplay.py?confId=9731 Pre-GDB 13/05 http://indico.cern.ch/event/272787/

390 views • 14 slides
Creating a TEI-Based Website with the eXist XML Database Joseph Wicentowski, Ph.D. U.S.

Creating a TEI-Based Website with the eXist XML Database Joseph Wicentowski, Ph.D. U.S.

Creating a TEI-Based Website with the eXist XML Database Joseph Wicentowski, Ph.D. U.S. Department of State July 2010 Goals . . how to install and use eXist and oXygen to query and create a 3 . . . about eXist : a free, open-source native

669 views • 30 slides
A Secure Autonomous Document Architecture for Enterprise Digital Right Management Manuel Munier

A Secure Autonomous Document Architecture for Enterprise Digital Right Management Manuel Munier

A Secure Autonomous Document Architecture for Enterprise Digital Right Management Manuel Munier LIUPPA Universit e de Pau et des Pays de lAdour Mont de Marsan, France manuel.munier@univ-pau.fr SITIS 2011 November 28 - December 1, 2011

591 views • 36 slides
Cause-Effect Pairs Challenge Isabelle Guyon ChaLearn Thanks Initial impulse : Joris Mooij,

Cause-Effect Pairs Challenge Isabelle Guyon ChaLearn Thanks Initial impulse : Joris Mooij,

Cause-Effect Pairs Challenge Isabelle Guyon ChaLearn Thanks Initial impulse : Joris Mooij, Dominik Janzing, and Bernhard Schlkopf, from the Max Planck. Examples of algorithms and data: Povilas Daniuis, Arthur Gretton, Patrik O. Hoyer,

385 views • 35 slides
Multi-VO Support YAN Tian for Distributed Computing Group Meeting Oct. 23, 2014 StoRM + Lustre:

Multi-VO Support YAN Tian for Distributed Computing Group Meeting Oct. 23, 2014 StoRM + Lustre:

Status of Storm+Lustre and Multi-VO Support YAN Tian for Distributed Computing Group Meeting Oct. 23, 2014 StoRM + Lustre: Test Bed SE server configuration: This test machine is originally prepared for dCache+Lustre frontend, Model Dell

449 views • 12 slides
Document Engineering: Designing Documents for Transactions and Web Services OASIS Symposium - 10

Document Engineering: Designing Documents for Transactions and Web Services OASIS Symposium - 10

Document Engineering: Designing Documents for Transactions and We... file:///C:/Documents%20and%20Settings/glushko/My%20Documents/L... Document Engineering: Designing Documents for Transactions and Web Services OASIS Symposium - 10 May 2006

936 views • 46 slides
1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint

1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint

Control Risks 1 Today's Speakers From Control Risks Control Risks 3 Luke Fardell James Lythe Shaun Flint Consultant Associate Director Associate Director Cyber Protect Digital Forensics Crisis Management Global Cyber Security trends

801 views • 31 slides

More recommend