Probabilistic reasoning with graphical security models
Barbara Kordy
Clermont-Ferrand, January 7, 2016
Digital Confidence seminar
Joint work
- Prof. Dr. Marc Pouly
Lucerne University of Applied Sciences and Arts
- Dr. Patrick Schweitzer
University of Luxembourg
Barbara Kordy 2
Probabilistic assessment of security scenarios
- security model: ADTree
- dependency model: Bayesian network
- probabilistic assessment of attack–defense scenarios with dependencies
Outline
1. Attack–defense Trees
2. Probabilistic evaluation
3. Efficiency considerations
4. Wrap Up
Attack–defense Trees
Modeling security scenarios
Attack–defense tree (ADTree) [JLC’14]
Tree-like representation of an attack–defense scenario depicting:
- How to attack a system
- How to protect against an attack
Extend the industrially recognized model of attack trees [Schneier’99]
Integrate
- Intuitive representation features [IJSSE’12, ICISC’12]
- Formal analysis techniques [GameSec’10, SIIS’11, JLC’14]
- Software application ADTool [QEST’13]
Example: ADTree for infecting a computer
infect computer (AND)
  - virus on system (OR), countered by antivirus
      - e-mail with attachment
      - USB stick
      - countermeasure: antivirus (AND)
          - install antivirus
          - run antivirus, countered by fake antivirus
  - execute virus
Propositional semantics for ADTrees [SIIS’11]
$B$: the set of non-refined nodes of ADTree $t$
$x \in \{0,1\}^{B}$ encodes whether actions from $B$ succeed or not
- Action $A \in B$ succeeds if $x(A) = 1$
- Action $A \in B$ does not succeed if $x(A) = 0$
Boolean function $f_t$ for $t$
- $f_t : \{0,1\}^{B} \to \{0,1\}$ associates a Boolean value $f_t(x) \in \{0,1\}$ with each vector $x \in \{0,1\}^{B}$
- $x$ is called an attack vector if $f_t(x) = 1$
ADTrees as Boolean functions
Domain of $f_t$ is composed of the non-refined nodes of $t$
- Non-refined node $A$: $f_t(A) = A$
- OR node $t$ with children $t'$, $t''$: $f_t = f_{t'} \lor f_{t''}$
- AND node $t$ with children $t'$, $t''$: $f_t = f_{t'} \land f_{t''}$
- Countermeasure ($t'$ countered by $t''$): $f_t = f_{t'} \land \neg f_{t''}$
Example: Boolean function for infecting a computer
$$f_t = \big((X_{EA} \lor X_{US}) \land \neg(X_{IA} \land (X_{RA} \land \neg X_{FA}))\big) \land X_{EV}$$
Example: attack vector
Node values:
- infect computer: true
- virus on system: true
- e-mail with attachment: true
- USB stick: false
- antivirus: false
- install antivirus: true
- run antivirus: false
- fake antivirus: false
- execute virus: true
$$f_t = \big((X_{EA} \lor X_{US}) \land \neg(X_{IA} \land (X_{RA} \land \neg X_{FA}))\big) \land X_{EV}$$
The three conjuncts evaluate to 1, 1, 1, so this assignment is an attack vector.
Importance of probabilities
Knowing the probabilities of particular attacks allows us to
- Identify the most vulnerable components
- Determine the strategic points
- Decide which protective measures to implement
Bottom-up evaluation of probability on ADTrees [ICISC’12]
For child subtrees with probabilities $x$ and $y$:
- Probability of a disjunctive subtree: $x + y - xy$
- Probability of a conjunctive subtree: $xy$
- Probability of a countered subtree ($x$ countered by $y$): $x(1 - y)$
Similarly for subtrees rooted in a defense node
Example: probability for infecting a computer
- infect computer: 0.669375
- virus on system: 0.74375
- e-mail with attachment: 0.5
- USB stick: 0.75
- antivirus: 0.15000000000000002
- install antivirus: 0.8
- run antivirus: 0.25
- fake antivirus: 0.25
- execute virus: 0.9
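The bottom-up rules applied to this tree reproduce the values listed above. This is an added example, not part of the original slides; the tuple encoding of the tree and the labels of the two intermediate nodes that the slide leaves unnamed are assumptions made here.

```python
# Added illustration: bottom-up probability evaluation of the "infect computer"
# ADTree, assuming all basic actions are independent.
# Node encoding (an assumption of this example, not ADTool's format):
#   ("leaf", name, p) or ("or" | "and" | "counter", name, left, right)
# For "counter", `left` is the countered subtree and `right` the countermeasure.

RULES = {
    "or": lambda x, y: x + y - x * y,     # disjunctive subtree
    "and": lambda x, y: x * y,            # conjunctive subtree
    "counter": lambda x, y: x * (1 - y),  # countered subtree
}

# Leaf values are the ones shown on the slide; "[label added]" names are ours.
TREE = (
    "and", "infect computer",
    ("counter", "virus on system",
        ("or", "e-mail or USB [label added]",
            ("leaf", "e-mail with attachment", 0.5),
            ("leaf", "USB stick", 0.75)),
        ("and", "antivirus",
            ("leaf", "install antivirus", 0.8),
            ("counter", "run antivirus unless faked [label added]",
                ("leaf", "run antivirus", 0.25),
                ("leaf", "fake antivirus", 0.25)))),
    ("leaf", "execute virus", 0.9),
)

def bottom_up(node, values=None):
    """Return (probability of node, dict with the probability of every node)."""
    values = {} if values is None else values
    kind, name = node[0], node[1]
    if kind == "leaf":
        p = node[2]
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name}: probability {p} outside [0, 1]")
    else:
        x, _ = bottom_up(node[2], values)
        y, _ = bottom_up(node[3], values)
        p = RULES[kind](x, y)
    values[name] = p
    return p, values

if __name__ == "__main__":
    root, per_node = bottom_up(TREE)
    for name, p in per_node.items():
        print(f"{p:.6f}  {name}")
```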
Limitations
The bottom-up procedure does not take dependencies between actions into account. However, in practice
- Installing and running an antivirus
- Distributing and executing a virus
are not independent actions.
Thus, the standard bottom-up evaluation is not suitable for probabilistic assessment of attack–defense trees.
Challenges
1. How to design the appropriate formalism?
2. How to ensure that calculations reflect the reality?
3. How to guarantee the efficiency of the evaluation?
Probabilistic evaluation
Proposed Framework [INS’16]
- security model: ADTree
- dependency model: Bayesian network
- probabilistic assessment of attack–defense scenarios with dependencies
Modeling probability of dependent actions
Bayesian network: a directed, acyclic graph that reflects the conditional interdependencies between variables associated with the nodes of the network
Dependent variables: $X \to Y$
Conditional probability table for $Y$:
- $p(Y = 1 \mid X = 1) = 0.7$
- $p(Y = 1 \mid X = 0) = 0.2$
- $p(Y = 0 \mid X = 1) = 0.3$
- $p(Y = 0 \mid X = 0) = 0.8$
Constructing Bayesian network BNt for ADTree t
From an ADTree
- $t$: ADTree
- $B$: set of all non-refined nodes of $t$
To a Bayesian network
- Elements of $B$ are nodes of the Bayesian network $BN_t$
- Relations between actions are depicted by edges in $BN_t$
- Conditional probability tables quantify dependencies between actions
Example: BNt for infecting a computer ADTree
Nodes: fake antivirus, e-mail with attachment, USB stick, execute virus
- $p(X_{FA} = 1) = 0.3$
- $p(X_{EA} = 1 \mid X_{FA} = 1) = 0.9$
- $p(X_{EA} = 1 \mid X_{FA} = 0) = 0.5$
- $p(X_{US} = 1 \mid X_{FA} = 1) = 0.4$
- $p(X_{US} = 1 \mid X_{FA} = 0) = 0.5$
- $p(X_{EV} = 1 \mid X_{EA} = 1, X_{US} = 1) = 0.9$
- $p(X_{EV} = 1 \mid X_{EA} = 1, X_{US} = 0) = 0.2$
- $p(X_{EV} = 1 \mid X_{EA} = 0, X_{US} = 1) = 0.8$
- $p(X_{EV} = 1 \mid X_{EA} = 0, X_{US} = 0) = 0.1$
Nodes: install antivirus, run antivirus
- $p(X_{IA} = 1) = 0.6$
- $p(X_{RA} = 1 \mid X_{IA} = 1) = 0.9$
- $p(X_{RA} = 1 \mid X_{IA} = 0) = 0.0$
Joint probability distribution for network BNt
$$p(X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}) = p(X_{EV} \mid X_{EA}, X_{US}) \times p(X_{EA} \mid X_{FA}) \times p(X_{US} \mid X_{FA}) \times p(X_{FA}) \times p(X_{RA} \mid X_{IA}) \times p(X_{IA})$$
Propositional semantics using algebraic operations
- Non-refined node $A$: $f_t(A) = A$, algebraically $\mathrm{id}_A$
- OR node $t$ with children $t'$, $t''$: $f_t = f_{t'} \lor f_{t''}$, algebraically $\max\{f_{t'}, f_{t''}\}$
- AND node $t$ with children $t'$, $t''$: $f_t = f_{t'} \land f_{t''}$, algebraically $f_{t'} \times f_{t''}$
- Countermeasure ($t'$ countered by $t''$): $f_t = f_{t'} \land \neg f_{t''}$, algebraically $f_{t'} \times (1 - f_{t''})$
Probability computation
$x \in \{0,1\}^{B}$: vector of successful/unsuccessful actions
Probability of attack vector $x$:
$$f_t(x) \times p(x)$$
Probability related to ADTree $t$:
$$P(t) = \sum_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$$
Probability of the most probable attack vector:
$$P_{\max}(t) = \max_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$$
Compatibility results
Theorem: Probability computations on propositionally equivalent ADTrees yield the same result.
Observation: For ADTree $t$ without dependent actions, $P(t)$ coincides with the result of the bottom-up computation.
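Added example (not from the original slides or the authors' tooling): brute-force evaluation of $P(t)$ and $P_{\max}(t)$ for the "infect computer" ADTree over all $2^6$ vectors, once with the joint distribution of $BN_t$ from the example slide and once with an independent product distribution built from the bottom-up leaf values, which illustrates the Observation. Function and variable names are assumptions of this example.

```python
from itertools import product

ACTIONS = ("EA", "US", "IA", "RA", "FA", "EV")  # non-refined nodes B

def f_t(x):
    """Propositional semantics of the 'infect computer' ADTree."""
    return int((x["EA"] or x["US"])
               and not (x["IA"] and x["RA"] and not x["FA"])
               and x["EV"])

def bern(p_one, value):
    """p(X = value) for a binary variable with p(X = 1) = p_one."""
    return p_one if value else 1.0 - p_one

def p_bn(x):
    """Joint distribution of BN_t, factorised as on the slides."""
    p_ev = {(1, 1): 0.9, (1, 0): 0.2, (0, 1): 0.8, (0, 0): 0.1}[x["EA"], x["US"]]
    return (bern(p_ev, x["EV"])
            * bern(0.9 if x["FA"] else 0.5, x["EA"])
            * bern(0.4 if x["FA"] else 0.5, x["US"])
            * bern(0.3, x["FA"])
            * bern(0.9 if x["IA"] else 0.0, x["RA"])
            * bern(0.6, x["IA"]))

# Leaf probabilities of the bottom-up example slide.
LEAF = {"EA": 0.5, "US": 0.75, "IA": 0.8, "RA": 0.25, "FA": 0.25, "EV": 0.9}

def p_independent(x):
    """Product distribution: every action independent of the others."""
    result = 1.0
    for action in ACTIONS:
        result *= bern(LEAF[action], x[action])
    return result

def evaluate(p):
    """Return (P(t), Pmax(t), most probable attack vector) by enumeration."""
    total, best, best_x = 0.0, 0.0, None
    for bits in product((0, 1), repeat=len(ACTIONS)):
        x = dict(zip(ACTIONS, bits))
        weight = f_t(x) * p(x)
        total += weight
        if weight > best:
            best, best_x = weight, x
    return total, best, best_x
```

With the dependencies of $BN_t$ the most probable attack vector is the one in which both distribution channels are used, the virus is executed, and no antivirus is installed or run.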
Efficiency considerations
Efficiency problems
$$P(t) = \sum_{x \in \{0,1\}^{B}} f_t(x) \times p(x) \qquad P_{\max}(t) = \max_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$$
The number of configurations $x$ grows exponentially with the number of involved actions. For large systems, it is therefore not feasible to
- Enumerate all the values of $f_t$
- Enumerate all the values of the joint probability distribution for $BN_t$

- security model: ADTree
- dependency model: Bayesian network
- constraint reasoning, fusion
- probabilistic assessment of attack–defense scenarios with dependencies
Local indicators
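$$f_t = \big((X_{EA} \lor X_{US}) \land \neg(X_{IA} \land (X_{RA} \land \neg X_{FA}))\big) \land X_{EV}$$
Inner variables name the subexpressions of $f_t$:
- $Y_1$: $X_{EA} \lor X_{US}$
- $Y_2$: $X_{RA} \land \neg X_{FA}$
- $Y_3$: $X_{IA} \land Y_2$
- $Y_4$: $Y_1 \land \neg Y_3$
- $Y_t$: $Y_4 \land X_{EV}$
Local indicators:
- $\varphi_1(Y_1, X_{EA}, X_{US}) = 1$ exactly if $Y_1 = \max\{X_{EA}, X_{US}\}$
- $\varphi_2(Y_2, X_{RA}, X_{FA}) = 1$ exactly if $Y_2 = X_{RA} \times (1 - X_{FA})$
- $\varphi_3(Y_3, X_{IA}, Y_2) = 1$ exactly if $Y_3 = X_{IA} \times Y_2$
- $\varphi_4(Y_4, Y_1, Y_3) = 1$ exactly if $Y_4 = Y_1 \times (1 - Y_3)$
- $\varphi_5(Y_t, Y_4, X_{EV}) = 1$ exactly if $Y_t = Y_4 \times X_{EV}$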
Global indicator function φt for ADTree t
Domain of $\varphi_t$:
- Non-refined nodes of $t$
- Inner variables of all local indicators
Global indicator function $\varphi_t$ = product of all local indicators $\varphi_i$
$$\varphi_t(\underbrace{Y_1, Y_2, Y_3, Y_4, Y_t}_{Y = \text{inner variables}}, \underbrace{X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}}_{B = \text{non-refined nodes}}) = \varphi_1(Y_1, X_{EA}, X_{US}) \times \varphi_2(Y_2, X_{RA}, X_{FA}) \times \varphi_3(Y_3, X_{IA}, Y_2) \times \varphi_4(Y_4, Y_1, Y_3) \times \varphi_5(Y_t, Y_4, X_{EV})$$
$\varphi_t$ indicates valid assignments with respect to $f_t$
Important property
Theorem: Consider an ADTree $t$ over the set of non-refined nodes $B$ and the global indicator function $\varphi_t$ with the set of inner variables $Y$.
$$\forall x \in \{0,1\}^{B} \;\; \exists!\, y \in \{0,1\}^{Y} \text{ such that } \varphi_t(y, x) = 1$$
Corollary:
$$\forall x \in \{0,1\}^{B}: \quad \max_{y \in \{0,1\}^{Y}} \varphi_t(y, x) = \sum_{y \in \{0,1\}^{Y}} \varphi_t(y, x) = 1$$
Filtering interesting assignments of φt
ADTree $t$ with children $A$ and $B$:
- $\varphi_t(Y_t = 1, X_A = 1, X_B = 1) = 1$
- $\varphi_t(Y_t = 1, X_A = 1, X_B = 0) = 1$
- $\varphi_t(Y_t = 1, X_A = 0, X_B = 1) = 1$
- $\varphi_t(Y_t = 0, X_A = 0, X_B = 0) = 1$
We are only interested in assignments such that $\varphi_t = 1$ and $Y_t = 1$:
$$Y_t \times \varphi_t(y, x)$$
Expressing ft with its global indicator
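$$\forall x \in \{0,1\}^{B}: \quad \max_{y \in \{0,1\}^{Y}} \varphi_t(y, x) = \sum_{y \in \{0,1\}^{Y}} \varphi_t(y, x) = 1$$
$$\forall x \in \{0,1\}^{B}: \quad \max_{y \in \{0,1\}^{Y}} \big(Y_t \times \varphi_t(y, x)\big) = \sum_{y \in \{0,1\}^{Y}} \big(Y_t \times \varphi_t(y, x)\big) = f_t(x) = \begin{cases} 1, & \text{if } x \text{ is an attack vector} \\ 0, & \text{otherwise} \end{cases}$$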
Factorized form for probability formulas
Probability of attack vector $x$:
$$f_t(x) \times p(x) = \max_{y \in \{0,1\}^{Y}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$$
Probability related to ADTree $t$:
$$P(t) = \sum_{x \in \{0,1\}^{B}} f_t(x) \times p(x) = \sum_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$$
Probability of the most probable attack vector:
$$P_{\max}(t) = \max_{x \in \{0,1\}^{B}} f_t(x) \times p(x) = \max_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$$
Our framework in the context of semiring theory
Inference problem over the arithmetic semiring $\langle \mathbb{R}, +, \times \rangle$:
$$P(t) = \sum_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$$
Inference problem over the product t-norm semiring $\langle [0, 1], \max, \times \rangle$:
$$P_{\max}(t) = \max_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$$
Local computation
Powerful local computation algorithms
- Fusion
- Variable elimination
- smart distributivity
Computing $P(t)$ using the Nenok tool [IJAIT’10]:
- Direct computation: complexity bound $2^{11}$, 3.422 sec
- Using fusion: complexity bound $2^{4}$, 0.031 sec
Complexity bounded by a structural parameter of the problem
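Added example (not Nenok and not the authors' code): fusion, that is variable elimination, over the factorized form for the "infect computer" tree, generic in the semiring addition so that the same routine yields $P(t)$ with + and $P_{\max}(t)$ with max. The factor encoding and the elimination order are assumptions chosen here by hand.

```python
import math
from itertools import product

def factor(scope, fn):
    """Tabulate fn over all 0/1 assignments of the variables in scope."""
    return scope, {v: float(fn(*v)) for v in product((0, 1), repeat=len(scope))}

def bern(p_one, value):
    return p_one if value else 1.0 - p_one

FACTORS = [  # CPTs of BN_t (slide values), then phi_1..phi_5 and the Y_t filter
    factor(("FA",), lambda fa: bern(0.3, fa)),
    factor(("EA", "FA"), lambda ea, fa: bern(0.9 if fa else 0.5, ea)),
    factor(("US", "FA"), lambda us, fa: bern(0.4 if fa else 0.5, us)),
    factor(("EV", "EA", "US"),
           lambda ev, ea, us: bern((0.1, 0.8, 0.2, 0.9)[2 * ea + us], ev)),
    factor(("IA",), lambda ia: bern(0.6, ia)),
    factor(("RA", "IA"), lambda ra, ia: bern(0.9 if ia else 0.0, ra)),
    factor(("Y1", "EA", "US"), lambda y, ea, us: y == max(ea, us)),
    factor(("Y2", "RA", "FA"), lambda y, ra, fa: y == ra * (1 - fa)),
    factor(("Y3", "IA", "Y2"), lambda y, ia, y2: y == ia * y2),
    factor(("Y4", "Y1", "Y3"), lambda y, y1, y3: y == y1 * (1 - y3)),
    factor(("Yt", "Y4", "EV"), lambda y, y4, ev: y == y4 * ev),
    factor(("Yt",), lambda yt: yt),
]
# Hand-picked elimination order (an assumption of this example).
ORDER = ("RA", "IA", "Y2", "Yt", "Y4", "Y3", "Y1", "EV", "EA", "US", "FA")

def fuse(factors, order, plus):
    """Eliminate variables in order; return (value, size of the widest scope)."""
    factors, width = list(factors), 0
    for var in order:
        touched = [f for f in factors if var in f[0]]
        factors = [f for f in factors if var not in f[0]]
        scope = sorted({v for s, _ in touched for v in s})
        width = max(width, len(scope))
        keep = tuple(v for v in scope if v != var)
        table = {}
        for vals in product((0, 1), repeat=len(scope)):
            a = dict(zip(scope, vals))
            w = 1.0
            for s, t in touched:  # combine only the factors that mention var
                w *= t[tuple(a[v] for v in s)]
            key = tuple(a[v] for v in keep)
            table[key] = plus(table.get(key, 0.0), w)  # marginalise var out
        factors.append((keep, table))
    return math.prod(t[()] for _, t in factors), width

def p_and_pmax():
    return fuse(FACTORS, ORDER, lambda a, b: a + b)[0], fuse(FACTORS, ORDER, max)[0]
```

The second value returned by `fuse` is the number of variables in the largest intermediate table, the quantity that depends on the elimination order rather than on the total number of variables.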
Wrap Up
Summary
- security model: ADTree
- dependency model: Bayesian network
- constraint reasoning, fusion
- probabilistic assessment of attack–defense scenarios with dependencies
Addressing challenges
1. How to design the appropriate formalism?
   - Used by industry, intuitive & well formalized
   - Security model and dependency network are kept separated
2. How to ensure that calculations reflect the reality?
   - Real-life data take dependencies into account
   - Complement ADTree with additional information
3. How to guarantee the efficiency of the evaluation?
   - Local computation algorithms
   - Existing software tools, well-known heuristics
Where to take it from here?
- Find the best elimination sequence for Bayesian ADTrees
  - NP-complete in general
  - Prediction is possible for specific families of graphs
- Extend to probability distributions
  - Probability dependent on time
- Interface ADTool [QEST’13] with Nenok
  - Automated probability assessment of large scale scenarios
Take home message
Key to success Appropriate technique Components Attributes Well-founded model Syntax Semantics Erroneous results Understand theory
References
- Barbara Kordy, Marc Pouly, and Patrick Schweitzer. Probabilistic Reasoning with Graphical Security Models. Information Sciences, Elsevier (to appear), 2016.
- Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer. Attack–Defense Trees. Journal of Logic and Computation (JLC), 24(1):55–87, 2014.
- Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer. DAG-Based Attack and Defense Modeling: Don’t Miss the Forest for the Attack Trees. Computer Science Review, Elsevier, 13–14(0):1–38, 2014.
- Marc Pouly. Nenok - a software architecture for generic inference. International Journal on Artificial Intelligence Tools, 19(1):65–99, 2010.
- Barbara Kordy, Sjouke Mauw, and Patrick Schweitzer. Quantitative Questions on Attack–Defense Trees. In Taekyoung Kwon, Mun-Kyu Lee, and Daesung Kwon, editors, Information Security and Cryptology (ICISC 2012), volume 7839 of LNCS, pages 49–64. Springer, 2013.
- Barbara Kordy, Marc Pouly, and Patrick Schweitzer. A Probabilistic Framework for Security Scenarios with Dependent Actions. In Integrated Formal Methods (iFM 2014), LNCS, pages 256–271. Springer, 2014.
- Barbara Kordy, Marc Pouly, and Patrick Schweitzer. Computational Aspects of Attack–Defense Trees. In P. Bouvry, M. A. Klopotek, F. Leprevost, M. Marciniak, A. Mykowiecka, and H. Rybinski, editors, Security & Intelligent Information Systems (SIIS 2011), volume 7053 of LNCS, pages 103–116. Springer, 2012.
- Barbara Kordy, Piotr Kordy, Sjouke Mauw, and Patrick Schweitzer. ADTool: Security Analysis with Attack–Defense Trees. In Kaustubh R. Joshi, Markus Siegle, Mariëlle Stoelinga, and Pedro R. D’Argenio, editors, Quantitative Evaluation of Systems (QEST 2013), volume 8054 of LNCS, pages 173–176. Springer, 2013.
- Barbara Kordy, Sjouke Mauw, Matthijs Melissen, and Patrick Schweitzer. Attack–Defense Trees and Two-Player Binary Zero-Sum Extensive Form Games Are Equivalent. In Tansu Alpcan, Levente Buttyán, and John S. Baras, editors, Decision and Game Theory for Security (GameSec 2010), volume 6442 of LNCS, pages 245–256. Springer, 2010.
- Alessandra Bagnato, Barbara Kordy, Per Håkon Meland, and Patrick Schweitzer. Attribute Decoration of Attack–Defense Trees. International Journal of Secure Software Engineering (IJSSE), 3(2):1–35, 2012.
- Bruce Schneier. Attack Trees. Dr. Dobb’s Journal of Software Tools, 24(12):21–29, 1999.