Squeezing State Spaces of (Attack-Defence) Trees - PowerPoint PPT Presentation

SLIDE 1

Squeezing State Spaces of (Attack-Defence) Trees

Michał Knapik¹, Wojciech Penczek¹, Laure Petrucci², Teofil Sidoruk¹

¹Institute of Computer Science, Polish Academy of Sciences
²LIPN, CNRS UMR 7030, Université Sorbonne Paris Nord

LAMAS, May 10, 2020

  • M. Knapik, W. Penczek, L. Petrucci, T. Sidoruk

Squeezing State Spaces of (AD)Trees LAMAS, May 2020 1 / 11

SLIDE 2

Motivation

Attack-Defence Trees [Kordy et al., 2011, Aslanyan and Nielson, 2015]

allow for studying interactions between attacker and defender parties:
◮ performance
◮ feasibility

An agent-aware model

◮ asynchronous multi-agent systems, an automata-based formalism [Jamroga et al., 2018]
◮ extended with attributes and functions
◮ quantitative and qualitative analysis


SLIDE 3

Attack-Defence Trees

[Figure: ADTree with nodes TS, p, TF, ST, b, f, GA, h, e]

Name                    Cost    Time
TS (treasure stolen)
p (police)              €100    10 min
TF (thieves fleeing)
ST (steal treasure)             2 min
b (bribe gatekeeper)    €500    1 h
f (force arm. door)     €100    2 h
GA (get away)
h (helicopter)          €500    3 min
e (emergency exit)              10 min

Condition for TS: init_time(p) > init_time(ST) + time(GA)


SLIDE 7

Exhaustive analysis

◮ Build the EAMAS by replacing each ADTree node by an automaton
◮ State space explosion

Modelling with reduced patterns [Arias et al., 2019]: goes beyond POR!

[Figure: reduced pattern automaton for a node A with children a1, …, an: locations l0, l1, l2, …, ln, lA, l′; transitions ?a1 ok, ?a2 ok, … leading to !A ok, and ?a1 nok, ?a2 nok, …, ?an nok leading to !A nok]

Patterns state space reduction is not enough!


SLIDE 8

Outline

1 Guarded Update Systems
  General Definition
  Properties for Tree Topologies
2 Layered Reduction for Trees
3 Experiments
4 Conclusion & Perspectives


SLIDE 9

Guarded Update Systems

Asynchronous product of automata equipped with:
◮ integer variables
◮ guards: boolean formulae over linear terms on variables
◮ updates: assignments obtained by functions over variables
◮ in synchronised transitions, a variable should not be updated more than once

GUS synchronisation topology

◮ nodes: individual automata
◮ edges: connect nodes that share a synchronised transition



SLIDE 11

Properties for Tree Topologies

Precedence

Actions synchronised with children actions occur before the other ones

Root-directed Synchronisation Tree

Precedence is satisfied for the whole tree

Update separability

◮ a variable is updated in at most one component
◮ it is tested only in the ancestors of this component in the tree

ADTree topologies are root-directed and update-separable



SLIDE 13

Layered Reduction for Trees

[Figure: component automata of the example tree]
MF:  locations l0, l1, l2; transitions ?out1 (guard v ≥ 0), ?out2
MN1: locations l0, l1; transitions ?in1, !out1
MN2: locations l0, l1, l2; transitions ?in2, ?in3, ?in4, !out2
MC1: location l0; transition !in1
MC2: locations l0, l1, l2; transitions !in2, !in3 (update v := 1)
MC3: location l0; transition !in4

State space size

Full: 14 states, 19 edges
Reduced: 12 states, 14 edges



SLIDE 15

Layered Reduction for Trees

[Figure: the same component automata with the layer counters and guards added]
MF:  locations l0, l1, l2; transitions ?out1 (guard v ≥ 0), ?out2 (update d1 := d1 + 2)
MN1: locations l0, l1; transitions ?in1 (update d2 := d2 + 1), !out1 (guard d2 = 3)
MN2: locations l0, l1, l2; transitions ?in2, ?in3 (update d2 := d2 + 2), ?in4 (update d2 := d2 + 2), !out2 (guard d2 = 3)
MC1: location l0; transition !in1
MC2: locations l0, l1, l2; transitions !in2, !in3 (update v := 1)
MC3: location l0; transition !in4

State space size

Full: 14 states, 19 edges
Reduced: 12 states, 14 edges
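An added example (not from the slides or the authors' tool) that encodes the six automata above as a small guarded update system and explores the asynchronous product with rendezvous synchronisation, once without and once with the layer counter d2 and the guards d2 = 3. It assumes the final locations the slide leaves unlabelled (MN1.l2, MN2.l3, MC*.l1) and that ?in3 and ?in4 are alternative transitions out of MN2's l1; under those assumptions it reproduces the slide's numbers, 14 states / 19 edges for the full product and 12 states / 14 edges for the layered one.

```python
from itertools import product

TRUE = lambda env: True                                            # trivial guard
NOP = lambda env: env                                              # empty update
def inc(var, k): return lambda env: {**env, var: env[var] + k}    # update var := var + k
def eq(var, k): return lambda env: env[var] == k                  # guard  var = k

def system(layered):
    """Components from the slide: MF (root), MN1/MN2 (layer under it), MC1..MC3 (leaves).
    Transition = (src, action, dst, guard, update); '?x' and '!x' fire together (rendezvous).
    layered=True enables the counter d2 and the guards d2 = 3; final locations are assumed."""
    g = eq if layered else (lambda var, k: TRUE)
    u = inc if layered else (lambda var, k: NOP)
    return {
        "MF":  [("l0", "?out1", "l1", lambda e: e["v"] >= 0, NOP),
                ("l1", "?out2", "l2", TRUE, u("d1", 2))],
        "MN1": [("l0", "?in1", "l1", TRUE, u("d2", 1)),
                ("l1", "!out1", "l2", g("d2", 3), NOP)],
        "MN2": [("l0", "?in2", "l1", TRUE, NOP),
                ("l1", "?in3", "l2", TRUE, u("d2", 2)),
                ("l1", "?in4", "l2", TRUE, u("d2", 2)),
                ("l2", "!out2", "l3", g("d2", 3), NOP)],
        "MC1": [("l0", "!in1", "l1", TRUE, NOP)],
        "MC2": [("l0", "!in2", "l1", TRUE, NOP),
                ("l1", "!in3", "l2", TRUE, lambda e: {**e, "v": 1})],
        "MC3": [("l0", "!in4", "l1", TRUE, NOP)],
    }

def explore(autos):
    """Reachable asynchronous product (locations + valuation); returns (states, edges)."""
    names = list(autos)
    init = (tuple("l0" for _ in names), (("d1", 0), ("d2", 0), ("v", 0)))
    seen, todo, edges = {init}, [init], 0
    while todo:
        locs, env = todo.pop()
        env = dict(env)
        halves = {}   # action -> {'?': [(idx, trans)], '!': [(idx, trans)]} enabled here
        for i, n in enumerate(names):
            for t in autos[n]:
                if t[0] == locs[i] and t[3](env):
                    halves.setdefault(t[1][1:], {}).setdefault(t[1][0], []).append((i, t))
        for h in halves.values():  # pair every enabled '?' half with every enabled '!' half
            for (i, ti), (j, tj) in product(h.get("?", []), h.get("!", [])):
                new_locs = list(locs); new_locs[i], new_locs[j] = ti[2], tj[2]
                new_env = tj[4](ti[4](env))   # both updates; each variable touched at most once
                succ = (tuple(new_locs), tuple(sorted(new_env.items())))
                edges += 1
                if succ not in seen:
                    seen.add(succ); todo.append(succ)
    return len(seen), edges
```

The guards d2 = 3 only let a layer's !out actions fire once every input of that layer has been consumed, which is what removes the interleavings between layers.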



SLIDE 17

Experiments

Experimental setup

◮ model-checker IMITATOR (http://imitator.fr)
◮ 2.7 GHz Intel Core i7, with 16 GB of memory
◮ timeout of 30 minutes

Some case studies applying both reductions

Case study          vs. patterns             vs. full
                    % size    % reduction    % size    % reduction
treasure-hunters    47.44 %   52.56 %        13.26 %   86.74 %
forestall           24.97 %   75.03 %         2.37 %   97.63 %
iot-dev             40.90 %   59.10 %         8.53 %   91.47 %
gain-admin          No Timeout!



SLIDE 19

Scaling up Experiments

[Figure: Scalability of different reductions (2 child nodes). Logarithmic y-axis (state space size and time), x-axis: depth, width, ADT nodes. Series: both S, both T, patterns S, patterns T, layers S, layers T, no reduction S, no reduction T.]


SLIDE 20

Conclusion & Perspectives

Summary

◮ A framework for model-checking systems that manipulate data
◮ Layered reduction approach to harness state space explosion
◮ Gains confirmed by extensive experiments on Attack-Defence Trees

Future work

◮ Extend the approach to DAGs
◮ Take into account the assignment of agents to ADTree nodes
◮ Study other application domains exhibiting such topologies (e.g. workflows)
◮ Use as a basis for a compositional and parallel analysis



SLIDE 22

Bibliography


SLIDE 23

References I

Arias, J., Budde, C., Penczek, W., Petrucci, L., and Stoelinga, M. (2019). Hackers vs. Security: Attack-Defence Trees as Asynchronous Multi-Agent Systems. https://arxiv.org/abs/1906.05283.

Aslanyan, Z. and Nielson, F. (2015). Pareto Efficient Solutions of Attack-Defence Trees. In Principles of Security and Trust, volume 9036, pages 95–114. Springer Berlin Heidelberg.

Jamroga, W., Penczek, W., Dembinski, P., and Mazurkiewicz, A. W. (2018). Towards partial order reductions for strategic ability. In AAMAS 2018, pages 156–165. ACM.

Kordy, B., Mauw, S., Radomirović, S., and Schweitzer, P. (2011). Foundations of attack-defense trees. In FAST 2010, volume 6561 of LNCS, pages 80–95. Springer.
