Towards a Quantitative Approach to Attack Response, Hervé Debar - PowerPoint PPT Presentation
  1. Towards a Quantitative Approach to Attack Response
     Hervé Debar
     Using work performed during the PhD theses of Yohann Thomas, Nizar Kheir, Gustavo Gonzalez-Granadillo
     Institut Mines-Télécom

  2. « Operational security » timeline
     [Timeline figure: Anomaly Detection, Misuse Detection, Alert Correlation (too many alerts), SIEM, Diagnosis, Analytics & reaction?; axis 1980, 1990, 2000, 2005, 2010, 2015]
     2015/11/20, Institut Mines-Télécom, Towards a quantitative approach to attack response

  3. Reaction models
     ■ Alert-triggered
       ● Network-based
         − Reset connection, block flow, …
       ● System-based
         − Kill process, disable account, …
       ● Independent actions, repeated for each and every alert
         − Marginal improvement with integration in the Bro framework [RAID2015]
     ■ Policy-triggered
       ● Workflow
         − Select appropriate rule
         − Deploy rule
     ■ Issues
       ● Multiple attacks
       ● Continuous operation

  4. Dynamic reaction model
     ■ Feedback control loop [Thomas et al. 2007]
       ● Definition of a contextual security policy
       ● Contexts are influenced by IDMEF messages
       ● Deployed policies adjust configuration to attack
     ■ Pros
       ● Dynamic adjustment of posture
     ■ Issues
       ● Pre-registration of contexts, one per CVE
       ● Finding PEPs
       ● Conflict management
         − Programmatic context combination

  5. Finding the right PEPs
     ■ Problem: given a set of PEPs, which one is the best suited to handle an alert?
       ● Capability
         − In transit
           • Network (block, kill connection, …)
           • System (kill process)
         − In access
           • Authentication (directories, …)
           • Communication (DHCP address, …)
       ● Geography
         − Will the PEP intersect with the malicious activity?
     ■ Proposal [Kheir 2010]: service dependency model
       ● AADL (hierarchical) provide-require interfaces
       ● Down-the-chain: find appropriate PEP
       ● Up-the-chain: find collateral damages

  6. Challenges going forward
     ■ How to select an appropriate countermeasure from a group of candidates?
       ● Qualitative, quantitative or a combined approach?
       ● Which parameters to consider in the evaluation of security solutions?
     ■ Once a countermeasure is selected, is it possible to combine it with other solutions?
       ● How to calculate the combined countermeasure cost?
       ● How to calculate the combined mitigation level?
     ■ How to manage problems when proposing a solution that generates conflicts on the system?
       ● What to do when solutions are mutually exclusive?
     ■ How to select optimal solutions for a multiple attack scenario?
       ● How to calculate the combined attack surface?
       ● One solution or a combined solution for a multiple attack?

  7. Cost Sensitive Models

  8. Initial Return On Response Investment (RORI) Index [Kheir et al.]
     RORI = ((ICb – RC) – OC) / (CD + OC) x 100
     Where
       ● ICb: Intrusion Impact in the absence of security measures.
       ● RC: Combined Impact for both intrusion and response.
       ● CD: Response collateral damage (cost added by the countermeasure).
       ● OC: Operational cost that includes response set-up and deployment costs.
     Constraints
       ● The absolute values of ICb and RC are difficult to estimate.
       ● Evaluation of doing nothing.
       ● RORI is not normalized to the size and complexity of the infrastructure.

  9. Countermeasure Selection Model (1/2): Improved Return On Response Investment
     RORI = ((ALE x RM) – ARC) / (ARC + AIV) x 100
     Fixed parameters
       ● Annual Loss Expectancy (ALE): impact cost in the absence of countermeasures (e.g., $/year).
       ● Annual Infrastructure Value (AIV): fixed costs regardless of the implemented CMs (e.g., $/year).
     Variable parameters
       ● Risk Mitigation (RM): percentage of reduction of the total incident cost after the implementation of a countermeasure.
       ● Annual Response Cost (ARC): costs associated with a given countermeasure (e.g., $/year).

  10. Countermeasure Selection Model (2/2): Improved Return On Response Investment
      RORI = ((ALE x RM) – ARC) / (ARC + AIV) x 100
      Improvements
        ● The ICb – RC parameters are substituted by ALE x RM, which reduces error magnitude.
        ● The introduction of AIV handles the case of selecting no countermeasure.
        ● The AIV provides a response relative to the size of the infrastructure.
      ALE: Annual Loss Expectancy; AIV: Annual Infrastructure Value; RM: Risk Mitigation; ARC: Annual Response Cost

  11. Countermeasure Selection Process
      ■ Limitations
        ● Accuracy in the estimation of the different RORI parameters.
        ● The process does not consider inter-dependence among countermeasures.
        ● RORI does not discuss restrictions or conflicts between countermeasures.
        ● RORI limits the action to only one countermeasure over a given attack.

  12. Sensitivity Analysis (1/3)
      ■ RORI = ((ALE x RM) – ARC) / (ARC + AIV) x 100
      Worst scenario: ALE x RM << ARC  →  RORI ≈ –ARC / (ARC + AIV)
      Perfect mitigation: RM = 1, ARC = 0  →  RORI = ALE / AIV
        ● If ALE x RM = ARC → RORI = 0
        ● If ALE x RM < ARC → RORI < 0
        ● If ALE x RM > ARC → RORI > 0

  13. Sensitivity Analysis (2/3): Main Results
      RORI = ((ALE x RM) – ARC) / (ARC + AIV) x 100
      ARC vs. AIV
        ● If ARC << AIV → RORI ≈ (ALE x RM) / AIV   (weak)
        ● If ARC >> AIV → RORI ≈ ((ALE x RM) – ARC) / ARC   (strong)
      ALE vs. AIV
        ● If ALE << AIV → RORI ≈ –ARC / (ARC + AIV)   (negative)
        ● If ALE >> AIV → RORI ≈ ((ALE x RM) – ARC) / ARC   (positive)

  14. Sensitivity Analysis (3/3): Main Results
      RORI = ((ALE x RM) – ARC) / (ARC + AIV) x 100
      ALE vs. ARC
        ● If ALE << ARC → RORI ≈ –ARC / (ARC + AIV)   (negative)
        ● If ALE >> ARC → RORI ≈ (ALE x RM) / AIV   (positive)
      Risk Mitigation (RM)
        ● If RM increases → RORI ≈ (ALE – ARC) / (ARC + AIV)   (positive)
        ● If RM decreases → RORI ≈ –ARC / (ARC + AIV)   (negative)

  15. Multiple counter-measures?
      We do not go from 0 to 1, but from n to n+1

  16. How to combine two or more countermeasures?
      ● Annual Response Cost (ARC): ARC = ∑ (direct cost + indirect cost)
      ● Risk Mitigation (RM): RM = Surface Covered x Efficiency
      No exact values → Approximations
                        Optimistic                   Average                       Pessimistic
      ARC(CM1 ⋃ CM2) =  max{ARC(CM1), ARC(CM2)}      (ARC(CM1) + ARC(CM2)) / 2     ARC(CM1) + ARC(CM2)
      RM(CM1 ⋃ CM2)  =  RM(CM1) + RM(CM2)            (RM(CM1) + RM(CM2)) / 2       max{RM(CM1), RM(CM2)}

  17. Combinatorial Axioms
      [Venn diagram: CM1, CM2, overlap CM1 ⋂ CM2]
      Axiom 1: The cost of a combined countermeasure is equal to the sum of all individual countermeasures' costs.
        ARC(C1 ⋃ C2) = ARC(C1) + ARC(C2)
      Axiom 2: The risk mitigation (RM) for a combined solution is calculated by adding the effectiveness (EF) of countermeasures over the different surfaces they cover (SC) minus their intersection.
        RM(C1 ⋃ C2) = SC(C1) x EF(C1) + SC(C2) x EF(C2) – SC(C1 ⋂ C2) x min{EF(C1), EF(C2)}
        SC(C1 ⋂ C2) = (SC(C1 ⋂ C2)MIN + SC(C1 ⋂ C2)MAX) / 2
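Worked example, added here and not part of the presentation: the improved RORI index of slide 9, the RM = Surface Covered x Efficiency decomposition of slide 16, and the two combinatorial axioms of slide 17 applied to rank "do nothing", each single countermeasure and each pair. The countermeasure names, the ALE/AIV figures and the (SC_MIN, SC_MAX) overlap bounds are constructed inputs, not values from the slides.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Countermeasure:
    name: str
    arc: float  # Annual Response Cost of this CM ($/year), slide 9
    sc: float   # Surface Covered, fraction of the attack surface in [0, 1]
    ef: float   # Efficiency (EF) of the CM on the surface it covers, in [0, 1]

    @property
    def rm(self) -> float:
        return self.sc * self.ef  # slide 16: RM = Surface Covered x Efficiency

def rori(ale: float, aiv: float, rm: float, arc: float) -> float:
    """Improved RORI index (slide 9) as a percentage."""
    return (ale * rm - arc) / (arc + aiv) * 100.0

def combine(c1: Countermeasure, c2: Countermeasure, sc_min: float, sc_max: float):
    """Axioms 1 and 2 (slide 17). sc_min/sc_max bound SC(C1 ⋂ C2); the axiom uses their mean."""
    arc = c1.arc + c2.arc                              # Axiom 1
    sc_inter = (sc_min + sc_max) / 2.0                 # SC(C1 ⋂ C2)
    rm = c1.rm + c2.rm - sc_inter * min(c1.ef, c2.ef)  # Axiom 2
    return (f"{c1.name}+{c2.name}", rm, arc)

def rank(ale: float, aiv: float, cms: list, overlaps: dict) -> list:
    """Rank 'no countermeasure', each single CM and each pair by RORI (best first)."""
    candidates = [("none", 0.0, 0.0)]  # doing nothing: RM = 0, ARC = 0 -> RORI = 0
    candidates += [(c.name, c.rm, c.arc) for c in cms]
    for c1, c2 in combinations(cms, 2):
        lo, hi = overlaps.get(frozenset((c1.name, c2.name)), (0.0, 0.0))
        candidates.append(combine(c1, c2, lo, hi))
    scored = [(n, rm, arc, rori(ale, aiv, rm, arc)) for n, rm, arc in candidates]
    return sorted(scored, key=lambda t: t[3], reverse=True)

# Constructed sample figures (hypothetical; not from the presentation)
ALE, AIV = 100_000.0, 50_000.0
CMS = [
    Countermeasure("fw_rule", arc=5_000.0, sc=0.6, ef=0.8),
    Countermeasure("patch", arc=20_000.0, sc=0.5, ef=0.95),
    Countermeasure("disable_acct", arc=1_000.0, sc=0.2, ef=0.9),
]
OVERLAPS = {  # (SC_MIN, SC_MAX) bounds on the surface two CMs both cover
    frozenset(("fw_rule", "patch")): (0.3, 0.5),
    frozenset(("fw_rule", "disable_acct")): (0.1, 0.2),
    frozenset(("patch", "disable_acct")): (0.0, 0.1),
}
if __name__ == "__main__":
    for name, rm, arc, r in rank(ALE, AIV, CMS, OVERLAPS):
        print(f"{name:22s} RM={rm:.3f} ARC={arc:>8.0f} RORI={r:7.2f}%")
```

With these inputs the pair fw_rule+disable_acct (RORI ≈ 85.7%) outranks the best single countermeasure fw_rule (≈ 78.2%), which is the n to n+1 situation of slide 15; the "none" row evaluates to 0, the case AIV was introduced to handle.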
