Beyond attack trees: dynamic security modeling with Boolean logic Driven Markov Processes (BDMP)

Ludovic Piètre-Cambacédès (1,2), Marc Bouissou (1)

(1) Electricité de France (EDF) R&D, Clamart, France
(2) Institut Telecom, Telecom ParisTech, CNRS LTCI, Paris, France
{ludovic.pietre-cambacedes, marc.bouissou}@edf.fr

Abstract— Boolean logic Driven Markov Processes (BDMP) are a powerful modeling tool used in the reliability and safety domains. We propose to take advantage of their capabilities to go beyond the traditional techniques used to model attack scenarios. In particular, we show how this new approach can be seen as preferable to attack trees and Petri net-based methods. Attack trees are inherently static and limited to independent events, whereas BDMP are dynamic and can take into account simple dependences. This allows the modeling of attack sequences, but also of defensive aspects such as detections. Petri net-based approaches are highly flexible but often lack readability and scalability; BDMP representations are close to attack trees, inheriting their readability and easy appropriation. Moreover, BDMP have mathematical properties leading to drastic reductions of combinatorial problems, allowing efficient scenario processing and time-dependent quantifications. Finally, limits and improvement perspectives are discussed.

Keywords— security, attack trees, BDMP, dynamic modeling.

I. INTRODUCTION

Formal graphical modeling of attacks is a precious tool for security analysts. It can help qualitatively by structuring the analysis and ensuring a better coverage of the attack possibilities, and in some cases provide a framework for quantitative considerations. In particular, any rigorous security risk analysis involves some sort of attack scenario identification and likelihood evaluation. Formal graphical attack modeling techniques can provide prime support in these tasks. In [1], we introduced the promising potential of adapting the BDMP (Boolean logic Driven Markov processes) formalism, initially used in reliability and safety engineering, to the security domain. The present article provides both the theoretical foundations and an overview of the wide modeling capabilities of such a use. It is structured as follows. Section II gives a review of the main existing attack modeling techniques. Section III provides the theoretical background needed to use BDMP in a security context; a basic use-case is then introduced. Section IV deals with quantifications and advanced modeling capabilities; they are illustrated with the use-case introduced earlier. Section V compares our approach to classical attack trees and Petri net-based models. Finally, present limits, on-going developments and perspectives are discussed in Section VI, before concluding the paper.

II. A REVIEW OF FORMAL GRAPHICAL SECURITY MODELS

A. Historical perspective and key developments
Graphical representations of computer attacks can be traced back about 25 years, to the early concerns for computer security of the US Department of Defense and its standards [2]. Inspired by this work and by the fault trees of the reliability area, threat trees were defined and used in the early 90's [3, 4]. Dacier et al published in 1994 the first mathematically sound graphical formal security model with Privilege Graphs [5]. At the end of the 90's, Philipps et al developed computer-aided attack graph construction, capturing dynamic attack behaviors while helping the analyst by providing template libraries and automated template matching procedures [6, 7]. In the same period, attack trees were put in the limelight by Schneier [8, 9]: directly inspired by fault trees and threat trees, they soon gained a wide popularity and have since been applied to all sorts of contexts (e.g. protocol security [10], online banking [11], Supervisory Control And Data Acquisition (SCADA) systems [12, 13] or ad-hoc networks [14]). Their ease of appropriation and the numerous examples found in the literature make attack trees one of the dominant paradigms. In fact, their main alternatives rely on the use of Petri nets, first proposed for security modeling by Ho et al for intrusion detection [15], and in the form of attack nets by McDermott in 2000 [16]. Numerous derivatives have since meaningfully extended these works [17-19], while direct connections have recently been established between attack trees and Petri net-based approaches [20, 21]. In addition to attack trees and Petri net-based approaches, several alternatives have since been introduced. From 2002, attack-graph generation by model-checking entered the scene with the work of Sheyner et al [22] and Amman et al [23] (see [24] for a review). It is still a very active field of research (e.g. [25-27]). Compromise graphs with a hybrid Time-To-Compromise metric were developed by McQueen et al in 2006 [28], and associated to an attack zone state-space model by Leversage and Byres [29]. Bayesian networks were used to model network security issues in [30-32]. Dynamic Fault Trees (DFT) have recently been considered by Khand [33] in the area, although without addressing quantification issues.

B. A Large Spectrum of Techniques
The previous paragraph gives a good idea of the extreme diversity of the existing graphical security models. Table I is an attempt to structure them, grouping the cited references under generic categories, and pointing to new ones when relevant. It does not aim to be exhaustive but rather to provide an indicative overview of the available techniques in the domain. A first differentiation can be made between static (or structural) models, which do not take into account the time dimension, and dynamic (or behavioral) ones, which do. The latter models have themselves been subjectively grouped under two large categories: "low level" approaches, usually involving graphs with numerous states and machine-oriented representations, and "high level" ones, with compact representations, optimized for human interpretation.

TABLE I. MODELS CATEGORIZATION

Type | Family | Model names and references
Static/Structural | Attack trees (AT) | Threat tree, Vulnerability tree [3, 4], Augmented vulnerability tree [12], AT definitions [8, 9, 34-36], AT applications [11-14], Defense tree [37], Protection tree [11]
Static/Structural | Bayesian net. | [30], Defense graphs [31], [38]
Dynamic/Behavioural, "Low level" (state-graphs) | Stochastic state-space models | Privilege graph [5, 39], Compromise graph [28], State-space predator model [29]
Dynamic/Behavioural, "Low level" (state-graphs) | "Model-checking" enabled | Attack graph [22-27], Logical attack graph [25], Coordinated attack graph [40]
Dynamic/Behavioural, "High level" (compact) | Computer-assisted design | [6, 7], Goal-inducing attack chains [41]
Dynamic/Behavioural, "High level" (compact) | Petri net-based | [15], attack net [16], PE net [21], [42]
Dynamic/Behavioural, "High level" (compact) | Dynamic Bayesian net. | [32]
Dynamic/Behavioural, "High level" (compact) | DFT-based | [33]

All those approaches enable different balances between readability, scalability, modeling power and quantification capabilities. Our proposal based on BDMP, presented in the rest of this paper, can claim an attractive trade-off with respect to these criteria.

III. DYNAMIC SECURITY MODELING WITH BDMP

A. Short Presentation of BDMP
BDMP are a formal graphical model originally used in the reliability and safety areas. They assign a new semantics to the traditional graphical representation of fault trees [43], augmented by a new kind of links. These links are called "triggers" and are represented by dotted arrows. In a first approach, they allow the modeling of sequences and simple dependencies by conditionally "activating" sub-trees of the global structure. A more precise definition is given in paragraphs B.1) and B.2) of this section. In fact, they enable the analyst to combine conventional fault trees and Markov models in a brand new way. The BDMP formalism has two advantages over conventional models used in dependability assessment: it allows the definition of complex dynamic models while remaining nearly as readable and easy to build as fault trees, and it enables efficient processing for BDMP that are equivalent to Markov processes with huge state spaces. In particular, it allows obtaining relevant qualitative information in the form of minimal sequences leading to the occurrence of the top event. The formal and original definition of BDMP, the demonstration of their mathematical properties, and several examples of their modeling power and ease of use are presented in [44]. BDMP can be used to build models simply and quickly for many situations that are very common in dependability studies, e.g. standby redundancies (simple or in cascade), common cause failures in function or at startup, multiphase functioning or mutually exclusive failure modes. At EDF, they have been the core of dozens of quantitative dependability analyses of complex, reconfigurable and repairable systems. These systems include power substations and electrical supplies of data centers [45], manufacturing plants, offshore windmill farms, safety systems of nuclear power plants and hydraulic safety systems of dams.

B. The BDMP Formalism Applied to Security
BDMP originally assign a new semantics to the traditional graphical representation of fault trees. It is also possible to take advantage of this formalism in the security field by modifying the traditional attack tree semantics. The general idea of BDMP applied to security is to associate a Markov process to each leaf of an attack tree. The leaves represent attack steps, or in some cases security events, as described in 3) and 4). The attack tree is the "structure function" of the system. The basic Markov processes have the following specificities:
• They have two "modes", corresponding to the fact that the attack steps they model are on-going, or not yet undertaken by the attacker. As a consequence, we will call them "Active" and "Idle" modes. In the theoretical framework presented in this section, we will also refer to them respectively as mode 1 and mode 0.
• At any time, the mode of each of the Markov processes (unless it is independent) depends on the value of a Boolean function of other processes. When the processes are independent, the model corresponds to a classical attack tree whose leaves are associated to independent Markov processes.

1) The elements of a BDMP
A security-oriented BDMP (A, r, T, P) is made of: a multi-top coherent attack tree A; a main top event r of A; a set T of triggers; a set P of "triggered Markov processes" $P_i$ associated to the leaves of A; and the definition of two categories of states for the processes $P_i$. A trigger is represented graphically by a dotted arrow. The origin and the target of a trigger can be any gate or leaf of A. However, two triggers must not have the same target. This means that it is sometimes necessary to create a secondary top (like G1 in Fig. 1) whose only function is to define the origin of a trigger.

Figure 1. Example of a simple BDMP. (Nodes: main top r, gates G3, G2 and G1, leaves f1, f2, f3 and f4; one trigger from G1 to G2.)

Fig. 1 is an example of the graphical representation of all the notions of BDMP. In this example, we have an attack tree with two tops: r (the main one) and G1. The basic attack steps are f1, f2, f3, and f4: they can belong to one of the two standard triggered Markov processes defined below. There is only one trigger, from G1 to G2.

2) General definition of a "triggered Markov process"
Such a process $P_i$ is associated to each leaf of the attack tree. $P_i$ is the following set of elements:
• $\{Z_0^i(t), Z_1^i(t), f_{0\to 1}^i, f_{1\to 0}^i\}$, where $Z_0^i(t)$ and $Z_1^i(t)$ are two homogeneous Markov processes with discrete state spaces. For $k \in \{0,1\}$, the state space of $Z_k^i(t)$ is $A_k^i$. Each $A_k^i$ contains a subset $S_k^i$ which generally corresponds to attack success states of the attack step modeled by the process $P_i$.
• $f_{0\to 1}^i$ and $f_{1\to 0}^i$ are two "probability transfer functions" defined as follows:
  - for any $x \in A_0^i$, $f_{0\to 1}^i(x)$ is a probability distribution on $A_1^i$, such that if $x \in S_0^i$, then $\sum_{j \in S_1^i} \left(f_{0\to 1}^i(x)\right)(j) = 1$;
  - for any $x \in A_1^i$, $f_{1\to 0}^i(x)$ is a probability distribution on $A_0^i$, such that if $x \in S_1^i$, then $\sum_{j \in S_0^i} \left(f_{1\to 0}^i(x)\right)(j) = 1$.

Such a process is said to be "triggered" because it switches instantaneously from one of its modes to the other one, via the relevant transfer function, according to the state of some externally defined Boolean variable, called "process selector". For example, when the process $Z_0^i$ is in a given state x, if the process selector changes from 0 to 1, $f_{0\to 1}^i(x)$ defines the set of states of $A_1^i$ that $P_i$ can go to (instantaneously) with the associated probabilities. From that instant, $Z_0^i$ is no longer relevant, and the state of $P_i$ is defined by $Z_1^i$. The next two subsections present concrete examples. The process selectors are defined by means of triggers. A trigger can modify the mode of the processes associated to the leaves of the sub-tree it points at, when the event that is the origin of the trigger changes from FALSE to TRUE (or conversely). The complete definition of the semantics of a BDMP, in particular when there are several triggers, can be found in [44]. Several triggered processes are also described there, in particular the "warm standby leaf" and the "on-demand repairable failure leaf" often used in reliability and safety studies. In 3) and 4), we focus on simpler leaves which are sufficient to use BDMP in security contexts. In fact, our approach makes use of only a small subset of the BDMP capabilities, as explained in Section IV.

3) The "attack step" leaf
This leaf is an adaptation of the "cold-standby non-repairable leaf" [44] to the security context. It is used to model an attack step towards the main attack goal of the BDMP. The Active mode corresponds to ongoing attempts by an attacker to realize a given attack step, for which the time needed for a success is exponentially distributed with parameter λ. The corresponding possible states in this mode are "Ongoing" (O) and "Success" (S). The Idle mode of this leaf simply represents the fact that no action of this sort is taken at this stage by the attacker. In this mode, the attack step can only be in a unique state called "Potential" (P). Figure 2 represents the corresponding Markov model and the associated graphical representation.

Figure 2. The "attack step" leaf: Markov model and associated icon. (Idle mode: single state P; Active mode: states O and S, with the transition O → S of rate λ.)

The associated transfer function $f_{0\to 1}$ is as follows:

$f_{0\to 1}(P) = \{\Pr(O) = 1, \Pr(S) = 0\}$   (1)

Equation (1) means that when the value of the process selector changes from 0 (Idle) to 1 (Active), the attack step state goes from Potential to Ongoing with probability 1. There is no need to define the transfer function $f_{1\to 0}$, since an attack step is never "undone" in our models: the process selector never returns from 1 to 0.

4) The "instantaneous security event" (ISE) leaf
This leaf is an adaptation of the "on-demand non-repairable failure" leaf of the original BDMP definition [44] to security issues. It is used in advanced security modeling (cf. Section IV) to take into account security events, such as detections, that can happen instantaneously, with a probability γ, when the process selector changes from 0 to 1. In Idle mode, the security event cannot occur and stays in the state "Potential" (P). In the Active mode, the event is either "Realized" (R) or "Not-Realized" (N). Figure 3 represents the corresponding Markov model and the associated graphical representation.

Figure 3. The I.S.E. leaf: Markov model and associated icon. (Idle mode: single state P; Active mode: states N and R.)

With this leaf, state changes cannot be "spontaneous"; they are necessarily the result of the application of the transfer function $f_{0\to 1}$, consecutive to a mode change. The associated transfer function $f_{0\to 1}$ is as follows:

$f_{0\to 1}(P) = \{\Pr(N) = 1 - \gamma, \Pr(R) = \gamma\}$   (2)

In this case again, the definition of $f_{1\to 0}$ is superfluous. The simple use of the two kinds of leaves described above opens a wide scope of security modeling possibilities, as illustrated in the next paragraph and in Section IV.

C. A Basic Example of Attack Modeling with BDMP
Fig. 4 gives a simplified example of attack modeling with the BDMP formalism. The attack objective is to take ownership of a Remote Access Server (RAS) connected to a dial-in modem. This example is intended to show how attack sequences can be easily represented and taken into account with BDMP. For the sake of conciseness, only a few security techniques and attack scenarios are represented here. The attack steps are modeled by "attack step" leaves, described previously. Their realization leads to the top event through the logical structure function embodied by the logical gates. It is conditioned by the activation, through the triggers, of the Active mode of the associated processes. Indeed, the triggers allow a clear representation of the attack sequences: the Wardialing attack step must succeed first before the right-hand sub-tree is "activated", i.e. its attack step leaves are put in Active mode. Recursively, the second trigger makes the Exploit_vulnerability attack step active only when the attacker has succeeded in the step Find_vulnerability.

Figure 4. RAS attack basic modeling with BDMP. (Nodes: RAS_ownership (main top), Logged_into_the_RAS, RAS_access_granted, Wardialing, Authentication_with_password, Bruteforce, Social_engineering, Vulnerability_found_and_exploited, Find_vulnerability and Exploit_vulnerability; one trigger from Wardialing to the right-hand sub-tree, one from Find_vulnerability to Exploit_vulnerability.)

Note that the hierarchical nature of the model makes it possible to choose the degree of detail and decomposition of the attack steps. In Fig. 4 for instance, the attack step Social_engineering could have been decomposed into much more detailed sub-steps.

IV. QUANTIFICATIONS AND ADVANCED MODELING

A. Software Support for BDMP Modeling
EDF has developed the KB3 software suite for dependability studies [46]. It enables the automatic construction of structural or behavioral models by graphical assembly of elementary components described in knowledge bases. Knowledge bases contain generic descriptions of the components typically encountered in a given kind of study. They allow modularity and expert knowledge reusability. They are written in FIGARO, an object language developed by EDF [47], specifically designed to build stochastic models. A specific knowledge base has been developed to implement the BDMP formalism. It allows easy graphical modeling, interactive simulation and automatic processing for quantification.

B. Time Dependent Quantifications
1) Sequence exploration and trimming
In essence, BDMP can be seen as a compact and readable representation specifying potentially huge Markov chains. The main problem with Markov analysis is the combinatorial explosion of the state space, which usually severely limits the use of matrix-based analytical methods. This led EDF to develop FigSeq [48], a tool designed and optimized to process large Markovian models by an original analytical method: the search and quantification of sequences leading the system to an undesirable state. This method allows making controlled approximations by limiting the sequence exploration to those sequences having a probability greater than a given threshold; besides, it considerably helps in the model validation and in the detection of the most critical vulnerabilities of a system. For small models like those given in this article, exact calculations can be made by exploring the sequences exhaustively and using the closed-form expressions for the probabilities of sequences given in [49]. Nevertheless, the method used by FigSeq, even if it is very efficient on large Markov models, has its limits. BDMP bring further enhancement thanks to their native trimming mechanism. The combinatorial explosion in the processing needed to quantify a BDMP model is considerably limited by the use of the notion of relevant event, and the associated trimming mechanism [44, 46]. For instance, as soon as one of the sons of an OR gate, modeling different attack technique possibilities for a given intermediate objective, takes the value "true", the values of the other sons (and their descendants) are not "relevant" anymore; the corresponding events are then inhibited. In fact, the trimming of irrelevant leaves generally corresponds to the inhibition of additional attack attempts on an already successful attack phase. This simplification is meaningful and considerably limits combinatorial explosion issues. The analysis by sequences allows us to compute the probability for the attacker to reach his objective in a given time, the probability of each explored sequence and the overall mean time to attack success (summing the mean durations of the sequences weighted by their asymptotic probability). In every case, upper bounds on the errors can be computed. BDMP with more than 100 leaves are routinely processed in reliability studies at EDF: the method should also be scalable in security applications.

2) The "Mean Time To Attack Step Realization" metric
In order to take advantage of the mathematical properties of BDMP and the full capabilities of the associated software tools, Markov processes must be used, as previously indicated in the leaf descriptions. This involves in particular exponential distributions to model attack step durations. This hypothesis is specifically discussed in Section VI. Similarly to the Mean Time To Breach (MTTB) defined in [50], the Mean Effort To Security Failure (METSF) used in [5, 39] or the Mean Time To Security Failure (MTTSF) in [51], it is then possible to define the MTTASR, Mean Time To Attack Step Realization, of an "attack step leaf" i by MTTASRi = 1/λi, with λi the parameter of the exponential distribution associated to its Markov process.

3) Example of time dependent quantifications
In this framework, the quantifications allowed by BDMP and the KB3 software suite can be illustrated with the previous RAS attack example (Fig. 4). For this purpose, the following parameters have been arbitrarily chosen for the different attack steps, with the second as time unit:
• For the Bruteforce, Find_vulnerability and Exploit_vulnerability attack steps: λ = 10^-4, which corresponds to a MTTASR of about 2.8 h;
• For Wardialing: λ = 10^-5, i.e. MTTASR of about 28 h;
• For the Social_engineering attack on the password: λ = 5·10^-6, i.e. MTTASR of about 55 h.
With such values, the overall MTTASR is 1.07 × 10^5 s, i.e. about 30 hours, whereas the probability for the attacker to reach his objective in one day is about 0.55. Note that such a probability can be computed for any arbitrary time. Table II lists the different sequences of events leading to a successful RAS attack, in a one-day mission time (86400 s).
They are ordered by their respective contributions, indicated in the last column, to the overall probability of success for the attacker. The average duration of each attack sequence is also indicated. These figures have been obtained by FigSeq (cf. Section IV.B.1).

TABLE II. SEQUENCES QUANTIFICATION BY FIGSEQ

Sequence (attack steps) | λ of each step | Probability in mission time | Average duration after init. | Contribution
[Wardialing, Bruteforce] | 10^-5, 10^-4 | 0.2717 | 4.878 × 10^3 | 0.4977
[Wardialing, Find_vuln, Bruteforce] | 10^-5, 10^-4, 10^-4 | 0.1272 | 9.756 × 10^3 | 0.2329
[Wardialing, Find_vuln, Exploit_vuln] | 10^-5, 10^-4, 10^-4 | 0.1272 | 9.756 × 10^3 | 0.2329
[Wardialing, Social_eng.] | 10^-5, 5·10^-6 | 0.0136 | 4.878 × 10^3 | 0.02487
[Wardialing, Find_vuln, Social_eng.] | 10^-5, 10^-4, 5·10^-6 | 0.0064 | 9.756 × 10^3 | 0.01164
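To make the quantification above reproducible, the following Python program is an added example (not the paper's KB3/FigSeq tooling) that encodes the Fig. 4 BDMP with the rates of Section IV.B.3, explores the attack sequences exhaustively, and computes for each sequence its probability within the one-day mission time, its mean duration after the Wardialing stage and its contribution, plus the overall mean time to attack success. The structure function, the trigger rules and all function names are this example's reconstruction from the text and Table II; the probability that a sequence completes within the mission time is obtained by uniformization of the chain of stage holding times rather than by the closed-form expressions of [49], because two stages here share the same total rate.

```python
import math

# Constructed encoding of the RAS attack BDMP of Fig. 4 with the leaf rates of
# Section IV.B.3 (per second). Added example, not the paper's KB3/FigSeq code.
LAMBDA = {
    "Wardialing": 1e-5,
    "Bruteforce": 1e-4,
    "Social_engineering": 5e-6,
    "Find_vulnerability": 1e-4,
    "Exploit_vulnerability": 1e-4,
}
MISSION_TIME = 86400.0  # one day, as in Table II


def top_event(done):
    """Structure function reconstructed from Table II: RAS_ownership is reached
    once Wardialing has succeeded and either a password attack or the
    find-then-exploit pair has succeeded."""
    return "Wardialing" in done and (
        "Bruteforce" in done
        or "Social_engineering" in done
        or ("Find_vulnerability" in done and "Exploit_vulnerability" in done)
    )


def active_leaves(done):
    """Process selectors induced by the two triggers: the right-hand sub-tree
    enters Active mode once Wardialing succeeds, Exploit_vulnerability once
    Find_vulnerability succeeds. Leaves already in state Success are excluded."""
    if "Wardialing" not in done:
        return {"Wardialing"}
    active = {"Bruteforce", "Social_engineering", "Find_vulnerability"}
    if "Find_vulnerability" in done:
        active.add("Exploit_vulnerability")
    return active - done


def explore_sequences(done=frozenset(), path=(), branch=1.0, rates=()):
    """Exhaustive sequence exploration. A sequence is (ordered attack steps,
    branching probability, total exit rate of each stage). Stopping at the top
    event is the trimming of irrelevant events for this model: once the OR is
    true, the remaining password/vulnerability attempts are inhibited."""
    if top_event(done):
        return [(path, branch, rates)]
    active = active_leaves(done)
    total = sum(LAMBDA[leaf] for leaf in active)  # exit rate of this stage
    sequences = []
    for leaf in sorted(active):  # race between the active exponential steps
        sequences += explore_sequences(
            done | {leaf}, path + (leaf,), branch * LAMBDA[leaf] / total, rates + (total,))
    return sequences


def prob_chain_completes_by(rates, t, tol=1e-12):
    """P(sum of independent Exp(rate_k) <= t) for the stage holding times of a
    sequence, by uniformization of the linear chain of stages. Unlike the
    closed-form hypoexponential CDF it is valid for repeated rates, which occur
    here (stages 2 and 3 both have total rate 2.05e-4)."""
    n = len(rates)
    gamma = max(rates)             # uniformization rate
    p = [1.0] + [0.0] * n          # start in stage 0; stage n is absorbing
    weight = math.exp(-gamma * t)  # Poisson(k = 0; gamma * t)
    mass, k, acc = weight, 0, 0.0
    while True:
        acc += weight * p[n]
        if mass >= 1.0 - tol:      # remaining Poisson mass is below tol
            return acc
        nxt = [0.0] * (n + 1)      # one step of the uniformized DTMC
        for i in range(n):
            nxt[i] += p[i] * (1.0 - rates[i] / gamma)
            nxt[i + 1] += p[i] * rates[i] / gamma
        nxt[n] += p[n]
        p = nxt
        k += 1
        weight *= gamma * t / k
        mass += weight


def quantify(t=MISSION_TIME):
    """Returns (overall probability of success within t, rows) where rows maps a
    sequence to (probability within t, mean duration after the Wardialing
    stage, contribution to the overall probability)."""
    rows = {}
    for path, branch, rates in explore_sequences():
        prob = branch * prob_chain_completes_by(rates, t)
        rows[path] = (prob, sum(1.0 / r for r in rates[1:]))
    total = sum(prob for prob, _ in rows.values())
    return total, {path: (prob, mean, prob / total) for path, (prob, mean) in rows.items()}


def mean_time_to_attack_success():
    """Mean time to the top event: mean sequence durations weighted by the
    sequences' asymptotic probabilities (here, their branching probabilities)."""
    return sum(branch * sum(1.0 / r for r in rates)
               for _, branch, rates in explore_sequences())


if __name__ == "__main__":
    total, rows = quantify()
    for path, (prob, mean, contrib) in sorted(rows.items(), key=lambda kv: -kv[1][2]):
        print(f"{list(path)}: P={prob:.4f}, mean after init={mean:.0f} s, contribution={contrib:.4f}")
    print(f"P(success within one day) = {total:.3f}")
    print(f"mean time to attack success = {mean_time_to_attack_success():.0f} s")
```

Running the script reproduces the five sequences of Table II with their probabilities and mean durations, an overall one-day success probability of about 0.55 and a mean time to attack success of about 1.07 × 10^5 s. The reconstruction of the mean is worth noting: since every sequence ends in success, it reduces to the Wardialing stage plus one second stage plus a third stage weighted by the probability that Find_vulnerability wins the race after Wardialing.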

C. Time-independent and Attack Tree-like Quantifications
In addition to time-dependent quantifications, BDMP also allow the computation of time-independent metrics, classically associated to attack trees. Their general principle consists in attributing different static values (discussed later on) to the attack tree leaves, and either "propagating" them towards the top following specific rules depending on the nature of the values and the gates [11], or using them along given paths towards the top event for scenario analysis purposes [52]. New quantitative information can then be computed about the global attack tree or the different attack scenarios. Of course, a first kind of value attributed to attack tree leaves corresponds to fixed probabilities: once the minimal cut sets are computed by techniques commonly employed with fault trees [43], they allow ranking of the most probable scenarios, provided the steps are considered independent [52]. We will not consider these values here, as this aspect is already covered in BDMP by the parameters of the stochastic processes associated to the leaves. In addition to such values, many other quantifications and attack tree calculations have been proposed in the literature. Cost and Boolean indicators are certainly among the first and most widely used (e.g. [9]). The former usually consists in defining a monetary cost for the attacker for each possible attack step, in order to compute the total cost of an attack scenario, or the global mean cost to reach the objective. The latter consists in marking each leaf with a Boolean indicator corresponding to a specific property or requirement, for instance the need for internal knowledge, insider support, or the need for a specific tool or piece of information. Once the scenarios of interest are identified (by means of minimal cut-set computation in the case of attack trees, by sequence exploration for BDMP), it is then possible to know whether they imply the associated property or requirement. Consolidated analysis can also be made about the overall structure. A third example deals with attacker skills: each attack step can be labeled with a minimum necessary attack skill level, fixed on an arbitrary scale (e.g. an explicit one like "low / intermediate / high / expert") [9, 11]. It is then possible to establish a minimum skill level for a given attack scenario, by taking the maximum value among the leaves forming the considered scenario. Note that this complements other parameters reflecting the attacker profile, in particular the MTTASR. In fact, it is possible to generalize these examples as particular cases of respectively continuous, Boolean and discrete indicators. Many instantiations of these types can be defined by the analyst, provided their behavior is mathematically specified for quantification (e.g. by sum, min, max, arithmetic average, etc.). For instance, [11] makes use of cost, impact and risk values, but also probability of detection, technical skill required, inconvenience to user and damage cost to the system. [12] defines a "threat impact" and a "cyber-vulnerability index". In every case, these indicators can support the analyst in defining filtering criteria and thresholds to sort and better characterize attack scenarios. For example, one may want to consider only attack scenarios below a maximum cost threshold, reflecting a given attacker profile, or excluding insider collaboration. In fact, the sequence exploration approach, described in IV.A and the natural support for BDMP quantification, makes these calculations straightforward. Filtering criteria can be applied as post-treatments on the raw results of the sequence exploration, but also embedded into the sequence exploration computation, leading to faster processing by potential extra pruning. This last approach has not been implemented yet, but is identified as an interesting perspective, pushing further the capabilities of the KB3/FigSeq software tool suite. More generally, the use of metrics and indicators as presented in this paragraph can considerably enrich the analysis, and may turn sequence ranking into a multi-factor optimization problem. Several approaches can then be adopted (e.g. [11, 53]).
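The post-treatment use of indicators described in this paragraph, as an added Python example that is not part of the paper: each leaf of the RAS attack of Fig. 4 carries a continuous indicator (cost), a discrete one (skill on the "low / intermediate / high / expert" scale) and a Boolean one (insider support needed); the combination rule of each type (sum, max on the scale, OR) is applied along the five sequences of Table II, and the result is filtered against an attacker profile. The indicator values and the function names are constructed for this example and are not figures from the paper.

```python
# Constructed leaf indicators for the RAS attack steps of Fig. 4, illustrating
# the continuous / discrete / Boolean indicator types of Section IV.C. The
# values are invented for this added example and are not the paper's figures.
LEAF_INDICATORS = {
    "Wardialing":            {"cost": 50,  "skill": "low",          "insider": False},
    "Bruteforce":            {"cost": 200, "skill": "intermediate", "insider": False},
    "Social_engineering":    {"cost": 100, "skill": "high",         "insider": True},
    "Find_vulnerability":    {"cost": 400, "skill": "expert",       "insider": False},
    "Exploit_vulnerability": {"cost": 300, "skill": "high",         "insider": False},
}
SKILL_SCALE = ["low", "intermediate", "high", "expert"]

# Combination rule per indicator type: continuous -> sum over the steps,
# discrete -> maximum on the ordered scale, Boolean -> OR (the scenario
# requires the property as soon as one of its steps does).
RULES = {
    "cost": sum,
    "skill": lambda levels: max(levels, key=SKILL_SCALE.index),
    "insider": any,
}

# The five sequences of Table II, as produced by sequence exploration.
SEQUENCES = [
    ("Wardialing", "Bruteforce"),
    ("Wardialing", "Find_vulnerability", "Bruteforce"),
    ("Wardialing", "Find_vulnerability", "Exploit_vulnerability"),
    ("Wardialing", "Social_engineering"),
    ("Wardialing", "Find_vulnerability", "Social_engineering"),
]


def scenario_indicators(sequence):
    """Propagates the leaf indicators along one sequence with the rule of each type."""
    return {name: rule([LEAF_INDICATORS[step][name] for step in sequence])
            for name, rule in RULES.items()}


def filter_sequences(sequences, max_cost=None, max_skill=None, allow_insider=True):
    """Keeps the sequences compatible with an attacker profile: a cost ceiling,
    a maximum skill level and whether insider collaboration is assumed."""
    kept = []
    for seq in sequences:
        ind = scenario_indicators(seq)
        if max_cost is not None and ind["cost"] > max_cost:
            continue
        if max_skill is not None and SKILL_SCALE.index(ind["skill"]) > SKILL_SCALE.index(max_skill):
            continue
        if not allow_insider and ind["insider"]:
            continue
        kept.append(seq)
    return kept


if __name__ == "__main__":
    for seq in SEQUENCES:
        print(list(seq), scenario_indicators(seq))
    print("no insider, skill <= intermediate:",
          filter_sequences(SEQUENCES, max_skill="intermediate", allow_insider=False))
```

Because the three rules are monotone along a sequence (cost only grows, the skill maximum and the insider flag never decrease), the same thresholds could also be checked on partial sequences during exploration, which is the extra pruning the text mentions as a perspective.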

D. Modeling Phased Attack Steps
So far, the triggers have allowed modeling the attack sequence decomposition, in which certain steps are possible only if some others have been successfully accomplished. Nevertheless, once the leaves are in Active mode, the associated stochastic processes are all started in parallel, modeling concurrent attempts by the attacker. Going back to the RAS attack example, the left trigger models the fact that the modem tone must be found by wardialing before any concrete attack attempt on the RAS. This said, once the wardialing is successful, both the password attack techniques (i.e. the Bruteforce and the Social_engineering leaves) and the search for a software vulnerability (the Find_vulnerability leaf) are undertaken in parallel by the attacker. Note that this explains the second and fifth sequences of Table II, in which the attack step Find_vulnerability is in fact useless for the realization of the final attack goal. Depending on the attacker profile, it may be more realistic to model a phased approach, the attacker trying the password attack techniques first and, if still unsuccessful after a given time, switching to another approach, namely the software vulnerability one. It is possible to model this kind of behavior with a new type of leaf, the phase leaf, introduced for reliability studies of phased mission systems with BDMP in [54]. Fig. 5 uses it in the RAS attack case, in order to model the attacker behavior previously discussed. Represented with a clock, the behavior of this leaf is as follows: if no trigger points at it, it is initialized in the TRUE state and becomes FALSE after an exponentially distributed time. If a trigger points at it, it is initialized in the FALSE state and, when the origin of the trigger changes from the TRUE to the FALSE state, the leaf instantaneously becomes TRUE. It goes back to the FALSE state after an exponentially distributed time. This kind of behavior makes it easy to link an arbitrary number of phases. It is even possible to define a cyclic chain of phases: this is consistent with the general theory of BDMP. Finally, note that if the use of an exponential distribution may seem questionable for a phase length, this hypothesis can be relaxed in the framework envisaged in Section VI.

Figure 5. RAS attack modeling with phases. (Nodes: Logged_into_the_RAS, RAS_access_granted, Wardialing, Pwd_attack_success, Pwd_attacks_phase, Exploit_attack_success, Exploit_attack_phase, Authentication_with_password, Bruteforce, Social_engineering, Vulnerability_found_and_exploited, Find_vulnerability and Exploit_vulnerability; Pwd_attacks_phase and Exploit_attack_phase are phase leaves, drawn with a clock.)

E. Going Further: Integrating Detection
The flexibility of the BDMP formalism allows us to enlarge the scope, and take into consideration not only the attacker side, but also defensive aspects, such as attack detection. Different kinds of detection can be modeled, depending on the moments at which the detection can arise:
• The most straightforward way is to model an instantaneous detection possibility only when a given attack step is successfully completed. This implies that the unfruitful attempts are considered invisible to the defender. The use of a trigger and of an instantaneous security event leaf of parameter γ, representing the probability of non-detection, is then sufficient, as illustrated in part (a) of Fig. 6.
• In other situations, the detection may happen during an ongoing attack step, modeling potentially visible attempts of the attacker. This requires extending the basic BDMP leaves with a small dedicated Petri net, as shown in part (b) of Fig. 6. This small Petri net can be embedded and connected to the global BDMP in the form of a Petri leaf, symbolized in the right corner of (b). The detection is modeled by an exponential transition of parameter λd in the upper part of the Petri net, while the concurrent attack attempts are modeled by an exponential transition in the lower part of the Petri net, consistently with the classical attack step leaf definition.



Finally, the combination of the two approaches is also possible, as shown in part (c) of Fig. 6.

Figure 6. Detection modeling with BDMP. (Diagram not reproduced. Labels visible in the figure: part (a): Attack_step_successful_and_undetected, AND, Attack_step_susceptible_to_detection, Non_detection_of_success (instantaneous leaf, marked I); part (b): Petri leaf Detection_during_attempts, with places Start_attack_attempts, Ongoing, Attack_detected_before_success, Successful_attack_not_detected and Attack_success; part (c): Non_detected_attempts_and_success, AND, Detection_during_attempts, Success_non_detection, Non_detection_of_success. Triggers are marked !.)

Figure 7. RAS attack with detections. (Diagram not reproduced. Labels visible in the figure: RAS_ownership, Logged_into_the_RAS, Wardialing, RAS_access_granted, Authentication_with_password, Bruteforce_notdetected, Social_engin., Vulnerability_found_and_exploited, Find_vuln., Exploit_vuln, Non_detected_exploited_vuln, Non_detection; AND and OR gates, triggers marked !, instantaneous leaves marked I.)

Considering again the RAS attack example, it is straightforward to integrate the detection dimension in the corresponding BDMP, as illustrated in Fig. 7. In this case, detection is considered possible during password bruteforce attempts, using the type (b) detection with parameter λd, while the exploitation of a vulnerability is considered detectable only at the moment the attacker succeeds in his task (type (a) detection).
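The phase leaf of Section IV.D (Fig. 5) and the two detection types of Fig. 6, as combined in the RAS attack of Fig. 7, can be evaluated by plain Monte-Carlo simulation. The Python program below is an added example written for this page; it is not the authors' KB3 implementation. It keeps the paper's exponential leaves, reduces the trigger semantics to "a leaf's clock starts when the origin of its trigger becomes TRUE", and applies the convention that a detected attack is thwarted. It goes beyond the two figures in that one model carries both the phase leaf and the detections. All rates, the λd and γ values, the phase rate and the time horizon are constructed assumptions, not values taken from the paper.

```python
"""Monte-Carlo evaluation of the RAS attack BDMP with phases (Fig. 5) and
detections (Fig. 7).

Added example, not the authors' KB3/FIGARO implementation. Leaves keep the
paper's exponential (Markovian) timing; triggers are reduced to "a leaf's clock
starts when the origin of its trigger becomes TRUE". Every rate, the detection
parameters (lambda_d, gamma), the phase rate and the convention that a detected
attack is thwarted are constructed assumptions for illustration only.
"""
import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class RasModel:
    # Leaf success rates in 1/hour (constructed values)
    wardialing: float = 1 / 24
    bruteforce: float = 1 / 200
    social_engineering: float = 1 / 400
    find_vulnerability: float = 1 / 300
    exploit_vulnerability: float = 1 / 20
    # Type (b) detection, Fig. 6(b): rate lambda_d of detection during bruteforce attempts
    bruteforce_detection: float = 1 / 100
    # Type (a) detection, Fig. 6(a): probability gamma of NOT detecting a successful exploit
    exploit_non_detection: float = 0.8
    # Phase leaf, Fig. 5: rate at which the password phase expires and the attacker
    # switches to the vulnerability approach. None means the Fig. 7 behaviour:
    # both approaches run in parallel.
    password_phase: Optional[float] = None


def exp_time(rng: random.Random, rate: float) -> float:
    """Exponentially distributed duration; a zero rate means 'never happens'."""
    return rng.expovariate(rate) if rate > 0 else math.inf


def run_once(m: RasModel, rng: random.Random):
    """Simulate one trajectory. Returns (time, outcome, leaf) of the event that
    ends the attack: the earliest success or detection event."""
    t0 = exp_time(rng, m.wardialing)  # left trigger: nothing starts before wardialing
    events = []

    # Password techniques become active together once the modem tone is found.
    # Bruteforce races against its own detection transition (Petri leaf of Fig. 6(b)).
    t_bf, t_bf_det = exp_time(rng, m.bruteforce), exp_time(rng, m.bruteforce_detection)
    if t_bf < t_bf_det:
        events.append((t0 + t_bf, "success", "Bruteforce"))
    else:
        events.append((t0 + t_bf_det, "detected", "Bruteforce"))
    events.append((t0 + exp_time(rng, m.social_engineering), "success", "Social_engineering"))

    # Phased attacker: password leaves are deactivated when the phase leaf turns
    # FALSE, and the vulnerability phase only starts at that moment.
    t_vuln = t0
    if m.password_phase is not None:
        t_vuln = t0 + exp_time(rng, m.password_phase)
        events = [e for e in events if e[0] < t_vuln]

    # Exploit_vulnerability is triggered by Find_vulnerability (sequential steps);
    # detection of the exploit happens only at the moment of success (Fig. 6(a)).
    t_ev = t_vuln + exp_time(rng, m.find_vulnerability) + exp_time(rng, m.exploit_vulnerability)
    seen = rng.random() >= m.exploit_non_detection
    events.append((t_ev, "detected" if seen else "success", "Exploit_vulnerability"))

    return min(events)  # a detection that comes first thwarts the whole attack


def estimate(m: RasModel, horizon_hours: float, n_runs: int, seed: int = 1) -> dict:
    """Estimate over n_runs trajectories: P(RAS owned undetected within horizon),
    P(attacker detected within horizon), and which leaf completed the successful
    attacks, the Monte-Carlo counterpart of a ranking of attack sequences."""
    rng = random.Random(seed)
    success = detected = 0
    by_leaf: dict = {}
    for _ in range(n_runs):
        t, outcome, leaf = run_once(m, rng)
        if t > horizon_hours:
            continue
        if outcome == "success":
            success += 1
            by_leaf[leaf] = by_leaf.get(leaf, 0) + 1
        else:
            detected += 1
    return {"p_success": success / n_runs, "p_detected": detected / n_runs,
            "success_by_leaf": by_leaf}


if __name__ == "__main__":
    parallel = RasModel()                      # Fig. 7 behaviour, approaches in parallel
    phased = RasModel(password_phase=1 / 72)   # Fig. 5 behaviour, 72 h mean password phase
    for name, model in (("parallel", parallel), ("phased", phased)):
        print(name, estimate(model, horizon_hours=30 * 24, n_runs=20000))
```

Leaving password_phase at None reproduces the parallel attacker of Fig. 7; giving it a rate reproduces the phased attacker of Fig. 5 with the detections of Fig. 7 added on top. The thwarting convention is the first of the two options the text discusses for the effect of a detection; letting the attacker continue would only require ignoring the "detected" events when taking the minimum and recording them separately.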

The effects of detections are then to be decided by the analyst. It is for example possible to consider that, once detected, the attack is systematically thwarted. Another alternative is to let the attacker go on, but to take the fact that he has been detected into account in the ranking of attack sequences.

V. COMPARATIVE DISCUSSION

A. First Focus: BDMP vs. Attack Trees

Despite their visual similarity, BDMP and attack trees are fundamentally different: as already stated, BDMP are a dynamic model whereas attack trees are inherently static. Considering the dynamic nature of security issues, this represents a major advantage for BDMP. In particular, attack sequences and phases cannot be represented or taken into account with classical attack trees, while being an essential part of attack scenario modeling. Moreover, even if there have been several attempts to adapt attack trees for defense modeling [37,11], their static nature does not allow defensive aspects to be taken into account in their time-dependent dimension, as described in paragraphs III.D and IV.B. More generally, time dependent analysis and quantifications are by definition out of reach for static models. Fig. 8 represents the RAS attack in classical attack tree formalism. Without triggers, there is for example no formal way to state that connectivity to the modem must be established, through wardialing, before any password or vulnerability exploitation attack.

Figure 8. RAS attack classical attack tree. (Diagram not reproduced. Labels visible in the figure: RAS_ownership; AND Logged_into_the_RAS; OR RAS_access_granted; Wardialing; OR Authentication_with_password over Bruteforce and Social_engineering; AND Vulnerability_found_and_exploited over Find_vulnerability and Exploit_vulnerability.)

B. Second Focus: BDMP vs. Petri Net-based Approaches

Petri nets and their numerous variants [55], which include GSPNs (Generalized Stochastic Petri Nets) or SANs (Stochastic Activity Networks) [56], are more powerful and general than BDMP. However, especially when structure functions are involved, they often result in either complex (e.g. with GSPNs) or elliptic (e.g. with SANs) graphical representations. In fact, BDMP offer in many cases a much clearer and more straightforward modeling framework. To illustrate this advantage, Fig. 9 shows a GSPN equivalent to the BDMP of Fig. 4 (dotted lines represent inhibitor arcs). Qualitatively, the two figures can be visually compared. The BDMP model required the input of twenty graphical components, whereas the GSPN required more than fifty. Moreover, in order to mimic the trimming mechanism, native and implicit in BDMP (cf. Section IV.B.1), it would be necessary to add many inhibitor arcs, which would become extremely error-prone in a large model.

Figure 9. RAS attack Petri net equivalent model. (Diagram not reproduced. Labels visible in the figure: places PotentialWardialing, SuccessWardialing, PotentialBruteforce, PotentialSocialEng, AuthenticationWithPassword, PotentialFindVuln, SuccessFindVuln, PotentialExploitVuln, SuccessExploitVuln, VulnerabilityFoundAndExploited, RAS_access_granted, LoggedIntoTheRAS; transitions A1 to A5 and it_1 to it_4.)

VI. LIMITS AND PERSPECTIVES

A. Security Stochastic Modeling

1) On the relevance of exponential distributions
As indicated in paragraph IV.A, BDMP are based on Markov processes and the use of exponential distributions. This framework is a necessary condition to prove the mathematical properties of BDMP allowing for efficient time dependent quantifications; in particular, it makes a BDMP a valid description of a global homogeneous Markov process [44]. Considering its nice mathematical properties, such a framework is commonly adopted for stochastic modeling in the reliability area. But if the associated memory-less property can be justified for components with constant accidental failure rates, it can be questioned for security modeling, where the intelligent nature of the attacker may require more elaborate modeling. In fact, the idea of using exponential distributions for security was introduced by Littlewood et al. in 1993 [57]. The work of Dacier et al. previously introduced relies on the same mathematical background. A first experiment published in 1996 by Jonsson and Olovsson supports the relevance of exponential distributions under certain conditions [50]. Splitting the attack process into three phases (learning, standard and innovative phases), their experimental results indicate that the times between breaches can be considered exponentially distributed. Since then, this approximation has been commonly used: for instance, by Ortalo et al. in their experimental work on privilege graphs [39], by Gupta et al. in their evaluation of intrusion-tolerant server architectures with SANs [58], or more recently in Sallhammar's doctoral work on stochastic models for combined security and dependability evaluation [59]. Nevertheless, alternative models getting rid of the memory-less condition have also been proposed. For example, Madan et al. develop a semi-Markovian framework supporting much more diverse types of distribution to model the attack effort (namely hyper- or hypoexponential, Weibull, gamma and log-logistic distributions, all used in the reliability domain) [51]. McQueen et al. model attack behavior with the help of three distinct stochastic processes, respectively based on gamma, beta and exponential distributions [60]. This model is used in [28] and slightly modified in [29].

2) Towards Boolean logic Driven Stochastic Processes

In fact, stochastic modeling of security is by nature a challenging problem, exacerbated by the lack of security data on which to base the approximations and, perhaps more deeply, by the epistemological difficulty of modeling intelligent behaviors. No one-size-fits-all model exists, and restricting oneself to exponential distributions may seem too limiting. In this perspective, it is possible to extend BDMP to non-exponential distributions. This would not affect much their advantageous graphical representation, but most of the mathematical properties allowing efficient quantitative analysis would no longer hold. Monte-Carlo simulation would then become the only way to obtain the numerical values associated with sequence processing. Out of the Markovian framework, such a version should be renamed BDSP, for Boolean logic Driven Stochastic Processes. We plan to formalize them and use them in conjunction with McQueen's and other alternative models in future work.

B. Going Further in Defense Modeling

When attack detection occurs, it may be of interest to model subtler behaviors than the one discussed in Section IV. Security reactions could in particular change the attack steps available to the attacker, both in terms of possibilities and in terms of difficulty. Extensions to trigger semantics and usage may help model such changes. New kinds of leaves could also be introduced, enabling for instance "Non-detected" and "Detected" modes with different success rates, or relying on a more elaborate basis than two-state Markov chains.
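To make concrete what the memory-less assumption of Section VI.A buys, and what a BDSP gives up, the Python program below is an added example written for this page (not the authors' code, and not the models of [51] or [60]). It quantifies a two-leaf sequence (Find_vulnerability triggering Exploit_vulnerability) under exponential step durations, where the Markov framework gives a closed form, and under Weibull durations of the same mean, one of the distributions cited above, where only simulation remains. The means, the shape value and the horizon are constructed assumptions.

```python
"""Exponential vs. non-exponential attack step durations (Section VI.A).

Added example, not the authors' code. A two-leaf sequence (Find_vulnerability
triggering Exploit_vulnerability) is quantified under the paper's exponential
assumption, where the Markov framework yields a closed form, and under Weibull
durations of the same mean, where Monte-Carlo simulation is the only generic
route (the BDSP situation). Means, shape and horizon are constructed values.
"""
import math
import random


def exponential_hazard(mean: float) -> float:
    """Hazard (instantaneous success rate given no success so far) of Exp(1/mean):
    constant in time, which is exactly the memory-less property."""
    return 1.0 / mean


def weibull_scale(mean: float, shape: float) -> float:
    """Scale parameter alpha such that Weibull(alpha, shape) has the requested mean."""
    return mean / math.gamma(1.0 + 1.0 / shape)


def weibull_hazard(t: float, mean: float, shape: float) -> float:
    """Hazard of Weibull(mean, shape) at time t > 0: increasing for shape > 1
    (an attacker whose attempts become more effective with time), decreasing for
    shape < 1, and constant (the exponential case) for shape == 1."""
    alpha = weibull_scale(mean, shape)
    return (shape / alpha) * (t / alpha) ** (shape - 1.0)


def p_two_step_markov(horizon: float, mean_find: float, mean_exploit: float) -> float:
    """Exact P(Find + Exploit completed before horizon) for exponential steps, i.e.
    the hypoexponential CDF that the Markov analysis of a two-leaf sequence yields."""
    l1, l2 = 1.0 / mean_find, 1.0 / mean_exploit
    if abs(l1 - l2) < 1e-12:  # Erlang-2 limit when both rates coincide
        return 1.0 - math.exp(-l1 * horizon) * (1.0 + l1 * horizon)
    return 1.0 - (l2 * math.exp(-l1 * horizon) - l1 * math.exp(-l2 * horizon)) / (l2 - l1)


def p_two_step_simulated(horizon: float, mean_find: float, mean_exploit: float,
                         shape: float, n_runs: int, seed: int = 1) -> float:
    """Monte-Carlo P(Find + Exploit completed before horizon) when each step duration
    is Weibull with the given shape and the means above. shape == 1.0 reproduces
    the exponential case and must agree with p_two_step_markov."""
    rng = random.Random(seed)
    a_find, a_exploit = weibull_scale(mean_find, shape), weibull_scale(mean_exploit, shape)
    hits = 0
    for _ in range(n_runs):
        # random.weibullvariate(alpha, beta): alpha is the scale, beta the shape
        total = rng.weibullvariate(a_find, shape) + rng.weibullvariate(a_exploit, shape)
        if total <= horizon:
            hits += 1
    return hits / n_runs


if __name__ == "__main__":
    H, MF, ME = 48.0, 24.0, 12.0  # horizon and step means in hours, constructed
    print("Markov (exact):        ", round(p_two_step_markov(H, MF, ME), 3))
    print("Weibull shape 1 (sim): ", round(p_two_step_simulated(H, MF, ME, 1.0, 20000), 3))
    print("Weibull shape 3 (sim): ", round(p_two_step_simulated(H, MF, ME, 3.0, 20000), 3))
    for t in (6.0, 12.0, 24.0):
        print(f"hazard at t={t:>4}: exp={exponential_hazard(MF):.4f}  "
              f"weibull(shape 3)={weibull_hazard(t, MF, 3.0):.4f}")
```

With shape 1 the simulation reproduces the closed form, which is what the Markov framework computes directly and without sampling noise; with a shape above 1 the same means give a markedly higher probability of compromise within the horizon, because an increasing hazard concentrates the step durations around their mean. That difference is what a BDSP would capture and what the exponential BDMP cannot, at the price of the sequence exploration properties discussed above.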

C. Dedicated Software Implementations

The actual use of BDMP for security modeling and quantification currently relies on a software suite dedicated to reliability and safety studies. Native features and parameters are diverted from their original purposes to fit security considerations, which allows the main principles presented in this article to be implemented. An explicitly security-oriented KB3 extension is planned. New leaves and gates will be defined and packaged so as to be directly usable by the security analyst. Attack and security pattern libraries may also be built to support the user in model construction [36]. Finally, we intend to adapt the quantification tools along the ideas presented in this research, especially to properly integrate the security indicators discussed in IV.B.

D. Extending the Scope

1) To other fields of security
The prime focus of this research has been cyber-security in its most common acceptance, i.e. the protection of digital systems against malicious cyber-attacks. Nevertheless, this new modeling approach can encompass other security areas, including physical security. In particular, beyond the attack tree related work previously cited, all security modeling based on a fault tree like formalism (e.g. [61] for physical protection, [62] for nuclear safeguards, [63] for terrorist risks) may benefit from these new modeling capabilities.

2) Safety and security issues integration
Safety and security issues are intimately associated, but rigorously characterizing their relations and interdependences is still an open issue [64]. Nevertheless, the tremendous evolution of digital systems and their use in risk-prone industries make this better characterization crucial, as safety-related systems are getting exposed to new cyber-security risks. The BDMP formalism, initially used for safety studies and extended by this work to security modeling, constitutes an ideal common ground for such investigations.

VII. CONCLUSION

The adaptation of the BDMP formalism to security modeling offers an original and advantageous trade-off between readability, modeling power, scalability and quantification capabilities, in particular with respect to attack trees and Petri net based approaches. A Markovian framework is needed to take maximum benefit of the BDMP mathematical properties. In this context, sequence exploration techniques and the trimming mechanism allow for efficient time dependent quantifications. Monte-Carlo simulation can be used in more general cases. Such developments are left for future research. More generally, future work will most likely further enhance the security modeling capabilities of this novel approach, and may also help bridge the gap between safety and security analysis.

REFERENCES

[1] L. Piètre-Cambacédès and M. Bouissou, "The promising potential of the BDMP formalism for security modeling," Supp. Vol. Proc. DSN'09 (Fast Abstract), Estoril, Portugal.
[2] US DoD, MIL-STD-1785, "System security engineering program management requirements," 1988.
[3] J. D. Weiss, "A system security engineering process," Proc. 14th Nat. Comp. Sec. Conf., Washington D.C., USA, 1991.
[4] E. G. Amoroso, Fundamentals of Computer Security Technology, Prentice-Hall, Chapter 2, pp. 15-30, 1994.
[5] M. Dacier and Y. Deswarte, "Privilege graph: an extension to the typed access matrix model," Proc. ESORICS, 1994.
[6] C. Phillips and L. P. Swiler, "A graph-based system for network-vulnerability analysis," Proc. WNSP'98, pp. 71-79.
[7] L. Swiler, C. Phillips, D. Ellis and S. Chakerian, "Computer-attack graph generation tool," Proc. DISCEX'01, pp. 307-321.
[8] C. Salter et al., "Toward a secure system engineering methodology," Proc. WNSP'98, USA, pp. 2-10.
[9] B. Schneier, "Attack trees: modeling security threats," Dr. Dobb's Journal, Vol. 12, pp. 21-29, 1999.
[10] E. Byres, M. Franz and D. Miller, "The use of attack trees in assessing vulnerabilities in SCADA systems," Proc. IISW'04, Lisbon, Portugal, 2004.
[11] K. S. Edge, "A framework for analyzing and mitigating the vulnerabilities of complex systems via attack and protection trees," Ph.D. thesis, Air Force Inst. of Technology, 2007.
[12] S. Patel, J. Graham and P. Ralston, "Quantitatively assessing the vulnerability of critical information systems: a new method for evaluating security enhancements," Int. J. of Information Management, Vol. 28, pp. 483-491, 2008.
[13] C.-W. Ten, C.-C. Liu and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems using attack trees," IEEE PES General Meeting, USA, 2007, pp. 1-8.
[14] K. Karppinen, "Security measurement based on attack trees in a mobile ad hoc network environment," M.Sc. thesis, VTT Publication 580, 2005.
[15] Y. Ho, D. Frincke and D. Tobin, "Planning, Petri nets, and intrusion detection," Proc. 21st NISSC, USA, 1998.
[16] J. P. McDermott, "Attack net penetration testing," Proc. WNSP'00, Ballycotton, Ireland, 2000, pp. 15-21.
[17] S. Houmb and K. Sallhammar, "Modeling system integrity of a security critical system using colored Petri nets," Safety and Security Engineering, WIT Press, 2005, pp. 3-12.
[18] V. Horvath and T. Dörges, "From security patterns to implementation using Petri nets," Proc. SESS'08, pp. 17-24.
[19] C.-W. Ten, C.-C. Liu and G. Manimaran, "Vulnerability assessment of cybersecurity for SCADA systems," IEEE Trans. Power Systems, Vol. 23, No. 4, pp. 1836-1846, 2008.
[20] G. Dalton et al., "Analyzing attack trees using generalized stochastic Petri nets," Proc. IAW'06, USA, pp. 116-123.
[21] S. Pudar, G. Manimaran and C.-C. Liu, "PENET: a practical method and tool for integrated modeling of security attacks and countermeasures," Computers & Security, in press.
[22] O. Sheyner et al., "Automated generation and analysis of attack graphs," Proc. IEEE Symp. S&P, pp. 273-284, 2002.
[23] P. Ammann, D. Wijesekera and S. Kaushik, "Scalable, graph-based network vulnerability analysis," Proc. CCS'02, Alexandria, USA, pp. 217-224.
[24] R. Lippmann and K. Ingols, "An annotated review of past papers on attack graphs," MIT Technical Report, 2005.
[25] X. Ou, W. Boyer and M. McQueen, "A scalable approach to attack graph generation," Proc. CCS'06, USA, pp. 336-345.
[26] L. Wang, A. Singhal and S. Jajodia, "Toward measuring network security using attack graphs," Proc. QoP'07, Alexandria, USA, pp. 49-54.
[27] D. Saha, "Extending logical attack graphs for efficient vulnerability analysis," Proc. CCS'08, USA, pp. 63-74.
[28] M. McQueen, W. Boyer, M. Flynn and G. Beitel, "Quantitative cyber risk reduction estimation methodology for a small SCADA control system," Proc. 39th HICSS, Vol. 9, Hawaii, USA, 2006.
[29] D. Leversage and E. Byres, "Estimating a system's mean time-to-compromise," IEEE Security & Privacy, Vol. 6, pp. 52-60, 2008.
[30] Y. Liu and H. Man, "Network vulnerability assessment using Bayesian networks," Proc. SPIE, Vol. 5812, pp. 61-71, 2005.
[31] T. Sommestad, "Cyber security risks assessment with Bayesian defense graphs and architectural models," Proc. 42nd HICSS, 2009.
[32] M. Frigault, L. Wang, A. Singhal and S. Jajodia, "Measuring network security using dynamic Bayesian network," Proc. QoP'08, Alexandria, USA, pp. 23-30.
[33] P. Khand, "System level security modeling using attack trees," Proc. IC4, pp. 1-6, Karachi, Pakistan, 2009.
[34] I. Fovino and M. Masera, "Through the description of attacks: a multidimensional view," Proc. SAFECOMP'06, pp. 15-28.
[35] S. Mauw and M. Oostdijk, "Foundations of attack trees," Proc. ICISC'05, Seoul, Korea, LNCS 3935, pp. 186-198.
[36] A. Moore, R. Ellison and R. Linger, "Attack modeling for information security and survivability," Technical Note CMU/SEI-2001-TN-001, Carnegie Mellon, 2001.
[37] S. Bistarelli, F. Fioravanti and P. Peretti, "Defense trees for economic evaluation of security investments," Proc. ARES'06, Vienna, Austria, pp. 416-423.
[38] M. Frigault and L. Wang, "Measuring network security using Bayesian network-based attack graphs," Proc. COMPSAC'08.
[39] R. Ortalo, Y. Deswarte and M. Kaaniche, "Experimenting with quantitative evaluation tools for monitoring operational security," IEEE Trans. Soft. Eng., Vol. 25, 1999, pp. 633-650.
[40] S. Braynov and M. Jadliwala, "Representation and analysis of coordinated attacks," Proc. FMSE'03, USA, pp. 43-51.
[41] J. Dawkins and J. Hale, "A systematic approach to multi-stage network attack analysis," Proc. IWIAS'04, USA, pp. 48-56.
[42] D. Mirembe and M. Muyeba, "Threat modeling revisited: improving expressiveness of attack," Proc. EMS'08, UK.
[43] M. Rausand and A. Høyland, System Reliability Theory, 2nd edition, Wiley-Interscience, 2003.
[44] M. Bouissou and J.-L. Bon, "A new formalism that combines advantages of fault-trees and Markov models: Boolean logic driven Markov processes," Reliability Engineering and System Safety, Vol. 82, 2003.
[45] P. Carer et al., "A new method for reliability assessment of electrical power supplies with standby redundancies," Proc. PMAPS'02, Italy.
[46] M. Bouissou, "Automated dependability analysis of complex systems with the KB3 workbench," Proc. CIEM'05, Bucharest, Romania.
[47] M. Bouissou et al., "Knowledge modeling and reliability processing: presentation of the FIGARO language and associated tools," Proc. SAFECOMP'91, pp. 69-75.
[48] M. Bouissou and Y. Lefebvre, "A path-based algorithm to evaluate asymptotic unavailability for large Markov models," Proc. RAMS'02, Seattle, USA, pp. 32-39.
[49] P. Harrison, "Laplace transform inversion and passage time distributions in Markov processes," Journal of Applied Probability, Vol. 27, No. 1, 1990, pp. 74-87.
[50] E. Jonsson and T. Olovsson, "A quantitative model of the security intrusion process based on attacker behavior," IEEE Trans. Soft. Eng., Vol. 23, 1997, pp. 235-245.
[51] B. Madan et al., "Modeling and quantification of security attributes of software systems," Proc. DSN'02, Bethesda, USA, pp. 505-514.
[52] R. Pullen, "AttackTree+, a computer tool for modelling attack," Proc. 29th ESReDA Seminar, Ispra, Italy, 2006.
[53] R. Dewri, N. Poolsappasit, I. Ray and D. Whitley, "Optimal security hardening using multi-objective optimization on attack tree models of networks," Proc. CCS'07, pp. 204-213.
[54] M. Bouissou and Y. Dutuit, "Reliability analysis of a dynamic phased mission system: comparison of two approaches," Proc. MMR'04, Santa Fe, USA.
[55] P. J. Haas, Stochastic Petri Nets, 1st ed., Springer, 2005.
[56] W. Sanders and J. Meyer, "Stochastic activity networks: formal definitions and concepts," LNCS 2090, pp. 315-343, 2002.
[57] B. Littlewood et al., "Towards operational measures of computer security," J. Comp. Sec., Vol. 2, 1993, pp. 211-229.
[58] V. Gupta et al., "Dependability and performance evaluation of intrusion-tolerant server architectures," Proc. LADC'03.
[59] K. Sallhammar, "Stochastic models for combined security and dependability evaluation," Ph.D. thesis, NTNU, 2007.
[60] M. McQueen et al., "Time-to-compromise model for cyber risk reduction estimation," Proc. QoP'06, USA, pp. 49-64.
[61] G. Renda, S. Contini and G. Cojazzi, "On the methods to model and analyze attack scenarios with fault trees," Proc. ESREL'08, Valencia, Spain.
[62] G. Cojazzi, G. Renda and S. Contini, "Qualitative and quantitative analysis of safeguards logic trees," Proc. PSAM7/ESREL'04, Berlin, Germany.
[63] J. Garrick et al., "Confronting the risks of terrorism: making the right decisions," Reliability Engineering and System Safety, Vol. 86, 2004, pp. 129-176.
[64] L. Piètre-Cambacédès and C. Chaudet, "Disentangling the relations between safety and security," Proc. AIC'09, Moscow, Russia, pp. 156-161.
