Probabilistic Assessment of Security Scenarios – Challenges and Solutions
Barbara Kordy
Joint work with Marc Pouly, Patrick Schweitzer
INRIA Rennes, May 16, 2014
Formal Methods and Security seminar
Who am I?
2005–2008 Ph.D. Student and Moniteur, Université d’Orléans, France
Automates pour l’Analyse de Documents XML Compressés, Applications à la Sécurité d’Accès (Automata for the Analysis of Compressed XML Documents, with Applications to Access Security)
2009–2014 Research Associate, University of Luxembourg
Formal methods for modeling and analysis of real-life security problems
Barbara Kordy 2
Probabilistic Assessment of Security Scenarios
security model: ADTree
dependency model: Bayesian network
→ probabilistic assessment of attack–defense scenarios with dependencies
Outline
1 Attack–defense Trees
2 Probabilistic Evaluation
3 Efficiency Considerations
4 Wrap Up
Attack–defense Trees
Modeling Security Scenarios
Attack–defense tree (ADTree) [FAST’10]
Tree-like representation of an attack–defense scenario depicting:
- how to attack a system
- how to protect against an attack
ADTrees extend the industrially recognized model of attack trees [Schneier’99] and integrate:
- intuitive representation features [IJSSE’12, ICISC’12]
- formal analysis techniques [GameSec’10, SIIS’11, JLC’14]
- a software application, ADTool [QEST’13]
Example: ADTree for Infecting a Computer
infect computer (AND of):
  virus on system (OR of):
    e-mail with attachment
    USB stick
  countered by: antivirus (AND of):
    install antivirus
    run antivirus, countered by: fake antivirus
  execute virus
Propositional Semantics for ADTrees [SIIS’11]
B – the set of non-refined nodes of ADTree t
$x \in \{0,1\}^B$ encodes whether the actions from B succeed or not:
- action $A \in B$ succeeds if $x(A) = 1$
- action $A \in B$ does not succeed if $x(A) = 0$
Boolean function $f_t$ for t
$f_t : \{0,1\}^B \to \{0,1\}$ associates a Boolean value $f_t(x) \in \{0,1\}$ with each vector $x \in \{0,1\}^B$
x is called an attack vector if $f_t(x) = 1$
ADTrees as Boolean Functions
The domain of $f_t$ is composed of the non-refined nodes of t.
Node type | Shape of t | $f_t$
Non-refined node A | leaf A | $f_t(A) = A$
OR | t refined into t′, t″ | $f_t = f_{t'} \lor f_{t''}$
AND | t refined into t′, t″ | $f_t = f_{t'} \land f_{t''}$
Countermeasure | t′ countered by t″ | $f_t = f_{t'} \land \lnot f_{t''}$
Example: Boolean Function for Infecting a Computer
Variables for the six non-refined nodes: $X_{EA}$ (e-mail with attachment), $X_{US}$ (USB stick), $X_{IA}$ (install antivirus), $X_{RA}$ (run antivirus), $X_{FA}$ (fake antivirus), $X_{EV}$ (execute virus).
$f_t = \big((X_{EA} \lor X_{US}) \land \lnot(X_{IA} \land (X_{RA} \land \lnot X_{FA}))\big) \land X_{EV}$
Example: Attack Vector
Node values for $x = (X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}) = (1, 0, 1, 0, 0, 1)$:
infect computer: true
  virus on system: true
    e-mail with attachment: true
    USB stick: false
    antivirus: false
      install antivirus: true
      run antivirus: false
      fake antivirus: false
  execute virus: true
$f_t(x) = \big((1 \lor 0) \land \lnot(1 \land (0 \land \lnot 0))\big) \land 1 = 1$, so x is an attack vector.
Importance of Probabilities
Knowing the probabilities of particular attacks allows us to
- identify the most vulnerable components
- determine the strategic points
- decide which defensive measures to implement
Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]
Let x and y be the probabilities already computed for the two child subtrees.
Probability of a disjunctive subtree (attack node refined with OR into x, y): $x + y - xy$
Probability of a conjunctive subtree (attack node refined with AND into x, y): $xy$
Probability of a countered subtree (attack x countered by defense y): $x(1 - y)$
Similarly for subtrees rooted in a defense node
Example: Probability for Infecting a Computer
Leaf probabilities and the bottom-up values they yield:
infect computer: 0.669375
  virus on system (countered by antivirus): 0.74375
    e-mail with attachment: 0.5
    USB stick: 0.75
    antivirus: 0.15 (= 0.8 × 0.25 × (1 − 0.25); the tool prints the floating-point value 0.15000000000000002)
      install antivirus: 0.8
      run antivirus (countered by fake antivirus): 0.25
      fake antivirus: 0.25
  execute virus: 0.9
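The bottom-up rules and the propositional semantics, applied to the example tree, as an added Python example (not code from the slides and not ADTool): the ADTree is encoded as nested tuples, `bottom_up` implements the three ICISC’12 rules and reproduces the values above, and `boolean` implements $f_t$ so that attack vectors such as (1, 0, 1, 0, 0, 1) can be checked. The node encoding, the function names and the `ACTIONS` order (EA, US, IA, RA, FA, EV) are this example's own conventions.

```python
from functools import reduce
from itertools import product

# Constructed encoding of the 'infect computer' ADTree from the slides.
# ("leaf", name) is a non-refined node; ("or", [...]) and ("and", [...]) refine a node;
# ("counter", [t, c]) is the subtree t countered by the subtree c.
INFECT = ("and", [
    ("counter", [
        ("or", [("leaf", "e-mail with attachment"), ("leaf", "USB stick")]),
        ("and", [
            ("leaf", "install antivirus"),
            ("counter", [("leaf", "run antivirus"), ("leaf", "fake antivirus")]),
        ]),
    ]),
    ("leaf", "execute virus"),
])

# Leaf probabilities of the slide's example.
LEAF_PROB = {"e-mail with attachment": 0.5, "USB stick": 0.75, "install antivirus": 0.8,
             "run antivirus": 0.25, "fake antivirus": 0.25, "execute virus": 0.9}

# Order of the non-refined nodes used for attack vectors: (EA, US, IA, RA, FA, EV).
ACTIONS = ("e-mail with attachment", "USB stick", "install antivirus",
           "run antivirus", "fake antivirus", "execute virus")


def bottom_up(node, prob):
    """ICISC'12 bottom-up probability: OR -> x+y-xy, AND -> xy, countered -> x(1-y)."""
    kind, body = node
    if kind == "leaf":
        return prob[body]
    vals = [bottom_up(child, prob) for child in body]
    if kind == "or":
        return reduce(lambda x, y: x + y - x * y, vals)
    if kind == "and":
        return reduce(lambda x, y: x * y, vals)
    x, y = vals                      # countermeasure: x is countered by y
    return x * (1 - y)


def boolean(node, x):
    """Propositional semantics f_t; x maps each non-refined node to 0 or 1."""
    kind, body = node
    if kind == "leaf":
        return x[body]
    vals = [boolean(child, x) for child in body]
    if kind == "or":
        return int(any(vals))
    if kind == "and":
        return int(all(vals))
    return int(vals[0] and not vals[1])


def is_attack_vector(bits):
    """True iff f_t(x) = 1 for x given as a 0/1 tuple in ACTIONS order."""
    return boolean(INFECT, dict(zip(ACTIONS, bits))) == 1


def attack_vectors():
    """All x in {0,1}^B with f_t(x) = 1, as tuples in ACTIONS order."""
    return [bits for bits in product((0, 1), repeat=len(ACTIONS)) if is_attack_vector(bits)]


if __name__ == "__main__":
    print("P(infect computer) =", bottom_up(INFECT, LEAF_PROB))
    print("(1,0,1,0,0,1) is an attack vector:", is_attack_vector((1, 0, 1, 0, 0, 1)))
    print("number of attack vectors:", len(attack_vectors()))
```

The subtree values can be read off by calling `bottom_up` on a subtree, e.g. `INFECT[1][0]` is the countered "virus on system" subtree (0.74375) and `INFECT[1][0][1][1]` the "antivirus" subtree (0.15).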
Limitations
The bottom-up procedure does not take dependencies between actions into account.
However, in practice
- installing and running an antivirus
- distributing and executing a virus
are not independent actions.
Thus, the standard bottom-up evaluation is not suitable for probabilistic assessment of attack–defense trees.
Challenges
1 How to design the appropriate formalism?
2 How to ensure that calculations reflect the reality?
3 How to guarantee the efficiency of the evaluation?
Probabilistic Evaluation
Proposed Framework [iFM’14]
security model: ADTree
dependency model: Bayesian network
→ probabilistic assessment of attack–defense scenarios with dependencies
Modeling Probability of Dependent Actions
Bayesian network: a directed, acyclic graph that reflects the conditional interdependencies between variables associated with the nodes of the network
Dependent variables X → Y, with the conditional probability table for Y:
p(Y = 1 | X = 1) = 0.7, p(Y = 0 | X = 1) = 0.3
p(Y = 1 | X = 0) = 0.2, p(Y = 0 | X = 0) = 0.8
Constructing Bayesian Network $BN_t$ for ADTree t
From an ADTree: t – ADTree; B – set of all non-refined nodes of t
To a Bayesian network:
- the elements of B are the nodes of the Bayesian network $BN_t$
- relations between actions are depicted by edges in $BN_t$
- conditional probability tables quantify dependencies between actions
Example: $BN_t$ for the Infecting a Computer ADTree
Edges: fake antivirus → e-mail with attachment, fake antivirus → USB stick, e-mail with attachment → execute virus, USB stick → execute virus, install antivirus → run antivirus
Conditional probability tables:
$p(X_{FA} = 1) = 0.3$
$p(X_{EA} = 1 \mid X_{FA} = 1) = 0.9$, $p(X_{EA} = 1 \mid X_{FA} = 0) = 0.5$
$p(X_{US} = 1 \mid X_{FA} = 1) = 0.4$, $p(X_{US} = 1 \mid X_{FA} = 0) = 0.5$
$p(X_{EV} = 1 \mid X_{EA} = 1, X_{US} = 1) = 0.9$, $p(X_{EV} = 1 \mid X_{EA} = 1, X_{US} = 0) = 0.2$, $p(X_{EV} = 1 \mid X_{EA} = 0, X_{US} = 1) = 0.8$, $p(X_{EV} = 1 \mid X_{EA} = 0, X_{US} = 0) = 0.1$
$p(X_{IA} = 1) = 0.6$
$p(X_{RA} = 1 \mid X_{IA} = 1) = 0.9$, $p(X_{RA} = 1 \mid X_{IA} = 0) = 0.0$
Joint Probability Distribution for the Network $BN_t$
$p(X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}) = p(X_{EV} \mid X_{EA}, X_{US}) \times p(X_{EA} \mid X_{FA}) \times p(X_{US} \mid X_{FA}) \times p(X_{FA}) \times p(X_{RA} \mid X_{IA}) \times p(X_{IA})$
Propositional Semantics Using Algebraic Operations
Node type | Boolean form | Algebraic form
Non-refined node A | $f_t(A) = A$ | $\mathrm{id}_A$
OR | $f_t = f_{t'} \lor f_{t''}$ | $\max\{f_{t'}, f_{t''}\}$
AND | $f_t = f_{t'} \land f_{t''}$ | $f_{t'} \times f_{t''}$
Countermeasure | $f_t = f_{t'} \land \lnot f_{t''}$ | $f_{t'} \times (1 - f_{t''})$
Probability Computation
$x \in \{0,1\}^B$ – vector of successful/unsuccessful actions
Probability of attack vector x: $f_t(x) \times p(x)$
Probability related to ADTree t: $P(t) = \sum_{x \in \{0,1\}^B} f_t(x) \times p(x)$
Probability of the most probable attack vector: $P_{\max}(t) = \max_{x \in \{0,1\}^B} f_t(x) \times p(x)$
Compatibility Results [iFM’14]
Theorem. Probability computations on propositionally equivalent ADTrees yield the same result.
Observation. For an ADTree t without dependent actions, P(t) coincides with the result of the bottom-up computation.
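An added Python example (not code from the slides or from the iFM’14 paper) that evaluates the three formulas of the Probability Computation slide by enumerating $\{0,1\}^B$ for the example tree, twice: with the joint distribution of $BN_t$ from the example slide, and with independent actions whose marginals are the leaf probabilities of the bottom-up example, which reproduces the bottom-up value 0.669375 as the Observation states. The function names and the dictionary encoding of x are this example's own; the tuple order of the actions is (EA, US, IA, RA, FA, EV).

```python
from itertools import product

# Non-refined nodes B of the 'infect computer' ADTree, in the order used for x.
ACTIONS = ("EA", "US", "IA", "RA", "FA", "EV")


def f_t(x):
    """Propositional semantics of the example tree; x maps an action name to 0/1."""
    virus_on_system = x["EA"] or x["US"]                    # OR node
    antivirus = x["IA"] and (x["RA"] and not x["FA"])       # AND node, RA countered by FA
    return int(virus_on_system and not antivirus and x["EV"])


def p_dependent(x):
    """Joint probability p(x) of BN_t: chain rule over the slide's CPTs."""
    def term(v, q1):            # p(X_v = x[v]) given p(X_v = 1 | parents) = q1
        return q1 if x[v] else 1.0 - q1
    p_ev1 = {(1, 1): 0.9, (1, 0): 0.2, (0, 1): 0.8, (0, 0): 0.1}[(x["EA"], x["US"])]
    return (term("FA", 0.3)
            * term("EA", 0.9 if x["FA"] else 0.5)
            * term("US", 0.4 if x["FA"] else 0.5)
            * term("EV", p_ev1)
            * term("IA", 0.6)
            * term("RA", 0.9 if x["IA"] else 0.0))


# Leaf probabilities of the bottom-up example, read as a Bayesian network without edges.
INDEPENDENT = {"EA": 0.5, "US": 0.75, "IA": 0.8, "RA": 0.25, "FA": 0.25, "EV": 0.9}


def p_independent(x):
    """Joint probability when all actions are independent: product of the marginals."""
    p = 1.0
    for a in ACTIONS:
        p *= INDEPENDENT[a] if x[a] else 1.0 - INDEPENDENT[a]
    return p


def assess(joint):
    """Enumerate {0,1}^B; return (P(t), Pmax(t), most probable attack vector)."""
    total, best, best_x = 0.0, 0.0, None
    for bits in product((0, 1), repeat=len(ACTIONS)):
        x = dict(zip(ACTIONS, bits))
        weight = f_t(x) * joint(x)          # f_t(x) * p(x): 0 unless x is an attack vector
        total += weight
        if weight > best:
            best, best_x = weight, bits
    return total, best, best_x


if __name__ == "__main__":
    for name, joint in (("BN_t", p_dependent), ("independent", p_independent)):
        P, Pmax, x = assess(joint)
        print(f"{name}: P(t) = {P:.6f}, Pmax(t) = {Pmax:.6f}, most probable attack vector = {x}")
```

With the dependent network the most probable attack vector is unique; with the independent marginals several vectors tie (e-mail or USB stick, or both, give the same product), so only P(t) is compared to the bottom-up value there.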
Efficiency Considerations
Efficiency Problems
$P(t) = \sum_{x \in \{0,1\}^B} f_t(x) \times p(x)$, $P_{\max}(t) = \max_{x \in \{0,1\}^B} f_t(x) \times p(x)$
The number of configurations x grows exponentially with the number of involved actions. For large systems, it is therefore not feasible to
- enumerate all the values of $f_t$
- enumerate all the values of the joint probability distribution for $BN_t$
security model: ADTree
dependency model: Bayesian network
constraint reasoning: fusion
→ probabilistic assessment of attack–defense scenarios with dependencies
Local Indicators
$f_t = \underbrace{\underbrace{\underbrace{(X_{EA} \lor X_{US})}_{Y_1} \land \lnot \underbrace{(X_{IA} \land \underbrace{(X_{RA} \land \lnot X_{FA})}_{Y_2})}_{Y_3}}_{Y_4} \land X_{EV}}_{Y_t}$
$\varphi_1(Y_1, X_{EA}, X_{US}) = 1$ exactly if $Y_1 = \max\{X_{EA}, X_{US}\}$
$\varphi_2(Y_2, X_{RA}, X_{FA}) = 1$ exactly if $Y_2 = X_{RA} \times (1 - X_{FA})$
$\varphi_3(Y_3, X_{IA}, Y_2) = 1$ exactly if $Y_3 = X_{IA} \times Y_2$
$\varphi_4(Y_4, Y_1, Y_3) = 1$ exactly if $Y_4 = Y_1 \times (1 - Y_3)$
$\varphi_5(Y_t, Y_4, X_{EV}) = 1$ exactly if $Y_t = Y_4 \times X_{EV}$
Global Indicator Function $\varphi_t$ for ADTree t
Domain of $\varphi_t$: the non-refined nodes of t and the inner variables of all local indicators
Global indicator function $\varphi_t$ = product of all local indicators $\varphi_i$:
$\varphi_t(\underbrace{Y_1, Y_2, Y_3, Y_4, Y_t}_{Y = \text{inner variables}}, \underbrace{X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}}_{B = \text{non-refined nodes}}) = \varphi_1(Y_1, X_{EA}, X_{US}) \times \varphi_2(Y_2, X_{RA}, X_{FA}) \times \varphi_3(Y_3, X_{IA}, Y_2) \times \varphi_4(Y_4, Y_1, Y_3) \times \varphi_5(Y_t, Y_4, X_{EV})$
$\varphi_t$ indicates the valid assignments with respect to $f_t$
Important Property
Theorem. Consider an ADTree t over the set of non-refined nodes B and the global indicator function $\varphi_t$ with the set of inner variables Y. Then
$\forall x \in \{0,1\}^B\ \exists!\, y \in \{0,1\}^Y$ such that $\varphi_t(y, x) = 1$.
Corollary: $\forall x \in \{0,1\}^B:\ \max_{y \in \{0,1\}^Y} \varphi_t(y, x) = \sum_{y \in \{0,1\}^Y} \varphi_t(y, x) = 1$
Filtering Interesting Assignments of $\varphi_t$
For a tree t refined with OR into the actions A and B (so $Y_t = \max\{X_A, X_B\}$), the assignments with $\varphi_t = 1$ are:
$\varphi_t(Y_t = 1, X_A = 1, X_B = 1) = 1$
$\varphi_t(Y_t = 1, X_A = 1, X_B = 0) = 1$
$\varphi_t(Y_t = 1, X_A = 0, X_B = 1) = 1$
$\varphi_t(Y_t = 0, X_A = 0, X_B = 0) = 1$
We are only interested in assignments such that $\varphi_t = 1$ and $Y_t = 1$, i.e. in $Y_t \times \varphi_t(y, x)$
Expressing $f_t$ with its Global Indicator
$\forall x \in \{0,1\}^B:\ \max_{y \in \{0,1\}^Y} \varphi_t(y, x) = \sum_{y \in \{0,1\}^Y} \varphi_t(y, x) = 1$
$\forall x \in \{0,1\}^B:\ \max_{y \in \{0,1\}^Y} \big(Y_t \times \varphi_t(y, x)\big) = \sum_{y \in \{0,1\}^Y} \big(Y_t \times \varphi_t(y, x)\big) = f_t(x) = \begin{cases} 1, & \text{if } x \text{ is an attack vector} \\ 0, & \text{otherwise} \end{cases}$
Factorized Form for Probability Formulas
Probability of attack vector x: $f_t(x) \times p(x) = \max_{y \in \{0,1\}^Y} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$
Probability related to ADTree t: $P(t) = \sum_{x \in \{0,1\}^B} f_t(x) \times p(x) = \sum_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$
Probability of the most probable attack vector: $P_{\max}(t) = \max_{x \in \{0,1\}^B} f_t(x) \times p(x) = \max_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$
Our Framework in the Context of Semiring Theory
Inference problem over the arithmetic semiring $\langle \mathbb{R}, +, \times \rangle$: $P(t) = \sum_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$
Inference problem over the product t-norm semiring $\langle [0,1], \max, \times \rangle$: $P_{\max}(t) = \max_{(y,x) \in \{0,1\}^{Y \cup B}} \big(Y_t \times \varphi_t(y, x) \times p(x)\big)$
Local Computation
Powerful local computation algorithms: fusion and variable elimination, both exploiting "smart distributivity" of × over + (resp. max)
Computing P(t) for the example with the Nenok tool [IJAIT’10]:
Method | Complexity bound | Time
Direct computation | $2^{11}$ (the 11 variables of $Y \cup B$) | 3.422 s
Using fusion | $2^5$ | 0.031 s
The complexity is bounded by a structural parameter of the problem.
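An added Python example (this page's illustration, not the slides' own code and not Nenok) of the factorized computation from the Local Indicators, Factorized Form and Local Computation slides: the local indicators $\varphi_1 \ldots \varphi_5$, the selector $Y_t$ and the six CPTs of $BN_t$ are tabulated as factors; `direct` aggregates their product over all $2^{11}$ joint assignments of $Y \cup B$, while `fusion` eliminates one variable at a time and records the largest factor it has to build. Passing `sum` solves the arithmetic-semiring problem P(t), passing `max` the product t-norm problem $P_{\max}(t)$. The factor representation, the function names and the elimination sequence `ORDER` are assumptions of this example; with that sequence the largest intermediate factor has 5 variables ($2^5$ entries), the bound the slide reports for fusion.

```python
from itertools import product

# Variables: the six non-refined nodes B and the five inner variables Y.
ACTIONS = ("EA", "US", "IA", "RA", "FA", "EV")
INNER = ("Y1", "Y2", "Y3", "Y4", "Yt")


def factor(variables, fn):
    """Tabulate fn over all 0/1 assignments of `variables`: returns (scope, table)."""
    scope = tuple(variables)
    return scope, {a: fn(*a) for a in product((0, 1), repeat=len(scope))}


def cpt(child, parents, p1):
    """CPT factor of BN_t from a function giving p(child = 1 | parents)."""
    def fn(value, *par):
        q = p1(*par)
        return q if value else 1.0 - q
    return factor([child, *parents], fn)


# The six CPTs of the example network (numbers from the slide).
P_FA = cpt("FA", [], lambda: 0.3)
P_EA = cpt("EA", ["FA"], lambda fa: 0.9 if fa else 0.5)
P_US = cpt("US", ["FA"], lambda fa: 0.4 if fa else 0.5)
P_EV = cpt("EV", ["EA", "US"],
           lambda ea, us: {(1, 1): 0.9, (1, 0): 0.2, (0, 1): 0.8, (0, 0): 0.1}[(ea, us)])
P_IA = cpt("IA", [], lambda: 0.6)
P_RA = cpt("RA", ["IA"], lambda ia: 0.9 if ia else 0.0)

# Local indicators: 1 exactly when the inner variable equals the algebraic value of
# its subtree (max for OR, product for AND, x(1-y) for a countered node).
PHI1 = factor(["Y1", "EA", "US"], lambda y, a, b: int(y == max(a, b)))
PHI2 = factor(["Y2", "RA", "FA"], lambda y, a, b: int(y == a * (1 - b)))
PHI3 = factor(["Y3", "IA", "Y2"], lambda y, a, b: int(y == a * b))
PHI4 = factor(["Y4", "Y1", "Y3"], lambda y, a, b: int(y == a * (1 - b)))
PHI5 = factor(["Yt", "Y4", "EV"], lambda y, a, b: int(y == a * b))
SELECT = factor(["Yt"], lambda y: y)       # the factor Y_t: keeps attack vectors only

FACTORS = [P_FA, P_EA, P_US, P_EV, P_IA, P_RA, PHI1, PHI2, PHI3, PHI4, PHI5, SELECT]


def combine(f, g):
    """Pointwise product of two factors (the semiring multiplication)."""
    fs, ft = f
    gs, gt = g
    scope = fs + tuple(v for v in gs if v not in fs)
    table = {}
    for a in product((0, 1), repeat=len(scope)):
        env = dict(zip(scope, a))
        table[a] = ft[tuple(env[v] for v in fs)] * gt[tuple(env[v] for v in gs)]
    return scope, table


def marginalize(f, var, agg):
    """Eliminate var from f; agg is sum (for P(t)) or max (for Pmax(t))."""
    fs, ft = f
    i = fs.index(var)
    groups = {}
    for a, val in ft.items():
        groups.setdefault(a[:i] + a[i + 1:], []).append(val)
    return fs[:i] + fs[i + 1:], {k: agg(v) for k, v in groups.items()}


def direct(factors, agg):
    """Direct computation over all 2^11 joint assignments; returns (value, #assignments)."""
    scope = ACTIONS + INNER
    values = []
    for a in product((0, 1), repeat=len(scope)):
        env = dict(zip(scope, a))
        p = 1.0
        for fs, ft in factors:
            p *= ft[tuple(env[v] for v in fs)]
        values.append(p)
    return agg(values), len(values)


def fusion(factors, order, agg):
    """Variable elimination along `order`; returns (value, largest factor scope built)."""
    factors = list(factors)
    width = max(len(fs) for fs, _ in factors)
    for var in order:
        related = [f for f in factors if var in f[0]]
        factors = [f for f in factors if var not in f[0]]
        joined = related[0]
        for g in related[1:]:
            joined = combine(joined, g)
        width = max(width, len(joined[0]))
        factors.append(marginalize(joined, var, agg))
    value = 1.0
    for _, ft in factors:            # only constant (empty-scope) factors remain
        value *= ft[()]
    return value, width


# Hand-picked elimination sequence (an assumption of this example, not from the slides).
ORDER = ["RA", "IA", "Y2", "EV", "Yt", "Y4", "Y1", "Y3", "EA", "US", "FA"]

if __name__ == "__main__":
    for name, agg in (("P(t)", sum), ("Pmax(t)", max)):
        exact, count = direct(FACTORS, agg)
        local, width = fusion(FACTORS, ORDER, agg)
        print(f"{name}: direct {exact:.6f} over 2^{count.bit_length() - 1} assignments, "
              f"fusion {local:.6f} with largest factor 2^{width}")
```

Both routes give the same value because × distributes over + and over max; the difference is that `direct` touches all $2^{11}$ assignments while `fusion` never builds a table larger than $2^5$. A shorter sequence may exist for this graph; as the closing slide notes, finding the best one is NP-complete in general.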
Wrap Up
Summary
security model: ADTree
dependency model: Bayesian network
constraint reasoning: fusion
→ probabilistic assessment of attack–defense scenarios with dependencies
Addressing Challenges
1 How to design the appropriate formalism?
- used by industry, intuitive & well formalized
- security model and dependency network are kept separated
2 How to ensure that calculations reflect the reality?
- real-life data take dependencies into account
- complement the ADTree with additional information
3 How to guarantee the efficiency of the evaluation?
- local computation algorithms
- existing software tools, well-known heuristics
Where to take it from here?
- Find the best elimination sequence for Bayesian ADTrees: NP-complete in general; prediction is possible for specific families of graphs
- Extend to probability distributions: probability dependent on time
- Interface ADTool [QEST’13] with Nenok: automated probability assessment of large scale scenarios
Thank you for your attention!
Follow Up Project
Attack–Defense Trees: Theory Meets Practice, 2014–2017
Ph.D. vacancy: http://satoss.uni.lu/vacancies/phd2014.php
Contact information: Barbara Kordy [email protected]
References
Bruce Schneier. Attack Trees. Dr. Dobb’s Journal of Software Tools, 24(12):21–29, 1999.
Barbara Kordy, Sjouke Mauw, Matthijs Melissen, and Patrick Schweitzer. Attack–Defense Trees and Two-Player Binary Zero-Sum Extensive Form Games Are Equivalent. In Tansu Alpcan, Levente Buttyán, and John S. Baras, editors, Decision and Game Theory for Security (GameSec 2010), volume 6442 of LNCS, pages 245–256. Springer, 2010.
Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer. Foundations of Attack–Defense Trees. In Pierpaolo Degano, Sandro Etalle, and Joshua Guttman, editors, Formal Aspects of Security and Trust (FAST 2010), volume 6561 of LNCS, pages 80–95. Springer, 2011.
Marc Pouly. Nenok - a software architecture for generic inference. International Journal on Artificial Intelligence Tools, 19(1):65–99, 2010.
Barbara Kordy, Marc Pouly, and Patrick Schweitzer. Computational Aspects of Attack–Defense Trees. In P. Bouvry, M. A. Klopotek, F. Leprevost, M. Marciniak, A. Mykowiecka, and H. Rybinski, editors, Security & Intelligent Information Systems (SIIS 2011), volume 7053 of LNCS, pages 103–116. Springer, 2012.
Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer. Attack–Defense Trees. Journal of Logic and Computation (JLC), 24(1):55–87, 2014.
Barbara Kordy, Piotr Kordy, Sjouke Mauw, and Patrick Schweitzer. ADTool: Security Analysis with Attack–Defense Trees. In Kaustubh R. Joshi, Markus Siegle, Mariëlle Stoelinga, and Pedro R. D’Argenio, editors, Quantitative Evaluation of Systems (QEST 2013), volume 8054 of LNCS, pages 173–176. Springer, 2013.
Alessandra Bagnato, Barbara Kordy, Per Håkon Meland, and Patrick Schweitzer. Attribute Decoration of Attack–Defense Trees. International Journal of Secure Software Engineering (IJSSE), 3(2):1–35, 2012. [IGI Global’s 2012 Best Article Award]
Barbara Kordy, Sjouke Mauw, and Patrick Schweitzer. Quantitative Questions on Attack–Defense Trees. In Taekyoung Kwon, Mun-Kyu Lee, and Daesung Kwon, editors, Information Security and Cryptology (ICISC 2012), volume 7839 of LNCS, pages 49–64. Springer, 2013.
Barbara Kordy, Marc Pouly, and Patrick Schweitzer. A Probabilistic Framework for Security Scenarios with Dependent Actions. 2014. Under review.
Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer. DAG-Based Attack and Defense Modeling: Don’t Miss the Forest for the Attack Trees. 2013. Under submission, pre-print available at http://arxiv.org/abs/1303.7397.