Probabilistic Assessment of Security Scenarios –Challenges and Solutions

Barbara Kordy

Joint work with Marc Pouly, Patrick Schweitzer

INRIA Rennes, May 16, 2014

Formal Methods and Security seminar

Who am I?

2005–2008 Ph.D. Student and Moniteur, Université d’Orléans, FranceAutomates pour l’Analyse de Documents XML Compressés, Applications à la Sécurité d’Accès

2009–2014 Research Associate, University of LuxembourgFormal methods for modeling and analysis of real-life security problems

Barbara Kordy 2

Probabilistic Assessment of Security Scenarios

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

Barbara Kordy 3

Outline

1 Attack–defense Trees

2 Probabilistic Evaluation

3 Efficiency Considerations

4 Wrap Up

Barbara Kordy 4

Attack–defense Trees

Modeling Security Scenarios

Attack–defense tree (ADTree) [FAST’10]

Tree-like representation of an attack–defense scenario depicting:How to attack a systemHow to protect against an attack

Extend the industrially recognized model of attack trees [Schneier’99]

Integrate

Intuitive representation features [IJSSE’12, ICISC’12]Formal analysis techniques [GameSec’10, SIIS’11, JLC’14]Software application ADTool [QEST’13]

Barbara Kordy 5

Attack–defense Trees

Example: ADTree for Infecting a Computer

infect computer

virus on system

e-mail with attachment USB stick antivirus

install antivirus run antivirus

fake antivirus

execute virus

Barbara Kordy 6

Attack–defense Trees

Propositional Semantics for ADTrees [SIIS’11]

B – the set of non-refined nodes of ADTree t

x ∈ {0, 1}B encodes whether actions from B succeed or notAction A ∈ B succeeds if x(A) = 1Action A ∈ B does not succeed if x(A) = 0

Boolean function ft for t

ft : {0, 1}B → {0, 1} associates a Boolean value ft(x) ∈ {0, 1}with each vector x ∈ {0, 1}B

x is called an attack vector if ft(x) = 1

Barbara Kordy 7

Attack–defense Trees

ADTrees as Boolean Functions

Domain of ft is composed of the non-refined nodes of t

Non-refined OR AND Countermeasure

A

t

t' t''

t

t' t''

t'

t''

ft(A) = A ft = ft′ ∨ ft′′ ft = ft′ ∧ ft′′ ft = ft′ ∧ ¬ft′′

Barbara Kordy 8

Attack–defense Trees

Example: Boolean Function for Infecting a Computer

infect computer

virus on system

e-mail with attachment USB stick antivirus

install antivirus run antivirus

fake antivirus

execute virus

ft =(

(XEA ∨ XUS) ∧ ¬(XIA ∧ (XRA ∧ ¬XFA)

))∧ XEV

Barbara Kordy 9

Attack–defense Trees

Example: Attack Vector

infect computertrue

virus on systemtrue

e-mail with attachmenttrue

USB stickfalse

antivirusfalse

install antivirustrue

run antivirusfalse

fake antivirusfalse

execute virustrue

ft =(

(XEA ∨ XUS) ∧ ¬(XIA ∧ (XRA ∧ ¬XFA)

))∧ XEV

attack vector 1 0 1 0 0 1Barbara Kordy 10

Attack–defense Trees

Importance of Probabilities

Knowing the probabilities of particular attacks allow us to

Identify the most vulnerable componentsDetermine the strategic pointsDecide which defensive measures to implement

Barbara Kordy 11

Attack–defense Trees

Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]

Probability of adisjunctive subtree

Probability of aconjunctive subtree

Probability of acountered subtree

attack

x y

attack

x y

x

y

x + y − xy xy x(1− y)

Similarly for subtrees rooted in a defense node

Barbara Kordy 12

Attack–defense Trees

Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]

Probability of adisjunctive subtree

Probability of aconjunctive subtree

Probability of acountered subtree

attack

x y

attack

x y

x

y

x + y − xy

xy x(1− y)

Similarly for subtrees rooted in a defense node

Barbara Kordy 12

Attack–defense Trees

Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]

Probability of adisjunctive subtree

Probability of aconjunctive subtree

Probability of acountered subtree

attack

x y

attack

x y

x

y

x + y − xy xy

x(1− y)

Similarly for subtrees rooted in a defense node

Barbara Kordy 12

Attack–defense Trees

Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]

Probability of adisjunctive subtree

Probability of aconjunctive subtree

Probability of acountered subtree

attack

x y

attack

x y

x

y

x + y − xy xy x(1− y)

Similarly for subtrees rooted in a defense node

Barbara Kordy 12

Attack–defense Trees

Bottom-Up Evaluation of Probability on ADTrees [ICISC’12]

Probability of adisjunctive subtree

Probability of aconjunctive subtree

Probability of acountered subtree

attack

x y

attack

x y

x

y

x + y − xy xy x(1− y)

Similarly for subtrees rooted in a defense node

Barbara Kordy 12

Attack–defense Trees

Example: Probability for Infecting a Computer

infect computer0.669375

virus on system0.74375

e-mail with attachment0.5

USB stick0.75

antivirus0.15000000000000002

install antivirus0.8

run antivirus0.25

fake antivirus0.25

execute virus0.9

Barbara Kordy 13

Attack–defense Trees

Limitations

The bottom-up procedure does not take dependencies betweenactions into account.

However, in practiceInstalling and running an antivirusDistributing and executing a virus

are not independent actions.

Thus, the standard bottom-up evaluation is not suitable for probabilisticassessment of attack–defense trees.

Barbara Kordy 14

Attack–defense Trees

Challenges

1 How to design the appropriate formalism?

2 How to ensure that calculations reflect the reality?

3 How to guarantee the efficiency of the evaluation?

Barbara Kordy 15

Probabilistic Evaluation

Proposed Framework [iFM’14]

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

Barbara Kordy 16

Probabilistic Evaluation

Proposed Framework [iFM’14]

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

Barbara Kordy 16

Probabilistic Evaluation

Proposed Framework [iFM’14]

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

Barbara Kordy 16

Probabilistic Evaluation

Modeling Probability of Dependent Actions

Bayesian networkA directed, acyclic graph that reflects the conditional interdependenciesbetween variables associated with the nodes of the network

Dependent variables Conditional probability table for Y

X Y

p(Y = 1|X = 1) = 0.7p(Y = 1|X = 0) = 0.2p(Y = 0|X = 1) = 0.3p(Y = 0|X = 0) = 0.8

Barbara Kordy 17

Probabilistic Evaluation

Constructing Bayesian Network BNt for ADTree t

From an ADTreet – ADTreeB – set of all non-refined nodes of t

To a Bayesian networkElements of B are nodes of the Bayesian network BNt

Relations between actions are depicted by edges in BNt

Conditional probability tables quantify dependencies between actions

Barbara Kordy 18

Probabilistic Evaluation

Example: BNt for Infecting a Computer ADTree

e-mail with attachment

execute virusfake antivirus

USB stick

p(XUS = 1|XFA = 1) = 0.4p(XUS = 1|XFA = 0) = 0.5

p(XEV = 1|XEA = 1,XUS = 1) = 0.9p(XEV = 1|XEA = 1,XUS = 0) = 0.2p(XEV = 1|XEA = 0,XUS = 1) = 0.8p(XEV = 1|XEA = 0,XUS = 0) = 0.1

p(XEA = 1|XFA = 1) = 0.9p(XEA = 1|XFA = 0) = 0.5

p(XFA = 1) = 0.3

install antivirus run antivirusp(XIA = 1) = 0.6 p(XRA = 1|XIA = 1) = 0.9

p(XRA = 1|XIA = 0) = 0.0

Barbara Kordy 19

Probabilistic Evaluation

Joint Probability Distribution for the Network BNt

e-mail with attachment

execute virusfake antivirus

USB stick

install antivirus run antivirus

p(XEA,XUS,XIA,XRA,XFA,XEV) =

p(XEV|XEA,XUS)×p(XEA|XFA)×p(XUS|XFA)×p(XFA)×p(XRA|XIA)×p(XIA)

Barbara Kordy 20

Probabilistic Evaluation

Propositional Semantics Using Algebraic Operations

Non-refined OR AND Countermeasure

A

t

t' t''

t

t' t''

t'

t''

ft(A) = A ft = ft′ ∨ ft′′ ft = ft′ ∧ ft′′ ft = ft′ ∧ ¬ft′′

idA max{ft′ , ft′′} ft′ × ft′′ ft′ × (1− ft′′)

Barbara Kordy 21

Probabilistic Evaluation

Propositional Semantics Using Algebraic Operations

Non-refined OR AND Countermeasure

A

t

t' t''

t

t' t''

t'

t''

ft(A) = A ft = ft′ ∨ ft′′ ft = ft′ ∧ ft′′ ft = ft′ ∧ ¬ft′′

idA max{ft′ , ft′′} ft′ × ft′′ ft′ × (1− ft′′)

Barbara Kordy 21

Probabilistic Evaluation

Probability Computation

x ∈ {0, 1}B – vector of successful/unsuccessful actions

Probability of attack vector x

ft(x)× p(x)

Probability related to ADTree t

P(t) =∑

x∈{0,1}Bft(x)× p(x)

Probability of the most probable attack vector

Pmax(t) = maxx∈{0,1}B

ft(x)× p(x)

Barbara Kordy 22

Probabilistic Evaluation

Compatibility Results [iFM’14]

TheoremProbability computations on propositionally equivalent ADTrees yield thesame result.

ObservationFor ADTree t without dependent actions, P(t) coincides with the resultof the bottom-up computation.

Barbara Kordy 23

Efficiency Considerations

Efficiency Problems

P(t) =∑

x∈{0,1}Bft(x)× p(x) Pmax(t) = max

x∈{0,1}Bft(x)× p(x)

The number of configurations x grows exponentially with the numberof involved actions. For large systems, it is therefore not feasible to

Enumerate all the values of ftEnumerate all the values of the joint probability distribution for BNt

Barbara Kordy 24

Efficiency Considerations

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 25

Efficiency Considerations

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 25

Efficiency Considerations

Local Indicators

ft =(

(XEA ∨ XUS)︸ ︷︷ ︸Y1

∧¬(XIA ∧ (XRA ∧ ¬XFA)︸ ︷︷ ︸

Y2

)︸ ︷︷ ︸

Y3

)

︸ ︷︷ ︸Y4

∧ XEV

︸ ︷︷ ︸Yt

φ1(Y1,XEA,XUS) = 1 exactly if Y1 = max{XEA,XUS}φ2(Y2,XRA,XFA) = 1 exactly if Y2 = XRA × (1− XFA)

φ3(Y3,XIA,Y2) = 1 exactly if Y3 = XIA × Y2

φ4(Y4,Y1,Y3) = 1 exactly if Y4 = Y1 × (1− Y3)

φ5(Yt ,Y4,XEV) = 1 exactly if Yt = Y4 × XEV

Barbara Kordy 26

Efficiency Considerations

Global indicator function φt for ADTree t

Domain of φt :Non-refined nodes of tInner variables of all local indicators

Global indicator function φt = product of all local indicators φi

φt(

Y=inner variables︷ ︸︸ ︷Y1,Y2,Y3,Y4,Yt ,

B=non-refined nodes︷ ︸︸ ︷XEA,XUS,XIA,XRA,XFA,XEV) =

φ1(Y1,XEA,XUS)× φ2(Y2,XRA,XFA)× φ3(Y3,XIA,Y2)×φ4(Y4,Y1,Y3)× φ5(Yt ,Y4,XEV)

Φt indicates valid assignments with respect to ft

Barbara Kordy 27

Efficiency Considerations

Important Property

TheoremConsider an ADTree t over the set of non-refined nodes B and the globalindicator function φt with the set of inner variables Y.

∀x ∈ {0, 1}B ∃!y ∈ {0, 1}Y , such that φt(y, x) = 1

Corollary: ∀x ∈ {0, 1}B

maxy∈{0,1}Y

φt(y, x) =∑

y∈{0,1}Yφt(y, x) = 1

Barbara Kordy 28

Efficiency Considerations

Filtering Interesting Assignments of φt

t

A B

φt(Yt = 1,XA = 1,XB = 1) = 1φt(Yt = 1,XA = 1,XB = 0) = 1φt(Yt = 1,XA = 0,XB = 1) = 1φt(Yt = 0,XA = 0,XB = 0) = 1

We are only interested in assignments such that φt = 1 and Yt = 1

Yt × φt(y, x)

Barbara Kordy 29

Efficiency Considerations

Expressing ft with its Global Indicator

∀x ∈ {0, 1}B : maxy∈{0,1}Y

φt(y, x) =∑

y∈{0,1}Yφt(y, x) = 1

∀x ∈ {0, 1}B

maxy∈{0,1}Y

(Yt × φt(y, x)

)=

∑y∈{0,1}Y

(Yt × φt(y, x)

)=

= ft(x) =

{1, if x is an attack vector0, otherwise

Barbara Kordy 30

Efficiency Considerations

Factorized Form for Probability Formulas

Probability of attack vector x

ft(x)× p(x) = maxy∈{0,1}Y

(Yt × φt(y, x)× p(x)

)

Probability related to ADTree t

P(t) =∑

x∈{0,1}Bft(x)× p(x) =

∑(y,x)∈{0,1}Y∪B

(Yt × φt(y, x)× p(x)

)

Probability of the most probable attack vector

Pmax(t) = maxx∈{0,1}B

ft(x)× p(x) = max(y,x)∈{0,1}Y∪B

(Yt × φt(y, x)× p(x)

)Barbara Kordy 31

Efficiency Considerations

Our Framework in the Context of Semiring Theory

Inference problem over the arithmetic semiring 〈R,+,×〉

P(t) =∑

(y,x)∈{0,1}Y∪B

(Yt × φt(y, x)× p(x)

)

Inference problem over the product t-norm semiring 〈[0, 1],max,×〉

Pmax(t) = max(y,x)∈{0,1}Y∪B

(Yt × φt(y, x)× p(x)

)

Barbara Kordy 32

Efficiency Considerations

Local Computation

Powerful local computation algorithms

FusionVariable elimination

}smart distributivity

P(t) Complexity bound Using Nenok tool [IJAIT’10]

Direct computation 211 3.422sec

Using fusion 25 0.031sec

Complexity bounded by a structural parameter of the problem

Barbara Kordy 33

Wrap Up

Summary

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 34

Wrap Up

Summary

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 34

Wrap Up

Summary

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 34

Wrap Up

Summary

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 34

Wrap Up

Summary

security modelADTree

dependency modelBayesian network

probabilistic assessmentof attack–defense scenarios

with dependencies

constraintreasoningfusion

Barbara Kordy 34

Wrap Up

Addressing Challenges

1 How to design the appropriate formalism?

Used by industry, intuitive & well formalizedSecurity model and dependency network are kept separated

2 How to ensure that calculations reflect the reality?

Real-life data take dependencies into accountComplement ADTree with additional information

3 How to guarantee the efficiency of the evaluation?

Local computation algorithmsExisting software tools, well-known heuristics

Barbara Kordy 35

Wrap Up

Addressing Challenges

1 How to design the appropriate formalism?

Used by industry, intuitive & well formalizedSecurity model and dependency network are kept separated

2 How to ensure that calculations reflect the reality?

Real-life data take dependencies into accountComplement ADTree with additional information

3 How to guarantee the efficiency of the evaluation?

Local computation algorithmsExisting software tools, well-known heuristics

Barbara Kordy 35

Wrap Up

Addressing Challenges

1 How to design the appropriate formalism?

Used by industry, intuitive & well formalizedSecurity model and dependency network are kept separated

2 How to ensure that calculations reflect the reality?Real-life data take dependencies into accountComplement ADTree with additional information

3 How to guarantee the efficiency of the evaluation?

Local computation algorithmsExisting software tools, well-known heuristics

Barbara Kordy 35

Wrap Up

Addressing Challenges

1 How to design the appropriate formalism?

Used by industry, intuitive & well formalizedSecurity model and dependency network are kept separated

2 How to ensure that calculations reflect the reality?Real-life data take dependencies into accountComplement ADTree with additional information

3 How to guarantee the efficiency of the evaluation?

Local computation algorithmsExisting software tools, well-known heuristics

Barbara Kordy 35

Wrap Up

Where to take it from here?

Find the best elimination sequence for Bayesian ADTreesNP-complete in generalPrediction is possible for specific families of graphs

Extend to probability distributionsProbability dependent on time

Interface ADTool [QEST’13] with NenokAutomated probability assessment of large scale scenarios

Barbara Kordy 36

Thank you for your attention!

Follow Up Project

Attack–Defense Trees: Theory Meets Practice2014–2017

Ph.D. vacancy:http://satoss.uni.lu/vacancies/phd2014.php

Contact information:Barbara Kordy barbara.kordy@uni.lu

Barbara Kordy 37

References

References I

Bruce Schneier.Attack Trees.Dr. Dobb’s Journal of Software Tools, 24(12):21–29, 1999.

Barbara Kordy, Sjouke Mauw, Matthijs Melissen, and Patrick Schweitzer.Attack–Defense Trees and Two-Player Binary Zero-Sum Extensive Form Games AreEquivalent.In Tansu Alpcan, Levente Buttyán, and John S. Baras, editors, Decision and Game Theoryfor Security (GameSec 2010), volume 6442 of LNCS, pages 245–256. Springer, 2010.

Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer.Foundations of Attack–Defense Trees.In Pierpaolo Degano, Sandro Etalle, and Joshua Guttman, editors, Formal Aspects ofSecurity and Trust (FAST 2010), volume 6561 of LNCS, pages 80–95. Springer, 2011.

Marc Pouly.Nenok - a software architecture for generic inference.International Journal on Artificial Intelligence Tools, 19(1):65–99, 2010.

Barbara Kordy 38

References

References II

Barbara Kordy, Marc Pouly, and Patrick Schweitzer.Computational Aspects of Attack–Defense Trees.In P. Bouvry, M. A. Klopotek, F. Leprevost, M. Marciniak, A. Mykowiecka, andH. Rybinski, editors, Security & Intelligent Information Systems (SIIS 2011), volume 7053of LNCS, pages 103–116. Springer, 2012.

Barbara Kordy, Sjouke Mauw, Saša Radomirović, and Patrick Schweitzer.Attack–Defense Trees.Journal of Logic and Computation (JLC), 24(1):55–87, 2014.

Barbara Kordy, Piotr Kordy, Sjouke Mauw, and Patrick Schweitzer.ADTool: Security Analysis with Attack–Defense Trees.In Kaustubh R. Joshi, Markus Siegle, Mariëlle Stoelinga, and Pedro R. D’Argenio, editors,Quantitative Evaluation of Systems (QEST 2013), volume 8054 of LNCS, pages 173–176.Springer, 2013.

Alessandra Bagnato, Barbara Kordy, Per Håkon Meland, and Patrick Schweitzer.Attribute Decoration of Attack–Defense Trees.International Journal of Secure Software Engineering (IJSSE), 3(2):1–35, 2012.[IGI Global’s 2012 Best Article Award].

Barbara Kordy 39

References

References III

Barbara Kordy, Sjouke Mauw, and Patrick Schweitzer.Quantitative Questions on Attack–Defense Trees.In Taekyoung Kwon, Mun-Kyu Lee, and Daesung Kwon, editors, Information Security andCryptology (ICISC 2012), volume 7839 of LNCS, pages 49–64. Springer, 2013.

Barbara Kordy, Marc Pouly, and Patrick Schweitzer.A Probabilistic Framework for Security Scenarios with Dependent Actions.2014.Under review.

Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer.DAG-Based Attack and Defense Modeling: Don’t Miss the Forest for the Attack Trees.2013.Under submission, pre-print available at http://arxiv.org/abs/1303.7397.

Barbara Kordy 40