A Simulation-Driven Approach for Assessing Risks of Complex Systems
Fabrizio Baiardi (1), Claudio Telmon (1), Daniele Sgandurra (2)
(1) Dipartimento di Informatica, Università di Pisa, Italy
(2) Istituto di Informatica e Telematica, CNR, Pisa, Italy
13th European Workshop on Dependable Computing, 11 May 2011
Slide 1/29. Fabrizio Baiardi, Claudio Telmon, Daniele Sgandurra, Università di Pisa, IIT-CNR
Outline
1. Complex Systems
2. A Simulation-Based Approach
3. Current Prototype
4. Conclusions
Complexity of Attacks
- In the past: direct attacks, e.g., ping-of-death.
- Nowadays: complex attacks or attack plans, i.e. multi-step attacks: modem + router + firewall + IDS + server + virtualization layer.
- Example: a VMware guest-to-host escape requires 18 steps (BHUSA09, Cloudburst); 12 steps to defeat Vista Data Execution Prevention.
- Advanced persistent threat (APT): "a group with both the capability and the intent to persistently and effectively target a specific entity".
Current Approaches to Model Complex Attacks
Need to consider all the possible states (à la model checking):
1. a vulnerability has not been discovered;
2. a vulnerability has been discovered;
3. a vulnerability has been discovered but is unknown;
4. the vulnerability is known;
5. the vulnerability is known and a threat can exploit it;
6. ...
Markov chain-based approaches: need to consider all the transitions, which depend upon:
- strategies of the threats;
- correlations among vulnerabilities.
State explosion. High complexity.
Analytical Models
Existing analytical models cannot predict distributions, because of:
- systemic factors: vulnerabilities; relations among components;
- complex threat models: knowledge; expertise in the implementation of attacks; risk aversion.
Suggested Approach
- Computation of the probabilities that attack plans are discovered and successfully implemented, and of their impacts.
- Risk management-based approach: average of impacts and probability distribution of attacks; not interested in worst-case values only.
A Simulation-Based Approach
- To model alternative implementations of a system.
- To model and anticipate the evolution of complex systems, and to compute the average impact of attacks.
- To avoid the flaw of averages when using correlated functions.
- To evaluate the impact of a vulnerability that may be discovered in the future.
Attack Graph
Formal framework to describe attack plans. Our definition: AttGr(S, ag), of a threat agent ag with respect to a system S, is a directed acyclic graph that describes all the attack plans ag can implement to achieve one of its goals:
1. each node n corresponds to a set of rights, r(n), of ag on S;
2. there is an arc from n1 to n2 labelled by at for any at where: r(n1) ⊇ pre(at), r(n2) = r(n1) ∪ post(at), and ∃ x ∈ post(at) such that x ∉ r(n1);
3. ag owns all the resources in res(at) for each attack at labelling an arc of AttGr(S, ag);
4. final nodes are the goals of the attackers.
Attack Graph: Example
[Figure: A Test Network, from "A planner-based approach to generate and analyze minimal attack graph"]
Attack Graph: Example
[Figure: An Attack Graph, from "A planner-based approach to generate and analyze minimal attack graph"]
Acquisition of Rights (1)
Our contribution: a state is a set of rights. A right is a pair <component, attribute>:
- a property of a component;
- a relation among components.
Elementary attack: <component, preconditions(at), postconditions(at)>.
Advantages:
- easier construction of the system model;
- easier to discover equivalent attack plans;
- partial knowledge of the system by the attacker;
- several attack strategies can be exploited in parallel.
Assumption: monotonicity of rights acquisition.
Acquisition of Rights (2)
- The arc from n1 to n2 models the acquisition of rights when ag owns all the rights in r(n1) and it successfully implements at.
- The acquisition of rights through a plan, i.e. a sequence of elementary attacks, is modelled by a path of the graph.
- The set of rights of ag increases any time an attack at is successful because post(at) ≠ ∅, so that for any arc from n1 to n2: r(n1) ⊂ r(n2).
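The attack-graph definition and the rights-acquisition rule above, worked as an added example that is not the authors' prototype: rights are <component, attribute> pairs, elementary attacks carry pre- and postconditions, and the graph is explored from the agent's initial rights. The system, attack names and goal are constructed for illustration; resources res(at) are assumed available and are not modelled.

```python
from collections import deque

# Constructed toy system (not the authors' test network): a right is a
# (component, attribute) pair; an attack maps name -> (pre, post) sets.
ATTACKS = {
    "scan_fw":     ({("net", "access")}, {("fw", "reach")}),
    "exploit_fw":  ({("fw", "reach")},   {("fw", "root")}),
    "pivot_srv":   ({("fw", "root")},    {("srv", "reach")}),
    "misconf_fw":  ({("fw", "reach")},   {("srv", "reach")}),  # bypasses fw root
    "exploit_srv": ({("srv", "reach")},  {("srv", "root")}),
    "redundant":   ({("fw", "root")},    {("fw", "root")}),    # adds no right: never an arc
}

def build_attack_graph(initial_rights, attacks, goal):
    """Return (nodes, arcs) of AttGr(S, ag). Arc n1 -at-> n2 exists iff
    r(n1) ⊇ pre(at) and some right of post(at) is not yet in r(n1);
    r(n2) = r(n1) ∪ post(at). Nodes holding the goal rights are final."""
    start = frozenset(initial_rights)
    nodes, arcs, todo = {start}, [], deque([start])
    while todo:
        n1 = todo.popleft()
        if goal <= n1:                # final node: goal reached, not expanded
            continue
        for at, (pre, post) in attacks.items():
            if pre <= n1 and not post <= n1:
                n2 = n1 | post
                assert n1 < n2        # monotonicity: rights only grow
                arcs.append((n1, at, n2))
                if n2 not in nodes:
                    nodes.add(n2)
                    todo.append(n2)
    return nodes, arcs

def attack_plans(arcs, initial_rights, goal):
    """Enumerate plans: attack sequences along paths from the initial node
    to a final node. Strict growth of rights makes the graph acyclic."""
    plans = []
    def walk(n, path):
        if goal <= n:
            plans.append(tuple(path))
            return
        for n1, at, n2 in arcs:
            if n1 == n:
                walk(n2, path + [at])
    walk(frozenset(initial_rights), [])
    return plans

if __name__ == "__main__":
    _, arcs = build_attack_graph({("net", "access")}, ATTACKS, {("srv", "root")})
    for plan in attack_plans(arcs, {("net", "access")}, {("srv", "root")}):
        print(" -> ".join(plan))
```

The plan list is what a defender inspects for arcs shared by many plans, which is the countermeasure-selection criterion discussed later in the deck.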
Attack Graph: Example
[Figure: An Attack Graph With Rights (r = rule: precondition → postcondition)]
Risk Assessment through a Simulator
- Simulation of the evolution of attack plans of distinct agents: detailed exploration of the space of attack plans.
- Multiple simulations return statistics on the influence of distinct sources of non-determinism in the choice/implementation of a plan:
  - the probability of discovering system vulnerabilities;
  - available information on these vulnerabilities;
  - the success probability of the agent's plans;
  - the choice among alternative attacks in a plan.
Input of the Simulator
1. a set of threat agents, each described in terms of: available resources; goals; a strategy to select attacks;
2. a set of vulnerabilities, each associated with a probability distribution of being discovered;
3. a set of elementary attacks and, for any attack: the resources it requires; the vulnerabilities that enable the attack; the success probability.
Dynamic Vulnerabilities
Vulnerabilities can be discovered or patched during the simulation:
- an arc is removed;
- an arc is added;
- the success probability of an attack is increased/decreased.
Hard to model with most of the current approaches. The attack graph is updated accordingly.
Look-Ahead Degree of the Agent
Mimics the discovery of attack plans by the agent. Useful to model advanced persistent threats.
Example: a goal node is 2 steps away:
- if look-ahead is 0: random choice among the possible attacks;
- if look-ahead is 2: choose the attack whose goal is 1 step away;
- if look-ahead is 1: choose the attack whose destination node has more rights, or with a greater probability of success; draws are resolved according to the threat model.
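The look-ahead rule as an added example, not the authors' simulator: with look-ahead 0 the choice is random; with look-ahead k the agent prefers the arc whose destination is closest to a goal within the horizon; if no goal is in sight it falls back to the greedy rule of the slide (more rights, then higher success probability). The graph, rights counts and tie-break by attack name are constructed assumptions; generalising the 1-step rule to "no goal in sight" is also an assumption.

```python
import random
from collections import deque

# Constructed graph (not the authors' example): node -> [(attack, p_success, dest)].
# From n0 the goal is 2 steps away via n2, but n1 offers more rights at once.
GRAPH = {
    "n0": [("a1", 0.9, "n1"), ("a2", 0.5, "n2")],
    "n1": [("a3", 0.4, "n3")],
    "n2": [("a4", 0.8, "goal")],
    "n3": [("a5", 0.9, "n4")],
    "n4": [("a6", 0.9, "goal")],
    "goal": [],
}
RIGHTS = {"n0": 1, "n1": 3, "n2": 2, "n3": 4, "n4": 5, "goal": 6}  # |r(n)|, assumed

def distance_to_goal(graph, node, goal, limit):
    """BFS distance from node to goal, or None if it exceeds limit steps."""
    seen, todo = {node}, deque([(node, 0)])
    while todo:
        n, d = todo.popleft()
        if n == goal:
            return d
        if d == limit:
            continue
        for _, _, m in graph[n]:
            if m not in seen:
                seen.add(m)
                todo.append((m, d + 1))
    return None

def choose_attack(graph, node, goal, look_ahead, rng=random):
    """Select the next attack from node for an agent with the given look-ahead."""
    arcs = graph[node]
    if not arcs:
        return None                      # final node or dead end
    if look_ahead == 0:
        return rng.choice(arcs)[0]       # no planning: random choice
    # goal within horizon: destination's distance must fit in look_ahead - 1
    in_sight = [(distance_to_goal(graph, m, goal, look_ahead - 1), at)
                for at, _, m in arcs]
    in_sight = [(d, at) for d, at in in_sight if d is not None]
    if in_sight:
        return min(in_sight)[1]          # closest to goal; draw -> attack name
    # no goal in sight: greedy on rights gained, then on success probability
    return max(arcs, key=lambda a: (RIGHTS[a[2]], a[1]))[0]

if __name__ == "__main__":
    for k in (0, 1, 2):
        print(k, choose_attack(GRAPH, "n0", "goal", k, random.Random(1)))
```

With look-ahead 1 the agent greedily takes a1 and commits to the long path; with look-ahead 2 it sees the goal behind n2 and takes a2, which is the behaviour the slide attributes to a more capable threat.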
Countermeasures
- Need to evaluate the effectiveness of alternative sets of countermeasures. Useful to evaluate alternative system evolutions.
- We model countermeasures as arc removals.
- Currently, the simulator returns a set of static countermeasures, i.e. arcs to be removed, taking into account:
  - cost of each countermeasure;
  - total investment in countermeasure selection;
  - number of attack plans that share an arc or an attack.