Attack–Defense Tree Methodology for Security Assessment



  1. Attack–Defense Tree Methodology for Security Assessment. Barbara Kordy. Joint work with Patrick Schweitzer, Sjouke Mauw, Saša Radomirović. Barbara Kordy, UL. ATREES project funded by National Research Fund, CORE grant No. C08/IS/26.

  2. Outline: (1) Attack–defense trees; (2) Semantics; (3) Quantitative analysis; (4) Computational complexity; (5) Attack–defense trees in practice.

  3. Outline: (1) Attack–defense trees; (2) Semantics; (3) Quantitative analysis; (4) Computational complexity; (5) Attack–defense trees in practice.

  4. Attack trees. Definition: Attack tree (ATree) – tree-like representation of an attacker’s goal recursively refined into conjunctive or disjunctive sub-goals. Methodology to describe security weaknesses of a system. Proposed by Schneier, Attack trees: Modeling Security Threats, ’99. Formalized by Mauw and Oostdijk, Foundations of Attack Trees [ICISC’05].

  5. Example: attacking a bank account. [Figure: attack tree. Legend: attack node, disjunctive refinement, conjunctive refinement. Node labels: bank account, atm, online, pin, card, password, user name, find note, eavesdrop, phishing, key logger.]

  6. Limitations of attack trees: Only attacker’s point of view. No defensive measures. No attacker/defender interactions. No evolutionary aspects.

  7. Attack–defense trees. Definition: Attack–defense tree (ADTree) – attack tree extended with possibly refined or countered defensive actions. Introduced by Kordy et al. in Foundations of Attack–Defense Trees [FAST’10].

  8. Example: attacking and defending a bank account. [Figure: attack–defense tree. Legend: attack node, defense node, disjunctive refinement, conjunctive refinement, countermeasure. Node labels: bank account, atm, online, card, pin, password, user name, find note, eavesdrop, phishing, key logger, 2nd auth. factor, key fobs, pin pad, memorize, malware, force, browser, os.]

  9. Interesting questions: Equivalent representations of the same scenario (semantics). Quantitative analysis (attributes). Computational complexity of ATrees and ADTrees (querying). Practical applications (case studies).

  10. Outline: (1) Attack–defense trees; (2) Semantics; (3) Quantitative analysis; (4) Computational complexity; (5) Attack–defense trees in practice.

  11. Semantics for ADTrees. Semantics define which ADTrees represent the same scenario. Definition: Semantics for ADTrees – equivalence relation on ADTrees. Examples: propositional semantics; semantics induced by a De Morgan lattice; multiset semantics; equational semantics.

  12. Propositional semantics for ADTrees. In the propositional semantics ADTrees represent Boolean functions.

  13. Example: propositional interpretation of an ADTree. f = (pin ∧ card) ∨ (online ∧ ¬((key fobs ∨ pin pad) ∧ ¬malware)). [Figure: ADTree with nodes bank account, atm, online, card, pin, 2nd auth. factor, key fobs, pin pad, malware.]

  14. Propositional semantics ≡_P. In the propositional semantics, ADTrees represent the same scenario if the corresponding Boolean functions are equivalent.

  15. Example: propositionally equivalent ADTrees. [Figure: left tree with nodes rob deposit box, access bank, use hammer, use hammer, use key, interpreted as (hammer ∨ key) ∧ hammer; right tree with the single node use hammer, interpreted as hammer; the two are related by ≡_P.] The two trees are equivalent in the propositional semantics, because in propositional logic we have the absorption law (hammer ∨ key) ∧ hammer ≡ hammer.

  16. Multiset semantics ≡_M. ADTrees are interpreted as sets of multisets. Each multiset represents a possible way of attacking. In the multiset semantics, ADTrees represent the same scenario if the corresponding sets of multisets are equal.

  17. Example: ADTrees not equivalent in the multiset semantics. [Figure: left tree with nodes rob deposit box, access bank, use hammer, use hammer, use key, interpreted as {{|hammer, hammer|}, {|key, hammer|}}; right tree with the single node use hammer, interpreted as {{|hammer|}}; the two are related by ≢_M.] The two trees are not equivalent in the multiset semantics, because {{|hammer, hammer|}, {|key, hammer|}} ≠ {{|hammer|}}.

  18. Different semantics – different equivalence classes. [Figure: the tree with nodes rob deposit box, access bank, use hammer, use hammer, use key and the tree with the single node use hammer are related by ≡_P but by ≢_M.] The choice of an appropriate semantics depends on considered applications and assumptions.

  19. Outline: (1) Attack–defense trees; (2) Semantics; (3) Quantitative analysis; (4) Computational complexity; (5) Attack–defense trees in practice.

  20. Motivation: quantitative analysis of an attack–defense scenario. Standard questions: What is the minimal cost of an attack? What is the expected impact of a considered attack? Is special equipment required to attack? Bivariate questions: How long does it take to secure a system when the attacker has a limited budget? How does the scenario change if both the attacker and the defender are affected by a power outage?

  21. Calculation of attributes. Bottom-up algorithm. Basic assignment – values assigned to basic actions. Attribute domain – operators specifying how to compute values for other nodes. Intuitive idea of Schneier, Attack trees: Modelling Security Threats, ’99. Formalization by Mauw and Oostdijk for attack trees, Foundations of Attack Trees [ICISC’05]. Extension to attack–defense trees by Kordy et al., Foundations of Attack–Defense Trees [FAST’10].

  22. Attribute: minimal time of an attack. Question: What is the minimal time needed to achieve a considered attack? Attribute domain: values from ℕ ∪ {∞}, where ∞ = action not under control of the attacker; (∨_A, ∧_A, ∨_D, ∧_D, c_A, c_D) = (min, +, +, min, +, min).

  23. Attribute domain for minimal time. ∨_A: min{x, y}; ∨_D: x + y; ∧_A: x + y; ∧_D: min{x, y}; c_A: x + y; c_D: min{x, y}.

  24. Example: computation of minimal time on an ADTree, with (∨_A, ∧_A, ∨_D, ∧_D, c_A, c_D) = (min, +, +, min, +, min). [Figure: tree annotated with values: root 5; its children are a node valued 2 and use hammer valued 3; the node valued 2 has children use hammer valued 3 and use key valued 2.]

  25. Semantics and attribute domains. Recall: t and t′ are equivalent in the propositional semantics. [Figure: t is the tree with root value 5 over use hammer (3), use hammer (3) and use key (2); t′ = use hammer with value 3.] time(t) = 5, time(t′) = 3. Problem: t ≡_P t′, but time(t) ≠ time(t′). Solution: Compatibility notion.

  26. Compatibility of an attribute with a semantics. Compatibility defines which semantics should be used in combination with which attribute. Definition: Attribute α is compatible with semantics ≡ for ADTrees iff ∀ t, t′ ∈ ADTrees, t ≡ t′ ⟹ α(t) = α(t′). Problem: How to check compatibility? Solution: Complete set of axioms for a semantics.

  27. Axiomatization of semantics. Definition: A set E of ADTree transformations is a complete set of axioms for a semantics for ADTrees iff equivalent ADTrees can be obtained from each other by application of transformations from E. Problem: How to find a complete set of axioms for a semantics? Solution: This is difficult...
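
The hammer example from slides 15, 17 and 24–25, worked through in Python as an added example (not part of the original deck): it checks propositional equivalence, computes the multiset semantics, and evaluates the minimal-time attribute bottom-up with the operator tuple from slide 22. The tuple encoding of trees and all function names are assumptions made for this illustration, and the multiset function is restricted to attack-only trees.

```python
from itertools import product

# Constructed encoding (an assumption, not the slides' notation): a leaf is a
# str; ("or"|"and", player, [kids]) is a refinement; ("c", player, node,
# counter) is a node countered by the other player; player is "A" or "D".
# Minimal-time domain from slide 22: (min, +, +, min, +, min).
MIN_TIME = {("or", "A"): min, ("and", "A"): sum, ("or", "D"): sum,
            ("and", "D"): min, ("c", "A"): sum, ("c", "D"): min}

def kids(t):
    return list(t[2:]) if t[0] == "c" else t[2]

def attribute(t, basic, domain=MIN_TIME):
    """Bottom-up: basic assignment at the leaves, domain operators above."""
    if isinstance(t, str):
        return basic[t]
    return domain[t[0], t[1]]([attribute(k, basic, domain) for k in kids(t)])

def leaves(t):
    return {t} if isinstance(t, str) else set().union(*map(leaves, kids(t)))

def holds(t, env):
    """Propositional semantics; a countered node is x AND NOT y."""
    if isinstance(t, str):
        return env[t]
    v = [holds(k, env) for k in kids(t)]
    if t[0] == "c":
        return v[0] and not v[1]
    return any(v) if t[0] == "or" else all(v)

def prop_equiv(t1, t2):
    names = sorted(leaves(t1) | leaves(t2))
    envs = (dict(zip(names, b)) for b in product((False, True), repeat=len(names)))
    return all(holds(t1, e) == holds(t2, e) for e in envs)

def multisets(t):
    """Multiset semantics, restricted here to attack-only trees."""
    if isinstance(t, str):
        return {(t,)}
    if t[0] == "c":
        raise ValueError("countermeasures are outside this restricted version")
    parts = [multisets(k) for k in kids(t)]
    if t[0] == "or":
        return set().union(*parts)
    return {tuple(sorted(sum(c, ()))) for c in product(*parts)}  # merge per child

T = ("and", "A", [("or", "A", ["hammer", "key"]), "hammer"])  # t on slide 25
T_PRIME = "hammer"                                             # t' on slide 25
TIMES = {"hammer": 3, "key": 2}                                # slide 24 values
print(prop_equiv(T, T_PRIME), multisets(T) == multisets(T_PRIME))  # True False
print(attribute(T, TIMES), attribute(T_PRIME, TIMES))              # 5 3
```

The two trees agree under ≡_P yet receive different minimal times, which is the incompatibility slide 25 points out; under the multiset semantics they are already distinguished.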
