Attack Trees: semi-adaptive model
Aivo Jürgenson (2, 3), Jan Willemson (1)
1 Cybernetica, Tartu, Estonia
2 Tallinn University of Technology, Tallinn, Estonia
3 Elion Enterprises Ltd, Tallinn, Estonia
1st February 2009
Jürgenson, Willemson (Estonia) Attack Trees: semi-adaptive model 1st February 2009 1 / 13

Outline of the talk
1 Introduction to multi-parameter attack trees
2 Semi-adaptive model
3 Semi-adaptive blocking model
4 Results and Questions

Attack trees (J. D. Weiss 1991, B. Schneier 1999)
[Figure: example attack tree built from ∨ and & nodes. Top node: "Obtain administrator privileges". Second row: "Obtain administrator password", "Access system console". Third row: "Enter computer center", "Look over admin shoulder", "Corrupt operator", "Guess password". Bottom row: "Encounter simple password", "Break into computer center", "Obtain password file", "Unattended guest".]

Attacker financial game (A. Buldas et al. 2006)
[Figure: decision flow of the attacker's game.]
- The attacker pays the attack preparation costs.
- Preventive security broken? yes with probability $p$, no with probability $1 - p$.
- If yes: gains from the attack. Attacker caught? yes ($q^+$): Penalties+ paid, Outcome = −Cost + Gains − Penalties+; no ($1 - q^+$): Outcome = −Cost + Gains.
- If no: Attacker caught? yes ($q^-$): Penalties− paid, Outcome = −Cost − Penalties−; no ($1 - q^-$): Outcome = −Cost.

Multi-parameter Attack Trees (A. Buldas et al., 2006)
- Gains – the value gained from the successful attack
- $\mathrm{Cost}_i$ – the cost of the elementary attack, $p_i$ – success probability
- $\pi_i^- = q_i^- \cdot \mathrm{Penalty}^-$ – the expected penalty, unsuccessful attack $i$
- $\pi_i^+ = q_i^+ \cdot \mathrm{Penalty}^+$ – the expected penalty, successful attack $i$

$$(\mathrm{Cost}, p, \pi^+, \pi^-) = \begin{cases} (\mathrm{Cost}_1, p_1, \pi_1^+, \pi_1^-), & \text{if } \mathrm{Outcome}_1 > \mathrm{Outcome}_2 \\ (\mathrm{Cost}_2, p_2, \pi_2^+, \pi_2^-), & \text{if } \mathrm{Outcome}_1 \le \mathrm{Outcome}_2 \end{cases}$$

$$\mathrm{Outcome}_i = p_i \cdot \mathrm{Gains} - \mathrm{Cost}_i - p_i \cdot \pi_i^+ - (1 - p_i) \cdot \pi_i^-$$

$$\mathrm{Cost} = \mathrm{Cost}_1 + \mathrm{Cost}_2, \quad p = p_1 \cdot p_2, \quad \pi^+ = \pi_1^+ + \pi_2^+,$$

$$\pi^- = \frac{p_1 (1 - p_2)(\pi_1^+ + \pi_2^-) + (1 - p_1)\, p_2\, (\pi_1^- + \pi_2^+)}{1 - p_1 p_2} + \frac{(1 - p_1)(1 - p_2)(\pi_1^- + \pi_2^-)}{1 - p_1 p_2}$$

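The bottom-up computation these rules define, as an added example that is not from the slides. It assumes the case rule applies at OR-nodes and the sum/product rule at AND-nodes (the slide does not label them); the tree, Gains and leaf parameters are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Params:
    cost: float      # Cost
    p: float         # success probability
    pi_plus: float   # expected penalty if the attack succeeds
    pi_minus: float  # expected penalty if the attack fails

def outcome(n, gains):
    # Outcome = p*Gains - Cost - p*pi+ - (1-p)*pi-
    return n.p * gains - n.cost - n.p * n.pi_plus - (1 - n.p) * n.pi_minus

def or_node(a, b, gains):
    # Assumed OR rule: keep the child with the strictly larger outcome, else the second.
    return a if outcome(a, gains) > outcome(b, gains) else b

def and_node(a, b):
    # Assumed AND rule: costs and pi+ add, probabilities multiply, and pi- is
    # the expected penalty conditioned on at least one child failing.
    p = a.p * b.p
    fail = 1 - p
    num = (a.p * (1 - b.p) * (a.pi_plus + b.pi_minus)
           + (1 - a.p) * b.p * (a.pi_minus + b.pi_plus)
           + (1 - a.p) * (1 - b.p) * (a.pi_minus + b.pi_minus))
    pi_minus = num / fail if fail > 0 else 0.0  # p == 1: failure never happens
    return Params(a.cost + b.cost, p, a.pi_plus + b.pi_plus, pi_minus)

def evaluate(tree, gains):
    # A tree is either a leaf (Params) or a tuple (op, left, right).
    if isinstance(tree, Params):
        return tree
    op, left, right = tree
    l, r = evaluate(left, gains), evaluate(right, gains)
    return or_node(l, r, gains) if op == "OR" else and_node(l, r)

# Constructed sample data (not from the slides).
GAINS = 1000.0
A = Params(100.0, 0.5, 20.0, 10.0)
B = Params(50.0, 0.8, 10.0, 40.0)
C = Params(200.0, 0.9, 30.0, 5.0)
TREE = ("OR", ("AND", A, B), C)

if __name__ == "__main__":
    root = evaluate(TREE, GAINS)
    print(root, outcome(root, GAINS))
```
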
Attacker adaptiveness
Current models all assume that all attacks take place simultaneously. In real life, the attacker has the option to choose a different strategy during the execution of the attack tree, after some elementary attack succeeds or fails.
- Full-adaptive model: the attacker can choose any not-yet-used attack for the next step. Rather complicated to analyze; we will not go there.
- Semi-adaptive model: the attacker fixes the order of the attacks, and has the option to skip some attacks from the previously fixed order.

Semi-adaptive model
Simplified attacker actions:
- Create the attack tree $F$ with the set of elementary attacks $X = \{X_1, X_2, \ldots, X_n\}$.
- Choose a subset $S \subseteq X$ and create the subtree, i.e. choose one possible way of realizing the attack tree $F$.
- Choose the permutation $\alpha$ for the subset $S$, i.e. choose the order of the attacks, e.g. $\alpha = \{X_2, X_3, X_1\}$.
- Evaluate the outcome of the subtree $S$ and permutation $\alpha$.
- Choose the maximum outcome over all different combinations of permutations $\alpha$ and subtrees $S$.

Evaluating the outcome of attack tree

$$\mathrm{Outcome}_{\text{semiadaptive}} = \max\{\mathrm{Outcome}_\alpha : S \subseteq X,\ F(S := \text{true}) = \text{true},\ \alpha\}$$

$$\mathrm{Outcome}_\alpha = p_\alpha \cdot \mathrm{Gains} - \sum_{i=1}^{n} p_{\alpha,i} \cdot \mathrm{Expenses}_i$$
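
An added example (not from the slides) that evaluates the semi-adaptive outcome by enumerating every subset S and order α for a constructed three-attack tree. Assumptions, none of which the slide defines: Expenses_i bundles the cost and expected penalties of attack i, p_{α,i} is the probability that X_i is actually tried, and an attack is skipped once its result can no longer change F.

```python
from itertools import combinations, permutations, product

GAINS = 1000.0
# Constructed sample data: name -> (success probability p_i, Expenses_i).
ATTACKS = {"X1": (0.5, 100.0), "X2": (0.8, 50.0), "X3": (0.9, 300.0)}

def F(x):
    """Constructed tree (X1 AND X2) OR X3; attacks missing from x count as failed."""
    return bool((x.get("X1") and x.get("X2")) or x.get("X3"))

def influences(known, i, later):
    """Assumed skip rule: X_i is tried only if, for some results of the
    later attacks in the order, its own result changes the value of F."""
    for bits in product((False, True), repeat=len(later)):
        env = {**known, **dict(zip(later, bits))}
        if F({**env, i: True}) != F({**env, i: False}):
            return True
    return False

def outcome_alpha(alpha, pos=0, known=None, prob=1.0):
    """Outcome_alpha = p_alpha*Gains - sum_i p_{alpha,i}*Expenses_i, accumulated
    over every success/failure branch of the fixed order alpha."""
    known = known or {}
    if pos == len(alpha):
        return prob * GAINS if F(known) else 0.0
    i = alpha[pos]
    if not influences(known, i, alpha[pos + 1:]):
        return outcome_alpha(alpha, pos + 1, {**known, i: False}, prob)  # skipped
    p, expenses = ATTACKS[i]
    return (-prob * expenses
            + outcome_alpha(alpha, pos + 1, {**known, i: True}, prob * p)
            + outcome_alpha(alpha, pos + 1, {**known, i: False}, prob * (1 - p)))

def semi_adaptive():
    """Maximum over subsets S with F(S := true) = true and all orders alpha of S."""
    best = (float("-inf"), ())
    for r in range(1, len(ATTACKS) + 1):
        for S in combinations(sorted(ATTACKS), r):
            if F(dict.fromkeys(S, True)):
                for alpha in permutations(S):
                    best = max(best, (outcome_alpha(alpha), alpha))
    return best

if __name__ == "__main__":
    print(semi_adaptive())
```

With these sample values the best single realization is X3 alone, while the best ordered plan tries X1, then X2, and falls back to X3 only when needed, which is the gain the semi-adaptive model is meant to capture.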