Introduction State of the art Hybrid Risk Assessment Model Conclusion

Hybrid Risk Assessment Model based on Bayesian Networks

François-Xavier Aguessy, Olivier Bettan, Grégory Blanc, Vania Conan, and Hervé Debar
francois-xavier.aguessy@telecom-sudparis.eu
Thales Communications & Security, Paris, France
Télécom SudParis, Institut Mines-Télécom, Évry, France

IWSEC 2016, Tokyo, September 12th, 2016

François-Xavier Aguessy, Hybrid Risk Assessment Model based on Bayesian Networks, 1 / 20
Outline
1 Introduction
2 State of the art
3 Hybrid Risk Assessment Model
4 Conclusion
Introduction
Context:
- Increase in the number and complexity of attacks.
- Need means to know which attacks can happen, which are happening, and how to prevent them.
Goal: modelling multi-step attacks for Dynamic Risk Assessment.
- Assess the level of security of an information system according to security alerts.
- Determine the attacks that are currently happening.
- Know how the attacker arrived here and what he could do next.
- Models based on attack graphs.
Outline
1 Introduction
2 State of the art
  Attack Graphs
  Dynamic Risk Assessment models
  Cycle problem
3 Hybrid Risk Assessment Model
4 Conclusion
Attack graphs
First representation of network attacks. Several formalisms are regrouped under the name "Attack Graph".
Logical attack graphs:
- AND/OR directed graph,
- Nodes are logical facts reachable by an attacker,
- Leaves represent the preconditions used to achieve goals.
Topological attack graphs:
- Based on logical attack graphs,
- More concise and understandable,
- Nodes are machines or IP addresses linked by attack steps.
Attack graphs: example of a logical attack graph (one node per line, as listed on the slide)
17:hacl(internet,webServer,tcp,80):1
18:attackerLocated(internet):1
16:RULE 6 (direct network access):0
15:netAccess(webServer,tcp,80):0
20:vulExists(webServer,'CAN-2002-0392',httpd,remoteExploit,privEscalation):1
14:RULE 2 (remote exploit of a server program):0
13:execCode(webServer,apache):0
Attack graphs: [figure of a topological attack graph with host nodes H1, H2, H3]
Dynamic Risk Assessment models
Attack graphs:
✓ Technology mastered,
✓ Contain an accurate description of multi-step attacks,
× Not created to model on-going attacks (no nodes for detection/alerts, no position of the attacker).
Attack nets:
✓ Concurrency and progress of several attacks,
× The attacker cannot be in several places (several privileges) at once,
× Difficult to add tokens (representing alerts) at runtime.
Bayesian attack graphs:
✓ Powerful tools to compute and propagate probabilities,
✓ More expressive description of attacks (no more AND/OR),
× Size of the Conditional Probability Tables,
× Management of cycles (Bayesian networks need acyclic graphs).
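Added example (not from the slides or the authors' tool): the logical attack graph listed on the Attack graphs slide encoded as AND/OR nodes, with a fixed-point reachability check for the attacker's goal and a cycle test that shows why the graph must be a DAG before it can be used as a Bayesian network; the edge list is reconstructed from the node listing and is an assumption.

```python
from collections import defaultdict, deque

# Constructed from the slide's graph (same ids); LEAF = precondition fact, AND = rule, OR = derived fact.
NODES = {
    17: ("LEAF", "hacl(internet,webServer,tcp,80)"),
    18: ("LEAF", "attackerLocated(internet)"),
    20: ("LEAF", "vulExists(webServer,'CAN-2002-0392',httpd,remoteExploit,privEscalation)"),
    16: ("AND", "RULE 6 (direct network access)"),
    15: ("OR", "netAccess(webServer,tcp,80)"),
    14: ("AND", "RULE 2 (remote exploit of a server program)"),
    13: ("OR", "execCode(webServer,apache)"),
}
EDGES = [(17, 16), (18, 16), (16, 15), (15, 14), (20, 14), (14, 13)]  # precondition -> consequence

def reachable(nodes, edges, true_leaves):
    """Ids the attacker can reach: AND needs every parent reached, OR needs at least one."""
    parents = defaultdict(list)
    for src, dst in edges:
        parents[dst].append(src)
    reached = {n for n in true_leaves if nodes[n][0] == "LEAF"}
    changed = True
    while changed:  # least fixed point; terminates because reached only grows
        changed = False
        for n, (kind, _) in nodes.items():
            if n in reached or kind == "LEAF":
                continue
            check = all if kind == "AND" else any
            if check(p in reached for p in parents[n]):
                reached.add(n)
                changed = True
    return reached

def has_cycle(nodes, edges):
    """Kahn's algorithm: True if some node never reaches in-degree 0, i.e. the graph is not a DAG."""
    indeg = {n: 0 for n in nodes}
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
        indeg[dst] += 1
    queue = deque(n for n, d in indeg.items() if d == 0)
    removed = 0
    while queue:
        n = queue.popleft()
        removed += 1
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                queue.append(m)
    return removed != len(nodes)
```

Removing the leaf attackerLocated(internet) from the true set leaves execCode unreachable, and adding an edge from execCode back to netAccess (code execution granting network access) makes the graph cyclic.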
Petri nets (background for attack nets)
A Petri net is a set N = (T, P, F, M_0), where T is a finite set of symbols called transitions, P is a finite set of symbols called places, P ∩ T = ∅, F is an incidence function F: (T × P) ∪ (P × T) → {0, 1}, and M_0 is an initial marking M_0: P → {0, 1, ...}.
Informally, a Petri net is a labelled oriented graph with vertex set T ∪ P. From a place-vertex p ∈ P, represented by a circle, there runs an arc to a transition-vertex t ∈ T, represented by a rectangle, if and only if F(p, t) = 1 (p is an input place for t; in the figure P = {p1, p2, p3}, T = {a, b, c, d}). From a transition-vertex t there runs an arc to the place-vertex p if and only if F(t, p) = 1 (p is an output place for t). A place p can be marked with a marking M_0(p) ≠ 0, which is frequently represented by a corresponding number of tokens.
The dynamics of the modelled system is described in terms of the functioning of the Petri net. The net operates in discrete time by passing from marking to marking. Each marking is a function M: P → {0, 1, ...}; a change in the marking (beginning with M_0) is performed by a net transition. A transition t ∈ T can fire with marking M if for any p ∈ P, M(p) − F(p, t) ≥ 0, i.e. if each input place of t has at least one token. The firing of t given M replaces the latter by M' in accordance with the following rule: for any p ∈ P, M'(p) = M(p) − F(p, t) + F(t, p), i.e. t removes a token from each input place and adds a token to each output place. If several transitions can fire, some one of them fires. The net halts if at some marking (a deadlock marking) none of the transitions can fire. For a given initial marking, a Petri net can generate, by virtue of its indeterminate operation, various sets of firing sequences. These form words over the alphabet T, and the set of all words generated by the Petri net is called its language. Two Petri nets are equivalent if they generate the same language.
Research on Petri nets is conducted along two lines. The mathematical theory is advanced by a formal analysis of their properties: recognizing deadlock situations, recognizing equivalence of nets from the languages they generate, evaluating the complexity of nets, and comparing the expressive power of various subclasses of Petri nets and their extensions. The deadlock problem is solvable, and the class of languages generated by Petri nets is strictly contained in the class of recursively enumerable languages, strictly includes the class of regular languages, and partially intersects the class of context-free languages. The second line is the use of Petri nets as the basis of models for discrete dynamical systems in information technology, economics, digital engineering, etc. In contrast to finite automata, which describe global changes in the state of a system, Petri nets concentrate on local events (transitions), local conditions (places), and local links between events and conditions; distributed asynchronous systems are therefore simulated more adequately in terms of Petri nets than of automata.
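Added example (constructed, not from the slides): the firing rule M'(p) = M(p) − F(p, t) + F(t, p) and the deadlock condition from the Petri net definition above, applied to a small attack-net-style net in which a single token marks the attacker's position; the place and transition names are assumptions.

```python
# F(p, t) is stored as PRE[t][p] and F(t, p) as POST[t][p]; a missing entry means 0.

def enabled(marking, pre, t):
    """t can fire under M iff M(p) - F(p, t) >= 0 for every place p."""
    return all(marking[p] - pre.get(t, {}).get(p, 0) >= 0 for p in marking)

def fire(marking, pre, post, t):
    """Return M' with M'(p) = M(p) - F(p, t) + F(t, p); M itself is left unchanged."""
    if not enabled(marking, pre, t):
        raise ValueError(f"transition {t!r} is not enabled")
    return {p: marking[p] - pre.get(t, {}).get(p, 0) + post.get(t, {}).get(p, 0)
            for p in marking}

def is_deadlock(marking, pre):
    """Deadlock marking: none of the transitions can fire."""
    return not any(enabled(marking, pre, t) for t in pre)

def run(marking, pre, post, word):
    """Fire a word over T in order and return the final marking."""
    for t in word:
        marking = fire(marking, pre, post, t)
    return marking

# Constructed net (names are assumptions): transition a = gain network access,
# b = exploit the server. One token stands for the attacker, so after firing a
# the 'internet' place is empty: the attacker is in one place at a time.
PRE = {"a": {"internet": 1}, "b": {"webServer_net": 1}}
POST = {"a": {"webServer_net": 1}, "b": {"webServer_code": 1}}
M0 = {"internet": 1, "webServer_net": 0, "webServer_code": 0}

if __name__ == "__main__":
    m = run(M0, PRE, POST, "ab")
    print(m, "deadlock" if is_deadlock(m, PRE) else "live")
```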