Optimal Defense Policies for Partially Observable Spreading Processes on Bayesian Attack Graphs

Erik Miehling, Mohammad Rasouli, Demosthenis Teneketzis
University of Michigan - Ann Arbor
Second ACM Workshop on Moving Target Defense (MTD 2015)


  1. Optimal Defense Policies for Partially Observable Spreading Processes on Bayesian Attack Graphs. Erik Miehling, Mohammad Rasouli, Demosthenis Teneketzis. University of Michigan - Ann Arbor. Second ACM Workshop on Moving Target Defense (MTD 2015), Denver, Colorado, October 12-15, 2015.

  2. Motivation ❖ Modern systems are becoming increasingly connected to improve operational efficiency and flexibility ❖ This convenience comes at the cost of introducing many vulnerabilities ❖ Factors from information security (the CIA triad): Confidentiality (C) — ensuring data does not get into the wrong hands; Integrity (I) — maintaining the accuracy/trustworthiness of information; Availability (A) — ensuring that data is always available to trusted users ❖ Factors from MTD: Reactiveness — respond to observed changes in the system condition; Predictiveness — forecast, and prepare for, where the system will be in the future

  3. The Conflict Environment ❖ We consider a dynamic setting where a network is continually being subjected to attacks, with the objective of compromising some target resources through exploits. ❖ The defender can control services in the network to prevent the attacker from reaching the target resources. ❖ Philosophy: an automated approach to defending the network. ❖ Defense actions are observation-driven.

  4. Contribution ❖ Contribution: We introduce a formal model which allows us to study dependencies between vulnerabilities in a system and to define (and compute) optimal defense policies. ❖ Aspects of our defense model: ❖ Progressive attacks — recent exploits build upon previous exploits, progressively degrading the system ❖ Dynamic defense — the defender chooses the best action based on new information ❖ Partial knowledge — the defender is uncertain about the security of the network at any given time ❖ The model is both reactive and predictive.

  5. Attack Graphs ❖ It is insufficient to look at single vulnerabilities when protecting a network ❖ Attackers combine vulnerabilities to penetrate the network ❖ Attack graphs model how multiple vulnerabilities can be combined and exploited by an attacker ❖ They explicitly take into account the paths the attacker can take to reach the critical exploitation ❖ Tools such as CAULDRON* can be used to generate attack graphs (*Jajodia et al. 2010-11)

  6. Bayesian Attack Graphs ❖ A Bayesian attack graph is a tuple G = {N, θ, E, P}. ❖ Nodes, N, represent attributes, including leaf nodes N_L ⊆ N and critical (root) nodes N_C ⊆ N_R ⊆ N. ❖ Types, θ: AND attributes N_∧ ⊆ N \ N_L and OR attributes N_∨ ⊆ N \ N_L. ❖ Edges, E = {(i, j) : i, j ∈ N}, represent exploits. ❖ Probabilities, P = (α_ij)_{(i,j) ∈ E}, are the exploit probabilities. ❖ In the example graph: N_L = {1, 5, 7, 8, 11, 12, 16, 17, 20}; N_C = {9, 14} ⊆ N_R = {2, 9, 14, 18}; N_∧ = {2, 3, 6, 9, 10, 13, 18, 19}; N_∨ = {4, 14, 15}; E = {(1, 2), (1, 3), . . . , (20, 19)}; P = {α_{1,2}, α_{1,3}, . . . , α_{20,19}}.
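The graph components above can be held in plain Python containers; a minimal sketch using the node sets from this slide (only three example edges are listed, and their α values are made-up placeholders since the slide does not give them):

```python
# Minimal sketch of a Bayesian attack graph G = {N, theta, E, P} as plain
# Python containers, using the node sets from the example on this slide.

N = set(range(1, 21))                          # attributes (nodes)
N_L = {1, 5, 7, 8, 11, 12, 16, 17, 20}         # leaf attributes
N_AND = {2, 3, 6, 9, 10, 13, 18, 19}           # AND attributes
N_OR = {4, 14, 15}                             # OR attributes
N_C = {9, 14}                                  # critical (root) attributes

# Exploits as (i, j) edges with exploit probabilities alpha_ij.
# Only three of the slide's edges are shown; probabilities are placeholders.
alpha = {(1, 2): 0.8, (1, 3): 0.6, (20, 19): 0.5}
E = set(alpha)

def direct_predecessors(j):
    """Direct predecessors of attribute j: nodes i with an exploit (i, j)."""
    return {i for (i, k) in E if k == j}
```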

  7. Spreading Process ❖ The attacker's behavior is assumed to follow a probabilistic spreading process. ❖ Each attribute (node) i ∈ N can be in one of two states: X_i^t = 0 (disabled) or X_i^t = 1 (enabled). ❖ Contagion seed and spread, at each time t: 1. Each leaf attribute i ∈ N_L is enabled with probability α_i ∈ [0, 1], reflecting public knowledge of the vulnerability. 2. The contagion spreads according to the predecessor rules, where α_ij is the probability that exploit (i, j) will be discovered/taken by the attacker.

  8. Spreading Process — Predecessor Rules ❖ The type of the attribute dictates the nature of the spreading process. ❖ For AND attributes, e.g. node l, with D̄_l the set of direct predecessors of l: P(X_l^{t+1} = 1 | X_l^t = 0, X^t) = ∏_{p ∈ D̄_l} α_pl if ∧_{p ∈ D̄_l} X_p^t = 1, and 0 otherwise.

  9. Spreading Process — Predecessor Rules (continued) ❖ For OR attributes, e.g. node k, with D̄_k the set of direct predecessors of k: P(X_k^{t+1} = 1 | X_k^t = 0, X^t) = 1 − ∏_{p ∈ D̄_k} (1 − α_pk) if ∨_{p ∈ D̄_k} X_p^t = 1, and 0 otherwise.
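The two predecessor rules can be sketched as a single simulation step. Function and variable names here are my own, and the OR rule follows the slide's formula literally (the product runs over all direct predecessors):

```python
import random

def spread_step(x, alpha, preds, node_type, rng=random):
    """One step of the spreading process under the predecessor rules:
    an AND node l turns on w.p. prod_{p in D_l} alpha_pl when all of its
    direct predecessors are enabled; an OR node k turns on w.p.
    1 - prod_{p in D_k} (1 - alpha_pk) when at least one is enabled."""
    nxt = dict(x)
    for l in x:
        if x[l] == 1 or not preds[l]:
            continue  # enabled states are absorbing; leaf seeding is separate
        D = preds[l]
        if node_type[l] == "AND":
            p_on = 1.0 if all(x[p] == 1 for p in D) else 0.0
            for p in D:
                p_on *= alpha[(p, l)]
        else:  # OR attribute
            p_on = 0.0
            if any(x[p] == 1 for p in D):
                q = 1.0
                for p in D:
                    q *= 1.0 - alpha[(p, l)]
                p_on = 1.0 - q
        if rng.random() < p_on:
            nxt[l] = 1
    return nxt
```

With all α set to 1 the step is deterministic, which makes the AND/OR distinction easy to check by hand.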

  10. Defender's Observations ❖ The defender only partially observes this process: each enabled attribute i is detected with probability β_i = P(Y_i^t = 1 | X_i^t = 1). ❖ Rationale: the defender may not know the full capability of the attacker at any given time. ❖ Assumption: No false positives can occur, i.e. P(Y_i^t = 1 | X_i^t = 0) = 0. ❖ At any time a node is thus disabled, enabled & undetected, or enabled & detected; the defender observes Y^t ∈ {0, 1}^N, the subset of enabled nodes that have been detected at each time-step.
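Under this detection model, sampling an observation Y^t is straightforward; a sketch (names are illustrative):

```python
import random

def observe(x, beta, rng=random):
    """Sample the defender's observation Y^t: an enabled attribute i is
    detected with probability beta_i; a disabled attribute is never
    reported (the no-false-positive assumption)."""
    return {i: 1 if (xi == 1 and rng.random() < beta[i]) else 0
            for i, xi in x.items()}
```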

  11. Defender's Countermeasures ❖ The defender uses network services as countermeasures ❖ The existence of exploits depends on services, for example: Secure Shell (SSH), File Transfer Protocol (FTP), port scanning, etc. ❖ The defender can thus temporarily block or disable these services to stop the attacker from progressing through the network

  12. Defender's Countermeasures ❖ Suppose there is a set of M services, {u_1, . . . , u_M}. ❖ Taking action u_m corresponds to disabling service m. ❖ Disabling u_m disables a subset W_{u_m} of the nodes: X_i = 0 for i ∈ W_{u_m}. ❖ The action at time t is u_t ∈ U = ℘({u_1, . . . , u_M}), the power set of services. ❖ Examples on the graph: W_{u_1} = {1}, W_{u_2} = {5, 17}, W_{u_3} = {13}. ❖ Assumption: All leaf nodes are covered by at least one service.
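Applying a chosen subset of services then just zeroes out the covered attributes; a sketch using the W_{u_m} sets described above (names are mine):

```python
def apply_action(x, u, W):
    """Force X_i = 0 for every attribute i covered by a blocked service.
    u is a subset of services; W maps each service to the node set W_u
    that it disables."""
    disabled = set().union(*(W[m] for m in u)) if u else set()
    return {i: 0 if i in disabled else xi for i, xi in x.items()}
```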

  16. Cost Function ❖ C(x, u) is the cost of taking action u ∈ U in state x ∈ X. ❖ Confidentiality & integrity factor: if state x is less compromised than state x̂, then C(x, ·) < C(x̂, ·). ❖ Availability factor: if action û has a higher negative impact on availability than action u, then C(·, u) < C(·, û).
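One simple cost that satisfies both properties is additive: a per-node compromise cost plus a per-service availability cost. The additive form and all names here are assumptions for illustration, not the paper's definition:

```python
def cost(x, u, node_cost, service_cost):
    """Illustrative additive cost C(x, u): enabling more (or costlier)
    attributes raises the confidentiality/integrity term, and blocking
    more impactful services raises the availability term, matching both
    monotonicity properties on the slide."""
    return (sum(node_cost[i] for i, xi in x.items() if xi == 1)
            + sum(service_cost[m] for m in u))
```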

  17. Monotone States ❖ Assumption: The only feasible states are monotone. (Figure: example monotone states under a general topology.) ❖ Simplifying assumption: The attack graph only contains AND nodes. (Figure: example monotone states under an AND topology.)
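Reading the slide's figure as: a state is monotone when every enabled attribute has all of its direct predecessors enabled (a natural reading for AND-only graphs; this interpretation is mine). Under that reading the feasible state space can be enumerated and is much smaller than the 2^|N| arbitrary states; a brute-force sketch:

```python
from itertools import product

def is_monotone(x, preds):
    """True if every enabled attribute has all direct predecessors enabled."""
    return all(all(x[p] == 1 for p in preds[i])
               for i, xi in x.items() if xi == 1)

def monotone_states(nodes, preds):
    """Enumerate monotone states by brute force (fine for small graphs)."""
    return [dict(zip(nodes, bits))
            for bits in product((0, 1), repeat=len(nodes))
            if is_monotone(dict(zip(nodes, bits)), preds)]
```

For a three-node chain 1 → 2 → 3 this yields 4 monotone states instead of 8.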

  18. Defender's Information States ❖ Define the history up to time t as H_t = (π_0, U_1, Y_1, U_2, Y_2, . . . , U_{t−1}, Y_t). ❖ We capture H_t by an information state Π_t = (Π_t^1, . . . , Π_t^K) ∈ Δ(X), where Π_t^i = P(X_t = x^i | H_t) and X = {x^1, x^2, . . . , x^K} is the space of monotone states. ❖ The information state obeys the update rule T : Δ(X) × Y × U → Δ(X), π_{t+1} = T(π_t, y_{t+1}, u_t).
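The update rule T is a standard Bayes filter over the monotone-state space: predict through the controlled transition kernel, then condition on the observation. A sketch with matrix inputs; the kernel and likelihoods are assumed to be supplied by the model:

```python
def belief_update(pi, y, u, P_trans, P_obs):
    """Bayes-filter sketch of pi_{t+1} = T(pi_t, y_{t+1}, u_t).
    P_trans[u][i][j] = P(x^j at t+1 | x^i at t, action u)
    P_obs[j][y]      = P(observation y | state x^j)"""
    K = len(pi)
    # Predict through the dynamics, then weight by observation likelihood.
    post = [P_obs[j][y] * sum(pi[i] * P_trans[u][i][j] for i in range(K))
            for j in range(K)]
    z = sum(post)
    return [p / z for p in post] if z > 0 else list(pi)
```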

  19. Defender's Optimization Problem ❖ Choose a control policy g : Δ(X) → U, g ∈ G, that solves min_{g ∈ G} E^g [ Σ_{t=0}^{∞} ρ^t C(Π_t, U_t) | Π_0 = π_0 ] subject to U_t = g(Π_t) and Π_{t+1} = T(Π_t, Y_{t+1}, U_t). ❖ The above is a Partially Observable Markov Decision Process (POMDP).

  20. Dynamic Programming Solution ❖ The optimal policy g* achieves the minimum expected discounted total cost. ❖ The Bellman equation for the corresponding value function V* is V*(π) = min_{u ∈ U} { C(π, u) + ρ Σ_{y ∈ Y} P_y^{π,u} V*(T(π, y, u)) } for all π ∈ Δ(X). ❖ The dimensionality of the summation term is greatly reduced due to the monotonicity assumption.
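One Bellman backup at a single belief point can be written directly from this equation; C, T, the observation likelihood P_y, and the value approximation V are caller-supplied, and the discount ρ is an illustrative default:

```python
def bellman_backup(pi, actions, obs_space, C, T, P_y, V, rho=0.95):
    """Evaluate min_u [ C(pi, u) + rho * sum_y P(y | pi, u) * V(T(pi, y, u)) ]
    at belief pi, i.e. one application of the Bellman operator."""
    return min(
        C(pi, u) + rho * sum(P_y(y, pi, u) * V(T(pi, y, u)) for y in obs_space)
        for u in actions
    )
```

Iterating this backup over a set of belief points (with V interpolated between them) gives a standard grid-based value-iteration scheme for the POMDP.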
