Probabilistic reasoning with graphical security models Barbara - PowerPoint PPT Presentation

Probabilistic reasoning with graphical security models Barbara Kordy Clermont-Ferrand, January 7, 2016 Digital Confidence seminar

Joint work Prof. Dr. Marc Pouly Lucerne University of Applied Sciences and Arts Dr. Patrick Schweitzer University of Luxembourg Barbara Kordy 2

Probabilistic assessment of security scenarios dependency model security model Bayesian network ADTree probabilistic assessment of attack–defense scenarios with dependencies Barbara Kordy 3

Outline Attack–defense Trees 1 Probabilistic evaluation 2 Efficiency considerations 3 Wrap Up 4 Barbara Kordy 4

Attack–defense Trees Modeling security scenarios Attack–defense tree (ADTree) [JLC’14] Tree-like representation of an attack–defense scenario depicting: How to attack a system How to protect against an attack Extend the industrially recognized model of attack trees [Schneier’99] Integrate Intuitive representation features [IJSSE’12, ICISC’12] Formal analysis techniques [GameSec’10, SIIS’11, JLC’14] Software application ADTool [QEST’13] Barbara Kordy 5

Attack–defense Trees Example: ADTree for infecting a computer infect computer virus on system execute virus e-mail with attachment USB stick antivirus install antivirus run antivirus fake antivirus Barbara Kordy 6

Attack–defense Trees Propositional semantics for ADTrees [SIIS’11] B – the set of non-refined nodes of ADTree t x ∈ { 0 , 1 } B encodes whether actions from B succeed or not Action A ∈ B succeeds if x ( A ) = 1 Action A ∈ B does not succeed if x ( A ) = 0 Boolean function f t for t f t : { 0 , 1 } B → { 0 , 1 } associates a Boolean value f t ( x ) ∈ { 0 , 1 } with each vector x ∈ { 0 , 1 } B x is called an attack vector if f t ( x ) = 1 Barbara Kordy 7

Attack–defense Trees ADTrees as Boolean functions Domain of f t is composed of the non-refined nodes of t Non-refined OR AND Countermeasure t' t t A t'' t' t'' t' t'' f t ( A ) = A f t = f t ′ ∨ f t ′′ f t = f t ′ ∧ f t ′′ f t = f t ′ ∧ ¬ f t ′′ Barbara Kordy 8

Attack–defense Trees Example: Boolean function for infecting a computer infect computer virus on system execute virus e-mail with attachment USB stick antivirus install antivirus run antivirus fake antivirus � �� � f t = ( X EA ∨ X US ) ∧ ¬ X IA ∧ ( X RA ∧ ¬ X FA ) ∧ X EV Barbara Kordy 9

Attack–defense Trees Example: attack vector infect computer true virus on system execute virus true true e-mail with attachment USB stick antivirus true false false install antivirus run antivirus true false fake antivirus false � �� � f t = ( X EA ∨ X US ) ∧ ¬ X IA ∧ ( X RA ∧ ¬ X FA ) ∧ X EV attack vector 1 0 1 0 0 1 Barbara Kordy 10

Attack–defense Trees Importance of probabilities Knowing the probabilities of particular attacks allow us to Identify the most vulnerable components Determine the strategic points Decide which protective measures to implement Barbara Kordy 11

Attack–defense Trees Bottom-up evaluation of probability on ADTrees [ICISC’12] Probability of a Probability of a Probability of a disjunctive subtree conjunctive subtree countered subtree attack attack x x y x y y Barbara Kordy 12

Attack–defense Trees Bottom-up evaluation of probability on ADTrees [ICISC’12] Probability of a Probability of a Probability of a disjunctive subtree conjunctive subtree countered subtree attack attack x x y x y y x + y − xy Barbara Kordy 12

Attack–defense Trees Bottom-up evaluation of probability on ADTrees [ICISC’12] Probability of a Probability of a Probability of a disjunctive subtree conjunctive subtree countered subtree attack attack x x y x y y xy x + y − xy Barbara Kordy 12

Attack–defense Trees Bottom-up evaluation of probability on ADTrees [ICISC’12] Probability of a Probability of a Probability of a disjunctive subtree conjunctive subtree countered subtree attack attack x x y x y y xy x + y − xy x ( 1 − y ) Barbara Kordy 12

Attack–defense Trees Bottom-up evaluation of probability on ADTrees [ICISC’12] Probability of a Probability of a Probability of a disjunctive subtree conjunctive subtree countered subtree attack attack x x y x y y xy x + y − xy x ( 1 − y ) Similarly for subtrees rooted in a defense node Barbara Kordy 12

Attack–defense Trees Example: probability for infecting a computer infect computer 0.669375 virus on system execute virus 0.74375 0.9 e-mail with attachment USB stick antivirus 0.5 0.75 0.15000000000000002 install antivirus run antivirus 0.8 0.25 fake antivirus 0.25 Barbara Kordy 13

Attack–defense Trees Limitations The bottom-up procedure does not take dependencies between actions into account. However, in practice Installing and running an antivirus Distributing and executing a virus are not independent actions . Thus, the standard bottom-up evaluation is not suitable for probabilistic assessment of attack–defense trees. Barbara Kordy 14

Attack–defense Trees Challenges 1 How to design the appropriate formalism ? 2 How to ensure that calculations reflect the reality ? 3 How to guarantee the efficiency of the evaluation? Barbara Kordy 15

Probabilistic evaluation Proposed Framework [INS’16] security model ADTree

Probabilistic evaluation Proposed Framework [INS’16] dependency model security model Bayesian network ADTree

Probabilistic evaluation Proposed Framework [INS’16] dependency model security model Bayesian network ADTree probabilistic assessment of attack–defense scenarios with dependencies Barbara Kordy 16

Probabilistic evaluation Modeling probability of dependent actions Bayesian network A directed, acyclic graph that reflects the conditional interdependencies between variables associated with the nodes of the network Dependent variables Conditional probability table for Y p ( Y = 1 | X = 1 ) = 0 . 7 p ( Y = 1 | X = 0 ) = 0 . 2 X Y p ( Y = 0 | X = 1 ) = 0 . 3 p ( Y = 0 | X = 0 ) = 0 . 8 Barbara Kordy 17

Probabilistic evaluation Constructing Bayesian network BN t for ADTree t From an ADTree – ADTree t B – set of all non-refined nodes of t To a Bayesian network Elements of B are nodes of the Bayesian network BN t Relations between actions are depicted by edges in BN t Conditional probability tables quantify dependencies between actions Barbara Kordy 18

Probabilistic evaluation Example: BN t for infecting a computer ADTree p ( X EA = 1 | X FA = 1 ) = 0 . 9 p ( X EA = 1 | X FA = 0 ) = 0 . 5 e-mail with attachment fake antivirus execute virus p ( X FA = 1 ) = 0 . 3 p ( X EV = 1 | X EA = 1 , X US = 1 ) = 0 . 9 USB stick p ( X EV = 1 | X EA = 1 , X US = 0 ) = 0 . 2 p ( X US = 1 | X FA = 1 ) = 0 . 4 p ( X EV = 1 | X EA = 0 , X US = 1 ) = 0 . 8 p ( X US = 1 | X FA = 0 ) = 0 . 5 p ( X EV = 1 | X EA = 0 , X US = 0 ) = 0 . 1 install antivirus run antivirus p ( X IA = 1 ) = 0 . 6 p ( X RA = 1 | X IA = 1 ) = 0 . 9 p ( X RA = 1 | X IA = 0 ) = 0 . 0 Barbara Kordy 19

Probabilistic evaluation Joint probability distribution for network BN t e-mail with attachment fake antivirus execute virus USB stick install antivirus run antivirus p ( X EA , X US , X IA , X RA , X FA , X EV ) = p ( X EV | X EA , X US ) × p ( X EA | X FA ) × p ( X US | X FA ) × p ( X FA ) × p ( X RA | X IA ) × p ( X IA ) Barbara Kordy 20

Probabilistic evaluation Propositional semantics using algebraic operations Non-refined OR AND Countermeasure t' t t A t'' t' t'' t' t'' f t ( A ) = A f t = f t ′ ∨ f t ′′ f t = f t ′ ∧ f t ′′ f t = f t ′ ∧ ¬ f t ′′ Barbara Kordy 21

Probabilistic evaluation Propositional semantics using algebraic operations Non-refined OR AND Countermeasure t' t t A t'' t' t'' t' t'' f t ( A ) = A f t = f t ′ ∨ f t ′′ f t = f t ′ ∧ f t ′′ f t = f t ′ ∧ ¬ f t ′′ max { f t ′ , f t ′′ } f t ′ × f t ′′ f t ′ × ( 1 − f t ′′ ) id A Barbara Kordy 21

Probabilistic evaluation Probability computation x ∈ { 0 , 1 } B – vector of successful/unsuccessful actions Probability of attack vector x f t ( x ) × p ( x ) Probability related to ADTree t � P ( t ) = f t ( x ) × p ( x ) x ∈{ 0 , 1 } B Probability of the most probable attack vector P max ( t ) = x ∈{ 0 , 1 } B f t ( x ) × p ( x ) max Barbara Kordy 22

Probabilistic evaluation Compatibility results Theorem Probability computations on propositionally equivalent ADTrees yield the same result. Observation For ADTree t without dependent actions, P ( t ) coincides with the result of the bottom-up computation. Barbara Kordy 23

Efficiency considerations Efficiency problems � P ( t ) = f t ( x ) × p ( x ) P max ( t ) = x ∈{ 0 , 1 } B f t ( x ) × p ( x ) max x ∈{ 0 , 1 } B The number of configurations x grows exponentially with the number of involved actions. For large systems, it is therefore not feasible to Enumerate all the values of f t Enumerate all the values of the joint probability distribution for BN t Barbara Kordy 24

Efficiency considerations dependency model security model Bayesian network ADTree probabilistic assessment of attack–defense scenarios with dependencies