Probabilistic reasoning with graphical security models



  1. Probabilistic reasoning with graphical security models. Barbara Kordy. Clermont-Ferrand, January 7, 2016. Digital Confidence seminar.

  2. Joint work: Prof. Dr. Marc Pouly (Lucerne University of Applied Sciences and Arts); Dr. Patrick Schweitzer (University of Luxembourg).

  3. Probabilistic assessment of security scenarios. [Diagram: security model (ADTree) combined with dependency model (Bayesian network), yielding probabilistic assessment of attack–defense scenarios with dependencies.]

  4. Outline: (1) Attack–defense Trees; (2) Probabilistic evaluation; (3) Efficiency considerations; (4) Wrap Up.

  5. Attack–defense Trees. Modeling security scenarios. Attack–defense tree (ADTree) [JLC’14]: tree-like representation of an attack–defense scenario depicting how to attack a system and how to protect against an attack. ADTrees extend the industrially recognized model of attack trees [Schneier’99] and integrate: intuitive representation features [IJSSE’12, ICISC’12]; formal analysis techniques [GameSec’10, SIIS’11, JLC’14]; software application ADTool [QEST’13].

  6. Attack–defense Trees. Example: ADTree for infecting a computer. [Figure: ADTree with nodes: infect computer; virus on system; execute virus; e-mail with attachment; USB stick; antivirus; install antivirus; run antivirus; fake antivirus.]

  7. Attack–defense Trees. Propositional semantics for ADTrees [SIIS’11]. $B$ – the set of non-refined nodes of ADTree $t$. $x \in \{0,1\}^{B}$ encodes whether actions from $B$ succeed or not: action $A \in B$ succeeds if $x(A) = 1$; action $A \in B$ does not succeed if $x(A) = 0$. Boolean function $f_t$ for $t$: $f_t : \{0,1\}^{B} \to \{0,1\}$ associates a Boolean value $f_t(x) \in \{0,1\}$ with each vector $x \in \{0,1\}^{B}$. $x$ is called an attack vector if $f_t(x) = 1$.

  8. Attack–defense Trees. ADTrees as Boolean functions. Domain of $f_t$ is composed of the non-refined nodes of $t$. Non-refined node $A$: $f_t(A) = A$. OR of $t'$ and $t''$: $f_t = f_{t'} \lor f_{t''}$. AND of $t'$ and $t''$: $f_t = f_{t'} \land f_{t''}$. Countermeasure $t''$ against $t'$: $f_t = f_{t'} \land \lnot f_{t''}$.

  9. Attack–defense Trees. Example: Boolean function for infecting a computer. [Figure: ADTree for infecting a computer, as on slide 6.] $f_t = \big( (X_{EA} \lor X_{US}) \land \lnot \big( X_{IA} \land (X_{RA} \land \lnot X_{FA}) \big) \big) \land X_{EV}$

  10. Attack–defense Trees. Example: attack vector. [Figure: ADTree annotated with truth values: infect computer true; virus on system true; execute virus true; e-mail with attachment true; USB stick false; antivirus false; install antivirus true; run antivirus false; fake antivirus false.] $f_t = \big( (X_{EA} \lor X_{US}) \land \lnot \big( X_{IA} \land (X_{RA} \land \lnot X_{FA}) \big) \big) \land X_{EV}$; attack vector: 1 0 1 0 0 1.

  11. Attack–defense Trees. Importance of probabilities. Knowing the probabilities of particular attacks allows us to: identify the most vulnerable components; determine the strategic points; decide which protective measures to implement.

  16. Attack–defense Trees. Bottom-up evaluation of probability on ADTrees [ICISC’12]. For subtrees with probabilities $x$ and $y$: probability of a disjunctive subtree: $x + y - xy$; probability of a conjunctive subtree: $xy$; probability of a countered subtree: $x(1 - y)$. Similarly for subtrees rooted in a defense node.

  17. Attack–defense Trees. Example: probability for infecting a computer. [Figure: ADTree annotated with probabilities: infect computer 0.669375; virus on system 0.74375; execute virus 0.9; e-mail with attachment 0.5; USB stick 0.75; antivirus 0.15000000000000002; install antivirus 0.8; run antivirus 0.25; fake antivirus 0.25.]

  18. Attack–defense Trees. Limitations. The bottom-up procedure does not take dependencies between actions into account. However, in practice, installing and running an antivirus, and distributing and executing a virus, are not independent actions. Thus, the standard bottom-up evaluation is not suitable for probabilistic assessment of attack–defense trees.

  19. Attack–defense Trees. Challenges: (1) How to design the appropriate formalism? (2) How to ensure that calculations reflect the reality? (3) How to guarantee the efficiency of the evaluation?

  22. Probabilistic evaluation. Proposed Framework [INS’16]. [Diagram: security model (ADTree) combined with dependency model (Bayesian network), yielding probabilistic assessment of attack–defense scenarios with dependencies.]

  23. Probabilistic evaluation. Modeling probability of dependent actions. Bayesian network: a directed, acyclic graph that reflects the conditional interdependencies between variables associated with the nodes of the network. Dependent variables: $X \to Y$. Conditional probability table for $Y$: $p(Y=1 \mid X=1) = 0.7$; $p(Y=1 \mid X=0) = 0.2$; $p(Y=0 \mid X=1) = 0.3$; $p(Y=0 \mid X=0) = 0.8$.

  24. Probabilistic evaluation. Constructing Bayesian network $BN_t$ for ADTree $t$. From an ADTree: ADTree $t$; $B$ – set of all non-refined nodes of $t$. To a Bayesian network: elements of $B$ are nodes of the Bayesian network $BN_t$; relations between actions are depicted by edges in $BN_t$; conditional probability tables quantify dependencies between actions.

  25. Probabilistic evaluation. Example: $BN_t$ for infecting a computer ADTree. Fake antivirus: $p(X_{FA}=1) = 0.3$. E-mail with attachment: $p(X_{EA}=1 \mid X_{FA}=1) = 0.9$; $p(X_{EA}=1 \mid X_{FA}=0) = 0.5$. USB stick: $p(X_{US}=1 \mid X_{FA}=1) = 0.4$; $p(X_{US}=1 \mid X_{FA}=0) = 0.5$. Execute virus: $p(X_{EV}=1 \mid X_{EA}=1, X_{US}=1) = 0.9$; $p(X_{EV}=1 \mid X_{EA}=1, X_{US}=0) = 0.2$; $p(X_{EV}=1 \mid X_{EA}=0, X_{US}=1) = 0.8$; $p(X_{EV}=1 \mid X_{EA}=0, X_{US}=0) = 0.1$. Install antivirus: $p(X_{IA}=1) = 0.6$. Run antivirus: $p(X_{RA}=1 \mid X_{IA}=1) = 0.9$; $p(X_{RA}=1 \mid X_{IA}=0) = 0.0$.

  26. Probabilistic evaluation. Joint probability distribution for network $BN_t$. [Figure: $BN_t$ with nodes: e-mail with attachment; fake antivirus; execute virus; USB stick; install antivirus; run antivirus.] $p(X_{EA}, X_{US}, X_{IA}, X_{RA}, X_{FA}, X_{EV}) = p(X_{EV} \mid X_{EA}, X_{US}) \times p(X_{EA} \mid X_{FA}) \times p(X_{US} \mid X_{FA}) \times p(X_{FA}) \times p(X_{RA} \mid X_{IA}) \times p(X_{IA})$

  28. Probabilistic evaluation. Propositional semantics using algebraic operations. Non-refined node $A$: $f_t(A) = A$, as an algebraic operation $\mathrm{id}_A$. OR: $f_t = f_{t'} \lor f_{t''}$, as $\max\{f_{t'}, f_{t''}\}$. AND: $f_t = f_{t'} \land f_{t''}$, as $f_{t'} \times f_{t''}$. Countermeasure: $f_t = f_{t'} \land \lnot f_{t''}$, as $f_{t'} \times (1 - f_{t''})$.

  29. Probabilistic evaluation. Probability computation. $x \in \{0,1\}^{B}$ – vector of successful/unsuccessful actions. Probability of attack vector $x$: $f_t(x) \times p(x)$. Probability related to ADTree $t$: $P(t) = \sum_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$. Probability of the most probable attack vector: $P_{\max}(t) = \max_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$.

  30. Probabilistic evaluation. Compatibility results. Theorem: probability computations on propositionally equivalent ADTrees yield the same result. Observation: for ADTree $t$ without dependent actions, $P(t)$ coincides with the result of the bottom-up computation.

  31. Efficiency considerations. Efficiency problems. $P(t) = \sum_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$ and $P_{\max}(t) = \max_{x \in \{0,1\}^{B}} f_t(x) \times p(x)$. The number of configurations $x$ grows exponentially with the number of involved actions. For large systems, it is therefore not feasible to: enumerate all the values of $f_t$; enumerate all the values of the joint probability distribution for $BN_t$.
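
As an added example (not code from the presentation or from ADTool), the Python below evaluates the infect-computer ADTree bottom-up with independent probabilities, then computes $P(t)$ and $P_{\max}(t)$ by enumerating all $2^6$ vectors against the joint distribution of $BN_t$. The tree shape is read off the slide formula and the probabilities are those on the slides; the nested-tuple encoding and the function names are assumptions of this example.

```python
from itertools import product

# ADTree for "infect computer" as nested tuples (encoding is an assumption of this example).
TREE = ("and",
        ("counter", ("or", "EA", "US"),
                    ("and", "IA", ("counter", "RA", "FA"))),
        "EV")
LEAVES = ["EA", "US", "IA", "RA", "FA", "EV"]

def evaluate(t, val, disj):
    """Evaluate tree t bottom-up; disj is the operator applied at OR nodes."""
    if isinstance(t, str):
        return val[t]
    a, b = evaluate(t[1], val, disj), evaluate(t[2], val, disj)
    return {"or": disj(a, b), "and": a * b, "counter": a * (1 - b)}[t[0]]

def bottom_up(probs):
    """Independent-actions evaluation: OR nodes use x + y - xy."""
    return evaluate(TREE, probs, lambda x, y: x + y - x * y)

def f_t(x):
    """Boolean function of the tree on a 0/1 vector: OR nodes use max."""
    return evaluate(TREE, x, max)

def bern(p1, v):
    """p(V = v) for a binary variable with p(V = 1) = p1."""
    return p1 if v == 1 else 1 - p1

EA_FA, US_FA, RA_IA = {1: 0.9, 0: 0.5}, {1: 0.4, 0: 0.5}, {1: 0.9, 0: 0.0}
EV_EA_US = {(1, 1): 0.9, (1, 0): 0.2, (0, 1): 0.8, (0, 0): 0.1}

def joint(x):
    """Joint distribution of BN_t, factorised as on the slides."""
    return (bern(EV_EA_US[x["EA"], x["US"]], x["EV"]) * bern(EA_FA[x["FA"]], x["EA"])
            * bern(US_FA[x["FA"]], x["US"]) * bern(0.3, x["FA"])
            * bern(RA_IA[x["IA"]], x["RA"]) * bern(0.6, x["IA"]))

def assess(p):
    """Return (P(t), P_max(t), most probable attack vector) under distribution p."""
    xs = [dict(zip(LEAVES, bits)) for bits in product((0, 1), repeat=len(LEAVES))]
    weighted = [(f_t(x) * p(x), x) for x in xs]
    best = max(weighted, key=lambda w: w[0])
    return sum(w for w, _ in weighted), best[0], best[1]

if __name__ == "__main__":
    indep = {"EA": 0.5, "US": 0.75, "IA": 0.8, "RA": 0.25, "FA": 0.25, "EV": 0.9}
    print("bottom-up:", bottom_up(indep))
    print("P(t), P_max(t), argmax under BN_t:", assess(joint))
```

Passing a product of independent leaf probabilities to `assess` instead of `joint` reproduces the bottom-up value, which is the observation on the compatibility slide.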

  32. Efficiency considerations. [Diagram: security model (ADTree) combined with dependency model (Bayesian network), yielding probabilistic assessment of attack–defense scenarios with dependencies.]
