beyond attack trees: attack and defense modeling with bdmpcracking _alternatives. or....

Beyond attack trees:Attack and defense modeling with BDMP(Boolean logic Driven Markov Processes)

September 13th 2011SaToSS Seminar, Luxembourg

Ludovic Piètre-Cambacédès1

Marc Bouissou1,2

1EDF R&D, 2École Centrale Paris

Agenda

IntroductionGraphical attack modeling and relevance of BDMP

Attack and defense modeling with BDMPFormalism description

Theoretical basis and description

Examples & quantifications

Recent advancesEnhancements and complementary tools

Perspectives and on-going work

Conclusion and Q&A

1

Graphical representation of an attack processRed-team, risk analysis

Formalize reasoning

Share standpoints

Enhance coverage

Graphical modeling of computer attacks

An active field of researchDifferent trade-offs

Ease of appropriationReadabilityModeling powerQuantification capabilitiesScalability

(1999)

(1994)

(2000)

(1996)

2

BDMP, the potential for an attractive trade-off

Interest proven in reliability and safety engineering

⇒ Adaptation to attack modeling

Dynamic

Readable

Tractable

Invented and used at EDF (NPP safety,substations, data centers reliability,…)

Complete theory and software framework

3

In a nutshell…The look of a classical attack tree

Objective = top event

Logical gates AND, OR, etc.

Triggers {T }

Leaves under two modes« Idle » and « Active »

Triggered Markov processes

Interest of BDMP in securityDynamical (> attack trees)

Readable (close to attack trees)

BDMP – Application to attack modeling

Social engineering

Wardialing

RAS ownership

Vulnerability identification

Logged into the RAS

Brute force Vulnerability exploitation

AND

OR

OR AND

RAS access granted

Vulnerability found and exploitedAuthentication by password

4

RAS attack BDMP – A simple use-case

Social engineering

Wardialing

RAS ownership


Logged into the RAS


AND

OR

OR AND

RAS access granted


5

RAS attack BDMP – Step 0 (attack just started)

Social engineering

Wardialing

RAS ownership


Logged into the RAS


AND

OR

OR AND

Logged into the RAS


6

RAS attack BDMP – Step 1

Social engineering

Wardialing

RAS ownership


Logged into the RAS

Vulnerability exploitation

AND

OR

OR AND

Logged into the RAS


Brute force

7


Social engineering

RAS ownership


Logged into the RAS


AND

OR

OR AND

RAS access granted


Wardialing

7


Social engineering

RAS ownership

Logged into the RAS


AND

OR

OR AND

RAS access granted


Wardialing


8


Social engineering

RAS ownership

Logged into the RAS


AND

OR

OR AND

RAS access granted


Wardialing


9

RAS attack BDMP – Attacker’s objective reached

Social engineering

RAS ownership

Logged into the RAS

Brute force

AND

OR

OR AND

RAS access granted


Vulnerability exploitation


Wardialing

10

BDMP for attack modeling – Types of leaves

Attack scenarios ⇒ 3 kinds of security leavesModeling of attacker’s actions

AA (Attacker Action) leaves, timed leaves (1/ λ = MTTS)

Modeling of security eventsTSE (Timed Security Event) leaves, timed as well

ISE (Instantaneous Security Event) leaves, instantaneous (γ)ISE!

TSE

Attachement execution by the target

ISE!

Successful payload execution

Email preparation and sending

AND

Remote_installationAttack by malicious attachement

Successful attack

TSE

11

Triggered Markov processes (e.g., AA leaf without detection)

Leaf specifications for AA, ISE and TSE

Detection and reaction modelingFour types (IOFA): Initial, On-going, Final, A posteriori

Three modes instead of two

Idle, Active Detected, and Active Undetected

BDMP for attack modeling – Going deeper

Potential Success On-going SuccessλP ⇄ O (with Pr = 1)

S ⇄ S (with Pr = 1)

Idle Mode Active Mode← Transfer →

12

Detections/reactions for AA leaves

Idle Mode Active Undetected Mode

Active Detected Mode Transfer functions

PotentialUndetected

Success Undetected

SuccessDetected

PotentialDetected

λS/ND

λD(O)

Success Undetected

1 - γD(F)

γD(F)

λD(A)

Success with

Potential Detection

Si←1

Di←1

SuccessDetectedDetected

On-goingUndetected

On-goingDetected

SuccessDetected

λS/D

Si←1

(PU)={Pr(OU)=1 – γD(I), Pr(D)=γD(I), Pr(SD)=0, Pr(SU)=0}(PD)= {Pr(OU)=0, Pr(D)=1, Pr(SD)=0, Pr(SU)=0}(SU)={Pr(OU)= 0, Pr(D)= 0, Pr(SD)= 0,Pr(SU)= 1}(SD)={Pr(OU)= 0, Pr(D)= 0, Pr(SD)= 1,Pr(SU)= 0}

if 1 00→

[…]13

Formal foundations – snapshot 1/3

A (security-oriented) BDMP (A, r, T, P) is made ofAn attack tree A = {E, L, g}

a set E = G U B, where G is a set of gates and B a set of basic events(E, L) a directed acyclic graph, with L a set of oriented edges (i, j)a function g, defining the gates (g:G N*, with g(i) the gate parameter k)

A main top objective rSet of triggers T is a subset of (E - {r})x(E - {r}) such that

G1

r

f1 f2

G2

f3 f4

g(r)=2

g(G2)=1g(G1)=1

ljkiTlkTjiandjiTji ≠⇒≠∈∀∈∀≠∈∀ ,),(,),(,),(14


P= , triggered Markov Processes

Pi=

, and three homogeneous Markov process

o For k in {0, 1} (modes), state-space of

o , subset of successes/security event realizations

o , subset of detected states

[… ] “probability transfer functions” with

o is a probability distribution on such that

o [….] x 5

ik

ik AS ⊂

{ } EiiP ∈

{ }iiiiiiii ffffftZtZtZ 011010111011010011100 ,,,,),(),(),( →→→→→

)(0 tZ i )(11 tZ i)(10 tZ i

Aki Z tk

i ( )

ik

ik AD ⊂

)(100 xf i→ )(011 xf i

→

)(, 1000 xfAx ii→∈∀ iA10

and 1)))(((1

10010 ∑ ∈ → =⇒∈ iSjii jxfSx 1)))(((

110010 ∑ ∈ → =⇒∈ iDj

ii jxfDx

{ }iiii ffff 0110101110110 ,,, →→→→

15

( )1/ =∈∃≡ ij DBiD


Four families of Boolean functions of the timeStructure functions

Process selectorsIf i is a root of A, then Xi = 1 else

Relevance indicators

If i = r (final objective), then Xi = 1 else

Detection status indicators

EiiS ∈)(,Gi∈∀ )(

)(igSS

isonsjji ≥≡ ∑

∈

,Bj∈∀ jX

jXj jj SS ∈Ζ≡ , with Xj = 0 or 1, indicating the mode in which Pj is at time t

EiiX ∈)(

( ) ( )[ ]0),/(0),(, =∧∈∈∃∨=⇒∈∈∀¬≡ xxi STixExXLixExX

EiiY ∈)(

( ) ( )0),/(0),/( =∧∈∈∃∨=∧∧∈∈∃≡ yxxi STyiEySYLixExY

EiiD ∈)(( ) ( )1/ =∧≠∈∃∨∈Ζ≡ j

iX

iXi DijBjDD ii

,Bi∈∀ ,Gj∈∀16

RobustnessTheorem 1: (Si)(Xi)(Yi) )(Di) are computable whatever the BDMP structure

Theorem 2 : Any BDMP, defined at time t by the modes and the Pi states, is avalid homogeneous Markov process

Combinatory reduction by “relevant event filtering”

Mathematical properties

After attack step P2, all the others Pi are not relevantanymore: nothing is changed for “r” if we inhibit them

The number of sequences leading to the top objective iso n, if we filter the relevant events ({P1,Q},{P2,Q},…)o exponential otherwise ({P1,Q},{P1,P2,Q}, {P1,P3,Q},…)

Ei∈

1)'(1)(,',, =⇒=≥∀∀∈∀ tStStttBi iiTheorem 3: if the Pi are such that * anddetection aspects are not considered, Pr(Sr(t)=1) is unchanged whetherirrelevant event (Yi=0) are trimmed or not.

* This is always the case in our framework

Quantifications

Time-independent (static) - Classical attack tree parametersMonetary cost scenario cost, average attack cost

Boolean indicators (specific requirements, properties)

Minimum attacker skills

Time-domain analysis – Leveraging the BDMP frameworkQuantification tools, algorithms and optimizations

Efficient sequence exploration with trimmingProbability to reach the objective in a given timeOverall mean time to the attack successProbability of each explored sequenceOrdered list of sequences

18

Another use-case OR

Cracking_alternatives

OR

Password_attacksPassword_attacks

BruteforceBruteforce

AND

Social_Engineering_Success

Generic_reconnaissanceEmail_trap_executionEmail_trap_execution

AND

Keylogger_Success

OR

Keylogger_installation_alternatives Password_interceptedPassword_intercepted

AND

PhysicalPhysical

Physical_reconnaissancePhysical_reconnaissance

Keylogger_local_installation

AND

Remote

AND

Appropriate_payloadAppropriate_payload

Payload_crafting

AND

Non_technical_alt_successNon_technical_alt_success

User_trapped

Phone_trap_execution

OR

Non_technical_alt

Remote_PhaseRemote_Phase Physical_PhasePhysical_Phase

AND

Remote_installationRemote_installation

AND

Physical_installationPhysical_installation

AND

KeyloggerKeylogger

AND

Social_engineeringSocial_engineering

Social_Eng_Phase Keylogger_phaseDictionaryGuessing

Crafted_attachement_openedCrafted_attachement_opened

Social_Engineering_SuccessCracking_alternatives Keylogger_Success

Keylogger_installation_alternatives

RemoteNon_technical_alt

Emailed_file_execution

Password_found

TSE

TSE ISE!

ISE!

Password cracking

Social engineering

Keylogger

19

OR


OR



AND



AND

Keylogger_Success

OR


AND

PhysicalPhysical



AND

Remote

AND


Payload_crafting

AND


User_trapped


OR

Non_technical_alt


AND


AND


AND

KeyloggerKeylogger

AND








Password_found

TSE

TSE ISE!

ISE!

λ=0 λ=0 λ=3.802x10-7

(MTTS~a month)2 days

λ=1.157x10-5

(MTTS~a day)λ=1.157x10-5


(MTTS~2 days)

γ =0.33

2 days

5 days

λ=5.787x10-6 (MTTS~2 days)

λ=1.157x10-5 (MTTS~a day) γ =0.1

3 days

λ=5.787x10-6

(MTTS~2 days)

λ=1.157x10-5

(MTTS~a day)

λ=1.157x10-5

(MTTS~a day)

Another use-caseExample of parameterization

20

Overall probability in a week = 0.422 (MTTS = 22 days)

Ordered list of attack sequences (654 sequences)

Results

21

OR


OR



AND



AND

Keylogger_Success

OR


AND

PhysicalPhysical



AND

Remote

AND


Payload_crafting

AND


User_trapped


OR

Non_technical_alt


AND


AND


AND

KeyloggerKeylogger

AND








Password_found

TSE

TSE ISE!

ISE!

λ=0 λ=0 λ=3.802x10-7


λ=1.157x10-5



(MTTS~2 days)

γ =0.33

2 days

5 days

λ=5.787x10-6 (MTTS~2 days)

λ=1.157x10-5 (MTTS~a day) γ =0.1

3 days

λ=5.787x10-6

(MTTS~2 days)

λ=1.157x10-5

(MTTS~a day)

λ=1.157x10-5

(MTTS~a day)

Example of parameterization

With detection

22

OR


OR



AND



AND

Keylogger_Success

OR


AND

PhysicalPhysical



AND

Remote

AND


Payload_crafting

AND


User_trapped


OR

Non_technical_alt


AND


AND


AND

KeyloggerKeylogger

AND








Password_found

TSE

TSE ISE!

ISE!

γD/R = 0 γD/NR = 0.5

λD(O)=3.858x10-6

(MTTS~3 days)λD(O)=3.472x10-5 (MTTS~8 hours)γD(F) = 0.1

γD/R = 0.1 γD/NR = 0.33

λ=0 λ=0 λ=3.802x10-7


λ=1.157x10-5



(MTTS~2 days)

γ =0.33

2 days

5 days

λ=5.787x10-6 (MTTS~2 days)

λ=1.157x10-5 (MTTS~a day) γ =0.1

3 days

λ=5.787x10-6

(MTTS~2 days) λ=1.157x10-5

(MTTS~a day)

λ=1.157x10-5

(MTTS~a day)

Example of parameterization In orange, the detection parametersWith detection

22

OR


OR



AND



AND

Keylogger_Success

OR


AND

PhysicalPhysical



AND

Remote

AND


Payload_crafting

AND


User_trapped


OR

Non_technical_alt


AND


AND


AND

KeyloggerKeylogger

AND








Password_found

TSE

TSE ISE!

ISE!

γD/R = 0 γD/NR = 0.5

λD(O)=3.858x10-6

(MTTS~3 days)λD(O)=3.472x10-5 (MTTS~8 hours)γD(F) = 0.1

γD/R = 0.1 γD/NR = 0.33

λ=0 λ=0 λ=3.802x10-7


λ=1.157x10-5



(MTTS~2 days)

γ =0.33

2 days

5 days

λ=5.787x10-6 (MTTS~2 days)

λ=1.157x10-5 (MTTS~a day) γ =0.1

3 days

λ=5.787x10-6

(MTTS~2 days) λ=1.157x10-5

(MTTS~a day)

λ=1.157x10-5

(MTTS~a day)

λS/D=5.787x10-6 (MTTS~2 days)

λS/D=5.787x10-6

(MTTS~2 days)

λS/D=2.893x10-6

(MTTS~4 days)

λS/D=5.787x10-6

(MTTS~2 days)

Example of parameterization In orange, the detection parametersIn red, the reaction parametersWith detection

22

ResultsProbability of success within a week = 0.364 (-14 %)

Representative sequences (4231 vs 654)

23

Recent enhancements & complementary tools

Sequence analysisFiltering by static/time-independant parameters, i.e. attacker profile

Sequence presentation (visual conventions)

Sensitivity analysisOptimize security efforts

Most “significant” leaves

Iterated treatments

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1,0

0,0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1,0

1,1

1,2

1,3

1,4

1,5

1,6

1,7

1,8

1,9

2,0

Atta

ck s

ucce

ss p

roba

bilit

y (w

ithin

a w

eek)

λ0/λ (i.e. MTTS/MTTS0)

Keylogger local installation

Brute force

Payload crafting

Generic reconnaissance

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1

Atta

cksu

cces

spr

ob.

(in a

wee

k)

γ

Appropriate payload

User trapped

24

A few words about the implementationLeveraging of the KB3 platform (EDF)

Used at EDF for dependability studies for more than 15 years

Modularity thanks to “Knowledge Bases”, written in Figaro

A dedicated security knowledge basisImplementation was easy and fast (available on-line)

Knowledge bases

(incl. BDMP)

Figaro model(textual)

YAMS(Monte-Carlo simulation)

Figseq(path

exploration)

FigMAT-SF(matrix-based

solving)

Qualitative/quantitative results:- ordered list of sequences- probability of attack success- mean durations- etc.

Graphical modeling by the analysts

(NB: software available on-line)

25

Perspectives and on-going work

Enhance usabilityUsers’ feedback, case-studies, tutorials

Side-tools (sensitivity script HMI, etc.)

Attack pattern library

Theoretical extensionsExperiment different probability distributions (e.g., McQueen et al.)

Integration with Bayesian networks

Many attack trees extensions could be adaptedIntervals, fuzzy sets, OWA gates, game theory, etc.

Uncertainty handling and propagation

Internal and external dissemination! (thanks )

26

Conclusion

Graphical security modelingDifferent balances between readability, scalability, modeling powerand quantification capabilities

BDMP, an original and attractive trade-offWith a sound theoretical framework

Already an operational formalism

LimitsInherent limits of BDMP (e.g., with cyclic behaviors/loops)

Attacker behavior stochastic modeling – subjective probabilities

More generally, security and quantitative assessments

Complementary tool for the security analyst

27

Some referencesOn BDMP & KB3

M. Bouissou, J.L. Bon, “A new formalism that combines advantages of fault-trees and Markovmodels: Boolean logic Driven Markov Processes,” Reliability Engineering and System Safety, Vol.82, Issue 2, nov. 2003, pp. 149-163

M. Bouissou, “Automated Dependability Analysis of Complex Systems with the KB3 Workbench:the Experience of EDF R&D,” Proceedings of CIEM 2005, Bucharest, Romania, oct. 2005

Marc Bouissou’s homepage: http://marc.bouissou.free.fr/

On BDMP & SecurityL. Piètre-Cambacédès et M. Bouissou, “Attack and defense dynamic modeling with BDMP,” inProc. 5th International Conference on Mathematical Methods, Models, and Architectures forComputer Networks Security (MMM-ACNS-2010), St Petersburg, Russia, sept. 2010

L. Pietre-Cambacedes, Y. Deflesselle and M. Bouissou, "Security modeling with BDMP: fromtheory to implementation," in Proc. 6th IEEE International Conference on Network and InformationSystems Security (SAR-SSI 2011), La Rochelle, France, may 2011

L. Piètre-Cambacédès and M. Bouissou, “Modeling safety and security interdepedencies withBDMP (Boolean logic Driven Markov Processes),” Proc. IEEE International Conference onSystems, Man, and Cybernetics (SMC 2010), Istanbul, Turkey, oct. 2010.

Ludovic Pietre-Cambacedes’ homepage: http://perso.telecom-paristech.fr/~pietreca/29

http://marc.bouissou.free.fr/�

http://perso.telecom-paristech.fr/~pietreca/�

THANK YOU VERY MUCH!

beyond attack trees: attack and defense modeling with bdmpcracking _alternatives. or....

Documents