A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava
Date posted: 19-Dec-2015

Outline

•Motivation

•The Kolmogorov Complexity Method (KCM)

•The K-step Capability Accumulation Metric (KCA)

•Applying KCM to KCA

Motivation

•Perfect enterprise security is impossible to achieve, and must be approximated

•The difficulty associated with causing a security breach is used as an indicator of the quality of an enterprise’s security

•The ability of an attacker to exploit a vulnerability is referred to as exploitability

Exploitability is Important

•Common Vulnerability Scoring System (CVSS)

  •exploitability is incorporated into the scoring of vulnerabilities

•Computer Emergency Response Team/Coordination Center (CERT/CC)

  •has a numeric score based on exploitability

•SANS Critical Vulnerability Analysis Scale Rating

  •2 of its 4 ratings include exploitability

Thus, assessing the difficulty of attack paths is important!

Representing Attack Paths with Attack Graphs

Total Attack Paths: 4

Issues with Representation

• Counting the number of paths is straightforward (usually)

• Measuring the complexity of each attack is non-trivial

• Choices for determining attack complexity have been made in the literature

• However, these choices lack consistency, and fail to make some of the modeler’s assumptions explicit

If security metrics are to become more of a science, we will need a standard way of communicating our measurements!

What We Would Like

•A standard way of measuring attack path complexity that is grounded in some sound theory

•An attack path measurement approach that incorporates the assumptions of the modeler

•A way of measuring attack paths that provides a modeler sufficient flexibility to model the attack path as desired

The Kolmogorov Complexity Method achieves these aims

Kolmogorov Complexity (KC)

•KC determines a string’s complexity by using the size of the smallest program that can produce that string

•Let $K$ be the function that returns the KC of a string

•Given strings $x_1$ and $x_2$, if $K(x_1) < K(x_2)$, then $x_2$ is more complex than $x_1$

Idea: If we model attack paths as strings, we can apply KC to attack paths

Representing Attack Paths

• Alphabet

• A corresponds to the set of all exploits (i.e., instances of vulnerabilities) found in all attack graphs under consideration

• Constants

• ε is the empty string

• $v_i \in A$ denotes an exploit from an attack graph

• ∅ corresponds to the empty set

Representing Attack Paths (II)

• Operators

• Let S and T be two strings composed of characters from A

• Let $E_1$ and $E_2$ be expressions in the language

• $ST$ evaluates to the concatenation of strings $S$ and $T$

• $()$ provides priority ordering

• $(S)^+$ denotes that $S$ may repeat one or more times

Representing Attack Paths (III)

• Operators (continued...)

• $S^k$ evaluates to $k$ instances of $S$ concatenated together

• $E_1^{[k]}E_2$ evaluates to the insertion of $E_1$ into index $k$ of $E_2$, where the first character of $E_2$ is index 0 (the above can be generalized to $E_1^{[k_1],[k_2],\ldots,[k_n]}E_2$)

• $E_1^{l,[k]}E_2$ concatenates $E_1^l$ to $E_2$ and inserts $E_1$ into the $k$th index of $E_2$

• $E_1^{l[k]}E_2$ inserts $E_1^l$ into the $k$th index of $E_2$

The Kolmogorov Complexity Method (KCM) Applied to an Attack Path

Quantitative Representation: $v_1v_1v_1v_2v_3v_1v_1$

Qualitative Representations: $v_1^{3,2[2]}v_2v_3$, $v_1^{3,[2]}v_2v_3v_1$, $v_1^3v_2v_3v_1v_1$

Each representation makes explicit distinct assumptions about the attack path

KCM Can Handle Cyclic Attack Paths

A Representation: $v_1^2(v_1v_2v_3)^+v_1^2$
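The operators and the example attack path from the preceding slides can be checked mechanically. The following is an added example, not code from the presentation or its authors: it expands each qualitative representation and confirms that all three yield the same quantitative string, and it unrolls the cyclic representation. The function names, the tuple encoding of paths, and the reading that insert indices refer to the original $E_2$ are assumptions.

```python
# Added example: evaluator for the operators on the slides. Attack paths are
# tuples of exploit names; every function name here is hypothetical.

def power(s, k):
    """S^k: k instances of S concatenated together."""
    if k < 0:
        raise ValueError("repeat count must be non-negative")
    return s * k

def insert(e1, k, e2):
    """E1^[k] E2: insert E1 at index k of E2 (first symbol of E2 is index 0)."""
    if not 0 <= k <= len(e2):
        raise IndexError(f"index {k} is outside 0..{len(e2)}")
    return e2[:k] + e1 + e2[k:]

def apply(e1, spec, e2):
    """Evaluate E1^{spec} E2. Each component of spec is
         ("pre", l)     prepend E1^l to E2             (the 'l,' part)
         ("ins", l, k)  insert E1^l at index k of E2   ('l[k]'; l = 1 for '[k]')
    Assumption: every k refers to the original E2, so inserts run right to left."""
    body = e2
    for _, l, k in sorted((c for c in spec if c[0] == "ins"),
                          key=lambda c: c[2], reverse=True):
        body = insert(power(e1, l), k, body)
    prefix = ()
    for c in spec:
        if c[0] == "pre":
            prefix += power(e1, c[1])
    return prefix + body

def unroll_plus(s, n):
    """(S)+ unrolled to exactly n repetitions; the operator requires n >= 1."""
    if n < 1:
        raise ValueError("(S)+ repeats one or more times")
    return power(s, n)

V1, V2, V3 = ("v1",), ("v2",), ("v3",)
QUANTITATIVE = V1 * 3 + V2 + V3 + V1 * 2        # v1v1v1v2v3v1v1

def slide_representations():
    """The three qualitative representations given for the example path."""
    return [
        apply(V1, [("pre", 3), ("ins", 2, 2)], V2 + V3),       # v1^{3,2[2]} v2v3
        apply(V1, [("pre", 3), ("ins", 1, 2)], V2 + V3 + V1),  # v1^{3,[2]} v2v3v1
        power(V1, 3) + V2 + V3 + V1 + V1,                      # v1^3 v2v3v1v1
    ]

def cyclic_path(n):
    """v1^2 (v1v2v3)+ v1^2 with the cycle taken n times."""
    return power(V1, 2) + unroll_plus(V1 + V2 + V3, n) + power(V1, 2)
```

With the cycle taken once, the cyclic representation expands to the same quantitative string as the acyclic example.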

Outline

•Motivation

•The Kolmogorov Complexity Method (KCM)

•The K-step Capability Accumulation Metric (KCA)

•Applying KCM to KCA

Previously Proposed Metrics

•Capability Metrics: measure security in terms of an attacker’s capability

  • Number of Paths (Ortalo et al. ’99), Weakest Adversary (Pamula et al. ’06), Network Compromise Percentage (Lippmann et al. ’06)

•Complexity Metrics: measure security in terms of effort

  • Shortest Path (Phillips & Swiler ’98), Mean of Path Lengths (Li & Vaughn ’06)

The K-Step Capability Accumulation Metric (KCA)

•KCA is a hybrid of a complexity metric and a capability metric

•More than how difficult it is to cause a security breach, or what capabilities an attacker can obtain, KCA is concerned with the amount of capability an attacker can attain for varying levels of attack effort

Intuition: In general, a network that can be compromised in a single attack step is less secure than another network that requires a series of multiple attack steps to compromise the network

KCA: Comparing 2 Attack Graphs

[Figure: attack graphs $G_1$ and $G_2$]

$KCA_1(G_1) = KCA_1(G_2)$

$KCA_2(G_1) < KCA_2(G_2)$

$G_1$ is more secure than $G_2$

Adapting KCA for KCM

• Assuming the KCM qualitative representation

• $Cap_{p_i}(G) = \bigcup \mathrm{capabilities}(p_i)$

• Let $q_1$ through $q_n$ be quantitative representations of the attack paths $p_1$ through $p_n$ respectively

• ${q_j}_{0 \ldots i}$ is the substring of $q_j$ from index 0 to index $i$

• ${q_j}_i$ is the $i$th position of $q_j$

Adapting KCA for KCM (II)

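•Similar definitions exist for $s$

•$e({s_j}_{0 \ldots i}) = {q_j}_{0 \ldots m}$, such that ${s_j}_i = {q_j}_m$ and ${q_j}_m \neq {q_j}_{m+1}$; also $\forall v \in {q_j}_{0 \ldots m}$, $v \in {s_j}_{0 \ldots i}$

•This gives the following:

•$KCA_k(G) = \bigcup_{i=1}^{k} Cap_{e({s_j}_{0 \ldots i})}(G)$, for all attack paths $j$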
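The KCA definition above can be exercised on two small graphs, reproducing the comparison pattern from the earlier slide (equal at one step, different at two). The following is an added example, not code from the presentation or its authors. It assumes that step $i$ means the first $i$ runs of identical exploits in a path, that each exploit grants a fixed set of capabilities, and that KCA values are compared by set size. The graphs, capability names and function names are constructed for illustration.

```python
from itertools import groupby

def e(q, i):
    """Quantitative prefix of path q covering its first i runs of identical
    exploits, so a repeated exploit such as v1v1 counts as one step (assumption)."""
    out = []
    for steps, (_, run) in enumerate(groupby(q)):
        if steps == i:
            break
        out.extend(run)
    return tuple(out)

def cap(prefix, capabilities):
    """Union of the capabilities granted by every exploit in the prefix."""
    gained = set()
    for v in prefix:
        gained |= capabilities[v]     # KeyError on an exploit with no entry
    return gained

def kca(k, paths, capabilities):
    """KCA_k(G): capabilities reachable within k steps over all attack paths."""
    acc = set()
    for q in paths:
        for i in range(1, k + 1):
            acc |= cap(e(q, i), capabilities)
    return acc

# Constructed sample data: capabilities per exploit and two one-path graphs.
CAPS = {
    "v1": {"user@web"},
    "v2": {"user@db"},
    "v3": {"root@db", "root@file"},
}
G1 = [("v1", "v1", "v2")]   # second step yields one new capability
G2 = [("v1", "v3")]         # second step yields two new capabilities

def compare(k):
    """Sizes of KCA_k for the two constructed graphs."""
    return len(kca(k, G1, CAPS)), len(kca(k, G2, CAPS))
```

Here `compare(1)` gives equal sizes and `compare(2)` gives a smaller value for `G1`, so `G1` is the more secure graph under this reading.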

Summary

•We have proposed a methodology for measuring attack paths, the Kolmogorov Complexity Method (KCM)

•We have proposed a novel security metric that combines complexity and capabilities obtained by the attacker, the K-step Capability Accumulation Metric (KCA)

•We have shown that KCM can be applied to a security metric, namely, KCA

Thank You