Attack trees: Formalisms, Variants,
and Applications
Dr. Dan (DongSeong) Kim
University of Canterbury, New Zealand
Outline
• Attack trees formalisms
• Attack trees variants
• Attack trees representations
– Graphical
– Textual
• Applications of attack trees
Attack Trees Formalisms
Attack trees formalisms
• References
– Schneier, Dr. Dobb's Journal 99
– Moore, CMU TR 01
– Mauw, ICISC 04
– Ray, ESORICS 05
B. Schneier's paper
• No formalism was proposed
• Represented attack trees in a graphical/textual
form using AND and/or OR nodes
• Showed different values can be assigned to the
leaf nodes
– Boolean (P/I), continuous node values (cost, prob.
of success of a given attack)
• A PGP (pretty good privacy) Example
Moore et al. paper
P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability,
Technical Note, CMU/SEI-2001-TN-001, March 2001.
• Structure and semantics
Moore et al. paper
• Attack tree refinement
– Attack tree – AND, OR: formalism
– Attack pattern
• Defined as a generic representation of a deliberate, malicious attack
that commonly occurs in a specific context
– Attack profile contains
• A common reference model
• A set of variants
• A set of attack patterns
• A glossary of defined terms and phrases
– Attack library (attack forests)
• Provide a set of attack profiles
Moore et al. paper
• Applying attack patterns
Mauw paper
• Attack trees and attack suite (attack patterns, intrusion
scenarios)
– Attack suite: combinations of attack components (nodes)
• An attack tree simply defines a collection of possible attacks
• Internal branching structure of an attack tree will not be expressed in the
attack suite.
– Bundles
• Connections from a node to a multi-set of nodes
S. Mauw and M. Oostdijk. Foundations of attack trees. In Dongho Won and Seungjoo Kim, editors, International Conference on Information Security and Cryptology,
LNCS 3935, pages 186-198, Seoul, Korea, December 2005. Springer-Verlag, Berlin.
Mauw paper
• Transformations
– Two structurally different attack trees may intuitively capture the same
information.
– The difference in structuring can arise from a different approach
towards partitioning the attacks
Mauw paper
• Projections
– By manipulating attack trees one can get answers
to questions like
– “show all attacks that do not require special
equipment”,
– or “which attacks incur a damage over 1000 US
dollars?”
• Requires an attribute incurred damage and a predicate
on its domain, $P(n) \equiv n \geq 1000$. Taking the projection of
an attack suite boils down to selecting the attacks that
satisfy the predicate.
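The attack suite and projection described on the Mauw slides above, as an added Python example (not taken from the slides or the cited paper). The tree, leaf names and attribute values are constructed, and summing damage over the components of one attack is an assumption made for illustration.

```python
from itertools import product

# Constructed leaf attributes: (incurred damage in USD, needs special equipment)
LEAVES = {
    "bribe_operator": (1500, False),
    "steal_badge":    (200,  False),
    "pick_lock":      (100,  True),
    "plant_device":   (700,  False),
}

# Constructed tree: a leaf name, or (gate, child, child, ...) with gate AND/OR.
TREE = ("OR",
        "bribe_operator",
        ("AND", ("OR", "steal_badge", "pick_lock"), "plant_device"))

def attack_suite(node):
    """Flatten a tree into its attack suite: a set of attacks, each a bag
    (sorted tuple) of leaf components. The branching structure is dropped."""
    if isinstance(node, str):
        return {(node,)}
    gate, *children = node
    suites = [attack_suite(child) for child in children]
    if gate == "OR":    # any single child attack achieves the goal
        return set().union(*suites)
    if gate == "AND":   # one attack from every child, merged into one bag
        return {tuple(sorted(sum(combo, ()))) for combo in product(*suites)}
    raise ValueError(f"unknown gate {gate!r}")

def damage(attack):
    # Assumption: damage of an attack is the sum over its components.
    return sum(LEAVES[leaf][0] for leaf in attack)

def needs_equipment(attack):
    return any(LEAVES[leaf][1] for leaf in attack)

def project(suite, predicate):
    """Projection: keep only the attacks that satisfy the predicate."""
    return {attack for attack in suite if predicate(attack)}

if __name__ == "__main__":
    suite = attack_suite(TREE)
    print("suite:", sorted(suite))
    print("damage >= 1000:", project(suite, lambda a: damage(a) >= 1000))
    print("no special equipment:",
          sorted(project(suite, lambda a: not needs_equipment(a))))
```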
I. Ray paper
cf. components in Mauw
I. Ray and N. Poolsapassit, Using Attack Trees to Identify Attacks from Authorized Insiders, ESORICS 2005
I. Ray paper (cont.)
cf. attributes in Mauw
Attack tree variants
What variants?
• In terms of
– Input value (attributes, label)
– Output measures (projection)
– Representation of semantics and structure in
graphical/textual form
• AND, OR
• O-AND (Ordered AND)
• Sequential/parallel
• Conditional
Attack Trees with
dynamic gates
Input value
• Value can be codified in the leaf nodes
– Prob. of success of a given attack
– Conditional probability
– Impact (e.g., 0-10)
– Risk = Impact*prob. of success of a given attack.
– Cost (e.g., attack cost, security investment cost)
– Attacker skill (e.g., High/Medium/Low, …)
– Attack difficulty, e.g. 1-10
– Probability of getting caught
– Penalty
– Combined
Output measures
• They depend on the input values
– Probability of attack success
– Sum of cost
– Risk
– Vulnerability
– Survivability
– Others
• These appear in more detail in the applications of attack trees.
Attack trees representations
Graphical Representation
• Structure and semantics
Schneier’s paper
Graphical Representation
– AND
– OR
P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability,
Technical Note, CMU/SEI-2001-TN-001, March 2001.
Graphical Representation
A Practical Approach to Threat Modeling, TR, 2006
Graphical Representation
Graphical Representation
C. Fung, et al. Survivability Analysis of Distributed Systems using Attack Tree Methodology, MILCOM05
Graphical Representation
A. Jurgenson and J. Willemson, Processing Multi-parameter Attack trees with Estimated Parameter Values, Proc. IWSEC 2007
Graphical Representation
• COND (conditional) – Indicates that an agent may decide whether or not they want to achieve the goal.
– For the agent to traverse a COND node, the agent must answer two questions:
• 1. Do I want to perform this action? => determined by a probability table based on the type of attacker.
• 2. Are the necessary preconditions met for me to take this action? => satisfied by a lookup in the agent's state table.
M. S. Lathrop, L. Hill, L. Surdu, Modeling Network Attacks, Proc. IAW 2002.
Graphical Representation
Z. Gan, J. Tang, P. Wu, and V. Varadharajan, A Novel Security Risk Evaluation for Information System, FCST 2007
– Extends the concept of the attack tree and introduces
another relation: CAND (Conditional AND).
• The CAND relation between nodes represents that
the upper goal is achieved if all subgoals are achieved
under a certain condition.
Graphical Representation
S. Camtepe and B. Yener, Modeling and Detection of Complex Attacks, securecom07
– O-AND (Ordered-AND), cf. later sequential AND
– Combination of graph and fault tree (ftree)
Graphical Representation
S. Bistarelli, M. Dall’Aglio, and P. Peretti, Strategic Games on Attack Trees, FAST 2006
– Defense tree (compare it with protection trees)
– ROI (return on investment)
– ROA (return on attack)
Textual representation
Schneier’s paper
Textual representation
Textual representation
Textual representation
E. Park, J. Yun, H. In, Simulating Cyber intrusion using Ordered UML Model-based scenarios, AsiaSim04
• Sequential/parallel
– Sequential AND-OR : series
– Parallel AND-OR
Applications of Attack trees
Category of applications
• System level
– Host forensics
– Web Server
• Network level
– Intrusion Detection Systems
– DDoS attack
– BGP
– MANETs
– Wireless LAN
• Hybrid (system & network level)
– Survivability analysis
– Vulnerability analysis
– Risk analysis
• Applications
– E-voting
– Copyright Protection Protocols
– Attacks to user authentication
– Analyze security for online banking system
– Defense trees for economic evaluation of security investments
• Misc
– Network attack simulator
– Intrusion signature based on Honeypot
Log file investigation
N. Poolsapassit and I. Ray, Investigating Computer Attacks using Attack Trees, Chap. 23, Proc. of IP 2007
Web server hacking
T. Tidwell, R. Larson, K. Fitch, and J. Hale, Modeling Internet Attacks, WIAS 2001
DDoS attack and protection trees
Modeling and analysis of Attacks on MANET
routing in AODV
P. Ebiner and T. Bucher, Modeling and Analysis of Attacks on the MANET routing in AODV, ADHOC-NOW 2006
Detect selfish nodes in MANETs
F. Kargl, A. Klenk, S. Schlott, and M. Weber, Advanced Detection of Selfish or Malicious Nodes in Ad Hoc Networks,
ESAS 2004
Survivability (attack resiliency) Analysis
Generating intrusion scenarios -> cost (difficulty) -> min. difficulty == attack resiliency
Vulnerability analysis
J. Eom et al, Active Cyber Attack Model for Network System’s Vulnerability Assessment, Proc. ICISS 2008
Attack Damage Assessment (ADA) assesses how long the target system
is interrupted by a DoS attack.
e-Voting system
A. Buldas and T. Magi, Practical Security Analysis of E-voting Systems. IWSEC07
Copyright Protection Protocol
M. Higuero et al, Application of ‘Attack Trees’ Techniques to Copyright Protection Protocols Using Watermarking
and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol), MIPS 2004.
Attacks to user authentication
Biometric User Authentication for IT Security: From Fundamentals to Handwriting, Fundamentals in User Authentication, chap. 4.
Analyze security for online banking system
K. Edge, R. Raines, R. Bennington, and C. Reuter, The Use of Attack and Protection Trees
to Analyze Security for an Online Banking System, HICSS 2007
Defense trees for economic evaluation of security
investments
S. Bistarelli, F. Fioravanti, P. Peretti, Defense trees for economic evaluation of security investments, AReS 2006
A Network Security Simulator
that uses attack trees
Simulation was done over 100,000 nodes.
Comparison
• Attack trees (Atree) vs. Fault trees (Ftree, in SHARPE)
– Atree parameters
• Prob. of success of a given attack
• Conditional probability
• Impact (e.g., 0-10)
• Risk
• Cost
• Attacker skill
• Attack difficulty, e.g. 1-10
• Probability of getting caught
• Penalty
• Combined
– Ftree parameters
• Failure rates
• Prob. of failure
• Weibull failure distribution
• Hypoexponential distribution
• Hyperexponential distribution
• Mixture distribution
• Defective distribution
• Oneshot distribution
• Binomial distribution
– Atree output
• Cost to attacks
• Risk
• Vulnerability
• Survivability (not T1A1)
• Intrusion scenarios
– Ftree output
• Reliability
• Unreliability
• PQCDF (pq cumulative distribution f)
• Mincuts
• MTTF
• Variance
References
1. S. Bistarelli, M. Dall'Aglio, and P. Peretti, Strategic Games on Attack Trees, Proc. FAST 2006
2. S. Bistarelli, F. Fioravanti, P. Peretti, Defense trees for economic evaluation of security investments, Proc. AReS 2006
3. A. Buldas and T. Magi, Practical Security Analysis of E-voting Systems. Proc. IWSEC07
4. A. Buldas, P. Laud, J. Priisalu, M. Saarepera, J. Willemson, Rational Choice of Security Measures Via Multi-parameter Attack Trees, Proc. CRITIS 2006.
5. S. Camtepe and B. Yener, Modeling and Detection of Complex Attacks, Proc. securecom 2007
6. K. Daley, R. Larson, J. Dawkins, A Structural Framework for Modeling Multi-Stage Network Attacks, Proc. ICPPW 2002.
7. P. Ebiner and T. Bucher, Modeling and Analysis of Attacks on the MANET routing in AODV, Proc. ADHOC-NOW 2006
8. K. Edge, R. Raines, R. Bennington, and C. Reuter, The Use of Attack and Protection Trees to Analyze Security for an Online Banking System, Proc. HICSS 2007
9. J. Eom et al, Active Cyber Attack Model for Network System's Vulnerability Assessment, Proc. ICISS 2008
10. I. N. Fovino and M. Masera, Through the Description of Attacks: A Multidimensional View, SAFECOMP 2006.
11. C. Fung, et al. Survivability Analysis of Distributed Systems using Attack Tree Methodology, Proc. MILCOM 2005
12. M. Higuero et al, Application of 'Attack Trees' Techniques to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol), Proc. MIPS 2004.
13. S. Huang, Z. Li, L. Wang, Mining Attack Correlation Scenarios Based on Multi-agent System, Proc. HCII 207.
14. A. Jurgenson and J. Willemson, Processing Multi-parameter Attack trees with Estimated Parameter Values, Proc. IWSEC 2007
15. K. Juszczyszyn, N. T. Nguyen, G. Kolaczek, A. Grzech, A. Pieczynska, and R. Katarzyniak, Agent-Based Approach for Distributed Intrusion Detection System Design, Proc. of ICCS 2006.
16. F. Kargl, A. Klenk, S. Schlott, and M. Weber, Advanced Detection of Selfish or Malicious Nodes in Ad Hoc Networks, Proc. ESAS 2004
17. M. S. Lathrop, L. Hill, L. Surdu, Modeling Network Attacks, Proc. IAW 2002.
18. P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability, Technical Note, CMU/SEI-2001-TN-001, March 2001.
19. S. Mauw and M. Oostdijk. Foundations of attack trees. Proc. ICISC 2005.
20. T. Olzak, A Practical Approach to Threat Modeling, TR, 2006
21. I. Ray and N. Poolsapassit, Using Attack Trees to Identify Attacks from Authorized Insiders, Proc. ESORICS 2005
22. E. Park, J. Yun, H. In, Simulating Cyber intrusion using Ordered UML Model-based scenarios, Proc. AsiaSim04
23. N. Poolsapassit and I. Ray, Investigating Computer Attacks using Attack Trees, Chap. 23, Proc. IP 2007
24. C.-W. Ten, C-C. Liu, M. Govindarasu, Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees, Proc. PESGM 2007.
25. T. Tidwell, R. Larson, K. Fitch, and J. Hale, Modeling Internet Attacks, Proc. WIAS 2001
26. C. Vielhauer, Biometric User Authentication for IT Security: From Fundamentals to Handwriting, Chap 4.
27. Z. Gan, J. Tang, P. Wu, and V. Varadharajan, A Novel Security Risk Evaluation for Information System, Proc. FCST 2007
28. R. R. Yager, OWA trees and their role in security modeling using attack trees, Information Science 176, pp.2933-2959, 2006.
29. Z. Zhang, P.-H. Ho, X. Lin, H. Shen, Janus: A Two-Sided Analytical Model for Multi-Stage Coordinated Attacks, Proc. ICISC 2006.
AttackTree+
• http://www.isograph-oftware.com/atpover.htm
– Indicator:
• Indicator name
• Indicator description
• Minimum
• Maximum
• Default
• Logical expression – AND/OR
– Multiple indicators (combined) at a time
• Cost, equipment, probability, frequency
AttackTree+
• Consequence
– Financial
– Reputation
– Safety
– Political
– Environmental
– Operational
– Communications
– Security
– Other values
AttackTree+
• Event probability [0,1]
– Or Frequency of event
• Analysis
– Outcome
– Mini-cut set (display with different color, trace)