Beyond attack trees: Attack and defense modeling with BDMP (Boolean logic Driven Markov Processes)
September 13th 2011, SaToSS Seminar, Luxembourg
Ludovic Piètre-Cambacédès (1), Marc Bouissou (1,2)
(1) EDF R&D, (2) École Centrale Paris
Agenda
Introduction: graphical attack modeling and relevance of BDMP
Attack and defense modeling with BDMP: formalism description
  Theoretical basis and description
  Examples & quantifications
Recent advances: enhancements and complementary tools
Perspectives and on-going work
Conclusion and Q&A
Graphical modeling of computer attacks
Graphical representation of an attack process: red-team, risk analysis
  Formalize reasoning
  Share standpoints
  Enhance coverage
An active field of research, with different trade-offs between ease of appropriation, readability, modeling power, quantification capabilities and scalability
[Figure: examples of graphical attack formalisms, dated 1994, 1996, 1999 and 2000]
BDMP, the potential for an attractive trade-off
Interest proven in reliability and safety engineering ⇒ adaptation to attack modeling
  Dynamic
  Readable
  Tractable
Invented and used at EDF (NPP safety, substations, data centers reliability, …)
Complete theory and software framework
In a nutshell…
The look of a classical attack tree
  Objective = top event
  Logical gates AND, OR, etc.
Plus triggers {T}
Leaves under two modes, "Idle" and "Active", driven by triggered Markov processes
Interest of BDMP in security
  Dynamic (more than attack trees)
  Readable (close to attack trees)
BDMP – Application to attack modeling
[Figure: RAS (Remote Access Server) attack BDMP. Top objective "RAS ownership"; intermediate events "RAS access granted", "Logged into the RAS", "Authentication by password" and "Vulnerability found and exploited"; leaves "Wardialing", "Social engineering", "Brute force", "Vulnerability identification" and "Vulnerability exploitation"; gates AND, OR, OR, AND.]
RAS attack BDMP – A simple use-case
[Figure sequence: the same RAS attack BDMP stepped through "Step 0 (attack just started)", "Step 1", "Step 2", "Step 3" and "Attacker's objective reached", showing leaves switching from idle to active and succeeding as the attack progresses.]
BDMP for attack modeling – Types of leaves
Attack scenarios ⇒ 3 kinds of security leaves
  Modeling of attacker's actions: AA (Attacker Action) leaves, timed leaves (1/λ = MTTS, mean time to success)
  Modeling of security events: TSE (Timed Security Event) leaves, timed as well; ISE (Instantaneous Security Event) leaves, instantaneous (realization probability γ)
[Figure: "Attack by malicious attachment" – top event "Successful attack" (AND gate "Remote_installation") over the AA leaf "Email preparation and sending", the TSE leaf "Attachment execution by the target" and the ISE leaf "Successful payload execution".]
BDMP for attack modeling – Going deeper
Leaf specifications for AA, ISE and TSE
Triggered Markov processes (e.g., AA leaf without detection)
  Idle mode: states Potential (P) and Success (S)
  Active mode: states On-going (O) and Success (S), with the transition O → S at rate λ
  Transfer functions between the modes: P ⇄ O (with Pr = 1), S ⇄ S (with Pr = 1)
Detection and reaction modeling
  Four types (IOFA): Initial, On-going, Final, A posteriori
  Three modes instead of two: Idle, Active Detected, and Active Undetected
Detections/reactions for AA leaves
Idle mode: states Potential Undetected (PU), Potential Detected (PD), Success Undetected (SU), Success Detected (SD)
Active Undetected mode: states On-going Undetected (OU), Success Undetected (SU), Success Detected (SD)
  OU → success at rate λS/ND; on success, final detection with probability γD(F) (→ SD) or none with probability 1 − γD(F) (→ SU); Si ← 1
  OU → On-going Detected at rate λD(O) (on-going detection); Di ← 1
  SU → SD at rate λD(A) (a posteriori detection)
Active Detected mode: states On-going Detected (OD), Success Detected (SD)
  OD → SD at rate λS/D (success despite the reaction); Si ← 1
Transfer functions (idle → active), D denoting the On-going Detected state:
  (PU) = {Pr(OU) = 1 − γD(I), Pr(D) = γD(I), Pr(SD) = 0, Pr(SU) = 0}
  (PD) = {Pr(OU) = 0, Pr(D) = 1, Pr(SD) = 0, Pr(SU) = 0}
  (SU) = {Pr(OU) = 0, Pr(D) = 0, Pr(SD) = 0, Pr(SU) = 1}
  (SD) = {Pr(OU) = 0, Pr(D) = 0, Pr(SD) = 1, Pr(SU) = 0}
[…]
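The following is an added worked example, not code from the slides or from the KB3/Figaro tools: it builds the active-mode Markov chain of a single AA leaf with the detection and reaction parameters named above (λS/ND, λD(O), γD(F), λD(A), λS/D) and computes its state distribution at a given time by uniformization, a plain-Python matrix exponential. Initial detection γD(I) is left out because it acts on the idle → active transfer, not inside the active mode. The parameter values are taken from the orders of magnitude quoted later in the deck (MTTS one day, on-going detection in 8 hours, γD(F) = 0.1, success in 4 days once detected) and are a constructed input, not a claim about any real system.

```python
"""One AA leaf in active mode: OU/OD/SU/SD chain with IOFA detection and reaction rates."""
import math

STATES = ["OU", "OD", "SU", "SD"]  # on-going / success  x  undetected / detected
IDX = {s: i for i, s in enumerate(STATES)}


def generator(lam_s_nd, lam_d_o, gamma_d_f, lam_d_a, lam_s_d):
    """Rate matrix Q (row = from, column = to) of the active-mode Markov chain."""
    Q = [[0.0] * 4 for _ in range(4)]

    def rate(a, b, r):
        Q[IDX[a]][IDX[b]] += r

    rate("OU", "OD", lam_d_o)                       # on-going detection while attacking
    rate("OU", "SU", lam_s_nd * (1 - gamma_d_f))    # success, no detection at the end
    rate("OU", "SD", lam_s_nd * gamma_d_f)          # success, final detection
    rate("SU", "SD", lam_d_a)                       # a posteriori detection of a success
    rate("OD", "SD", lam_s_d)                       # success despite the reaction (slower rate)
    for i in range(4):
        Q[i][i] = -sum(Q[i][j] for j in range(4) if j != i)
    return Q


def transient(Q, t, start="OU", tol=1e-12, max_terms=100_000):
    """State distribution at time t by uniformization: exp(Qt) as a Poisson mixture of P^k."""
    n = len(Q)
    lam = max(-Q[i][i] for i in range(n)) or 1.0        # uniformization rate
    P = [[(1.0 if i == j else 0.0) + Q[i][j] / lam for j in range(n)] for i in range(n)]
    v = [1.0 if s == start else 0.0 for s in STATES]    # pi_0 * P^k, updated each term
    dist = [0.0] * n
    k, poisson, cumul = 0, math.exp(-lam * t), 0.0      # Poisson(lam*t) weight of term k
    while cumul < 1 - tol and k < max_terms:
        dist = [dist[j] + poisson * v[j] for j in range(n)]
        cumul += poisson
        v = [sum(v[i] * P[i][j] for i in range(n)) for j in range(n)]
        k += 1
        poisson *= lam * t / k
    return dict(zip(STATES, dist))


def success_probability(dist):
    return dist["SU"] + dist["SD"]


def detected_probability(dist):
    return dist["OD"] + dist["SD"]


# Constructed parameters (slide orders of magnitude), all rates in 1/s, horizon one week.
WEEK = 7 * 86400
PARAMS = dict(lam_s_nd=1.157e-5,   # MTTS ~ a day while undetected
              lam_d_o=3.472e-5,    # on-going detection, mean ~ 8 hours
              gamma_d_f=0.1,       # final detection probability
              lam_d_a=0.0,         # no a posteriori detection
              lam_s_d=2.893e-6)    # MTTS ~ 4 days once detected (reaction slows the attacker)


def compare(params=PARAMS, t=WEEK):
    """Success probability within t with detection/reaction, without any detection, and
    the probability that the defender has detected the action by t."""
    with_det = transient(generator(**params), t)
    no_det = transient(generator(params["lam_s_nd"], 0.0, 0.0, 0.0, params["lam_s_d"]), t)
    return success_probability(with_det), success_probability(no_det), detected_probability(with_det)


if __name__ == "__main__":
    p_det, p_nodet, p_seen = compare()
    print(f"success within a week: {p_det:.3f} with detection/reaction, {p_nodet:.3f} without; "
          f"detected by then: {p_seen:.3f}")
```

Without detection the chain collapses to OU → SU at rate λS/ND, so the result must equal 1 − e^(−λt); with the detection parameters the success probability drops because three quarters of the attempts are detected within hours and then proceed at the slower λS/D, which is the mechanism behind the "−14 %" the deck reports on the full model.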
Formal foundations – snapshot 1/3
A (security-oriented) BDMP (A, r, T, P) is made of
  An attack tree A = {E, L, g}
    a set E = G ∪ B, where G is a set of gates and B a set of basic events
    (E, L) a directed acyclic graph, with L a set of oriented edges (i, j)
    a function g defining the gates ($g: G \to \mathbb{N}^*$, with g(i) the gate parameter k: the gate is true when at least k of its sons are true)
  A main top objective r
  A set of triggers $T \subset (E - \{r\}) \times (E - \{r\})$ such that
    $\forall (i,j) \in T,\ i \neq j$ and $\forall (i,j) \in T,\ \forall (k,l) \in T,\ (i,j) \neq (k,l) \Rightarrow j \neq l$ (an element has at most one incoming trigger)
[Figure: example with root r, g(r) = 2, over gates G1 and G2; G1 with g(G1) = 1 over leaves f1, f2; G2 with g(G2) = 1 over leaves f3, f4]
Formal foundations – snapshot 2/3
$P = \{P_i\}_{i \in E}$, triggered Markov processes
$P_i = \left(\{Z_i^{0}(t),\ Z_i^{10}(t),\ Z_i^{11}(t)\},\ \{f_i^{0 \to 10},\ f_i^{0 \to 11},\ f_i^{10 \to 0},\ f_i^{11 \to 0},\ f_i^{10 \to 11}\}\right)$, where
  $Z_i^{k}(t)$, for k in the modes {0 (idle), 10 (active undetected), 11 (active detected)}, are three homogeneous Markov processes
    o $A_i^{k}$: state space of $Z_i^{k}(t)$
    o $S_i^{k} \subset A_i^{k}$: subset of successes / security event realizations
    o $D_i^{k} \subset A_i^{k}$: subset of detected states
  […] "probability transfer functions", e.g. $f_i^{0 \to 10}$, with
    o $\forall x \in A_i^{0}$, $f_i^{0 \to 10}(x)$ a probability distribution on $A_i^{10}$ such that
      $x \in S_i^{0} \Rightarrow \sum_{j \in S_i^{10}} f_i^{0 \to 10}(x)(j) = 1$ and $x \in D_i^{0} \Rightarrow \sum_{j \in D_i^{10}} f_i^{0 \to 10}(x)(j) = 1$
    o […] likewise for the four other transfer functions (× 5)
Global detection status: $D \equiv \exists i \in B\ /\ D_i = 1$
Formal foundations – snapshot 3/3
Four families of Boolean functions of the time
  Structure functions $(S_i)_{i \in E}$: $\forall i \in G,\ S_i \equiv \left(\sum_{j \in sons(i)} S_j \geq g(i)\right)$; $\forall j \in B,\ S_j \equiv \left(Z_j^{X_j} \in S_j^{X_j}\right)$, with $X_j = 0$ or $1$ indicating the mode (idle or active) in which $P_j$ is at time t
  Process selectors $(X_i)_{i \in E}$: if i is a root of A, then $X_i = 1$, else
    $X_i \equiv \neg\left[\left(\forall x \in E,\ (x,i) \in L \Rightarrow X_x = 0\right) \vee \left(\exists x \in E,\ (x,i) \in T \wedge S_x = 0\right)\right]$
  Relevance indicators $(Y_i)_{i \in E}$: if i = r (final objective), then $Y_i = 1$, else
    $Y_i \equiv \left(\exists x \in E,\ (x,i) \in L \wedge Y_x = 1 \wedge S_x = 0\right) \vee \left(\exists y \in E,\ (i,y) \in T \wedge S_y = 0\right)$
  Detection status indicators $(D_i)_{i \in E}$: $\forall i \in B,\ D_i \equiv \left(Z_i^{X_i} \in D_i^{X_i}\right)$; $\forall j \in G,\ D_j \equiv \exists i \in sons(j)\ /\ D_i = 1$

Mathematical properties
Robustness
  Theorem 1: $(S_i)$, $(X_i)$, $(Y_i)$ and $(D_i)$ are computable whatever the BDMP structure
  Theorem 2: any BDMP, defined at time t by the modes and the $P_i$ states, is a valid homogeneous Markov process
Combinatory reduction by "relevant event filtering"
  After attack step P2, all the other Pi are not relevant anymore: nothing is changed for r if we inhibit them
  The number of sequences leading to the top objective is
    o n if we filter the relevant events ({P1,Q}, {P2,Q}, …)
    o exponential otherwise ({P1,Q}, {P1,P2,Q}, {P1,P3,Q}, …)
  Theorem 3: if the $P_i$ are such that (*) $\forall i \in B,\ \forall t,\ \forall t' \geq t,\ S_i(t) = 1 \Rightarrow S_i(t') = 1$, and detection aspects are not considered, then $\Pr(S_r(t) = 1)$ is unchanged whether irrelevant events ($Y_i = 0$) are trimmed or not
  (*) This is always the case in our framework
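To make the definitions above concrete, here is an added example (not code from the slides, nor from KB3/Figaro) of a toy BDMP engine: it implements the structure functions S_i for k-of-n gates, the process selectors X_i (with triggers) and the relevance indicators Y_i for AA leaves with exponential times to success, in the two-mode setting without detection. It enumerates the attack sequences leading to the top objective with and without relevance trimming, and estimates Pr(S_r(t) = 1) by Monte Carlo. The model is a constructed one that matches the slide's filtering example: r = AND(G, Q), G = OR(P1, …, Pn), and Q triggered by G; the rates (in 1/day) and the horizon are constructed too.

```python
"""Toy BDMP engine: k-of-n gates, triggers, AA leaves with exponential MTTS, relevance trimming."""
import math
import random
from dataclasses import dataclass


@dataclass
class BDMP:
    root: str
    gates: dict      # gate -> (k, [sons]); OR is k = 1, AND is k = len(sons)
    leaves: dict     # AA leaf -> lambda (1/day); MTTS = 1/lambda
    triggers: list   # [(origin, target)]: target becomes active once origin has succeeded

    def fathers(self, i):
        return [g for g, (_, sons) in self.gates.items() if i in sons]

    def S(self, i, done):
        """Structure function: a leaf is true once succeeded, a gate when >= k sons are true."""
        if i in self.leaves:
            return i in done
        k, sons = self.gates[i]
        return sum(self.S(s, done) for s in sons) >= k

    def X(self, i, done):
        """Process selector: active iff some father is active and no trigger origin is still false."""
        if i == self.root:
            return True
        if any(not self.S(o, done) for o, t in self.triggers if t == i):
            return False
        return any(self.X(f, done) for f in self.fathers(i))

    def Y(self, i, done):
        """Relevance: i matters if a relevant father is unsatisfied or i triggers an unsatisfied target."""
        if i == self.root:
            return True
        if any(not self.S(t, done) for o, t in self.triggers if o == i):
            return True
        return any(self.Y(f, done) and not self.S(f, done) for f in self.fathers(i))

    def fireable(self, done, trim):
        """Leaves whose process can produce the next success (relevant ones only if trim)."""
        return [l for l in self.leaves if l not in done and self.X(l, done)
                and (not trim or self.Y(l, done))]

    def sequences(self, trim, done=()):
        """All orders of leaf successes that end exactly when the top objective is reached."""
        if self.S(self.root, done):
            return [list(done)]
        out = []
        for l in self.fireable(done, trim):
            out += self.sequences(trim, done + (l,))
        return out

    def simulate(self, horizon, runs, trim, seed=1):
        """Monte Carlo estimate of Pr(S_r(horizon) = 1); exponential leaves race memorylessly."""
        rng, hits = random.Random(seed), 0
        for _ in range(runs):
            t, done = 0.0, ()
            while not self.S(self.root, done):
                cand = self.fireable(done, trim)
                if not cand:
                    break
                rates = [self.leaves[l] for l in cand]
                t += rng.expovariate(sum(rates))                # time to the next success
                done += (rng.choices(cand, weights=rates)[0],)  # which active leaf won the race
            if self.S(self.root, done) and t <= horizon:
                hits += 1
        return hits / runs


def chain_model(n, lam_p, lam_q):
    """Constructed model behind the slide: r = AND(G, Q), G = OR(P1..Pn), Q triggered by G."""
    ps = [f"P{i}" for i in range(1, n + 1)]
    leaves = {p: lam_p for p in ps}
    leaves["Q"] = lam_q
    return BDMP("r", {"r": (2, ["G", "Q"]), "G": (1, ps)}, leaves, [("G", "Q")])


def exact_top_probability(n, lam_p, lam_q, t):
    """Closed form for chain_model (n*lam_p != lam_q): time to r = Exp(n*lam_p) + Exp(lam_q)."""
    a, b = n * lam_p, lam_q
    return 1 - (b * math.exp(-a * t) - a * math.exp(-b * t)) / (b - a)


if __name__ == "__main__":
    m = chain_model(3, lam_p=0.5, lam_q=1.0)   # MTTS 2 days for each P_i, 1 day for Q
    print(len(m.sequences(trim=True)), "sequences with trimming,",
          len(m.sequences(trim=False)), "without")
    for trim in (True, False):
        print("trim" if trim else "no trim", round(m.simulate(2.0, 20000, trim), 3),
              "exact", round(exact_top_probability(3, 0.5, 1.0, 2.0), 3))
```

With three P leaves the enumeration yields 3 sequences when irrelevant leaves are trimmed and 15 otherwise (every ordered non-empty subset of the P's followed by Q), while the two Monte Carlo estimates agree with the closed form to within sampling error: once the OR is satisfied the remaining P's have Y_i = 0 and inhibiting them does not change when r is reached, which is what Theorem 3 states.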
Quantifications
Time-independent (static) – classical attack tree parameters
  Monetary cost: scenario cost, average attack cost
  Boolean indicators (specific requirements, properties)
  Minimum attacker skills
Time-domain analysis – leveraging the BDMP framework
  Quantification tools, algorithms and optimizations
  Efficient sequence exploration with trimming
  Probability to reach the objective in a given time
  Overall mean time to the attack success
  Probability of each explored sequence
  Ordered list of sequences
Another use-case
[Figure: BDMP with top objective "Password_found", an OR gate over Cracking_alternatives, Social_Engineering_Success and Keylogger_Success (the Password cracking, Social engineering and Keylogger branches). Nodes appearing in the figure: Cracking_alternatives, Password_attacks, Bruteforce, Dictionary, Guessing; Social_Eng_Phase, Social_engineering, Social_Engineering_Success, Generic_reconnaissance, Non_technical_alt, Non_technical_alt_success, Phone_trap_execution, Email_trap_execution, Crafted_attachement_opened, Emailed_file_execution, User_trapped; Keylogger_phase, Keylogger, Keylogger_Success, Keylogger_installation_alternatives, Remote, Remote_Phase, Remote_installation, Payload_crafting, Appropriate_payload, Physical, Physical_Phase, Physical_reconnaissance, Physical_installation, Keylogger_local_installation, Password_intercepted. Leaves are of the AA, TSE and ISE kinds.]
Another use-case – Example of parameterization
[Figure: the same BDMP annotated with leaf parameters. Rates used on the timed leaves: λ = 1.157×10⁻⁵ s⁻¹ (MTTS ~ a day), λ = 5.787×10⁻⁶ s⁻¹ (MTTS ~ 2 days), λ = 3.802×10⁻⁷ s⁻¹ (MTTS ~ a month), and λ = 0 on two leaves; durations of 2 days, 3 days and 5 days annotated on three leaves; ISE realization probabilities γ = 0.33 and γ = 0.1.]
Results
Overall probability of success in a week = 0.422 (MTTS = 22 days)
Ordered list of attack sequences (654 sequences)
Example of parameterization – With detection
[Figure: the same parameterized BDMP, with detection parameters (in orange) and reaction parameters (in red) added. Detection parameters: on two ISE leaves, γD/R = 0 with γD/NR = 0.5, and γD/R = 0.1 with γD/NR = 0.33 (detection probability given that the event is, respectively, realized or not realized); on timed leaves, λD(O) = 3.858×10⁻⁶ s⁻¹ (mean time to detection ~ 3 days), λD(O) = 3.472×10⁻⁵ s⁻¹ (~ 8 hours), and γD(F) = 0.1. Reaction parameters: λS/D = 5.787×10⁻⁶ s⁻¹ (MTTS ~ 2 days) on three leaves and λS/D = 2.893×10⁻⁶ s⁻¹ (MTTS ~ 4 days) on one.]
Results
Probability of success within a week = 0.364 (−14 %)
Explored sequences: 4231 (vs 654 without detection)
Recent enhancements & complementary tools
Sequence analysis
  Filtering by static/time-independent parameters, i.e. attacker profile
  Sequence presentation (visual conventions)
Sensitivity analysis
  Optimize security efforts
  Most "significant" leaves
  Iterated treatments
[Figure: sensitivity curves. Left: attack success probability (within a week), from 0.3 to 1.0, against λ0/λ (i.e. MTTS/MTTS0) from 0.0 to 2.0, for the leaves Keylogger local installation, Brute force, Payload crafting and Generic reconnaissance. Right: attack success probability (within a week), from 0.2 to 0.8, against γ from 0 to 1, for the leaves Appropriate payload and User trapped.]
A few words about the implementation
Leveraging of the KB3 platform (EDF)
  Used at EDF for dependability studies for more than 15 years
  Modularity thanks to "Knowledge Bases", written in Figaro
A dedicated security knowledge base: implementation was easy and fast (available on-line)
[Figure: tool chain. Graphical modeling by the analysts, using knowledge bases (incl. BDMP) → Figaro model (textual) → YAMS (Monte-Carlo simulation), Figseq (path exploration) or FigMAT-SF (matrix-based solving) → qualitative/quantitative results: ordered list of sequences, probability of attack success, mean durations, etc.]
(NB: software available on-line)
Perspectives and on-going work
Enhance usability
  Users' feedback, case-studies, tutorials
  Side-tools (sensitivity script HMI, etc.)
  Attack pattern library
Theoretical extensions
  Experiment with different probability distributions (e.g., McQueen et al.)
  Integration with Bayesian networks
  Many attack tree extensions could be adapted: intervals, fuzzy sets, OWA gates, game theory, etc.
  Uncertainty handling and propagation
Internal and external dissemination! (thanks)
Conclusion
Graphical security modeling: different balances between readability, scalability, modeling power and quantification capabilities
BDMP, an original and attractive trade-off
  With a sound theoretical framework
  Already an operational formalism
Limits
  Inherent limits of BDMP (e.g., with cyclic behaviors/loops)
  Stochastic modeling of attacker behavior relies on subjective probabilities
  More generally, security and quantitative assessments
A complementary tool for the security analyst
Some references
On BDMP & KB3
  M. Bouissou, J.L. Bon, "A new formalism that combines advantages of fault-trees and Markov models: Boolean logic Driven Markov Processes," Reliability Engineering and System Safety, Vol. 82, Issue 2, Nov. 2003, pp. 149-163
  M. Bouissou, "Automated Dependability Analysis of Complex Systems with the KB3 Workbench: the Experience of EDF R&D," Proceedings of CIEM 2005, Bucharest, Romania, Oct. 2005
  Marc Bouissou's homepage: http://marc.bouissou.free.fr/
On BDMP & Security
  L. Piètre-Cambacédès and M. Bouissou, "Attack and defense dynamic modeling with BDMP," in Proc. 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Networks Security (MMM-ACNS-2010), St Petersburg, Russia, Sept. 2010
  L. Piètre-Cambacédès, Y. Deflesselle and M. Bouissou, "Security modeling with BDMP: from theory to implementation," in Proc. 6th IEEE International Conference on Network and Information Systems Security (SAR-SSI 2011), La Rochelle, France, May 2011
  L. Piètre-Cambacédès and M. Bouissou, "Modeling safety and security interdependencies with BDMP (Boolean logic Driven Markov Processes)," Proc. IEEE International Conference on Systems, Man, and Cybernetics (SMC 2010), Istanbul, Turkey, Oct. 2010
  Ludovic Piètre-Cambacédès' homepage: http://perso.telecom-paristech.fr/~pietreca/
THANK YOU VERY MUCH!