NETWORK DEFENCE USING ATTACKER-DEFENDER INTERACTION MODELLING
Wednesday 22nd June, 2016
Jana Medková, Pavel Čeleda
Research Problem: Automated selection of response actions

- Cyber attacks grow both in number and speed
- Network security still lacks an efficient attack response system capable of running autonomously
- Cyber attack and defence is very complex:
  - We are always uncertain about the state of the network
  - We don't know the attacker's objectives and previous actions (or whether he is an attacker at all)
  - The number of attack vectors is ever growing

Network Defence Using Interaction Modelling, Page 2 / 12
Attack Response

(Diagram) A security event enters the response loop, which draws on logs, history and knowledge and ends in a reconfiguration of the network. The loop follows the Observe, Orient, Decide, Act cycle. The tooling shown alongside it is an IDS, a SIEM and SDN; the remaining stage, Decide, is marked with a "?" as the open problem this work addresses.
Research Goal: Utilizing a model of interaction between an attacker and a defender to create a more refined network defence strategy

- Select the response based on received security events and knowledge of the network
- Include the attacker's motivation in the decision process
Research Topics: Research Question I
How can we model the interaction between an attacker and a defender?

Research areas
- Modelling the interaction between an attacker and a defender:
  - model the interaction
  - reasonable input parameters
  - optimal actions for defender and attacker
  - computational feasibility for large networks
Research Topics: Research Question II
How can we use the model to form a network defence strategy?

Research areas
- Network defence strategy:
  - response action based on observed security alerts
  - unknown state of the network
  - unknown objective and past actions of an attacker
- Strategy verification:
  - KYPO - cloud-based testbed for simulation of cyber attacks
Research Topics: Research Question III
Can human instinct and experience be included in the defence strategy?

Research areas
- How can the response selection benefit from human input?
  - what in the model or strategy can be made more accurate
- Merging human intuition into the decision output:
  - how can we make it more accurate
Proposed Approach: Modelling the interaction between an attacker and a defender

- Game theory toolset:
  - use an existing or modified model
  - optimal attacker's and defender's strategy
- Estimating model parameters:
  - formal network description: the topology of the network; the hosts and services present in the network; the required levels of confidentiality, availability and integrity; interdependence of services
  - formal description of attacks and responses
Proposed Approach: Network defence strategy

- Maintain beliefs to manage uncertainty about:
  - the current state of the network
  - the attacker's past actions
  - the attacker's objective
- Precomputed optimal responses:
  - best response action in a given situation
Proposed Approach: Strategy verification

- Cloud-based testbed for simulating cyber attacks
- Computer Security Incident Response Team (CSIRT) training exercises

Adding human intuition to the decision output
- Black-Litterman model from economics
- Formal description of human input
- Updating beliefs based on the input
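The belief maintenance on the "Network defence strategy" slide and the belief update from human input on this slide, as an added Python illustration (not the authors' model or any KYPO code): a belief over the attacker's objective is updated with Bayes' rule on each observed alert, optionally blended with an analyst's view weighted by a confidence value (a simple stand-in for the Black-Litterman idea, assumed here), and the response with the highest expected defender utility is chosen. All alert types, objectives, responses and the numbers in the tables are constructed for the example.

```python
"""Belief-based response selection: an added illustration, not the authors' model.
Alert types, objectives, responses and all table values are constructed."""

OBJECTIVES = ("benign", "exfiltration", "disruption")
RESPONSES = ("monitor", "rate_limit", "isolate_host")
# Prior belief over the attacker's objective before any alert (constructed).
PRIOR = {"benign": 0.90, "exfiltration": 0.05, "disruption": 0.05}
# P(alert | objective): constructed likelihood table for each alert type.
LIKELIHOOD = {
    "port_scan":      {"benign": 0.10, "exfiltration": 0.40, "disruption": 0.50},
    "large_outbound": {"benign": 0.15, "exfiltration": 0.75, "disruption": 0.10},
    "syn_flood":      {"benign": 0.02, "exfiltration": 0.08, "disruption": 0.90},
}
# Defender utility of each response under each objective (constructed):
# heavy responses cost us when the host is benign, light ones fail against attacks.
UTILITY = {
    "monitor":      {"benign": 1.0,  "exfiltration": -8.0, "disruption": -6.0},
    "rate_limit":   {"benign": -1.0, "exfiltration": -4.0, "disruption": 2.0},
    "isolate_host": {"benign": -5.0, "exfiltration": 5.0,  "disruption": 1.0},
}

def normalise(belief):
    total = sum(belief.values())
    return {obj: p / total for obj, p in belief.items()}

def update_belief(belief, alert):
    """Bayes rule: posterior is proportional to prior times P(alert | objective)."""
    return normalise({obj: belief[obj] * LIKELIHOOD[alert][obj] for obj in OBJECTIVES})

def blend_analyst_view(belief, view, confidence):
    """Mix the model's belief with an analyst's view; confidence in [0, 1] weights the view."""
    return normalise({obj: (1 - confidence) * belief[obj] + confidence * view[obj]
                      for obj in OBJECTIVES})

def expected_utility(belief, response):
    return sum(belief[obj] * UTILITY[response][obj] for obj in OBJECTIVES)

def best_response(belief):
    """Best response for the current belief; a deployed system would precompute this table."""
    return max(RESPONSES, key=lambda r: expected_utility(belief, r))

def decide(alerts, view=None, confidence=0.0):
    """Run the loop: update on each alert, optionally blend analyst input, pick a response."""
    belief = dict(PRIOR)
    for alert in alerts:
        belief = update_belief(belief, alert)
    if view is not None:
        belief = blend_analyst_view(belief, view, confidence)
    return belief, best_response(belief)
```

With the constructed tables a lone port scan only earns rate limiting, a scan followed by a large outbound transfer tips the belief towards exfiltration and isolates the host, and an analyst view that the scan is benign pulls the decision back to monitoring.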
Summary

- Network security requires an efficient autonomous system which would select a response action based on observed security events
- Currently, automated network defence systems react only in unambiguous situations, and the rest of the events must be investigated by security experts
- We propose to model the interaction between an attacker and a defender to comprehend how the attacker's goals affect his actions, and to use the model as a basis for a more refined network defence strategy
THANK YOU FOR YOUR ATTENTION!
Jana Medková