Attack trees: Formalisms, Variants, and Applications Dr. Dan (DongSeong) Kim University of Canterbury, New Zealand [email protected]

Post on 17-Mar-2020

Page 1: Attack trees: Formalisms, Variants, and Applicationscloudsecurity.ece.duke.edu/.../files/u6/AttackTrees-DSK.pdf · 2013-09-17 · Attack trees: Formalisms, Variants, and Applications

Outline

• Attack trees formalisms

• Attack trees variants

• Attack trees representations

– Graphical

– Textual

• Applications of attack trees

Attack Trees Formalisms

Attack trees formalisms

• References

– Schneier, Dr. Dobb's Journal 99

– Moore, CMU TR 01

– Mauw, ICISC 04

– Ray, ESORICS 05

B. Schneier's paper

• No formalism was proposed

• Represented attack trees in a graphical/textual form using AND and/or OR nodes

• Showed different values can be assigned to the leaf nodes

– Boolean (P/I), continuous node values (cost, prob. of success of a given attack)

• A PGP (pretty good privacy) Example

Moore et al. paper

P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability, Technical Note, CMU/SEI-2001-TN-001, March 2001.

• Structure and semantics

Moore et al. paper

• Attack tree refinement

– Attack tree – AND, OR: formalism

– Attack pattern

• Defined as a generic representation of a deliberate, malicious attack that commonly occurs in specific contexts

– Attack profile contains

• A common reference model

• A set of variants

• A set of attack patterns

• A glossary of defined terms and phrases

– Attack library (attack forests)

• Provide a set of attack profiles

Moore et al. paper

• Applying attack patterns

Mauw paper

• Attack trees and attack suite (attack patterns, intrusion scenarios)

– Attack suite: combinations of attack components (nodes)

• An attack tree simply defines a collection of possible attacks

• Internal branching structure of an attack tree will not be expressed in the attack suite.

– Bundles

• Connections from a node to a multi-set of nodes

S. Mauw and M. Oostdijk. Foundations of attack trees. In Dongho Won and Seungjoo Kim, editors, International Conference on Information Security and Cryptology, LNCS 3935, pages 186-198, Seoul, Korea, December 2005. Springer-Verlag, Berlin.

Mauw paper

• Transformations

– Two structurally different attack trees may intuitively capture the same information.

– The difference in structuring can arise from a different approach towards partitioning the attacks

Mauw paper

• Projections

– By manipulating attack trees one can get answers to questions like

– “show all attacks that do not require special equipment”,

– or “which attacks incur a damage over 1000 US dollars?”

• Requires an attribute incurred damage and a predicate on its domain, $P(n) \equiv n > 1000$. Taking the projection of an attack suite boils down to selecting the attacks that satisfy the predicate.
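The attack suite, the equivalence of differently structured trees, and projection, as an added Python example that is not from the slides or from Mauw and Oostdijk's paper. The tree, the leaf names, the damage and equipment values, and the rule that an attack's damage is the sum over its components are assumptions made for illustration; AND/OR gates stand in for the paper's bundles.

```python
from collections import Counter
from itertools import product

# Constructed tree, not taken from the slides. A node is a leaf name (str)
# or a (gate, children) tuple with gate "AND" or "OR".
TREE = ("OR", [
    ("AND", ["steal laptop", "crack disk password"]),
    ("AND", ["phish credentials", "bypass second factor"]),
    "bribe administrator",
])

# Constructed leaf attributes: incurred damage in US dollars, and whether the
# step requires special equipment.
DAMAGE = {"steal laptop": 800, "crack disk password": 400,
          "phish credentials": 100, "bypass second factor": 300,
          "bribe administrator": 5000}
EQUIPMENT = {"steal laptop": False, "crack disk password": True,
             "phish credentials": False, "bypass second factor": False,
             "bribe administrator": False}


def attack_suite(node):
    """Flatten a tree into its attack suite: a set of attacks, each a
    multiset of leaves stored as a frozenset of (leaf, count) pairs."""
    if isinstance(node, str):
        return {frozenset({(node, 1)})}
    gate, children = node
    suites = [attack_suite(child) for child in children]
    if gate == "OR":          # any one child's attack achieves the goal
        return set().union(*suites)
    if gate == "AND":         # one attack from every child, merged
        merged_attacks = set()
        for combo in product(*suites):
            bag = Counter()
            for attack in combo:
                bag.update(dict(attack))
            merged_attacks.add(frozenset(bag.items()))
        return merged_attacks
    raise ValueError(f"unknown gate: {gate!r}")


def damage(attack):
    # Assumption: the damage of an attack is the sum over its components.
    return sum(DAMAGE[leaf] * count for leaf, count in attack)


def needs_equipment(attack):
    return any(EQUIPMENT[leaf] for leaf, _ in attack)


def project(suite, predicate):
    """Projection: keep only the attacks that satisfy the predicate."""
    return {attack for attack in suite if predicate(attack)}


def names(suite):
    """Readable, order-independent view of a suite for printing/comparing."""
    return sorted(sorted(leaf for leaf, _ in attack) for attack in suite)


# Two structurally different trees that describe the same attacks.
FACTORED = ("AND", ["a", ("OR", ["b", "c"])])
EXPANDED = ("OR", [("AND", ["a", "b"]), ("AND", ["a", "c"])])

if __name__ == "__main__":
    suite = attack_suite(TREE)
    print("all attacks:      ", names(suite))
    print("damage > 1000 USD:", names(project(suite, lambda a: damage(a) > 1000)))
    print("no equipment:     ", names(project(suite, lambda a: not needs_equipment(a))))
    print("same suite:       ", attack_suite(FACTORED) == attack_suite(EXPANDED))
```

The suite discards the tree's internal branching, which is why the factored and expanded trees compare equal.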

I. Ray paper

cf. components in Mauw

I. Ray and N. Poolsapassit, Using Attack Trees to Identify Attacks from Authorized Insiders, ESORICS 2005

I. Ray paper (cont.)

cf. attributes in Mauw

Attack tree variants

What variants?

• In terms of

– Input value (attributes, label)

– Output measures (projection)

– Representation of semantics and structure in graphical/textual ways

• AND, OR

• O-AND (Ordered AND)

• Sequential/parallel

• Conditional

Attack trees with dynamic gates

Input value

• Value can be codified in the leaf nodes

– Prob. of success of a given attack

– Conditional probability

– Impact (e.g., 0-10)

– Risk = Impact*prob. of success of a given attack.

– Cost (e.g., attack cost, security investment cost)

– Attacker skill (e.g., High/Medium/Low, …)

– Attack difficulty, e.g. 1-10

– Probability of getting caught

– Penalty

– Combined

Output measures

• They depend on the input values

– Probability of attack success

– Sum of cost

– Risk

– Vulnerability

– Survivability

– Others

• Covered in more detail under the applications of attack trees.
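How leaf values turn into output measures, as an added Python example that is not from the slides. The tree, its probabilities, costs and the impact score are constructed, and the gate rules are assumptions: leaves are independent, AND multiplies probabilities and sums costs, OR takes the complement product and the cheapest branch. Risk follows the slide's definition, impact times probability of success.

```python
from math import prod

# Constructed tree, not taken from the slides.
# Leaf: ("LEAF", name, probability_of_success, attacker_cost)
# Gate: ("AND" | "OR", [children])
TREE = ("OR", [
    ("AND", [("LEAF", "scan for open service", 0.9, 10),
             ("LEAF", "exploit unpatched service", 0.3, 200)]),
    ("AND", [("LEAF", "phish operator", 0.5, 50),
             ("LEAF", "reuse captured password", 0.6, 20)]),
])
IMPACT = 8  # constructed impact score on the 0-10 scale


def evaluate(node):
    """Propagate leaf values to the root.

    Returns (probability of success, minimum attacker cost, the leaves of
    the cheapest scenario that reaches this node's goal)."""
    kind = node[0]
    if kind == "LEAF":
        _, name, probability, cost = node
        return probability, cost, [name]
    results = [evaluate(child) for child in node[1]]
    if kind == "AND":
        # Every child must succeed: multiply probabilities, add up costs.
        probability = prod(r[0] for r in results)
        cost = sum(r[1] for r in results)
        scenario = [leaf for r in results for leaf in r[2]]
        return probability, cost, scenario
    if kind == "OR":
        # Any child suffices: fails only if all children fail; the
        # attacker's cheapest option is the lowest-cost child.
        probability = 1 - prod(1 - r[0] for r in results)
        cheapest = min(results, key=lambda r: r[1])
        return probability, cheapest[1], cheapest[2]
    raise ValueError(f"unknown node type: {kind!r}")


def risk(tree, impact):
    """Risk = Impact * probability of success, as defined on the slide."""
    return impact * evaluate(tree)[0]


if __name__ == "__main__":
    probability, cost, scenario = evaluate(TREE)
    print(f"probability of attack success: {probability:.3f}")
    print(f"minimum attacker cost:         {cost}")
    print(f"cheapest scenario:             {scenario}")
    print(f"risk:                          {risk(TREE, IMPACT):.3f}")
```

Raising the cost of a leaf on the cheapest scenario is the change that moves the minimum attacker cost, which makes the output useful for deciding where a countermeasure pays off first.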

Attack trees representations

Graphical Representation

• Structure and semantics

Schneier’s paper

Graphical Representation

– AND

– OR

P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability, Technical Note, CMU/SEI-2001-TN-001, March 2001.

Graphical Representation

A Practical Approach to Threat Modeling, TR, 2006

Graphical Representation

C. Fung, et al. Survivability Analysis of Distributed Systems using Attack Tree Methodology, MILCOM05

Graphical Representation

A. Jurgenson and J. Willemson, Processing Multi-parameter Attack trees with Estimated Parameter Values, Proc. IWSEC 2007

Graphical Representation

• COND (conditional) – Indicates that an agent may decide whether or not they want to achieve the goal.

– For the agent to traverse a COND node, two questions must be answered by the agent

• 1. Do I want to perform this action? => determined by a probability table based on the type of attacker.

• 2. Are the necessary preconditions met for me to take this action? => satisfied by a lookup in the agent's state table.

M. S. Lathrop, L. Hill, L. Surdu, Modeling Network Attacks, Proc. IAW 2002.

Graphical Representation

Z. Gan, J. Tang, P. Wu, and V. Varadharajan, A Novel Security Risk Evaluation for Information System, FCST 2007

– Extends the concept of the attack tree and introduces another relation, CAND (Conditional AND).

• The CAND relation between nodes represents that the upper goal is achieved if all subgoals are achieved under a certain condition.

Graphical Representation

S. Camtepe and B. Yener, Modeling and Detection of Complex Attacks, securecom07

– O-AND (Ordered-AND), cf. later sequential AND

– Combination of graph and fault tree (ftree)

Graphical Representation

S. Bistarelli, M. Dall’Aglio, and P. Peretti, Strategic Games on Attack Trees, FAST 2006

Defense tree, compare it with protection trees

ROI (return on investment)

ROA (return on attack)

Textual representation

Schneier’s paper

Textual representation

E. Park, J. Yun, H. In, Simulating Cyber intrusion using Ordered UML Model-based scenarios, AsiaSim04

• Sequential/parallel

– Sequential AND-OR : series

– Parallel AND-OR

Applications of Attack trees

Category of applications

• System level

– Host forensics

– Web Server

• Network level

– Intrusion Detection Systems

– DDoS attack

– BGP

– MANETs

– Wireless LAN

• Hybrid (system & network level)

– Survivability analysis

– Vulnerability analysis

– Risk analysis

• Applications

– E-voting

– Copyright Protection Protocols

– Attacks to user authentication

– Analyze security for online banking system

– Defense trees for economic evaluation of security investments

• Misc

– Network attack simulator

– Intrusion signature based on Honeypot

Log file investigation

N. Poolsapassit and I. Ray, Investigating Computer Attacks using Attack Trees, Chap. 23, Proc. of IP 2007

Web server hacking

T. Tidwell, R. Larson, K. Fitch, and J. Hale, Modeling Internet Attacks, WIAS 2001

DDoS attack and protection trees

Modeling and analysis of Attacks on MANET routing in AODV

P. Ebiner and T. Bucher, Modeling and Analysis of Attacks on the MANET routing in AODV, ADHOC-NOW 2006

Detect selfish nodes in MANETs

F. Kargl, A. Klenk, S. Schlott, and M. Weber, Advanced Detection of Selfish or Malicious Nodes in Ad Hoc Networks, ESAS 2004

Survivability (attack resiliency) Analysis

Generating intrusion scenarios -> cost (difficulty) -> min. difficulty == attack resiliency

Vulnerability analysis

J. Eom et al, Active Cyber Attack Model for Network System’s Vulnerability Assessment, Proc. ICISS 2008

Attack Damage Assessment (ADA) assesses how long the target system is interrupted by a DoS attack.

e-Voting system

A. Buldas and T. Magi, Practical Security Analysis of E-voting Systems. IWSEC07

Copyright Protection Protocol

M. Higuero et al, Application of ‘Attack Trees’ Techniques to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol), MIPS 2004.

Attacks to user authentication

Biometric User Authentication for IT Security: From Fundamentals to Handwriting, Fundamentals in User Authentication, chap 4.

Analyze security for online banking system

K. Edge, R. Raines, R. Bennington, and C. Reuter, The Use of Attack and Protection Trees to Analyze Security for an Online Banking System, HICSS 2007

Defense trees for economic evaluation of security investments

S. Bistarelli, F. Fioravanti, P. Peretti, Defense trees for economic evaluation of security investments, AReS 2006

A Network Security Simulator that uses attack trees

Simulation was done over 100,000 nodes.

Comparison

• Attack trees (Atree) vs. Fault trees (Ftree, in SHARPE)

– Atree parameters: Prob. of success of a given attack; Conditional probability; Impact (e.g., 0-10); Risk; Cost; Attacker skill; Attack difficulty, e.g. 1-10; Probability of getting caught; Penalty; Combined

– Ftree parameters: Failure rates; Prob. of failure; Weibull failure distribution; Hypoexponential distribution; Hyperexponential distribution; Mixture distribution; Defective distribution; Oneshot distribution; Binomial distribution

– Atree output: Cost to attacks; Risk; Vulnerability; Survivability (not T1A1); Intrusion scenarios

– Ftree output: Reliability; Unreliability; PQCDF (pq cumulative distribution f); Mincuts; MTTF; Variance

References

1. S. Bistarelli, M. Dall'Aglio, and P. Peretti, Strategic Games on Attack Trees, Proc. FAST 2006

2. S. Bistarelli, F. Fioravanti, P. Peretti, Defense trees for economic evaluation of security investments, Proc. AReS 2006

3. A. Buldas and T. Magi, Practical Security Analysis of E-voting Systems. Proc. IWSEC07

4. A. Buldas, P. Laud, J. Priisalu, M. Saarepera, J. Willemson, Rational Choice of Security Measures Via Multi-parameter Attack Trees, Proc. CRITIS 2006.

5. S. Camtepe and B. Yener, Modeling and Detection of Complex Attacks, Proc. securecom 2007

6. K. Daley, R. Larson, J. Dawkins, A Structural Framework for Modeling Multi-Stage Network Attacks, Proc. ICPPW 2002.

7. P. Ebiner and T. Bucher, Modeling and Analysis of Attacks on the MANET routing in AODV, Proc. ADHOC-NOW 2006

8. K. Edge, R. Raines, R. Bennington, and C. Reuter, The Use of Attack and Protection Trees to Analyze Security for an Online Banking System, Proc. HICSS 2007

9. J. Eom et al, Active Cyber Attack Model for Network System's Vulnerability Assessment, Proc. ICISS 2008

10. I. N. Fovino and M. Masera, Through the Description of Attacks: A Multidimensional View, SAFECOMP 2006.

11. C. Fung, et al. Survivability Analysis of Distributed Systems using Attack Tree Methodology, Proc. MILCOM 2005

12. M. Higuero et al, Application of 'Attack Trees' Techniques to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol), Proc. MIPS 2004.

13. S. Huang, Z. Li, L. Wang, Mining Attack Correlation Scenarios Based on Multi-agent System, Proc. HCII 207.

14. A. Jurgenson and J. Willemson, Processing Multi-parameter Attack trees with Estimated Parameter Values, Proc. IWSEC 2007

15. K. Juszczyszyn, N. T. Nguyen, G. Kolaczek, A. Grzech, A. Pieczynska, and R. Katarzyniak, Agent-Based Approach for Distributed Intrusion Detection System Design, Proc. of ICCS 2006.

16. F. Kargl, A. Klenk, S. Schlott, and M. Weber, Advanced Detection of Selfish or Malicious Nodes in Ad Hoc Networks, Proc. ESAS 2004

17. M. S. Lathrop, L. Hill, L. Surdu, Modeling Network Attacks, Proc. IAW 2002.

18. P. Moore, R. J. Ellison, R. C. Linger, Attack Modeling for Information Security and Survivability, Technical Note, CMU/SEI-2001-TN-001, March 2001.

19. S. Mauw and M. Oostdijk. Foundations of attack trees. Proc. ICICS 2005.

20. T. Olzak, A Practical Approach to Threat Modeling, TR, 2006

21. I. Ray and N. Poolsapassit, Using Attack Trees to Identify Attacks from Authorized Insiders, Proc. ESORICS 2005

22. E. Park, J. Yun, H. In, Simulating Cyber intrusion using Ordered UML Model-based scenarios, Proc. AsiaSim04

23. N. Poolsapassit and I. Ray, Investigating Computer Attacks using Attack Trees, Chap. 23, Proc. IP 2007

24. C.-W. Ten, C-C. Liu, M. Govindarasu, Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees, Proc. PESGM 2007.

25. T. Tidwell, R. Larson, K. Fitch, and J. Hale, Modeling Internet Attacks, Proc. WIAS 2001

26. C. Vielhauer, Biometric User Authentication for it Security: From Fundamentals to Handwriting, Chap 4.

27. P. Wu, and V. Varadharajan, A Novel Security Risk Evaluation for Information System, Proc. FCST 2007

28. R. R. Yager, OWA trees and their role in security modeling using attack trees, Information Science 176, pp.2933-2959, 2006.

29. Z. Zhang, P.-H. Ho, X. Lin, H. Shen, Janus: A Two-Sided Analytical Model for Multi-Stage Coordinated Attacks, Proc. ICISC 2006.

AttackTree+

• http://www.isograph-oftware.com/atpover.htm

– Indicator:

• Indicator name

• Indicator description

• minimum

• Maximum

• Default

• Logical expression – AND/OR

– Multiple indicators (combined) at a time

• Cost, equipment, probability, frequency

AttackTree+

• Consequence

– Financial

– Reputation

– Safety

– Political

– Environmental

– Operational

– Communications

– Security

– Other values

AttackTree+

• Event probability [0,1]

– Or Frequency of event

• Analysis

– Outcome

– Mini-cut set (display with different color, trace)