[GI Sicherheit 2014] MOSES3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management

DESCRIPTION
My talk at the GI Sicherheit 2014 @ Vienna on our paper.

TRANSCRIPT
Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management
Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauß, Christian Stummer
SBA Research, Vienna University of Technology, University of Vienna, University of Bielefeld
March 21, 2014; Vienna, Austria
Funded by the Austrian Science Fund under project number P 23122-N23
Outline
- Introduction
- Framework: Knowledge base, Attack patterns, Simulation, Optimization, Decision support
- Example: Experimental setup, Results
- Conclusions
- Appendix

Introduction
Problem definition and approach
Objective: a framework that helps a decision maker choose an “optimal” set of security controls
Solution approach:
1. Model a) the IT infrastructure, b) attacks and controls, c) the attacker
2. Apply sets of security controls and simulate attacks
3. Optimize control sets w.r.t. multiple objectives
4. Support the decision maker in the selection of controls
Framework: Overview
(Figure: framework architecture.) Knowledge base (System Model, Attack and Control Model) -> Attack Pattern Linking -> Abstract Attack Graph -> Attack Scenario (Attacker model, Attacker objectives) -> Attack Simulation Engine -> Metaheuristic optimization over a control bit vector (e.g. 1 1 1 0 0 0 0 1 0 0 1 1), evaluated against the objectives Implementation cost, Running cost, Implementation time, Successful attacks, Detected attacks and Successful attack actions.
Knowledge base
- Captures abstract attack knowledge
- Describes controls and their impact on attacks
- Models the IT infrastructure
(Figure: an atomic attack action with its pre-conditions, post-conditions and condition properties.)
Brute force: Prolog rule formulation

Preconditions
% The action is applicable if the attacker has skill level >= 1, owns a host with
% RDP connectivity to the target, the target group has access to the target host,
% and the attacker is not already a member of that group.
action_bruteForce(Attacker, TargetHost, TargetGroup) :-
    technicalSkillLevel(Attacker, TechnicalSkillLevel),
    TechnicalSkillLevel >= 1,
    owned(Attacker, AttackHost),
    connected(AttackHost, TargetHost, rdpProtocol, rdpPort),
    accessHost(TargetGroup, TargetHost, _),
    not(inGroup(Attacker, TargetGroup)).

Postcondition
% On success the attacker becomes a member of the target group.
exec_success_action_bruteForce(Attacker, TargetHost, TargetGroup) :-
    assert(inGroup(Attacker, TargetGroup)).

Impact
action_impact(action_bruteForce, confidentiality).
% The impact of a successful action is the importance of the target group for the affected attribute.
impact_success_bruteForce(Attacker, TargetHost, TargetGroup, SecurityAttribute, Impact) :-
    importance(TargetGroup, SecurityAttribute, Impact).

Simulation attributes
/** cost, time, base probability, maxTries, simultaneous **/
action_properties(action_bruteForce, 0, 18000, 0.01, 0, true).
available_action(action_bruteForce).
Attacker, Control & Infrastructure Modelling

Attacker
/* Attacker Properties (attacker, timeBudget, monetaryBudget, weightCosts,
   weightDetection, weightSuccess, weightDistance, behavioralModelClassName,
   pBacktrackOnSuccessAndNewActions, pSiblingOnSuccessNoNewActions,
   pRetryFailedAction, pBacktrackOnFailure) */
attacker_properties(skilledExternal, 200000, 0, 0, 0.30, 0.40, 0.30,
    utilityDepthFirst, 0.1, 0.7, 0.5, 0.3).
technicalSkillLevel(skilledExternal, 2).

Control
available_control(control_av).
/****** Control Properties (abstractControl, ControlType, ControlVisible,
   ControlOutcome, ControlAggregationType, ControlResponseType, ControlDelay,
   CandidateAssetType, TargetAssetType) ******/
control_properties(control_av, preventive, false, null, min, null, 0, av, hostGroup).
action_has_control(action_CVE_2013_04_22, control_av).
action_has_control(action_emailBackdoor, control_av).

Infrastructure
available_asset_type(host).
host(workstation_host_1).
user(administrator).
userGroup(adminGroup).
inGroup(administrator, adminGroup).
access(adminGroup, workstation_host_1).
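The brute-force rule and the attacker, control and infrastructure facts above, restated as an added Python example (not code from the talk or from the MOSES3 implementation): facts are tuples in a set, the rule enumerates the bindings for which its preconditions hold, the post-condition mutates the fact base, and a preventive control prunes the actions it covers on the host groups it protects. The accessHost/3 predicate is read here as derived from the access/2 facts, and host-to-host-group membership (hostInGroup) is an assumed fact the slides do not show.

```python
# Added example, not the MOSES3 code: the slide's Prolog knowledge base as plain Python.
# Facts are tuples ("predicate", arg1, arg2, ...) in a set; None in a query is an unbound variable.

# Subset of attacker_properties/12 and technicalSkillLevel/2 from the slide
ATTACKERS = {"skilledExternal": {"timeBudget": 200000, "skill": 2}}

# action_properties(action_bruteForce, 0, 18000, 0.01, 0, true):
# cost, time, base probability, maxTries, simultaneous
ACTION_PROPERTIES = {"action_bruteForce": dict(cost=0, time=18000, p=0.01, maxTries=0, simultaneous=True)}

# control_av is preventive (control_properties/9) and covers these two actions
ACTION_HAS_CONTROL = {"action_CVE_2013_04_22": {"control_av"},
                      "action_emailBackdoor": {"control_av"}}


def build_facts():
    """The slide's infrastructure facts plus constructed attacker-side facts."""
    return {
        ("host", "workstation_host_1"), ("user", "administrator"),
        ("userGroup", "adminGroup"), ("inGroup", "administrator", "adminGroup"),
        ("access", "adminGroup", "workstation_host_1"),
        # constructed: the attacker owns a host with RDP connectivity to the workstation
        ("host", "attacker_host"), ("owned", "skilledExternal", "attacker_host"),
        ("connected", "attacker_host", "workstation_host_1", "rdpProtocol", "rdpPort"),
        # assumed fact: host-group membership, used to place controls of target type hostGroup
        ("hostInGroup", "workstation_host_1", "workstationHosts"),
        # importance(TargetGroup, SecurityAttribute, Impact), used by the impact rule
        ("importance", "adminGroup", "confidentiality", "high"),
    }


def query(facts, *pattern):
    """Yield every fact matching pattern; None acts like an unbound Prolog variable."""
    for fact in facts:
        if len(fact) == len(pattern) and all(p is None or p == v for p, v in zip(pattern, fact)):
            yield fact


def action_bruteForce(facts, attacker):
    """Preconditions of action_bruteForce/3: yields each (Attacker, TargetHost, TargetGroup) binding."""
    if ATTACKERS[attacker]["skill"] < 1:          # technicalSkillLevel(Attacker, L), L >= 1
        return
    for _, _, attack_host in query(facts, "owned", attacker, None):
        for _, _, target_host, _, _ in query(facts, "connected", attack_host, None, "rdpProtocol", "rdpPort"):
            for _, target_group, _ in query(facts, "access", None, target_host):  # accessHost/3 read as access/2
                if ("inGroup", attacker, target_group) not in facts:              # not(inGroup(Attacker, TargetGroup))
                    yield attacker, target_host, target_group


def exec_success_action_bruteForce(facts, attacker, target_host, target_group):
    """Post-condition: assert(inGroup(Attacker, TargetGroup))."""
    facts.add(("inGroup", attacker, target_group))


def impact_success_bruteForce(facts, target_group, attribute="confidentiality"):
    """impact_success_bruteForce/5: the impact is the importance of the target group for the attribute."""
    for _, _, _, impact in query(facts, "importance", target_group, attribute, None):
        return impact
    return None


def available_actions(actions, facts, target_host, controls_in_place):
    """A preventive control assigned to a host group removes the actions it covers on that group's hosts.
    controls_in_place is a set of (control, hostGroup) assignments, as in a control portfolio."""
    blocked = set()
    for _, _, group in query(facts, "hostInGroup", target_host, None):
        for action, controls in ACTION_HAS_CONTROL.items():
            if any((control, group) in controls_in_place for control in controls):
                blocked.add(action)
    return [a for a in actions if a not in blocked]


def run_scenario():
    """One brute-force step against the slide's workstation, before and after a control is placed."""
    facts = build_facts()
    before = list(action_bruteForce(facts, "skilledExternal"))
    attacker, host, group = before[0]
    exec_success_action_bruteForce(facts, attacker, host, group)
    after = list(action_bruteForce(facts, "skilledExternal"))      # []: the attacker is now in the group
    impact = impact_success_bruteForce(facts, group)                 # "high"
    actions = ["action_bruteForce", "action_emailBackdoor", "action_CVE_2013_04_22"]
    without_av = available_actions(actions, facts, host, set())
    with_av = available_actions(actions, facts, host, {("control_av", "workstationHosts")})
    return before, after, impact, without_av, with_av


if __name__ == "__main__":
    print(run_scenario())
```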
Attack patterns
(Figure: framework overview with the knowledge base part highlighted; the System Model and the Attack and Control Model feed Attack Pattern Linking.)
Attack pattern linking
(Figure, built up over five slides: attack patterns from the knowledge base are linked into the abstract attack graph.)
Simulation
(Figure: framework overview; the Attack Scenario, formed from the Abstract Attack Graph, the Attacker model and the Attacker objectives, is the input of the Attack Simulation Engine.)
Discrete Event Scheduling
(Figure, animated timeline starting at t=0.) Events of one attacker run: Action Selection -> Action Start -> Action Execution -> Action End -> Execution Result; then either the target is reached (Target Reached) or the next Action Selection is scheduled (Action Start, Action End, ...). A detective control adds the branch Action End -> Detection -> Response -> Attacker Stopped.
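The event pattern on the slide as an added Python example (not the MOSES3 engine, which is Java/Mason): a heap-ordered event queue drives Action Selection, Action Start, Action End, Execution Result and the Detection/Response branch for one attacker run, using the slide's action_properties fields (cost, time, base probability, maxTries) and the attacker's time budget. The per-attempt detection probability of a control, the requires/provides condition names and the first-applicable action choice (the real engine uses a utility-based behavioural model) are assumptions.

```python
# Added example, not the MOSES3 engine: discrete-event attack simulation in the slide's event pattern.
import heapq
import random
from dataclasses import dataclass, replace

@dataclass
class Action:
    name: str
    cost: float          # monetary cost per attempt
    time: float          # duration in seconds (the slide's bruteForce: 18000)
    p_success: float     # base probability of success
    max_tries: int       # 0 = unlimited (assumed reading of the slide's maxTries)
    provides: str        # post-condition gained on success (assumed simplification)
    requires: str = ""   # pre-condition that must already hold; "" = none

@dataclass
class DetectiveControl:
    name: str
    covers: frozenset    # names of the actions this control can detect
    p_detect: float      # detection probability per attempt (assumed parameter)
    delay: float         # ControlDelay: seconds between Action End and the response

@dataclass
class Attacker:
    name: str
    time_budget: float   # seconds, as in attacker_properties(skilledExternal, 200000, ...)
    target: str          # target condition the attacker pursues

def simulate(attacker, actions, controls, seed=0):
    """One replication. Returns counters, the terminal event and the trace (time, event, action)."""
    rng = random.Random(seed)
    queue, seq, end = [], 0, None
    achieved, tries = set(), {a.name: 0 for a in actions}
    st = {"trace": [], "cost": 0.0, "detected": 0, "end": None, "end_time": 0.0}

    def schedule(at, event, payload=None):
        nonlocal seq
        seq += 1                                   # FIFO order among same-time events
        heapq.heappush(queue, (at, seq, event, payload))

    schedule(0.0, "ActionSelection")
    while queue and end is None:
        t, _, event, payload = heapq.heappop(queue)
        st["end_time"] = t
        st["trace"].append((t, event, getattr(payload, "name", None)))
        if event == "ActionSelection":
            cands = [a for a in actions if a.provides not in achieved
                     and (a.requires == "" or a.requires in achieved)
                     and (a.max_tries == 0 or tries[a.name] < a.max_tries)]
            if cands:
                schedule(t, "ActionStart", cands[0])   # assumed: first applicable action
            else:
                end = "NoActionsLeft"
        elif event == "ActionStart":
            if t + payload.time > attacker.time_budget:
                end = "TimeBudgetExhausted"
            else:
                tries[payload.name] += 1
                st["cost"] += payload.cost
                schedule(t + payload.time, "ActionEnd", payload)
        elif event == "ActionEnd":
            success = rng.random() < payload.p_success
            schedule(t, "ExecutionResult", (payload, success))
            for c in controls:                     # detective controls respond after their delay
                if payload.name in c.covers and rng.random() < c.p_detect:
                    schedule(t + c.delay, "Detection", c)
        elif event == "ExecutionResult":
            action, success = payload
            if success:
                achieved.add(action.provides)
            if attacker.target in achieved:
                end = "TargetReached"
            else:
                schedule(t, "ActionSelection")
        elif event == "Detection":
            st["detected"] += 1
            schedule(t, "Response", payload)
        elif event == "Response":
            end = "AttackerStopped"
    st["end"] = end
    st["trace"].append((st["end_time"], end, None))
    return st

# Constructed scenario with deterministic probabilities so each run shows one slide outcome.
SPEARFISH = Action("spearfish", cost=50, time=600, p_success=1.0, max_tries=0, provides="workstationFoothold")
BRUTE_FORCE = Action("bruteForce", cost=0, time=18000, p_success=1.0, max_tries=0,
                     provides="adminGroup", requires="workstationFoothold")
ATTACKER = Attacker("skilledExternal", time_budget=200000, target="adminGroup")
IDS = DetectiveControl("ids1", frozenset({"spearfish"}), p_detect=1.0, delay=0)

def run_demo():
    """Target Reached, Detection -> Attacker Stopped, and maxTries exhausted with no actions left."""
    reached = simulate(ATTACKER, [SPEARFISH, BRUTE_FORCE], [])
    stopped = simulate(ATTACKER, [SPEARFISH, BRUTE_FORCE], [IDS])
    exhausted = simulate(ATTACKER, [SPEARFISH, replace(BRUTE_FORCE, p_success=0.0, max_tries=3)], [])
    return reached, stopped, exhausted
```

With real base probabilities (e.g. the slide's 0.01 for brute force) the same engine is run for many seeds, which is where the talk's 50 replications per control set come from.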
Optimization
(Figure: framework overview; the Attack Simulation Engine feeds the metaheuristic optimization step.)
Evaluation of control portfolios
(Figure: a genotype bit vector, e.g. 1 1 1 0 0 0 0 1 0 0 1 1, is decoded into a candidate control map; the MosesEvaluator initializes the system with those controls, the phenotype, and runs the simulation.)
- Genetic algorithm adapts the control set
- Performing multiple replications per control set
Decision support
(Figure: framework overview; the objective values of the evaluated control sets, i.e. Implementation cost, Running cost, Implementation time, Successful attacks, Detected attacks and Successful attack actions, are returned to the decision maker.)
Experimental setup: Scenario domain
(Figure: network and user model of the example scenario.)
- Internet: external attacker
- DMZ: dmz subnet user group (20)
- Clients: Client 1, Client 2, ... Client 30; workstation user group (30)
- Servers: DB servers DB1, DB2, DB3 with db admin group (3); file servers with file server admin group (2) and file server reader group (5); admin group (3)
- Internal attacker
- Controls: Antivirus, IDS, Security Training, Patch, Logging Policy, Code review (the figure gives the number of variants per control; the result charts label them AV1, AV2, IDS1, IDS2 and Training 1 to 3)
58 binary decision variables (> 10^17 control-asset assignments)
Adversary types

Adversary           time (mins)  wdet  wsuc  wdist  access
Employee            2500         0.45  0.25  0.3    workstations
Administrator       5000         0.5   0.2   0.3    all hosts
Skilled External    3333         0.3   0.4   0.3    -
Unskilled External  1667         0.3   0.4   0.3    -
APT                 ∞            0.5   0.2   0.3    -
(wdet, wsuc, wdist: the attacker's weights for detection, success and distance)

Available actions (based on skill level, access)
- Employee (skill: 0): shoulderSurfing
- Unskilled external (skill: 1): spearfish, sqlInjection, socialAttack, bruteForce, emailKeylogger, emailBackdoor
- Skilled external (skill: 2): + bufferOverflow, + directoryTraversal
- Admin (skill: 2): all of the above
- Advanced persistent threat (skill: 3): + zeroDay
Optimization objectives
1. Minimize cost of controls
2. Minimize target condition achievement
3. Maximize detection of attacks
4. Minimize confidentiality impact (L/M/H)
5. Minimize integrity impact (L/M/H)
6. Minimize availability impact (L/M/H)
L/M/H: low, medium, high in lexicographic order
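The genotype-to-phenotype decoding of the "Evaluation of control portfolios" slide and the six objectives above, as an added Python example (not the MOSES3 optimizer or its Opt4j evaluator): a bit vector is decoded into control-asset assignments, replicated simulation results are aggregated into the objective vector with the impacts as lexicographically ordered (high, medium, low) count tuples, and the non-dominated control sets are filtered out as the efficient solutions shown to the decision maker. The candidate assignments, the flat cost per assignment and the replication results are constructed.

```python
# Added example, not the MOSES3 optimizer: genotype decoding, the six objectives and the
# non-dominated control sets. Candidate assignments and replication results are constructed.

# Constructed subset of the talk's 58 control-asset decision variables
CANDIDATES = [(c, g) for c in ("av1", "ids1", "patchCVE_2013_04_22")
              for g in ("dmzHosts", "workstationHosts")] + [("securityTraining1", "workstationUserGroup")]
COST_PER_ASSIGNMENT = 10          # assumed flat implementation cost per assignment
LEVEL_INDEX = {"high": 0, "medium": 1, "low": 2}


def decode(genotype):
    """Genotype bit vector -> phenotype: the (control, asset) assignments switched on."""
    assert len(genotype) == len(CANDIDATES)
    return {CANDIDATES[i] for i, bit in enumerate(genotype) if bit}


def objectives(genotype, runs):
    """The slide's six objectives for one control set, all oriented for minimization.
    runs: one dict per replication with target_reached (0/1), detected (0/1) and
    impact: {security attribute: "high"/"medium"/"low"} for the attributes hit.
    Impacts become (high, medium, low) count tuples compared lexicographically, so a
    single high-impact outcome outweighs any number of medium ones."""
    n = len(runs)
    obj = [COST_PER_ASSIGNMENT * len(decode(genotype)),
           sum(r["target_reached"] for r in runs) / n,     # target condition achievement rate
           -sum(r["detected"] for r in runs) / n]          # maximize detection = minimize its negative
    for attr in ("confidentiality", "integrity", "availability"):
        counts = [0, 0, 0]
        for r in runs:
            if attr in r["impact"]:
                counts[LEVEL_INDEX[r["impact"][attr]]] += 1
        obj.append(tuple(counts))
    return tuple(obj)


def dominates(a, b):
    """a dominates b: no worse in every objective and strictly better in at least one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def pareto_front(evaluated):
    """evaluated: {genotype: objective vector}. Returns the non-dominated genotypes,
    i.e. the 'proposed efficient solutions' handed to the decision maker."""
    return {g for g, o in evaluated.items()
            if not any(dominates(o2, o) for g2, o2 in evaluated.items() if g2 != g)}


def runs(reached, detected, conf_levels):
    """Constructed replication results; conf_levels holds a confidentiality level or None per run."""
    return [{"target_reached": r, "detected": d, "impact": {} if lvl is None else {"confidentiality": lvl}}
            for r, d, lvl in zip(reached, detected, conf_levels)]


def run_demo():
    """Five constructed control sets over four replications each (the talk used 50)."""
    results = {
        (0, 0, 0, 0, 0, 0, 0): runs([1, 1, 1, 0], [0, 0, 0, 0], ["high", "high", "high", None]),
        (0, 0, 1, 0, 0, 0, 0): runs([1, 0, 0, 0], [0, 1, 1, 1], ["high", None, None, None]),
        (1, 0, 0, 0, 0, 0, 0): runs([1, 1, 0, 0], [0, 0, 0, 0], ["medium", "medium", None, None]),
        (0, 1, 0, 0, 0, 0, 0): runs([1, 1, 1, 0], [0, 0, 0, 0], ["high", "high", "high", None]),
        (1, 1, 1, 1, 1, 1, 1): runs([0, 0, 0, 0], [1, 1, 1, 1], [None, None, None, None]),
    }
    evaluated = {g: objectives(g, r) for g, r in results.items()}
    return pareto_front(evaluated), evaluated
```

The av1-on-dmzHosts set stays in the front although the ids1-on-dmzHosts set beats it on every numeric objective, because one high confidentiality impact ranks above two medium ones under the lexicographic ordering.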
Parameter settings
Simulation: 50 replications per control set
Optimization: 500 generations
- Population: α = 100 (population size), µ = 25 (number of parents per generation), λ = 25 (number of offspring per generation)
- Initialization: ~1 (all controls), ~0 (no controls), remaining random (i.e., each control included with p = 0.5)
- Selection: NSGA2, 2 tournaments
- Crossover: 2-point crossover @ rate 0.95
- Mutation: mixed permutation (insert, revert, swap), rate 1/n
Results
Full enumeration for this scenario would take about 10^9 years
Runtime (3 GHz Xeon, currently only a single core used): ~90 mins (admin) to ~50 hrs (APT)
Proposed efficient solutions:
- administrator: 2
- employee: 58
- unskilled external: 104
- skilled external: 306
- advanced persistent threat: 251
Example attack trace and result charts
(Figure residue; only the chart labels are kept here.) Columns: the control-asset assignments, i.e. av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1 on each of subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts, and securityTraining1, securityTraining2 and securityTraining3 on each of adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup (58 variables in total). Rows: Cost, Target condition reached, Detected attacks, and Confidentiality, Integrity and Availability impact, each split into high, medium and low. The results overview groups the rows by adversary (Employee, Unskilled External, Skilled External, APT) and the columns by control type (AV1, AV2, IDS1, IDS2, Patch, Log, Hardening, Code Review, Security Training 1 to 3).
Results: Overview
(Chart of the efficient solutions for all adversaries over the 58 control-asset assignments and the objectives; labels not reproduced.)
Results: Employee
(Chart; labels not reproduced.)
Results: Employee: no effective technical controls
(Chart; labels not reproduced.)
Results: Employee: security trainings are effective
(Chart; labels not reproduced.)
Results: Advanced persistent threat
(Chart; labels not reproduced.)
Results: Advanced persistent threat: wide range of effective controls
(Chart; labels not reproduced.)
Conclusions
Summary
- Simulation-based optimization framework that increases IT security in given IT infrastructures, with decision support
Q & A
Contact: [email protected]
Implementation
Knowledge base
- Initial experiments with OWL ontologies
- SWI-Prolog [1]: current rule-based implementation
- JPL [2]: Java access
Simulation
- Java 1.6
- Mason 14 [3]: discrete-event core
- Colt 1.2 [4]: random distributions
- Jung 2.0.1 [5]: graph structures and visualization
- Log4j, XStream, JUnit, Commons, ...
Optimization
- Opt4j 2.7 [6]: evolutionary computation framework
[1] http://www.swi-prolog.org
[2] http://www.swi-prolog.org/packages/jpl
[3] http://cs.gmu.edu/~eclab/projects/mason/
[4] http://acs.lbl.gov/software/colt/
[5] http://jung.sourceforge.net/
[6] http://opt4j.sourceforge.net/
Parameter settings
Simulation: 50 replications per control set
Optimization: 500 generations
- Population
  - α = 100 (population size)
  - µ = 25 (number of parents per generation)
  - λ = 25 (number of offspring per generation)
  - Initialization: $\vec{1}$ (all controls), $\vec{0}$ (no controls), remaining random (i.e., each control included with p = 0.5)
- Selection: NSGA2, 2 tournaments
- Crossover: 2-point crossover @ rate 0.95
- Mutation: mixed permutation (insert, revert, swap), rate 1/n
Behavioral model
Choice set (diagram labels): $p_{continueNew}$, $1 - p_{continueNew}$, $p_{retry}$, $1 - p_{retry}$
Action selection
Choice function: for all considered actions $a \in A$
1. Calculate distance in abstract graph: $d^{rel}_a \leftarrow \dfrac{d(a,t)}{\max(d(a,t)) + 1}$
2. Calculate weight: $W_a \leftarrow p_{suc}(a)^{w_{suc}} \, (1 - p_{det}(a))^{w_{det}} \, (1 - d^{rel}_a)^{w_{dist}}$
3. return weightedChoice$(A, W)$
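The choice function above, worked through as an added Python example (it is not the deck's Java/MASON implementation). The action values are constructed, and the reading of $w_{suc}$, $w_{det}$, $w_{dist}$ as attacker-profile preference exponents, the function names and the seeded choice are assumptions.

```python
# Added example: attacker action selection from the deck's behavioral model.
# For every considered action a in A:
#   1. d_rel(a) = d(a, t) / (max_a d(a, t) + 1)           relative distance to target t
#   2. W_a = p_suc(a)^w_suc * (1 - p_det(a))^w_det * (1 - d_rel(a))^w_dist
#   3. return weightedChoice(A, W)
# Assumption: w_suc, w_det, w_dist are the attacker profile's preference exponents.
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackAction:
    name: str
    p_suc: float  # p_suc(a): estimated success probability
    p_det: float  # p_det(a): estimated detection probability
    dist: int     # d(a, t): hops from this action to target t in the abstract attack graph

def relative_distances(actions):
    """Step 1: scale distances into [0, 1) so the nearest action keeps the largest (1 - d_rel)."""
    d_max = max(a.dist for a in actions)
    return {a.name: a.dist / (d_max + 1) for a in actions}

def action_weights(actions, w_suc=1.0, w_det=1.0, w_dist=1.0):
    """Step 2: un-normalised weight W_a per action."""
    d_rel = relative_distances(actions)
    return {a.name: a.p_suc ** w_suc * (1.0 - a.p_det) ** w_det * (1.0 - d_rel[a.name]) ** w_dist
            for a in actions}

def selection_probabilities(actions, w_suc=1.0, w_det=1.0, w_dist=1.0):
    """Probability with which weightedChoice picks each action (W normalised to sum 1)."""
    w = action_weights(actions, w_suc, w_det, w_dist)
    total = sum(w.values())
    return {name: value / total for name, value in w.items()}

def select_action(actions, w_suc=1.0, w_det=1.0, w_dist=1.0, seed=None):
    """Step 3: weightedChoice(A, W); seeding keeps a simulation replication reproducible."""
    w = action_weights(actions, w_suc, w_det, w_dist)
    names = list(w)
    return random.Random(seed).choices(names, weights=[w[n] for n in names], k=1)[0]

# Constructed choice set (hypothetical values, not from the paper) for a target on dbServerHosts.
CHOICE_SET = [AttackAction("compromise_dmz_host", p_suc=0.8, p_det=0.5, dist=2),
              AttackAction("pivot_to_db_server", p_suc=0.4, p_det=0.2, dist=1),
              AttackAction("read_target_data", p_suc=0.3, p_det=0.9, dist=0)]

if __name__ == "__main__":
    # A detection-averse attacker profile (w_det = 3) shifts mass towards the stealthy action.
    for w_det in (1.0, 3.0):
        print(w_det, selection_probabilities(CHOICE_SET, w_det=w_det))
```

Raising $w_{det}$ models the detection-averse profile: the stealthy action's share of the selection probability grows, which is the lever that makes logging and IDS controls pay off in the simulation.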
References I
S. Barnum and G. McGraw, "Knowledge for software security," IEEE Security & Privacy, vol. 3, no. 2, pp. 74–78, 2005.
S. Luke, C. Cioffi-Revilla, L. Panait, and K. Sullivan, "MASON: a new multi-agent simulation toolkit," in 2004 SwarmFest Workshop, 2004.
M. Lukasiewycz, M. Glass, and F. Reimann, "Opt4J documentation," 2012. [Online]. Available: http://opt4j.sourceforge.net/documentation/2.7/book.xhtml