Mitigating Security Risks Through Attack Strategies Exploration

Abstract

Security assessment of organization’s information systems is becoming increasingly complex due to their growing sizes and underlying architectures, e.g., cloud. Analyzing potential attacks is a pragmatic approach that provides insightful information to achieve this purpose. In this work, we propose to synthesize defense configurations to counter sophisticated attack strategies minimizing resource usage while ensuring a high probability of success. For this, we combine Statistical Model Checking techniques with Genetic Algorithms. Experiments performed on real-life case studies show substantial improvements compared to existing techniques.

A Case Studies Description

In the following case study descriptions, attack actions are characterized by their lower (LB) and upper (UB) time bounds, the required resources (Cost) and their probability to succeed (Env). In the ADTs, attack actions are represented by ellipses and defense actions by rectangles.

1.1 A.1 An Organization System Attack (ORGA) [5]

See (Fig. 6).

Fig. 6.

ORGA case study description

1.2 A.2 Resetting a BGP Session (BGP) [3]

We constructed this case study based on [11], in which detection and mitigation events are attached with success probabilities (resp. \(P_D\) and \(P_M\)). We transpose these probabilities to the attack actions in a straightforward manner: the probability of an attack action to succeed is computed as the probability that all the implemented countermeasures set to block it, fail. For example, the attack action sa can be blocked by both defense actions au and rn. So, the probability of sa to succeed equals \(Env(sa) = (1-P_{D1}\times P_{M1})\times (1-P_{D2}\times P_{M2})\), where \(P_{D1}\), \(P_{D2}\), \(P_{M1}\) and \(P_{M2}\) are given in [11]. Note that, in our case, a pair of detection-mitigation events is combined is a single defense action. For example, \(P_{D1}\) and \(P_{M1}\) are merged into a defense au, and, \(P_{D2}\) and \(P_{M2}\) into the defense action rn. Also, the defense mechanisms are fixed before starting an analysis and have a probability 1 (Fig. 7).

Fig. 7.

Resetting a BGP session description

Fig. 8.

SCADA system description

Fig. 9.

A Malicious Insider attack (MI) description

1.3 A.3 Supervisory Control and Data Acquisition System (SCADA) [1]

Similarly to BGP, SCADA is inspired from [11]. This case study represents an example of how attack trees are used to answer the failure assessment problem where attack actions represent the possible hardware/software failures. Since we are interested to identify what an attacker can do to reach a malicious goal on a system, we then interpret these attack actions as an attacker trying to trigger a hardware/software failure. So, in addition to the transposition from probabilities of successful defenses to probabilities of successful attack actions, Env also scales with the probability of failures. For example, the probability of g1 to succeed, provided it is guarded by a defense rst1, is computed as: \(Env(g1) = P_{g1} \times (1- P_D \times P_M)\), where the probabilities of a failure of the controlling agent one \(P_{g1}\), the detection of its failure \(P_D\) and its restarting \(P_M\) are given in [11].

In Fig. 8a, the operator “2/3” is a shortcut designating the case where at least two events \(s_i\) and \(s_j\) occur, with \(i\ne j\). It is equivalent to the boolean expression \(\phi = (s1 \wedge s2)\vee (s1 \wedge s3)\vee (s2 \wedge s3)\).

1.4 A.4 A Malicious Insider Attack (MI) [2]

In what follows, we describe a Malicious Insider attack (MI). It is presented in [11] and is adapted to our context in a similar way to BGP (Fig. 9).