3. Why we need to use attack models in SIEM systems
• Figure out possible sequences of attacks, and preemptively identify the
security objectives that are most likely to be targeted by the attacker.
• Correlate sequences of alerts as they pertain to specific actions within
an attack model.
• Identify appropriate sets of countermeasures, that is, actions taken by
the system to subvert the ongoing sequence of attacker actions.
• Dynamically compute the impact of attacks and countermeasures: the
former when they violate the normal security policy, and the latter when
they modify the system configuration so that it no longer complies with
the default policy requirements.
[Nizar Kheir, Hervé Debar, et al.]
4. State-of-the-art in analytical attack modelling
• Representing attack scenarios and malefactors [Schneier, 1999;
Dawkins et al., 2002; Shepard et al., 2005; …]
• Specification of platforms, vulnerabilities, vulnerability scorings,
attacks, weaknesses and configurations [NVD; OSVDB; CVE;
CVSS; CPE; CCE; CWE; CAPEC; … ]
• Attack graphs [Ortalo et al., 1999; Ritchey&Ammann, 2000;
Sheyner et al., 2002; Rieke, 2004; Noel&Jajodia, 2005;
Lippmann&Ingols, 2006; …]
• Security metrics [Mell et al., 2007; Jaquith, 2007; Herrmann, 2007;
Jansen, 2009; …]
• Combining service dependency graphs with attack graphs [Kheir
et al., 2009; Kheir et al., 2010; …]
• Representing zero day attacks [Ingols et al., 2009; Wang et al.,
2010; …]
• Modelling of responses/countermeasures [Kheir et al., 2010; …]
5. Range of alternatives for attack modelling and simulation
[Figure: spectrum of approaches, ordered from desirable realism and accuracy
(but costly to build) at the top to significantly simplified assumptions at
the bottom]
• Real testbeds: CAIRN, Internet2, WAIL, PlanetLab, etc. (desirable realism
and accuracy, but costly to build)
• "Immersive" emulation testbeds: ModelNet, EmuLab, VINI, DETER, etc.
• Packet-level simulation tools: NS2, NS3, OMNeT++ INET Framework,
SSF Net, J-Sim, DaSSF, PDNS, GTNetS, etc.
• Analytical models (e.g. epidemic models, attack graphs, etc.)
(significantly simplified assumptions)
Testbeds and emulation support investigation of local interactions and
local realization of defense mechanisms; packet-level simulation and
analytical models support investigation of global interactions and global
realization of defense mechanisms.
6. Approach Description
• The approach to attack analysis uses two groups of techniques:
1. Analytical modelling based on generating multi-level (abstract and
detailed) attack graphs and service dependencies;
2. Fine-grained modelling and simulation based on dynamic imitation of
attack and response actions, mixing analytical modelling with
packet-based simulation.
• Analytical and fine-grained modelling and simulation are highly
beneficial for a deep understanding of network attacks and a prerequisite
for their prevention, detection and mitigation.
• The approach consists of using a multi-level model of attack scenarios
and service dependencies, together with attack modelling and simulation,
to determine a family of security metrics, comprehensively evaluate
responses, and generate attack and response impacts.
• An important issue is providing links with the Event and Information
Collection Architecture, Event-driven Process Models, Decision support,
reaction and countermeasures, and Integration, Repository and
Visualisation.
7. Common approach to analytical attack modelling
– Generating the common attack graph based on current
and possible vulnerabilities
– Determining the malefactors' current actions by correlating logs and
alerts, and generating attack (sub)graphs for the possible sequences of
malefactors' actions by modelling malefactor behaviour
– Modelling possible responses (countermeasures)
– Calculating the security metrics (attack and response impacts)
– Providing the risk analysis procedures
– Links with the Event and Information Collection Architecture,
Event-driven Process Models, Decision support, reaction and
countermeasures, and Integration, Repository and Visualisation
8. Key elements of architectural solutions
– Using a security repository (including system configuration, malefactor
models, vulnerabilities, attacks, scores, countermeasures, etc.)
– Effective attack tree generation techniques
– Taking into account both known attacks and new attacks based on
zero-day vulnerabilities
– Using anytime algorithms for near-real-time attack subgraph
(re)generation and analytical modelling
– Stochastic analytical modelling
– Combined use of attack graphs and service dependency graphs
– Calculating metrics of attacks and security countermeasures (including
attack impact, response efficiency, response collateral damage, attack
potentiality, attacker skill level, etc.)
– Interactive decision support to select security measures/tools: the
decision maker defines preferences regarding different types of
requirements (risks, costs, benefits) and sets trade-offs between several
high-level security objectives
10. Main components (1/3)
• User (Decision maker) interface provides the user (decision maker) with the
ability to control all components, set the needed input data, and inspect
results/reports.
• Network interface supports interaction with the external environment
(sending requests to external vulnerability databases for updates and
communicating with data sources).
• Generator of system and security policy specification converts the
information about network configuration and security policy received from
the collector or the user into the internal representation.
• Data controller detects incorrect or undefined data among the data that
the security evaluation requires.
• Data repository updater downloads the open databases, for example NVD
(National Vulnerability Database), CVE (Common Vulnerabilities and
Exposures), OSVDB (Open Source Vulnerability DataBase), CAPEC (Common
Attack Pattern Enumeration and Classification), Common Configuration
Enumeration (CCE) Reference Data and Common Weakness Enumeration (CWE)
data, and translates them into a database of attack actions.
11. Main components (2/3)
• Malefactor modeller determines a malefactor's individual characteristics:
skill level, initial position (insider/outsider, available points of entry,
etc.), actions/attacks already fulfilled (which can be inferred from events
and alerts) and knowledge about the analyzed network. The malefactor's
skill level defines the set of actions available to the malefactor and the
attack strategy.
• Attack graph generator builds attack graphs by modelling sequences of the
malefactor's attack actions in the analyzed computer network, using
information about available attack actions of different types, service
dependencies, network configuration and the security policy in use. Attack
graphs can represent complex multi-stage attack scenarios consisting of
various single-point attack actions.
• Generator of attack graphs based on zero-day vulnerabilities builds
attack traces that take into account the unknown vulnerabilities which
would be required to compromise network assets.
• Manager of service dependencies maintains the service dependencies used
for attack modelling and security evaluation.
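The attack graph generator, malefactor model and alert correlation of slides 7 and 11, as an added example that is not the project's own code. Every element is constructed for the illustration: the hosts, the reachability relation, the attack actions A1 to A5 with their required skill levels and assumed success probabilities, the flagged zero-day action A4, and the SIEM alerts. A privilege state maps host to level; an action is enabled when the malefactor has the skill, the required foothold and something to gain; the graph is the breadth-first expansion of states, and a route's potentiality is the product of its actions' success probabilities.

```python
"""Attack graph generation and alert correlation in the sense of slides 7
and 11.  Added illustration, not the project's code: the network, the attack
actions, their scores and the SIEM alerts are all constructed for the example
(hypothetical hosts and action identifiers, no real CVE numbers)."""
from collections import deque

# Hypothetical network layer: host -> hosts reachable from it.
REACH = {"internet": {"web"}, "web": {"app"}, "app": {"db"}, "db": set()}
LEVEL = {"none": 0, "user": 1, "root": 2}

# Hypothetical attack actions.  pre: privilege needed on the host itself
# ("network" = reachability is enough); post: privilege gained; skill: minimal
# malefactor skill level; p: assumed success probability (think of a CVSS
# exploitability sub-score mapped to [0, 1]); zero_day: in no public database.
ACTIONS = [
    {"id": "A1", "host": "web", "pre": "network", "post": "user", "skill": 1, "p": 0.9, "zero_day": False},
    {"id": "A2", "host": "web", "pre": "user",    "post": "root", "skill": 2, "p": 0.6, "zero_day": False},
    {"id": "A3", "host": "app", "pre": "network", "post": "root", "skill": 2, "p": 0.5, "zero_day": False},
    {"id": "A4", "host": "app", "pre": "network", "post": "root", "skill": 3, "p": 0.3, "zero_day": True},
    {"id": "A5", "host": "db",  "pre": "network", "post": "root", "skill": 1, "p": 0.8, "zero_day": False},
]
BY_ID = {a["id"]: a for a in ACTIONS}
OUTSIDER = {"internet": LEVEL["root"]}      # malefactor model: external attacker


def enabled(a, owned, skill, zero_day):
    """Pre-condition check of one attack action against the malefactor's
    current privileges (host -> level), skill level and zero-day assumption."""
    if (a["zero_day"] and not zero_day) or a["skill"] > skill:
        return False
    if owned.get(a["host"], 0) >= LEVEL[a["post"]]:
        return False                                 # nothing new to gain
    if a["pre"] == "network":
        return any(a["host"] in REACH[h] for h, lvl in owned.items() if lvl >= LEVEL["user"])
    return owned.get(a["host"], 0) >= LEVEL[a["pre"]]


def gain(a, owned):
    nxt = dict(owned)
    nxt[a["host"]] = LEVEL[a["post"]]
    return nxt


def attack_graph(owned, skill, zero_day=False):
    """Breadth-first expansion of privilege states (monotonic attacker).
    Returns the graph as edges (state, action id, next state)."""
    key = lambda o: tuple(sorted(o.items()))
    seen, edges, queue = {key(owned)}, [], deque([owned])
    while queue:
        cur = queue.popleft()
        for a in ACTIONS:
            if enabled(a, cur, skill, zero_day):
                nxt = gain(a, cur)
                edges.append((key(cur), a["id"], key(nxt)))
                if key(nxt) not in seen:
                    seen.add(key(nxt))
                    queue.append(nxt)
    return edges


def routes(owned, goal, skill, zero_day=False):
    """Minimal action sequences reaching goal=(host, privilege), each with its
    potentiality = product of the per-action success probabilities."""
    host, priv = goal
    if owned.get(host, 0) >= LEVEL[priv]:
        return [((), 1.0)]
    found = []
    for a in ACTIONS:
        if enabled(a, owned, skill, zero_day):
            for rest, p in routes(gain(a, owned), goal, skill, zero_day):
                found.append(((a["id"],) + rest, round(a["p"] * p, 4)))
    # drop routes that only add detours to a shorter route (superset of its actions)
    minimal = [r for r in found if not any(set(o[0]) < set(r[0]) for o in found)]
    return sorted(minimal, key=lambda r: (-r[1], r[0]))


def current_position(alerts, owned=OUTSIDER):
    """Correlate SIEM alerts (actions the malefactor has already fulfilled)
    into the present privilege state; an alert whose action has no satisfied
    pre-condition is ignored as inconsistent with the model."""
    for alert in alerts:
        a = BY_ID[alert["action"]]
        if enabled(a, owned, skill=3, zero_day=True):
            owned = gain(a, owned)
    return owned


# Constructed SIEM alerts: the outsider exploited A1 on web, then A3 on app.
ALERTS = [{"src": "203.0.113.7", "dst": "web", "action": "A1"},
          {"src": "web", "dst": "app", "action": "A3"}]

if __name__ == "__main__":
    print(len(attack_graph(OUTSIDER, skill=2)), "edges in the skill-2 attack graph")
    print(routes(OUTSIDER, ("db", "root"), skill=3, zero_day=True))
    now = current_position(ALERTS)
    print(now, routes(now, ("db", "root"), skill=2))
```

Raising the skill level or switching on the zero-day assumption enlarges the graph and adds the A4 route; correlating the two alerts moves the malefactor to user on web and root on app, after which only the single remaining action against db is left in the subgraph, which is the "current malefactor position" a SIEM would hand to the response selection.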
12. Main components (3/3)
• Security evaluator generates combined objects of the attack graphs and
service dependencies (routes, threats), calculates metrics of the combined
objects from the security metrics of the elementary objects, evaluates the
overall security level, compares the obtained results with the requirements,
finds "weak" places, and generates recommendations for strengthening the
security level.
• Analytical attack modeller performs stochastic imitation of multi-step
attacks against the analyzed network (by explicitly setting different tasks
for the Attack graph generator and the Security evaluator) and determines
the consequences with regard to the various countermeasures and criteria
defined by the decision maker.
• Module of interactive decision support allows decision makers to select
countermeasures by defining their preferences regarding different types of
requirements and setting trade-offs between objectives. Decision support can
include three phases: (1) setting feasible security solutions (security
measures/tools); (2) identification of efficient (Pareto-optimal) security
solutions; (3) selection (generation) of the final preferred solution.
• Reports generator shows vulnerabilities, represents "weak" places,
generates recommendations for strengthening the security level, etc.
• Data repository is a hybrid database, including an ontological
representation of the network configuration, hardware/software platform,
vulnerabilities, attacks, countermeasures, etc.
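The security evaluator and the three-phase decision support of slide 12 (and the attack impact, response collateral damage and trade-off metrics listed on slide 8), as an added example that is not the project's own code. The service dependency graph, service values, attack routes with their potentiality, and the four candidate countermeasures with their costs and side effects are all constructed for the illustration. Attack impact is propagated through the dependency graph, residual risk is potentiality times impact over the routes a countermeasure set does not cut, collateral damage is the impact of the services a response takes offline, and the decision maker's weights pick one solution from the Pareto front.

```python
"""Security evaluation and decision support in the sense of slides 8 and 12:
attack impact through service dependencies, response collateral damage, and
Pareto-optimal countermeasure selection.  Added illustration, not the
project's code; every service, value, route and countermeasure below is
constructed for the example."""
from itertools import combinations

# Service dependency graph: service -> services it depends on.
DEPENDS = {"shop": {"app", "payments"}, "payments": {"db"}, "app": {"db"}, "db": set()}
VALUE = {"shop": 100, "payments": 80, "app": 30, "db": 50}   # loss if unavailable

# Attack routes against the db asset, as an attack graph generator would emit
# them: (action sequence, potentiality).  A4 is an assumed zero-day on app.
ROUTES = [(("A1", "A3", "A5"), 0.36), (("A1", "A4", "A5"), 0.216)]
TARGET = "db"

# Candidate countermeasures: the actions they prevent, their cost, and the
# services they take offline while active (collateral damage).
COUNTERMEASURES = {
    "patch_web":   {"blocks": {"A1"},       "cost": 10, "disables": set()},
    "patch_app":   {"blocks": {"A3"},       "cost": 15, "disables": set()},
    "isolate_app": {"blocks": {"A3", "A4"}, "cost": 5,  "disables": {"app"}},
    "firewall_db": {"blocks": {"A5"},       "cost": 20, "disables": {"payments"}},
}


def affected(down):
    """Transitive closure over the dependency graph: every service depending
    directly or indirectly on a downed service is unavailable as well."""
    out = set(down)
    changed = True
    while changed:
        changed = False
        for svc, deps in DEPENDS.items():
            if svc not in out and deps & out:
                out.add(svc)
                changed = True
    return out


def impact(down):
    """Combined metric of a set of downed services from the elementary values."""
    return sum(VALUE[s] for s in affected(down))


def residual_risk(selected):
    """Potentiality-weighted attack impact over the routes that survive the
    selected countermeasures (a route is cut if any of its actions is blocked)."""
    blocked = set().union(*(COUNTERMEASURES[c]["blocks"] for c in selected))
    return sum(p * impact({TARGET}) for acts, p in ROUTES if not blocked & set(acts))


def evaluate(selected):
    cost = sum(COUNTERMEASURES[c]["cost"] for c in selected)
    collateral = impact(set().union(*(COUNTERMEASURES[c]["disables"] for c in selected)))
    return {"set": tuple(sorted(selected)), "risk": round(residual_risk(selected), 2),
            "cost": cost, "collateral": collateral}


def pareto_front(candidates):
    """Phase 2: keep the solutions not dominated on (risk, cost, collateral)."""
    keys = ("risk", "cost", "collateral")

    def dominates(a, b):
        return all(a[k] <= b[k] for k in keys) and any(a[k] < b[k] for k in keys)

    return [c for c in candidates if not any(dominates(o, c) for o in candidates)]


def decide(weights):
    """Phases 1-3: enumerate the feasible countermeasure sets, take the Pareto
    front, then pick the member minimising the decision maker's weighted sum."""
    feasible = [evaluate(s) for r in range(len(COUNTERMEASURES) + 1)
                for s in combinations(COUNTERMEASURES, r)]
    front = pareto_front(feasible)
    score = lambda c: sum(weights[k] * c[k] for k in weights)
    return front, min(front, key=lambda c: (score(c), c["set"]))


if __name__ == "__main__":
    front, best = decide({"risk": 1, "cost": 1, "collateral": 1})
    print("Pareto front:", [c["set"] for c in front])
    print("preferred with equal weights:", best)
    print("preferred when cost weighs 3x and collateral is ignored:",
          decide({"risk": 1, "cost": 3, "collateral": 0})[1]["set"])
```

The front keeps doing nothing (no cost, full risk), patching web (cuts both routes for 10) and isolating app (cheaper, but the shop depends on app, so its unavailability counts as collateral damage); which of the last two wins depends only on the decision maker's weights, which is the trade-off the slide describes.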
13. Main Components of Simulation Environment
• Simulation Framework is a discrete-event simulator. It can make use of
various domain-oriented discrete-event simulation software tools and
software libraries.
• Environment Simulation Framework is a suite of simulation modules that
allows realistic imitation of the environment for interaction. This
component implements the models of the communication environment and
transport protocols.
• Component-based Framework is a library that defines the basic
components (agents), implemented as applications.
• Subject Domain Library is the library that contains modules for
imitation of attack and response processes. Libraries for different
domains are supposed to be implemented and used.
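A minimal version of the simulation environment on slide 13 (and the stochastic, dynamic imitation of attack and response actions mentioned on slides 6 and 8), as an added example that is not the project's framework. The discrete-event engine is a time-ordered callback queue; the attacker and defender are the agents of the component-based framework; the route, durations, success and detection probabilities and the isolation response are the subject-domain modules, all with assumed values constructed for the example. The random source is injected so that a run can be made deterministic or repeated as a Monte Carlo estimate.

```python
"""Discrete-event imitation of a multi-step attack and the defender's
response, in the spirit of the simulation environment on slide 13.  Added
illustration, not the project's framework: hosts, durations, probabilities
and the response policy are assumed values constructed for the example."""
import heapq
import random

# Hypothetical attack route: (action id, host attacked, duration, success prob).
ROUTE = [("A1", "web", 2.0, 0.9), ("A3", "app", 2.0, 0.5), ("A5", "db", 2.0, 0.8)]
DETECT_P = 0.7        # per-attempt probability that the sensor raises an alert
MAX_TRIES = 3         # attacker gives up an action after this many failures


class Simulator:
    """Minimal discrete-event engine: a time-ordered queue of callbacks."""
    def __init__(self, rng):
        self.now, self.rng, self.queue, self.log, self._seq = 0.0, rng, [], [], 0

    def schedule(self, delay, fn, *args):
        self._seq += 1                        # tie-breaker keeps ordering deterministic
        heapq.heappush(self.queue, (self.now + delay, self._seq, fn, args))

    def run(self, until=1e9):
        while self.queue and self.queue[0][0] <= until:
            self.now, _, fn, args = heapq.heappop(self.queue)
            fn(*args)
        return self.log


class Attacker:
    """Agent executing the route step by step; each step takes time and
    succeeds with its probability.  Owned hosts form the path back out."""
    def __init__(self, sim, route, defender):
        self.sim, self.route, self.defender = sim, route, defender
        self.owned, self.compromised_at, self.tries = [], None, 0

    def attempt(self, i):
        aid = self.route[i][0]
        self.sim.log.append((self.sim.now, "attempt", aid))
        self.sim.schedule(self.route[i][2], self.finish, i)

    def finish(self, i):
        aid, host, _, p = self.route[i]
        sim = self.sim
        self.defender.observe(aid, host)                   # sensor sees the attempt
        if any(h in self.defender.isolated for h in self.owned):
            sim.log.append((sim.now, "cut_off", aid))      # pivot host isolated
            return
        if sim.rng() < p:
            self.owned.append(host)
            self.tries = 0
            sim.log.append((sim.now, "success", aid))
            if i + 1 == len(self.route):
                self.compromised_at = sim.now
            else:
                self.attempt(i + 1)
        else:
            self.tries += 1
            sim.log.append((sim.now, "failed", aid))
            if self.tries < MAX_TRIES:
                self.attempt(i)


class Defender:
    """Sensor plus response: a detected action leads, after response_delay,
    to the attacked host being isolated from the network."""
    def __init__(self, sim, response_delay):
        self.sim, self.delay, self.isolated = sim, response_delay, set()

    def observe(self, aid, host):
        if self.sim.rng() < DETECT_P:
            self.sim.log.append((self.sim.now, "alert", aid))
            self.sim.schedule(self.delay, self.respond, host)

    def respond(self, host):
        self.isolated.add(host)
        self.sim.log.append((self.sim.now, "isolated", host))


def run_scenario(rng, response_delay):
    """One run; returns (time of final compromise or None, event log)."""
    sim = Simulator(rng)
    defender = Defender(sim, response_delay)
    attacker = Attacker(sim, ROUTE, defender)
    sim.schedule(0.0, attacker.attempt, 0)
    log = sim.run()
    return attacker.compromised_at, log


def compromise_rate(runs, response_delay, seed=1):
    """Monte Carlo estimate of the probability that the route succeeds
    against a defender with the given response delay."""
    rng = random.Random(seed).random
    hits = sum(run_scenario(rng, response_delay)[0] is not None for _ in range(runs))
    return hits / runs


if __name__ == "__main__":
    for delay in (3.0, 5.0):
        print(f"response delay {delay}: compromise rate {compromise_rate(1000, delay):.2f}")
```

With a response delay shorter than the remaining attack steps the isolation of the first compromised host cuts the attacker off before the final action completes; with a longer delay the same route succeeds, which is the response-efficiency question that the analytical model can only answer with simplified assumptions.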