Simulation-based optimization of IT security controls
Initial experiences with meta-heuristic solution procedures
Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauß, Christian Stummer
14th EU/ME Workshop, February 28 – March 1, 2013; Hamburg, Germany
Funded by the Austrian Science Fund under project number P 23122-N23

Agenda
- Introduction
- Framework: Overview, Knowledge base, Attack patterns, Simulation, Optimization
- Example scenarios: Simple, Advanced
- Conclusions

Introduction: Current IT security management challenges
- Information systems are growing ever more complex
- Today's serious threats are not opportunistic, but
  - deliberate, targeted attacks
  - that exploit multiple attack vectors: software vulnerabilities, network vulnerabilities, insider knowledge and access, social engineering techniques, ...
- Human threat agents are heterogeneous: hacktivists, script kiddies, insiders, advanced persistent threats ...
→ "secure against whom?"

Introduction: Core ideas
Security:
- is meaningless without defining "against whom"
- is the result of the combined effect of all implemented security controls
- involves tradeoffs between multiple monetary and non-monetary criteria
No universally "best" solution: highly context-dependent, decisions must consider
1. "system" characteristics (physical and IT infrastructure, people etc.)
2. the threat model
3. available resources
4. decision-makers' risk preferences

Framework: Overview
Objective: choose an "optimal" set of security controls
Approach:
1. Model
   - abstract causal structures (attack actions)
   - attack agent behavior
   - context (assets, employees ...)
2. Apply control sets and simulate attacks
3. Identify efficient sets of controls through multi-criteria optimization

Framework: Overview (architecture diagram)
Components, in the order the framework builds them up: Knowledge base (Attack and Control Model, System Model) → Attack Pattern Linking → Attack Scenario (Attacker model, Abstract Attack Graph, Attacker objectives) → Attack Simulation Engine → Metaheuristic optimization over a binary control vector (e.g. 1 1 1 0 0 0 0 1 0 0 1 1).
Objectives shown in the diagram: Implementation cost, Running cost, Implementation time, Successful attacks, Successful attack actions, Detected attacks.

Framework: Knowledge base
- Abstract attack knowledge (causal structure) + system structure knowledge
- Initial experiments with OWL ontologies
- Current rule-based implementation: SWI-Prolog [1]
[1] http://www.swi-prolog.org/man/clpfd.html

Framework: Attack pattern linking (diagram slide; the figure itself is not recoverable from the text)

Simulation: Discrete Event Scheduling
Event flow (diagram): at t=0 an Action Selection schedules an Action Start Event; Action Execution ends with an Action End Event whose Execution Result feeds the next Action Selection, and so on (Action Start Event → Action End Event → ...). An Action End Event can raise a Target Reached Event (attacker objective met) or a Detection Event, which triggers a Response and an Attacker Stopped Event.

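To make the event flow on this slide concrete, here is an added Python example; it is not code from the authors' framework (which uses SWI-Prolog and Opt4j). Actions, preconditions, success probabilities, durations and the three hypothetical controls are constructed for the illustration, and the "drill-down" decision model is approximated by a uniformly random choice among the actions currently enabled by the attacker's state. The returned counters are aggregated into the three simulation-based objectives used later for the simple scenario (successful attack actions ratio, target condition reached average, share of undetected detectable attack actions).

```python
import heapq
import random

# Constructed abstract attack actions: preconditions the attacker must already
# hold, the condition gained on success, base success probability, duration in
# minutes, and whether the action leaves traces a detection control can see.
ACTIONS = {
    "phish_employee":   dict(pre=set(), gain="client_access", p=0.60, dur=30, detectable=True),
    "exploit_client":   dict(pre=set(), gain="client_access", p=0.40, dur=20, detectable=True),
    "dump_credentials": dict(pre={"client_access"}, gain="db_credentials", p=0.50, dur=15, detectable=False),
    "query_database":   dict(pre={"db_credentials"}, gain="data1_access", p=0.90, dur=10, detectable=True),
}
TARGET = "data1_access"  # attacker objective (as in the simple scenario: access Data1 on DB1)

# Hypothetical controls: per-action success-probability overrides, or detection parameters.
CONTROL_EFFECTS = {
    "patch":    {"exploit_client": 0.05},
    "training": {"phish_employee": 0.25},
    "ids":      {"p_detect": 0.7, "response_delay": 5},
}


def run_attack(controls, seed, max_time=24 * 60):
    """One replication; returns the counters the objectives are computed from."""
    rng = random.Random(seed)
    ids = CONTROL_EFFECTS["ids"] if "ids" in controls else None
    state = set()                      # conditions the attacker currently holds
    stats = dict(actions=0, successful=0, detectable=0, undetected=0,
                 target_reached=False, stopped=False)
    events, seq = [], 0                # event list ordered by (time, sequence number)

    def schedule(t, kind, payload=None):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, payload))
        seq += 1

    schedule(0, "select")              # t=0: first action selection
    while events:
        t, _, kind, payload = heapq.heappop(events)
        if t > max_time or stats["stopped"] or stats["target_reached"]:
            break
        if kind == "select":           # random drill-down over enabled actions
            enabled = [a for a, d in ACTIONS.items() if d["pre"] <= state and d["gain"] not in state]
            if not enabled:
                break
            schedule(t, "start", rng.choice(enabled))
        elif kind == "start":          # action start event -> execution -> action end event
            schedule(t + ACTIONS[payload]["dur"], "end", payload)
        elif kind == "end":            # execution result
            d = ACTIONS[payload]
            p = d["p"]
            for c in controls:         # active controls override the base probability
                p = CONTROL_EFFECTS.get(c, {}).get(payload, p)
            stats["actions"] += 1
            if rng.random() < p:
                stats["successful"] += 1
                state.add(d["gain"])
            if d["detectable"]:
                stats["detectable"] += 1
                if ids and rng.random() < ids["p_detect"]:
                    schedule(t + ids["response_delay"], "detect")  # detection event, response pending
                else:
                    stats["undetected"] += 1
            schedule(t, "target" if TARGET in state else "select")
        elif kind == "target":         # target reached event
            stats["target_reached"] = True
        elif kind == "detect":         # response -> attacker stopped event
            stats["stopped"] = True
    return stats


def evaluate(controls, replications=50, seed=0):
    """Average the per-run counters into the three simulation objectives (all minimised)."""
    runs = [run_attack(controls, seed + i) for i in range(replications)]
    actions = sum(r["actions"] for r in runs)
    detectable = sum(r["detectable"] for r in runs)
    return {
        "successful_attack_actions_ratio": sum(r["successful"] for r in runs) / max(actions, 1),
        "target_condition_reached_average": sum(r["target_reached"] for r in runs) / replications,
        "undetected_detectable_share": sum(r["undetected"] for r in runs) / max(detectable, 1),
    }


if __name__ == "__main__":
    for portfolio in [set(), {"ids"}, {"patch", "training", "ids"}]:
        print(sorted(portfolio), evaluate(portfolio))
```

The response delay matters: a detection raised by the final action still fires after the Target Reached Event, so an IDS alone lowers the undetected share but does not prevent every successful run, which is why the objectives are evaluated as a vector rather than collapsed into one number.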
Simulation: Example attack sequence (diagram slide; the sequence itself is not recoverable from the text)

Optimization: Opt4j-based implementation
Class diagram: the Optimizer uses an Operator, which varies Genotypes; a Creator creates Genotypes; a Decoder decodes a Genotype into a Phenotype; an Evaluator evaluates the Phenotype into Objectives; an Individual contains Genotype, Phenotype and Objectives; Population and Archive contain Individuals and are updated by the Optimizer.
Source: adapted from ?

Optimization: Opt4j-based implementation (specialised classes)
The same class diagram instantiated for the framework: the Genotype is a CandidateControlMapGenotype (the binary control selection), created by CandidateControlMapGenotypeCreator and decoded by CandidateControlMapGenotypeDecoder into an InitializedSystemPhenotype, which MosesEvaluator evaluates into the Objectives.

Optimization: Evaluation of candidate control portfolios
CandidateControlMapGenotype (binary control vector, e.g. 1 1 1 0 0 0 0 1 0 0 1 1) → InitializedSystemPhenotype → MosesEvaluator
- Probabilistic: requires many replications per candidate control set
- Currently reduced to a deterministic problem using expected/median/worst case values etc.

Simple Scenario: Domain
Diagram elements: External network (Internet, Attacker, Attack client); Workstations Client-1, Client-2, Client-3 with employees Emp-1 to Emp-4 (Client-2 is used by Emp-2); Database servers DB1 and DB2 holding Data1 and Data2; Users & Groups (Administrators, Users).

Simple Scenario: Domain with candidate controls
Same diagram with the candidate controls: Antivirus-1 (AV1), Antivirus-2 (AV2), Intrusion-detection-system-1 (IDS1), Intrusion-detection-system-2 (IDS2), Security-Training (T), Patch-CVE_04_22 (P).

Simple Scenario: Decision variables and objectives
Decision space: 12 binary variables
Objectives:
1. Cost (MIN)
2. Successful attack actions ratio (MIN)
3. Target condition reached average (MIN)
4. Share of undetected detectable attack actions (MIN)
Attacker objective: access Data1 on DB1

Simple scenario: Algorithms and parameter settings
Simulation parameters
- 50 replications per candidate set
- Random "drill-down" decision model
Optimization parameters (NSGA2 and SPEA2)
- Generations: 100
- Population size (α): 100
- Number of parents per generation (μ): 25
- Number of offspring per generation (λ): 25
- Crossover: rate 0.95, single crossover point
- Mutation: constant rate 0.05

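The settings above are Opt4j's evolutionary-algorithm parameters. To show what they mean for the 12-bit control genotype, here is an added Python example, not the authors' code: a simplified (μ+λ) evolutionary loop with α = 100, μ = 25, λ = 25, single-point crossover at rate 0.95 and bit-flip mutation at rate 0.05. It replaces the simulation with a constructed surrogate evaluator (invented control costs and risk-reduction factors) and selects by plain non-dominated sorting, without NSGA2's crowding distance or SPEA2's strength fitness, so it illustrates the encoding and operators, not the two algorithms themselves.

```python
import random

N_CONTROLS = 12  # decision space: 12 binary variables, one per candidate control

# Constructed surrogate evaluator standing in for the attack simulation: each
# control has an implementation cost and multiplies the attacker's success
# probability by (1 - effect). Values are invented for the example.
COST = [3.2, 1.5, 4.0, 2.1, 0.8, 5.5, 1.2, 2.7, 3.9, 0.6, 1.9, 2.4]
EFFECT = [0.30, 0.10, 0.35, 0.20, 0.05, 0.45, 0.08, 0.25, 0.30, 0.04, 0.15, 0.20]


def evaluate(genotype):
    """Objective vector (cost, residual attack success probability), both minimised."""
    cost = sum(c for c, x in zip(COST, genotype) if x)
    residual = 1.0
    for e, x in zip(EFFECT, genotype):
        if x:
            residual *= 1.0 - e
    return (cost, residual)


def dominates(a, b):
    """a Pareto-dominates b: no worse in every objective and strictly better in one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def rank_fronts(objs):
    """Fast non-dominated sorting; returns {index: rank} with 0 = first front."""
    n = len(objs)
    dominated_by = [0] * n
    dominated = [[] for _ in range(n)]
    for i in range(n):
        for j in range(n):
            if i != j and dominates(objs[i], objs[j]):
                dominated[i].append(j)
                dominated_by[j] += 1
    rank, r = {}, 0
    front = [i for i in range(n) if dominated_by[i] == 0]
    while front:
        nxt = []
        for i in front:
            rank[i] = r
            for j in dominated[i]:
                dominated_by[j] -= 1
                if dominated_by[j] == 0:
                    nxt.append(j)
        front, r = nxt, r + 1
    return rank


def single_point_crossover(p1, p2, rng):
    cut = rng.randrange(1, N_CONTROLS)
    return p1[:cut] + p2[cut:], p2[:cut] + p1[cut:]


def mutate(g, rng, rate):
    return [1 - x if rng.random() < rate else x for x in g]


def optimise(generations=100, alpha=100, mu=25, lam=25,
             crossover_rate=0.95, mutation_rate=0.05, seed=0):
    """Simplified (mu+lambda) loop; returns the non-dominated archive sorted by cost."""
    rng = random.Random(seed)
    population = [[rng.randrange(2) for _ in range(N_CONTROLS)] for _ in range(alpha)]

    def truncate(pool, size):  # rank-based truncation selection, random within a rank
        rank = rank_fronts([evaluate(g) for g in pool])
        order = sorted(range(len(pool)), key=lambda i: (rank[i], rng.random()))
        return [pool[i] for i in order[:size]]

    for _ in range(generations):
        parents = truncate(population, mu)
        offspring = []
        while len(offspring) < lam:
            p1, p2 = rng.sample(parents, 2)
            c1, c2 = single_point_crossover(p1, p2, rng) if rng.random() < crossover_rate else (p1[:], p2[:])
            offspring += [mutate(c1, rng, mutation_rate), mutate(c2, rng, mutation_rate)]
        population = truncate(population + offspring[:lam], alpha)

    objs = [evaluate(g) for g in population]
    rank = rank_fronts(objs)
    archive = {tuple(g): objs[i] for i, g in enumerate(population) if rank[i] == 0}
    return sorted(archive.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for genotype, (cost, residual) in optimise():
        print("".join(map(str, genotype)), f"cost={cost:.1f} residual={residual:.3f}")
```

With two objectives the archive printed at the end is a monotone trade-off curve: every additional unit of cost buys a strictly lower residual success probability, which is the shape a decision-maker reads off before applying risk preferences.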
Initial Results: Simple scenario
Runtime (search space: 2^12)
- per replication: ≥ 25 ms (3 GHz DualCore Xeon)
- per evaluation: ≥ 1,250 ms (50 replications)
- total: CE: 183 min, NSGA2: 61 min, SPEA2: 70 min
Efficient solutions: (plot not recoverable from the text)

Initial Results: Simple scenario
$Q_4(A) = \frac{1}{|CE|} \sum_{r \in CE} \min_{z \in A} D(z, r)$
(average, over the reference solutions r of the complete-enumeration set CE, of the distance D from r to the nearest solution z of the approximation set A)

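As an added Python example, not the authors' code, that serves both the "Evaluation of candidate control portfolios" slide and the Q4 indicator above: per-replication objective vectors for four constructed candidate control sets are collapsed to expected, median or worst-case values, the efficient (non-dominated) set is extracted from the resulting deterministic problem, and Q4 is computed against that set. The candidate ids, the replication values and the use of Euclidean distance for D are assumptions made for the example; the slide does not specify D.

```python
import statistics
from math import dist

# Constructed per-replication results for four candidate control sets (ids are the
# genotype bits of four hypothetical controls). Each row is one replication:
# (cost, successful attack actions ratio, target condition reached,
#  share of undetected detectable attack actions). Cost does not vary between runs.
REPLICATIONS = {
    "0000": [(0.0, 0.80, 1, 1.0), (0.0, 0.75, 1, 1.0), (0.0, 0.90, 1, 1.0), (0.0, 0.70, 1, 1.0), (0.0, 0.85, 1, 1.0)],
    "1000": [(5.0, 0.40, 1, 0.3), (5.0, 0.35, 0, 0.2), (5.0, 0.50, 1, 0.4), (5.0, 0.30, 0, 0.3), (5.0, 0.45, 0, 0.2)],
    "0100": [(7.0, 0.30, 0, 1.0), (7.0, 0.20, 0, 1.0), (7.0, 0.55, 1, 1.0), (7.0, 0.15, 0, 1.0), (7.0, 0.05, 0, 1.0)],
    "1100": [(12.0, 0.10, 0, 0.1), (12.0, 0.05, 0, 0.0), (12.0, 0.15, 0, 0.1), (12.0, 0.10, 0, 0.2), (12.0, 0.05, 0, 0.0)],
}

REDUCERS = {
    "expected": statistics.fmean,
    "median": statistics.median,
    "worst": max,   # every objective is minimised, so the worst case is the maximum
}


def reduce_replications(rows, how="expected"):
    """Collapse the replication rows of one candidate into a deterministic objective vector."""
    f = REDUCERS[how]
    return tuple(f(col) for col in zip(*rows))


def dominates(a, b):
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def efficient_set(objectives):
    """Ids of the non-dominated candidates in a {id: objective vector} mapping."""
    return {i for i, v in objectives.items()
            if not any(dominates(w, v) for j, w in objectives.items() if j != i)}


def efficient_objectives(how="expected"):
    """Reduce every candidate with the chosen rule and keep only the efficient ones."""
    objs = {i: reduce_replications(rows, how) for i, rows in REPLICATIONS.items()}
    return {i: objs[i] for i in efficient_set(objs)}


def q4(approximation, reference, distance=dist):
    """Q4(A) = 1/|CE| * sum over r in CE of min over z in A of D(z, r)."""
    if not approximation or not reference:
        raise ValueError("both the approximation set A and the reference set CE must be non-empty")
    return sum(min(distance(z, r) for z in approximation) for r in reference) / len(reference)


if __name__ == "__main__":
    for how in REDUCERS:
        print(how, sorted(efficient_objectives(how)))
    ce = list(efficient_objectives("expected").values())
    print("Q4 of CE against itself:", q4(ce, ce))
    print("Q4 of the two cheapest/most expensive candidates:", q4([ce[0], ce[-1]], ce))
```

Candidate "0100" is efficient under expected values but dominated by "1000" under worst-case values (one bad replication lifts its worst successful-actions ratio above "1000"'s), which is the practical consequence of the reduction choice flagged on the evaluation slide: the reduction rule is part of the problem definition, not a detail of the solver.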
Simple scenario: Example efficient solution
Applied controls marked on the domain diagram: T, T, P, IDS2, AV1, IDS1
Cost: 22.400
Successful attack actions ratio: 0.000558
Target condition reached average: 0.018519
Share of undetected detectable attack actions: 0.083333

Advanced Scenario: Domain
Diagram elements: External network (Internet, Attacker, Attack client); Clients: workstation hosts (30), workstation user group (30); Subnet1: subnet1 user group (20); Servers: DMZ hosts (5), DB servers (5) holding Data1, Data2, Data3, file servers (5); Users & Groups: file server admin group (2), admin group (3), db admin group (3), file server reader group (5).

Advanced Scenario: Domain with candidate controls
Same diagram with the candidate controls: Antivirus 1, Antivirus 2, Intrusion detection system 1, Intrusion detection system 2, Security Training, Patch CVE_2013_04_22 (P), Logging Policy. The numeric markers showing where controls are applied are not recoverable from the text.

Advanced Scenario: Algorithms and parameter settings
Simulation parameters
- 50 replications per candidate set
- Random "drill-down" decision model
Optimization parameters (NSGA2 and SPEA2)
- Generations: 400
- Population size (α): 100
- Number of parents per generation (μ): 25
- Number of offspring per generation (λ): 25
- Crossover: rate 0.95, single crossover point
- Mutation: constant rate 0.05

Initial Results: Advanced scenario
Runtime
- per replication: ≥ 30 ms (3 GHz DualCore Xeon)
- total: ≥ 4:30 h
Proposed efficient solutions: (plot not recoverable from the text)

Advanced Scenario: Example efficient solution
Applied controls are marked on the domain diagram (instances of Antivirus, Intrusion detection system, Security Training, Patch CVE_2013_04_22 and Logging Policy); the placement markers are not recoverable from the text.
Cost: 15.330
Successful attack actions ratio: 0.0185
Target condition reached average: 0.0
Share of undetected detectable attack actions: 0.0093

Conclusions: Outlook
Current research challenges
- Simulation: cognitive and behavioral model
- Optimization:
  - computational cost for individual portfolio evaluations
  - uncertainty of simulation
  - thorough testing of optimization algorithms (more algorithms, performance measures across multiple runs, multiple problem instances etc.)
Ideas for future work
- Probabilistic dominance concepts?
- Assign replications non-uniformly?
- Control selection → system design (very large design space + constraints)

Q & A
Contact: [email protected]