Simulation-based optimization of IT security controls · hacktivists, script kiddies, insiders,...

Simulation-based optimization of IT security controls: Initial experiences with meta-heuristic solution procedures. Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauß, Christian Stummer. 14th EU/ME Workshop, February 28 – March 1, 2013; Hamburg, Germany. Funded by the Austrian Science Fund under project number P 23122-N23.

Transcript of Simulation-based optimization of IT security controls · hacktivists, script kiddies, insiders,...

Page 1: Title

Simulation-based optimization of IT security controls

Initial experiences with meta-heuristic solution procedures

Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauß, Christian Stummer

14th EU/ME Workshop, February 28 – March 1, 2013; Hamburg, Germany

Funded by the Austrian Science Fund under project number P 23122-N23

Page 2: Agenda

- Introduction
- Framework
  - Overview
  - Knowledge base
  - Attack patterns
  - Simulation
  - Optimization
- Example scenarios
  - Simple
  - Advanced
- Conclusions

Page 3: Introduction: Current IT security management challenges

- Information systems are growing ever more complex
- Today's serious threats are not opportunistic, but
  - deliberate, targeted attacks
  - that exploit multiple attack vectors
    - software vulnerabilities
    - network vulnerabilities
    - insider knowledge and access
    - social engineering techniques
    - ...
- Human threat agents are heterogeneous: hacktivists, script kiddies, insiders, advanced persistent threats ...

→ "secure against whom?"


Page 7: Introduction: Core ideas

Security:
- is meaningless without defining "against whom"
- is the result of the combined effect of all implemented security controls
- involves tradeoffs between multiple monetary and non-monetary criteria

No universally "best" solution: highly context-dependent, decisions must consider
1. "system" characteristics (physical and IT infrastructure, people etc.)
2. the threat model
3. available resources
4. decision-makers' risk preferences


Page 9: Framework: Overview

Objective: choose an "optimal" set of security controls

Approach:
1. Model
   - abstract causal structures (attack actions)
   - attack agent behavior
   - context (assets, employees ...)
2. Apply control sets and simulate attacks
3. Identify efficient sets of controls through multi-criteria optimization

Page 10: Framework: Overview

[Figure: framework architecture. Components shown: Knowledge base (Attack and Control Model, System Model); Attack Pattern Linking; Attack Scenario (Attacker model, Abstract Attack Graph, Attacker objectives); Attack Simulation Engine; Metaheuristic optimization over a binary control vector (shown as 1 1 1 0 0 0 0 1 0 0 1 1). Objectives listed: implementation cost, running cost, implementation time, successful attacks, successful attack actions, detected attacks.]


Page 12: Framework: Knowledge base

- Abstract attack knowledge (causal structure) + system structure knowledge
- Initial experiments with OWL ontologies
- Current rule-based implementation: SWI-Prolog [1]

[1] http://www.swi-prolog.org/man/clpfd.html

Page 13: Framework: Knowledge base

[Figure: knowledge base; no text recovered.]

Page 14: Framework: Overview

[Figure: the knowledge-base part of the framework overview: Knowledge base (Attack and Control Model, System Model) and Attack Pattern Linking.]

Pages 15 to 19: Framework: Attack pattern linking

[Figure sequence: attack pattern linking, built up over five slides; no text recovered.]

Pages 20 to 22: Framework: Overview

[Figure: framework overview repeated over three slides, showing the Attack Scenario (Attacker model, Abstract Attack Graph, Attacker objectives), its inputs from Attack Pattern Linking and the Knowledge base (Attack and Control Model, System Model), and the Attack Simulation Engine.]

Pages 23 to 26: Simulation: Discrete Event Scheduling

[Figure, built up over four slides: event timeline starting at t=0. Labels in the order shown: Action Selection, Action Start Event, Action Execution, Action End Event, Execution Result, Action Selection, Action Start Event, Action End Event, ... ; a Target Reached Event follows an Action End Event; a Detection Event leads to a Response and an Attacker Stopped Event.]

Page 27: Simulation: Example attack sequence

[Figure: example attack sequence; no text recovered.]

Pages 28 to 30: Framework: Overview

[Figure: framework overview repeated over three slides (same components as page 10), now adding the Metaheuristic optimization loop over the binary control vector (1 1 1 0 0 0 0 1 0 0 1 1) and its objectives: implementation cost, running cost, implementation time, successful attacks, successful attack actions, detected attacks.]

Pages 31 to 32: Optimization: Opt4j-based implementation

[Figure: Opt4j class diagram. Optimizer uses Operator, which varies the Genotype; Creator creates the Genotype; Decoder decodes Genotype to Phenotype; Evaluator evaluates the Phenotype into Objectives; Individual contains Genotype, Phenotype and Objectives; Population and Archive contain Individuals and are updated by the Optimizer. Page 32 shows the framework's own classes in these roles: CandidateControlMapGenotype, CandidateControlMapGenotypeCreator, CandidateControlMapGenotypeDecoder, InitializedSystemPhenotype, MosesEvaluator.]

Source: adapted from ?

Page 33: Optimization: Evaluation of candidate control portfolios

[Figure: CandidateControlMapGenotype (binary vector, shown as 1 1 1 0 0 0 0 1 0 0 1 1) → InitializedSystemPhenotype → MosesEvaluator]

- Probabilistic, requires many replications per candidate control set
- Currently reduced to a deterministic problem using expected/median/worst case values etc.

Pages 34 to 36: Simple Scenario: Domain

[Figure: system model. External network: Attacker, Internet, Attack client. Workstations: Client-1, Client-2 (Emp-2), Client-3; employees Emp-1 to Emp-4. Database servers: DB1 (Data1), DB2 (Data2). Users & Groups: Administrators, Users. Candidate controls added on pages 35 and 36: Antivirus-1 (AV1), Antivirus-2 (AV2), Intrusion detection system-1 (IDS1), Intrusion detection system-2 (IDS2), Security Training (T), Patch CVE_04_22 (P).]

Page 37: Simple Scenario: Decision variables and objectives

Decision space: 12 binary variables

Objectives:
1. Cost (MIN)
2. Successful attack actions ratio (MIN)
3. Target condition reached average (MIN)
4. Share of undetected detectable attack actions (MIN)

Attacker objective: access Data1 on DB1
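As an added example (not code from the authors' framework), the discrete-event loop of pages 23 to 26 and the replication-based evaluator of page 33, producing the four objectives listed on this slide as expected values over 50 replications. The attack actions, their success and detection probabilities, and the control costs are constructed assumptions, not values from the presentation.

```python
import heapq
import random
from dataclasses import dataclass
from statistics import mean

TARGET = "access_data1_on_db1"   # attacker objective of the simple scenario
DETECT_P = 0.4                    # assumed: chance a deployed detecting control fires
BLOCK_FACTOR = 0.5                # assumed: success multiplier per deployed blocking control


@dataclass(frozen=True)
class Action:
    name: str
    requires: frozenset     # attacker states needed before the action is enabled
    grants: str             # attacker state gained on success
    duration: float         # simulated execution time
    base_success: float     # success probability with no controls deployed
    blocked_by: frozenset   # controls that lower the success probability
    detected_by: frozenset  # controls that may raise a Detection Event during execution


# Constructed attack actions (assumption, not the presentation's attack patterns):
# two alternative footholds on Client-1, then a pivot to DB1, which is the target.
ACTIONS = [
    Action("phish_emp1", frozenset(), "foothold_client1", 2.0, 0.7,
           frozenset({"T"}), frozenset({"IDS1"})),
    Action("exploit_cve_on_client1", frozenset(), "foothold_client1", 3.0, 0.6,
           frozenset({"P", "AV1"}), frozenset({"IDS1"})),
    Action("pivot_to_db1", frozenset({"foothold_client1"}), TARGET, 1.5, 0.8,
           frozenset({"AV2"}), frozenset({"IDS2"})),
]
CONTROL_COST = {"AV1": 4.0, "AV2": 4.0, "IDS1": 6.0, "IDS2": 6.0, "P": 1.0, "T": 3.0}


def run_once(controls, rng):
    """One replication of the slide's event loop: Action Selection -> Action Start
    Event -> Action Execution -> Action End Event -> Execution Result -> next
    selection. A Detection Event ends the run (Response, Attacker Stopped Event);
    gaining TARGET raises the Target Reached Event."""
    state = set()
    stats = {"attempted": 0, "succeeded": 0, "detectable": 0, "detected": 0, "target": 0.0}
    queue, seq = [], 0

    def schedule(time, kind, action=None):
        nonlocal seq
        heapq.heappush(queue, (time, seq, kind, action))  # seq keeps FIFO order on ties
        seq += 1

    schedule(0.0, "select")
    while queue:
        t, _, kind, action = heapq.heappop(queue)
        if kind == "select":
            # Random "drill-down" decision model: pick uniformly among enabled actions.
            enabled = [a for a in ACTIONS if a.requires <= state and a.grants not in state]
            if not enabled:
                break                           # nothing left to try
            schedule(t, "start", rng.choice(enabled))
        elif kind == "start":
            stats["attempted"] += 1
            schedule(t + action.duration, "end", action)
            if action.detected_by & controls:   # a deployed control could observe it
                stats["detectable"] += 1
                if rng.random() < DETECT_P:     # detection lands somewhere during execution
                    schedule(t + rng.uniform(0.0, action.duration), "detect", action)
        elif kind == "detect":
            stats["detected"] += 1
            break                               # Response -> Attacker Stopped Event
        elif kind == "end":
            p = action.base_success * BLOCK_FACTOR ** len(action.blocked_by & controls)
            if rng.random() < p:
                stats["succeeded"] += 1
                state.add(action.grants)
                if action.grants == TARGET:
                    stats["target"] = 1.0
                    break                       # Target Reached Event
            schedule(t, "select")               # Execution Result -> next Action Selection
    return stats


def evaluate(controls, replications=50, seed=1):
    """The four objectives of one candidate control set (all to be minimized),
    reduced from the probabilistic simulation to expected values over replications."""
    controls = frozenset(controls)
    rng = random.Random(seed)
    runs = [run_once(controls, rng) for _ in range(replications)]
    return {
        "cost": sum(CONTROL_COST[c] for c in controls),
        "successful_action_ratio": mean(
            r["succeeded"] / r["attempted"] if r["attempted"] else 0.0 for r in runs),
        "target_reached_avg": mean(r["target"] for r in runs),
        # An empty control set scores 0.0 here: with nothing detectable, nothing is undetected.
        "undetected_share": mean(
            (r["detectable"] - r["detected"]) / r["detectable"] if r["detectable"] else 0.0
            for r in runs),
    }


if __name__ == "__main__":
    for portfolio in (set(), {"T", "P"}, set(CONTROL_COST)):
        print(sorted(portfolio), evaluate(portfolio))
```

With no controls the attacker never stops (no detection, unlimited retries), so the target is always reached; that is the baseline each portfolio is traded off against.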

Page 38: Simple scenario: Algorithms and parameter settings

Simulation parameters
- 50 replications per candidate set
- Random "drill-down" decision model

Optimization parameters (NSGA2 and SPEA2)
- Generations: 100
- Population size (α): 100
- Number of parents per generation (µ): 25
- Number of offspring per generation (λ): 25
- Crossover:
  - Rate: 0.95
  - Single crossover point
- Mutation: constant rate 0.05

Page 39: Initial Results: Simple scenario

Runtime (search space: 2^12)
- per replication: ≥ 25 ms (3 GHz DualCore Xeon)
- per evaluation: ≥ 1,250 ms (50 replications)
- total: CE: 183 min, NSGA2: 61 min, SPEA2: 70 min

Efficient solutions:

[Figure: efficient solutions; not recoverable from the extracted text.]

Page 40: Initial Results: Simple scenario

$$Q_4(A) = \frac{1}{|CE|} \sum_{r \in CE} \min_{z \in A} D(z, r)$$

[Figure: Q4 values of the algorithms' solution sets; not recoverable from the extracted text.]
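The Q4 metric above (mean distance from each point of the complete enumeration CE to its nearest point of an approximation set A) together with the efficient-set filtering behind pages 37 to 40, as an added example that is not the authors' code. It assumes a constructed deterministic stand-in for the simulation evaluator over 12 binary control variables, enumerates all 2^12 portfolios to build the CE reference front, and scores a random-search front against it; the control names and effects and the choice of Euclidean D are assumptions, and the objectives are normalized to [0, 1] before distances are taken.

```python
import itertools
import math
import random

# Constructed 12-variable decision space (assumption): one bit per candidate control,
# each with (name, cost, fraction of attack success removed, detection coverage added).
CONTROLS = [
    ("AV1@Client-1", 4.0, 0.20, 0.00), ("AV1@Client-2", 4.0, 0.20, 0.00),
    ("AV1@Client-3", 4.0, 0.20, 0.00), ("AV2@DB1", 5.0, 0.25, 0.00),
    ("AV2@DB2", 5.0, 0.10, 0.00), ("IDS1", 6.0, 0.00, 0.45),
    ("IDS2", 6.0, 0.00, 0.35), ("Patch@Client-1", 1.0, 0.30, 0.00),
    ("Patch@Client-2", 1.0, 0.30, 0.00), ("Patch@Client-3", 1.0, 0.30, 0.00),
    ("Training@Users", 3.0, 0.15, 0.10), ("Training@Admins", 3.0, 0.15, 0.10),
]
MAX_COST = sum(c[1] for c in CONTROLS)


def objectives(bits):
    """Deterministic stand-in for the simulation evaluator (assumption). Returns
    (cost / MAX_COST, residual attack success, undetected share), all in [0, 1]
    and all minimized, so the three objectives are on comparable scales for D."""
    cost, success, coverage = 0.0, 1.0, 0.0
    for (_, c, cut, det), x in zip(CONTROLS, bits):
        if x:
            cost += c
            success *= 1.0 - cut
            coverage = min(1.0, coverage + det)
    return (round(cost / MAX_COST, 6), round(success, 6), round(1.0 - coverage, 6))


def dominates(a, b):
    """a Pareto-dominates b for minimization: no worse in every objective, better in one."""
    return a != b and all(x <= y for x, y in zip(a, b))


def efficient_set(points):
    """Non-dominated subset of objective vectors (duplicates collapsed). Each point
    is checked only against the current front, which keeps 2^12 inputs tractable."""
    front = []
    for p in sorted(set(points)):
        if not any(dominates(q, p) for q in front):
            front = [q for q in front if not dominates(p, q)] + [p]
    return front


def euclid(z, r):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(z, r)))


def q4(approx, reference, dist=euclid):
    """Q4(A) = 1/|CE| * sum over r in CE of min over z in A of D(z, r): the mean
    distance from each reference (CE) point to its nearest approximation point.
    0.0 means A covers the whole reference front; larger is worse."""
    if not approx or not reference:
        raise ValueError("both sets must be non-empty")
    return sum(min(dist(z, r) for z in approx) for r in reference) / len(reference)


def complete_enumeration():
    """CE: evaluate all 2^12 portfolios and keep the efficient ones as the reference."""
    return efficient_set(objectives(bits)
                         for bits in itertools.product((0, 1), repeat=len(CONTROLS)))


def random_search_front(evaluations, seed=0):
    """Baseline heuristic: efficient set of `evaluations` uniformly random portfolios."""
    rng = random.Random(seed)
    return efficient_set(objectives([rng.randint(0, 1) for _ in CONTROLS])
                         for _ in range(evaluations))


if __name__ == "__main__":
    ce = complete_enumeration()
    print("CE front size:", len(ce))
    for budget in (50, 500, 4096):
        print(budget, "evaluations -> Q4 =", round(q4(random_search_front(budget), ce), 4))
```

Because the simulation-based evaluator is probabilistic (page 33), a real run would feed `objectives` with the replicated estimates rather than this closed form; Q4 itself is unchanged.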

Page 41: Simple scenario: Example efficient solution

[Figure: the simple-scenario domain (page 34) with the selected controls marked; marks shown: T, T, P, IDS2, AV1, IDS1.]

Cost: 22.400
Successful attack actions ratio: 0.000558
Target condition reached average: 0.018519
Share of undetected detectable attack actions: 0.083333

Pages 42 to 43: Advanced Scenario: Domain

[Figure: system model. External network: Attacker, Internet, Attack client. Clients: workstation hosts (30). DMZ: DMZ hosts (5). Servers, Subnet1: DB servers (5) holding Data1, Data2, Data3; file servers (5). Users & Groups: workstation user group (30), subnet1 user group (20), file server reader group (5), file server admin group (2), admin group (3), db admin group (3). Applied controls (page 43): Antivirus 1, Antivirus 2, Intrusion detection system 1, Intrusion detection system 2, Security Training, Patch CVE_2013_04_22, Logging Policy; the per-group counts on the figure are not recoverable from the extracted text.]

Page 44: Advanced Scenario: Algorithms and parameter settings

Simulation parameters
- 50 replications per candidate set
- Random "drill-down" decision model

Optimization parameters (NSGA2 and SPEA2)
- Generations: 400
- Population size (α): 100
- Number of parents per generation (µ): 25
- Number of offspring per generation (λ): 25
- Crossover:
  - Rate: 0.95
  - Single crossover point
- Mutation: constant rate 0.05

Page 45: Initial Results: Advanced scenario

Runtime
- per replication: ≥ 30 ms (3 GHz DualCore Xeon)
- total: ≥ 4:30 h

Proposed efficient solutions

[Figure: proposed efficient solutions; not recoverable from the extracted text.]

Page 46: Advanced Scenario: Domain (example efficient solution)

[Figure: the advanced-scenario domain (page 42) with the applied controls marked per host and user group; the counts on the figure are not recoverable in order from the extracted text.]

Cost: 15.330
Successful attack actions ratio: 0.0185
Target condition reached average: 0.0
Share of undetected detectable attack actions: 0.0093

Page 47: Conclusions: Outlook

Current research challenges
- Simulation:
  - Cognitive and behavioral model
- Optimization:
  - Computational cost for individual portfolio evaluations
  - Uncertainty of simulation
  - Thorough testing of optimization algorithms (more algorithms, performance measures across multiple runs, multiple problem instances etc.)

Ideas for future work
- Probabilistic dominance concepts?
- Assign replications non-uniformly?
- Control selection → system design (very large design space + constraints)

Page 48: Q & A

Contact: [email protected]