On Attack/Defense Trees - Attack/Defense Trees Patrick Schweitzer ... Salami attack 7/23. Attack Trees Attack Trees - the concept ... Type: τ:V → {, ,

  • Published on
    16-Apr-2018

  • View
    216

  • Download
    2

Embed Size (px)

Transcript

<ul><li><p>On Attack/Defense Trees</p><p>Patrick SchweitzerSaToSS, Faculty of Sciences, Communication and Technology</p><p>University of Luxembourg</p><p>November 17th 2009</p><p>1/23</p></li><li><p>Outline</p><p>1 Intuition and overview of existing approaches to model attacks</p><p>2 Attack Trees</p><p>3 The new approach to include defenses</p><p>4 Future work</p><p>2/23</p></li><li><p>Intuition and overview</p><p>Intuition</p><p>Get money(illegally)</p><p>Get moneyfrom a bank</p><p>Rob a</p><p>bank</p><p>Steal from</p><p>ATM</p><p>S2</p><p>S2</p><p>S2</p><p>Hack into</p><p>computer</p><p>system</p><p>Rob a storeEnter with</p><p>a gun2 3.1</p><p>4.14.2</p><p>4.3</p><p>3.2</p><p>3.33.4</p><p>Enter</p><p>disguised</p><p>Enter</p><p>at night2</p><p>Go toloan shark</p><p>3/23</p></li><li><p>Intuition and overview</p><p>Intuition</p><p>Get money(illegally)</p><p>Get moneyfrom a bank</p><p>Rob a</p><p>bank</p><p>Steal from</p><p>ATM</p><p>S2</p><p>S2</p><p>S2</p><p>Hack into</p><p>computer</p><p>system</p><p>Rob a storeEnter with</p><p>a gun2 3.1</p><p>4.14.2</p><p>4.3</p><p>3.2</p><p>3.33.4</p><p>Enter</p><p>disguised</p><p>Enter</p><p>at night2</p><p>Go toloan shark</p><p>3/23</p></li><li><p>Intuition and overview</p><p>Intuition</p><p>Get money(illegally)</p><p>Get moneyfrom a bank</p><p>Rob a</p><p>bank</p><p>Steal from</p><p>ATM</p><p>S2</p><p>S2</p><p>S2</p><p>Hack into</p><p>computer</p><p>system</p><p>Rob a storeEnter with</p><p>a gun2 3.1</p><p>4.14.2</p><p>4.3</p><p>3.2</p><p>3.33.4</p><p>Enter</p><p>disguised</p><p>Enter</p><p>at night2</p><p>Go toloan shark</p><p>3/23</p></li><li><p>Intuition and overview</p><p>Guide to modeling attacks</p><p>Intuitive start: A mindmap (a special graph)</p><p>Problem: Complexity</p><p>Solution: Computer support (requires formalism)</p><p>Literature: Several approaches</p><p>4/23</p></li><li><p>Intuition and overview</p><p>Guide to modeling attacks</p><p>Intuitive start: A mindmap (a special graph)</p><p>Problem: Complexity</p><p>Solution: Computer support (requires formalism)</p><p>Literature: Several approaches</p><p>4/23</p></li><li><p>Intuition and overview</p><p>Guide to modeling attacks</p><p>Intuitive start: A mindmap (a special graph)</p><p>Problem: Complexity</p><p>Solution: Computer support (requires formalism)</p><p>Literature: Several approaches</p><p>4/23</p></li><li><p>Intuition and overview</p><p>Guide to modeling attacks</p><p>Intuitive start: A mindmap (a special graph)</p><p>Problem: Complexity</p><p>Solution: Computer support (requires formalism)</p><p>Literature: Several approaches</p><p>4/23</p></li><li><p>Intuition and overview</p><p>Different approaches to modeling attacks</p><p>Attack TreesEssentially all information is contained in the leaves.</p><p>Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes</p><p>Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.</p><p>. . .</p><p>5/23</p></li><li><p>Intuition and overview</p><p>Different approaches to modeling attacks</p><p>Attack TreesEssentially all information is contained in the leaves.</p><p>Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes</p><p>Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.</p><p>. . .</p><p>5/23</p></li><li><p>Intuition and overview</p><p>Different approaches to modeling attacks</p><p>Attack TreesEssentially all information is contained in the leaves.</p><p>Attack Graphs or Attack NetsFinite automata that fulfill security properties;separation of data and processes</p><p>Security Pattern DescriptionsDocuments that describe in words the possible attacks on asystem. They are very long exactly like this text which shouldnever have been on the slide because nobody that listens tothe talk reads that much text.</p><p>. . .</p><p>5/23</p></li><li><p>Attack Trees</p><p>1 Intuition and overview of existing approaches to model attacks</p><p>2 Attack Trees</p><p>3 The new approach to include defenses</p><p>4 Future work</p><p>6/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>7/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>Free food</p><p>7/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>Free food</p><p>Eat n runPretendto work</p><p>at restaurant</p><p>7/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>Free food</p><p>Eat n run</p><p>Order meal Sneak out</p><p>Pretendto work</p><p>at restaurant</p><p>Ask Chefto prepare</p><p>Salamiattack</p><p>7/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>Free food</p><p>Eat n run</p><p>Order meal Sneak out</p><p>Pretendto work</p><p>at restaurant</p><p>Ask Chefto prepare</p><p>Salamiattack</p><p>Wait oncustomers</p><p>Steal part oftheir food</p><p>Sneak out</p><p>7/23</p></li><li><p>Attack Trees</p><p>Attack Trees - the concept</p><p>Attack: How to get free food?</p><p>Free food</p><p>Eat n run</p><p>Order meal Sneak out</p><p>Pretendto work</p><p>at restaurant</p><p>Ask Chefto prepare</p><p>Salamiattack</p><p>Wait oncustomers</p><p>Steal part oftheir food</p><p>Sneak out</p><p>Essentially a set of multisets,e.g.:</p><p>{{{Order meal, sneak out}},</p><p>{{Ask Chef to prepare}},</p><p>{{Wait on customers,</p><p>steal part of their food,</p><p>sneak out}}}</p><p>7/23</p></li><li><p>Attack Trees</p><p>Properties of the existing model</p><p>Important properties of Attack Trees</p><p>Uses and and or nodes</p><p>Simple normal form: trees of depth 1</p><p>Attributes can be attached to the leaves:then the attribute can be calculated for the root</p><p>Projection only works for some attributes(Projection = Restriction of an attribute)</p><p>8/23</p></li><li><p>Attack Trees</p><p>Properties of the existing model</p><p>Important properties of Attack Trees</p><p>Uses and and or nodes</p><p>Simple normal form: trees of depth 1</p><p>Attributes can be attached to the leaves:then the attribute can be calculated for the root</p><p>Projection only works for some attributes(Projection = Restriction of an attribute)</p><p>8/23</p></li><li><p>Attack Trees</p><p>Properties of the existing model</p><p>Important properties of Attack Trees</p><p>Uses and and or nodes</p><p>Simple normal form: trees of depth 1</p><p>Attributes can be attached to the leaves:then the attribute can be calculated for the root</p><p>Projection only works for some attributes(Projection = Restriction of an attribute)</p><p>8/23</p></li><li><p>Attack Trees</p><p>Properties of the existing model</p><p>Important properties of Attack Trees</p><p>Uses and and or nodes</p><p>Simple normal form: trees of depth 1</p><p>Attributes can be attached to the leaves:then the attribute can be calculated for the root</p><p>Projection only works for some attributes(Projection = Restriction of an attribute)</p><p>8/23</p></li><li><p>Attack Trees</p><p>Including a defense in the framework</p><p>Free food</p><p>Eat n run</p><p>Order meal Sneak out</p><p>Pretendto work</p><p>at restaurant</p><p>Ask Chefto prepare</p><p>Salamiattack</p><p>Wait oncustomers</p><p>Steal part oftheir food</p><p>Sneak out</p><p>9/23</p></li><li><p>Attack Trees</p><p>Including a defense in the framework</p><p>Free food</p><p>Eat n run</p><p>Order meal Sneak out</p><p>Policeman</p><p>Pretendto work</p><p>at restaurant</p><p>Ask Chefto prepare</p><p>Salamiattack</p><p>Wait oncustomers</p><p>Steal part oftheir food</p><p>Sneak out</p><p>Policeman</p><p>9/23</p></li><li><p>Attack Trees</p><p>Attack and Defense Trees</p><p>Consider the Defense Tree law enforcement instead of apoliceman.</p><p>Consider the Attack Tree Mafia attached to law enforcement.</p><p>and so on...</p><p>New framework: Attack Tree - Defense Tree - Attack Tree - ...</p><p>10/23</p></li><li><p>Attack Trees</p><p>Attack and Defense Trees</p><p>Consider the Defense Tree law enforcement instead of apoliceman.</p><p>Consider the Attack Tree Mafia attached to law enforcement.</p><p>and so on...</p><p>New framework: Attack Tree - Defense Tree - Attack Tree - ...</p><p>10/23</p></li><li><p>Attack Trees</p><p>Attack and Defense Trees</p><p>Consider the Defense Tree law enforcement instead of apoliceman.</p><p>Consider the Attack Tree Mafia attached to law enforcement.</p><p>and so on...</p><p>New framework: Attack Tree - Defense Tree - Attack Tree - ...</p><p>10/23</p></li><li><p>The new approach to include defenses</p><p>1 Intuition and overview of existing approaches to model attacks</p><p>2 Attack Trees</p><p>3 The new approach to include defenses</p><p>4 Future work</p><p>11/23</p></li><li><p>The new approach to include defenses</p><p>The general idea: two functions describing the nodes</p><p>Structure: rooted tree T = (V , E , r , , )(non-empty, finite, directed, connected, acyclic, rooted)Type: : V {,,} Connector : V {, , , }</p><p>12/23</p></li><li><p>The new approach to include defenses</p><p>The general idea: two functions describing the nodes</p><p>Structure: rooted tree T = (V , E , r , , )(non-empty, finite, directed, connected, acyclic, rooted)Type: : V {,,} Connector : V {, , , }</p><p>(v) {,} = (w) {(v),} (1)</p><p>(v) {,} and | Childrenv | &gt; 1 (v) {, } (2)</p><p>(v) {,} and | Childrenv | 1 (v) = (3)</p><p>(v) = = (w) {f (v),} (4)</p><p>(v) = = | Childrenv | = 1 (5)</p><p>(v) = (v) = (6)</p><p>v , w V and (v , w) E</p><p>12/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (1):(v) {,} = (w) {(v),}</p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (2):(v) {,} and | Childrenv | &gt; 1(v) {, }</p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (3):(v) {,} and | Childrenv | 1(v) = </p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (4):(v) = = (w) {f (v),}</p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (5):(v) = = | Childrenv | = 1</p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>The additional properties</p><p>Property (6):(v) = (v) = </p><p>13/23</p></li><li><p>The new approach to include defenses</p><p>Semantics of the Adtrees</p><p>D1 </p><p>D2 D3 </p><p>A1</p><p>A2 </p><p>A3 A4 </p><p>D4 D5</p><p>A5 A6</p><p>Semantics of the adtree:Unique variable associated to leaf</p><p>JvK =</p><p>v if v L(T ),</p><p>wChildrenv</p><p>JwK if (v) = ,</p><p>wChildrenv</p><p>JwK if (v) = ,</p><p>JwK if (v) = and</p><p>Childrenv = {w},</p><p>JwK if (v) = and</p><p>Childrenv = {w}.</p><p>14/23</p></li><li><p>The new approach to include defenses</p><p>Logical formulas associated to trees</p><p>D1 </p><p>D2 D3 </p><p>A1</p><p>A2 </p><p>A3 A4 </p><p>D4 D5</p><p>A5 A6Propositional logic corresponding to thetree:</p><p>(((D1 ((D2 D3 (A1))))))(A2 (A3 A4 ((D4 D5)))(A5 A6)</p><p>15/23</p></li><li><p>The new approach to include defenses</p><p>Trees in normal form</p><p>A1 A5 A6 </p><p>D1</p><p>D2</p><p>D3</p><p>A2 A3 A4 </p><p>D4</p><p>D5</p><p>Normal form:A1 A5 A6 D1 D2 D3 (A2 A3 A4 D4 D5)</p><p>16/23</p></li><li><p>The new approach to include defenses</p><p>Exemplary transformation: Distributivity to </p><p>b</p><p>X1</p><p>. . .</p><p>k</p><p>b</p><p>Xk</p><p>b</p><p>Y1</p><p>. . .</p><p>l</p><p>b</p><p>Yl</p><p>b</p><p>X1</p><p>. . .</p><p>k</p><p>b</p><p>Xk</p><p>b</p><p>Y1</p><p>. . .</p><p>l</p><p>b</p><p>X1</p><p>. . .</p><p>k</p><p>b</p><p>Xk</p><p>b</p><p>Yl</p><p>With k 1 and l 2</p><p>17/23</p></li><li><p>The new approach to include defenses</p><p>Full set of transformation rules</p><p> Distributivity (A B) C (A C) (B C) 1level absorption (A B) A A 2level absorption as above Double negation A A Empty refinement no formula Associativity ( and ) (A B) C A B C De Morgan ( and ) (A B) A B Idempotency ( and ) X X X</p><p>18/23</p></li><li><p>The new approach to include defenses</p><p>Full set of transformation rules</p><p> Distributivity (A B) C (A C) (B C) 1level absorption (A B) A A 2level absorption as above Double negation A A Empty refinement no formula Associativity ( and ) (A B) C A B C De Morgan ( and ) (A B) A B Idempotency ( and ) X X X</p><p>18/23</p></li><li><p>The new approach to include defenses</p><p>Full set of transformation rules</p><p> Distributivity (A B) C (A C) (B C) 1level absorption (A B) A A 2level absorption as above Double negation A A Empty refinement no formula Associativity ( and ) (A B) C A B C De Morgan ( and ) (A B) A B Idempotency ( and ) X X X</p><p>18/23</p></li><li><p>The new approach to include defenses</p><p>Currently working on</p><p>Proving the uniqueness of the normal forms</p><p>Requires: Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible</p><p> Local confluence (Barbara - finished)Order of applying the rules leads to same result</p><p>19/23</p></li><li><p>The new approach to include defenses</p><p>Currently working on</p><p>Proving the uniqueness of the normal forms</p><p>Requires: Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible</p><p> Local confluence (Barbara - finished)Order of applying the rules leads to same result</p><p>19/23</p></li><li><p>The new approach to include defenses</p><p>Currently working on</p><p>Proving the uniqueness of the normal forms</p><p>Requires: Strong termination (Patrick - almost finished)Applying rules indefinitely is not possible</p><p> Local confluence (Barbara - finished)Order of applying the rules leads to same result</p><p>19/23</p></li><li><p>The new approach to include defenses</p><p>Termination function</p><p>Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule &gt;the value after applying a transformation rule.</p><p>20/23</p></li><li><p>The new approach to include defenses</p><p>Termination function</p><p>Termination function:A function from the trees into a totally ordered set,s.t. the value before applying a transformation rule &gt;the value after applying a transformation rule.</p><p>Whiteboard</p><p>20/23</p></li><li><p>Future work</p><p>1 Intuition and overview of existing approaches to model attacks</p><p>2 Attack Trees</p><p>3 The new approach to include defenses</p><p>4 Future work</p><p>21/23</p></li><li><p>Future work</p><p>Work on generalizing the framework</p><p>Introduce attributes to the leaves</p><p>Allow directed acyclic graphs</p><p>Consider temporal order of children</p><p>Check out the two existing software packages</p><p>. . .</p><p>22/23</p></li><li><p>Summary</p><p>1 Intuition and overview of existing approaches to model attacks</p><p>2 Attack Trees</p><p>3 The new approach to include defenses</p><p>4 Future work</p><p>23/23</p><p>OutlineIntuition and overview of existing approaches to model attacksAttack TreesThe new approach to include defensesFuture workSummary</p></li></ul>

Recommended

View more >