Truth or dare: quantitative security risk analysis via attack trees

Rajesh Kumar

Research output: Thesis › PhD Thesis - Research UT, graduation UT › Academic


Abstract

Cyber breaches have grown exponentially over the years, both in the number of incidents and in damage. Examples of such damaging attacks are numerous: the WannaCry ransomware, the DigiNotar hack, the Code Red worm and the Equifax data breach, to name a few. At the same time, enterprises themselves have grown ever more complex, with an interplay of IT systems, physical infrastructure and human actors, resulting in so-called socio-technical systems. Adversaries ranging from unskilled to sophisticated, from script-kiddies to government agencies, target this complexity, exploit multiple component failures, software and hardware vulnerabilities, and combine these with social engineering techniques to launch sophisticated attacks. A striking example of such a socio-technical attack is the attack on a Supervisory Control and Data Acquisition (SCADA) system via the Stuxnet worm, allegedly targeting Iran's nuclear facilities.

Current information security risk management techniques are based on evaluator experience, or on checklists, brainstorming, compliance standards, etc. Because these techniques elicit security risks informally, important attack scenarios, such as multi-step attacks, are often missed. Additionally, due to the lack of quantitative analysis frameworks, too many security mechanisms are sometimes implemented, which interfere with system safety and usability.

To address these challenges, in this thesis we propose automated tools and techniques to help security practitioners understand their cyber-risks by quantifying them, thereby making cyber-security investment decisions more objective and transparent. To do so, we provide a multi-faceted security analysis framework capable of answering a rich set of security questions, such as the cost-optimal attack scenarios for an attacker, time-dependent attack probabilities, etc. Our work relies on attack trees as the modelling formalism and uses model checking for analysis. Attack trees are graphical models that provide a systematic representation of attack scenarios. Owing to their graphical format for eliciting security risks, they are easy to use and hence very popular in security engineering. However, classical attack tree analysis techniques lack support for modelling the temporal dependencies between the attack tree components. Analytically, they are limited to single-attribute computation, such as the probability of an attack or the cost of an attack. Furthermore, the traditional single-attribute bottom-up computation is only valid under the strong and unrealistic assumption that no node is shared between subtrees.

In this thesis, we alleviate all the aforementioned limitations of classical attack tree analysis techniques and propose novel methods using the automata-theoretic framework and relying on stochastic and statistical model checking. In particular, in Part II of this thesis, we provide a multi-parametric and time-dynamic analysis of attack trees, taking into account temporal dependencies, attacker profiles and accidental component failures, which otherwise cannot be analysed using state-of-the-art techniques. We augment the attack tree formalism with two new gates, the sequential-AND gate and the sequential-OR gate, which allow modelling the temporal dependencies between the attack tree components. Analytically, we provide a compositional analysis framework for attack trees by translating them into suitable priced/stochastic timed automata. By doing so, we combine several attack tree attributes (possibly functionally dependent) in a mathematically precise manner.
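The two preceding paragraphs make two claims that are easy to miss without numbers: that the classical bottom-up rule is only sound when no leaf is shared between subtrees, and that a sequential-AND gate changes the timing of an attack, not whether it succeeds. The toy script below, added here as an illustration and not code from the thesis or from ATCalc/ATTop, evaluates a small attack tree both ways. The tree encoding, the leaf attribute values and the deterministic timing rule for SAND (children run one after another) are assumptions made for this example; the thesis's own semantics are defined via priced/stochastic timed automata and are richer than this.

```python
"""Added example: bottom-up vs exact attack-tree evaluation on a tree with a
shared leaf, plus a simplified SAND (sequential-AND) timing rule.
Toy code for illustration, not the thesis's ATCalc/ATTop tooling."""
from itertools import product
from math import prod

# Tree syntax (assumption): a leaf is a string; a gate is a tuple
# ("AND" | "OR" | "SAND", child, child, ...).  Leaf attributes map
# name -> (success probability, cost to attempt, time to complete).
ATTRS = {          # constructed sample values, not taken from the thesis
    "a": (0.5, 10, 2.0),
    "b": (0.5, 5, 3.0),
    "c": (0.5, 7, 1.0),
}
# Leaf "a" is shared: achieving it once satisfies both OR branches.
SHARED = ("AND", ("OR", "a", "b"), ("OR", "a", "c"))
# "a" must finish before b and c (which then run in parallel) can start.
SEQUENTIAL = ("SAND", "a", ("AND", "b", "c"))


def leaves(tree):
    if isinstance(tree, str):
        return {tree}
    return set().union(*(leaves(c) for c in tree[1:]))


def holds(tree, outcome):
    """Does the root succeed, given a dict leaf -> bool of which leaves succeeded?
    For success/failure SAND behaves like AND: ordering changes *when* the goal
    is reached, not *whether* it is reached."""
    if isinstance(tree, str):
        return outcome[tree]
    kids = [holds(c, outcome) for c in tree[1:]]
    return any(kids) if tree[0] == "OR" else all(kids)


def bottom_up_prob(tree, attrs=ATTRS):
    """Classical one-pass rule: AND/SAND multiply, OR combines as 1 - prod(1 - p).
    Every occurrence of a leaf is treated as an independent event, which is only
    sound when no leaf is shared."""
    if isinstance(tree, str):
        return attrs[tree][0]
    ps = [bottom_up_prob(c, attrs) for c in tree[1:]]
    return 1 - prod(1 - p for p in ps) if tree[0] == "OR" else prod(ps)


def exact_prob(tree, attrs=ATTRS):
    """Reference value: sum the weight of every leaf outcome in which the root
    holds.  Exponential in the number of distinct leaves, but each shared leaf
    is drawn once, so it is what the bottom-up rule must agree with."""
    names = sorted(leaves(tree))
    total = 0.0
    for bits in product((False, True), repeat=len(names)):
        outcome = dict(zip(names, bits))
        if holds(tree, outcome):
            total += prod(attrs[n][0] if outcome[n] else 1 - attrs[n][0] for n in names)
    return total


def bottom_up_min_cost(tree, attrs=ATTRS):
    """Classical rule: AND/SAND sum child costs, OR takes the cheapest child."""
    if isinstance(tree, str):
        return attrs[tree][1]
    cs = [bottom_up_min_cost(c, attrs) for c in tree[1:]]
    return min(cs) if tree[0] == "OR" else sum(cs)


def exact_min_cost(tree, attrs=ATTRS):
    """Cheapest set of leaves whose success makes the root hold, paying each leaf
    once.  Returns (cost, sorted leaf names)."""
    names = sorted(leaves(tree))
    best = None
    for bits in product((False, True), repeat=len(names)):
        outcome = dict(zip(names, bits))
        if not holds(tree, outcome):
            continue
        cost = sum(attrs[n][1] for n in names if outcome[n])
        if best is None or cost < best[0]:
            best = (cost, [n for n in names if outcome[n]])
    return best


def completion_time(tree, attrs=ATTRS):
    """Simplified deterministic timing (an assumption of this example): AND
    children run in parallel (max), SAND children run in sequence (sum), OR takes
    the fastest option (min)."""
    if isinstance(tree, str):
        return attrs[tree][2]
    ts = [completion_time(c, attrs) for c in tree[1:]]
    return {"AND": max, "SAND": sum, "OR": min}[tree[0]](ts)


if __name__ == "__main__":
    print("bottom-up P =", bottom_up_prob(SHARED), " exact P =", exact_prob(SHARED))
    print("bottom-up cost =", bottom_up_min_cost(SHARED), " exact =", exact_min_cost(SHARED))
    print("SAND completion time =", completion_time(SEQUENTIAL),
          " same leaves under plain AND =", completion_time(("AND", "a", "b", "c")))
```

On the shared tree the bottom-up rule reports a root probability of 0.5625 and a cheapest attack of 12, while exact evaluation gives 0.625 and a cheapest attack of 10 (leaf `a` alone satisfies both branches). The bottom-up rule undercounts the probability because it treats the two occurrences of `a` as independent, and overcounts the cost because it cannot see that one purchase of `a` serves both branches; the sign of the error depends on the tree, which is why the assumption has to be stated rather than ignored. The sequential tree shows the timing difference: the same three leaves complete at time 3.0 under a plain AND but at 5.0 under SAND.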

In Part III of this thesis, we look into security goals. For this, we develop a taxonomy of security goals based on a survey of the 30 most highly cited papers in the information security literature from 1995 to 2016. We represent our taxonomy as a feature diagram, which enables us to capture commonalities, variabilities and interrelationships between the different security goal concepts. By mapping the security goals collected from the aforementioned papers onto our taxonomy, we provide critical insights into trends, omissions and focus of security goals in the literature. In the same part, we develop a property specification language, LOCKS, to express both quantitative and qualitative security goals. Security goals in LOCKS are expressed as queries over an attack model, namely the structural attack model (SAM). As the most prominent threat models, such as attack trees and attack graphs, can be translated into the generic structure of a SAM, our proposed language can express security goals over all these frameworks.

Practically, we demonstrate our analysis framework on many case studies taken from the literature. To support our methods in an automated manner, we develop two tools: ATCalc, to obtain the probability of attack over time, and ATTop, to systematically translate attack trees into automata and derive results using the principles of model-driven engineering.

Original language: English
Awarding Institution: University of Twente
Supervisors/Advisors:
  • Stoelinga, Mariëlle Ida Antoinette, Supervisor
  • Rensink, Arend, Supervisor
Award date: 17 Oct 2018
Place of Publication: Enschede
Publisher: University of Twente
Print ISBN: 978-90-365-4625-6
DOI: 10.3990/1.9789036546256
Publication status: Published - 17 Oct 2018


Cite this

Kumar, Rajesh. Truth or dare: quantitative security risk analysis via attack trees. Enschede: University of Twente, 2018. 226 p.
@phdthesis{7c7e4f8ebe1c4cf1a4d53c2c2811d53c,
title = "Truth or dare: quantitative security risk analysis via attack trees",
author = "Rajesh Kumar",
year = "2018",
month = "10",
day = "17",
doi = "10.3990/1.9789036546256",
language = "English",
isbn = "978-90-365-4625-6",
series = "IDS Ph.D. Thesis Series",
publisher = "University of Twente",
number = "18-015",
address = "Netherlands",
school = "University of Twente",
}


Kumar R. Truth or dare: quantitative security risk analysis via attack trees. Enschede: University of Twente, 2018. 226 p. (IDS Ph.D. Thesis Series; 18-015). (IPA Dissertation Series; 2018-15). https://doi.org/10.3990/1.9789036546256