2009 International Conference on Availability, Reliability and Security

Intrusion Process Modeling for Security Quantification
Jaafar Almasizadeh and Mohammad Abdollahi Azgomi
Performance and Dependability Eng. Lab., Department of Computer Engineering, Iran University of Science and Technology, Tehran, Iran
E-mail: [email protected] and [email protected]

Abstract
The aim is to develop a suitable method for quantifying security. We use stochastic modeling techniques for this purpose. An intrusion process is considered as a series of elementary attack phases, and at each phase the interactions between the attacker and the system are analyzed rigorously. It is assumed that a typical attacker needs some time to perform an elementary attack phase. On the other hand, it is assumed that the attacker may be detected by the system, in which case the overall intrusion process is interrupted. The attacker's skill level and the system's abilities are characterized by the uniform distribution functions assigned to the transitions of the model. The underlying stochastic model is recognized as a semi-Markov chain. For security analysis, some valid assumptions about the intrusion process are considered. Also, two quantitative security measures are defined and evaluated based on the model. The proposed method is demonstrated by modeling a complicated attack process and evaluating the desired security measures.

1. Introduction
Because of human-made faults, numerous existing vulnerabilities and increasingly complex attacks, computer systems are not expected to be completely secure. Before the decision is made to rely on a system that is intended to be secure, the amount of security obtained by the system needs to be predicted. Nowadays, it is widely accepted that the security of computer systems must be considered as a quality of service measure. On the other hand, quantitative security evaluation is a challenging and critical problem; there is no comprehensive and realistic approach for this purpose. In this paper, we utilize stochastic modeling techniques to present a new and useful method for intrusion process modeling for quantifying security. Stochastic assumptions are needed to describe systems that have yet to be built, and for systems whose specific vulnerabilities remain unknown [1]. The proposed method considers an intrusion process as a sequence of elementary phases, and at each phase the interactions between the system and the attacker are modeled. Based on the proposed scenario, the desired measures for security quantification are obtained. First, we state some assumptions for describing the attacking process, and on the basis of these assumptions a stochastic model is presented. Finally, the model is analyzed and some suitable measures are obtained. For security quantification, two quantitative security measures are defined and evaluated using the stochastic model. These two measures are: (1) the mean time to first security failure of the system and (2) the steady-state security probabilities of the system. The initial model is a state transition model. After parameterization, this model becomes a stochastic model. In order to evaluate the security measures of the system, it is important to carefully determine the temporal parameters of the stochastic model. The underlying stochastic model is recognized as a semi-Markov chain (SMC). One of the advantages of the SMC is the feasibility of obtaining closed-form solutions. Also, the sojourn time distribution functions can be defined generally. We solve the SMC model to compute the security measures of interest. In order to do so, the SMC model must be converted into its embedded discrete-time Markov chain (DTMC), and then the resulting DTMC is analyzed to obtain the security measures. The proposed stochastic model is generic and can be used for modeling any intrusion process. The remainder of this paper is organized as follows: in Section 2, related work on security quantification is reviewed. Section 3 presents the proposed stochastic model. Section 4 discusses how the desired security measures are evaluated. Section 5 explains the method by a detailed case study. Finally, Section 6 concludes the paper and discusses some limitations and problems that must be investigated in future work.

978-0-7695-3564-7/09 $25.00 © 2009 IEEE DOI 10.1109/ARES.2009.142

2. Related Work and Contributions
There are some research papers on presenting methods for security quantification. As will be mentioned, stochastic evaluation techniques used in dependability evaluation have also been used to evaluate certain security measures. In [2], the similarities between reliability and security are discussed with the intention of working towards measures of operational security similar to those that have been used for the reliability of systems. In [9], an approach is used for modeling the system as a privilege graph exhibiting the security vulnerabilities and for computing measures representing the difficulty for a possible attacker to exploit these vulnerabilities and defeat the security objectives of the system. In [3], based on empirical data collected from intrusion experiments, the authors have worked out a hypothesis on typical attacker behavior. The hypothesis suggests that the attacking process can be split into three phases: the learning phase, the standard attack phase, and the innovative attack phase. In [1], existing model-based techniques for evaluating system dependability are surveyed, and it is summarized how they are now being extended to evaluate system security. The work presented in [11] deals with various issues related to quantifying the security attributes of an intrusion tolerant system (i.e. SITAR). A security intrusion and the response of an intrusion tolerant system to an attack are modeled as a random process. This facilitates the use of stochastic modeling techniques to capture the attacker behavior as well as the system's response to a security intrusion. In [7], the authors have used stochastic reward nets (SRNs) to model both attacker and system behavior of SITAR. It is shown that the resulting analysis is useful in determining gains in security by reconfiguring such a system in terms of increase in redundancy under varying threat levels.
In [17], an approach for quantifying the security of systems using colored Petri nets is presented. The extended security and dependability framework covers not only breaches caused by users and non-users, but also traditional dependability failures. In [24, 26], the relation between dependability and security is discussed and the need for an integrated evaluation framework is pointed out. The paper suggests the use of stochastic modeling techniques as a suitable method for assessing the trustworthiness of a system, regardless of whether the failure cause is intentional or not. In [5], a model-based validation effort that was undertaken as part of a unified approach to validating a networked intrusion tolerant information system is described. Model-based results were used to guide the system's design as well as to determine whether a given survivability requirement was satisfied. In [20], a model for estimating the time to compromise a system component that is visible to an attacker is proposed. The model provides an estimate of the expected value of the time-to-compromise as a function of known and visible vulnerabilities and attacker skill level. In [22], a method for quantitative threat modeling is presented, which quantifies security threats by calculating the total severity weights of relevant attack paths for commercial-off-the-shelf (COTS) systems. Compared to existing approaches, this method is sensitive to an organization's business value priorities and IT environment. The studies listed above suggest that stochastic modeling can and should be the suitable approach for modeling the intrusion process and quantifying the security measures. Unfortunately, most of these approaches lack a strong theoretical foundation for modeling attacker behavior, and none of these methods is adequate for predicting security measures. For example, in [7, 11] the attacker behavior is modeled by only two transitions. A security model needs to include more detailed attacker behavior. We believe that describing attacker behavior carefully is central to security quantification. Hence, our primary focus in this paper is on various aspects of building a suitable attack model. Also, a main weakness of some approaches [3, 9, 14, 24] is the fact that the sojourn time distribution in the states of the models is assumed to be exponential. As investigated in [19] and stated in [7, 11, 14], this assumption may not be appropriate in many situations of an intrusion process. Therefore, to be able to propose a more realistic model for quantitative security evaluation, it is necessary to carefully take into account the time aspects of the events of the attacking process. A suitable notion of time must be defined.
Security analysis must assume that failures are caused by human intent, resulting in security failures that are definitely correlated, that depend in subtle ways on system state, and that attackers learn over time [1]. The main contributions of this paper are as follows: first, non-exponential distributions, namely uniform distributions, are applied as appropriate distributions to predict the temporal aspects of the attacker's or the system's behavior; we present a semi-Markov chain model with uniform sojourn time distribution functions assigned to its transitions. Second, it is explained how an intrusion process is carefully analyzed and modeled for obtaining the desired security measures. Third, an analytical stochastic model is proposed by considering realistic assumptions about the attacking process.

3. The General Model

3.1. Basic Assumptions for Modeling
In this section, without loss of generality, we state some general assumptions about the intrusion process. These assumptions will be used for modeling and evaluation of the security measures.
1. Each intrusion process into a system can be modeled as a series of state changes of the system that finally transfer the system from an initial secure state to a final security failure state.
2. The system's responses to the attacker's actions are also considered. Generally, the attacker transfers the system into some insecure state. On the other hand, the system aims to detect and to thwart the effects of the attack. Hence, our primary interest is in the description of the interactions between the attacker and the system.
3. It is assumed that there is only one intrusion process against the system. The main reason is that we want to focus on modeling the interactions between the attacker and the system.
4. We compute the time from the point the system is put into operation until the attacker starts the intrusion process as the starting point of the intrusion process. We believe that by considering this temporal aspect, more exact security measures are obtained.

3.2. Model Representation
We assume that a typical intrusion process can be visualized as in Figure 1:
[Figure 1 not recovered from the page: a chain of phases labeled 0, 1, ..., n]
Figure 1. Intrusion process representation
The intrusion process of Figure 1 has n phases. Each phase in the intrusion process represents a privilege level owned by the attacker, and a transition between two sequential phases specifies that there are some ways for the attacker to obtain new privileges. Clearly, all steps in an intrusion process are to be performed sequentially. As outlined earlier, an intrusion process is a series of elementary attack phases. It is assumed that at each attack phase, the attacker and the system interact with each other. It is necessary to model the interactions between the attacker and the system. If the existing vulnerabilities are detected and removed by the system before the attacker can detect and exploit them, the state transition model will return to the secure state; otherwise the attacker will be transferred from the current attack phase to the next attack phase. This process is repeated until one of two specific situations is reached: security failure or the secure state. In fact, an intrusion process is said to be successful if and only if all the elementary attack phases of the intrusion process are successfully exploited by the attacker. For a better understanding, imagine the attacker and the system as two competing agents. They compete for different goals: the attacker aims to compromise the security of the system. On the other hand, the system aims to protect system resources from external intruders. Therefore, the proposed model represents a set of interactions between the attacker and the system. We propose a detailed model. Determining the appropriate level of detail/abstraction in an attacker model is very important, and depends on the scope and purpose of the model [1]. The model is shown in Figure 2, where the interactions between the attacker and the system, at each attack phase, are considered:
[Figure 2 not recovered from the page: a state transition model with states S, 1, 2, ..., n and F]
Figure 2. The proposed stochastic model
In this model, all the states are transient except the state F, which is considered as an absorbing state. In the above model, the state S represents the secure situation of the system, in which no attack is found, and the state F represents the security failure situation of the system. Due to the uncertainty in the attacker's and the system's behavior, the state transition model must be parameterized. Security measures are evaluated based on the temporal aspects of the attacker's and the system's actions. To an attacker with incomplete knowledge of the system, there is uncertainty as to the effects of the attack. To the system designer/owner/operator, there is uncertainty as to the type, frequency, intensity and duration of the attack, and even as to whether a particular attack would result in a security breach [11]. Note that the transition describes the elapsed time until the starting point of the intrusion process. During the time interval in which the attacker is in an attack phase, the system tries to detect the attacker's actions in order to prevent a violation of the system's security.

3.3. Model Parameterization
It is clear that the attacker must spend some time at each attack phase to gain a new privilege. This time is best modeled as a nonnegative continuous random variable that is described by a suitable distribution function. For security quantification, a suitable notion of time must be specified. Let the random variable X be the time needed for the attacker to pass each elementary phase of the intrusion process. Assume that an attack phase is started at time zero and completed at some time between a and b. Therefore, the above random variable is assumed to be uniformly distributed over the interval [a, b], where a and b can be any nonnegative real values: 0 ≤ a ≤ b ≤ ∞.
A continuous random variable X is said to have a uniform distribution over the interval [a, b] if its distribution function is given by [13]:
[distribution function not recovered from the page]
attacker success increases as time elapses. To summarize, the reasons for assigning uniform distributions to the transitions of the model are as follows: first, it is an IFR (increasing failure rate) distribution. Second, the time intervals for the attacker and the system can be defined based on the user's intuition or experience. Third, defining time intervals gives a more appropriate description of the attacker's and the system's behavior over time. We assume that the defined time interval covers the true time of a successful attack with probability one; that is, the attack phase is performed at some time between a and b. We have:
[equation not recovered from the page]
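The evaluation route the paper sketches (parameterize the state model with uniform sojourn times, pass from the semi-Markov chain to its embedded DTMC, and solve for the mean time to first security failure) is worked out below as an added example; this is not the authors' code. It assumes, beyond what the page states, that in each phase the attacker's time X ~ U(a, b) races an independent detection time Y ~ U(c, d) (the attacker advances if X < Y, otherwise the system returns to S), that the delay in S before the intrusion starts is U(a0, b0), and that all interval values are constructed samples; the function names are mine.

```python
def survival(t, lo, hi):
    """P(T > t) for T ~ Uniform(lo, hi): continuous and piecewise linear."""
    if t <= lo:
        return 1.0
    if t >= hi:
        return 0.0
    return (hi - t) / (hi - lo)

def simpson(f, lo, hi):
    """Simpson's rule is exact for polynomials of degree <= 3; every integrand
    below is at most quadratic between breakpoints, so the results are exact."""
    mid = (lo + hi) / 2.0
    return (hi - lo) / 6.0 * (f(lo) + 4.0 * f(mid) + f(hi))

def phase_stats(a, b, c, d):
    """One attack phase as a race (assumed model): attacker time X ~ U(a, b)
    against an independent detection time Y ~ U(c, d); requires a < b, c < d.
    Returns (P[X < Y], E[min(X, Y)]): the embedded-DTMC probability that the
    attacker advances to the next phase, and the mean sojourn time in this phase."""
    pts = sorted({0.0, a, b, c, d})
    p_adv = e_min = 0.0
    for lo, hi in zip(pts, pts[1:]):
        # E[min(X, Y)] = integral over t >= 0 of S_X(t) * S_Y(t)
        e_min += simpson(lambda t: survival(t, a, b) * survival(t, c, d), lo, hi)
        if a <= lo and hi <= b:  # attacker density is 1/(b - a) on [a, b], else 0
            # P[X < Y] = integral of f_X(t) * S_Y(t)
            p_adv += simpson(lambda t: survival(t, c, d), lo, hi) / (b - a)
    return p_adv, e_min

def mean_time_to_security_failure(start, phases):
    """Mean time to first security failure (MTTSF) from the secure state S.
    start = (a0, b0): assumed U(a0, b0) delay in S before the intrusion begins.
    phases = [(a, b, c, d), ...] for phases 1..n; F (after phase n) absorbs.
    In the embedded DTMC every detection returns the chain to S, so attempts
    are i.i.d. cycles and MTTSF = E[time of one attempt] / P[attempt reaches F]."""
    attempt_time = (start[0] + start[1]) / 2.0   # mean of U(a0, b0)
    reach = 1.0                                  # P[attempt has reached this phase]
    for a, b, c, d in phases:
        p_adv, e_min = phase_stats(a, b, c, d)
        attempt_time += reach * e_min            # phase is visited with prob. reach
        reach *= p_adv
    if reach == 0.0:                             # some phase can never be passed
        return float("inf")
    return attempt_time / reach                  # Wald's identity

if __name__ == "__main__":
    # constructed sample values: three phases, detection tightening each phase
    print(mean_time_to_security_failure((24.0, 72.0), [(1, 5, 2, 8), (2, 6, 1, 6), (3, 9, 1, 4)]))
```

Widening a detection interval (c, d) lowers P[X < Y] for that phase and so raises the MTTSF, which is the knob the paper's uniform-interval parameterization exposes.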
