Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management

Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strauß, Christian Stummer

SBA Research, Vienna University of Technology, University of Vienna, University of Bielefeld

March 21, 2014; Vienna, Austria

Funded by the Austrian Science Fund under project number P 23122-N23

[GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


DESCRIPTION

My talk at the GI Sicherheit 2014 @ Vienna on our paper.




Outline

1. Introduction
2. Framework
   - Knowledge base
   - Attack patterns
   - Simulation
   - Optimization
   - Decision support
3. Example
   - Experimental setup
   - Results
4. Conclusions
5. Appendix

Problem definition and approach

Objective: a framework that helps a decision maker choose an "optimal" set of security controls

Solution approach:
1. Model
   a) the IT infrastructure
   b) attacks and controls
   c) the attacker
2. Apply sets of security controls and simulate attacks
3. Optimize control sets w.r.t. multiple objectives
4. Support the decision maker in the selection of controls


Overview

[Figure: framework architecture. Components: Knowledge base (System Model; Attack and Control Model), Attack Pattern Linking, Abstract Attack Graph, Attack Scenario (Attacker model; Attacker objectives), Attack Simulation Engine, Metaheuristic optimization over a binary control vector (1 1 1 0 0 0 0 1 0 0 1 1). Objective values reported: Implementation cost, Running cost, Implementation time, Successful attacks, Successful attack actions, Detected attacks.]


Knowledge base

- Captures abstract attack knowledge
- Describes controls and their impact on attacks
- Models the IT infrastructure


[Figure: attack and control model. Atomic attack actions are specified by Pre-Conditions and Post-Conditions over condition properties.]


Brute force: Prolog rule formulation

% Preconditions
action_bruteForce(Attacker, TargetHost, TargetGroup) :-
    technicalSkillLevel(Attacker, TechnicalSkillLevel),
    TechnicalSkillLevel >= 1,
    owned(Attacker, AttackHost),
    connected(AttackHost, TargetHost, rdpProtocol, rdpPort),
    accessHost(TargetGroup, TargetHost, _),
    not(inGroup(Attacker, TargetGroup)).

% Postcondition
exec_success_action_bruteForce(Attacker, TargetHost, TargetGroup) :-
    assert(inGroup(Attacker, TargetGroup)).

% Impact
action_impact(action_bruteForce, confidentiality).
impact_success_bruteForce(Attacker, TargetHost, TargetGroup, SecurityAttribute, Impact) :-
    importance(TargetGroup, SecurityAttribute, Impact).

% Simulation attributes
/** cost, time, base probability, maxTries, simultaneous **/
action_properties(action_bruteForce, 0, 18000, 0.01, 0, true).
available_action(action_bruteForce).


Attacker, Control & Infrastructure Modelling

% Attacker
/* Attacker Properties (attacker, timeBudget, monetaryBudget, weightCosts,
   weightDetection, weightSuccess, weightDistance, behavioralModelClassName,
   pBacktrackOnSuccessAndNewActions, pSiblingOnSuccessNoNewActions,
   pRetryFailedAction, pBacktrackOnFailure) */
attacker_properties(skilledExternal, 200000, 0, 0, 0.30, 0.40, 0.30,
    utilityDepthFirst, 0.1, 0.7, 0.5, 0.3).
technicalSkillLevel(skilledExternal, 2).

% Control
available_control(control_av).
/****** Control Properties (abstractControl, ControlType, ControlVisible,
   ControlOutcome, ControlAggregationType, ControlResponseType, ControlDelay,
   CandidateAssetType, TargetAssetType) ******/
control_properties(control_av, preventive, false, null, min, null, 0, av, hostGroup).
action_has_control(action_CVE_2013_04_22, control_av).
action_has_control(action_emailBackdoor, control_av).

% Infrastructure
available_asset_type(host).
host(workstation_host_1).
user(administrator).
userGroup(adminGroup).
inGroup(administrator, adminGroup).
access(adminGroup, workstation_host_1).
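As an added example (not the authors' code), the following Python mirrors the Prolog knowledge base above: the brute-force rule's pre- and postconditions, control_av removing the actions bound to it by action_has_control/2, and a forward-chaining linker that turns the atomic actions into an abstract attack graph. The emailBackdoor precondition, the host names and the dbAdminGroup target condition are constructed for the example.

```python
"""Constructed mini knowledge base (added here; not MoSES3 code) mirroring the
Prolog facts on slides 7 and 8: atomic attack actions with pre-/post-conditions,
a preventive control that removes actions, and forward-chaining pattern linking."""
from typing import Callable, Dict, List, Set, Tuple

Fact = Tuple[str, ...]                  # e.g. ("inGroup", "skilledExternal", "adminGroup")
Binding = Tuple[str, str, List[Fact]]   # (target host, target group, precondition facts used)


class KB:
    def __init__(self, facts: Set[Fact], skill: Dict[str, int]) -> None:
        self.facts = set(facts)
        self.skill = skill                       # technicalSkillLevel/2
        # action_has_control/2 from slide 8: the preventive control removes the action
        self.has_control = {"action_emailBackdoor": "control_av",
                            "action_CVE_2013_04_22": "control_av"}
        self.applied: Set[str] = set()           # controls the defender has switched on

    def of(self, pred: str) -> List[Fact]:
        return sorted(f for f in self.facts if f[0] == pred)


def pre_bruteForce(kb: KB, attacker: str) -> List[Binding]:
    """Body of action_bruteForce/3 on slide 7: skill >= 1, an owned host with RDP
    connectivity to the target, a group with access to it, attacker not yet a member."""
    out: List[Binding] = []
    if kb.skill.get(attacker, 0) < 1:
        return out
    for _, att, attack_host in kb.of("owned"):
        if att != attacker:
            continue
        for _, src, dst, proto, port in kb.of("connected"):
            if src != attack_host or (proto, port) != ("rdpProtocol", "rdpPort"):
                continue
            for _, grp, host, _level in kb.of("accessHost"):
                if host == dst and ("inGroup", attacker, grp) not in kb.facts:
                    out.append((dst, grp, [("owned", att, attack_host),
                                           ("connected", src, dst, proto, port)]))
    return out


def pre_emailBackdoor(kb: KB, attacker: str) -> List[Binding]:
    """Constructed precondition (the slides name the action only): skill >= 1 and a
    user group with access to a host the attacker does not own yet."""
    out: List[Binding] = []
    if kb.skill.get(attacker, 0) < 1:
        return out
    for _, grp, host in kb.of("access"):
        if ("owned", attacker, host) not in kb.facts:
            out.append((host, grp, [("access", grp, host)]))
    return out


# Postconditions (exec_success_* on slide 7): the facts asserted when the action succeeds.
ACTIONS: Dict[str, Tuple[Callable[[KB, str], List[Binding]], Callable[..., Set[Fact]]]] = {
    "action_bruteForce": (pre_bruteForce, lambda a, h, g: {("inGroup", a, g)}),
    "action_emailBackdoor": (pre_emailBackdoor, lambda a, h, g: {("owned", a, h)}),
}


def link_patterns(kb: KB, attacker: str) -> Tuple[Set[Tuple[str, str]], Set[Fact]]:
    """Forward-chain until no new fact appears; returns the abstract attack graph as
    edges (producer action -> action it enabled) and the reachable facts."""
    produced_by: Dict[Fact, str] = {}
    edges: Set[Tuple[str, str]] = set()
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in ACTIONS.items():
            if kb.has_control.get(name) in kb.applied:
                continue                          # removed by an applied preventive control
            for host, grp, used in pre(kb, attacker):
                for f in used:
                    if f in produced_by:          # precondition created by an earlier action
                        edges.add((produced_by[f], name))
                for f in post(attacker, host, grp):
                    if f not in kb.facts:
                        kb.facts.add(f)
                        produced_by[f] = name
                        changed = True
    return edges, kb.facts


def scenario(apply_av: bool) -> Tuple[List[Tuple[str, str]], bool]:
    """Constructed infrastructure in the style of slide 8; returns the linked edges
    and whether dbAdminGroup membership (the target condition) becomes reachable."""
    facts: Set[Fact] = {
        ("host", "workstation_host_1"), ("host", "db_server_1"),
        ("userGroup", "workstationUserGroup"), ("userGroup", "dbAdminGroup"),
        ("access", "workstationUserGroup", "workstation_host_1"),
        ("accessHost", "dbAdminGroup", "db_server_1", "admin"),
        ("connected", "workstation_host_1", "db_server_1", "rdpProtocol", "rdpPort"),
    }
    kb = KB(facts, {"skilledExternal": 2})
    if apply_av:
        kb.applied.add("control_av")
    edges, reached = link_patterns(kb, "skilledExternal")
    return sorted(edges), ("inGroup", "skilledExternal", "dbAdminGroup") in reached
```

Without control_av the linker chains emailBackdoor into bruteForce and the target condition is reachable; with control_av applied the chain has no entry point and the graph is empty.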


Attack patterns

[Figure: the Attack Pattern Linking stage of the framework, fed by the Knowledge base (Attack and Control Model, System Model).]


Attack pattern linking

[Figure: attack patterns being linked into an abstract attack graph, built up step by step over five slides; no text.]


Simulation

[Figure: the Attack Scenario (Attacker model, Attacker objectives, and the Abstract Attack Graph produced by Attack Pattern Linking over the Knowledge base) feeding the Attack Simulation Engine.]


Discrete Event Scheduling

[Figure: event timeline of one simulation run, built up over five slides. Starting at t=0, Action Selection schedules an Action Start; Action Execution runs until the Action End, and the Execution Result feeds the next Action Selection (Action Start, Action End, ...) until the target is reached (Target Reached). A Detection during action execution triggers a Response, which ends the run with Attacker Stopped.]
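As an added example (not the authors' simulation engine), a small Python discrete-event simulator that walks the event chain above with a heap-ordered event queue. It assumes the attacker follows a fixed action path; the per-try detection probability, the path and the emailBackdoor values are constructed, while the bruteForce values and the 200000-minute time budget are the ones shown on slides 7 and 8.

```python
"""Constructed discrete-event attack simulator (added here; not MoSES3 code) for the
event chain on slides 17-21: Action Selection -> Action Start -> Action End ->
Execution Result, repeated until Target Reached, plus the Detection -> Response ->
Attacker Stopped branch. Action values follow action_properties/6 on slide 7."""
import heapq
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ActionProps:
    cost: float
    time: float            # duration of one try, in simulation minutes
    p_success: float       # base success probability per try
    max_tries: int         # 0 = unlimited, as in action_properties/6
    p_detect: float = 0.0  # constructed: per-try detection probability of a detective control


@dataclass
class Run:
    actions: Dict[str, ActionProps]
    path: List[str]        # constructed: the attack-graph path the attacker follows
    time_budget: float     # timeBudget from attacker_properties/12 on slide 8
    seed: int = 0
    t: float = 0.0
    step: int = 0          # index of the next action on the path
    seq: int = 0           # tie-breaker so simultaneous events keep FIFO order
    cost: float = 0.0
    events: list = field(default_factory=list)
    tries: Dict[str, int] = field(default_factory=dict)
    log: List[Tuple[float, str]] = field(default_factory=list)

    def schedule(self, delay: float, kind: str, action: str = "") -> None:
        self.seq += 1
        heapq.heappush(self.events, (self.t + delay, self.seq, kind, action))

    def run(self) -> str:
        """Process events in time order; returns the terminal outcome."""
        rng = random.Random(self.seed)
        self.schedule(0.0, "ActionSelection")                  # t = 0 on slide 17
        while self.events:
            self.t, _, kind, action = heapq.heappop(self.events)
            self.log.append((self.t, f"{kind} {action}".strip()))
            if kind == "ActionSelection":
                if self.step == len(self.path):
                    return "TargetReached"
                self.schedule(0.0, "ActionStart", self.path[self.step])
            elif kind == "ActionStart":
                props = self.actions[action]
                if self.t + props.time > self.time_budget:
                    return "BudgetExhausted"
                self.tries[action] = self.tries.get(action, 0) + 1
                self.cost += props.cost
                self.schedule(props.time, "ActionEnd", action)   # action execution
            elif kind == "ActionEnd":
                self.schedule(0.0, "ExecutionResult", action)
            elif kind == "ExecutionResult":
                props = self.actions[action]
                if rng.random() < props.p_detect:
                    self.schedule(0.0, "Detection", action)
                elif rng.random() < props.p_success:
                    self.step += 1                                # postcondition now holds
                    self.schedule(0.0, "ActionSelection")
                elif props.max_tries and self.tries[action] >= props.max_tries:
                    return "GaveUp"
                else:
                    self.schedule(0.0, "ActionSelection")         # retry the same action
            elif kind == "Detection":
                # ControlDelay is 0 for control_av on slide 8, so the response is immediate
                self.schedule(0.0, "Response", action)
            elif kind == "Response":
                return "AttackerStopped"
        return "NoEvents"


def simulate(path, actions, time_budget, seed=0) -> Tuple[str, float, float]:
    """One replication: (outcome, end time, attacker cost spent)."""
    r = Run(actions, list(path), time_budget, seed)
    return r.run(), r.t, r.cost


def replicate(path, actions, time_budget, n=50) -> Dict[str, int]:
    """Slide 35 uses 50 replications per control set; count the outcomes."""
    counts: Dict[str, int] = {}
    for seed in range(n):
        outcome = simulate(path, actions, time_budget, seed)[0]
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


# Constructed sample path: bruteForce takes the slide 7 values (cost 0, 18000 min,
# p 0.01, unlimited tries); 200000 is the skilledExternal time budget on slide 8.
SAMPLE = {
    "action_emailBackdoor": ActionProps(cost=10, time=60, p_success=0.5, max_tries=5),
    "action_bruteForce": ActionProps(cost=0, time=18000, p_success=0.01, max_tries=0),
}
PATH = ["action_emailBackdoor", "action_bruteForce"]
```

`replicate(PATH, SAMPLE, 200000)` returns the outcome counts over 50 seeded runs; with the slide 7 brute-force values the time budget allows about eleven tries, so most runs end in BudgetExhausted.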


Optimization

[Figure: the Attack Simulation Engine, run on the Attack Scenario built from the Knowledge base, feeding the Metaheuristic optimization, which searches over binary control vectors such as 1 1 1 0 0 0 0 1 0 0 1 1.]


Evaluation of control portfolios

[Figure: a candidate control map (the genotype, e.g. 1 1 1 0 0 0 0 1 0 0 1 1) is passed to the MosesEvaluator, which instantiates the initialized system (the phenotype).]

- A genetic algorithm adapts the control set
- Multiple replications are performed per control set


Decision support

[Figure: the objective values produced by the Attack Simulation Engine and the Metaheuristic optimization (Implementation cost, Running cost, Implementation time, Successful attacks, Successful attack actions, Detected attacks) are handed to decision support.]


Scenario domain

[Figure: scenario network and user groups. Internet, with an external attacker; DMZ (dmz subnet user group, 20 users); Clients: Client 1, Client 2, ... Client 30 (workstation user group, 30 users) and an internal attacker; Servers: DB servers DB1, DB2, DB3 (db admin group, 3 users) and file servers (file server reader group, 5 users; file server admin group, 2 users); admin group (3 users). Controls shown: Antivirus (2), IDS (2), Patch (1), Logging Policy (1), Code review (1), Security Training (3).]


58 binary decision variables (> 10^17 control-asset assignments)


Adversary types

Characteristics:

Adversary            time (mins)  w_det  w_suc  w_dist  access
Employee             2500         0.45   0.25   0.3     workstations
Administrator        5000         0.5    0.2    0.3     all hosts
Skilled External     3333         0.3    0.4    0.3     -
Unskilled External   1667         0.3    0.4    0.3     -
APT                  ∞            0.5    0.2    0.3     -

Available actions (based on skill level and access):
- Employee (skill 0): shoulderSurfing
- Unskilled external (skill 1): spearfish, sqlInjection, socialAttack, bruteForce, emailKeylogger, emailBackdoor
- Skilled external (skill 2): the above + bufferOverflow, directoryTraversal
- Admin (skill 2): all of the above
- Advanced persistent threat (skill 3): the above + zeroDay


Optimization objectives

1. Minimize cost of controls
2. Minimize target condition achievement
3. Maximize detection of attacks
4. Minimize confidentiality impact (L/M/H)
5. Minimize integrity impact (L/M/H)
6. Minimize availability impact (L/M/H)

L/M/H: low, medium, high in lexicographic order


Parameter settings

Simulation: 50 replications per control set

Optimization: 500 generations
- Population
  - α = 100 (population size)
  - µ = 25 (number of parents per generation)
  - λ = 25 (number of offspring per generation)
  - Initialization: the all-ones vector, the all-zeros vector, the remaining individuals random (i.e., each control included with p = 0.5)
- Selection: NSGA2, 2 tournaments
- Crossover: 2-point crossover at rate 0.95
- Mutation: mixed permutation (insert, revert, swap) at rate 1/n
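As an added example (not the MoSES3 optimizer), a Python sketch of the evaluation loop from the control-portfolio and parameter-settings slides: genotype to phenotype decoding, averaged replications per control set, Pareto (non-dominated) filtering, and the initialization, 2-point crossover and 1/n mutation settings listed above. The five control-asset assignments with their costs and effects, and the Bernoulli stand-in for the simulation engine, are constructed.

```python
"""Constructed sketch (added here; not the MoSES3 optimizer) of the
control-portfolio loop on slides 24 and 35: a binary genotype over
control-asset assignments is decoded into a phenotype, evaluated by averaging
simulation replications, and the population is filtered by Pareto dominance.
The evaluator is a cheap stand-in for the attack simulation engine."""
import random
from typing import Dict, List, Sequence, Tuple

# Constructed control-asset assignments: (implementation cost, reduction of attack success)
CONTROLS: Dict[str, Tuple[float, float]] = {
    "av1 on workstationHosts": (3.0, 0.30),
    "ids1 on dmzHosts": (5.0, 0.10),
    "patchCVE_2013_04_22 on dmzHosts": (1.0, 0.40),
    "logPolicy1 on dbServerHosts": (2.0, 0.05),
    "securityTraining1 on workstationUserGroup": (4.0, 0.25),
}
NAMES = list(CONTROLS)
N = len(NAMES)                       # 58 decision variables in the paper's scenario
Genotype = Tuple[int, ...]
Objectives = Tuple[float, float]     # (cost, fraction of successful attacks), both minimised


def decode(g: Genotype) -> List[str]:
    """Genotype -> phenotype: the control-asset assignments switched on."""
    return [name for name, bit in zip(NAMES, g) if bit]


def evaluate(g: Genotype, replications: int, seed: int) -> Objectives:
    """Average `replications` runs of a stand-in simulator: each run is one
    Bernoulli draw of the residual attack-success probability."""
    rng = random.Random(seed)
    cost, p_success = 0.0, 1.0
    for name in decode(g):
        c, reduction = CONTROLS[name]
        cost += c
        p_success *= 1.0 - reduction
    hits = sum(1 for _ in range(replications) if rng.random() < p_success)
    return cost, hits / replications


def dominates(a: Sequence[float], b: Sequence[float]) -> bool:
    """a dominates b if it is no worse in every objective and better in one."""
    return all(x <= y for x, y in zip(a, b)) and any(x < y for x, y in zip(a, b))


def pareto_front(evaluated: Dict[Genotype, Objectives]) -> List[Genotype]:
    """Rank-1 set of NSGA-II's non-dominated sorting."""
    return sorted(g for g, obj in evaluated.items()
                  if not any(dominates(o, obj) for h, o in evaluated.items() if h != g))


def initial_population(alpha: int, rng: random.Random) -> List[Genotype]:
    """Slide 35: the all-ones and all-zeros vectors, the rest random with p = 0.5."""
    pop = [tuple([1] * N), tuple([0] * N)]
    while len(pop) < alpha:
        pop.append(tuple(rng.randint(0, 1) for _ in range(N)))
    return pop


def two_point_crossover(a: Genotype, b: Genotype, rng: random.Random,
                        rate: float = 0.95) -> Tuple[Genotype, Genotype]:
    if rng.random() >= rate:
        return a, b
    i, j = sorted(rng.sample(range(1, N), 2))            # two cut points
    return a[:i] + b[i:j] + a[j:], b[:i] + a[i:j] + b[j:]


def mutate(g: Genotype, rng: random.Random) -> Genotype:
    """Per-position change at rate 1/n; bit flip stands in for the slide's
    permutation operators (insert, revert, swap)."""
    return tuple(1 - bit if rng.random() < 1.0 / N else bit for bit in g)


def optimise(generations: int, alpha: int, lam: int, replications: int,
             seed: int) -> List[Tuple[List[str], Objectives]]:
    """Parents are the current Pareto front; lambda offspring per generation.
    Returns the final front as (phenotype, objectives)."""
    rng = random.Random(seed)
    pop = initial_population(alpha, rng)
    evaluated: Dict[Genotype, Objectives] = {}
    for gen in range(generations + 1):
        for g in pop:
            if g not in evaluated:                       # replications are costly: cache
                evaluated[g] = evaluate(g, replications, seed + gen)
        parents = pareto_front({g: evaluated[g] for g in pop})
        if gen == generations:
            return [(decode(g), evaluated[g]) for g in parents]
        children: List[Genotype] = []
        while len(children) < lam:
            a, b = rng.choice(parents), rng.choice(parents)
            children.extend(mutate(c, rng) for c in two_point_crossover(a, b, rng))
        pop = list(dict.fromkeys(parents + children))    # (mu + lambda), deduplicated
    return []


if __name__ == "__main__":
    for phenotype, (cost, success) in optimise(20, 10, 6, 50, 1):
        print(f"cost={cost:4.1f}  success={success:.2f}  {phenotype}")
```

The empty control set always survives in the front because no other portfolio can beat its cost, which is the trade-off the decision maker then resolves by hand.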


Results

Full enumeration for this scenario would take about 10^9 years

Runtime (3 GHz Xeon, currently only a single core used): ~90 mins (admin) to ~50 hrs (APT)

Proposed efficient solutions:
- administrator: 2
- employee: 58
- unskilled external: 104
- skilled external: 306
- advanced persistent threat: 251


Example attack trace

[Figure: example attack trace (image only).]


Results: Overview

[Figure: results chart with one panel per adversary (Unskilled External, Skilled External, APT, Employee). The chart lists the 58 control-asset assignments: av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1, each on subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts (grouped as AV1, AV2, IDS1, IDS2, Patch, Log, Hardening, CodeReview); and securityTraining1, securityTraining2 and securityTraining3 (Train 1, Train 2, Train 3), each on adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup. The objective columns are Cost, Target condition reached, Detected attacks, and Confidentiality, Integrity and Availability impact, each split into high, medium and low (M/L/H).]


Results: Employee

[Figure: results chart for the Employee adversary, with the same 58 control-asset assignment columns (av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1 on the five host groups; securityTraining1, securityTraining2 and securityTraining3 on the six user groups) and the same objective columns (Cost, Target condition reached, Detected attacks, Confidentiality / Integrity / Availability impact as high, medium, low).]


Results: Employee

[Results chart (figure; only its axis labels survived extraction). Control axis: av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1, each applied on subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts; securityTraining1, securityTraining2 and securityTraining3, each applied on adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup. Objective axis: Cost, Target condition reached, Detected attacks, Confidentiality high / medium / low, Integrity high / medium / low, Availability high / medium / low.]

Annotation on the chart: No effective technical controls

Page 41: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management

Results: Employee

[Results chart (figure; only its axis labels survived extraction). Control axis: av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1, each applied on subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts; securityTraining1, securityTraining2 and securityTraining3, each applied on adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup. Objective axis: Cost, Target condition reached, Detected attacks, Confidentiality high / medium / low, Integrity high / medium / low, Availability high / medium / low.]

Annotation on the chart: Security trainings are effective

Page 42: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management

Results: Advanced persistent threat

[Results chart (figure; only its axis labels survived extraction). Control axis: av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1, each applied on subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts; securityTraining1, securityTraining2 and securityTraining3, each applied on adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup. Objective axis: Cost, Target condition reached, Detected attacks, Confidentiality high / medium / low, Integrity high / medium / low, Availability high / medium / low.]

Page 43: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management

Results: Advanced persistent threat

[Results chart (figure; only its axis labels survived extraction). Control axis: av1, av2, ids1, ids2, patchCVE_2013_04_22, logPolicy1, webServerHardening1 and codeReview1, each applied on subnet1Hosts, dmzHosts, dbServerHosts, fileServerHosts and workstationHosts; securityTraining1, securityTraining2 and securityTraining3, each applied on adminGroup, dbAdminGroup, subnet1UserGroup, fileServerUserGroup, fileServerUserReaderGroup and workstationUserGroup. Objective axis: Cost, Target condition reached, Detected attacks, Confidentiality high / medium / low, Integrity high / medium / low, Availability high / medium / low.]

Annotation on the chart: Wide range of effective controls

Page 44: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


Conclusions

Summary
- Simulation-based optimization framework for increasing IT security in given IT infrastructures, with decision support


Page 45: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


Q & A

Contact: [email protected]


Page 46: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


Implementation

Knowledge base
- Initial experiments with OWL ontologies
- SWI-Prolog [1]: current rule-based implementation
- JPL [2]: Java access

Simulation
- Java 1.6
- Mason 14 [3]: discrete-event core
- Colt 1.2 [4]: random distributions
- Jung 2.0.1 [5]: graph structures and visualization
- Log4j, XStream, JUnit, Commons, ...

Optimization
- Opt4j 2.7 [6]: evolutionary computation framework

[1] http://www.swi-prolog.org
[2] http://www.swi-prolog.org/packages/jpl
[3] http://cs.gmu.edu/~eclab/projects/mason/
[4] http://acs.lbl.gov/software/colt/
[5] http://jung.sourceforge.net/
[6] http://opt4j.sourceforge.net/


Page 47: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


Parameter settings

Simulation: 50 replications per control set

Optimization: 500 generations
- Population
  - α = 100 (population size)
  - µ = 25 (number of parents per generation)
  - λ = 25 (number of offspring per generation)
  - Initialization: the all-ones vector, the all-zeros vector, remaining random (i.e., each control included with p = 0.5)
- Selection: NSGA2, 2 tournaments
- Crossover: 2-point crossover @ rate 0.95
- Mutation: mixed permutation (insert, revert, swap), rate 1/n
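The optimization settings above describe an NSGA-II search over control sets. The following Python block is an added example, not the project's Opt4j-based implementation (Moses3 is written in Java): it encodes a control set as a bit vector and reproduces the slide's settings in miniature, i.e. initialization with the all-ones vector, the all-zeros vector and otherwise random vectors (each control included with p = 0.5), 2-point crossover at rate 0.95, mutation at rate 1/n, and non-dominated sorting with binary tournaments for parent selection. Everything else is an assumption made for the example: the four candidate controls and their costs are constructed, `evaluate` is a stand-in for the discrete-event simulation (it treats deployed controls as independent filters on the probability that the target condition is reached), bit-flip mutation stands in for the slide's mixed permutation operator, NSGA-II's crowding-distance tie-break within the last front is omitted, and α, µ, λ and the generation count are scaled down so the run finishes instantly.

```python
"""Control-set optimisation in the shape of the Moses3 'Parameter settings' slide.

Added example, not the project's Opt4j-based implementation. A control set is
a bit vector over n candidate controls (1 = deploy). Objectives: cost and the
probability that the attacker reaches the target condition, both minimised.
The controls, their costs and the evaluation function are constructed stand-ins
for the simulation; bit-flip mutation replaces the slide's mixed permutation
operator and the crowding-distance tie-break of NSGA-II is omitted.
"""
import itertools
import random

# Constructed candidate controls: (name, cost, share of attack paths the control blocks)
CONTROLS = [("av1", 3, 0.3), ("ids1", 4, 0.2), ("patch", 2, 0.4), ("training", 5, 0.5)]
N = len(CONTROLS)

def evaluate(ind):
    """Return (cost, p_target_reached) for a bit vector; both objectives are minimised."""
    cost = sum(c for bit, (_, c, _) in zip(ind, CONTROLS) if bit)
    p_reach = 1.0
    for bit, (_, _, eff) in zip(ind, CONTROLS):
        if bit:
            p_reach *= 1.0 - eff  # stand-in model: deployed controls act independently
    return cost, p_reach

def dominates(f1, f2):
    """Pareto dominance for minimisation: no worse in every objective, better in one."""
    return all(a <= b for a, b in zip(f1, f2)) and any(a < b for a, b in zip(f1, f2))

def non_dominated_fronts(pop):
    """Non-dominated sorting: fronts as index lists (rank 0 first) plus all fitnesses."""
    fits = [evaluate(ind) for ind in pop]
    remaining, fronts = list(range(len(pop))), []
    while remaining:
        front = [i for i in remaining
                 if not any(dominates(fits[j], fits[i]) for j in remaining if j != i)]
        fronts.append(front)
        remaining = [i for i in remaining if i not in front]
    return fronts, fits

def select_survivors(pop, alpha):
    """Fill the next generation front by front (rank-based truncation only)."""
    fronts, _ = non_dominated_fronts(pop)
    order = [i for front in fronts for i in front]
    return [pop[i] for i in order[:alpha]]

def initial_population(alpha, rng=None):
    """Slide: all-ones vector, all-zeros vector, remaining random with p = 0.5 per control."""
    rng = rng or random.Random()
    pop = [[1] * N, [0] * N]
    while len(pop) < alpha:
        pop.append([int(rng.random() < 0.5) for _ in range(N)])
    return pop

def two_point_crossover(p1, p2, rng=None, rate=0.95):
    """2-point crossover applied with probability `rate`; needs len(p1) >= 3."""
    rng = rng or random.Random()
    if rng.random() >= rate:
        return p1[:], p2[:]
    i, j = sorted(rng.sample(range(1, len(p1)), 2))
    return p1[:i] + p2[i:j] + p1[j:], p2[:i] + p1[i:j] + p2[j:]

def mutate(ind, rng):
    """Each bit flips with probability 1/n (bit-flip stand-in for mixed permutation)."""
    return [bit ^ int(rng.random() < 1.0 / len(ind)) for bit in ind]

def tournament(pop, ranks, rng):
    """Binary tournament on non-domination rank."""
    a, b = rng.sample(range(len(pop)), 2)
    return pop[a] if ranks[a] <= ranks[b] else pop[b]

def run(alpha=10, mu=4, lam=4, generations=30, seed=1):
    """Return the final population's rank-0 front as sorted ((cost, p_reach), genotype)."""
    rng = random.Random(seed)
    pop = initial_population(alpha, rng)
    for _ in range(generations):
        fronts, _ = non_dominated_fronts(pop)
        ranks = {i: r for r, front in enumerate(fronts) for i in front}
        parents = [tournament(pop, ranks, rng) for _ in range(mu)]
        offspring = []
        while len(offspring) < lam:
            c1, c2 = two_point_crossover(*rng.sample(parents, 2), rng)
            offspring += [mutate(c1, rng), mutate(c2, rng)]
        unique = {tuple(ind): ind for ind in pop + offspring[:lam]}  # drop duplicate sets
        pop = select_survivors(list(unique.values()), alpha)
    fronts, fits = non_dominated_fronts(pop)
    return sorted((fits[i], tuple(pop[i])) for i in fronts[0])

def exhaustive_front():
    """Ground truth for this tiny instance: Pareto-optimal sets over all 2^n vectors."""
    everything = [list(bits) for bits in itertools.product((0, 1), repeat=N)]
    fronts, _ = non_dominated_fronts(everything)
    return sorted(tuple(everything[i]) for i in fronts[0])

if __name__ == "__main__":
    print("exhaustive Pareto front:", exhaustive_front())
    print("evolutionary front:     ", run())
```

With four controls the sixteen candidate sets can be enumerated, which is what `exhaustive_front` does to check the evolutionary result; the axis labels of the results slides list 58 control placements (8 technical controls on 5 host groups plus 3 trainings on 6 user groups), i.e. 2^58 candidate sets, which is why the slide resorts to evolutionary search with 50 simulation replications per evaluated control set. The all-zeros set (no cost) and the all-ones set (lowest residual risk) are never dominated, so under rank-based survival they stay in the population from the first generation on; the interesting members of the front are the ones in between, which trade cost against residual risk.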


Page 48: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


Behavioral model

Choice set: [state diagram of the attacker's action selection (figure); its transitions are labelled $p_{\mathrm{continueNew}}$, $1 - p_{\mathrm{continueNew}}$, $p_{\mathrm{retry}}$ and $1 - p_{\mathrm{retry}}$]

Action Selection

Choice function: for all considered actions $a \in A$

1. Calculate distance in abstract graph: $d^{\mathrm{rel}}_a \leftarrow \dfrac{d(a,t)}{\max(d(a,t)) + 1}$
2. Calculate weight: $W_a \leftarrow p_{\mathrm{suc}}(a)^{w_{\mathrm{suc}}} \cdot (1 - p_{\mathrm{det}}(a))^{w_{\mathrm{det}}} \cdot (1 - d^{\mathrm{rel}}_a)^{w_{\mathrm{dist}}}$
3. return weightedChoice($A$, $W$)
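The choice function of the behavioral model, as an added Python example (not code from the Moses3 project, whose simulation core is written in Java): it computes the relative distance $d^{\mathrm{rel}}_a$, the weight $W_a$ and the weighted draw with the slide's own symbols. The three sample actions, their $p_{\mathrm{suc}}(a)$, $p_{\mathrm{det}}(a)$ and $d(a,t)$ values, and the action names are constructed for the example; the exponents $w_{\mathrm{suc}}$, $w_{\mathrm{det}}$ and $w_{\mathrm{dist}}$ are the attacker-profile parameters the slide leaves open, and the example varies them to show how a goal-directed profile and a detection-averse profile end up preferring different actions from the same choice set.

```python
"""Attacker action selection as on the Moses3 'Behavioral model' slide.

Added example, not code from the Moses3 project. It implements the slide's
choice function with the slide's own symbols:
    d_rel(a) = d(a,t) / (max_a d(a,t) + 1)
    W_a      = p_suc(a)^w_suc * (1 - p_det(a))^w_det * (1 - d_rel(a))^w_dist
    weightedChoice(A, W): draw one action with probability proportional to W_a
The sample actions and their p_suc, p_det and d(a,t) values are constructed.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Action:
    name: str
    p_suc: float  # p_suc(a): probability that the action succeeds
    p_det: float  # p_det(a): probability that the action is detected
    dist: int     # d(a,t): distance from the action to the target t in the abstract graph


def relative_distances(actions):
    """Step 1: d_rel(a) = d(a,t) / (max d(a,t) + 1); the +1 keeps 1 - d_rel(a) > 0."""
    d_max = max(a.dist for a in actions)
    return {a.name: a.dist / (d_max + 1) for a in actions}


def action_weights(actions, w_suc=1.0, w_det=1.0, w_dist=1.0):
    """Step 2: W_a = p_suc^w_suc * (1 - p_det)^w_det * (1 - d_rel)^w_dist."""
    d_rel = relative_distances(actions)
    return {a.name: (a.p_suc ** w_suc)
                    * ((1.0 - a.p_det) ** w_det)
                    * ((1.0 - d_rel[a.name]) ** w_dist)
            for a in actions}


def choice_probabilities(actions, **profile):
    """Normalised weights: the probability weightedChoice assigns to each action."""
    weights = action_weights(actions, **profile)
    total = sum(weights.values())
    return {name: w / total for name, w in weights.items()}


def most_likely_action(actions, **profile):
    """Name of the action with the largest weight under the given profile."""
    weights = action_weights(actions, **profile)
    return max(weights, key=weights.get)


def weighted_choice(actions, weights, rng):
    """Step 3: weightedChoice(A, W), roulette-wheel sampling proportional to W_a."""
    total = sum(weights[a.name] for a in actions)
    if total <= 0.0:
        raise ValueError("no action has positive weight")
    r = rng.random() * total
    acc = 0.0
    for a in actions:
        acc += weights[a.name]
        if r < acc:
            return a
    return actions[-1]  # only reached through floating-point rounding at the upper edge


# Constructed choice set; the host-group names follow the deck's example infrastructure
SAMPLE_ACTIONS = [
    Action("reachFileServerHosts",  p_suc=0.6, p_det=0.2, dist=2),
    Action("reachDbServerHosts",    p_suc=0.4, p_det=0.5, dist=1),
    Action("reachWorkstationHosts", p_suc=0.1, p_det=0.8, dist=3),
]


def empirical_frequency(actions, name, draws=10_000, seed=7, **profile):
    """Sampled share of `name` over `draws` draws; converges to choice_probabilities."""
    rng = random.Random(seed)
    weights = action_weights(actions, **profile)
    hits = sum(weighted_choice(actions, weights, rng).name == name for _ in range(draws))
    return hits / draws


if __name__ == "__main__":
    for profile in ({}, {"w_dist": 3.0}, {"w_det": 3.0}):
        probs = choice_probabilities(SAMPLE_ACTIONS, **profile)
        print(profile or "default weights", {k: round(v, 3) for k, v in probs.items()})
```

With equal exponents the sample attacker most often picks the action with the best success-times-stealth product; raising $w_{\mathrm{dist}}$ to 3 makes the same attacker prefer the action closest to the target even though it is riskier. That is the mechanism behind the different result charts for the Employee and the advanced persistent threat profiles, and the reason a control set that looks good against one profile should be re-simulated against the others before it is chosen.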

Page 58: [GI Sicherheit 2014] Moses3 - Complex Systems, Heterogeneous Attackers and Versatile Controls: Simulation Based Decision Support in IT Security Management


References I

S. Barnum and G. McGraw, "Knowledge for software security," IEEE Security & Privacy, vol. 3, no. 2, pp. 74–78, 2005.

S. Luke, C. Cioffi-Revilla, L. Panait, and K. Sullivan, "MASON: a new multi-agent simulation toolkit," in 2004 SwarmFest Workshop, 2004.

M. Lukasiewycz, M. Glass, and F. Reimann, "Opt4J documentation," 2012. [Online]. Available: http://opt4j.sourceforge.net/documentation/2.7/book.xhtml
