modeling observability in adaptive systems to defend against advanced persistent threats ·...
TRANSCRIPT
Modeling Observability in Adaptive Systems to Defend Against
Advanced Persistent Threats
Cody Kinneer, Ryan Wagner, Fei Fang, Claire Le Goues, David Garlan
2
Security in Self-* Systems
3
Security in Self-* Systems
4
Advanced Persistant Threats (APTs)
5
Advanced Persistant Threats (APTs)
6
Tactics Techniques and Procedures (TTPs)
7
Tactics Techniques and Procedures (TTPs)
8
APT Observability
9
APT Observability
• Multiple attacker types• Goals• Tactics Techniques and Procedures (TTPs)
• Actions (both sides)• Defender faces wait or evict dilemma• Attacker notices defensive measures and
adapts to remain hidden
10
Observable Eviction Game
11
Observable Eviction Game
• One (or none) of several APT attackers present
• Defender suspects an attack, unsure of attacker identity
• Takes place over a finite number of timesteps
• Each side has knowledge of available actions and payoff structure
12
Extensive Form Game
13
Extensive Form Game
14
Extensive Form Game
15
Extensive Form Game
16
Extensive Form Game
17
Extensive Form Game
18
Extensive Form Game
19
Extensive Form Game
20
Extensive Form Game
21
Extensive Form Game
22
Extensive Form Game
23
Extensive Form Game
24
Extensive Form Game
25
Extensive Form Game
26
Extensive Form Game
27
Extensive Form Game
28
Extensive Form Game
29
Payoffs
• Attacker• Time in system• Suitability of TTP to goals
• Defender• Limit attacker utility• Minimize disruption to system
• Different TTPs cause different disruption• Defensive measures cause varying disrutpion
30
Payoffs
31
Extensive Form Game
32
Extensive Form Game
33
Extensive Form Game
34
Extensive Form Game
35
Extensive Form Game
36
Solving the Game
37
Solving the Game
38
Solving the Game
39
Solving the Game
40
Solving the Game
41
Validation
• Does using the model result in improved utility compared to random?
• Can the OEG enable a robust defense for a range of threat landscapes?
• Is solving the OEG scalable to practically useful time horizons?
42
Limitations and Future Work
• High level of abstraction• Generalizability to real world systems• Refinement to provide automation for APT
testbed• Abstract strategy reuse and refinement
43
Conclusion
• Security presents unique challenges to Self-* systems
• Observable Eviction Game• Modeling observability as a first class
concern is a step towards secure self-* systems
Paper Available at:http://acme.able.cs.cmu.edu/pubs/uploads/pdf/[email protected]
44
Backup Slides
45
Comparison to Random
46
Using the model results in improvement
−1.5
−1.4
−1.3
−1.2
0.0 0.2 0.4 0.6Prior Probability of Attacker Type 1
Def
ende
r's U
tility
Defender Plays
equilibriumuniform random
Stackelberg Equilibrium
−1.5
−1.4
−1.3
−1.2
0.0 0.2 0.4 0.6Prior Probability of Attacker Type 1
Def
ende
r's U
tility
Defender Plays
equilibriumuniform random
Nash Equilibrium
47
NE Sensitivity Analysis
48
0.0
0.2
0.4
0.6
11 12 21 22 e1 e2 we1 we2 wp ae1 ae2 apAction
Prio
r P
roba
bilit
y of
Atta
cker
Typ
e 1
0.000.250.500.751.00
ProbabilityPlayed
Nash Equilibrium
49
0.0
0.2
0.4
0.6
11 12 21 22 e1 e2 we1 we2 wp ae1 ae2 apAction
Prio
r P
roba
bilit
y of
Atta
cker
Typ
e 1
0.000.250.500.751.00
ProbabilityPlayed
Stackelberg Equilibrium
50
Scalability Analysis
51
Stackleberg Scalable on Number of Timesteps
0
5
10
15
0 5 10 15 20 25Number of Timesteps
Tim
e in
Sec
onds
Equilibrium
NashStackelberg
52
Evaluate Design Alternatives
53
Utility Change with Honeypots
0
5
10
15
0.00 0.25 0.50 0.75 1.00
Prior Probability of Attacker Type 1
Opt
imal
Num
ber
of D
ecoy
s
Equilibrium
nash
stackelberg
0.00
0.05
0.10
0.15
0.00 0.25 0.50 0.75 1.00
Prior Probability of Attacker Type 1
Del
ta D
efen
der's
Util
ity
Equilibrium
nash
stackelberg
54
Strategy Change with Honeypots
55
Optimal Defense
• Bayesian Nash and Stackelberg equilibria
w0e1
1 w0e2
1e1
0e2
0
0.68 0.00 0.00 0.32
The power of observability