Threat Analysis

Ranking of security controlling strategies driven by quantitative threat analysis.
Table 2: "Big data security evaluation"
UNIFI-CNR
Nicola Nostro, Andrea Ceccarelli,
Ilaria Matteucci, Felicita Di Giandomenico
Fai della Paganella - February 12, 2014
Outline
1. General description of work
2. Basics
3. Architecture/Framework
4. Use case
5. Conclusions and future works
General description of the work
• Security analysis and design are key activities for the
protection of critical systems and infrastructure.
• Traditional approaches:
– Apply a qualitative threat assessment
– Results used as input for the security design such that
appropriate countermeasures are selected
• Our work: selection and ranking of security
controlling strategies driven by quantitative threat
analysis
– Threat analysis that identifies attack points and paths, and
ranks attacks (by cost, difficulty, ...)
– Such enriched information is used for more elaborate
controlling strategies that derive the appropriate
monitoring rules and select countermeasures.
Basics – Threat Analysis
• Purpose is to create a database of threats,
vulnerabilities and countermeasures
– start from the identification of the assets to protect
– identify the potential vulnerabilities and the related
threats
– take into account the severity of the threats
– define the countermeasure plans
• A vulnerability is a bug, a flaw, a weakness or an
exposure of an application, a system, a device or a
service which could lead to issues of confidentiality,
integrity or availability.
• A threat represents the occurrence of a harmful
event that exploits one or more vulnerabilities.
Basics – Control strategies (1)
A control strategy is defined in order to
guarantee “security” at run-time.
A security policy is expressed over the traces of
the system.
Guaranteeing security means that the
controlled system satisfies security policies.
Basics – Control strategies (2)
• The truncation strategy recognizes bad
sequences of actions and halts program
execution before the security property is violated,
but cannot otherwise modify program behavior.
• The suppression strategy can halt program
execution and suppress individual program
actions without terminating the program
outright.
• The insertion strategy can insert a sequence of
actions into the program actions stream as well
as terminate the program.
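The three strategies above, worked as trace editors in Python. This is an added illustration, not code from the UNIFI-CNR work: the security policy (no "send" after "read_secret" unless a "sanitize" happened in between), the action names and the program trace are constructed for the example.

```python
# Added illustration of the three control strategies (truncation,
# suppression, insertion) as trace editors. Not code from the UNIFI-CNR
# work; policy, action names and program trace are constructed.
from typing import Callable, List

Trace = List[str]
# A policy is a predicate over a trace prefix: True while the prefix is acceptable.
Policy = Callable[[Trace], bool]


def no_send_after_secret(prefix: Trace) -> bool:
    """Constructed policy: after 'read_secret', a 'send' is forbidden
    unless a 'sanitize' action has occurred in between."""
    tainted = False
    for action in prefix:
        if action == "read_secret":
            tainted = True
        elif action == "sanitize":
            tainted = False
        elif action == "send" and tainted:
            return False
    return True


def truncation(trace: Trace, policy: Policy) -> Trace:
    """Halt execution right before the first action that would violate
    the policy; the program's behaviour is not otherwise modified."""
    out: Trace = []
    for action in trace:
        if not policy(out + [action]):
            break  # program terminated here
        out.append(action)
    return out


def suppression(trace: Trace, policy: Policy) -> Trace:
    """Drop each violating action but let the program keep running."""
    out: Trace = []
    for action in trace:
        if policy(out + [action]):
            out.append(action)
        # otherwise the action is suppressed and execution continues
    return out


def insertion(trace: Trace, policy: Policy, fix: str = "sanitize") -> Trace:
    """Insert a corrective action before a violating one; if the policy
    still fails after the insertion, terminate the program."""
    out: Trace = []
    for action in trace:
        if policy(out + [action]):
            out.append(action)
        elif policy(out + [fix, action]):
            out.extend([fix, action])
        else:
            break
    return out


def satisfies(trace: Trace, policy: Policy) -> bool:
    """A trace satisfies the policy when every prefix does (safety property)."""
    return all(policy(trace[:i]) for i in range(len(trace) + 1))


# Constructed program trace: the raw run violates the policy at the first 'send'.
PROGRAM_TRACE: Trace = ["open", "read_secret", "send", "log", "send"]

if __name__ == "__main__":
    for strategy in (truncation, suppression, insertion):
        controlled = strategy(PROGRAM_TRACE, no_send_after_secret)
        print(f"{strategy.__name__:12s} -> {controlled} "
              f"secure={satisfies(controlled, no_send_after_secret)}")
```

All three controlled traces satisfy the policy, but they differ in how much of the original behaviour survives: truncation stops at "read_secret", suppression keeps running but drops both sends, and insertion keeps every action by paying for an extra "sanitize" step. That difference in residual behaviour (and in the cost of the edits) is what the quantitative ranking later in the deck is meant to capture.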
Framework Architecture
• Threat analysis supported by security models provides
information on:
– Attackers
– Attacks and Attack points (as usual from threat analysis)
– Attack paths
– Relevance of the path (from a security
viewpoint)/necessity of countermeasures
– Weights: costs, probabilities
• Security control strategies
– Uses weights, relevance of the paths
– Current objective: ranking of quantitative security
controlling strategies
– Final output is the definition of countermeasures based
on the evaluation of the controlled paths
High-level Workflow
[Workflow diagram: Requirements ((system) functional requirements; dependability and security requirements) → Threats Analysis → Controlling strategies → Design of security countermeasures]
Use case description
• Critical system
– Several categories of users
– Heterogeneous devices
• Security and Privacy requirements to protect
– guarantee that authorized users do not
compromise, counterfeit, steal or unnecessarily
query data, and do not abuse the data
correlation and data search capacity beyond what
is strictly necessary for their work.
ADVISE formalism
1. Attack Execution Graph (AEG)
– attack graph with different nodes: attack
steps, access domains, skills, and goals
2. Adversary Profile: the set of items initially
owned, proficiency in attack skills, and
policies:
– payoff, costs, detection risk
• The algorithm evaluates the reachable states
for a planning horizon and selects the most
appealing one
E. LeMay, M.D. Ford, K. Keefe, W.H. Sanders, C. Muehrcke, “Model-based Security Metrics Using ADversary
VIew Security Evaluation (ADVISE)”, QEST 2011, pp. 191–200
(Insider) Threat analysis and AEG – resulting AEG
[Figure: Data Theft Attack Execution Graph]
(insider) Threat analysis and AEG –
quantitative results
• Based on predefined metrics of interest
– Attackers;
– Critical paths, probability to follow a path;
– Critical Attack Steps;
– Attack costs;
– ...
Attributes   System Administrator   System Expert
Skill        800                    500
Cost         0                      0
Detection    0.1                    0.4
Payoff       1000                   1000
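An ADVISE-style exploration in Python, as an added example that is neither the ADVISE tool nor the authors' Data Theft model. The adversary profiles take their Skill, Cost, Detection and Payoff attributes from the table above (Cost and Detection are read as the adversary's weights on attack cost and on detection risk, which is an interpretation); the attack execution graph, the adversaries' initial access domains and the attractiveness function (payoff if a goal is reached, minus weighted cost and weighted detection risk) are assumptions made for the example.

```python
# Added illustration of an ADVISE-style evaluation of an Attack Execution
# Graph (AEG) with the adversary attributes from the table. Not the ADVISE
# tool nor the authors' Data Theft model: the AEG, the initial access and
# the attractiveness function are simplifications assumed for the example.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class AttackStep:
    name: str
    requires: FrozenSet[str]  # access domains needed to attempt the step
    skill: int                # minimum proficiency required
    cost: float
    detection: float          # probability that this step is detected
    grants: FrozenSet[str]    # access domains gained on success
    goal: bool = False


@dataclass(frozen=True)
class Adversary:
    name: str
    skill: int
    cost_weight: float        # 'Cost' column, read as weight on attack cost
    detection_weight: float   # 'Detection' column, read as weight on detection risk
    payoff: float             # 'Payoff' column
    initial_access: FrozenSet[str]


# Constructed AEG for a data-theft goal.
AEG: List[AttackStep] = [
    AttackStep("obtain_credentials", frozenset({"network"}), 400, 0, 0.1, frozenset({"account"})),
    AttackStep("escalate_privileges", frozenset({"account"}), 700, 0, 0.4, frozenset({"admin"})),
    AttackStep("social_engineer_admin", frozenset({"account"}), 500, 0, 0.6, frozenset({"admin"})),
    AttackStep("export_records", frozenset({"admin"}), 300, 0, 0.2, frozenset({"data"}), goal=True),
]

# Adversary profiles from the table; initial access is an assumption
# (the insider administrator already holds the admin domain).
SYSTEM_ADMIN = Adversary("System Administrator", 800, 0, 0.1, 1000, frozenset({"network", "admin"}))
SYSTEM_EXPERT = Adversary("System Expert", 500, 0, 0.4, 1000, frozenset({"network"}))


def enabled(step: AttackStep, adversary: Adversary, access: FrozenSet[str], done: FrozenSet[str]) -> bool:
    """A step is enabled when not yet taken, within the adversary's skill,
    and all access domains it requires are held."""
    return step.name not in done and step.skill <= adversary.skill and step.requires <= access


def attractiveness(adversary: Adversary, path: List[AttackStep]) -> float:
    """Assumed scoring: payoff if a goal step is on the path, minus weighted
    total cost and weighted probability of being detected at least once."""
    if not path:
        return 0.0
    p_undetected = 1.0
    for step in path:
        p_undetected *= 1.0 - step.detection
    payoff = adversary.payoff if any(s.goal for s in path) else 0.0
    score = (payoff
             - adversary.cost_weight * sum(s.cost for s in path)
             - adversary.detection_weight * (1.0 - p_undetected) * adversary.payoff)
    return round(score, 4)


def best_plan(adversary: Adversary, aeg: List[AttackStep], horizon: int) -> Tuple[float, List[str]]:
    """Explore every attack sequence of at most `horizon` steps reachable
    from the adversary's initial state and return the most attractive one
    (doing nothing scores 0, so a negative plan is never chosen)."""
    best: Tuple[float, List[str]] = (0.0, [])

    def explore(path, access, done):
        nonlocal best
        score = attractiveness(adversary, path)
        if score > best[0]:
            best = (score, [s.name for s in path])
        if len(path) == horizon:
            return
        for step in aeg:
            if enabled(step, adversary, access, done):
                explore(path + [step], access | step.grants, done | {step.name})

    explore([], adversary.initial_access, frozenset())
    return best


if __name__ == "__main__":
    for adv in (SYSTEM_ADMIN, SYSTEM_EXPERT):
        for h in (1, 2, 3):
            print(adv.name, "horizon", h, "->", best_plan(adv, AEG, h))
```

The run shows what the planning horizon does to the quantitative result: the insider administrator reaches the goal in one step with low detection risk, while the external expert only finds an attractive plan once the horizon is long enough to chain three steps, and that plan carries a much larger detection penalty. Those per-adversary path scores are the kind of "critical path" and "attack cost" metrics the slide lists, and the steps shared by the highest-scoring paths are where monitoring rules and countermeasures pay off most.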
Quantitative Control strategies
• We can associate a measure, e.g., a cost, with each trace
manipulation.
• Definition of a controller process through a Generalized
Process Algebra in which each step is associated with a value.
Definition.
Given a path t = (a1,k1) … (an,kn), the label of t is (a1 …
an), which belongs to Act*, and its run weight is |t| = k1 * … * kn,
which belongs to K, where the product * denotes the product of the
considered semiring K.
The valuation of a process intuitively corresponds to the sum of
the run weights of all the traces belonging to the process.
Is one control strategy better than
another?
To select the controller strategy that best fits a
set of requirements (e.g., the minimum cost),
we associate with each step a value obtained from
the threat analysis.
;
;
where k,k’ denote these values.
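The weighted-trace definition and the strategy ranking worked through in Python. This is an added example, not the authors' Generalized Process Algebra: the two semirings (a tropical (min, +) semiring for costs and a (+, ×) semiring for probabilities), the action names, the controlled traces and the per-step values standing in for the values produced by the threat analysis are all constructed for the illustration, and ranking by comparing valuations is the rule assumed here.

```python
# Added illustration of paths t = (a1,k1)...(an,kn), run weight
# |t| = k1 * ... * kn and process valuation over a semiring K. Not the
# authors' implementation; semirings, traces and step values are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Semiring:
    plus: Callable[[float, float], float]   # combines alternative traces
    times: Callable[[float, float], float]  # combines steps along one trace
    zero: float                             # neutral element of plus
    one: float                              # neutral element of times


# Tropical semiring (min, +): the run weight is the total cost of a trace
# and the valuation of a process is the cost of its cheapest trace.
COST = Semiring(min, lambda a, b: a + b, float("inf"), 0.0)
# Probability semiring (+, x): the run weight is the probability of a trace
# and the valuation is the probability mass of the whole process.
PROB = Semiring(lambda a, b: a + b, lambda a, b: a * b, 0.0, 1.0)

Step = Tuple[str, float]   # (a_i, k_i)
Path = List[Step]          # t = (a_1,k_1) ... (a_n,k_n)


def label(t: Path) -> Tuple[str, ...]:
    """Label of t: the action word a_1 ... a_n in Act*."""
    return tuple(a for a, _ in t)


def run_weight(t: Path, K: Semiring) -> float:
    """|t| = k_1 * ... * k_n with the product of the semiring K."""
    w = K.one
    for _, k in t:
        w = K.times(w, k)
    return w


def valuation(process: List[Path], K: Semiring) -> float:
    """Semiring sum of the run weights of all traces of the process."""
    v = K.zero
    for t in process:
        v = K.plus(v, run_weight(t, K))
    return v


def rank_strategies(strategies: Dict[str, List[Path]], K: Semiring) -> List[Tuple[str, float]]:
    """Rank controller strategies by valuation, lowest first; with COST the
    first entry is the strategy with the minimum cost (assumed selection rule)."""
    return sorted(((name, valuation(p, K)) for name, p in strategies.items()),
                  key=lambda item: item[1])


# Constructed controlled traces with per-step costs: a truncating controller
# stops the program early, an inserting controller adds a (costly)
# 'sanitize' step and lets the program finish.
STRATEGIES: Dict[str, List[Path]] = {
    "truncation": [[("open", 1.0), ("read_secret", 2.0)]],
    "insertion": [[("open", 1.0), ("read_secret", 2.0), ("sanitize", 4.0), ("send", 1.0)]],
}

# Constructed attack paths with step probabilities from a threat analysis;
# the process valuation is the probability of following any of them.
ATTACK_PATHS: List[Path] = [
    [("obtain_credentials", 0.5), ("export_records", 0.4)],
    [("obtain_credentials", 0.5), ("escalate_privileges", 0.6)],
]

if __name__ == "__main__":
    print("ranking by cost:", rank_strategies(STRATEGIES, COST))
    print("probability of any attack path:", valuation(ATTACK_PATHS, PROB))
```

Choosing the semiring is what turns "a value per step" into a requirement: the same traces valued in the cost semiring rank the cheapest strategy first, while valued in the probability semiring they give the probability of following a path, which is the weight the threat analysis attaches to critical paths. Note that the cheapest strategy here is also the one that preserves the least program behaviour, so the minimum-cost requirement alone would pick truncation; a requirement on functionality would have to be expressed as another measure.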
Next Steps
• Identification of appropriate Case Study
• Preliminary version of paper in progress
• Iterative approach to framework