Towards a Theory of Cyber Attack Mechanics - PowerPoint PPT Presentation

Description: There is no reliable cyber attack early warning system and no reliable ... attack upon a large, complicated network disturbs the fractal nature of that ...
Slides: 21
Transcript and Presenter's Notes


1
Towards a Theory of Cyber Attack Mechanics
  • Phase 1 of a 3-Phase Program of Research

Peter R. Stephenson, PhD, CISSP, CISM, FICAF
Eastern Michigan University / Norwich University
pstephen_at_norwich.edu

Paul Prueitt, PhD
George Washington University
paul_at_ontologystream.com
2
Problem Statement
  • There is no reliable way to protect against or
    back-trace unknown attacks and/or complicated
    attacks of unknown type or origin
  • There is no reliable cyber attack early warning
    system and no reliable anticipatory mechanism
  • Currently, digital attacks are categorized in a
    somewhat haphazard manner
  • Existing attack taxonomies tend to focus upon the
    known from the perspective of the attack
  • Attacks are viewed as the product of some exploit
    or set of exploits over a vulnerability or set of
    vulnerabilities
  • Generally, both the exploits and the
    vulnerabilities must be known

3
Motivation for this Research
  • Formalization and understanding of how attacks
    behave on the Internet and within enterprise
    networks
  • Development of a cyber attack taxonomy derived
    from formal ontology
  • Discovery of a reliable method for forensic
    analysis of complicated network events
  • Discovery of a reliable method of cyber attack
    early warning
  • Development of an artificial immune system for
    protecting computing systems

4
Research Program
  • Phase 1: Foundation (the topic of this paper)
    • Produce a foundational mathematical vocabulary
      that allows formal discussion of cyber events
    • Develop a preliminary cyber attack taxonomy using
      stratified ontology and other formal techniques
    • Develop a hypothesis of cyber attack mechanics
  • Phase 2: Forensic and early warning tool sets
    (year 2)
    • Validation of the Phase 1 taxonomy and cyber attack
      hypothesis
  • Phase 3: Artificial immune system prototype
    development (year 3)

5
Notation and Formal Definitions: the Starting
Points
FOUNDATIONAL VOCABULARY
  • Definition 1: Security Policy Domain
    A security policy domain, E_p, consists of all of
    the elements, e, of an enterprise that conform to
    the same security policy, p.
  • Definition 2: External Stimulus
    An external stimulus, β, applies to a set of
    states and yields a set of states.
  • Definition 3: Computer Security Incident
    A computer security incident, i, results when a
    change of state of an element, e, conforming to a
    policy p causes that element no longer to conform
    to that policy, and where the state change is
    caused by the application of a stimulus, β,
    external to the system.
  • Definition 4: Impact
    An impact, µ, results when an external stimulus β
    is applied to a state s.
  • Definition 5: Vulnerability
    A vulnerability, v, is a weakness or flaw in an
    element of a system that has the potential to be
    exploited with a damaging outcome, µ.
  • Definition 6: Threat
    A threat, t, is an external stimulus β that may
    lead to an incident when β is applied to an
    element, e; t is defined when β(e) → i.
  • Definition 7: Information System Risk
    Information system risk is the probability, P,
    that a threat agent will successfully exploit a
    vulnerability to create an impact µ.
  • Definition 8: Cyber Attack
    A cyber attack, a, is an ordered threat-vulnerability
    pair: a = (t, v).

Notation and formal expressions appear in
Stephenson, Peter R. and Prueitt, Paul S., "Towards a
Theory of Cyber Attack Mechanics".
6
Developing a Cyber Attack Taxonomy: Concepts
CYBER ATTACK TAXONOMY
  • Categorical Abstraction (cA)
    • Each element of a machine taxonomy is a cA
    • Formed from the induction, or abstraction, of a
      reduced set of descriptors so that differences
      between elements in the same category are
      diminished
    • In the case of cyber attacks, we are concerned
      with cA about the universe of threats applied
      against vulnerabilities
  • Functional properties of combinations of
    elementary patterns (cA)
    • Formation of a higher level of abstraction where
      function may be realized from any of a large set
      of combinations of lower-level cA
    • The lower level is the level for atomic cA, and the
      higher level the level for molecular or compound
      cA
  • We use a technique called Event Chemistry (eC) to
    aid in cA and visualization

7
Developing a Cyber Attack Taxonomy
CYBER ATTACK TAXONOMY
  • Using formal methods we break down the results of
    combinations [1] in the universe of possible attacks
    to a manageable set of representations.
  • Several inductions are involved in the production
    of abstractions that leave out details that are
    not salient in context.
  • The set of molecular cAs contains compounds whose
    event chemistry (eC) can become known by applying
    a special set of formal mechanisms.
  • The result is a stratification of abstractions about
    process activity that provides a simple way to
    describe a very complicated universe of events,
    both known and unknown.
  • An understanding of cyber attacks described using
    a formal taxonomy is fundamental to developing a
    theory of cyber attack mechanics.
  • The vulnerability taxonomy is derived from the MITRE
    CVE (http://cve.mitre.org) and the threat taxonomy
    from the Common Criteria.

8
Developing a Cyber Attack Taxonomy
CYBER ATTACK TAXONOMY
  • Structural ontology
    • A set of defining specifications that will result
      in measurements that can be compared with elements
      of a taxonomy of cyber attacks
    • Allows a precise set of definitions of attack
      types from which we can abstract a clear notion
      of a network organism's self and not-self, as
      required in the construction of an artificial
      immune system
  • We abstract away from the specific threats and
    vulnerabilities to build a structural ontology
    based upon that level of abstraction
  • We are then able to derive a taxonomy that is
    abstracted from explicit threats and
    vulnerabilities and no longer depends upon them
    as part of the process of attack definition
  • The notion of attack types (and the substructural
    threats and vulnerabilities) must acknowledge, but
    must not depend upon, known attacks

9
SLIP (Shallow Link analysis, Iterated
Scatter-Gather, and Parcelation)
CYBER ATTACK TAXONOMY
  • Derives a set of elemental representations of
    attacks based upon threats and vulnerabilities
  • Allows us to explore the set of attacks as
    defined in Definition 8
  • A specific application of an ontology referential
    base (Orb) of the form [expression not reproduced
    in this transcript], where a_i and a_j are
    substructural elements and r is some relation
    between them
  • eC representation of two threats (from the attack
    taxonomy) against a vulnerability residing in an
    attack space using SLIP [figure not reproduced]

10
Structure of the Cyber Attack Upper Taxonomy, a = (t, v)
CYBER ATTACK TAXONOMY
  • Access_Err (v)
    • User_Send, User_Modify, User_Err_Conf,
      User_Collect, User_Abuse_Conf, Spoofing,
      Hack_Msg_Data, Hack_Masq, Hack_Comm_Eavesdrop,
      Hack_AC, Dev_Flawed_Code, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit, User_Send
  • Conf_Err (v)
    • User_Send, User_Modify, User_Collect,
      User_Abuse_Conf, Hack_Crypto, Hack_Comm_Eavesdrop,
      Admin_User_Priv, Admin_Hostile_Modify,
      Admin_Err_Commit, Admin_Err_Omit
  • Config_Err (v)
    • User_Send, User_Modify, User_Err_Slf_Protect,
      User_Err_Misuse_Avl_Resc, User_Err_Integrity,
      User_Err_Inaccess, User_Err_Conf, User_Collect,
      User_Abuse_Conf, Malicious_Code, Hack_Msg_Data,
      Hack_AC, Failure_DS_Comp, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit
  • Input_Err (v)
    • User_Send, User_Modify, User_Misuse_Avl_Resc,
      User_Err_Slf_Protect, User_Err_Integrity,
      User_Err_Inaccess, User_Err_Conf, Hack_Msg_Data,
      Hack_Masq, Hack_AC, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit
  • Logic_Err (v)
    • User_Send, User_Modify, User_Misuse_Avl_Resc,
      User_Err_Slf_Protect, User_Err_Integrity,
      User_Err_Inaccess, User_Err_Conf, User_Collect,
      User_Abuse_Conf, Malicious_Code, Hack_Msg_Data,
      Hack_Masq, Hack_Comm_Eavesdrop, Hack_Avl_Resc,
      Hack_AC, Admin_User_Priv, Admin_Hostile_Modify,
      Admin_Err_Commit, Admin_Err_Omit
  • DOS (v)
    • User_Err_Slf_Protect, User_Err_Misuse_Avl_Resc,
      Power_Disrupt, Malicious_Code, Hack_Phys,
      Hack_Avl_Resc, Failure_DS_Comp, Dev_Flawed_Code,
      Component_Failure, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit
  • Audit_Err (v)
    • User_Collect, Spoofing, Repudiate_Transact,
      Repudiate_Send, Repudiate_Receive, Hack_AC,
      Dev_Flawed_Code, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit
  • Phys_Acc (v)
    • Power_Disrupt, Hack_Social_Engineer, Hack_Phys,
      Component_Failure, Admin_User_Priv,
      Admin_Hostile_Modify, Admin_Err_Commit,
      Admin_Err_Omit
  • Client_Side (v)
    • Malicious_Code, Dev_Flawed_Code

11
The 9 Upper Attack Taxonomy Classes Yield 31
Attack Stems or Primes
CYBER ATTACK TAXONOMY
  • [Diagram, partially recovered] Based upon the
    Client_Side attack class: Malicious_Code,
    Client_Side, Config_Err, DOS, Logic_Err,
    Dev_Flawed_Code, Access_Err, Audit_Err,
    Client_Side, DOS

12
The Fractal Nature of the Internet
  • Any sufficiently large network such as the public
    Internet may be described in terms of the fractal
    nature of its connection topology, particularly
    its routers [2]
  • There is an implication that the data between
    nodes is, likewise, fractal
  • Yook et al. establish a fixed fractal dimension
    D_f for a scale-invariant fractal set that
    describes both Internet routers and domains

HYPOTHESIS OF CYBER ATTACK MECHANICS
2. Yook, Soon-Hyung, Hawoong Jeong, and Albert-Laszlo
Barabasi, "Modeling the Internet's Large-Scale
Topology", Proceedings of the National Academy of
Sciences, vol. 99, no. 21, pp. 13382-13386, October 15,
2002; and Lakhina, Anukool, John W. Byers, Mark
Crovella, and Ibrahim Matta, "On the Geographic
Location of Internet Resources", Proc. of ACM SIGCOMM
Internet Measurement Workshop, 2002
13
A New Point of View
  • Any organism is subject to both an exophysics and
    an endophysics
    • Endophysics: an organism's internal elements
    • Exophysics: an organism's interactions with
      external elements
  • When the organism is a large computing system or
    network, the exophysics may be thought of as the
    human/external interactions with the system, while
    the endophysics is considered to be the internal
    actions of the computing systems themselves

HYPOTHESIS OF CYBER ATTACK MECHANICS
14
A New Point of View
  • We can, therefore, describe a cyber attack
    against a computing organism in terms of the
    interaction of the endophysics and the exophysics,
    considering the following characteristics:
    • An attack is the imposition of a threat upon a
      vulnerability by a threat agent.
    • A cyber incident occurs when an attack is
      successful.
    • Cyber attack space may be described using
      endo-taxonomies and exo-taxonomies.
    • The stratification of attack types using the
      cyber attack taxonomy allows us to describe the
      exophysics.
    • Exo-taxonomies are, by their nature, ambiguous,
      while endo-taxonomies tend to be ordered and may
      be described using simple, structured ontologies.
  • This view is entirely different from the current
    perspective, which describes attacks exclusively in
    terms of, and from the viewpoint of, the
    vulnerabilities exploited.

HYPOTHESIS OF CYBER ATTACK MECHANICS
15
Hypothesis
HYPOTHESIS OF CYBER ATTACK MECHANICS
The interaction between cyber attack space and
fractal network space results in event markers
that may anticipate the existence of a cyber
attack. Because attack markers are complex, they
may result in halting conditions within the
network. These halting conditions can be
represented formally and the source of the cyber
attack may be deduced.
16
Hypothesis
a(e_f) → ΔD_f(e) → [event marker]

where (a) the final symbol (garbled in this
transcript) is an event marker; (b) e_f is an element
of a scale-invariant fractal set describing Internet
traffic based upon routers or domains; and (c) ΔD_f(e)
is the change in the fractal dimension of the
scale-invariant fractal set containing element e

HYPOTHESIS OF CYBER ATTACK MECHANICS
Expanding (from Definition 8):

(t, v)(e_f) → ΔD_f(e) → [event marker]

An event marker results from an attack against an
element of a scale-invariant fractal set
describing Internet traffic based upon routers or
domains such that there is a change in the
fractal dimension of that element.
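The hypothesis above ties the event marker to a change in fractal dimension, ΔD_f, but the slides do not say how D_f is estimated. The following is an added illustration, not code from the Stephenson/Prueitt work: it uses the Higuchi estimator (an assumption; the authors' D_f is defined over router/domain sets, and any scale-invariant estimator would do) on a constructed packet-count series, computes D_f per window, and raises a marker wherever consecutive windows differ by more than a threshold. The series, the window size and the threshold are constructed for the example.

```python
"""Added example: per-window fractal dimension of a traffic series and an
event marker wherever the dimension shifts.  The Higuchi estimator, the
packet-count series and the 0.3 threshold are assumptions, not the slides'."""
import math
import random


def higuchi_fd(series, kmax=8):
    """Higuchi fractal dimension of a 1-D series: about 1.0 for a smooth
    curve, about 2.0 for white noise."""
    n = len(series)
    log_k, log_l = [], []
    for k in range(1, kmax + 1):
        lengths = []
        for m in range(k):
            steps = (n - 1 - m) // k            # lag-k differences available
            if steps < 1:
                continue
            total = sum(abs(series[m + i * k] - series[m + (i - 1) * k])
                        for i in range(1, steps + 1))
            # normalise to the full series length, then divide by k
            lengths.append(total * (n - 1) / (steps * k) / k)
        log_k.append(math.log(1.0 / k))
        log_l.append(math.log(sum(lengths) / len(lengths)))
    # least-squares slope of log L(k) against log(1/k)
    mean_x = sum(log_k) / len(log_k)
    mean_y = sum(log_l) / len(log_l)
    num = sum((x - mean_x) * (y - mean_y) for x, y in zip(log_k, log_l))
    den = sum((x - mean_x) ** 2 for x in log_k)
    return num / den


def window_dimensions(series, window):
    """D_f of each non-overlapping window of the series."""
    return [higuchi_fd(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)]


def event_markers(dimensions, threshold=0.3):
    """Windows whose D_f moved by more than threshold against the previous
    window: the hypothesis' delta D_f rendered as a detection rule."""
    return [w for w in range(1, len(dimensions))
            if abs(dimensions[w] - dimensions[w - 1]) > threshold]


def constructed_traffic(window=128):
    """Constructed packet counts per interval: three windows of background
    (small diurnal term plus jitter) and one window (index 2) in which a
    constant-rate flood turns the flow into a nearly noise-free ramp.
    Seeded so the output is fixed."""
    rng = random.Random(7)
    series = []
    for w in range(4):
        for i in range(window):
            t = w * window + i
            if w == 2:
                series.append(400.0 + 0.5 * i + math.sin(2 * math.pi * t / 24))
            else:
                series.append(50.0 + 2 * math.sin(2 * math.pi * t / 24)
                              + rng.uniform(-10, 10))
    return series


def analyse(window=128):
    """Return (per-window D_f, windows carrying an event marker)."""
    series = constructed_traffic(window)
    dims = window_dimensions(series, window)
    return dims, event_markers(dims)


if __name__ == "__main__":
    dims, markers = analyse()
    for w, d in enumerate(dims):
        print(f"window {w}: D_f = {d:.2f}")
    print("event markers at windows:", markers)
```

Two markers appear: one when the flow loses its jitter (window 2) and one when it regains it (window 3). Both are changes in D_f, which is what the hypothesis asks for; deciding which of them is the attack onset, and against what baseline a threshold should be set, is the validation work the slides defer to Phase 2.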
17
Corollary
HYPOTHESIS OF CYBER ATTACK MECHANICS
An enterprise network may be represented as a
finite state machine. In an enterprise network an
attack may be characterized as being an event
contrary to the desired operating state of the
network. Event markers within confined networks
are the result of a change in state of one or
more nodes of the finite state machine and may
lead to a halting condition of those nodes.
These halting conditions can be represented
formally and the source of the cyber attack may
be deduced.
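The following is an added example and not code from the Stephenson/Prueitt slides: it renders the foundational vocabulary of slide 5 (policy domain, external stimulus β, incident, attack as an ordered pair a = (t, v)) over the corollary's finite-state-machine view of an enterprise network, so that an incident, a halting condition and the back-trace to the attack's entry point can each be computed. Node names, states, the transition table, the event trace and the 203.0.113.5 entry point are constructed; the (t, v) labels are taken from the upper-taxonomy table on slide 10.

```python
"""Added example: the slides' definitions executed over a finite-state
model of an enterprise network.  Nodes, states, transitions, the trace and
the entry-point address are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Desired operating states of a node; policy p is "remain in this set".
DESIRED: Set[str] = {"nominal", "degraded"}

# Constructed transition table: (state, stimulus name) -> next state.
# "halted" has no outgoing transition, so it is a halting condition.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("nominal", "patch_lag"): "degraded",
    ("degraded", "patch"): "nominal",
    ("nominal", "drop_malware"): "compromised",
    ("degraded", "drop_malware"): "compromised",
    ("compromised", "wipe_disk"): "halted",
}

# Stimuli that are attacks carry an ordered (threat, vulnerability) pair
# (Definition 8) in the slide-10 vocabulary; benign stimuli carry none.
ATTACK_PAIRS: Dict[str, Tuple[str, str]] = {
    "drop_malware": ("Malicious_Code", "Config_Err"),
    "wipe_disk": ("Admin_Hostile_Modify", "Access_Err"),
}


def conforms(state: str) -> bool:
    """Policy p (Definition 1): an element conforms while in a desired state."""
    return state in DESIRED


@dataclass
class Stimulus:
    """External stimulus beta (Definition 2) with the point it entered at."""
    name: str
    source: str
    target: str


@dataclass
class Incident:
    """Definition 3: a conforming element that stopped conforming."""
    node: str
    stimulus: str
    source: str
    attack: Optional[Tuple[str, str]]


@dataclass
class Network:
    nodes: Dict[str, str]                       # node -> current state
    trace: List[Incident] = field(default_factory=list)

    def apply(self, beta: Stimulus) -> Optional[Incident]:
        """Apply beta to its target; record an incident when the node was
        conformant before and is not afterwards."""
        before = self.nodes[beta.target]
        after = TRANSITIONS.get((before, beta.name), before)  # undefined: no change
        self.nodes[beta.target] = after
        if conforms(before) and not conforms(after):
            inc = Incident(beta.target, beta.name, beta.source,
                           ATTACK_PAIRS.get(beta.name))
            self.trace.append(inc)
            return inc
        return None

    def halted(self) -> List[str]:
        """Nodes in a halting condition: no outgoing transition from their state."""
        return [n for n, s in self.nodes.items()
                if not any(st == s for st, _ in TRANSITIONS)]

    def deduce_source(self, node: str) -> Optional[str]:
        """Back-trace: entry point of the first incident that moved this
        node out of policy conformance."""
        for inc in self.trace:
            if inc.node == node:
                return inc.source
        return None


def run_scenario() -> Network:
    """Constructed trace: patch lag on db01, malware dropped on web01 from a
    constructed external address, a destructive wipe that halts web01, and
    db01 patched back to nominal."""
    net = Network({"web01": "nominal", "db01": "nominal"})
    for beta in [
        Stimulus("patch_lag", "internal:change-window", "db01"),
        Stimulus("drop_malware", "203.0.113.5", "web01"),
        Stimulus("wipe_disk", "203.0.113.5", "web01"),
        Stimulus("patch", "internal:change-window", "db01"),
    ]:
        net.apply(beta)
    return net


if __name__ == "__main__":
    net = run_scenario()
    print("states:", net.nodes)
    print("halted:", net.halted())
    for inc in net.trace:
        print("incident:", inc)
    print("source of web01 halt:", net.deduce_source("web01"))
```

Only the malware drop is recorded as an incident: the later wipe finds web01 already outside the policy, so it moves the node to the halting state without a second incident, and the back-trace from the halted node therefore returns the entry point of the drop. The patch lag on db01 is a state change inside the desired set and is not an incident at all, which is the distinction Definition 3 draws.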
18
Explanation
  • The imposition of a cyber attack upon a large,
    complicated network disturbs the fractal nature
    of that network's data flows and causes
    perturbations that may alter the fractal
    dimension of the data flows.
  • The larger the attack, the greater the ambiguities
    become. Large attacks, such as large-scale worm
    infections, produce easily noticeable ambiguities.
    Smaller attacks produce far more subtle ones.

HYPOTHESIS OF CYBER ATTACK MECHANICS
19
Conclusions
  • It is feasible to characterize cyber attacks and
    their contributing elements formally.
  • This characterization has forensic value in that
    it may enable forensic investigations of
    anomalous events both on large-scale networks such
    as the Internet and on smaller enterprise networks
    where network states can be known.

20
Questions?