Title: Towards a Theory of Cyber Attack Mechanics
Slide 1: Towards a Theory of Cyber Attack Mechanics
- Phase 1 of a 3-Phase Program of Research
Peter R. Stephenson, PhD, CISSP, CISM, FICAF, Eastern Michigan University / Norwich University, pstephen_at_norwich.edu
Paul Prueitt, PhD, George Washington University, paul_at_ontologystream.com
Slide 2: Problem Statement
- There is no reliable way to protect against or back-trace unknown attacks and/or complicated attacks of unknown type or origin
- There is no reliable cyber attack early warning system and no reliable anticipatory mechanism
- Currently, digital attacks are categorized in a somewhat haphazard manner
- Existing attack taxonomies tend to focus upon the known from the perspective of the attack
- Attacks are viewed as the product of some exploit or set of exploits over a vulnerability or set of vulnerabilities
- Generally, both the exploits and the vulnerabilities must be known
Slide 3: Motivation for this Research
- Formalization and understanding of how attacks behave on the Internet and within enterprise networks
- Development of a cyber attack taxonomy derived from formal ontology
- Discovery of a reliable method for forensic analysis of complicated network events
- Discovery of a reliable method of cyber attack early warning
- Development of an artificial immune system for protecting computing systems
Slide 4: Research Program
- Phase 1: Foundation (the topic of this paper)
  - Produce a foundational mathematical vocabulary that allows formal discussion of cyber events
  - Develop a preliminary cyber attack taxonomy using stratified ontology and other formal techniques
  - Develop a hypothesis of cyber attack mechanics
- Phase 2: Forensic and early warning tool sets (year 2)
  - Validation of the Phase 1 taxonomy and cyber attack hypothesis
- Phase 3: Artificial immune system prototype development (year 3)
Slide 5: Notation and Formal Definitions: the Starting Points
FOUNDATIONAL VOCABULARY
- Security Policy Domain
  - A security policy domain, Ep, consists of all of the elements, e, of an enterprise that conform to the same security policy, p.
- External Stimulus
  - An external stimulus, β, applies to a set of states and yields a set of states.
- Computer Security Incident
  - A computer security incident, i, results when a change of state of an element, e, conforming to a policy p causes that element no longer to conform to that policy, and where the state change is caused by the application of a stimulus, β, external to the system.
- Impact
  - An impact μ results when an external stimulus β is applied to a state s.
- Vulnerability
  - A vulnerability, v, is a weakness or flaw in an element of a system that has the potential to be exploited with a damaging outcome, μ.
- Threat
  - A threat, t, is an external stimulus β that may lead to an incident when the external stimulus β is applied to an element, e. t is defined when β applied to e yields an incident i.
- Information System Risk
  - Information systems risk is the probability, P, that a threat agent will successfully exploit a vulnerability to create an impact μ.
- Cyber Attack
  - A cyber attack a is an ordered threat-vulnerability pair a = (t, v).
Notation and formal expressions appear in Stephenson, Peter R., Prueitt, Paul S. Towards a Theory of Cyber Attack Mechanics.
Slide 6: Developing a Cyber Attack Taxonomy: Concepts
CYBER ATTACK TAXONOMY
- Categorical Abstraction (cA)
  - Each element of a machine taxonomy is a cA
  - Formed from the induction, or abstraction, of a reduced set of descriptors so that differences between elements in the same category are diminished
  - In the case of cyber attacks, we are concerned with cA about the universe of threats applied against vulnerabilities
- Functional properties of combinations of elementary patterns (cA)
  - Formation of a higher level of abstraction where function may be realized from any of a large set of combinations of lower level cA
  - The lower level is the level for atomic cA, and the higher level the level for molecular or compound cA
  - We use a technique called Event Chemistry (eC) to aid in cA and visualization
Slide 7: Developing a Cyber Attack Taxonomy
CYBER ATTACK TAXONOMY
- Using formal methods we break down the results of combinations¹ in the universe of possible attacks to a manageable set of representations.
- Several inductions are involved in the production of abstractions that leave out details that are not salient in context.
- The set of molecular cAs contains compounds whose event Chemistry (eC) can become known by applying a special set of formal mechanisms
- The result is a stratification of abstractions about process activity that provides a simple way to describe a very complicated universe of events, both known and unknown
- An understanding of cyber attacks described using a formal taxonomy is fundamental to developing a theory of cyber attack mechanics
- Vulnerability taxonomy derived from the Mitre CVE (http://cve.mitre.org), and threat taxonomy derived from the Common Criteria
Slide 8: Developing a Cyber Attack Taxonomy
CYBER ATTACK TAXONOMY
- Structural ontology
  - A set of defining specifications that will result in measurement that can be compared with elements of a taxonomy of cyber attacks
  - Allows a precise set of definitions of attack types from which we can abstract a clear notion of a network organism's self and not-self, required in the construction of an artificial immune system
- Abstract away from the specific threats and vulnerabilities to build a structural ontology based upon that level of abstraction
  - We are then able to derive a taxonomy that is abstracted from explicit threats and vulnerabilities and no longer depends upon them as part of a process of attack definitions
  - The notion of attack types (and the substructural threats and vulnerabilities) must acknowledge but must not depend upon known attacks
Slide 9: SLIP (Shallow link analysis, Iterated Scatter-Gather, and Parcelation)
CYBER ATTACK TAXONOMY
- Derives a set of elemental representations of attacks based upon threats and vulnerabilities
- Allows us to explore the set of attacks as defined in Definition 8
- Specific application of an ontology referential base (Orb) of the form
  - Where ai and aj are substructural elements and r is some relation between them
- Figure: eC representation of 2 threats (from the attack taxonomy) against a vulnerability residing in an attack space using SLIP
Slide 10: Structure of the Cyber Attack Upper Taxonomy a = (t, v)
CYBER ATTACK TAXONOMY
- Access_Err (v)
  - User_Send, User_Modify, User_Err_Conf, User_Collect, User_Abuse_Conf, Spoofing, Hack_Msg_Data, Hack_Masq, Hack_Comm_Eavesdrop, Hack_AC, Dev_Flawed_Code, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Conf_Err (v)
  - User_Send, User_Modify, User_Collect, User_Abuse_Conf, Hack_Crypto, Hack_Comm_Eavesdrop, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Config_Err (v)
  - User_Send, User_Modify, User_Err_Slf_Protect, User_Err_Misuse_Avl_Resc, User_Err_Integrity, User_Err_Inaccess, User_Err_Conf, User_Collect, User_Abuse_Conf, Malicious_Code, Hack_Msg_Data, Hack_AC, Failure_DS_Comp, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Input_Err (v)
  - User_Send, User_Modify, User_Misuse_Avl_Resc, User_Err_Slf_Protect, User_Err_Integrity, User_Err_Inaccess, User_Err_Conf, Hack_Msg_Data, Hack_Masq, Hack_AC, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Logic_Err (v)
  - User_Send, User_Modify, User_Misuse_Avl_Resc, User_Err_Slf_Protect, User_Err_Integrity, User_Err_Inaccess, User_Err_Conf, User_Collect, User_Abuse_Conf, Malicious_Code, Hack_Msg_Data, Hack_Masq, Hack_Comm_Eavesdrop, Hack_Avl_Resc, Hack_AC, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- DOS (v)
  - User_Err_Slf_Protect, User_Err_Misuse_Avl_Resc, Power_Disrupt, Malicious_Code, Hack_Phys, Hack_Avl_Resc, Failure_DS_Comp, Dev_Flawed_Code, Component_Failure, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Audit_Err (v)
  - User_Collect, Spoofing, Repudiate_Transact, Repudiate_Send, Repudiate_Receive, Hack_AC, Dev_Flawed_Code, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Phys_Acc (v)
  - Power_Disrupt, Hack_Social_Engineer, Hack_Phys, Component_Failure, Admin_User_Priv, Admin_Hostile_Modify, Admin_Err_Commit, Admin_Err_Omit
- Client_Side (v)
  - Malicious_Code, Dev_Flawed_Code
Slide 11: The 9 Upper Attack Taxonomy Classes Yield 31 Attack Stems or Primes
CYBER ATTACK TAXONOMY
- Based upon the Client_Side attack class
  - Malicious_Code
    - Client_Side
    - Config_Err
    - DOS
    - Logic_Err
  - Dev_Flawed_Code
    - Access_Err
    - Audit_Err
    - Client_Side
    - DOS
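The upper taxonomy of slide 10 as data, inverted to obtain the attack stems of slide 11. This is an added example, not the authors' code: the class-to-threat lists are transcribed from slide 10 (the repeated User_Send under Access_Err counted once), the four Admin_* threats are factored into one shared string, and "stem" is taken to mean one distinct threat together with the vulnerability classes it is recorded under.

```python
# Upper taxonomy a = (t, v): vulnerability class v -> threats t listed under it on slide 10.
ADMIN = "Admin_User_Priv Admin_Hostile_Modify Admin_Err_Commit Admin_Err_Omit"
RAW = {
    "Access_Err": "User_Send User_Modify User_Err_Conf User_Collect User_Abuse_Conf Spoofing "
                  "Hack_Msg_Data Hack_Masq Hack_Comm_Eavesdrop Hack_AC Dev_Flawed_Code " + ADMIN,
    "Conf_Err": "User_Send User_Modify User_Collect User_Abuse_Conf Hack_Crypto "
                "Hack_Comm_Eavesdrop " + ADMIN,
    "Config_Err": "User_Send User_Modify User_Err_Slf_Protect User_Err_Misuse_Avl_Resc "
                  "User_Err_Integrity User_Err_Inaccess User_Err_Conf User_Collect User_Abuse_Conf "
                  "Malicious_Code Hack_Msg_Data Hack_AC Failure_DS_Comp " + ADMIN,
    "Input_Err": "User_Send User_Modify User_Misuse_Avl_Resc User_Err_Slf_Protect "
                 "User_Err_Integrity User_Err_Inaccess User_Err_Conf Hack_Msg_Data Hack_Masq "
                 "Hack_AC " + ADMIN,
    "Logic_Err": "User_Send User_Modify User_Misuse_Avl_Resc User_Err_Slf_Protect "
                 "User_Err_Integrity User_Err_Inaccess User_Err_Conf User_Collect User_Abuse_Conf "
                 "Malicious_Code Hack_Msg_Data Hack_Masq Hack_Comm_Eavesdrop Hack_Avl_Resc "
                 "Hack_AC " + ADMIN,
    "DOS": "User_Err_Slf_Protect User_Err_Misuse_Avl_Resc Power_Disrupt Malicious_Code Hack_Phys "
           "Hack_Avl_Resc Failure_DS_Comp Dev_Flawed_Code Component_Failure " + ADMIN,
    "Audit_Err": "User_Collect Spoofing Repudiate_Transact Repudiate_Send Repudiate_Receive "
                 "Hack_AC Dev_Flawed_Code " + ADMIN,
    "Phys_Acc": "Power_Disrupt Hack_Social_Engineer Hack_Phys Component_Failure " + ADMIN,
    "Client_Side": "Malicious_Code Dev_Flawed_Code",
}
THREATS_BY_VULN = {v: set(ts.split()) for v, ts in RAW.items()}

def attack_space():
    """Every attack a = (t, v) admitted by the upper taxonomy (Definition 8)."""
    return {(t, v) for v, ts in THREATS_BY_VULN.items() for t in ts}

def stems():
    """Invert the taxonomy: each distinct threat is one attack stem (prime),
    paired with the sorted vulnerability classes it can be applied against."""
    out = {}
    for v, ts in THREATS_BY_VULN.items():
        for t in ts:
            out.setdefault(t, set()).add(v)
    return {t: sorted(vs) for t, vs in out.items()}

def stems_based_on(vuln_class):
    """The stems rooted in one class, as slide 11 shows for Client_Side."""
    return {t: vs for t, vs in stems().items() if vuln_class in vs}
```

Running `len(stems())` reproduces the 31 primes of the slide title, and `stems_based_on("Client_Side")` reproduces slide 11's two stems and their class lists.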
Slide 12: The Fractal Nature of the Internet
HYPOTHESIS OF CYBER ATTACK MECHANICS
- Any sufficiently large network such as the public Internet may be described in terms of the fractal nature of its connection topology, particularly its routers²
- There is an implication that the data between nodes is, likewise, fractal
- Yook et al. establish a fixed fractal dimension Df for a scale-invariant fractal set that describes both Internet routers and domains
2. Yook, Soon-Hyung, Hawoong Jeong, Albert-Laszlo Barabasi. Modeling the Internet's Large-Scale Topology. Proceedings of the National Academy of Sciences, vol. 99 no. 21, 13382-13386, October 15, 2002; and Lakhina, Anukool, John W. Byers, Mark Crovella, Ibrahim Matta. On the Geographic Location of Internet Resources. Proc. of ACM SIGCOMM Internet Measurement Workshop, 2002.
Slide 13: A New Point of View
HYPOTHESIS OF CYBER ATTACK MECHANICS
- Any organism is subject to both an exophysics and an endophysics
  - Endophysics: an organism's internal elements
  - Exophysics: an organism's interaction with external elements
- When the organism is a large computing system or network, the exophysics may be thought of as the human/external interactions with the system, while the endophysics is considered to be the internal actions of the computing systems themselves
Slide 14: A New Point of View
HYPOTHESIS OF CYBER ATTACK MECHANICS
- We can, therefore, describe a cyber attack against a computing organism in terms of the interaction of the endophysics and the exophysics, considering the following characteristics
  - An attack is the imposition of a threat upon a vulnerability by a threat agent.
  - A cyber incident occurs when an attack is successful
  - Cyber attack space may be described using endo-taxonomies and exo-taxonomies
  - The stratification of attack types using the cyber attack taxonomy allows us to describe the exophysics
  - Exo-taxonomies are, by their nature, ambiguous, while endo-taxonomies tend to be ordered and may be described using simple, structured ontologies
- This view is entirely different from the current perspective that describes attacks exclusively in terms of, and from the viewpoint of, the vulnerabilities exploited
Slide 15: Hypothesis
HYPOTHESIS OF CYBER ATTACK MECHANICS
The interaction between cyber attack space and fractal network space results in event markers that may anticipate the existence of a cyber attack. Because attack markers are complex, they may result in halting conditions within the network. These halting conditions can be represented formally and the source of the cyber attack may be deduced.
Slide 16: Hypothesis
HYPOTHESIS OF CYBER ATTACK MECHANICS
a ef ?? Df(e) ? ?
where
(a) ? is an event marker
(b) ef is an element of a scale-invariant fractal set describing Internet traffic based upon routers or domains
(c) ? Df(e) is the change in the fractal dimension of the scale-invariant fractal set containing element e
Expanding (from Definition 8):
(t,v) ef ?? Df(e) ? ?
An event marker results from an attack against an element of a scale-invariant fractal set describing Internet traffic based upon routers or domains such that there is a change in the fractal dimension of that element.
Slide 17: Corollary
HYPOTHESIS OF CYBER ATTACK MECHANICS
An enterprise network may be represented as a finite state machine. In an enterprise network an attack may be characterized as being an event contrary to the desired operating state of the network. Event markers within confined networks are the result of a change in state of one or more nodes of the finite state machine and may lead to a halting condition of those nodes. These halting conditions can be represented formally and the source of the cyber attack may be deduced.
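The foundational vocabulary of slide 5 and the corollary above, worked as an added example (not the authors' code): an enterprise network is a set of nodes, each a finite state machine; policy p is a set of permitted states, Ep is the nodes currently in them, an incident is a stimulus-driven exit from p, event markers are the recorded state changes, a halting condition is a state with no exit, and the source is deduced by walking the event log back. The node names, states, stimuli and the "ext-192.0.2.10" source label are all constructed.

```python
from collections import namedtuple
from dataclasses import dataclass, field
# Constructed model, not the paper's code. Policy p is the set of states a
# conforming element may occupy; Ep, the security policy domain, is the set of
# elements currently in one of those states.
POLICY_P = {"idle", "serving"}
# Node FSM: (state, stimulus) -> next state. "flood" is a constructed hostile
# stimulus β; "overloaded" has no outgoing transition, i.e. a halting condition.
TRANSITIONS = {
    ("idle", "request"): "serving",
    ("serving", "done"): "idle",
    ("idle", "flood"): "overloaded",
    ("serving", "flood"): "overloaded",
}
# One applied stimulus: who sent it, what it was, which element e received it.
Event = namedtuple("Event", "source stimulus element before after")

@dataclass
class Network:
    states: dict                              # element name -> current state
    log: list = field(default_factory=list)   # every applied stimulus, in order

    def policy_domain(self):
        """Ep: every element whose current state conforms to p."""
        return {e for e, s in self.states.items() if s in POLICY_P}

    def apply(self, source, stimulus, element):
        """Apply β to e and record it; True when an incident results (e left p because of it)."""
        before = self.states[element]
        after = TRANSITIONS.get((before, stimulus), before)
        self.states[element] = after
        self.log.append(Event(source, stimulus, element, before, after))
        return before in POLICY_P and after not in POLICY_P

    def event_markers(self):
        """The corollary's event markers: recorded events that changed a node's state."""
        return [ev for ev in self.log if ev.before != ev.after]

    def halting_nodes(self):
        """Nodes sitting in a state with no outgoing transition at all."""
        exits = {s for s, _ in TRANSITIONS}
        return {e for e, s in self.states.items() if s not in exits}

    def deduce_source(self, element):
        """Walk the log backwards to the stimulus that took e out of p."""
        for ev in reversed(self.log):
            if ev.element == element and ev.before in POLICY_P and ev.after not in POLICY_P:
                return ev.source
        return None
```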
Slide 18: Explanation
HYPOTHESIS OF CYBER ATTACK MECHANICS
- The imposition of a cyber attack upon a large, complicated network disturbs the fractal nature of that network's data flows and causes perturbations that may alter the fractal dimension of the data flows.
- The larger the attack, the greater the ambiguities become. Large attacks, such as large-scale worm infections, produce easily noticeable ambiguities. Smaller attacks produce far more subtle ones.
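The hypothesis of slide 16 and the explanation above, as an added example that is not the authors' code: a box-counting estimate of the fractal dimension Df is taken per window over a constructed series of traffic volumes, and an event marker is raised wherever Df changes sharply between consecutive windows. The paper's Df describes router and domain topology; the per-interval volume series here is a stand-in for it, and the Kronecker baseline, the 256-sample window, the constant flood window and the 0.4 threshold are all constructed assumptions.

```python
import math

# Added illustration, not the authors' code. A constructed series of traffic
# volumes per interval stands in for the scale-invariant fractal set of the
# hypothesis; Df is estimated per window by box counting, and an event marker
# is raised where Df changes sharply between consecutive windows.
PHI = (1 + 5 ** 0.5) / 2   # golden ratio, drives the irregular baseline
WINDOW = 256               # samples per window (a power of two)

def box_count_dimension(values):
    """Box-counting estimate of the fractal dimension of a sampled curve: scale it
    into the unit square, cover it with grids of 2^k cells per axis and take the
    least-squares slope of log2 N(k) against k. Only scales with at most about
    sqrt(n) cells per axis are used, so the grid never outruns the samples."""
    n = len(values)
    lo, hi = min(values), max(values)
    ys = [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in values]
    ks = list(range(1, max(2, int(math.log2(n)) // 2) + 1))
    logs = []
    for k in ks:
        cells = 1 << k
        boxes = {(i * cells // n, min(int(y * cells), cells - 1)) for i, y in enumerate(ys)}
        logs.append(math.log2(len(boxes)))
    mk, ml = sum(ks) / len(ks), sum(logs) / len(logs)
    sxy = sum((k - mk) * (l - ml) for k, l in zip(ks, logs))
    return sxy / sum((k - mk) ** 2 for k in ks)

def event_markers(series, threshold=0.4):
    """Df of each WINDOW-sized slice, and the indices of windows whose Df differs
    from the previous window by more than threshold: the event markers."""
    dfs = [box_count_dimension(series[i:i + WINDOW])
           for i in range(0, len(series) - WINDOW + 1, WINDOW)]
    markers = [w for w in range(1, len(dfs)) if abs(dfs[w] - dfs[w - 1]) > threshold]
    return dfs, markers

def constructed_series(flood_window=2, windows=4):
    """Constructed traffic: baseline volumes scattered by a Kronecker (golden ratio)
    sequence; one window replaced by a constant saturated volume, the flat profile
    of a fixed-rate flood. Df drops to 1.0 there and recovers afterwards."""
    return [1000.0 if i // WINDOW == flood_window
            else 100.0 + 800.0 * ((i * PHI) % 1.0)
            for i in range(windows * WINDOW)]
```

The markers fall on the flood window and on the window after it (the drop in Df and its recovery); a gentler disturbance, as the slide notes, would move Df far less and would need a finer threshold or a different estimator to show up at all.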
Slide 19: Conclusions
- It is feasible to characterize cyber attacks and their contributing elements formally.
- This characterization has forensic value in that it may lead to enabling forensic investigations of anomalistic events both on large-scale networks such as the Internet and on smaller enterprise networks where network states can be known.
Slide 20: Questions?