=Paper=
{{Paper
|id=Vol-1788/STIDS2016_T02
|storemode=property
|title=Using Ontologies to Quantify Attack Surfaces
|pdfUrl=https://ceur-ws.org/Vol-1788/STIDS_2016_T02_Altighetchi_etal.pdf
|volume=Vol-1788
|authors=Michael Altighetchi,Borislava Simidechieva,Fusun Yaman,Thomas Eskridge,Marco Carvalho,Nicholas Paltzer
|dblpUrl=https://dblp.org/rec/conf/stids/AtighetchiSYECP16
}}
==Using Ontologies to Quantify Attack Surfaces==
https://ceur-ws.org/Vol-1788/STIDS_2016_T02_Altighetchi_etal.pdf
Using Ontologies to Quantify Attack Surfaces
Michael Borislava Fusun Thomas Marco Captain Nicholas Paltzer
Atighetchi Simidchieva Yaman Eskridge Carvalho Air Force Research Laboratory
Raytheon BBN Technologies Florida Institute of Technology Rome, NY 13441 USA
Cambridge, MA 02138 USA Melbourne, FL 32901 USA nicholas.paltzer@us.af.mil
{matighet | simidchieva | fusun}@bbn.com {teskridge | mcarvalho}@fit.edu
Current State of the Art of Cyber C2 With Reasoning and Characterization
Abstract—Cyber defenders face the problem of selecting and
configuring the most appropriate defenses to protect a given Manual&Selection&and& Automatically&Select&and&Configure&
Configuration&of&Cyber&Defenses Appropriate&Cyber Defenses
network of systems supporting a certain set of missions against
cyber attacks. Cyber defenders have very little visibility into Attacks Attacks
security/cost tradeoffs between individual defenses and a poor Server
Defense
understanding of how multiple defenses interact, which, in X
Networked Networked
turn, leads to systems that are insecure or too overloaded with System System
security processing to provide necessary mission functionality. Cyber
We have been developing a reasoning framework, called Attack Defender
Surface Reasoning (ASR), which enables cyber defenders to Unknown& Manual& Compute& Intelligently
Security& Trial&&& Attack Surface& Execute&
explore quantitative tradeoffs between security and cost of Metrics Error Metrics Experiments
various compositions of cyber defense models. ASR automatically
quantifies and compares cost and security metrics across multiple
attack surfaces, covering both mission and system dimensions. Fig. 1. The proposed approach computes attack surface metrics, provides
In addition, ASR automatically identifies opportunities for mini- structured support for deployment of (and experimentation with) wrapped
defenses, and automates the defense selection and configuration process
mizing attack surfaces, e.g., by removing interactions that are
not required for successful mission execution. In this paper,
we present the ontologies used for attack surface reasoning.
In particular, this includes threat models describing important shortage in cyber security Subject Matter Experts (SMEs) [9],
aspects of the target networked systems together with abstract this introduces significant delays and cost.
definitions of adversarial activities. We also describe modeling of
The reasoning framework presented in this paper aims to
cyber defenses with a particular focus on Moving Target Defenses
(MTDs), missions, and metrics. We demonstrate the usefulness significantly improve the level of rigor and automation associ-
and applicability of the ontologies by presenting instance models ated with selection and configuration of cyber defenses. Using
from a fictitious deployment, and show how the models support an ontologically grounded definition of an attack surface, the
the overall functionality of attack surface reasoning. framework contains algorithms to find all applicable attack
vectors and compute metrics for the security and cost impact
I. I NTRODUCTION
of adding cyber defenses to target systems. Using models
Cyber security remains one of the most serious challenges to of key mission processes and their interactions, the analysis
national security and the economy that we face today. Systems extends observations about system-level components to the
employing well known but static defenses are increasingly resulting impact on execution of mission critical workflows.
vulnerable to penetration from determined, diverse, and well Finally, the framework combines measurement, modeling, and
resourced adversaries launching targeted attacks such as Ad- analysis with testing of software artifacts through the use of
vanced Persistent Threats (APTs). a virtualized test infrastructure [1]. Experimental validation of
Due to the heavy focus on cyber security technologies in analysis results on real systems with real defense implemen-
both commercial and government environments over the last tations establishes the usefulness and validity of the approach.
decade, an overwhelming array of cyber defense technologies Figure 2 illustrates how the Attack Surface Reasoning
have become available for cyber defenders to use. As the num- (ASR) framework captures models of underlying systems,
ber and complexity of these defenses increase, cyber defenders cyber defenses, and missions in the form of unified models.
face the problem of selecting, composing, and configuring These models are augmented by other models that describe
them, a process which to date is performed manually and adversary constraints, potential attack steps, and definitions
without a clear understanding of integration points and risks of security and cost metrics. ASR provides two categories
associated with each defense or combination of defenses. of algorithms: attack surface characterization and minimiza-
As shown in Figure 1, the current state-of-the-art approach tion. The characterization algorithm constructs attack vectors
for selecting and configuring cyber defenses is manual in and calculates security and cost metrics. The minimization
nature and is often done without a clear understanding of secu- algorithm uses system and mission information to identify
rity metrics associated with attack surfaces. Due to the talent opportunities for pruning unnecessary access paths to reduce
Distribution Statement ”A” (Approved for Public Release, Distribution Unlimited). This material is based upon work supported by the Air Force Research
Laboratory under Contract No. FA8750-14-C-0104.
STIDS 2016 Proceedings Page 10
� for system modeling include the Cyber Observable eXpression
(CybOX) and the Common Information Model (CIM). These
standards focus on capturing detailed information about sys-
tem observables, cyber security events, indicators of compro-
mise, and vulnerabilities for the purposes of sharing specific
threat information (to yield enhanced intrusion detection) and
eliminating existing vulnerabilities (through continuous patch-
ing). In contrast, the ASR ontologies are expressed at a higher
level of abstraction and focus on design-level assessments of
attack surfaces. Another difference is that the ASR ontolo-
gies are expressed in OWL, while the community standards
mentioned above are prescribed in XML. Finally, the above-
mentioned standards focus on system and adversary modeling,
but provide no structured means for representing cyber defense
capabilities. In contrast, ASR contains a specific defense
ontology describing the protection provided by defenses and
Fig. 2. The Attack Surface Reasoning (ASR) framework the cost associated with various defense configurations.
B. Security Ontologies
the attack surface. Using the models, algorithms, and metrics,
cyber defenders can compare various deployments of proactive A number of different ontologies exist for expressing
cyber defenses in a quantitative manner and contrast tradeoffs security-related properties, including [6] and [4], as summa-
between security benefits and performance overhead. As such, rized in [13]. [5] applies semantic threat and defense modeling
ASR provides a foundational capability in support of an to identify proper firewall configurations. [14] develops an
envisioned cyber planning tool that automatically suggests and ontology for the HTTP protocol as well as attacks against
configures defenses given mission executions over systems. web applications (using HTTP), and then uses a separate
This paper describes the ontologies used to model systems, ontology for finding attack vectors. [10] focuses on a review of
cyber defenses, adversarial capabilities, and mission con- existing cyber security taxonomies and ontologies and points
straints. Validation of the approach focuses on a specific class out several existing models. However, the review does not list
of proactive cyber defenses, Moving Target Defenses (MTDs) any ontologies for cyber defenses. [15] describes an extensive
[7], [11]. MTDs claim to make entry points into networks ontology supporting forensic activities across disparate data
and systems harder to detect, thereby reducing vulnerabilities sources. Finally, work on modeling cyber defense decision
and making the exposure to those vulnerabilities that remain processes [3], [12] provides ontology support for learning and
more transient. This introduced dynamism ought to render extracting cyber defense workflows and decision procedures.
attacks against MTD-protected systems less effective, but few The ASR ontologies are in large inspired by the STRIDE
quantitative results are available to date, which makes MTDs threat-modeling approach [16] used by Microsoft. One key
a prime choice for quantification. difference to existing ontologies is the focus on abstract
The rest of the paper is organized as follows. Section II architectural concepts and high-level adversarial objectives.
describes related work in threat modeling and analysis. Section
III describes the set of ontologies we developed to support III. O NTOLOGIES
attack surface reasoning. Section IV reports on the validation The attack surface reasoning algorithms operate over a set
results of applying the ontologies to cyber defense operations of models that together describe the system under examination,
of a small enterprise network. Section V concludes the paper. its defenses, the assumed capabilities and starting point(s) of
II. R ELATED W ORK the adversary, and optionally a mission or set of missions
which may operate over the defined system. In addition, the
The ontologies presented in this paper relate to several ap-
set of metrics to be computed is itself described in a model
proaches for modeling cyber security systems and observables.
to allow for easy extension and modification by the user.
A. Security Standards ASR models are defined in the WorldWideWeb Consortium
A number of different taxonomies exist for describing cyber (W3C) semantic Web Ontology Language (OWL). Using a se-
security related information. For threat information, this set of mantic web substrate provides a number of benefits, including:
standard includes the Common Vulnerabilities Enumeration • Scalability: the OWL language and supporting tools allow
(CVE), Common Weakness Enumeration (CWE), Common for scaling to very large models;
Vulnerability Scoring System (CVSS), Malware Attribute Enu- • Inference: OWL ontologies encode meaning in a formal
meration and Characterization (MAEC), Structured Threat way, which enables inferring new facts from existing data;
Information eXpression (STIX), and Common Attack Pattern • Cross-domain integration: OWL ontologies can connect
Enumeration and Configuration (CAPAC). Taxonomies in use disparate domains without contaminating the sources;
STIDS 2016 Proceedings Page 11
� • Standards and community: OWL and associated lan- TABLE II
guages such as Resource Description Framework (RDF) M AIN S YSTEM M ODEL CONCEPTS
and SPARQL Protocol And RDF Query Language Resource Description
(SPARQL) provide interoperable libraries and tooling, Entity General concept
and active practitioner communities; and Boundary Trust realm for unrestricted access within a
• Relative maturity: semantic web languages provide tested boundary
Vertical Boundary subclassOf Boundary describing realm cross
algorithms, established terminology, and relatively ma- layers
ture libraries. Tooling with predictable performance both Horizontal Boundary subclassOf Boundary describing realm on a
within and beyond the laboratory setting is also available. single layer
Host subclassOf Vertical Boundary representing a
One of the key challenges of modeling distributed systems computer system
is to identify the level of abstraction most appropriate for WAN subclassOf Horizontal Boundary representing
the modelers who will create the models, the algorithms that a wide area network
VLAN subclassOf Horizontal Boundary representing
will operate over them, and the results that are provided to a wide area network
stakeholders. Modeling at the extreme of precision allows Layer Logical layering of functionality into three
exact answers to be derived, but creates models that are main layers
difficult to accurately create and to keep up to date, and leads NetworkLayer subclassOf Layer describing network entities
and interactions
to analysis outcomes that are brittle as the system changes. On PhysicalLayer subclassOf Layer describing physical entities
the other hand, modeling at too coarse of a level of abstraction ProcessLayer subclassOf Layer describing application-level
leads to easily created models, but models that can tell little components and interactions
to interested parties about questions of importance. DataFlow Flow of bits between two entities
DataStore Persistent store of information
We took a middle road with ASR. A number of the concepts, External An entity that is external to the system
and the level of granularity, were modeled after the Microsoft User subclassOf External describing human actors
STRIDE [8] threat-classification framework and related mod- NetworkEndpoint Sockets used in network connections
NIC Network Interface Card
eling languages described in [16]. STRIDE expresses system
Process Operating System process
concepts through abstract concepts including processes, data Resource Shared resource with certain capacity
flows, boundaries, external entities, and data stores. We model
the different aspects of an attack surface separately in order
to facilitate modularity and extensibility. Table I lists the six
the physical layer. Table II describes the main resource types
ontological models used in ASR and summarizes their content.
associated with the system model ontology.
The following properties have specific meaning:
TABLE I
ASR USES A COLLECTION OF MODELS TO QUANTIFY ATTACK SURFACES • contains: expresses membership relationship between two
Entities. For instance, a Host contains Processes and a
Model Concepts
VLAN contains NICs.
System System components and their relationships;
• connectsTo: expresses a data or control flow link between
e.g., computational entities, boundaries, and
data flows two Entities. For instance, a User connects to a Process, a
Attack Generic attack logic as individual steps, vec- Process connects to a NetworkEndpoint, and a Network-
tors, and templates
Adversary Adversarial starting position and goal
Endpoint connects to a NIC.
Mission Mission relevant system elements and key per- • via: expresses a link between hierarchical data flows. For
formance metrics example, a process-layer flow is realized via a network-
Defense Cyber defense capabilities in terms of protec- layer flow, which itself happens via a physical-layer flow.
tions provided plus associated costs
Metric Metrics for security, cost, and mission impact
B. Attack Model
The attack model describes the generic activities performed
by adversaries as a collection of potential attack steps. Table
A. System Model III describes the main resource types associated with the
System models describe the business system against which attack model ontology. Each attack step definition comprises
attacks can be executed and within or around which defenses a number of attributes that specify an attack type (modeled
can be deployed. These models detail the hosts in the system, via the six high-level types of attacks whose initials define
the networks that connect these hosts, and the processes that STRIDE), the pre-conditions necessary for the attack step to
run on them. Data flows are modeled here at three different execute, and the post-conditions that holds once the attack step
layers: process, network, and physical. The three layers are executes successfully. Figure 3 shows an example of an attack
interconnected in the model such that one can determine for step definition that represents network sniffing, and Table IV
a given process-layer data flow that the described data is sent shows the set of attack step definitions that are currently
out through a given endpoint at the network layer, which in modeled in ASR, using the STRIDE attack types from Table
turn is bound to a particular network interface card (NIC) at III.
STIDS 2016 Proceedings Page 12
�C. Adversary Model TABLE IV
ATTACK S TEPS C URRENTLY M ODELED IN ASR
The adversary model contains the following information:
• Starting Position: A reference to an entity in the system Name Type Pre-Condition Post-Condition
model that describes the starting privilege an adversary Sniff Information Access to network Knowledge
has for the purpose of a specific assessment. Disclosure about observed
network flows
• Target Goal: Information about the type of attack and the PortScan Information Network Knowledge
intended target of the attack. Disclosure reachability about listening
sockets
TCPConFlood Denial of Network Depletes file
Service reachability & descriptors at a
TABLE III Knowledge about given rate
M AIN ATTACK M ODEL CONCEPTS the target endpoint
OSFingerPrint Information Knowledge on lis- Knowledge
Resource Description Disclosure tening socket on a about host OS
AttackStep A specific instance of adversarial activity. At- host specifics
tack vectors consists of a collections of linked GetRoot Elevation Knowledge on Root privilege on
attack steps. of Privilege host OS and host
AttackStepDefinition A reusable generic description of an adver- listening socket
sarial activity. Attack steps are derived from ShutDownServer Denial of Knowledge on Server
definitions Service host OS and unavailable
AttackVectorElement Ordering and context around an AttackStep to listening socket
form an AttackVector Root privilege on
AttackVector Ordered execution of AttackSteps host
AttackTemplate A templatized version of an attack vector
Attacker Captures aspects of the expected adversary,
including the starting position
SideEffect As part of executing this attack, these specific • Attack Vector Template: Preconceived structure of attack
facts are added to the model
vectors specifying sequences of types of attack steps that
AttackType The type of attack being executed
Spoofing subclassOf AttackType. Illegally accessing and
have not been bound to specific instances.
then using another user’s authentication infor- Given these assumptions about the adversary, ASR will au-
mation.
Tampering subclassOf AttackType. Malicious modifica-
tomatically identify all applicable attack vectors as a partially
tion of data ordered sequence of bound attack steps.
Repudiation subclassOf AttackType. Deny performing an
action without other parties having any way D. Mission Model
to prove otherwise
InformationDisclosure subclassOf AttackType. Exposure of informa- Mission models describe mission-critical flows between
tion to individuals who are not supposed to actors and services at the application layer. The mission
have access to it
DenialOfService subclassOf AttackType. Deny service to valid models are a strict subset of process-layer system entities and
users data flows contained in the system model. Table V shows the
ElevationOfPrivilege subclassOf AttackType. An unprivileged user main concepts in the ASR mission models.Mission metrics
gains privileged access and thereby has suf-
ficient access to compromise or destroy the evaluate the fitness of a specific mission within the context
entire system of a collection of other models. Like system metrics, mission
metrics are evaluated along the two dimensions of cost and
security, and mission-critical flows can specify requirements
on the cost and security of information exchanges. Most
mission metrics are rated on a normal, degraded, fail scale. To
allow for quick and easy comparison of mission metrics among
multiple configurations, we provide a mission aggregate cost
index (ACI) and a mission aggregate security index (ASI),
which return the minimum score along all cost or security
concerns, respectively (i.e., if a single data flow fails a cost
or security requirement, the mission aggregate cost or security
index indicates a fail also). The individual metrics are provided
for comparison purposes so that it is easy for the user to
distinguish between a configuration that only has one or two
poorly performing components for this mission, and an overall
equally rated configuration whose every component is rated
degraded or fail for this mission. Finally, the mission security
and cost metrics are folded into an aggregate mission index
Fig. 3. Example of an attack step that performs a network sniffing action (AMI), similar to the ACI and ASI. The value of the AMI
STIDS 2016 Proceedings Page 13
�is fail if either the mission aggregate security or cost indices for integrity. If any of the individual percentages of data flows
evaluates to fail, and equals the mission aggregate cost rating that fail for confidentiality, integrity or availability are greater
otherwise (this is because security is evaluated on a pass/fail than zero, the mission aggregate security index consequently
scale, while cost follows the user-defined three-band ranking evaluates to a fail score on security overall.
explained in detail below).
Mission performance is constrained through four threshold TABLE V
values, p1latency , p2latency , p1throughput , p2throughput , that M AIN M ISSION M ODEL CONCEPTS
describe lower and upper allowable thresholds for percentage Resource Description
overhead rates on latency and throughput. Not all mission- Mission Description of mission requirements over data flows
critical data flows must specify a lower and upper threshold, Requirement Specifies thresholds for cost and minimum security
and, if there is no requirement on a data flow, user-configurable requirements for a data flow
MetricType Type of mission metrics
default threshold values will be used. These thresholds are Integrity ⇢ MetricType. Security constraint
used to define the following three bands: Availability ⇢ MetricType. Security constraint
• Normal (platency < p1latency ): The mission operates Confidentiality ⇢ MetricType. Security constraint
Latency ⇢ MetricType. Cost constraint via performance impact
within normal parameters, i.e. the greatest latency penalty Throughput ⇢ MetricType. Cost constraint via performance impact
incurred is still less than the lower threshold.
• Degraded (p1latency <= platency < p2latency ): The
mission can continue, though with sub-optimal outcomes,
E. Defense Model
i.e. the greatest latency penalty incurred is more than the
lower threshold but less than the maximum allowable. The defense models describe which static and dynamic
• Fail (p2latency < platency ): The mission cannot continue defenses are in place, what elements of the system they protect,
and misses objectives, i.e. the greatest latency penalty what types of coverage they provide, and what cost is incurred.
incurred exceeds the maximum allowed and the mission A single defense model can incorporate multiple defenses.
performance will be unacceptable. Table VI shows the main concepts associated with models of
For example, the user can specify that a latency penalty of cyber defenses. Different defenses operate over different types
up to 10% is acceptable if it allows for a more sophisticated of nodes and thus the coverage relationship from a defense
defense to be deployed with a mission, but a latency penalty has a range of type Entity, which in the ASR ontologies
of 40% or more leads to unacceptable delays and jeopardizes inheritance hierarchy is the parent of all system-level nodes
the mission. In this case, if the cumulative latency along some (processes, hosts, NICs, etc.). In this way, MTDs from Address
mission-critical data flows does not exceed 110% of the normal Space Layout Randomization (ASLR) to IP Hopping can all
value, these data flows are rated as normal; if the latency integrate with the system model in a uniform manner, despite
exceeds 110% but is below 140%, corresponding data flows the fact that they protect very different elements. Defenses
are rated as degraded; and if the latency is over 140% of can be modeled both abstractly, such as a generic definition
the original value, those data flows are rated as fail. The for a firewall, and at the specific implementation level (e.g.,
throughput calculations are analogous, with the exception that IPTables).
a penalty means a decrease, not an increase, in throughput. Thanks to the ability of OWL to incorporate inheritance,
Mission security requirements specify any required secu- we can reap the benefits of reuse. We can define a generic
rity attributes, which are delineated among confidentiality, IP hopping MTD that describes the capabilities and require-
integrity, and availability. Not all mission-critical data flows ments common to all IP hopping defenses, and extend this
must specify a security requirement and if no requirement definition to minimize the effort needed to model any specific
is specified, the data flow is not considered when evaluating implementations of an IP hopping defense. We can even
mission security. Security metrics are evaluated on a binary
scale where a data flow either meets its security requirement
TABLE VI
or violates it. A data flow is considered to violate a security M AIN D EFENSE M ODEL CONCEPTS
requirement if an attack step can compromise that requirement.
For example, since all attack steps are categorized using Resource Description
STRIDE, if an attack step contributes to a denial of service on Defense Description of cyber defense mechanism
DefenseType Categorization into different types of defenses
a data flow and that data flow has an availability requirement, Cost Characterization of the overhead defense incurred
the requirement is violated. If the same data flow also has Degradation ⇢ Cost. Reduction in metric.
confidentiality or integrity requirements, those are evaluated Requirement Prerequisite requirements for installing the defense
Setup Description of the defense’s configurable items
separately with respect to other attack steps that might compro- Protection Security guarantees provided by the defense
mise them. If at least one mission-critical data flow is found to Reconfiguration- Description of dynamic behavior associated with
violate a security-related requirement, that requirement is rated Detail MTDs
as fail for the entire mission. For example, if there are three ProtectionDetail Description of target entities being covered by defense
Randomization- Description of the randomization space
data flows with integrity requirements and only one of them Detail
violates a requirement, then the mission still gets a fail score
STIDS 2016 Proceedings Page 14
�analyze this generic instance without reference to a specific
implementation to provide insight into how the entire class of
defenses operates. In order to support the dynamic nature of
MTDs, the defense model provides support for the proactive
elements of a defense to be described. An IP hopping MTD
may be configured to change IP addresses of the included
NICs every 5 minutes, for example.
Our current approach divides MTDs into three main kinds,
and Table VII shows the set of proactive defenses currently
modeled in ASR that cover two of the three categories:
1) Time-bound observable information on targets. In this Fig. 4. High-level ASR metrics
category, MTDs place limits on the useful life of in-
formation obtained in an execution step for use in a
later execution step. IP Hopping in the context of TCP metrics are separated into security- and cost-related concerns
Connection flooding is an example of this. along one axis, and along system- and mission-wide metrics
2) Masquerade targets. MTDs in this category make a target along the other axis. Security and cost are frequently at
look like another kind of target, causing an adversary to odds, with higher security necessitating a more expensive
spend extra cycles. OS masquerading is an example of defense. A single value may therefore be misleading to a
this effect. user because it could either represent the ideal case of high
3) Time-bound footholds. MTDs in this category reset the security and low cost, or the clearly undesirable outcome of
escalated privileges that an attacker has built up along low security and high cost. For these reasons, ASR provides
the middle of an attack path. An example of this is the the user with a separate single-value index reflecting the cost
use of virtualization and watchdogs to proactively and of any deployed defenses (the Aggregate Cost Index, ACI)
continuously restart VMs to clear out corruption. and another single-value index reflecting the security score
of the current configuration (the Aggregate Security Index,
ASI). If a mission model is specified, a third index reflecting
TABLE VII
D EFENSES C URRENTLY M ODELED IN ASR the fitness of the configuration with respect to mission goals
is also computed (the Aggregate Mission Index, AMI). The
index metrics are composed of several lower-level metrics,
Name Kind Requires Side Effect
as shown in Figure 5. The desired metrics are specified in
IPHopping Time-bound Network IP changes at
observable Endpoints fixed intervals an OWL ontology, which is user-extensible and customizable.
OS Masquerading Masquerade Host OS image Host OS image The metric computation is done through SPARQL queries for
fake both simple and aggregate metrics, and the Jena API is used
OS Hopping Time-bound Multiple OSs Host changes at
observable compatible with fixed intervals to invoke the metric computation from the ASR server and
applications store the results.
Security Integer Cost Integer
F. Metrics Model Aggregate'Security'Index'(ASI) Aggregate'Cost'Index'(ACI)
• Attacker(Workload: • Latency:
The metrics model enumerates all ASR metrics and defines Minimum(length(of(attack(vectors Overhead(on(critical(flows
• Throughput:
each metric’s name, the domain over which it is executed, • Coverage(over(known(attacks:(
Overhead(on(critical(flows
Number(of(attack(vectors
and the SPARQL query used to compute it. ASR computes a Mission Pass|Degraded|Fail
• Coverage(over(unknown( attacks:
diverse set of both system- and mission-based metrics over a Number(of(entry(points(and(exit(points Aggregate'Mission'Index'(AMI)
configuration. Most metrics are computed by querying other • Probabilistic(time@to@fail:(
• Latency(&(Throughput:
Resource(use(on(critical(flows
models (e.g., to count the total number of listening endpoints Duration(distributions(of(attack(vectors(
• Confidentiality|Integrity|Availability:
and(estimated(probability(of(attack(success
or of attack vectors found). Some metrics are post-processed to Required(security(on(critical(flows
compute statistical attributes such as mean (e.g. to compute the
average estimated duration of an attack vector) or maximum Fig. 5. The ASR index metrics take into account many submetrics
or minimum values (e.g., to find the shortest attack vector).
These metrics are meant to give the user an overview
of how well a system is protected against a set of attacks IV. E XEMPLAR A PPLICATION OF THE O NTOLOGIES
executed by a modeled adversary, as well as what costs (in To evaluate the modeling and reasoning performed by
terms of latency and throughput) are incurred by the modeled ASR, we developed an enterprise information sharing scenario
defenses. To facilitate this cost-benefit analysis, ASR provides involving several servers and both mobile and wired networks.
users with some index metrics that can be used to judge Figure 6 shows the main actors participating in the scenario
a configuration’s fitness at a glance, and compare fitness together with their interactions. An InformationProducer (e.g.,
between alternative solutions. Figure 4 illustrates how the a web camera) is sending videos and still images to a Website,
STIDS 2016 Proceedings Page 15
� Administrator The MNE is plugged into a Mobile Network and there is a
Information Publish:7Video7&7Images network flow coming in over that network that is expressed at
Producer LAN three distinct layers that are linked through the “via” property.
4G7Mobile % 4G Mobile Network from Figure 6
Acme Information demo1:MobileNetwork1
Network
Website LAN Monitor
rdf:type sm:WAN ;
rdf:type owl:Thing ;
sm:contains demo1:MNE1 ; % Information Producer’s MNE
Deliver Query LAN sm:contains demo1:MNE2 . % Acme Website’s MNE
Information Image
Consumer Database % Process-layer data flow from IP1 to ACME1
demo1:pDataFlow1
rdf:type sm:DataFlow ;
rdf:type owl:Thing ;
Mobile Enterprise
% Process on Acme Website defined above
sm:destination demo1:ACME1 ;
Pub/Sub7 Video7&7Images Administration
% Process on Information Publisher from Figure 6
Query7Video7 &7Images Client Server sm:source demo1:IP1 ;
sm:via demo1:nDataFlow1 .
Fig. 6. Example information sharing scenario used to validate the approach % Underlying network-layer data flow
demo1:nDataFlow1
rdf:type sm:DataFlow ;
rdf:type owl:Thing ;
which in turn disseminates both video and images to two sm:destination demo1:Endpoint2 ;
sm:source demo1:Endpoint1 ;
clients: an Information Consumer over a 4G mobile network sm:via demo1:gDataFlow1 .
and an Information Monitor over a Local Area Network. The
% Underlying physical-layer data flow
Website is connected to an Image Database for persistence of demo1:gDataFlow1
images received. Finally, an Administrator can change settings rdf:type sm:DataFlow ;
rdf:type owl:Thing ;
on the Website through an administrative client. sm:destination demo1:MNE2 ;
sm:source demo1:MNE1 .
A. Instance Models
Transcription of the components mentioned in the scenario An Internet Protocol Address randomization (IP Hopping)
involves creating instance models that are consistent with the defense is installed to cover the data flow between Endpoint 1
ASR ontologies. To do this, we first define prefix shortcuts for (the Information Producer) and Endpoint2, the Acme Website.
name spaces as follows, using TURTLE: The defense adds an additional data flow and processes for
key synchronization. It also specifies necessary setup and
@prefix demo1: .
@prefix def: . configuration details and the incurred costs.
@prefix sm: .
def:IPHopping1
@prefix IPHop: .
rdf:type def:Defense ;
@prefix owl: .
def:adds IPHop:DataFlow_pKeySharing ;
@prefix rdf: .
def:adds IPHop:IPHoppingProcess_ACME ;
@prefix xsd: .
def:adds IPHop:IPHoppingProcess_InfoProducer ;
def:atCost IPHop:Cost_1 ;
The “Acme Website” host and its components can be def:provides IPHop:Protection_1 ;
expressed as: def:requires IPHop:Setup_1 .
% Acme Website from Figure 6 IPHop:Protection_1
demo1:AcmeServer1 rdf:type def:Protection ;
rdf:type sm:Host ; def:for demo1:Endpoint1 ;
rdf:type owl:Thing ; def:for demo1:Endpoint2 ;
sm:contains demo1:Endpoint2 ; def:inSupportOf def:Confidentiality ;
sm:contains demo1:ACME1 ; def:inSupportOf def:Discoverability ;
sm:hasImage demo1:OperatingSystem_1 . def:through def:Randomization ;
def:withSpecific IPHop:RandomizationDetail_1 .
% Process running on the Acme Website Server
demo1:ACME1 IPHop:RandomizationDetail_1
rdf:type sm:Process ; rdf:type def:RandomizationDetail ;
rdf:type owl:Thing ; def:disruptionLatency "5"ˆˆxsd:float ;
sm:connectsTo demo1:Endpoint2 . def:interval "10000"ˆˆxsd:float ;
def:space 6 .
% NetworkEndpoint that ACME1 process connectsTo
demo1:Endpoint2 IPHop:Setup_1
rdf:type sm:ListeningEndpoint ; rdf:type def:Setup ;
rdf:type sm:NetworkEndpoint ; def:includes demo1:Endpoint1 ;
rdf:type owl:Thing ; def:includes demo1:Endpoint2 .
sm:connectsTo demo1:MNE2 ;
sm:hasResource sm:FileDescriptorPool_1 . IPHop:Cost_1
rdf:type def:Cost ;
% Acme Website’s MNE on the 4G Mobile Network def:impactOn IPHop:Latency_1 .
demo1:MNE2
rdf:type sm:MNE ; IPHop:Latency_1
rdf:type owl:Thing . rdf:type def:MetricType ;
STIDS 2016 Proceedings Page 16
� def:forProperty def:Latency ; probability of success of attack steps and vectors is computed
def:increase "0.3"ˆˆxsd:float ;
def:on demo1:nDataFlow1 .
using the underlying ontologies.
For this example, suppose an attack step requires from 1 to
Further details and content for the remaining models, in- 4 seconds to be successful (the duration distribution is part of
cluding attack steps, adversary, metrics, and mission, are the attack model) and we have a defense that hops every 1 to
included in the appendix to this paper and available at https: 3 seconds (this information is in the defense ontology). If the
//ds.bbn.com/projects/asr.html . defense hops before the attack finishes, then the defense wins,
else the attacker wins. Let us assume (for ease of computation)
B. Quantification Results
that both the attack step duration and the defense hopping
To first step in quantifying an attack surface is creating a interval are uniform random variables, which means that any
configuration containing the five model types and the metrics: number in the stated time range is equally likely and this will
C = (system, def ense, attack, adversary, mission, metrics) be captured in the sample data points. We also assume that
The purpose of this evaluation was to study the impact of these random variables are independent; intuitively this means
varying the hopping interval of one particular IP Hopping that the attacker cannot detect when a hop has occurred and
defense between slow and fast. To achieve this, we created launch the attack immediately after the hop (which would
three separate configurations where the only variable was the give the attacker an unfair advantage). For this example, the
defense, as follows: probability density function for attack time needed will be
1) Cbase = (sm1, ?, as1 , ap1 , mi1 , me1 ) • pattackDuration (x) = 3 8x | 1 x 4, and
1
2) Cdef 1 = (sm1 , IP HopSlow, as1 , ap1 , mi1 , me1 ) • pattackDuration (x) = 0 8x | x > 4 or x < 1.
3) Cdef 2 = (sm1 , IP HopF ast, as1 , ap1 , mi1 , me1 ) Similarly for defense we approximate
Analyzing these three configurations using the ASR reason-
• pdef enseHoptime (y) = 2 8y | 1 y 3, and
1
ing algorithms [2] yields the results shown in Table VIII. As a
• pdef enseHoptime (y) = 0 8y | y > 3 or y < 1.
reminder, these index metrics are computed as weighted sums
of several terms, as shown in Figure 5. Note that IP HopSlow PLastly, the probability that the defense wins is computed as:
in Cdef 1 and IP HopF ast in Cdef 2 both add considerable (pattackDuration (x) ⇥ pdef enseHoptime (y)), 8x, y | x > y,
cost compared to the base configuration, which contains no which equals %66.7. Graphically, this is the normalized area
defense. This makes sense intuitively, since the latency penalty to the right of the line y = x in Figure 7, which represents the
incurred by a defense with a shorter randomization interval probability that the defense hops faster than attacker is able
(in this case, an IP Hopping defense that hops faster) is to successfully complete his attack.
higher than the latency incurred by a defense with a longer
randomization interval. The base configuration has no defenses
deployed, so there is no latency penalty incurred and its ACI
is therefore 0.
TABLE VIII
R ESULTS OF A NALYSIS P ERFORMED ON C ONFIGURATIONS
Config ASI ACI AMI
Cbase 49.55 0 FAIL
Cdef 1 51.03 15.0 FAIL
Cdef 2 121.4 21.25 FAIL
Cmin MAX 21.25 DEGRADED
Fig. 7. A graphical representation of probability reasoning in ASR. The x axis
represents the randomization interval of the defense. The y axis represents the
Also note that as IP HopSlow in Cdef 1 does not offer a duration distribution of an attack step that the defense is protecting against.
significant security gain over the base configuration whereas
IP HopF ast in Cdef 2 doubles the ASI with respect to the In addition to computing metrics, the ontologies are pivotal
base model. This is because in addition to submetrics that for another important innovation of ASR, its ability to semi-
are computed over the base ontological models and do not automatically minimize attack surfaces [2]. Minimization is
change between the two configurations (such as the number supported through inspection and inference over all ontologies
of entry and exit points), the ASI also takes into account the in a configuration. Two different modalities of attack surface
probabilistic vector impact, which consists of vector dura- minimization are supported:
tion distributions and their estimated probability of success. • System minimization can find either entities that are not
Intuitively, it makes sense that an IP Hopping defense that used within a system model (for instance an extraneous
hops more frequently would provide better protection against listening endpoint that no other endpoint connects to).
a comparable adversary, since the adversary would have less • Mission minimization, if a mission model is specified for
time to complete a successful attack and would therefore be a configuration, can find entities that are not defined to
less likely to succeed. Figure 7 gives a primer on how the be mission-critical (e.g., an administrative interface that
STIDS 2016 Proceedings Page 17
� is only used for the initial configuration of the system V. C ONCLUSION
and never used during a mission). While it is common understanding that systems have attack
Using the ontological models comprising a configuration surfaces and that those surfaces need to be minimized, the cy-
and these two minimization modalities, ASR identifies all ber security community has until now lacked a structured and
entities that can be safely removed and presents them to the generalizable approach for modeling attack surfaces and ex-
user for selection. The user can select any or all of these pressing associated security, cost, and mission impacts through
entities to remove, and can save the minimized configuration concrete metrics. This paper presents ontologies including
for further inspection and analysis. Because removed entities semantic models of attacks, systems, defenses, missions, and
may connect to other entities within the ontologies (e.g., an metrics, and supporting algorithms that quantify and minimize
unused endpoint that is removed may result in an unnecessary attack surfaces. An application of the ontologies on a concrete
process and its containing host, if they are not used for information-sharing demonstration scenario is also presented.
any other purposes), a second round of minimization may Next steps include extending coverage of the defense mod-
be necessary to remove all extraneous entities. The fourth els beyond MTDs to include more traditional defenses, e.g.,
configuration, Cmin , in Table VIII is the fully minimized (i.e. firewalls, VPNs, and host- and network-intrusion prevention
with all extraneous and non-mission-critical entities removed) systems. Furthermore, we plan to generate system models of
version of Cdef 2 . Since the minimized configuration no longer realistic size systems, such as a model of the BBN network,
contains all the entities that are not necessary (for instance, which comprises hundreds of machines. Finally, we plan to
the Administrator host and associated processes, endpoints, improve the ontologies by including feedback provided by the
and data flows), it has fewer entry points for an adversary to cyber security research community.
exploit and results in a higher security metric.
In all but the Cmin configuration, the Aggregate Mission R EFERENCES
Index, AMI, is “FAIL.” This is because none of them com- [1] M. Atighetchi, B. Simidchieva, M. Carvalho, and D. Last. Experimen-
pletely eliminate the attack vectors that threaten mission- tation support for cyber security evaluations. In Proceedings of the 11th
Annual Cyber and Information Security Research Conference, page 5.
critical resources. Only after minimization are all vectors are ACM, 2016.
eliminated (thus the ASI score of “MAX”). The AMI is a [2] M. Atighetchi, B. Simidchieva, N. Soule, F. Yaman, J. Loyall, D. Last,
single rating of mission health with respect to both security D. Myers, and C. B. Flatley. Automatic quantification and minimization
of attack surfaces. In The 27th Annual IEEE Software Technology
and cost and a single failing score on any requirement results Conference (STC), October 2015.
in a failing score for the AMI. After minimization, the AMI [3] N. Ben-Asher, A. Oltramari, R. F. Erbacher, and C. Gonzalez. Ontology-
improves from the initial “FAIL” score (initially the mission based adaptive systems of cyber defense. In STIDS, 2015.
[4] S. Fenz, T. Pruckner, and A. Manutscheri. Ontological mapping of
fails because of violated security requirements on mission- information security best-practice guidelines. In Business Information
critical flows) to a “DEGRADED” score (the mission now Systems, pages 49–60. Springer, 2009.
passes all security requirements, but is “DEGRADED” on [5] S. N. Foley and W. M. Fitzgerald. Management of security policy
configuration using a semantic threat graph approach. Journal of
cost requirements). Intuitively, we have removed the security Computer Security, 19(3):567–605, 2011.
vulnerabilities that threatened the mission through deploying [6] A. Herzog, N. Shahmehri, and C. Duma. An ontology of information
a faster defense and minimizing the attack surface. However, security. International Journal of Information Security and Privacy
(IJISP), 1(4):1–23, 2007.
the improvement is only partial (the mission’s rating is still [7] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang. Mov-
“DEGRADED,” not “PASS”) due to the increased latency ing target defense: creating asymmetric uncertainty for cyber threats,
penalties incurred on mission-critical flows by an IP Hopping volume 54. Springer Science & Business Media, 2011.
[8] L. Kohnfelder and G. Praerit. The Threats To Our Products, Apr. 1999.
defense that hops more frequently. [9] M. Loeb. Cybersecurity talent: Worse than a skills shortage, its a critical
We evaluated the runtime of the analysis algorithm with gap. The Hill, Apr. 2015.
randomly generated models where the complexity of the [10] L. Obrst, P. Chase, and R. Markeloff. Developing an ontology of the
cyber security domain. In STIDS, pages 49–56, 2012.
models (i.e. number of hosts and other system entities and [11] H. Okhravi, M. Rabe, T. Mayberry, W. Leonard, T. Hobson, D. Bigelow,
the number of available attack steps) vary in a controlled way. and W. Streilein. Survey of cyber moving targets. Massachusetts Inst
The points on the graph are averages of 5 runs for the same of Technology Lexington Lincoln Lab, No. MIT/LL-TR-1166, 2013.
[12] A. Oltramari, L. Cranor, R. Walls, and P. McDaniel. Building an
complexity configurations. The analysis time was measured on ontology of cyber security. In 9th Conference on Semantic Technologies
a MacBook Pro 2.8 GHz Intel Core i7 with 16 GB of RAM. for Defense, Intelligence and Security. Citeseer, 2014.
Analysis Time [13] S. Ramanauskaitė, D. Olifer, N. Goranin, and A. Čenys. Security
400 ontology for adaptive mapping of security standards. International
350
300
Journal of Computers, Communications & Control (IJCCC), 8(6):813–
250 825, 2013.
Time (sec)
200 [14] A. Razzaq, Z. Anwar, H. F. Ahmad, K. Latif, and F. Munir. Ontology
6 a*ack steps
150 for attack detection: An intelligent approach to web application security.
3 atack steps
100 computers & security, 45:124–146, 2014.
50
0
[15] M. B. Salem and C. Wacek. Enabling new technologies for cyber
100 200 300 400 500 security defense with the icas cyber security ontology. In STIDS, 2015.
Number of hosts [16] A. Shostack. Threat modeling: Designing for security. John Wiley &
Sons, 2014.
Fig. 8. ASR analysis runtime over system models of varying complexity
STIDS 2016 Proceedings Page 18
�