Using Ontologies to Quantify Attack Surfaces

Michael Atighetchi, Borislava Simidchieva, Fusun Yaman
Raytheon BBN Technologies, Cambridge, MA 02138 USA
{matighet | simidchieva | fusun}@bbn.com

Thomas Eskridge, Marco Carvalho
Florida Institute of Technology, Melbourne, FL 32901 USA
{teskridge | mcarvalho}@fit.edu

Captain Nicholas Paltzer
Air Force Research Laboratory, Rome, NY 13441 USA
nicholas.paltzer@us.af.mil

Distribution Statement "A" (Approved for Public Release, Distribution Unlimited).

Abstract—Cyber defenders face the problem of selecting and configuring the most appropriate defenses to protect a given network of systems supporting a certain set of missions against cyber attacks. Cyber defenders have very little visibility into security/cost tradeoffs between individual defenses and a poor understanding of how multiple defenses interact, which, in turn, leads to systems that are insecure or too overloaded with security processing to provide necessary mission functionality. We have been developing a reasoning framework, called Attack Surface Reasoning (ASR), which enables cyber defenders to explore quantitative tradeoffs between security and cost of various compositions of cyber defense models. ASR automatically quantifies and compares cost and security metrics across multiple attack surfaces, covering both mission and system dimensions. In addition, ASR automatically identifies opportunities for minimizing attack surfaces, e.g., by removing interactions that are not required for successful mission execution. In this paper, we present the ontologies used for attack surface reasoning. In particular, this includes threat models describing important aspects of the target networked systems together with abstract definitions of adversarial activities. We also describe modeling of cyber defenses with a particular focus on Moving Target Defenses (MTDs), missions, and metrics. We demonstrate the usefulness and applicability of the ontologies by presenting instance models from a fictitious deployment, and show how the models support the overall functionality of attack surface reasoning.

Fig. 1. The proposed approach computes attack surface metrics, provides structured support for deployment of (and experimentation with) wrapped defenses, and automates the defense selection and configuration process. (Left panel, "Current State of the Art of Cyber C2": manual selection and configuration of cyber defenses, unknown security metrics, manual trial & error. Right panel, "With Reasoning and Characterization": automatically select and configure appropriate cyber defenses, compute attack surface metrics, intelligently execute experiments.)

I. INTRODUCTION

Cyber security remains one of the most serious challenges to national security and the economy that we face today. Systems employing well-known but static defenses are increasingly vulnerable to penetration from determined, diverse, and well-resourced adversaries launching targeted attacks such as Advanced Persistent Threats (APTs).

Due to the heavy focus on cyber security technologies in both commercial and government environments over the last decade, an overwhelming array of cyber defense technologies has become available for cyber defenders to use. As the number and complexity of these defenses increase, cyber defenders face the problem of selecting, composing, and configuring them, a process which to date is performed manually and without a clear understanding of integration points and risks associated with each defense or combination of defenses.

As shown in Figure 1, the current state-of-the-art approach for selecting and configuring cyber defenses is manual in nature and is often done without a clear understanding of security metrics associated with attack surfaces. Due to the talent shortage in cyber security Subject Matter Experts (SMEs) [9], this introduces significant delays and cost.

The reasoning framework presented in this paper aims to significantly improve the level of rigor and automation associated with selection and configuration of cyber defenses. Using an ontologically grounded definition of an attack surface, the framework contains algorithms to find all applicable attack vectors and compute metrics for the security and cost impact of adding cyber defenses to target systems. Using models of key mission processes and their interactions, the analysis extends observations about system-level components to the resulting impact on execution of mission-critical workflows. Finally, the framework combines measurement, modeling, and analysis with testing of software artifacts through the use of a virtualized test infrastructure [1]. Experimental validation of analysis results on real systems with real defense implementations establishes the usefulness and validity of the approach.

Figure 2 illustrates how the Attack Surface Reasoning (ASR) framework captures models of underlying systems, cyber defenses, and missions in the form of unified models. These models are augmented by other models that describe adversary constraints, potential attack steps, and definitions of security and cost metrics. ASR provides two categories of algorithms: attack surface characterization and minimization. The characterization algorithm constructs attack vectors and calculates security and cost metrics. The minimization algorithm uses system and mission information to identify opportunities for pruning unnecessary access paths to reduce the attack surface.
This material is based upon work supported by the Air Force Research Laboratory under Contract No. FA8750-14-C-0104.

STIDS 2016 Proceedings Page 10

Using the models, algorithms, and metrics, cyber defenders can compare various deployments of proactive cyber defenses in a quantitative manner and contrast tradeoffs between security benefits and performance overhead. As such, ASR provides a foundational capability in support of an envisioned cyber planning tool that automatically suggests and configures defenses given mission executions over systems.

Fig. 2. The Attack Surface Reasoning (ASR) framework

This paper describes the ontologies used to model systems, cyber defenses, adversarial capabilities, and mission constraints. Validation of the approach focuses on a specific class of proactive cyber defenses, Moving Target Defenses (MTDs) [7], [11]. MTDs claim to make entry points into networks and systems harder to detect, thereby reducing vulnerabilities and making the exposure to those vulnerabilities that remain more transient. This introduced dynamism ought to render attacks against MTD-protected systems less effective, but few quantitative results are available to date, which makes MTDs a prime choice for quantification.

The rest of the paper is organized as follows. Section II describes related work in threat modeling and analysis. Section III describes the set of ontologies we developed to support attack surface reasoning. Section IV reports on the validation results of applying the ontologies to cyber defense operations of a small enterprise network. Section V concludes the paper.

II. RELATED WORK

The ontologies presented in this paper relate to several approaches for modeling cyber security systems and observables.

A. Security Standards

A number of different taxonomies exist for describing cyber security related information. For threat information, this set of standards includes the Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), Malware Attribute Enumeration and Characterization (MAEC), Structured Threat Information eXpression (STIX), and Common Attack Pattern Enumeration and Classification (CAPEC). Taxonomies in use for system modeling include the Cyber Observable eXpression (CybOX) and the Common Information Model (CIM). These standards focus on capturing detailed information about system observables, cyber security events, indicators of compromise, and vulnerabilities for the purposes of sharing specific threat information (to yield enhanced intrusion detection) and eliminating existing vulnerabilities (through continuous patching). In contrast, the ASR ontologies are expressed at a higher level of abstraction and focus on design-level assessments of attack surfaces. Another difference is that the ASR ontologies are expressed in OWL, while the community standards mentioned above are prescribed in XML. Finally, the above-mentioned standards focus on system and adversary modeling, but provide no structured means for representing cyber defense capabilities. In contrast, ASR contains a specific defense ontology describing the protection provided by defenses and the cost associated with various defense configurations.

B. Security Ontologies

A number of different ontologies exist for expressing security-related properties, including [6] and [4], as summarized in [13]. [5] applies semantic threat and defense modeling to identify proper firewall configurations. [14] develops an ontology for the HTTP protocol as well as attacks against web applications (using HTTP), and then uses a separate ontology for finding attack vectors. [10] focuses on a review of existing cyber security taxonomies and ontologies and points out several existing models; however, the review does not list any ontologies for cyber defenses. [15] describes an extensive ontology supporting forensic activities across disparate data sources. Finally, work on modeling cyber defense decision processes [3], [12] provides ontology support for learning and extracting cyber defense workflows and decision procedures. The ASR ontologies are in large part inspired by the STRIDE threat-modeling approach [16] used by Microsoft. One key difference to existing ontologies is the focus on abstract architectural concepts and high-level adversarial objectives.

III. ONTOLOGIES

The attack surface reasoning algorithms operate over a set of models that together describe the system under examination, its defenses, the assumed capabilities and starting point(s) of the adversary, and optionally a mission or set of missions which may operate over the defined system. In addition, the set of metrics to be computed is itself described in a model to allow for easy extension and modification by the user.

ASR models are defined in the World Wide Web Consortium (W3C) Web Ontology Language (OWL). Using a semantic web substrate provides a number of benefits, including:
• Scalability: the OWL language and supporting tools allow for scaling to very large models;
• Inference: OWL ontologies encode meaning in a formal way, which enables inferring new facts from existing data;
• Cross-domain integration: OWL ontologies can connect disparate domains without contaminating the sources;
• Standards and community: OWL and associated languages such as the Resource Description Framework (RDF) and the SPARQL Protocol And RDF Query Language (SPARQL) provide interoperable libraries and tooling, and active practitioner communities; and
• Relative maturity: semantic web languages provide tested algorithms, established terminology, and relatively mature libraries. Tooling with predictable performance both within and beyond the laboratory setting is also available.

One of the key challenges of modeling distributed systems is to identify the level of abstraction most appropriate for the modelers who will create the models, the algorithms that will operate over them, and the results that are provided to stakeholders. Modeling at the extreme of precision allows exact answers to be derived, but creates models that are difficult to accurately create and to keep up to date, and leads to analysis outcomes that are brittle as the system changes. On the other hand, modeling at too coarse a level of abstraction leads to easily created models, but models that can tell interested parties little about questions of importance.

We took a middle road with ASR. A number of the concepts, and the level of granularity, were modeled after the Microsoft STRIDE [8] threat-classification framework and related modeling languages described in [16]. STRIDE expresses system concepts through abstract concepts including processes, data flows, boundaries, external entities, and data stores. We model the different aspects of an attack surface separately in order to facilitate modularity and extensibility. Table I lists the six ontological models used in ASR and summarizes their content.

TABLE I
ASR USES A COLLECTION OF MODELS TO QUANTIFY ATTACK SURFACES

Model — Concepts
System — System components and their relationships; e.g., computational entities, boundaries, and data flows
Attack — Generic attack logic as individual steps, vectors, and templates
Adversary — Adversarial starting position and goal
Mission — Mission-relevant system elements and key performance metrics
Defense — Cyber defense capabilities in terms of protections provided plus associated costs
Metric — Metrics for security, cost, and mission impact

A. System Model

System models describe the business system against which attacks can be executed and within or around which defenses can be deployed. These models detail the hosts in the system, the networks that connect these hosts, and the processes that run on them. Data flows are modeled here at three different layers: process, network, and physical. The three layers are interconnected in the model such that one can determine for a given process-layer data flow that the described data is sent out through a given endpoint at the network layer, which in turn is bound to a particular network interface card (NIC) at the physical layer. Table II describes the main resource types associated with the system model ontology.

TABLE II
MAIN SYSTEM MODEL CONCEPTS

Resource — Description
Entity — General concept
Boundary — Trust realm for unrestricted access within a boundary
VerticalBoundary — subclassOf Boundary describing a realm crossing layers
HorizontalBoundary — subclassOf Boundary describing a realm on a single layer
Host — subclassOf VerticalBoundary representing a computer system
WAN — subclassOf HorizontalBoundary representing a wide area network
VLAN — subclassOf HorizontalBoundary representing a virtual local area network
Layer — Logical layering of functionality into three main layers
NetworkLayer — subclassOf Layer describing network entities and interactions
PhysicalLayer — subclassOf Layer describing physical entities
ProcessLayer — subclassOf Layer describing application-level components and interactions
DataFlow — Flow of bits between two entities
DataStore — Persistent store of information
External — An entity that is external to the system
User — subclassOf External describing human actors
NetworkEndpoint — Sockets used in network connections
NIC — Network Interface Card
Process — Operating system process
Resource — Shared resource with certain capacity

The following properties have specific meaning:
• contains: expresses a membership relationship between two Entities. For instance, a Host contains Processes and a VLAN contains NICs.
• connectsTo: expresses a data or control flow link between two Entities. For instance, a User connects to a Process, a Process connects to a NetworkEndpoint, and a NetworkEndpoint connects to a NIC.
• via: expresses a link between hierarchical data flows. For example, a process-layer flow is realized via a network-layer flow, which itself happens via a physical-layer flow.

B. Attack Model

The attack model describes the generic activities performed by adversaries as a collection of potential attack steps. Table III describes the main resource types associated with the attack model ontology. Each attack step definition comprises a number of attributes that specify an attack type (modeled via the six high-level types of attacks whose initials define STRIDE), the pre-conditions necessary for the attack step to execute, and the post-conditions that hold once the attack step executes successfully. Figure 3 shows an example of an attack step definition that represents network sniffing, and Table IV shows the set of attack step definitions that are currently modeled in ASR, using the STRIDE attack types from Table III.

TABLE III
MAIN ATTACK MODEL CONCEPTS

Resource — Description
AttackStep — A specific instance of adversarial activity. Attack vectors consist of collections of linked attack steps.
AttackStepDefinition — A reusable generic description of an adversarial activity. Attack steps are derived from definitions.
AttackVectorElement — Ordering and context around an AttackStep to form an AttackVector
AttackVector — Ordered execution of AttackSteps
AttackTemplate — A templatized version of an attack vector
Attacker — Captures aspects of the expected adversary, including the starting position
SideEffect — As part of executing this attack, these specific facts are added to the model
AttackType — The type of attack being executed
Spoofing — subclassOf AttackType. Illegally accessing and then using another user's authentication information
Tampering — subclassOf AttackType. Malicious modification of data
Repudiation — subclassOf AttackType. Denying performing an action without other parties having any way to prove otherwise
InformationDisclosure — subclassOf AttackType. Exposure of information to individuals who are not supposed to have access to it
DenialOfService — subclassOf AttackType. Denying service to valid users
ElevationOfPrivilege — subclassOf AttackType. An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system

Fig. 3. Example of an attack step that performs a network sniffing action

TABLE IV
ATTACK STEPS CURRENTLY MODELED IN ASR

Name | Type | Pre-Condition | Post-Condition
Sniff | Information Disclosure | Access to network | Knowledge about observed network flows
PortScan | Information Disclosure | Network reachability | Knowledge about listening sockets
TCPConFlood | Denial of Service | Network reachability & knowledge about the target endpoint | Depletes file descriptors at a given rate
OSFingerPrint | Information Disclosure | Knowledge on listening socket on a host | Knowledge about host OS specifics
GetRoot | Elevation of Privilege | Knowledge on host OS and listening socket | Root privilege on host
ShutDownServer | Denial of Service | Knowledge on host OS and listening socket; root privilege on host | Server unavailable

C. Adversary Model

The adversary model contains the following information:
• Starting Position: A reference to an entity in the system model that describes the starting privilege an adversary has for the purpose of a specific assessment.
• Target Goal: Information about the type of attack and the intended target of the attack.
• Attack Vector Template: Preconceived structure of attack vectors specifying sequences of types of attack steps that have not been bound to specific instances.

Given these assumptions about the adversary, ASR will automatically identify all applicable attack vectors as a partially ordered sequence of bound attack steps.

D. Mission Model

Mission models describe mission-critical flows between actors and services at the application layer. The mission models are a strict subset of process-layer system entities and data flows contained in the system model. Table V shows the main concepts in the ASR mission models. Mission metrics evaluate the fitness of a specific mission within the context of a collection of other models. Like system metrics, mission metrics are evaluated along the two dimensions of cost and security, and mission-critical flows can specify requirements on the cost and security of information exchanges. Most mission metrics are rated on a normal, degraded, fail scale. To allow for quick and easy comparison of mission metrics among multiple configurations, we provide a mission aggregate cost index (ACI) and a mission aggregate security index (ASI), which return the minimum score along all cost or security concerns, respectively (i.e., if a single data flow fails a cost or security requirement, the mission aggregate cost or security index indicates a fail also). The individual metrics are provided for comparison purposes so that it is easy for the user to distinguish between a configuration that only has one or two poorly performing components for this mission, and an overall equally rated configuration whose every component is rated degraded or fail for this mission. Finally, the mission security and cost metrics are folded into an aggregate mission index (AMI), similar to the ACI and ASI.
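The adversary assumptions above are what drive automatic vector construction. As a rough illustration only (this is not the ASR implementation: the fact vocabulary and the depth-first strategy are our own assumptions, and only the step names and their pre-/post-conditions loosely follow Table IV), pre-conditions can be chained forward from the starting position until the target goal is reached:

```python
# Illustrative sketch: chain attack step definitions into attack vectors
# by matching each step's pre-conditions against facts established so far.
# Fact names are invented for this sketch; steps loosely follow Table IV.

STEP_DEFS = {
    # name: (pre-conditions, post-conditions)
    "Sniff":          ({"network_access"}, {"knows_flows"}),
    "PortScan":       ({"network_access"}, {"knows_sockets"}),
    "OSFingerPrint":  ({"knows_sockets"}, {"knows_os"}),
    "GetRoot":        ({"knows_os", "knows_sockets"}, {"root"}),
    "ShutDownServer": ({"knows_os", "knows_sockets", "root"}, {"server_down"}),
}

def attack_vectors(start_facts, goal, max_len=6):
    """Enumerate ordered step sequences whose post-conditions reach the goal."""
    vectors = []

    def search(facts, path):
        if goal in facts:
            vectors.append(path)          # goal reached: record this vector
            return
        if len(path) >= max_len:
            return
        for name, (pre, post) in STEP_DEFS.items():
            # A step is applicable when all of its pre-conditions hold.
            if name not in path and pre <= facts:
                search(facts | post, path + [name])

    search(frozenset(start_facts), [])
    return vectors

vecs = attack_vectors({"network_access"}, "server_down")
shortest = min(vecs, key=len)
```

Under these assumptions, the shortest vector for a "server unavailable" goal is PortScan, OSFingerPrint, GetRoot, ShutDownServer, reflecting the dependency ordering implied by the pre- and post-conditions; ASR performs the equivalent search over OWL individuals rather than Python sets.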
The value of the AMI STIDS 2016 Proceedings Page 13 is fail if either the mission aggregate security or cost indices for integrity. If any of the individual percentages of data flows evaluates to fail, and equals the mission aggregate cost rating that fail for confidentiality, integrity or availability are greater otherwise (this is because security is evaluated on a pass/fail than zero, the mission aggregate security index consequently scale, while cost follows the user-defined three-band ranking evaluates to a fail score on security overall. explained in detail below). Mission performance is constrained through four threshold TABLE V values, p1latency , p2latency , p1throughput , p2throughput , that M AIN M ISSION M ODEL CONCEPTS describe lower and upper allowable thresholds for percentage Resource Description overhead rates on latency and throughput. Not all mission- Mission Description of mission requirements over data flows critical data flows must specify a lower and upper threshold, Requirement Specifies thresholds for cost and minimum security and, if there is no requirement on a data flow, user-configurable requirements for a data flow MetricType Type of mission metrics default threshold values will be used. These thresholds are Integrity ⇢ MetricType. Security constraint used to define the following three bands: Availability ⇢ MetricType. Security constraint • Normal (platency < p1latency ): The mission operates Confidentiality ⇢ MetricType. Security constraint Latency ⇢ MetricType. Cost constraint via performance impact within normal parameters, i.e. the greatest latency penalty Throughput ⇢ MetricType. Cost constraint via performance impact incurred is still less than the lower threshold. • Degraded (p1latency <= platency < p2latency ): The mission can continue, though with sub-optimal outcomes, E. Defense Model i.e. the greatest latency penalty incurred is more than the lower threshold but less than the maximum allowable. 
The defense models describe which static and dynamic • Fail (p2latency < platency ): The mission cannot continue defenses are in place, what elements of the system they protect, and misses objectives, i.e. the greatest latency penalty what types of coverage they provide, and what cost is incurred. incurred exceeds the maximum allowed and the mission A single defense model can incorporate multiple defenses. performance will be unacceptable. Table VI shows the main concepts associated with models of For example, the user can specify that a latency penalty of cyber defenses. Different defenses operate over different types up to 10% is acceptable if it allows for a more sophisticated of nodes and thus the coverage relationship from a defense defense to be deployed with a mission, but a latency penalty has a range of type Entity, which in the ASR ontologies of 40% or more leads to unacceptable delays and jeopardizes inheritance hierarchy is the parent of all system-level nodes the mission. In this case, if the cumulative latency along some (processes, hosts, NICs, etc.). In this way, MTDs from Address mission-critical data flows does not exceed 110% of the normal Space Layout Randomization (ASLR) to IP Hopping can all value, these data flows are rated as normal; if the latency integrate with the system model in a uniform manner, despite exceeds 110% but is below 140%, corresponding data flows the fact that they protect very different elements. Defenses are rated as degraded; and if the latency is over 140% of can be modeled both abstractly, such as a generic definition the original value, those data flows are rated as fail. The for a firewall, and at the specific implementation level (e.g., throughput calculations are analogous, with the exception that IPTables). a penalty means a decrease, not an increase, in throughput. Thanks to the ability of OWL to incorporate inheritance, Mission security requirements specify any required secu- we can reap the benefits of reuse. 
We can define a generic rity attributes, which are delineated among confidentiality, IP hopping MTD that describes the capabilities and require- integrity, and availability. Not all mission-critical data flows ments common to all IP hopping defenses, and extend this must specify a security requirement and if no requirement definition to minimize the effort needed to model any specific is specified, the data flow is not considered when evaluating implementations of an IP hopping defense. We can even mission security. Security metrics are evaluated on a binary scale where a data flow either meets its security requirement TABLE VI or violates it. A data flow is considered to violate a security M AIN D EFENSE M ODEL CONCEPTS requirement if an attack step can compromise that requirement. For example, since all attack steps are categorized using Resource Description STRIDE, if an attack step contributes to a denial of service on Defense Description of cyber defense mechanism DefenseType Categorization into different types of defenses a data flow and that data flow has an availability requirement, Cost Characterization of the overhead defense incurred the requirement is violated. If the same data flow also has Degradation ⇢ Cost. Reduction in metric. confidentiality or integrity requirements, those are evaluated Requirement Prerequisite requirements for installing the defense Setup Description of the defense’s configurable items separately with respect to other attack steps that might compro- Protection Security guarantees provided by the defense mise them. If at least one mission-critical data flow is found to Reconfiguration- Description of dynamic behavior associated with violate a security-related requirement, that requirement is rated Detail MTDs as fail for the entire mission. 
For example, if there are three ProtectionDetail Description of target entities being covered by defense Randomization- Description of the randomization space data flows with integrity requirements and only one of them Detail violates a requirement, then the mission still gets a fail score STIDS 2016 Proceedings Page 14 analyze this generic instance without reference to a specific implementation to provide insight into how the entire class of defenses operates. In order to support the dynamic nature of MTDs, the defense model provides support for the proactive elements of a defense to be described. An IP hopping MTD may be configured to change IP addresses of the included NICs every 5 minutes, for example. Our current approach divides MTDs into three main kinds, and Table VII shows the set of proactive defenses currently modeled in ASR that cover two of the three categories: 1) Time-bound observable information on targets. In this Fig. 4. High-level ASR metrics category, MTDs place limits on the useful life of in- formation obtained in an execution step for use in a later execution step. IP Hopping in the context of TCP metrics are separated into security- and cost-related concerns Connection flooding is an example of this. along one axis, and along system- and mission-wide metrics 2) Masquerade targets. MTDs in this category make a target along the other axis. Security and cost are frequently at look like another kind of target, causing an adversary to odds, with higher security necessitating a more expensive spend extra cycles. OS masquerading is an example of defense. A single value may therefore be misleading to a this effect. user because it could either represent the ideal case of high 3) Time-bound footholds. MTDs in this category reset the security and low cost, or the clearly undesirable outcome of escalated privileges that an attacker has built up along low security and high cost. For these reasons, ASR provides the middle of an attack path. 
An example of this is the the user with a separate single-value index reflecting the cost use of virtualization and watchdogs to proactively and of any deployed defenses (the Aggregate Cost Index, ACI) continuously restart VMs to clear out corruption. and another single-value index reflecting the security score of the current configuration (the Aggregate Security Index, ASI). If a mission model is specified, a third index reflecting TABLE VII D EFENSES C URRENTLY M ODELED IN ASR the fitness of the configuration with respect to mission goals is also computed (the Aggregate Mission Index, AMI). The index metrics are composed of several lower-level metrics, Name Kind Requires Side Effect as shown in Figure 5. The desired metrics are specified in IPHopping Time-bound Network IP changes at observable Endpoints fixed intervals an OWL ontology, which is user-extensible and customizable. OS Masquerading Masquerade Host OS image Host OS image The metric computation is done through SPARQL queries for fake both simple and aggregate metrics, and the Jena API is used OS Hopping Time-bound Multiple OSs Host changes at observable compatible with fixed intervals to invoke the metric computation from the ASR server and applications store the results. Security Integer Cost Integer F. Metrics Model Aggregate'Security'Index'(ASI) Aggregate'Cost'Index'(ACI) • Attacker(Workload: • Latency: The metrics model enumerates all ASR metrics and defines Minimum(length(of(attack(vectors Overhead(on(critical(flows • Throughput: each metric’s name, the domain over which it is executed, • Coverage(over(known(attacks:( Overhead(on(critical(flows Number(of(attack(vectors and the SPARQL query used to compute it. ASR computes a Mission Pass|Degraded|Fail • Coverage(over(unknown( attacks: diverse set of both system- and mission-based metrics over a Number(of(entry(points(and(exit(points Aggregate'Mission'Index'(AMI) configuration. 
Most metrics are computed by querying other • Probabilistic(time@to@fail:( • Latency(&(Throughput: Resource(use(on(critical(flows models (e.g., to count the total number of listening endpoints Duration(distributions(of(attack(vectors( • Confidentiality|Integrity|Availability: and(estimated(probability(of(attack(success or of attack vectors found). Some metrics are post-processed to Required(security(on(critical(flows compute statistical attributes such as mean (e.g. to compute the average estimated duration of an attack vector) or maximum Fig. 5. The ASR index metrics take into account many submetrics or minimum values (e.g., to find the shortest attack vector). These metrics are meant to give the user an overview of how well a system is protected against a set of attacks IV. E XEMPLAR A PPLICATION OF THE O NTOLOGIES executed by a modeled adversary, as well as what costs (in To evaluate the modeling and reasoning performed by terms of latency and throughput) are incurred by the modeled ASR, we developed an enterprise information sharing scenario defenses. To facilitate this cost-benefit analysis, ASR provides involving several servers and both mobile and wired networks. users with some index metrics that can be used to judge Figure 6 shows the main actors participating in the scenario a configuration’s fitness at a glance, and compare fitness together with their interactions. An InformationProducer (e.g., between alternative solutions. Figure 4 illustrates how the a web camera) is sending videos and still images to a Website, STIDS 2016 Proceedings Page 15 Administrator The MNE is plugged into a Mobile Network and there is a Information Publish:7Video7&7Images network flow coming in over that network that is expressed at Producer LAN three distinct layers that are linked through the “via” property. 
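Before turning to the example scenario, the three-band ranking and minimum-score roll-up described for the mission and index metrics can be sketched in a few lines. This is an illustration of the stated semantics only: the thresholds reuse the 10%/40% example above, and the function names are ours, not ASR's (which computes these via SPARQL over OWL models).

```python
# Illustrative only: band thresholds and index roll-up as described in
# the mission and metrics models; names and data layout are assumptions.
RANK = {"fail": 0, "degraded": 1, "normal": 2}

def latency_band(penalty_pct, p1=10.0, p2=40.0):
    """Map a percentage latency overhead onto the normal/degraded/fail bands."""
    if penalty_pct < p1:
        return "normal"
    if penalty_pct < p2:
        return "degraded"
    return "fail"

def aggregate(ratings):
    """Aggregate indices return the minimum score along all concerns."""
    return min(ratings, key=RANK.__getitem__)

def aggregate_mission_index(asi, aci):
    """AMI is fail if either index fails, and equals the cost rating otherwise."""
    return "fail" if "fail" in (asi, aci) else aci

# Three critical flows with latency penalties of 5%, 12%, and 8%:
ratings = [latency_band(p) for p in (5.0, 12.0, 8.0)]
# The single degraded flow drags the aggregate down to "degraded".
```

A single poorly performing flow thus determines the aggregate, which is why the individual metrics are reported alongside the indices.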
which in turn disseminates both video and images to two clients: an Information Consumer over a 4G mobile network and an Information Monitor over a Local Area Network. The Website is connected to an Image Database for persistence of images received. Finally, an Administrator can change settings on the Website through an administrative client.

Fig. 6. Example information sharing scenario used to validate the approach

A. Instance Models

Transcription of the components mentioned in the scenario involves creating instance models that are consistent with the ASR ontologies. To do this, we first define prefix shortcuts for name spaces as follows, using TURTLE:

@prefix demo1: .
@prefix def: .
@prefix sm: .
@prefix IPHop: .
@prefix owl: .
@prefix rdf: .
@prefix xsd: .

The "Acme Website" host and its components can be expressed as:

% Acme Website from Figure 6
demo1:AcmeServer1
    rdf:type sm:Host ;
    rdf:type owl:Thing ;
    sm:contains demo1:Endpoint2 ;
    sm:contains demo1:ACME1 ;
    sm:hasImage demo1:OperatingSystem_1 .

% Process running on the Acme Website server
demo1:ACME1
    rdf:type sm:Process ;
    rdf:type owl:Thing ;
    sm:connectsTo demo1:Endpoint2 .

% NetworkEndpoint that the ACME1 process connectsTo
demo1:Endpoint2
    rdf:type sm:ListeningEndpoint ;
    rdf:type sm:NetworkEndpoint ;
    rdf:type owl:Thing ;
    sm:connectsTo demo1:MNE2 ;
    sm:hasResource sm:FileDescriptorPool_1 .

% Acme Website's MNE on the 4G Mobile Network
demo1:MNE2
    rdf:type sm:MNE ;
    rdf:type owl:Thing .

The MNE is plugged into a Mobile Network, and there is a network flow coming in over that network that is expressed at three distinct layers that are linked through the "via" property:

% 4G Mobile Network from Figure 6
demo1:MobileNetwork1
    rdf:type sm:WAN ;
    rdf:type owl:Thing ;
    sm:contains demo1:MNE1 ;  % Information Producer's MNE
    sm:contains demo1:MNE2 .  % Acme Website's MNE

% Process-layer data flow from IP1 to ACME1
demo1:pDataFlow1
    rdf:type sm:DataFlow ;
    rdf:type owl:Thing ;
    sm:destination demo1:ACME1 ;  % Process on Acme Website defined above
    sm:source demo1:IP1 ;         % Process on Information Publisher from Figure 6
    sm:via demo1:nDataFlow1 .

% Underlying network-layer data flow
demo1:nDataFlow1
    rdf:type sm:DataFlow ;
    rdf:type owl:Thing ;
    sm:destination demo1:Endpoint2 ;
    sm:source demo1:Endpoint1 ;
    sm:via demo1:gDataFlow1 .

% Underlying physical-layer data flow
demo1:gDataFlow1
    rdf:type sm:DataFlow ;
    rdf:type owl:Thing ;
    sm:destination demo1:MNE2 ;
    sm:source demo1:MNE1 .

An Internet Protocol address randomization (IP Hopping) defense is installed to cover the data flow between Endpoint1 (the Information Producer) and Endpoint2 (the Acme Website). The defense adds an additional data flow and processes for key synchronization. It also specifies necessary setup and configuration details and the incurred costs:

def:IPHopping1
    rdf:type def:Defense ;
    def:adds IPHop:DataFlow_pKeySharing ;
    def:adds IPHop:IPHoppingProcess_ACME ;
    def:adds IPHop:IPHoppingProcess_InfoProducer ;
    def:atCost IPHop:Cost_1 ;
    def:provides IPHop:Protection_1 ;
    def:requires IPHop:Setup_1 .

IPHop:Protection_1
    rdf:type def:Protection ;
    def:for demo1:Endpoint1 ;
    def:for demo1:Endpoint2 ;
    def:inSupportOf def:Confidentiality ;
    def:inSupportOf def:Discoverability ;
    def:through def:Randomization ;
    def:withSpecific IPHop:RandomizationDetail_1 .

IPHop:RandomizationDetail_1
    rdf:type def:RandomizationDetail ;
    def:disruptionLatency "5"^^xsd:float ;
    def:interval "10000"^^xsd:float ;
    def:space 6 .

IPHop:Setup_1
    rdf:type def:Setup ;
    def:includes demo1:Endpoint1 ;
    def:includes demo1:Endpoint2 .

IPHop:Cost_1
    rdf:type def:Cost ;
    def:impactOn IPHop:Latency_1 .

IPHop:Latency_1
    rdf:type def:MetricType ;
    def:forProperty def:Latency ;
    def:increase "0.3"^^xsd:float ;
    def:on demo1:nDataFlow1 .
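As described in the metrics model section, ASR evaluates such instance models through SPARQL queries invoked via the Jena API. As a rough illustration only, the sketch below mimics two such queries in plain Python over a handful of triples hand-copied from the listing above: following the sm:via links that connect a flow's three layers, and counting listening endpoints (the entry points behind the coverage-over-unknown-attacks submetric). The helper functions are hypothetical and are not part of ASR:

```python
# Illustrative sketch (not ASR code): simple queries over a toy triple store
# mirroring a few statements from the TURTLE instance model above.

TRIPLES = [
    ("demo1:pDataFlow1", "rdf:type", "sm:DataFlow"),
    ("demo1:pDataFlow1", "sm:via", "demo1:nDataFlow1"),
    ("demo1:nDataFlow1", "rdf:type", "sm:DataFlow"),
    ("demo1:nDataFlow1", "sm:via", "demo1:gDataFlow1"),
    ("demo1:gDataFlow1", "rdf:type", "sm:DataFlow"),
    ("demo1:Endpoint2", "rdf:type", "sm:ListeningEndpoint"),
]

def objects(subject, predicate):
    """All objects of triples matching (subject, predicate, ?o)."""
    return [o for s, p, o in TRIPLES if s == subject and p == predicate]

def flow_layers(flow):
    """Follow sm:via links from a flow down to the physical layer."""
    layers = [flow]
    while True:
        below = objects(layers[-1], "sm:via")
        if not below:
            return layers
        layers.append(below[0])

def listening_endpoints():
    """Entry points feed the 'coverage over unknown attacks' submetric."""
    return [s for s, p, o in TRIPLES
            if p == "rdf:type" and o == "sm:ListeningEndpoint"]

print(flow_layers("demo1:pDataFlow1"))
print(len(listening_endpoints()))
```

In the actual system, the same questions would be posed as SPARQL property-path and COUNT queries against the full OWL models rather than an in-memory list.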
Further details and content for the remaining models, including attack steps, adversary, metrics, and mission, are included in the appendix to this paper and available at https://ds.bbn.com/projects/asr.html.

B. Quantification Results

The first step in quantifying an attack surface is creating a configuration containing the five model types and the metrics:

C = (system, defense, attack, adversary, mission, metrics)

The purpose of this evaluation was to study the impact of varying the hopping interval of one particular IP Hopping defense between slow and fast. To achieve this, we created three separate configurations where the only variable was the defense, as follows:

1) Cbase = (sm1, ∅, as1, ap1, mi1, me1), where ∅ denotes the absence of a defense
2) Cdef1 = (sm1, IPHopSlow, as1, ap1, mi1, me1)
3) Cdef2 = (sm1, IPHopFast, as1, ap1, mi1, me1)

Analyzing these three configurations using the ASR reasoning algorithms [2] yields the results shown in Table VIII. As a reminder, these index metrics are computed as weighted sums of several terms, as shown in Figure 5.

TABLE VIII
RESULTS OF ANALYSIS PERFORMED ON CONFIGURATIONS

Config   ASI    ACI    AMI
Cbase    49.55  0      FAIL
Cdef1    51.03  15.0   FAIL
Cdef2    121.4  21.25  FAIL
Cmin     MAX    21.25  DEGRADED

Note that IPHopSlow in Cdef1 and IPHopFast in Cdef2 both add considerable cost compared to the base configuration, which contains no defense. This makes sense intuitively, since the latency penalty incurred by a defense with a shorter randomization interval (in this case, an IP Hopping defense that hops faster) is higher than the latency incurred by a defense with a longer randomization interval. The base configuration has no defenses deployed, so there is no latency penalty incurred and its ACI is therefore 0.

Also note that IPHopSlow in Cdef1 does not offer a significant security gain over the base configuration, whereas IPHopFast in Cdef2 doubles the ASI with respect to the base model. The intuition behind this gain lies in how ASR reasons about the probability of attack success. For this example, suppose an attack step requires from 1 to 4 seconds to be successful (the duration distribution is part of the attack model) and we have a defense that hops every 1 to 3 seconds (this information is in the defense ontology). If the defense hops before the attack finishes, then the defense wins; otherwise the attacker wins. Let us assume (for ease of computation) that both the attack step duration and the defense hopping interval are uniform random variables, which means that any number in the stated time range is equally likely; this will be captured in the sample data points. We also assume that these random variables are independent; intuitively, this means that the attacker cannot detect when a hop has occurred and launch the attack immediately after the hop (which would give the attacker an unfair advantage). For this example, the probability density function for the attack time needed is

  p_attackDuration(x) = 1/3 for all x with 1 ≤ x ≤ 4, and
  p_attackDuration(x) = 0 for all x with x > 4 or x < 1.

Similarly, for the defense we approximate

  p_defenseHoptime(y) = 1/2 for all y with 1 ≤ y ≤ 3, and
  p_defenseHoptime(y) = 0 for all y with y > 3 or y < 1.

Lastly, the probability that the defense wins is computed as

  Σ p_attackDuration(x) × p_defenseHoptime(y) over all x, y with x > y,

which equals 66.7%. Graphically, this is the normalized area to the right of the line y = x in Figure 7, which represents the probability that the defense hops faster than the attacker is able to successfully complete his attack.

Fig. 7. A graphical representation of probability reasoning in ASR. The x axis represents the randomization interval of the defense. The y axis represents the duration distribution of an attack step that the defense is protecting against.
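The 66.7% figure can be checked numerically. The sketch below (illustrative only, not ASR's reasoning code) computes the exact probability from the stated uniform densities and cross-checks it with a Monte Carlo estimate under the same independence assumption; the function names are our own:

```python
# Check of the worked example: attack duration X ~ U(1, 4), hop interval
# Y ~ U(1, 3), independent; the defense wins when Y < X.
import random

def p_defense_wins_exact():
    # P(Y < X) = integral of f_X(x) * P(Y < x) dx, with f_X = 1/3 on [1, 4],
    # and P(Y < x) = (x - 1)/2 for 1 <= x <= 3, then 1 for x >= 3.
    part_mid = (1.0 / 3.0) * 1.0  # integral over [1, 3] of (1/3)*(x-1)/2 dx
    part_top = (1.0 / 3.0) * 1.0  # integral over [3, 4] of (1/3)*1 dx
    return part_mid + part_top    # = 2/3 ≈ 66.7%

def p_defense_wins_mc(trials=200_000, seed=0):
    rng = random.Random(seed)
    # Draw a hop interval and an attack duration per trial; count defense wins.
    wins = sum(rng.uniform(1, 3) < rng.uniform(1, 4) for _ in range(trials))
    return wins / trials

print(round(p_defense_wins_exact(), 4))  # → 0.6667
```

The exact value 2/3 matches the 66.7% reported above, and the Monte Carlo estimate converges to it as the number of sample points grows.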
This is because, in addition to submetrics that are computed over the base ontological models and do not change between the two configurations (such as the number of entry and exit points), the ASI also takes into account the probabilistic vector impact, which consists of vector duration distributions and their estimated probability of success. Intuitively, it makes sense that an IP Hopping defense that hops more frequently would provide better protection against a comparable adversary, since the adversary would have less time to complete a successful attack and would therefore be less likely to succeed. Figure 7 gives a primer on how the probability of success of attack steps and vectors is computed using the underlying ontologies.

In addition to computing metrics, the ontologies are pivotal for another important innovation of ASR: its ability to semi-automatically minimize attack surfaces [2]. Minimization is supported through inspection and inference over all ontologies in a configuration. Two different modalities of attack surface minimization are supported:
• System minimization can find entities that are not used within a system model (for instance, an extraneous listening endpoint that no other endpoint connects to).
• Mission minimization, if a mission model is specified for a configuration, can find entities that are not defined to be mission-critical (e.g., an administrative interface that is only used for the initial configuration of the system and never used during a mission).

Using the ontological models comprising a configuration and these two minimization modalities, ASR identifies all entities that can be safely removed and presents them to the user for selection. The user can select any or all of these entities to remove, and can save the minimized configuration for further inspection and analysis. Because removed entities may connect to other entities within the ontologies (e.g., removing an unused endpoint may leave behind an unnecessary process and its containing host, if they are not used for any other purposes), a second round of minimization may be necessary to remove all extraneous entities. The fourth configuration, Cmin, in Table VIII is the fully minimized (i.e., with all extraneous and non-mission-critical entities removed) version of Cdef2. Since the minimized configuration no longer contains unnecessary entities (for instance, the Administrator host and associated processes, endpoints, and data flows), it has fewer entry points for an adversary to exploit and results in a higher security metric.

In all but the Cmin configuration, the Aggregate Mission Index (AMI) is "FAIL." This is because none of them completely eliminates the attack vectors that threaten mission-critical resources. Only after minimization are all vectors eliminated (thus the ASI score of "MAX"). The AMI is a single rating of mission health with respect to both security and cost, and a single failing score on any requirement results in a failing score for the AMI. After minimization, the AMI improves from the initial "FAIL" score (initially the mission fails because of violated security requirements on mission-critical flows) to a "DEGRADED" score (the mission now passes all security requirements, but is "DEGRADED" on cost requirements). Intuitively, we have removed the security vulnerabilities that threatened the mission by deploying a faster defense and minimizing the attack surface. However, the improvement is only partial (the mission's rating is still "DEGRADED," not "PASS") due to the increased latency penalties incurred on mission-critical flows by an IP Hopping defense that hops more frequently.

We evaluated the runtime of the analysis algorithm with randomly generated models in which the complexity of the models (i.e., the number of hosts and other system entities and the number of available attack steps) varies in a controlled way. The points on the graph are averages of 5 runs for the same complexity configurations. The analysis time was measured on a MacBook Pro with a 2.8 GHz Intel Core i7 and 16 GB of RAM.

Fig. 8. ASR analysis runtime over system models of varying complexity (analysis time in seconds versus number of hosts, from 100 to 500, for 3 and 6 available attack steps)

V. CONCLUSION

While it is common understanding that systems have attack surfaces and that those surfaces need to be minimized, the cyber security community has until now lacked a structured and generalizable approach for modeling attack surfaces and expressing associated security, cost, and mission impacts through concrete metrics. This paper presents ontologies including semantic models of attacks, systems, defenses, missions, and metrics, together with supporting algorithms that quantify and minimize attack surfaces. An application of the ontologies on a concrete information-sharing demonstration scenario is also presented.

Next steps include extending coverage of the defense models beyond MTDs to include more traditional defenses, e.g., firewalls, VPNs, and host- and network-intrusion prevention systems. Furthermore, we plan to generate system models of realistically sized systems, such as a model of the BBN network, which comprises hundreds of machines. Finally, we plan to improve the ontologies by including feedback provided by the cyber security research community.

REFERENCES

[1] M. Atighetchi, B. Simidchieva, M. Carvalho, and D. Last. Experimentation support for cyber security evaluations. In Proceedings of the 11th Annual Cyber and Information Security Research Conference, page 5. ACM, 2016.
[2] M. Atighetchi, B. Simidchieva, N. Soule, F. Yaman, J. Loyall, D. Last, D. Myers, and C. B. Flatley. Automatic quantification and minimization of attack surfaces. In The 27th Annual IEEE Software Technology Conference (STC), October 2015.
[3] N. Ben-Asher, A. Oltramari, R. F. Erbacher, and C. Gonzalez. Ontology-based adaptive systems of cyber defense. In STIDS, 2015.
[4] S. Fenz, T. Pruckner, and A. Manutscheri. Ontological mapping of information security best-practice guidelines. In Business Information Systems, pages 49–60. Springer, 2009.
[5] S. N. Foley and W. M. Fitzgerald. Management of security policy configuration using a semantic threat graph approach. Journal of Computer Security, 19(3):567–605, 2011.
[6] A. Herzog, N. Shahmehri, and C. Duma. An ontology of information security. International Journal of Information Security and Privacy (IJISP), 1(4):1–23, 2007.
[7] S. Jajodia, A. K. Ghosh, V. Swarup, C. Wang, and X. S. Wang. Moving target defense: Creating asymmetric uncertainty for cyber threats, volume 54. Springer Science & Business Media, 2011.
[8] L. Kohnfelder and P. Garg. The Threats To Our Products, Apr. 1999.
[9] M. Loeb. Cybersecurity talent: Worse than a skills shortage, it's a critical gap. The Hill, Apr. 2015.
[10] L. Obrst, P. Chase, and R. Markeloff. Developing an ontology of the cyber security domain. In STIDS, pages 49–56, 2012.
[11] H. Okhravi, M. Rabe, T. Mayberry, W. Leonard, T. Hobson, D. Bigelow, and W. Streilein. Survey of cyber moving targets. MIT Lincoln Laboratory, Technical Report MIT/LL-TR-1166, 2013.
[12] A. Oltramari, L. Cranor, R. Walls, and P. McDaniel. Building an ontology of cyber security. In 9th Conference on Semantic Technologies for Defense, Intelligence and Security. Citeseer, 2014.
[13] S. Ramanauskaitė, D. Olifer, N. Goranin, and A. Čenys. Security ontology for adaptive mapping of security standards. International Journal of Computers, Communications & Control (IJCCC), 8(6):813–825, 2013.
[14] A. Razzaq, Z. Anwar, H. F. Ahmad, K. Latif, and F. Munir. Ontology for attack detection: An intelligent approach to web application security. Computers & Security, 45:124–146, 2014.
[15] M. B. Salem and C. Wacek. Enabling new technologies for cyber security defense with the ICAS cyber security ontology. In STIDS, 2015.
[16] A. Shostack. Threat modeling: Designing for security. John Wiley & Sons, 2014.