<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <article-meta>
      <title-group>
        <article-title>Parametric Attack Graph Construction and Analysis</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Leanid Krautsevich</string-name>
          <email>krautsev@di.unipi.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Department of Computer Science, University of Pisa</institution>
          ,
          <addr-line>Largo Bruno Pontecorvo 3, 56127 Pisa</addr-line>
          ; and
          <institution>Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche</institution>
          ,
          <addr-line>Via G. Moruzzi 1, 56124 Pisa</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <pub-date>
        <year>2012</year>
      </pub-date>
      <volume>15</volume>
      <issue>2012</issue>
      <abstract>
        <p>We present the first steps towards an implementation of an attack graph construction and analysis technique based on inference rules. In our model, XML credentials describe basic attacks on the system, and inference rules allow the composition of new attacks. We aim at adapting a previously developed algorithm for the analysis of transitive trust models to the analysis of attack graphs. An important peculiarity of our model is the use of c-semirings for the evaluation of the system security level. C-semirings allow the same algorithms to be applied to the analysis of attack graphs regardless of which metric is selected for the evaluation.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>Analysing and improving the security of modern computer systems is a
challenging task because the systems are extremely complex and heterogeneous. Often
the analysis of security is based on attack graphs. Frequently, methods of
analysis are system and context specific and require manual adjustments.
Moreover, most of the methods provide their own basic metric as the result of the
analysis. We aim at creating a method that allows automated analysis of system
security and works with a wide range of security metrics without changing the core
algorithm. Using different metrics for the evaluation provides different
views on system security and allows a security administrator to judge better which
improvements to the security of a system are worthwhile.</p>
      <p>
        The essential elements of our method are basic attacks described as XML
credentials similar to RTML [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ]. Basic attacks form an attack graph whose
nodes represent sets of resources and whose edges represent the attacks. All
the edges are labelled with the costs of the attacks. We introduce three inference rules
that allow us to draw conclusions on the security of the system. The rules are
compatible with the rules presented for reasoning on transitive trust models. Thus, we can
adapt an earlier developed algorithm [
        <xref ref-type="bibr" rid="ref11 ref5">11,5</xref>
        ] to the analysis of attack graphs.
      </p>
      <p>We assume that the costs of attacks are the security metric used for the
evaluation of system security. We associate each security metric with a
c-semiring, an algebraic structure used for the analysis of weighted graphs,
e.g., for finding the shortest path in a graph. C-semirings allow us to design an
algorithm for the analysis of attack graphs that does not depend on the security
metric selected for the analysis of the system.</p>
      <sec id="sec-1-1">
        <title>Contributions</title>
        <p>The main contributions of the paper are the following:
– the method for the analysis of attack graphs is based on inference rules
similar to the ones used for the analysis of transitive trust models; thus, the
method may reuse, with small changes, the algorithm developed for the analysis
of transitive trust models;
– the method works regardless of the security metric selected for the evaluation,
owing to the use of the c-semiring algebraic structure.</p>
        <p>The rest of the paper is structured as follows. Section 2 describes an
application scenario and introduces the inference rules. Section 3 discusses the use
of XML for representing basic attacks and introduces XML-based rules for the
processing of attacks. Section 4 surveys the related work and Section 5 provides
the conclusion and future work.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>Application Scenario</title>
      <p>We consider a scenario where a security administrator evaluates
security on the basis of the resources available to an attacker. The features and
the notation of the model are: ATT = {a1, . . . , am} is the set of attacks on the system,
RES = {r1, . . . , rn} is the set of resources in the system, S = a1 . . . ak, with each ai ∈ ATT,
is an attack sequence, R is a set of resources available to the attacker, G is the set
of resources gained as the result of an attack, w is the cost of an attack, and W is the
cost of an attack sequence.</p>
      <p>There is a set of basic attacks that can be applied when the attacker has
an initial set of resources. The attacker obtains new resources by applying an
attack. In our model, resources are not consumed, and resources that cannot
be reached are not taken into account. We also consider the sequential
composition of attacks, i.e., the attacker can perform attacks one after another. Moreover,
all attacks have costs; thus, every reachable resource comes with a
corresponding cost. The attacker selects the attack with the best cost, e.g.,
the highest probability of success.</p>
      <p>
        We introduce two operators, ⊗ and ⊕, over some domain D of cost values,
where the former aggregates the costs of the attacks in a sequence and the
latter selects the attack with the better cost. For example, if ⊗ is × (multiplication),
⊕ is max, and the domain is D = [0, 1], then ⊕ selects the attack sequence with
the maximal probability of success. We extend this basic pair of operators to
couples (sequence, cost). Suppose there are attack sequences a1, a2 with costs w1, w2:
      </p>
      <disp-formula>
        <tex-math>(a_1, w_1) \otimes' (a_2, w_2) = (a_1 a_2,\; w_1 \otimes w_2)</tex-math>
      </disp-formula>
      <disp-formula>
        <tex-math>(a_1, w_1) \oplus' (a_2, w_2) = \begin{cases} (a_1, w_1) \text{ if } w_1 \oplus w_2 = w_1 \\ (a_2, w_2) \text{ if } w_1 \oplus w_2 = w_2 \end{cases}</tex-math>
      </disp-formula>
      <p>where a1a2 is the order-preserving concatenation of the two sequences.</p>
      <p>Now we are ready to present three inference rules that allow us to analyse
the above model.</p>
      <p>First, we consider a set of available resources, say RX. Starting from this
set of resources, an intruder can perform a basic attack that needs only a subset
Ri of these resources and then acquires new resources Gj. This is modelled by
the basic attack rule</p>
      <disp-formula id="eq1">
        <label>(1)</label>
        <tex-math>\frac{R_i \xrightarrow{(a_q,\, w_q)} R_j \qquad R_i \subseteq R_X}{R_X \xrightarrow{(a_q,\, w_q)} R_t}</tex-math>
      </disp-formula>
      <p>where Rj = Ri ∪ Gj and Rt = RX ∪ Gj.</p>
      <p>Then it is possible to compose several different basic attacks in a sequence;
this is done by the composite attack rule. It states that, starting from a
set of resources, by applying an attack the intruder gets new resources that serve
as the basic set for another attack. Thus, a sequence of attacks is built.</p>
      <disp-formula id="eq2">
        <label>(2)</label>
        <tex-math>\frac{R_i \xrightarrow{(a_q,\, w_q)} R_j \qquad R_j \xrightarrow{(a_p,\, w_p)} R_k}{R_i \xrightarrow{(a_q,\, w_q) \otimes' (a_p,\, w_p)} R_k}</tex-math>
      </disp-formula>
      <p>Finally, the attack selection rule selects, among two attacks with the same
source and target resource sets, the one with the better cost.</p>
      <disp-formula id="eq3">
        <label>(3)</label>
        <tex-math>\frac{R_i \xrightarrow{(a_q,\, w_q)} R_j \qquad R_i \xrightarrow{(a_p,\, w_p)} R_j}{R_i \xrightarrow{(a_q,\, w_q) \oplus' (a_p,\, w_p)} R_j}</tex-math>
      </disp-formula>
      <p>Rules 2 and 3 may be generalised to attack sequences by
using S and W instead of a and w.</p>
      <p>The analysis of a system works as follows. Starting from the initial set of
basic attacks, we build a graph whose nodes are sets of resources R and whose
arcs are labelled with attack costs. We apply the rules and consider
all the sequences leading from the initial set Ri to the state Ri ∪ Gk whose
cost is better than a given total cost W. The overall protection goal can be to prevent
the attacker from controlling the set of resources Ri ∪ Gk at a total cost better
than W.</p>
      <p>
        We propose to represent costs as a special algebraic structure, the c-semiring
(constraint semiring) [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ]:
      </p>
      <p>Definition 1. A c-semiring T is a tuple ⟨D, ⊕, ⊗, 0, 1⟩ where:
– D is a set of elements and 0, 1 ∈ D;
– ⊕ is an additive operator defined over the (possibly infinite) set of elements D;
for d1, d2, d3 ∈ D it is commutative (d1 ⊕ d2 = d2 ⊕ d1), associative
(d1 ⊕ (d2 ⊕ d3) = (d1 ⊕ d2) ⊕ d3) and idempotent (d1 ⊕ d1 = d1), and 0 is the unit
element of the additive operator (d1 ⊕ 0 = d1 = 0 ⊕ d1);
– ⊗ is a binary multiplicative operator; it is associative and commutative, 1
is its unit element (d1 ⊗ 1 = d1 = 1 ⊗ d1), and 0 is its absorbing element
(d1 ⊗ 0 = 0 = 0 ⊗ d1);
– ⊗ is distributive over the additive operator (d1 ⊗ (d2 ⊕ d3) = (d1 ⊗ d2) ⊕ (d1 ⊗ d3));
– ≤T is a partial order over the set D, which enables comparing different
elements of the semiring; it is defined through the additive operator:
d1 ≤T d2 (d2 is better than d1) iff d1 ⊕ d2 = d2, which is well defined because ⊕ is idempotent.</p>
      <p>For a security metric, we need to determine the domain of values D and the two
operators ⊕ and ⊗ that are then used for the analysis of an attack graph. An
example is the shortest attack path metric, with the c-semiring where ⊕ is min,
⊗ is summation, and the domain D is the set of natural numbers N extended with ∞
(∞ is the 0 element, being the unit of min, and 0 is the 1 element, being the unit of
summation). Other c-semirings may be defined for other metrics.</p>
    </sec>
    <sec id="sec-3">
      <title>Using XML Credentials to Represent and Reason on Attacks</title>
      <p>
        We use XML credentials to store the information about basic attacks. Basic
attacks are used to compute composite attack sequences. Composite attacks
are also represented by XML credentials and are used when necessary. XML
credentials allow us to apply a slightly modified version of the algorithm for
trust relationships in access control systems [
        <xref ref-type="bibr" rid="ref11 ref5">11,5</xref>
        ] to attack graphs. Thus,
we use two kinds of credential: one for modelling a basic attack b, and another
one for modelling a composite attack c, where the attacker is A.
      </p>
      <p>In the case of a basic attack, a is a sequence containing a single attack,
R is the minimal set of resources necessary to perform the attack, G is the set of gained
resources and w is the cost of the attack:</p>
      <disp-formula id="eq4">
        <label>(4)</label>
        <tex-math>A.b(a, R, G, w)</tex-math>
      </disp-formula>
      <p>In the case of a composite attack, S is a sequence of attacks, R represents the
initial set of resources, F is the final set of resources and W the cost of the attack
sequence S:</p>
      <disp-formula id="eq5">
        <label>(5)</label>
        <tex-math>A.c(S, R, F, W)</tex-math>
      </disp-formula>
      <p>The instantiations of Rules 1, 2 and 3 for XML credentials are the following.</p>
      <disp-formula id="eq6">
        <label>(6)</label>
        <tex-math>\frac{A.b(a, R, G, w) \qquad R \subseteq X}{A.c(a, X, X \cup G, w)}</tex-math>
      </disp-formula>
      <disp-formula id="eq7">
        <label>(7)</label>
        <tex-math>\frac{A.c(S_1, R_1, F_1, W_1) \qquad A.c(S_2, R_2, F_2, W_2) \qquad R_2 \subseteq F_1}{A.c(S_1 S_2, R_1, F_2, W_1 \otimes W_2)}</tex-math>
      </disp-formula>
      <disp-formula id="eq8">
        <label>(8)</label>
        <tex-math>\frac{A.c(S_1, R, F, W_1) \qquad A.c(S_2, R, F, W_2)}{A.c(S_1 \odot S_2, R, F, W_1 \oplus W_2)}</tex-math>
      </disp-formula>
      <p>
        where S1S2 is the concatenation of the two attack sequences and ⊙ denotes the selection
of the sequence with the better cost. We can now adapt the algorithm of [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] to the analysis
of attack graphs, since these rules are similar to the rules of [
        <xref ref-type="bibr" rid="ref11 ref5">5,11</xref>
        ] for reasoning on trust.
      </p>
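      <p>The following Python program is an added worked example; it is not code from the paper, nor from the RTML implementation of [5] that the authors plan to adapt. It ties Section 2 and this section together: a CSemiring record supplies ⊕, ⊗, 0 and 1; basic credentials b(a, R, G, w) are turned into composite credentials c(S, R, F, W) by direct implementations of rules (6), (7) and (8); and a fixed-point closure over the resource sets the attacker can reach returns the best attack on a target, together with the protection-goal check of Section 2. Everything not in the paper is an assumption of this example: the record and function names, the four basic attacks with their success probabilities, the thresholds, the representation of credentials as Python records instead of XML documents, and the check of the protection goal against any reached set that contains the target resources rather than only the exact set Ri ∪ Gk.</p>
      <preformat>
```python
"""Parametric attack-graph analysis over a c-semiring (added example, not the paper's code).
Assumptions of mine: resources and attack names are strings, credentials A.b / A.c are Python
records rather than XML, and the analysis is a fixed-point closure of rules (6), (7), (8)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple

Res = FrozenSet[str]


@dataclass(frozen=True)
class CSemiring:
    """(D, plus, times, zero, one): plus selects the better cost, times aggregates costs."""
    plus: Callable[[float, float], float]
    times: Callable[[float, float], float]
    zero: float   # unit of plus, absorbing for times: the worst cost
    one: float    # unit of times: the cost of the empty attack sequence

    def leq(self, d1: float, d2: float) -> bool:
        """d1 ≤_T d2 (d2 is at least as good), i.e. d1 ⊕ d2 = d2; needs ⊕ idempotent."""
        return self.plus(d1, d2) == d2


PROBABILITY = CSemiring(max, lambda a, b: a * b, 0.0, 1.0)           # ([0,1], max, ×, 0, 1)
SHORTEST_PATH = CSemiring(min, lambda a, b: a + b, float("inf"), 0)  # (N ∪ {∞}, min, +, ∞, 0)


@dataclass(frozen=True)
class Basic:
    """Basic attack credential A.b(a, R, G, w); the cost w is supplied per metric."""
    a: str
    R: Res
    G: Res


@dataclass(frozen=True)
class Composite:
    """Composite attack credential A.c(S, R, F, W)."""
    S: Tuple[str, ...]
    R: Res
    F: Res
    W: float


def rule6(b: Basic, X: Res, w: float) -> Optional[Composite]:
    """Basic attack rule (6): from b and R ⊆ X derive c(a, X, X ∪ G, w)."""
    return Composite((b.a,), X, X | b.G, w) if b.R.issubset(X) else None


def rule7(c1: Composite, c2: Composite, T: CSemiring) -> Optional[Composite]:
    """Composite attack rule (7): chain c1 and c2 when R2 ⊆ F1, with cost W1 ⊗ W2."""
    if not c2.R.issubset(c1.F):
        return None
    return Composite(c1.S + c2.S, c1.R, c2.F, T.times(c1.W, c2.W))


def rule8(c1: Composite, c2: Composite, T: CSemiring) -> Composite:
    """Attack selection rule (8): same R and F, keep the better cost under ⊕ (ties keep c1)."""
    assert c1.R == c2.R and c1.F == c2.F
    return c1 if T.plus(c1.W, c2.W) == c1.W else c2


def analyse(basics, initial: Res, T: CSemiring, w: Callable[[Basic], float]) -> Dict[Res, Composite]:
    """Best composite credential from `initial` to every reachable set of resources."""
    # Resources are never consumed, so each derived F is a superset of the set it was
    # reached from and self-loops never improve a cost: the closure terminates.
    best: Dict[Res, Composite] = {initial: Composite((), initial, initial, T.one)}
    changed = True
    while changed:
        changed = False
        for c in list(best.values()):
            for b in basics:
                step = rule6(b, c.F, w(b))                   # needs b.R ⊆ c.F
                cand = rule7(c, step, T) if step else None   # extend the sequence
                if cand is None:
                    continue
                chosen = rule8(best[cand.F], cand, T) if cand.F in best else cand
                if chosen != best.get(cand.F):
                    best[cand.F] = chosen
                    changed = True
    return best


def best_attack_on(best: Dict[Res, Composite], target: Res, T: CSemiring) -> Optional[Composite]:
    """Best credential whose final set F contains every target resource."""
    out = None
    for c in best.values():
        if target.issubset(c.F) and (out is None or T.plus(out.W, c.W) != out.W):
            out = c
    return out


def goal_violated(basics, initial: Res, target: Res, W: float,
                  T: CSemiring, w: Callable[[Basic], float]) -> bool:
    """True when the attacker can control `target` at a cost strictly better than W."""
    c = best_attack_on(analyse(basics, initial, T, w), target, T)
    return c is not None and T.leq(W, c.W) and c.W != W


# Constructed sample (not from the paper): four basic attacks on a small network.
P_SUCCESS = {"a1": 0.5, "a2": 0.5, "a3": 0.125, "a4": 0.75}
BASICS = (
    Basic("a1", frozenset({"net"}), frozenset({"web_shell"})),
    Basic("a2", frozenset({"web_shell"}), frozenset({"db_creds"})),
    Basic("a3", frozenset({"web_shell"}), frozenset({"db"})),
    Basic("a4", frozenset({"web_shell", "db_creds"}), frozenset({"db"})),
)
INITIAL, TARGET = frozenset({"net"}), frozenset({"db"})


def demo() -> Tuple[Optional[Composite], Optional[Composite]]:
    """Same basic attacks, same algorithm, two metrics: only the c-semiring changes."""
    by_prob = best_attack_on(analyse(BASICS, INITIAL, PROBABILITY, lambda b: P_SUCCESS[b.a]),
                             TARGET, PROBABILITY)
    by_len = best_attack_on(analyse(BASICS, INITIAL, SHORTEST_PATH, lambda b: 1),
                            TARGET, SHORTEST_PATH)
    return by_prob, by_len   # (a1, a2, a4) with 0.1875; (a1, a3) with length 2
```
      </preformat>
      <p>Running demo() on the constructed sample shows the parametricity the paper aims at: with the probability c-semiring the best attack on the database is a1 a2 a4 (success probability 0.1875), while with the shortest-path c-semiring it is a1 a3 (two steps), although the basic attacks and the closure are identical. The termination argument in analyse() relies on resources never being consumed and, for the two example semirings, on a cost never improving along a self-loop (d ⊗ w is never better than d); a metric whose ⊗ can improve a cost along a loop would need an explicit cycle check.</p>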
    </sec>
    <sec id="sec-5">
      <title>Related Work</title>
      <p>
        The attacker model we use in the paper could be seen as an attack graph
[
        <xref ref-type="bibr" rid="ref1 ref12 ref13 ref6">1,13,12,6</xref>
        ]. E.g., in [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ] a (constrained) graph model based on resource
acquisition by the attacker has been developed; the model keeps the local
knowledge of the attacker in the nodes during the attack-path analysis (also for the
selection of countermeasures).
      </p>
      <p>
        Different security metrics are used for analysis of attack graphs: probability
of successful attack [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ], minimal cost of attack [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ], minimal cost of reduction
[
        <xref ref-type="bibr" rid="ref16">16</xref>
        ], shortest path [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]. Some of these metrics can be seen as specific instances
of c-semirings and are thus also suitable for analysis with our approach. On the other
hand, our approach is parametric and can also use other metrics for the analysis.
      </p>
      <p>
        Krautsevich et al., [
        <xref ref-type="bibr" rid="ref7">7</xref>
        ] formally modelled and defined several security metrics
that measure the security of a system out of context. The metrics were analysed in
order to check whether some of them provide the same evaluation. The next step in
this study was establishing relations between these metrics and risk [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ]. Each
metric was studied separately, whereas our current work is more generic.
      </p>
      <p>
        To our knowledge, there have been several attempts at applying semirings in the
security area [
        <xref ref-type="bibr" rid="ref2 ref3">2,3</xref>
        ]. The authors used semirings for the analysis of integrity policies,
cryptographic protocols, and computation of trust levels through trust chains.
Krautsevich et al., [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] applied semirings to the security analysis of process-like
structures describing web services. In this work, we provide a wider range of
application of semirings to security analysis.
      </p>
    </sec>
    <sec id="sec-6">
      <title>Conclusion</title>
      <p>We used XML credentials to describe basic attacks and proposed inference rules
for the composition and selection of attacks. C-semirings allow us to make the
method independent of the security metric selected for the evaluation.
Finally, we worked towards the adaptation of an existing algorithm for reasoning on
transitive trust to the analysis of parametric attack graphs.</p>
      <p>
        As future work, we would like, first, to introduce the modified algorithm for
the analysis of attack graphs. Second, we would like to extend our approach to
other models of attack graphs, e.g., privilege graphs. Moreover, we would like
to implement our method as a software prototype and analyse the
properties of the method, e.g., its performance. For the implementation, we plan to
minimally modify the code of the algorithm for the evaluation of RTML credentials with
semirings developed in [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ].
      </p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          1.
          <string-name>
            <given-names>F.</given-names>
            <surname>Baiardi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Ricci</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C.</given-names>
            <surname>Telmon</surname>
          </string-name>
          .
          <article-title>Constrained automata: a formal tool for risk assessment and mitigation</article-title>
          .
          <source>Journal of Information Assurance and Security</source>
          ,
          <volume>3</volume>
          :
          <fpage>304</fpage>
          -
          <lpage>312</lpage>
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          2.
          <string-name>
            <given-names>G.</given-names>
            <surname>Bella</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Bistarelli</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S. N.</given-names>
            <surname>Foley</surname>
          </string-name>
          .
          <article-title>Soft constraints for security</article-title>
          .
          <source>In Proceedings of the First International Workshop on Views on Designing Complex Architectures (VODCA '04)</source>
          , volume
          <volume>142</volume>
          of Electronic Notes in Theoretical Computer Science, pages
          <fpage>11</fpage>
          -
          <lpage>29</lpage>
          . Elsevier,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          3.
          <string-name>
            <given-names>S.</given-names>
            <surname>Bistarelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          , and
          <string-name>
            <given-names>F.</given-names>
            <surname>Santini</surname>
          </string-name>
          .
          <article-title>A semantic foundation for trust management languages with weights: An application to the rt family</article-title>
          .
          <source>In Proceedings of the 5th international conference on Autonomic and Trusted Computing, ATC '08</source>
          , pages
          <fpage>481</fpage>
          -
          <lpage>495</lpage>
          , Berlin, Heidelberg,
          <year>2008</year>
          . Springer-Verlag.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          4.
          <string-name>
            <given-names>S.</given-names>
            <surname>Bistarelli</surname>
          </string-name>
          ,
          <string-name>
            <given-names>U.</given-names>
            <surname>Montanari</surname>
          </string-name>
          , and
          <string-name>
            <given-names>F.</given-names>
            <surname>Rossi</surname>
          </string-name>
          .
          <article-title>Semiring-based constraint satisfaction and optimization</article-title>
          .
          <source>J. ACM</source>
          ,
          <volume>44</volume>
          (
          <issue>2</issue>
          ):
          <fpage>201</fpage>
          -
          <lpage>236</lpage>
          ,
          <year>March 1997</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          5.
          <string-name>
            <given-names>D.</given-names>
            <surname>Fais</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Colombo</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Lazouski</surname>
          </string-name>
          .
          <article-title>An implementation of role-base trust management extended with weights on mobile devices</article-title>
          .
          <source>In Proceedings of the 4th International Workshop on Security and Trust Management</source>
          , volume
          <volume>244</volume>
          of Electronic Notes in Theoretical Computer Science, pages
          <fpage>53</fpage>
          -
          <lpage>65</lpage>
          . Elsevier,
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          6.
          <string-name>
            <given-names>S.</given-names>
            <surname>Jha</surname>
          </string-name>
          ,
          <string-name>
            <given-names>O.</given-names>
            <surname>Sheyner</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J. M.</given-names>
            <surname>Wing</surname>
          </string-name>
          .
          <article-title>Minimization and reliability analyses of attack graphs</article-title>
          .
          <source>Technical Report CMU-CS-02-109</source>
          , Carnegie Mellon University,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          7.
          <string-name>
            <given-names>L.</given-names>
            <surname>Krautsevich</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Yautsiukhin</surname>
          </string-name>
          .
          <article-title>Formal approach to security metrics. what does “more secure” mean for you?</article-title>
          <source>In Proceedings of the 1st International Workshop on Measurability of Security in Software Architectures</source>
          ,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          8.
          <string-name>
            <given-names>L.</given-names>
            <surname>Krautsevich</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Yautsiukhin</surname>
          </string-name>
          .
          <article-title>Formal analysis of security metrics and risk</article-title>
          .
          <source>In Proceedings of the IFIP Workshop on Information Security Theory and Practice</source>
          , volume
          <volume>6633</volume>
          , pages
          <fpage>304</fpage>
          -
          <lpage>319</lpage>
          .
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          9.
          <string-name>
            <given-names>L.</given-names>
            <surname>Krautsevich</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Yautsiukhin</surname>
          </string-name>
          .
          <article-title>A general method for assessment of security in complex services</article-title>
          .
          <source>In Proceedings of 4th European Conference ServiceWave</source>
          . Springer,
          <year>2011</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          10.
          <string-name>
            <given-names>N.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. C.</given-names>
            <surname>Mitchell</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Qiu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W. H.</given-names>
            <surname>Winsborough</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K. E.</given-names>
            <surname>Seamons</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Halcrow</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Jacobson</surname>
          </string-name>
          .
          <article-title>RTML: A role-based trust-management markup language</article-title>
          .
          <source>Technical report</source>
          , Purdue University,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          11.
          <string-name>
            <given-names>F.</given-names>
            <surname>Martinelli</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Petrocchi</surname>
          </string-name>
          .
          <article-title>On relating and integrating two trust management frameworks</article-title>
          .
          <source>In Proceedings of the Second International Workshop on Views on Designing Complex Architectures (VODCA '06)</source>
          , volume
          <volume>168</volume>
          of Electronic Notes in Theoretical Computer Science, pages
          <fpage>191</fpage>
          -
          <lpage>205</lpage>
          . Elsevier,
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          12.
          <string-name>
            <given-names>S.</given-names>
            <surname>Noel</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Jajodia</surname>
          </string-name>
          .
          <article-title>Managing attack graph complexity through visual hierarchical aggregation</article-title>
          .
          <source>In Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC '04)</source>
          , pages
          <fpage>109</fpage>
          -
          <lpage>118</lpage>
          , New York, NY, USA,
          <year>2004</year>
          . ACM Press.
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          13.
          <string-name>
            <given-names>R.</given-names>
            <surname>Ortalo</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Deswarte</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Kaaniche</surname>
          </string-name>
          .
          <article-title>Experimenting with quantitative evaluation tools for monitoring operational security</article-title>
          .
          <source>IEEE Transactions on Software Engineering</source>
          ,
          <volume>25</volume>
          (
          <issue>5</issue>
          ):
          <fpage>633</fpage>
          -
          <lpage>650</lpage>
          ,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          14.
          <string-name>
            <given-names>J.</given-names>
            <surname>Pamula</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Jajodia</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Ammann</surname>
          </string-name>
          , and
          <string-name>
            <given-names>V.</given-names>
            <surname>Swarup</surname>
          </string-name>
          .
          <article-title>A weakest-adversary security metric for network configuration security analysis</article-title>
          .
          <source>In QoP '06: Proceedings of the 2nd ACM workshop on Quality of protection</source>
          , pages
          <fpage>31</fpage>
          -
          <lpage>38</lpage>
          . ACM Press,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          15.
          <string-name>
            <given-names>L.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Islam</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Long</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Singhal</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Jajodia</surname>
          </string-name>
          .
          <article-title>An attack graph-based probabilistic security metric</article-title>
          .
          <source>In Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security</source>
          , pages
          <fpage>283</fpage>
          -
          <lpage>296</lpage>
          , Berlin, Heidelberg,
          <year>2008</year>
          . Springer-Verlag.
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          16.
          <string-name>
            <given-names>L.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Noel</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Jajodia</surname>
          </string-name>
          .
          <article-title>Minimum-cost network hardening using attack graphs</article-title>
          .
          <source>Journal Computer Communications</source>
          ,
          <volume>29</volume>
          (
          <issue>18</issue>
          ):
          <fpage>3812</fpage>
          -
          <lpage>3824</lpage>
          ,
          <year>2006</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>