![Page 1: Modeling Observability in Adaptive Systems to Defend Against Advanced Persistent Threats · 2020-05-25 · Modeling Observability in Adaptive Systems to Defend Against Advanced Persistent](https://reader031.vdocuments.us/reader031/viewer/2022011823/5ed45d053d3fa43c32615cba/html5/thumbnails/1.jpg)
Modeling Observability in Adaptive Systems to Defend Against
Advanced Persistent Threats
Cody Kinneer, Ryan Wagner, Fei Fang, Claire Le Goues, David Garlan
Security in Self-* Systems
Advanced Persistent Threats (APTs)
Tactics, Techniques and Procedures (TTPs)
APT Observability
• Multiple attacker types
  • Goals
  • Tactics, Techniques and Procedures (TTPs)
• Actions (both sides)
  • Defender faces a wait-or-evict dilemma
  • Attacker notices defensive measures and adapts to remain hidden
Observable Eviction Game
• One (or none) of several APT attackers present
• Defender suspects an attack, unsure of attacker identity
• Takes place over a finite number of timesteps
• Each side has knowledge of available actions and payoff structure
Extensive Form Game
Payoffs
• Attacker
  • Time in system
  • Suitability of TTP to goals
• Defender
  • Limit attacker utility
  • Minimize disruption to system
    • Different TTPs cause different disruption
    • Defensive measures cause varying disruption
Extensive Form Game
Solving the Game
Validation
• Does using the model result in improved utility compared to random?
• Can the OEG enable a robust defense for a range of threat landscapes?
• Is solving the OEG scalable to practically useful time horizons?
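As an added example (not from the paper or the authors' code), the following Python script builds a toy version of the Observable Eviction Game sketched above: two attacker types, a prior over them, a finite horizon, a defender who each timestep either waits (observing one TTP and updating its belief by Bayes' rule) or plays a type-specific eviction, and an attacker that goes quiet once a failed eviction tells it that it is being hunted. The defender's payoff follows the Payoffs slide: attacker dwell time, TTP-dependent disruption and countermeasure disruption. The attacker's behaviour is fixed rather than solved for in equilibrium, so this is a single-agent finite-horizon planning problem, not the paper's Bayesian Nash or Stackelberg solver; every parameter value (HORIZON, TTP, STEALTH, TTP_DISRUPTION, EVICT_COST, EVICT_SUCCESS, DWELL_COST) is a constructed assumption. It answers the first validation question in miniature by comparing the planned defender with a uniform-random one across priors.

```python
from functools import lru_cache

# Toy observable eviction game (constructed parameters; not the paper's numbers).
HORIZON = 6                                   # finite number of timesteps
OBS = ("a", "b")                              # observable TTPs
TTP = {1: {"a": 0.9, "b": 0.1},               # P(TTP | type) while the attacker feels unobserved
       2: {"a": 0.1, "b": 0.9}}
STEALTH = {"a": 0.5, "b": 0.5}                # after noticing the defender: uninformative TTPs
TTP_DISRUPTION = {"a": 0.05, "b": 0.10}       # disruption one timestep of each TTP causes
EVICT_COST = {1: 3.0, 2: 3.0}                 # disruption of each type-specific countermeasure
EVICT_SUCCESS = {1: 0.9, 2: 0.9}              # P(removal | countermeasure matches the type)
DWELL_COST = 1.0                              # defender's loss per timestep the attacker stays
ACTIONS = ("wait", "evict1", "evict2")


def obs_prob(o, b, stealthy):
    """P(observe TTP o) given belief b = P(type 1) and whether the attacker has gone quiet."""
    if stealthy:
        return STEALTH[o]
    return b * TTP[1][o] + (1.0 - b) * TTP[2][o]


def posterior(o, b, stealthy):
    """Bayes update of P(type 1) after observing TTP o."""
    if stealthy:
        return b                              # a quiet attacker reveals nothing
    return b * TTP[1][o] / obs_prob(o, b, stealthy)


def q_value(t, b, stealthy, action, value):
    """Expected defender utility of `action` at (t, b), continuing with value()."""
    if action == "wait":
        # attacker dwells one more timestep and reveals one TTP
        return sum(obs_prob(o, b, stealthy)
                   * (-DWELL_COST - TTP_DISRUPTION[o]
                      + value(t + 1, posterior(o, b, stealthy), stealthy))
                   for o in OBS)
    k = 1 if action == "evict1" else 2
    p_type = b if k == 1 else 1.0 - b
    p_fail = 1.0 - p_type * EVICT_SUCCESS[k]
    # on failure the attacker stays, now knows it is hunted (stealthy), and
    # the failure itself is evidence about its type
    b_fail = (b * (1.0 - EVICT_SUCCESS[1]) if k == 1 else b) / p_fail
    return -EVICT_COST[k] + p_fail * (-DWELL_COST + value(t + 1, b_fail, True))


def make_value(policy):
    """Value function V(t, b, stealthy) under optimal (max) or uniform-random (mean) play."""
    @lru_cache(maxsize=None)
    def value(t, b, stealthy):
        if t >= HORIZON:
            return 0.0                        # nothing beyond the horizon is counted
        qs = [q_value(t, b, stealthy, a, value) for a in ACTIONS]
        return max(qs) if policy == "optimal" else sum(qs) / len(qs)
    return value


def best_action(t, b, stealthy=False):
    """Defender's optimal move at timestep t with belief b."""
    value = make_value("optimal")
    return max(ACTIONS, key=lambda a: q_value(t, b, stealthy, a, value))


def compare_to_random(prior):
    """(optimal, random) expected defender utility at t = 0 for a prior P(type 1)."""
    return (make_value("optimal")(0, prior, False),
            make_value("random")(0, prior, False))


if __name__ == "__main__":
    for p in (0.0, 0.25, 0.5, 0.75, 1.0):
        opt, rnd = compare_to_random(p)
        print(f"prior={p:.2f}  first move={best_action(0, p):7s}  "
              f"optimal={opt:7.3f}  random={rnd:7.3f}")
```

With these numbers the defender evicts at once when the prior is confident and, at an even prior, pays one timestep of dwell to observe a TTP first; that is the wait-or-evict dilemma in its simplest form. The uniform-random defender is never better than the planned one, because at every state the planned value is a maximum over the same options whose average the random defender gets. The finite horizon matters: nothing after the last timestep is counted, so near the end waiting looks cheap relative to a costly countermeasure.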
Limitations and Future Work
• High level of abstraction
• Generalizability to real-world systems
• Refinement to provide automation for an APT testbed
• Abstract strategy reuse and refinement
Conclusion
• Security presents unique challenges to Self-* systems
• Observable Eviction Game
• Modeling observability as a first-class concern is a step towards secure self-* systems
Paper available at: http://acme.able.cs.cmu.edu/pubs/uploads/pdf/[email protected]
Backup Slides
Comparison to Random
Using the model results in improvement
[Figure: two panels, Stackelberg Equilibrium and Nash Equilibrium. x-axis: Prior Probability of Attacker Type 1 (0.0 to 0.6); y-axis: Defender's Utility (−1.5 to −1.2); lines: Defender Plays equilibrium vs. uniform random.]
NE Sensitivity Analysis
[Figure: Nash Equilibrium. x-axis: Action (11, 12, 21, 22, e1, e2, we1, we2, wp, ae1, ae2, ap); y-axis: Prior Probability of Attacker Type 1 (0.0 to 0.6); colour scale: Probability Played (0.00 to 1.00).]
[Figure: Stackelberg Equilibrium. x-axis: Action (11, 12, 21, 22, e1, e2, we1, we2, wp, ae1, ae2, ap); y-axis: Prior Probability of Attacker Type 1 (0.0 to 0.6); colour scale: Probability Played (0.00 to 1.00).]
Scalability Analysis
Stackelberg Scalable on Number of Timesteps
[Figure: x-axis: Number of Timesteps (0 to 25); y-axis: Time in Seconds (0 to 15); lines: Equilibrium = Nash vs. Stackelberg.]
Evaluate Design Alternatives
Utility Change with Honeypots
[Figure: two panels. Left: Optimal Number of Decoys (0 to 15) vs. Prior Probability of Attacker Type 1 (0.00 to 1.00). Right: Delta Defender's Utility (0.00 to 0.15) vs. Prior Probability of Attacker Type 1 (0.00 to 1.00). Lines: Equilibrium = nash vs. stackelberg.]
Strategy Change with Honeypots
Optimal Defense
• Bayesian Nash and Stackelberg equilibria
Strategy      w0e1 1   w0e2 1   e1 0   e2 0
Probability   0.68     0.00     0.00   0.32
The power of observability