Modelling Network Security Using Key-Challenge Petri-nets


Towards Modelling Information Security with Key-Challenge Petri Nets
Teijo Venäläinen
[email protected]
Contents
1. Introduction
2. Various modelling methods
3. Graph based modelling
4. Key-Challenge Petri Nets
Introduction
• Since 7/2006 in Information Technology Research Institute (ITRI), Agora, JYU
• Doctoral studies since 2009
• Goal is to find a method for measuring information security (IS)
• Modelling and Simulation (M&S)
Motivation for testing/modelling
• Testing a system in use is not a feasible option => damage
• Real system must be replicated (modelled) somehow
• Testing is done with the modelled system
• How accurately does the model represent the real system?
Resulting information
• For the whole system or a single component, the following results are interesting:
– Mean time between failure (against attacks)
– Success probability of attacks
– Damage (performance degradation, money, …)
– Attack route, i.e. how the attack progresses
– And more …
Testing methods
• There are different methods, which vary in [1]
– ”target audience”
– Human involvement during testing
– Detail level
• Role playing, ”Packet wars”, network design tools
• Mathematical modelling, state machines, graph based modelling
Role playing
• Scenario-based training exercises
• High abstraction level
• Test the strategic decision making process of personnel and organizations
• Computers not necessary, ”pencil & paper”
• Target audience: high level decision makers
• Does not provide technical IS information
”Packet wars”
• Real network with real users, or a dedicated test network in a laboratory
• Two teams: attackers and defenders
• Highly accurate method but costly
• Target audience: IS professionals
Network design tools
• Accurate modelling of networks and normal activities
• Attack modelling is limited => limited results
• No human involvement during testing, only simulation
• Target audience: IS professionals, network designers
Mathematical modelling, state machines, graph based models
• Also approximations of the real system
• Provide results faster through simulation
• Cheap
• Easily modifiable
Modelling & simulation
[Diagram: System description → Model → Simulation]
Graph based modelling
• Network attack is usually a series of interdependent actions leading to a goal (= breach in security)
• Actions are illustrated using nodes and arcs => an attack graph (AG)
• Assign conditions (e.g. probability) on traversing between nodes
• Usually attacker’s point of view
• Simulate by starting from a node and moving towards the goal node(s)
Attack tree
Source [2]
Challenges
• The system must be described at an adequate level of accuracy. Scalability with large networks?
• Valid input parameters (From where? How?)
• Usability
• Attacker’s and defender’s interaction (game theory?)
• Creating graphs is labor intensive => automatic tools
Petri Nets
• Place (input/output): holds tokens
• Arc: connects places and transitions
• Transition: lets token pass through if conditions are met
• Token: moves from place to place
Key-Challenge Petri Nets (KCPN)
• A modelling method under development
• Based on Petri-nets
• KCPN graph is created using network and vulnerability information
• Conditions for transitions = key-challenge
– challenge = security measure
– key = means to circumvent/break the security measure
KCPN: overview
• Hierarchical, i.e. modelling may be performed using various abstraction levels
• Modular structure
• Place = network device or attack action
• Arc = physical connection of devices or causal relation of attack actions
• Transition = challenge (security measure)
KCPN: simulation
• Attacker collects keys that allow him to progress in the graph
• Variables may be assigned for transitions
– Probability of being detected
– Duration of an attack action (time distribution)
– Cost, skill level, etc.
• It is possible to perform an attack action without the required keys but with a greater cost/duration
KCPN: results
• Simulation results include:
– Probability of success of an entire attack
– The most vulnerable attack path
– The duration of the entire attack
• Results may be used as input data within the model (simulate modules independently)
KCPN: example
• Two hierarchy levels:
– Topology level (physical world)
– Attack action level (abstract world)
• Multiple network devices lumped into a single node (Hosts)
• Devices with similar connections, OS, software, etc. => lumped together
KCPN: the physical network
KCPN: the graph
Sources
• [1] J. Saunders. Simulation Approaches in Information Security Education. Proceedings of the 6th National Colloquium for Information System Security Education, 2002.
• [2] Bruce Schneier. Attack Trees. SANS Network Security 1999. http://www.cs.utk.edu/~dunigan/cns06/attacktrees.pdf
Thank You!