  • On Attack/Defense Trees

    Patrick Schweitzer

    SaToSS, Faculty of Sciences, Communication and Technology

    University of Luxembourg

    November 17th 2009

    1/23

  • Outline

    1 Intuition and overview of existing approaches to model attacks

    2 Attack Trees

    3 The new approach to include defenses

    4 Future work

    2/23

  • Intuition and overview

    Intuition

    [Figure: mindmap rooted at "Get money (illegally)". Node labels: Get money from a bank; Rob a bank; Steal from ATM; Hack into computer system; Rob a store; Enter with a gun; Enter disguised; Enter at night; Go to loan shark.]

    3/23

  • Intuition and overview

    Guide to modeling attacks

    Intuitive start: A mindmap (a special graph)

    Problem: Complexity

    Solution: Computer support (requires formalism)

    Literature: Several approaches

    4/23

  • Intuition and overview

    Different approaches to modeling attacks

    Attack Trees: Essentially all information is contained in the leaves.

    Attack Graphs or Attack Nets: Finite automata that fulfill security properties; separation of data and processes

    Security Pattern Descriptions: Documents that describe in words the possible attacks on a system. They are very long exactly like this text which should never have been on the slide because nobody that listens to the talk reads that much text.

    . . .

    5/23

  • Attack Trees

    Attack Trees - the concept

    Attack: How to get free food?

    Free food
      Eat n run
        Order meal
        Sneak out
      Pretend to work at restaurant
        Ask Chef to prepare
        Salami attack
          Wait on customers
          Steal part of their food
          Sneak out

    Essentially a set of multisets, e.g.:

    {{{Order meal, sneak out}},
     {{Ask Chef to prepare}},
     {{Wait on customers, steal part of their food, sneak out}}}

    7/23

  • Attack Trees

    Properties of the existing model

    Important properties of Attack Trees

    Uses AND and OR nodes

    Simple normal form: trees of depth 1

    Attributes can be attached to the leaves: then the attribute can be calculated for the root

    Projection only works for some attributes (Projection = Restriction of an attribute)

    8/23
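
The normal form and the leaf-to-root attribute calculation from the two slides above, as an added example that is not part of the original talk. The AND/OR labels are inferred from the slide's set of multisets, and the leaf costs and function names are constructed for illustration.

```python
from collections import Counter
from itertools import product

# Leaf = str; inner node = (connector, [children]). AND/OR labels are an
# assumption inferred from the slide's set of multisets.
FREE_FOOD = ("OR", [
    ("AND", ["Order meal", "Sneak out"]),                      # Eat n run
    ("OR", [                                                   # Pretend to work at restaurant
        "Ask Chef to prepare",
        ("AND", ["Wait on customers",                          # Salami attack
                 "Steal part of their food", "Sneak out"]),
    ]),
])

# Constructed leaf attribute (attacker effort, arbitrary units).
COST = {"Order meal": 1, "Sneak out": 4, "Ask Chef to prepare": 6,
        "Wait on customers": 3, "Steal part of their food": 2}

def bundles(node):
    """Depth-1 normal form: the set of multisets of leaves that reach the root."""
    if isinstance(node, str):
        return {frozenset({(node, 1)})}
    connector, children = node
    parts = [bundles(child) for child in children]
    if connector == "OR":                 # any one child suffices
        return set().union(*parts)
    combined = set()                      # AND: one bundle from every child
    for choice in product(*parts):
        total = Counter()
        for bundle in choice:
            total.update(dict(bundle))    # multiset union adds multiplicities
        combined.add(frozenset(total.items()))
    return combined

def min_cost(node, cost):
    """Bottom-up attribute: OR takes the cheapest child, AND sums its children."""
    if isinstance(node, str):
        return cost[node]
    connector, children = node
    values = [min_cost(child, cost) for child in children]
    return min(values) if connector == "OR" else sum(values)

def min_cost_from_bundles(node, cost):
    """The same attribute read off the normal form."""
    return min(sum(cost[leaf] * n for leaf, n in b) for b in bundles(node))

if __name__ == "__main__":
    for b in sorted(bundles(FREE_FOOD), key=len):
        print(sorted(leaf for leaf, _ in b))
    print(min_cost(FREE_FOOD, COST), min_cost_from_bundles(FREE_FOOD, COST))
```

For a defender, the cheapest bundle is the path whose cost a countermeasure has to raise first.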

  • Attack Trees

    Including a defense in the framework

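    [Figure: the "Free food" attack tree (Eat n run: Order meal, Sneak out; Pretend to work at restaurant: Ask Chef to prepare, Salami attack: Wait on customers, Steal part of their food, Sneak out) with a "Policeman" node added in the Eat n run branch and in the Salami attack branch.]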

    9/23

  • Attack Trees

    Attack and Defense Trees

    Consider the Defense Tree law enforcement instead of a policeman.

    Consider the Attack Tree Mafia attached to law enforcement.

    and so on...

    New framework: Attack Tree - Defense Tree - Attack Tree - ...

    10/23

  • The new approach to include defenses

    The general idea: two functions describing the nodes

    Structure: rooted tree T = (V , E , r , , ) (non-empty, finite, directed, connected, acyclic, rooted)

    Type: : V {,,}

    Connector : V {, , , }

    (v) {,} = (w) {(v),} (1)

    (v) {,} and | Childrenv | > 1 (v) {, } (2)

    (v) {,} and | Childrenv | 1 (v) = (3)

    (v) = = (w) {f (v),} (4)

    (v) = = | Childrenv | = 1 (5)

    (v) = (v) = (6)

    v , w V and (v , w) E

    12/23

  • The new approach to include defe