Visualization and Natural Language Representation of Simulated Cyber Attacks

Mao, Xinyue

January 2018

The attack path is an effective tool for showing possible hacking routestaken by an attacker to target a specific computer network. It also informsadministrators about potential weakness in a network helpingthem roll-out network configuration changes. Based on predefinedcomputing methods, a large number of attack paths can be generated.However, attack paths show all possible routes for each calculationand represent them with terminologies specific to the cybersecurityfield. A major portion of attack routes and representations aretoo complicated for normal users, making it difficult to identify theparts they should pay more attention to. In this thesis project, a frameworkfor generating a concise and user-friendly attack path throughgrouping continuous attack steps is described. The framework is designedwith 6 levels of hierarchical abstraction. Top 3 levels of theseabstractions are classified based on the predefined structure of the softwareand named Structural Division. The other 3 lower levels areclassified based on semantics involving a taxonomy for natural languagerepresentation called SCV (Security Community Vocabulary),named semantics division. This visualization method is released aspart of securiCADR , a cybersecurity product released by Foreseeti,which provides a concise and understandable interaction by aggregatingoriginal attack steps according to different requirements of customers. / Anfallsstigen är ett effektivt verktyg för att visa möjliga hackningsvägarsom en angripare tar emot ett specifikt datornätverk. Det informerarockså administratörer om eventuell svaghet i ett nätverk somhjälper dem att utrulla nätverkskonfigurationsändringar. Baserat påfördefinierade datormetoder kan ett stort antal attackvägar genereras.Åtkomstvägar visar dock alla möjliga vägar för varje beräkning och representerardem med terminologier som är specifika för fältet Cybersecurity.En stor del av attackvägar och representationer är för kompliceradeför vanliga användare vilket gör det svårt att identifiera de delarsom de borde ägna mer uppmärksamhet åt. I denna avhandlingsrapportbeskrivs ett ramverk för att generera en kortfattad och användarvänligattackväg genom att gruppera kontinuerliga angreppssteg.Ramverket är utformat med 6 nivåer av hierarkisk abstraktion. Topp3 nivåer av dessa abstraktioner klassificeras baserat på den fördefinieradestrukturen av mjukvaran och namngiven strukturell uppdelning.De övriga 3 lägre nivåerna klassificeras baserat på semantik meden taxonomi för naturlig språkrepresentation som heter SCV (SecurityCommunity Vocabulary), namngiven semantikavdelning. Denna visualiseringsmetodsläpps som en del av securiCADR en cybersecurityproduktsom släpptes av Foreseeti, vilket ger en kortfattad och förståeliginteraktion genom att aggregera ursprungliga attacksteg enligtolika kunders krav.

attack path visualization

taxonomy for attack graph

natural language representation

attackvägsvisualisering

taxonomi för attackgraf

naturlig språkrepresentation

Engineering and Technology

Teknik och teknologier

Attack graph approach to dynamic network vulnerability analysis and countermeasures

Hamid, Thaier K. A.

January 2014

It is widely accepted that modern computer networks (often presented as a heterogeneous collection of functioning organisations, applications, software, and hardware) contain vulnerabilities. This research proposes a new methodology to compute a dynamic severity cost for each state. Here a state refers to the behaviour of a system during an attack; an example of a state is where an attacker could influence the information on an application to alter the credentials. This is performed by utilising a modified variant of the Common Vulnerability Scoring System (CVSS), referred to as a Dynamic Vulnerability Scoring System (DVSS). This calculates scores of intrinsic, time-based, and ecological metrics by combining related sub-scores and modelling the problem’s parameters into a mathematical framework to develop a unique severity cost. The individual static nature of CVSS affects the scoring value, so the author has adapted a novel model to produce a DVSS metric that is more precise and efficient. In this approach, different parameters are used to compute the final scores determined from a number of parameters including network architecture, device setting, and the impact of vulnerability interactions. An attack graph (AG) is a security model representing the chains of vulnerability exploits in a network. A number of researchers have acknowledged the attack graph visual complexity and a lack of in-depth understanding. Current attack graph tools are constrained to only limited attributes or even rely on hand-generated input. The automatic formation of vulnerability information has been troublesome and vulnerability descriptions are frequently created by hand, or based on limited data. The network architectures and configurations along with the interactions between the individual vulnerabilities are considered in the method of computing the Cost using the DVSS and a dynamic cost-centric framework. A new methodology was built up to present an attack graph with a dynamic cost metric based on DVSS and also a novel methodology to estimate and represent the cost-centric approach for each host’ states was followed out. A framework is carried out on a test network, using the Nessus scanner to detect known vulnerabilities, implement these results and to build and represent the dynamic cost centric attack graph using ranking algorithms (in a standardised fashion to Mehta et al. 2006 and Kijsanayothin, 2010). However, instead of using vulnerabilities for each host, a CostRank Markov Model has developed utilising a novel cost-centric approach, thereby reducing the complexity in the attack graph and reducing the problem of visibility. An analogous parallel algorithm is developed to implement CostRank. The reason for developing a parallel CostRank Algorithm is to expedite the states ranking calculations for the increasing number of hosts and/or vulnerabilities. In the same way, the author intends to secure large scale networks that require fast and reliable computing to calculate the ranking of enormous graphs with thousands of vertices (states) and millions of arcs (representing an action to move from one state to another). In this proposed approach, the focus on a parallel CostRank computational architecture to appraise the enhancement in CostRank calculations and scalability of of the algorithm. In particular, a partitioning of input data, graph files and ranking vectors with a load balancing technique can enhance the performance and scalability of CostRank computations in parallel. A practical model of analogous CostRank parallel calculation is undertaken, resulting in a substantial decrease in calculations communication levels and in iteration time. The results are presented in an analytical approach in terms of scalability, efficiency, memory usage, speed up and input/output rates. Finally, a countermeasures model is developed to protect against network attacks by using a Dynamic Countermeasures Attack Tree (DCAT). The following scheme is used to build DCAT tree (i) using scalable parallel CostRank Algorithm to determine the critical asset, that system administrators need to protect; (ii) Track the Nessus scanner to determine the vulnerabilities associated with the asset using the dynamic cost centric framework and DVSS; (iii) Check out all published mitigations for all vulnerabilities. (iv) Assess how well the security solution mitigates those risks; (v) Assess DCAT algorithm in terms of effective security cost, probability and cost/benefit analysis to reduce the total impact of a specific vulnerability.

005.8

Quantitative risk assessment under multi-context environments

Zhang, Su

January 1900

Doctor of Philosophy / Department of Computing and Information Sciences / Xinming Ou / If you cannot measure it, you cannot improve it. Quantifying security with metrics is important not only because we want to have a scoring system to track our efforts in hardening cyber environments, but also because current labor resources cannot administrate the exponentially enlarged network without a feasible risk prioritization methodology. Unlike height, weight or temperature, risk from vulnerabilities is sophisticated to assess and the assessment is heavily context-dependent. Existing vulnerability assessment methodologies (e.g. CVSS scoring system, etc) mainly focus on the evaluation over intrinsic risk of individual vulnerabilities without taking their contexts into consideration. Vulnerability assessment over network usually output one aggregated metric indicating the security level of each host. However, none of these work captures the severity change of each individual vulnerabilities under different contexts. I have captured a number of such contexts for vulnerability assessment. For example, the correlation of vulnerabilities belonging to the same application should be considered while aggregating their risk scores. At system level, a vulnerability detected on a highly depended library code should be assigned with a higher risk metric than a vulnerability on a rarely used client side application, even when the two have the same intrinsic risk. Similarly at cloud environment, vulnerabilities with higher prevalences deserve more attention. Besides, zero-day vulnerabilities are largely utilized by attackers therefore should not be ignored while assessing the risks. Historical vulnerability information at application level can be used to predict underground risks. To assess vulnerability with a higher accuracy, feasibility, scalability and efficiency, I developed a systematic vulnerability assessment approach under each of these contexts. ​

Vulnerability assessment

Quantitative risk assessment

Cloud computing security

Zero-day vulnerability assessment

Software dependency risk assessment

Network security (attack graph)

Computer Science (0984)

Software-defined Situation-aware Cloud Security

January 2020

abstract: The use of reactive security mechanisms in enterprise networks can, at times, provide an asymmetric advantage to the attacker. Similarly, the use of a proactive security mechanism like Moving Target Defense (MTD), if performed without analyzing the effects of security countermeasures, can lead to security policy and service level agreement violations. In this thesis, I explore the research questions 1) how to model attacker-defender interactions for multi-stage attacks? 2) how to efficiently deploy proactive (MTD) security countermeasures in a software-defined environment for single and multi-stage attacks? 3) how to verify the effects of security and management policies on the network and take corrective actions? I propose a Software-defined Situation-aware Cloud Security framework, that, 1) analyzes the attacker-defender interactions using an Software-defined Networking (SDN) based scalable attack graph. This research investigates Advanced Persistent Threat (APT) attacks using a scalable attack graph. The framework utilizes a parallel graph partitioning algorithm to generate an attack graph quickly and efficiently. 2) models single-stage and multi-stage attacks (APTs) using the game-theoretic model and provides SDN-based MTD countermeasures. I propose a Markov Game for modeling multi-stage attacks. 3) introduces a multi-stage policy conflict checking framework at the SDN network's application plane. I present INTPOL, a new intent-driven security policy enforcement solution. INTPOL provides a unified language and INTPOL grammar that abstracts the network administrator from the underlying network controller's lexical rules. INTPOL develops a bounded formal model for network service compliance checking, which significantly reduces the number of countermeasures that needs to be deployed. Once the application-layer policy conflicts are resolved, I utilize an Object-Oriented Policy Conflict checking (OOPC) framework that identifies and resolves rule-order dependencies and conflicts between security policies. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2020

Computer science

Advanced Persistent Threat (APT)

Attack Graph

Bounded Model Checking

Markov Game

Moving Target Defense (MTD)

Software-defined Networking (SDN)

Using machine learning to visualize and analyze attack graphs

Cottineau, Antoine

January 2021

In recent years, the security of many corporate networks have been compromised by hackers who managed to obtain important information by leveraging the vulnerabilities of those networks. Such attacks can have a strong economic impact and affect the image of the entity whose network has been attacked. Various tools are used by network security analysts to study and improve the security of networks. Attack graphs are among these tools. Attack graphs are graphs that show all the possible chains of exploits an attacker could follow to access an important host on a network. While attack graphs are useful for network security, they may become hard to read because of their size when networks become larger. Previous work tried to deal with this issue by applying simplification algorithms on graphs. Experience shows that even if these algorithms can help improve the visualization of attack graphs, we believe that improvements can be made, especially by relying on Machin Learning (ML) algorithms. Thus, the goal of this thesis is to investigate how ML can help improve the visualization of attack graphs and the security analysis of networks based on their attack graph. To reach this goal, we focus on two main areas. First we used graph clustering which is the process of creating a partition of the nodes based on their position in the graph. This improves visualization by allowing network analysts to focus on a set of related nodes instead of visualizing the whole graph. We also design several metrics for security analysis based on attack graphs. We show that the ML algorithms in both areas. The ML clustering algorithms even produce better clusters than non-ML algorithms with respect to the coverage metric, at the cost of computation time. Moreover, the ML security evaluation algorithms show faster computation times on dense attack graphs than the non-ML baseline, while producing similar results. Finally, a user interface that permits the application of the methods presented   in the thesis is also developed, with the goal of making the use of such methods easier by network analysts. / Under de senaste åren har säkerheten för många företagsnätverk äventyrats av hackare som lyckats få fram viktig information genom att utnyttja sårbarheterna i dessa nätverk. Sådana attacker kan ha en stark ekonomisk inverkan och påverka bilden av den enhet vars nätverk har angripits. Olika verktyg användes av nätverkssäkerhetsanalytiker för att studera och förbättra säkerheten i nätverken. Attackgrafer ät bland dessa verktyg. Attackgrafer är diagram som visar alla möjliga kedjor av utnyttjande en angripare kan följa för att komma åt en viktig värd i ett nätverk. Även om attackgrafer är användbara för nätverkssäkerhet, kan de bli svåra att läsa på grund av deras storlek när nätverk blir större. Tidigare arbete försökte hantera detta problem genom att tillämpa förenklingsalgoritmer på grafer. Erfarenheten visar att även om dessa algoritmer kan hjälpa till att förbättra visualiseringen av attackgrafer tror vi att förbättringar kan göras, särskilt genom att förlita sig på Machine Learning  (ML) algoritmer. Således är målet med denna avhandling att undersöka hur ML kan hjälpa till att förbättra visualiseringen av attackgrafer och säkerhetsanalys av nätverk baserat på deras attackgraf. För att nå detta mål fokuserar vi på två huvudområden. Först använder vi grafklustering som är processen för att skapa en partition av noderna baserat på deras position i grafen. Detta förbättrar visualiseringen genom att låta nätverksanalytiker fokusera på en uppsättning relaterade noder istället för att visualisera hela grafen. Vi utformar också flera mätvärden för säkerhetsanalys baserat på attackgrafer. Vi visar att ML-algoritmerna är lika effektiva som icke-LM-algoritmer inom båda områdena. Klusteringsalgoritmerna ML producerar till och med bättre kluster än icke-ML-algoritmer med avseende på täckningsvärdet, till kostnaden för beräkningstid. Dessutom visar ML säkerhetsutvärderingsalgoritmerna snabbare beräkningstider på täta attackgrafer än icke-ML baslinjen, samtidigt som de ger liknande resultat. Slutligen utvecklas också ett användargränssnitt som tillåter tillämpning av metoderna som presenteras i avhandlingen, med målet att göra användningen av sådana metoder enklare för nätverksanalytiker.

Attack graph

Graph visualization

Graph clustering

Network security

Node embedding

Attackgraf

grafvisualisering

grafklustering

nätverkssäkerhet

inbäddning av noder

Computer and Information Sciences

Data- och informationsvetenskap

SCLEX-Lang : A Threat Modeling Language for Substation Automation Systems

Sun, Luyi

January 2020

Power systems in the industry today are adopting automated substations because of a growing trend of digitization. Substation automation has greatly reduced intervention from human as well as operation and maintenance costs. Although it has brought benefits, new challenges arise regarding security vulnerabilities, which can be opportunities for attackers to damage whole systems and eavesdrop communication. To keep the automated substations secure and free from attackers, threat modeling is one of the alternative methods that can be used to do attack simulation and assess the security of systems. KTH has developed Meta Attack Language, a framework for constructing domain specific languages in which threat models can be produced, based on which attack graphs will be created and attacks can be simulated. It is a framework for developers that eases them to generate attack graphs with new languages. Meta Attack Language has been applied to various of domains by now, such as In-vehicle Network and Amazon Web Services. This thesis is carried out in ABB, extending the previous work of SCLLang and ABB’s existing security assessment tool, and doing threat modeling specifically for substation automation. The final threat model is used to assess the security of products in ABB, which will also serve as a basis for further extension for the company. / Energisystemen i industrin i dag antar automatiserade transformatorstationer på grund av en växande tendens till digitalisering. Automatisering av transformatorstationer har väldigt minskat interventionen från såväl mänskliga som drifts-och underhållskostnader. Även om det har medfört fördelar uppstår nya utmaningar när det gäller säkerhetsmässiga sårbarheter, vilket kan ge möjligheter för angripare att fördärva hela system och tjuvlyssna kommunikation. För att hålla de automatiserade transformatorstationerna säkra och fria från angripare är hotmodell en av de alternativa metoder som kan användas för att utföra attacksimulering och bedöma systemens säkerhet. KTH har utvecklat Meta Attack Language, en ram för att konstruera domänspecifika språk där hotmodeller kan framställas, på grund av vilka attackgraf kommer att skapas och angrepp kan simuleras. Det är en ram för utvecklare som underlättar för dem att skapa attackgraf med nya språk. Meta Attack Language har tillämpats på olika dömäner vid det här laget, såsom fordons-IT och Amazon Web Services. Avhandlingen genomförs hos ABB, som utvidgar SCLLang och ABB:s tidigare arbete med det befintliga säkerhetsbedömningsverktyget, och gör hotmodeller särskilt för automatisering av transformatorstationer. Den sista hotmodellen används för att bedöma säkerheten av produkter hos ABB, som också kommer att tjäna som grund för ytterligare utvidgning av företaget.

Meta Attack Language

Automated Substation

Threat Modeling

Attack Graph

Security

Meta Attack Language

automatiserad transformatorstation

hotmodell

attackgraf

säkerhet

Computer and Information Sciences

Data- och informationsvetenskap

Attack Modeling and Risk Assessments in Software Defined networking (SDN)

Frankeline, Tanyi

January 2019

Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers that is, the application layer which is made up of SDN applications, the control layer which is made up of the controller and the data plane layer which is made up of switches. However, the exits different types of SDN architectures some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs such as Restful and OpenFlow APIs do not implement security mechanisms like data encryption and authentication thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. After which these vulnerabilities are defined as predicates or facts and rules, a framework known as multihost multistage vulnerability analysis (MulVAL) then takes these predicates and rules to produce a threat model known as attack graph. The attack graph is further used to performed quantitative risk analysis using a metric to depict the risks associated to the OpenFlow SDN model

SDN

Application layer

Northbound Interface

Controller

Southbound Interface

data plane OpenFlow

Threat Model

MulVAL

Attack Graph

Attack Trees

Risk Analysis

Övrig annan teknik

HackerGraph : Creating a knowledge graph for security assessment of AWS systems

Stournaras, Alexios

January 2023

With the rapid adoption of cloud technologies, organizations have benefited from improved scalability, cost efficiency, and flexibility. However, this shift towards cloud computing has raised concerns about the safety and security of sensitive data and applications. Security engineers face significant challenges in protecting cloud environments due to their dynamic nature and complex infrastructures. Traditional security approaches, such as attack graphs that showcase attack vectors in given network topologies, often fall short of capturing the intricate relationships and dependencies of cloud environments. Knowledge graphs, essentially a knowledge base with a directed graph structure, are an alternative to attack graphs. They comprehensively represent contextual information such as network topology information and vulnerabilities, as well as the relationships between all of the entities. By leveraging knowledge graphs’ inherent flexibility and scalability, security engineers can gain deeper insights into the complex interconnections within cloud systems, enabling more effective threat analysis and mitigation strategies. This thesis involves the development of a new tool, HackerGraph, specifically designed to utilize knowledge graphs for cloud security. The tool integrates data from various other tools, gathering information about the cloud system’s architecture and its vulnerabilities and weaknesses. By analyzing and modeling the information using a knowledge graph, the tool provides a holistic view of the cloud ecosystem, identifying potential vulnerabilities, attack vectors, and areas of concern. The results are compared to modern stateof-the-art tools, both in the area of attack graphs and knowledge graphs, and we prove that more information and more attack paths in vulnerable by-design scenarios can be provided. We also discuss how this technology can evolve, to better handle the intricacies of cloud systems and help security engineers in fully protecting their complicated cloud systems. / Organisationers snabba anammande av molnteknologier har låtit dem dra nytta förbättrad skalbarhet, kostnadseffektivitet och flexibilitet. Däremot har detta skifte också lett till nya säkerhetsproblem, speciellt gällande applikationer och behandlingen av känslig information. Molnmiljöers dynamiska natur och komplexa problem skapar markanta problem för de säkerhetstekniker som ansvarar för att skydda miljön. Den typ av invecklade förhållanden som finns i molnet fångas däremot sällan av traditionella säkerhetsmetoder, såsom attackgrafer. Ett alternativ till attackgrafer är därför kunskapsgrafer som utförligt kan representera kontextuell information, förhållanden och domänspecifik kunskap. Genom kunskapsgrafernas naturliga flexibilitet och skalbarhet skulle säkerhetsteknikerna kunna få djupare insikter kring de komplexa förhållanden som råder i molnmiljöer för att på ett mer effektivt sätt analysera hot och hur de kan förebyggas. Det här arbetet involverar därför utvecklingen av ett nytt verktyg specifikt designat för att använda kunskapsgrafer, nämligen HackerGraph. Verktyget integrerar data från flera andra verktyg som samlar information om molnmiljöers arkitektur samt deras sårbarheter eller svagheter. Genom att analysera och modellera informationen som en kunskapsgraf skapar verktyget en holistisk bild av molnekosystemet som kan identifiera potentiella sårbarheter, attackvektorer eller andra problemområden. Resultaten jämförs sedan med moderna verktyg inom både attack- och kunskapsgrafer. Vi bevisar därmed både hur mer information och fler attackvägar kan tillhandahållas från scenarion som är sårbara per design. Vi diskuterar också hur den här teknologin kan utvecklas för att bättre hantera molnmiljöers komplexitet samt hur den kan hjälpa säkerhetstekniker att skydda sina komplicerade molnmiljöer.

Cloud security

Knowledge graph

Attack graph

Vulnerability ssessment

Attack paths

Vulnerable-by-design systems

Cloudgoat

Molnsäkerhet

Kunskapsgraf

Attackgraf

Sårbarhetsanalysis

Sårbara miljöer

Cloudgoat

Elektroteknik och elektronik