TY - GEN
T1 - Reasoning about sequential cyberattacks
AU - Paliath, Vivin
AU - Shakarian, Paulo
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/8/27
Y1 - 2019/8/27
N2 - Cyber adversaries employ a variety of malware and exploits to attack computer systems, usually via sequential or “chained” attacks that take advantage of vulnerability dependencies. In this paper, we introduce a formalism to model such attacks. We show that the determination of the set of capabilities gained by an attacker, which also translates to the extent to which the system is compromised, corresponds with the convergence of a simple fixed-point operator. We then address the problem of determining the optimal/most-dangerous strategy for a cyber-adversary with respect to this model and find it to be an NP-Complete problem. To address this complexity we utilize an A*-based approach with an admissible heuristic that incorporates the result of the fixed-point operator and uses memoization for greater efficiency. We provide an implementation and show through a suite of experiments, using both simulated and actual vulnerability data, that this method performs well in practice for identifying adversarial courses of action in this domain. On average, we found that our techniques decrease runtime by 82%.
AB - Cyber adversaries employ a variety of malware and exploits to attack computer systems, usually via sequential or “chained” attacks that take advantage of vulnerability dependencies. In this paper, we introduce a formalism to model such attacks. We show that the determination of the set of capabilities gained by an attacker, which also translates to the extent to which the system is compromised, corresponds with the convergence of a simple fixed-point operator. We then address the problem of determining the optimal/most-dangerous strategy for a cyber-adversary with respect to this model and find it to be an NP-Complete problem. To address this complexity we utilize an A*-based approach with an admissible heuristic that incorporates the result of the fixed-point operator and uses memoization for greater efficiency. We provide an implementation and show through a suite of experiments, using both simulated and actual vulnerability data, that this method performs well in practice for identifying adversarial courses of action in this domain. On average, we found that our techniques decrease runtime by 82%.
KW - Adversarial reasoning
KW - Cyber-attack modeling
KW - Cybersecurity
UR - http://www.scopus.com/inward/record.url?scp=85078826499&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85078826499&partnerID=8YFLogxK
U2 - 10.1145/3341161.3343522
DO - 10.1145/3341161.3343522
M3 - Conference contribution
AN - SCOPUS:85078826499
T3 - Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2019
SP - 855
EP - 862
BT - Proceedings of the 2019 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2019
A2 - Spezzano, Francesca
A2 - Chen, Wei
A2 - Xiao, Xiaokui
PB - Association for Computing Machinery, Inc
T2 - 11th IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2019
Y2 - 27 August 2019 through 30 August 2019
ER -