ACT: Attack Countermeasure Trees for Information Assurance Analysis

In modeling system response to security threats, researchers have made extensive use of state space models, notable instances including the partially observable stochastic game model proposed by Zonouz et al. The drawback of these state space models is that they may suffer from state space explosion. Our approach to modeling defense uses a combinatorial model, which helps avert this problem. We propose a new attack-tree (AT) model named attack-countermeasure trees (ACT), based on a combinatorial modeling technique for modeling attacks and countermeasures. ACT enables one to (i) place defense mechanisms in the form of detection and mitigation techniques at any node of the tree, not just at the leaf nodes as in defense trees (DT); (ii) automate the generation of attack scenarios from the ACT using its mincuts; (iii) perform probabilistic analysis (e.g. probability of attack, attack and security investment cost, impact of an attack, system risk, return on attack (ROA) and return on investment (ROI)) in an integrated manner; (iv) select an optimal countermeasure set from the pool of defense mechanisms using a method which is much less expensive than the state-space based approach; and (v) perform analysis for trees with both repeated and non-repeated events. For evaluation purposes, we suggest suitable algorithms and implement an ACT module in SHARPE. We demonstrate the utility of ACT using a practical case study (BGP attacks).


I. INTRODUCTION
In modeling system response to security threats, researchers have made extensive use of state space models, notable instances including the partially observable stochastic game model proposed in [9]. The drawback of these state space models is that they may suffer from state space explosion. Our approach to modeling defense uses a combinatorial model, which helps avert this problem. We propose a new attack-tree (AT) [7] model named attack-countermeasure trees¹ (ACT), based on a combinatorial modeling technique for modeling attacks and countermeasures. ACT enables one to (i) place defense mechanisms in the form of detection and mitigation techniques at any node of the tree, not just at the leaf nodes as in defense trees (DT) [2]; (ii) automate the generation of attack scenarios [5] from the ACT using its mincuts; (iii) perform probabilistic analysis (e.g. probability of attack, attack and security investment cost, impact of an attack, system risk, return on attack (ROA) and return on investment (ROI)) in an integrated manner; (iv) select an optimal countermeasure set from the pool of defense mechanisms using a method which is much less expensive than the state-space based approach [9]; and (v) perform analysis for trees with both repeated and non-repeated events. For evaluation purposes, we suggest suitable algorithms and implement an ACT module in SHARPE [8]. We demonstrate the utility of ACT using a practical case study (BGP attacks) [3].

¹ This research was supported by US National Science Foundation grant NSF-CNS-08-31325.

In ACT, we can have three distinct classes of events: attack events (e.g. install keystroke logger), detection events (e.g. detect keystroke logger) and mitigation events (e.g. remove keystroke logger). Figures 1(a)-(e) represent different ACT nodes, and the corresponding probability of attack equations are given in Eq. 1-Eq. 5, where $p_{goal}$ is the probability of attack success at the goal.
In case (v), the nature of the mitigation technique triggered depends on the nature of intrusion detected. It is assumed that the detections can occur simultaneously.

II. ATTACK COUNTERMEASURE TREES
The output probabilities of the AND, OR and k-out-of-n gates in an ACT are enumerated in Table I.

III. ACT ANALYSIS
ACT analysis can be either qualitative or probabilistic.

Qualitative Analysis. Qualitative analysis of ACT investigates different attack scenarios using mincuts, and the relative importance of individual attack, detection and mitigation events using importance measures (IM). Mincuts help enumerate the various minimal combinations of attack events in the ACT that lead to attack success. We also use mincuts to perform cost and impact analysis and optimal countermeasure selection. Importance measures are significant in determining the most critical component in a system. Detection/mitigation events for the most critical component can be given higher priority. We consider structural importance ($I^{ST}_{A_k}$) when the probabilities of attack and detection/mitigation of ACT nodes are unknown. If the probabilities of attack/defense for ACT nodes are known, the Birnbaum importance measure ($I^{BT}_{A_k}$) [1] is used. We use $I^{BT}_{A_k}$ for sensitivity analysis and for ROI and ROA computation.
Probabilistic Analysis. The metrics attack cost and ROA reflect the attacker's viewpoint, whereas the metrics security investment cost, risk, impact and ROI represent the defender's viewpoint.

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE INFOCOM 2010 proceedings.

Cost and impact of attack were used as measures by Schneier [7] for analysis of AT. In ACT, cost can be of two types: cost of attack and security investment cost. In ACT without repeated events, we use the formulae in Table I to compute attack cost and impact of attacks for the gates. When one or more events are repeated in the ACT, we use Rauzy's algorithm [6] to construct the binary decision diagram (BDD) corresponding to the ACT. We select the ACT mincut with the lowest cost as the attack cost of the ACT, and the ACT mincut with the highest impact as the attack impact for the ACT. Security investment cost is computed by summing the cost of the defense mechanisms in the ACT. Risk computation (probabilistic risk assessment) follows from the probability of attack and impact computation, as system risk is given by the product of probability of attack and impact, i.e. the expected value of impact. ROA and ROI [2] quantify the nature of the competition between the attacker and the defender. ROA is a measure that quantifies the benefit obtained from a particular attack (Eq. 6). Unlike attack cost, ROA for a defense mechanism changes with the order of applying the defense mechanisms. ROI is the profit obtained by the implementation of the k-th defense mechanism by the defender. For an ACT, ROI is given by Eq. 6, where $\delta p_{goal}(k)$, $I_{goal}$ and $C_{D_k}$ are the change in $p_{goal}$, the impact due to attack success and the cost of implementing defense mechanism $D_k$, respectively.

A. Implementation
We have implemented cost, impact and risk analysis of ACTs in SHARPE [8]. ROA and ROI computation can be done by defining functions in SHARPE. We may also compute feasible attack scenarios (mincuts) subject to attacker resource constraints (attack cost constraint). Figure 2a shows how ROI varies with security investment cost and impact of attack for the ACT for 'resetting a BGP session' [3].
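The mincut-based attack cost and the cost-constrained scenario enumeration described above can be sketched as follows. This is an added example, not SHARPE code or the authors' implementation: the tree, the event names A1-A5 and the costs are constructed, a mincut's cost is assumed to be the sum of its events' costs, and plain top-down expansion stands in for the BDD construction the paper uses for repeated events.

```python
from itertools import product

# Constructed ACT fragment: leaves are attack events (str), inner nodes are
# ("AND" | "OR", [children]). Events A1 and A2 are repeated across branches.
TREE = ("OR", [
    ("AND", ["A1", ("OR", ["A2", "A3"])]),
    ("AND", ["A1", "A2", "A4"]),
    "A5",
])
# Constructed per-event attack costs (arbitrary units).
COST = {"A1": 100, "A2": 150, "A3": 50, "A4": 20, "A5": 400}


def cut_sets(node):
    """All sets of leaf events that make this node true (not yet minimal)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":   # any one child suffices
        return set().union(*child_sets)
    if gate == "AND":  # one cut set from every child, merged
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def mincuts(node):
    """Drop every cut set that strictly contains another one."""
    sets = cut_sets(node)
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=sorted)


def cut_cost(cut, cost):
    # Assumption: a scenario costs the sum of its events' costs.
    return sum(cost[e] for e in cut)


def attack_cost(node, cost):
    """Attack cost of the ACT = cost of its cheapest mincut."""
    return min(cut_cost(c, cost) for c in mincuts(node))


def feasible_scenarios(node, cost, budget):
    """Mincuts an attacker with the given budget can afford."""
    return [c for c in mincuts(node) if cut_cost(c, cost) <= budget]
```

The branch {A1, A2, A4} is discarded because it contains the smaller cut {A1, A2}, which is why repeated events need minimization rather than gate-by-gate formulae.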

B. Optimal Countermeasure Selection
Given the ACT of a system, it is generally desirable to enforce the subset of the whole set of countermeasures that is most cost efficient while covering as many attack events as possible. The problem then reduces to finding the smallest possible set of countermeasures (C) that contains at least one countermeasure from each mincut. A greedy algorithm for solving this problem is given in Table II. We implemented all the optimization algorithms in a MATLAB toolbox. The algorithm (Table II) is directly reducible to of attack events in the ACT)*(total number of defense mechanisms in the ACT)*min(|no. of attack events|,|no. of defense mechanisms|) = $O(mn \cdot \min(m,n))$ (say) = worst case $O(m^3)$ (n = m in the worst case, i.e., we add a distinct countermeasure for every attack event). With incrementally larger tree size, the runtime for optimization (y-axis) is plotted against the number of nodes in the tree (x-axis) in Figure 2b. From our analyses, we observe that an optimal set of defense mechanisms for a system can be obtained in comparatively less time by using our optimization techniques on ACT than by using attack response trees (ART) [9].
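The selection problem stated above, as an added example: a standard greedy set-cover heuristic, not the paper's Table II algorithm (which is not reproduced on this page) and not the MATLAB toolbox. The mincuts, the countermeasure names D1-D5 and the mapping from each countermeasure to the attack events it counters are constructed, and a mincut is assumed to be broken once any one of its events is countered.

```python
# Constructed inputs: mincuts over attack events, and for each countermeasure
# the set of attack events it detects/mitigates.
MINCUTS = [{"A1", "A2"}, {"A1", "A3"}, {"A5"}, {"A4", "A6"}]
COVERS = {
    "D1": {"A1"},
    "D2": {"A2", "A4"},
    "D3": {"A3"},
    "D4": {"A5", "A6"},
    "D5": {"A5"},
}


def greedy_countermeasures(mincuts, covers):
    """Greedily pick countermeasures until every mincut has a countered event.

    Returns (chosen, uncovered): the selected countermeasures in pick order
    and any mincuts that no countermeasure in the pool can break.
    """
    remaining = [frozenset(m) for m in mincuts]
    chosen = []
    while remaining:
        def gain(d):
            # Number of still-open mincuts this countermeasure would break.
            return sum(1 for m in remaining if m & covers[d])

        # Sorted candidates make tie-breaking deterministic (first by name).
        candidates = sorted(set(covers) - set(chosen))
        best = max(candidates, key=gain, default=None)
        if best is None or gain(best) == 0:
            break  # the leftover mincuts cannot be covered by this pool
        chosen.append(best)
        remaining = [m for m in remaining if not (m & covers[best])]
    return chosen, remaining
```

The greedy choice is a heuristic: it returns a covering set quickly but is not guaranteed to be the smallest one, and a non-empty second return value flags attack scenarios for which the pool has no defense.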

V. CONCLUSION
We have shown that ACT not only allows us to perform qualitative and probabilistic analysis based on combinatorial models but also provides us with methods for the computation of optimal defense strategies in large systems.