Dynamic Risk Assessment and Response Computation using Bayesian Attack Models
François-Xavier Aguessy, PhD thesis
PhD Supervisors: Hervé Debar, Vania Conan
Information systems concentrate invaluable resources, generally the computers and servers that process the data of an organisation. They constitute an increasingly attractive target for attackers. Given the number and complexity of attacks, security teams need to focus their actions on the most important attacks, in order to select the most efficient security controls. Because of the threat posed by advanced multi-step attacks, it is difficult for security operators to fully defend against all vulnerabilities when deploying countermeasures. Deploying intrusion detection sensors to monitor attacks exploiting residual vulnerabilities is not sufficient either, and new tools are needed to assess the risk associated with the security events produced by these sensors.
In this PhD thesis, we build a complete framework for static and dynamic risk assessment, leveraging prior knowledge on the information system (e.g., network topology, vulnerabilities, etc.) and dynamic events (e.g., intrusion alerts, attack detection, etc.), to propose responses to prevent future attacks.
First, we study how to remediate the potential attacks that can happen in a system, using logical attack graphs. We build a remediation methodology to remove the most relevant attack paths extracted from a logical attack graph. In order to help an operator choose between several remediation candidates, we rank them according to a cost of remediation combining operational and impact costs. We implement this method using MulVAL attack graphs and several publicly available data sets.
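To make the remediation step concrete, the following is an added illustrative example, not code from the thesis: it extracts the attack paths of a small MulVAL-style AND/OR attack graph as conjunctions of input facts, then enumerates the minimal sets of remediations that cut every path to a target privilege and ranks them by a single cost combining operational and impact costs. The graph, the remediation catalogue and all costs are constructed for the example, and the hitting-set enumeration is a simplification of whatever the thesis actually does.

```python
"""Attack-path extraction and cost-ranked remediation on a small logical
attack graph. Illustrative code added to this abstract; it is not the thesis's
implementation. The graph, remediation catalogue and costs are constructed."""
from itertools import combinations

# Constructed MulVAL-style AND/OR graph: LEAF nodes are input facts (the only
# nodes a remediation can remove), AND nodes are interaction rules, OR nodes
# are derived attacker privileges. Each entry: node -> (kind, predecessors).
GRAPH = {
    "attackerLocated(internet)":  ("LEAF", []),
    "hacl(internet,web,tcp,80)":  ("LEAF", []),
    "vulExists(web,cve-web)":     ("LEAF", []),
    "hacl(web,db,tcp,3306)":      ("LEAF", []),
    "hacl(internet,db,tcp,3306)": ("LEAF", []),
    "vulExists(db,cve-db)":       ("LEAF", []),
    "RULE1": ("AND", ["attackerLocated(internet)", "hacl(internet,web,tcp,80)",
                      "vulExists(web,cve-web)"]),
    "execCode(web)": ("OR", ["RULE1"]),
    "RULE2": ("AND", ["execCode(web)", "hacl(web,db,tcp,3306)",
                      "vulExists(db,cve-db)"]),
    "RULE3": ("AND", ["attackerLocated(internet)", "hacl(internet,db,tcp,3306)",
                      "vulExists(db,cve-db)"]),
    "execCode(db)": ("OR", ["RULE2", "RULE3"]),
}

# Constructed remediation catalogue: leaf fact -> (action, cost). The cost is
# a single number combining the operational cost of applying the action and
# the impact cost of the functionality it breaks (hypothetical values).
REMEDIATIONS = {
    "vulExists(web,cve-web)":     ("patch web server", 3.0),
    "vulExists(db,cve-db)":       ("patch database", 6.0),
    "hacl(internet,web,tcp,80)":  ("block internet->web:80", 50.0),  # site offline
    "hacl(web,db,tcp,3306)":      ("block web->db:3306", 40.0),      # app broken
    "hacl(internet,db,tcp,3306)": ("block internet->db:3306", 1.0),
    # attackerLocated(internet) has no remediation: the attacker is a given.
}


def attack_paths(node, on_stack=frozenset()):
    """Return the attack paths to `node` as a list of frozensets of leaf facts;
    each set is one conjunction of facts sufficient to reach the node.
    `on_stack` holds the nodes of the current derivation so that cycles in the
    graph (which MulVAL graphs can contain) only yield simple paths."""
    kind, preds = GRAPH[node]
    if kind == "LEAF":
        return [frozenset([node])]
    on_stack = on_stack | {node}
    if kind == "AND":
        # A rule can only fire if every precondition is derivable without
        # revisiting a node already on the stack.
        if any(p in on_stack for p in preds):
            return []
        paths = [frozenset()]
        for p in preds:
            sub = attack_paths(p, on_stack)
            if not sub:
                return []
            paths = [a | b for a in paths for b in sub]
        return paths
    # OR: any predecessor not already on the stack is an alternative.
    return [path for p in preds if p not in on_stack
            for path in attack_paths(p, on_stack)]


def _cuts_all(facts, paths):
    """True if removing `facts` breaks every attack path (a hitting set)."""
    return all(any(f in path for f in facts) for path in paths)


def ranked_remediations(target, max_actions=3):
    """Enumerate minimal sets of at most `max_actions` remediations that cut
    every attack path to `target`, ranked by increasing total cost."""
    paths = attack_paths(target)
    ranked = []
    for k in range(1, max_actions + 1):
        for combo in combinations(REMEDIATIONS, k):
            if not _cuts_all(combo, paths):
                continue
            # Drop non-minimal candidates: a proper subset already cuts.
            if any(_cuts_all([f for f in combo if f != g], paths) for g in combo):
                continue
            ranked.append((sum(REMEDIATIONS[f][1] for f in combo),
                           tuple(REMEDIATIONS[f][0] for f in combo)))
    return sorted(ranked)


if __name__ == "__main__":
    for path in attack_paths("execCode(db)"):
        print("attack path:", sorted(path))
    for cost, actions in ranked_remediations("execCode(db)"):
        print(f"cost {cost:5.1f}: {', '.join(actions)}")
```

With these constructed costs the cheapest candidate is not the single patch of the database but the pair "patch web server + block internet->db:3306", which is exactly the kind of trade-off an operator cannot see without a ranked list. The brute-force enumeration is exponential in the catalogue size and only suits small graphs; it also assumes the cost of a remediation set is the sum of its parts, which is not true when actions interact.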
Then, we study the dynamic attacks that can occur in a system. Although attack graphs were proposed to represent the known multi-step attacks that may occur, they are not directly suited to dynamic risk assessment. Several extensions of static risk assessment models have been proposed in the literature to accommodate dynamic risk assessment, but they share common limitations, such as their inability to handle the cycles that attack graphs contain. We present how static risk assessment models can be generalised into a Generic Attack Model, and how Generic Attack Models can then be extended to build two new dynamic risk assessment models that evaluate which attacks are the most likely. The first is the Bayesian Attack Model (BAM), a Bayesian network-based extension of the Generic Attack Model, built to handle cycles and to suit various information system configurations. We then extend the Bayesian Attack Model into the Hybrid Risk Assessment Model (HRAM). This hybrid model is subdivided into two complementary models: (1) Dynamic Risk Correlation Models, which correlate a chain of alerts with the knowledge on the system to analyse ongoing attacks and provide the hosts' compromise probabilities, and (2) Future Risk Assessment Models, which take into account existing vulnerabilities and the current attack status to assess the most likely future attacks. We study the sensitivity of both models to their probabilistic parameters and to the parameters of the input Generic Attack Model. Finally, we validate the accuracy and usage of both dynamic risk assessment models in the domain of cybersecurity, by building them from topological attack graphs.
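The following added example (not the thesis's model or code) shows the two computations the dynamic models are described as providing, on a three-host attack graph encoded as a Bayesian network: each attack step's conditional probability is a noisy-OR of its parents' exploit success probabilities, an IDS alert is a sensor node attached to one host, and exact inference by enumeration yields the hosts' prior compromise probabilities, their posterior probabilities once the alert is observed (the correlation view), and a ranking of the hosts by likelihood of compromise (the future-risk view). The hosts, edge probabilities and sensor rates are constructed; the graph is acyclic, so the cycle handling the BAM is built for is not attempted here.

```python
"""Bayesian attack model over a small attack graph, with exact inference by
enumeration. Illustrative code added to this abstract; it is not the thesis's
model or implementation. The hosts, probabilities and sensor are constructed."""
from itertools import product


def noisy_or(parents, leak):
    """CPT for an attack step: the attacker reaches this node if at least one
    already-reached parent's exploit succeeds (independently, with the edge's
    probability) or the node is reached without any listed parent (`leak`)."""
    def cpt(assign):
        p_fail = 1.0 - leak
        for parent, p_success in parents.items():
            if assign[parent]:
                p_fail *= 1.0 - p_success
        return 1.0 - p_fail
    return cpt


# Constructed model, listed in topological order (acyclic on purpose; cycle
# handling is out of scope here). Edge probabilities are hypothetical values
# of the kind one would derive from CVSS exploitability metrics.
MODEL = {
    "execCode(web)":        noisy_or({}, leak=0.3),                      # from internet
    "execCode(db)":         noisy_or({"execCode(web)": 0.6}, leak=0.1),  # pivot or direct
    "execCode(fileserver)": noisy_or({"execCode(web)": 0.2,
                                      "execCode(db)": 0.7}, leak=0.0),
    # Sensor node: an IDS alert on the web host, with a constructed detection
    # rate of 0.9 and false-positive rate of 0.05.
    "alert(ids_web)": lambda assign: 0.9 if assign["execCode(web)"] else 0.05,
}


def joint_probability(assign):
    """P(full assignment) as the product of each node's CPT given its parents."""
    p = 1.0
    for name, cpt in MODEL.items():
        p_true = cpt(assign)
        p *= p_true if assign[name] else 1.0 - p_true
    return p


def posterior(query, evidence=None):
    """P(query = True | evidence), by enumerating every full assignment.
    Exact but exponential in the number of nodes: fine for a demo, not for a
    real network, where a proper inference engine is required."""
    evidence = evidence or {}
    names = list(MODEL)
    numerator = denominator = 0.0
    for bits in product((False, True), repeat=len(names)):
        assign = dict(zip(names, bits))
        if any(assign[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(assign)
        denominator += p
        if assign[query]:
            numerator += p
    return numerator / denominator


def compromise_ranking(evidence=None):
    """Hosts ranked by posterior compromise probability, highest first: the
    'which attack is most likely' view once the observed alerts are folded in."""
    hosts = [n for n in MODEL if n.startswith("execCode(")]
    return sorted(((posterior(h, evidence), h) for h in hosts), reverse=True)


if __name__ == "__main__":
    alert = {"alert(ids_web)": True}
    for h in ("execCode(web)", "execCode(db)", "execCode(fileserver)"):
        print(f"{h:24s} prior {posterior(h):.3f}"
              f"  given web alert {posterior(h, alert):.3f}")
    print(compromise_ranking(alert))
```

Observing the single web alert moves the database host from a 0.262 prior to a 0.578 posterior compromise probability even though nothing was observed on the database itself, which is the correlation effect the abstract describes. Re-running `posterior` while varying one edge probability or the sensor's false-positive rate is the simplest form of the parameter sensitivity study mentioned above.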