Spotlight on Lablet Research #35 - Uncertainty in Security Analysis

Lablet: University of Illinois at Urbana-Champaign

The goal of this project is to develop a mathematical basis for describing and analyzing the ability of an adversary to laterally traverse networks in the presence of uncertainty about connections and uncertainty about exploitable vulnerabilities. This basis will be used to develop algorithms for quantified risk analysis of cyber-physical systems.

Cyber-security vulnerabilities in Cyber-Physical Systems (CPS) allow an adversary to remotely reach and damage physical infrastructure. After the initial point of entry, the adversary may move laterally through the computer network over connections that the access-control policy permits but which lead to services with exploitable vulnerabilities. Through lateral movement, the adversary may eventually gain control of monitors and actuators in the CPS, corrupt the data they report and/or issue malicious control commands, with consequences that may include significant physical damage. Existing analyses of the risk of such attacks assume that every vulnerability and every connection in the cyber system is known perfectly; in practice they are not. The research team, led by Principal Investigator David Nicol, is developing the mathematical basis for describing the adversary's ability to reach critical components of the CPS and inflict significant damage when the connections and vulnerabilities that enable lateral movement are uncertain.

Each edge derived from topological analysis can be assigned an "exploitation probability," a single number quantifying the chance that the adversary traverses that edge in a lateral movement. An edge probability models the uncertainty about whether an adversary on one host A can connect to another host B and exploit a vulnerability there, enabling the adversary to launch further attacks from B. In this study, the researchers introduced the attack loss, a function that quantifies the loss to the system when an adversary reaches a specific set of hosts. Because the adversary's ability to reach a set of hosts is uncertain, and the team models that uncertainty with probability, the overall loss caused by an attack is represented by an attack loss distribution. Previous analysis focused on computing reachability, i.e., the probability that a pathway exists between a specifically chosen source host and destination host; the current analysis focuses on techniques for quantifying the attack loss distribution. In particular, the right tail of the distribution contains the "worst-case scenarios" in which the attack inflicts the largest losses. Understanding high-impact security events and their probabilities allows organizations to make risk-informed defense decisions: whether to reduce the risk, e.g., by investing in network hardening, or to transfer the residual risk, usually by purchasing some form of cyber-insurance.

This research focuses on understanding network security risk, and the uncertainty in its estimate, when the security properties of the network components are not exactly known. In a previous study, the researchers used Bernoulli random variables to model the existence of a link between two directly connected hosts in the network, where a link indicates the possibility of a lateral movement. The current investigation generalizes this model by representing the uncertainty in link existence with a Beta distribution, a more versatile family of distributions whose shape varies widely with its two parameters. In the generalized model, computing the existence of a pathway between two specifically chosen hosts (i.e., reachability analysis) reduces to identifying the reachability distribution, which takes the form of a multivariate reliability polynomial in Beta-distributed variables. This is a hard problem. However, the initial results strongly suggest that in many cases the reachability distribution can itself be well approximated by a Beta distribution. This observation aligns with several earlier results on approximating functions of Betas, but the researchers' finding applies to a much more general setup. The implication is that, under conditions in which the approximation is sufficiently good, the computational cost of reachability analysis can be reduced significantly.
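The following Python script is an added example, not code from the Illinois project or from any paper it describes. It serves the two preceding paragraphs: on a small constructed lateral-movement graph it computes the exact attack loss distribution and its right tail under the single-probability (Bernoulli) edge model, shows how a hardening change moves the tail, then replaces each edge probability with a Beta distribution, samples the resulting reachability distribution by evaluating the graph's reliability polynomial at each draw, and checks how well a moment-matched Beta approximates it. The hosts, edge probabilities, Beta parameters, per-host loss values and the additive form of the loss function are all constructed for illustration; the enumeration is exponential in the number of edges and is meant for a toy graph, not a real network.

```python
"""Attack-loss distribution and Beta-approximated reachability on a small,
constructed lateral-movement graph. Standard library only (Python 3.8+)."""
import bisect
import itertools
import random
import statistics

# Constructed example: directed edges (an adversary on A can try to pivot to B)
# with a single exploitation probability per edge (the Bernoulli model).
EDGE_PROBS = {
    ("entry", "web"): 0.6,
    ("web", "db"):    0.3,
    ("web", "hmi"):   0.4,
    ("db", "hmi"):    0.5,
    ("hmi", "plc"):   0.7,
}
# Constructed Beta parameters (alpha, beta) for the generalized model, in which
# each edge's exploitation probability is itself uncertain.
EDGE_BETAS = {
    ("entry", "web"): (6, 4),
    ("web", "db"):    (3, 7),
    ("web", "hmi"):   (4, 6),
    ("db", "hmi"):    (5, 5),
    ("hmi", "plc"):   (7, 3),
}
# Constructed attack-loss function: additive per-host loss in arbitrary units.
# The paper's loss is a general function of the reached set; additivity is a
# simplification chosen for this example.
HOST_LOSS = {"entry": 0, "web": 1, "db": 5, "hmi": 10, "plc": 100}


def reachable(source, up_edges):
    """Set of hosts reachable from source using only the edges in up_edges."""
    seen, stack = {source}, [source]
    while stack:
        u = stack.pop()
        for a, b in up_edges:
            if a == u and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def edge_states(edge_probs):
    """Yield (probability, set of up edges) for every up/down assignment.
    Exponential in |E|: fine for this toy graph, not for a real network."""
    edges = list(edge_probs)
    for states in itertools.product((0, 1), repeat=len(edges)):
        prob, up = 1.0, set()
        for e, s in zip(edges, states):
            prob *= edge_probs[e] if s else 1.0 - edge_probs[e]
            if s:
                up.add(e)
        yield prob, up


def loss_distribution(edge_probs, source="entry"):
    """Exact attack-loss distribution as a dict loss -> probability."""
    dist = {}
    for prob, up in edge_states(edge_probs):
        loss = sum(HOST_LOSS[h] for h in reachable(source, up))
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def tail_probability(dist, threshold):
    """P(loss >= threshold): the right-tail mass of the loss distribution."""
    return sum(p for loss, p in dist.items() if loss >= threshold)


def reachability(edge_probs, source, target):
    """P(target reachable from source): the graph's reliability polynomial
    evaluated at the given edge probabilities."""
    return sum(p for p, up in edge_states(edge_probs)
               if target in reachable(source, up))


def sample_reachability(edge_betas, source, target, n, seed=1):
    """Draw each edge probability from its Beta and evaluate the reliability
    polynomial there; the results are samples of the reachability distribution."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        probs = {e: rng.betavariate(a, b) for e, (a, b) in edge_betas.items()}
        samples.append(reachability(probs, source, target))
    return samples


def fit_beta(samples):
    """Moment-matched Beta(alpha, beta) for samples strictly inside (0, 1)."""
    m, v = statistics.mean(samples), statistics.variance(samples)
    k = m * (1.0 - m) / v - 1.0   # k > 0 because v < m(1-m) for data in [0, 1]
    return m * k, (1.0 - m) * k


def beta_samples(alpha, beta, n, seed=2):
    """n draws from Beta(alpha, beta), used to compare against the fitted model."""
    rng = random.Random(seed)
    return [rng.betavariate(alpha, beta) for _ in range(n)]


def ks_distance(a, b):
    """Two-sample Kolmogorov-Smirnov distance between empirical CDFs."""
    a, b = sorted(a), sorted(b)
    return max(abs(bisect.bisect_right(a, x) / len(a)
                   - bisect.bisect_right(b, x) / len(b)) for x in a + b)


if __name__ == "__main__":
    dist = loss_distribution(EDGE_PROBS)
    print("P(loss >= 100) =", round(tail_probability(dist, 100), 4))
    hardened = {**EDGE_PROBS, ("hmi", "plc"): 0.1}   # e.g. patch the PLC gateway
    print("after hardening  =", round(tail_probability(loss_distribution(hardened), 100), 4))
    samples = sample_reachability(EDGE_BETAS, "entry", "plc", 4000)
    alpha, beta = fit_beta(samples)
    approx = beta_samples(alpha, beta, len(samples))
    print("fitted Beta(%.2f, %.2f), KS distance %.3f"
          % (alpha, beta, ks_distance(samples, approx)))
```

On this graph the exact probability of reaching `plc` is 0.6 * (1 - 0.6 * 0.85) * 0.7 = 0.2058, which is also P(loss >= 100); lowering the `hmi -> plc` edge to 0.1 cuts that tail mass to 0.0294, the kind of comparison that informs a hardening-versus-insurance decision. The KS distance reported at the end is the practitioner's check on the "approximate by a Beta" shortcut: a small value on a given network justifies using the cheap moment-matched Beta in place of the full polynomial, a large one does not.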

Time is considered as an additional dimension of network security analysis. The researchers' goal is to capture and incorporate network changes into the existing framework so that analyses can be performed accurately and in a timely fashion. The current effort focuses on understanding the changes associated with an ongoing attack, including the uncertainty about the current and future states of the attack and their implications for incident detection and response.
