Towards Modelling Information Security with Key-Challenge Petri Nets

1
Towards Modelling Information Security with
Key-Challenge Petri Nets

• Teijo Venäläinen
• teijo.v.o.venalainen_at_jyu.fi

2
Contents

• Introduction
• Various modelling methods
• Graph based modelling
• Key-Challenge Petri Nets

3
Introduction

• Since 7/2006 in Information Technology Research
  Institute (ITRI), Agora, JYU
• Doctoral studies since 2009
• Goal is to find a method for measuring
  information security (IS)
• Modelling and Simulation (MS)

4
Motivation for testing/modelling

• Testing a system in use is not a feasible option
  gt damage
• Real system must be replicated (modelled) somehow
• Testing is done with the modelled system
• How accurately does the model represent the real
  system?

5
Resulting information

• For the whole system or a single component, the
  following results are interesting
• Mean time between failure (against attacks)
• Success probability of attacks
• Damage (performance degradation, money, )
• Attack route i.e. how the attack progresses
• And more

6
Testing methods

• There are different methods, where varies 1
• target audience
• Human involement during testing
• Detail level
• Role playing, Packet wars, network design tools
• Mathematical modelling, state machines, graph
  based modelling

7
Role playing

• Scenario-based training exercises
• High abstraction level
• Test the strategic decision making process of
  personnel and organizations
• Computers not necessary, pencil paper
• Target audience high level decision makers
• Does not provide technical IS information

8
Packet wars

• Real network with real users, a dedicated test
  network in a laboratory
• Two teams attackers and defenders
• Highly accurate method but costly
• Target audience IS professionals

9
Network design tools

• Accurate modelling of networks and normal
  activities
• Attack modelling is limited gt limited results
• No human involvement during testing, only
  simulation
• Target audience IS professionals, network
  designers

10
Mathematical modelling, state machines, graph
based models

• Also approximations of the real system
• Provide results faster through simulation
• Cheap
• Easily modifyable

11
Modelling simulation
System description
Model
Simulation
12
Graph based modelling

• Network attack is usually a series of
  interdependent actions leading to a goal (
  breach in security)
• Actions are illustrated using nodes and arcs gt
  an attack graph (AG)
• Assign conditions (e.g. probability) on
  traversing between nodes
• Usually attackers point of view
• Simulate by starting from a node and moving
  towards the goal node(s)

13
Attack tree
Source 2
14
Challenges

• The system must be described at adequate level of
  accuracy. Scalability with large networks?
• Valid input parameters (From where? How?)
• Usability
• Attackers and defenders interaction (game
  theory?)
• Creating graphs is labor intensive gt automatic
  tools

15
Petri Nets

• Place (input/output) holds tokens
• Arc connects places and transitions
• Transition lets token pass through if conditions
  are met
• Token moves from place to place

16
Key-Challenge Petri Nets (KCPN)

• A modelling method under development
• Based on Petri-nets
• KCPN graph is created using network and
  vulnerability information
• Conditions for transitions key-challenge
• challenge security measure
• key means to circumvent/break the security
  measure

17
KCPN overview

• Hierarchical i.e. modelling may be performed
  using various abstration levels
• Modular structure
• Place network device or attack action
• Arc physical connection of devices or causal
  relation of attack actions
• Transition challenge (security measure)

18
KCPN simulation

• Attacker collects keys that allow him to progress
  in the graph
• Variables may be assigned for transitions
• Probability of being detected
• Duration of an attack action (time distribution)
• Cost, skill level, etc.
• It is possible to perform an attack action
  without required keys but with a greater
  cost/duration

19
KCPN results

• Simulation results include
• Probability of success of an entire attack
• The most vulnerable attack path
• The duration of the entire attack
• Results may be used as input data within the
  model (simulate modules independently)

20
KCPN example

• Two hierarchy levels
• Topology level (physical world)
• Attack action level (abstract world)
• Multiple network devices lumped into a single
  node (Hosts)
• Devices with similar connections, OS, software,
  etc. gt lumped together

21
KCPN the physical network
22
KCPN the graph
23
Sources

• 1 J. Saunders. Simulation Approaches in
  Information Security Education. Proceedings of
  6th National Colloquium for Information System
  Security Education, 2002.
• 2 Bruce Schneier. Attack Trees. SANS Network
  Security 1999. http//www.cs.utk.edu/dunigan/cns0
  6/attacktrees.pdf

24
Thank You!