A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava.

Presentation transcript:


Outline
- Motivation
- The Kolmogorov Complexity Method (KCM)
- The K-step Capability Accumulation Metric (KCA)
- Applying KCM to KCA

Motivation
- Perfect enterprise security is impossible to achieve, and must be approximated
- The difficulty associated with causing a security breach is used as an indicator of the quality of an enterprise's security
- The ability of an attacker to exploit a vulnerability is referred to as exploitability

Exploitability is Important
- Common Vulnerability Scoring System (CVSS): exploitability is incorporated into the scoring of vulnerabilities
- Computer Emergency Response Team/Coordination Center (CERT/CC): has a numeric score based on exploitability
- SANS Critical Vulnerability Analysis Scale Rating: 2 of its 4 ratings include exploitability
- Thus, assessing the difficulty of attack paths is important!

Representing Attack Paths with Attack Graphs
- Total Attack Paths: 4

Issues with Representation
- Counting the number of paths is straightforward (usually)
- Measuring the complexity of each attack is non-trivial
- Choices for determining attack complexity have been made in the literature
- However, these choices lack consistency, and fail to make some of the modeler's assumptions explicit
- If security metrics are to become more of a science, we will need a standard way of communicating our measurements!

What We Would Like
- A standard way of measuring attack path complexity that is grounded in some sound theory
- An attack path measurement approach that incorporates the assumptions of the modeler
- A way of measuring attack paths that provides a modeler sufficient flexibility to model the attack path as desired
- The Kolmogorov Complexity Method achieves these aims

Kolmogorov Complexity (KC)
- KC determines a string's complexity by using the size of the smallest program that can produce that string
- Let K be the function that returns the KC of a string
- Given strings x1 and x2, if K(x1) < K(x2), then x2 is more complex than x1
- Idea: If we model attack paths as strings, we can apply KC to attack paths

Representing Attack Paths
- Alphabet
  - $A$ corresponds to the set of all exploits (i.e., instances of vulnerabilities) found in all attack graphs under consideration
- Constants
  - $\varepsilon$ is the empty string
  - $v_i \in A$ denotes an exploit from an attack graph
  - $\emptyset$ corresponds to the empty set

Representing Attack Paths (II)
- Operators
  - Let $S$ and $T$ be two strings composed of characters from $A$
  - Let $E_1$ and $E_2$ be expressions in the language
  - $ST$ evaluates to the concatenation of strings $S$ and $T$
  - $()$ provides priority ordering
  - $(S)^+$ denotes that $S$ may repeat one or more times

Representing Attack Paths (III)
- Operators (continued...)
  - $S^k$ evaluates to $k$ instances of $S$ concatenated together
  - $E_1^{[k]} E_2$ evaluates to the insertion of $E_1$ into index $k$ of $E_2$, where the first character of $E_2$ is index 0 (the above can be generalized to $E_1^{[k_1],[k_2],\ldots,[k_n]} E_2$)
  - $E_1^{l,[k]} E_2$ concatenates $E_1^l$ to $E_2$ and inserts $E_1$ into the $k$th index of $E_2$
  - $E_1^{l[k]} E_2$ inserts $E_1^l$ into the $k$th index of $E_2$

The Kolmogorov Complexity Method (KCM) Applied to an Attack Path
- Quantitative Representation: $v_1 v_1 v_1 v_2 v_3 v_1 v_1$
- Qualitative Representations: $v_1^{3,2[2]} v_2 v_3$, $v_1^{3,[2]} v_2 v_3 v_1$, $v_1^3 v_2 v_3 v_1 v_1$
- Each representation makes explicit distinct assumptions about the attack path

KCM Can Handle Cyclic Attack Paths
- A Representation: $v_1^2 (v_1 v_2 v_3)^+ v_1^2$
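The operators on the slides above, as an added example that is not the authors' code: it expands the three qualitative representations into the quantitative string they denote and unrolls the cyclic path a finite number of times. The function names, the tuple encoding of strings, and the reading that E1^l is placed in front of E2 (inferred from the slide's worked example) are assumptions.

```python
# Added example (not the authors' code): expand KCM qualitative
# representations into the quantitative exploit string they denote.
# A string is a tuple of exploit names; all function names are hypothetical.

def power(s, k):
    """S^k: k instances of S concatenated together."""
    if k < 0:
        raise ValueError("repetition count must be non-negative")
    return tuple(s) * k

def insert(e1, k, e2):
    """E1^[k] E2: insert E1 at index k of E2 (first character is index 0)."""
    if not 0 <= k <= len(e2):
        raise IndexError(f"index {k} outside 0..{len(e2)}")
    return tuple(e2[:k]) + tuple(e1) + tuple(e2[k:])

def concat_insert(e1, l, m, k, e2):
    """E1^(l,m[k]) E2: prefix E1^l, then insert E1^m at index k of E2.
    m=1 gives the slide's E1^(l,[k]) E2. Placing E1^l in front is an
    assumption inferred from the slide's worked example."""
    return power(e1, l) + insert(power(e1, m), k, e2)

def unroll_plus(s, n):
    """(S)+ unrolled n >= 1 times: one finite sample of a cyclic path."""
    if n < 1:
        raise ValueError("(S)+ repeats at least once")
    return power(s, n)

V1, V2, V3 = ("v1",), ("v2",), ("v3",)

def slide_representations():
    """The three qualitative representations from the slide, expanded."""
    return [
        concat_insert(V1, 3, 2, 2, V2 + V3),       # v1^(3,2[2]) v2 v3
        concat_insert(V1, 3, 1, 2, V2 + V3 + V1),  # v1^(3,[2]) v2 v3 v1
        power(V1, 3) + V2 + V3 + V1 + V1,          # v1^3 v2 v3 v1 v1
    ]

def cyclic_path(n):
    """v1^2 (v1 v2 v3)+ v1^2 with the cycle taken n times."""
    return power(V1, 2) + unroll_plus(V1 + V2 + V3, n) + power(V1, 2)

if __name__ == "__main__":
    for q in slide_representations():
        print(" ".join(q))
    print(" ".join(cyclic_path(2)))
```

All three qualitative forms expand to the same quantitative string; they differ only in what they state about how the repeated use of v1 is structured.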

Outline
- Motivation
- The Kolmogorov Complexity Method (KCM)
- The K-step Capability Accumulation Metric (KCA)
- Applying KCM to KCA

Previously Proposed Metrics
- Capability Metrics: measure security in terms of an attacker's capability
  - Number of Paths (Ortalo et al. '99), Weakest Adversary (Pamula et al. '06), Network Compromise Percentage (Lippmann et al. '06)
- Complexity Metrics: measure security in terms of effort
  - Shortest Path (Phillips & Swiler '98), Mean of Path Lengths (Li & Vaughn '06)

The K-Step Capability Accumulation Metric (KCA)
- KCA is a hybrid of a complexity metric and a capability metric
- More than how difficult it is to cause a security breach, or what capabilities can an attacker obtain, KCA is concerned with the amount of capability an attacker can attain for varying levels of attack effort
- Intuition: In general, a network that can be compromised in a single attack step is less secure than another network that requires a series of multiple attack steps to compromise the network

KCA: Comparing 2 Attack Graphs
[Figure: attack graphs $G_1$ and $G_2$]
- $KCA_1(G_1) = KCA_1(G_2)$
- $KCA_2(G_1) < KCA_2(G_2)$
- $G_1$ is more secure than $G_2$
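The comparison above, as an added example that is not the authors' code: it accumulates the capabilities an attacker holds after at most k steps along any attack path and compares two graphs step by step. The two graphs, the exploit-to-capability map, the function names, and comparing KCA values by set size are all assumptions constructed for illustration.

```python
# Added example (not the authors' code): capability accumulated within k
# attack steps, following the KCA intuition on the slides. Graphs, exploit
# names and the capability map are constructed for illustration.

def kca(paths, capabilities, k):
    """Union of capabilities granted by the first k steps of every path."""
    gained = set()
    for path in paths:
        for exploit in path[:k]:
            gained |= capabilities.get(exploit, set())
    return gained

def more_secure(paths_a, paths_b, capabilities, max_k):
    """Return 'a', 'b' or None: the graph whose attacker holds fewer
    capabilities at the first step count k where the two graphs differ.
    Comparing by set size is an assumption of this example."""
    for k in range(1, max_k + 1):
        a = len(kca(paths_a, capabilities, k))
        b = len(kca(paths_b, capabilities, k))
        if a != b:
            return "a" if a < b else "b"
    return None

# Constructed capability map: what each exploit yields when it succeeds.
CAPS = {
    "v1": {"user@web"},
    "v2": {"user@db"},
    "v3": {"root@db"},
    "v4": {"root@web", "root@db"},
}

# Constructed graphs, each given as its list of attack paths.
G1 = [("v1", "v2", "v3")]   # three small steps to reach root@db
G2 = [("v1", "v4")]         # second step already yields two root capabilities

if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, sorted(kca(G1, CAPS, k)), sorted(kca(G2, CAPS, k)))
    print("more secure:", more_secure(G1, G2, CAPS, 3))
```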

Adapting KCA for KCM
- Assuming the KCM qualitative representation
- $Cap_{p_i}(G) = \bigcup \mathrm{capabilities}(p_i)$
- Let $q_1$ through $q_n$ be quantitative representations of the attack paths $p_1$ through $p_n$ respectively
- $q_j^{0 \ldots i}$ is the substring of $q_j$ from index 0 to index $i$
- $q_j^{i}$ is the $i$th position of $q_j$

Adapting KCA for KCM (II)
- Similar definitions exist for $s$
- $e(s_j^{0 \ldots i}) = q_j^{0 \ldots m}$, such that $s_j^{i} = q_j^{m}$ and $q_j^{m} \neq q_j^{m+1}$; also $\forall v \in q_j^{0 \ldots m},\ v \in s_j^{0 \ldots i}$
- This gives the following: $KCA_k(G) = \bigcup_{i=1}^{k} Cap_{e(s_j^{0 \ldots i})}(G)$, for all attack paths $j$

Summary
- We have proposed a methodology for measuring attack paths, the Kolmogorov Complexity Method (KCM)
- We have proposed a novel security metric that combines complexity and capabilities obtained by the attacker, the K-step Capability Accumulation Metric (KCA)
- We have shown that KCM can be applied to a security metric, namely, KCA

Thank You