1. Using Ontologies to Quantify Attack Surfaces
Mr. Michael Atighetchi, Dr. Borislava Simidchieva, Dr. Fusun Yaman, Raytheon BBN Technologies
Dr. Thomas Eskridge
Dr. Marco Carvalho
Florida Institute of Technology
Captain Nicholas Paltzer
Air Force Research Laboratory
Distribution Statement “A” (Approved for Public Release, Distribution Unlimited). This material is based upon work supported by the Air Force Research Laboratory under Contract No. FA C-0104.

2. Context
Problem: Defense selection and configuration is a poorly understood, non-quantifiable process
Add defenses that provide little value or even increase the attack surface
Introduce unacceptable overhead
Cause unintended side effects when combining multiple defenses
Objective: Provide tools enabling automated security quantification of distributed systems with a focus on architectural patterns
Model key concepts related to cyber defense
Provide algorithms to quantify and minimize attack surfaces
Focus on Moving Target Defense

3. Systematic Quantification of Defense Postures

4. Attack Surface Reasoning (ASR)
Objective: Measure attack surfaces for security quantification
Establish appropriate metrics for quantifying different attack surfaces
Incorporate mission security and cost measurements
Address usability issues through representative and composite measures of effectiveness
Technical Achievements
Models for attack surfaces that include systems, defenses, and attack vectors to enable quantitative characterization of attack surfaces
Metrics for characterizing the attack surface of a dynamic, distributed system at the application, operating system, and network layers
Algorithms for evaluating the effectiveness of defenses and minimizing attack surfaces

5. Modeling Approach
Express a configuration C as a collection of OWL models
C = {system, defense, attack, adversary, mission, metrics}
Ontology openly available at
Focus on interactions between distributed components
Adversaries tend to take advantage of weak seems
Make as few assumptions about adversaries as possible
Minimize “garbage in, garbage out” problems
Leverage extensible knowledge representation frameworks with powerful query languages
Ontologies expressed in OWL
Models can queried with SPARQL
Automate model creation when possible
Increase consistency and minimize cost of manual model creation

6. Systems Model Capture the relevant aspects of systems
Based on Microsoft’s STRIDE dataflow model
Process
DLLs, EXEs, service
External Entity
People, other systems
Data Flow
Network flow, function call
Data Store
File
Database
Trust Boundary
Process boundary
File system
Extensions
Hierarchical Layering
Inclusion of specific concepts to make models more understandable

7. Attack Model 6 >500 >943 Attack Types S = Spoofing T = Tampering
R = Repudiation
I = Information Disclosure
D = Denial of Service
E = Elevation of Privilege
Expresses high-level attack steps
Microsoft 6
STRIDE
Common
Attack
Pattern
Enumeration
And
Classification
MITRE
>500
CAPAC
MITRE
Common
Weakness
Enumeration
>943
CWE

8. Attack Step Model
Example AttackStepDefinition:

9. Current Set of Modeled Attack Steps

10. Adversary Model Captures assumptions we make about adversaries
Starting position
Overall objective of the attack
Quantification experiments assess attack surfaces across many different adversary models
To increase efficiency of attack vector finding, knowledge of adversarial workflows can be expressed in AttackVectorTemplates

11. Defense Model
Express the security provided and cost incurred by cyber defenses
Defense models may add new entities to system models (new data flows, processes, etc.)
Current set of modeled defenses includes three types of MTDs
Time-bounding observables (e.g., IPHopping)
Masquerading (OS Masquerading)
Time-bounding footholds (e.g., continuous restart via Watchdogs)

12. Mission Model
Missions are simply modeled as a subset of data flows together with information security and cost requirements
Security requirements are expressed as Confidentiality, Integrity, Availability
Cost requirements are expressed as %change of latency and throughput
Missions (and their individual flows) can be in three distinct modes
Pass, degraded, fail

13. Metrics Model
Attack surface metrics are themselves expressed through a model
Cover {system & mission, security & cost} dimensions

14. Attack Surface Indexes

15. Quantification Methodology
Security
Mission
Cost
1. Wrap Defense
2. Scan System into Model
4. Quantify Attack Surface
ASI
ACI
AMI
123
Networked System
System
Fail
System -5
+12
Fail
System
Virtual Experimentation Environment
System
+13 +3
Degraded
Mission
Networked System*
Attack
System
+23 +5
Pass
3. Characterize Defense
5. Validate Attack Vectors
Experimentation:
System auto-scan
Defense cost characterization
Attack vector validation
Analytics:
Cost and security metrics
Attack vector finding
Attack surface minimization

16. Experimental Results
Generated models of tens of hosts and a small number of defenses and attack steps
Deployed scanning capabilities on BBN network and virtualized network at customer location and automatically generated system models from live systems
Explore runtime complexity of attack vector finding and metrics computation algorithms using a random model generator

17. Conclusion and Next Steps
We created a framework for quantifying attack surfaces using semantic models
Our ontologies are openly available at
We hope you will try them out and provide feedback!
Next Steps
Automate defense deployment exploration within a system through a genetic search algorithm
Include metrics to capture interaction effect between multiple cyber defenses
Expand scenario to enterprise-scale regimes
Extend the set of modeled cyber defenses beyond MTDs
Proxy overlay networks, deception, reactive defenses

18. Contacts Mr. Michael Atighetchi, matighet@bbn.com
Dr. Borislava Simidchieva,
Dr. Fusun Yaman,
Dr. Thomas Eskridge,
Dr. Marco Carvalho,
Captain Nicholas Paltzer,