Abstract
The knowledge an attacker gathers about the critical infrastructure network they infiltrate allows them to customize the payload and remain undetected while causing maximum impact. This knowledge is the product of internal reconnaissance, carried out through lateral movement and enabled by exploiting discovered vulnerabilities. This stage of the attack is also the longest, and therefore gives a defender the biggest opportunity to detect and react to the attacker.
This paper helps a defender minimize the information an attacker might gain once inside the network. This can be done by curbing lateral movement, misdirecting the attacker, or inhibiting reachability to a critical device. We use a linear threshold model of attack propagation to analyze the potential attack loss, and use it to find actions a defender might invest in while staying within their budgetary constraints. We show that while finding the best solution subject to these constraints is computationally intractable, the objective function is supermodular, which allows a tractable technique with a known approximation bound.
References
Anantharaman, P., Palani, K.: What happened when the Kudankulam nuclear plant was hacked - and what real danger did it pose? Scroll.in, 20 November 2019
Bakshy, E., Hofman, J.M., Mason, W.A., Watts, D.J.: Everyone's an influencer: quantifying influence on Twitter. In: Proceedings of the Fourth ACM International Conference on Web Search and Data Mining, pp. 65–74 (2011)
Chen, W., Wang, C., Wang, Y.: Scalable influence maximization for prevalent viral marketing in large-scale social networks. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1029–1038 (2010)
Feige, U.: A threshold of ln n for approximating set cover. J. ACM (JACM) 45(4), 634–652 (1998)
Gomez-Rodriguez, M., Leskovec, J., Krause, A.: Inferring networks of diffusion and influence. ACM Trans. Knowl. Discov. Data (TKDD) 5(4), 1–37 (2012)
Gomez Rodriguez, M., Leskovec, J., Schölkopf, B.: Structure and dynamics of information pathways in online media. In: Proceedings of the Sixth ACM International Conference on Web Search and Data Mining, pp. 23–32 (2013)
Granovetter, M., Soong, R.: Threshold models of diffusion and collective behavior. J. Math. Sociol. 9(3), 165–179 (1983)
Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings 15th IEEE Computer Security Foundations Workshop, CSFW-15, pp. 49–63. IEEE (2002)
Kempe, D., Kleinberg, J., Tardos, É.: Maximizing the spread of influence through a social network. In: Proceedings of the Ninth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 137–146. ACM (2003)
Kermack, W.O., McKendrick, A.G.: A contribution to the mathematical theory of epidemics. Proc. R. Soc. Lond. A 115(772), 700–721 (1927)
Khalil, E., Dilkina, B., Song, L.: CuttingEdge: influence minimization in networks. In: Proceedings of Workshop on Frontiers of Network Analysis: Methods, Models, and Applications at NIPS (2013)
Krause, A., Golovin, D.: Submodular function maximization. In: Tractability: Practical Approaches to Hard Problems, pp. 71–104. Cambridge University Press (2014)
Krause, A., Guestrin, C.: A Note on the Budgeted Maximization of Submodular Functions. Carnegie Mellon University, Center for Automated Learning and Discovery (2005)
Krause, A., Leskovec, J., Guestrin, C., VanBriesen, J., Faloutsos, C.: Efficient sensor placement optimization for securing large water distribution networks. J. Water Resour. Plann. Manage. 134(6), 516–526 (2008)
Lee, R.: TRISIS malware: analysis of safety system targeted malware. Dragos Inc. (2017)
Lee, R., Assante, M., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid. EISAC Technical report (2016)
Leskovec, J., Adamic, L.A., Huberman, B.A.: The dynamics of viral marketing. ACM Trans. Web (TWEB) 1(1), 5es (2007)
Leskovec, J., Backstrom, L., Kleinberg, J.: Meme-tracking and the dynamics of the news cycle. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 497–506 (2009)
Leskovec, J., Krause, A., Guestrin, C., Faloutsos, C., VanBriesen, J., Glance, N.: Cost-effective outbreak detection in networks. In: Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 420–429 (2007)
Nakashima, E.: Russian military was behind NotPetya cyberattack in Ukraine, CIA concludes. The Washington Post, 12 January 2018
Nemhauser, G.L., Wolsey, L.A., Fisher, M.L.: An analysis of approximations for maximizing submodular set functions–I. Math. Program. 14(1), 265–294 (1978)
Nguyen, H.H., Palani, K., Nicol, D.M.: An approach to incorporating uncertainty in network security analysis. In: Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp, pp. 74–84 (2017)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345 (2006)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 273–284. IEEE (2002)
Summers, T.H., Cortesi, F.L., Lygeros, J.: On submodularity and controllability in complex dynamical networks. IEEE Trans. Control Netw. Syst. 3(1), 91–101 (2015)
Sviridenko, M.: A note on maximizing a submodular set function subject to a knapsack constraint. Oper. Res. Lett. 32(1), 41–43 (2004)
A Proof of Theorem 1
Given an attack graph \(\mathcal {A} = (V,E,p)\) we need to show that for any set \(\pi \subseteq E\) and an edge \(e=(u,v) \in E \setminus \pi \)
This proof closely follows the proof in [11] and differs only in the function of interest (the attack loss function).
The space of attack scenarios \(\varOmega _{\mathcal {A} \setminus \pi }\) can be divided into three disjoint parts according to the incoming edge selected for node v: \(\varOmega _{\mathcal {A} \setminus \pi }^e\) (edge \(e = (u,v)\) is chosen), \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) (a different incoming edge \(\overline{e} = (u^{'},v)\) is chosen) and \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) (no incoming edge is selected).
For the space \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) we note that it is a subset of \(\varOmega _{\mathcal {A} \setminus \pi }\), since any scenario graph in the former can be generated in the latter; the only scenarios absent from the former are those in which edge e is selected. Thus \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) is the union of two of the parts above: \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}} \cup \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\).
Using these disjoint partitions, we can write the difference as:
For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) we have \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup \{e\})] = 0\), since from Eq. 6 we have \(p(v,A,\mathcal {A}\setminus \pi ) = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) = p(\overline{e})\). This is because in this space edge \(\overline{e}\) is chosen for node v under both cases, and the choices at every other node are unaffected by the removal of e.
For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) we have:
This stems from the fact that we can factor the difference into the term for node v and the terms for all other nodes \(v'\ne v\), which are the same under both cases: \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup \{e\})] = \prod _{v' \ne v} p(v',A,\mathcal {A} \setminus \pi ) \times [p(v,A,\mathcal {A}\setminus \pi ) - p(v,A,\mathcal {A}\setminus (\pi \cup \{e\}))]\).
As for the difference in probabilities when node v has no incoming edge, it equals \(-p_e\), because \(p(v,A,\mathcal {A}\setminus \pi ) = 1 - \sum _{x \in E \setminus \pi } p_x = 1 - \sum _{x \in E \setminus (\pi \cup \{e\})} p_x - p_e = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) -p_e\).
Now consider the following two facts:
- Every graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has a corresponding graph \(A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\), and vice versa, where \(A' = A \cup \{e\}\), i.e. they differ only in the edge e.
- A graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has probability \(Pr[A'|\mathcal {A}\setminus \pi ] = p_e \prod _{v' \ne v}p(v',A',\mathcal {A}\setminus \pi )\). Note that this is essentially Eq. 7 rewritten in terms of e.
Hence:
Since this is a non-negative sum and, by Lemma 2, \(L(A') - L(A) \ge 0\) for each pair, the risk function is monotone decreasing in the policy \(\pi \).
\(\blacksquare \)
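The argument above can be checked exhaustively on a small graph. The following is an added example, not code from the paper: it builds a constructed four-host attack graph with per-edge selection probabilities, enumerates the scenario space in which every node selects at most one incoming edge (or none, with the leftover probability \(1 - \sum p_x\)), and verifies for every policy \(\pi\) and every \(e \notin \pi\) both that removing e never increases the expected loss and that the drop equals the sum over \(\varOmega^{\emptyset}\) of \(p_e \prod_{v' \ne v} p(v',A) \,[L(A \cup \{e\}) - L(A)]\) that the proof arrives at. The loss L is assumed here to be the number of hosts reachable from an assumed attacker foothold (the paper's own L is not reproduced on this page; the proof only needs L to be monotone in the edge set). The last function is the budgeted greedy selection the abstract alludes to, run with constructed unit costs.

```python
from itertools import product
from math import prod

# Constructed toy attack graph (not from the paper).  Nodes are hosts; an edge
# (u, v) with weight p_e is an exploitable hop from u to v.  For each node the
# incoming weights sum to at most 1; the remainder is "no incoming edge chosen".
NODES = ["entry", "hmi", "eng", "plc"]
EDGES = {
    ("entry", "hmi"): 0.5,
    ("entry", "eng"): 0.3,
    ("hmi", "eng"): 0.4,
    ("hmi", "plc"): 0.3,
    ("eng", "plc"): 0.5,
}
ENTRY = "entry"  # assumed attacker foothold


def incoming(v, edges):
    return [e for e in edges if e[1] == v]


def node_prob(v, scenario, edges):
    """p(v, A, edges): p_e if scenario A selects incoming edge e for v, else
    1 - sum of p_x over the incoming edges of v that remain in `edges`."""
    chosen = [e for e in scenario if e[1] == v]
    if chosen:
        return edges[chosen[0]]
    return 1.0 - sum(edges[e] for e in incoming(v, edges))


def scenarios(edges):
    """Scenario space: every node independently selects one remaining incoming
    edge or none.  Each scenario is the frozenset of selected edges."""
    options = [incoming(v, edges) + [None] for v in NODES]
    for combo in product(*options):
        yield frozenset(e for e in combo if e is not None)


def loss(scenario):
    """Assumed loss L(A): number of hosts reachable from ENTRY in scenario
    graph A (monotone in the edge set, which is all the proof needs)."""
    reached, stack = {ENTRY}, [ENTRY]
    while stack:
        u = stack.pop()
        for a, b in scenario:
            if a == u and b not in reached:
                reached.add(b)
                stack.append(b)
    return len(reached) - 1


def expected_loss(edges, policy=frozenset()):
    """Expected attack loss after the defender removes the edges in policy pi."""
    remaining = {e: p for e, p in edges.items() if e not in policy}
    return sum(prod(node_prob(v, A, remaining) for v in NODES) * loss(A)
               for A in scenarios(remaining))


def partition_difference(edges, policy, e):
    """The proof's decomposition of expected_loss(pi) - expected_loss(pi + e):
    scenarios where v picks another incoming edge cancel, scenarios that use e
    pair off with no-edge scenarios via A' = A + {e}, leaving the sum over the
    no-edge scenarios of p_e * prod_{v' != v} p(v', A) * (L(A') - L(A))."""
    remaining = {x: p for x, p in edges.items() if x not in policy}
    v, total = e[1], 0.0
    for A in scenarios(remaining):
        if any(x[1] == v for x in A):
            continue  # A lies in Omega^e or Omega^{e-bar}, not Omega^{empty}
        others = prod(node_prob(w, A, remaining) for w in NODES if w != v)
        total += remaining[e] * others * (loss(A | {e}) - loss(A))
    return total


def monotone_in_policy(edges):
    """Theorem 1 on the toy graph: for every policy pi and e not in pi, removing
    e as well never raises expected loss, and the drop equals the partition sum."""
    edge_list = list(edges)
    for mask in range(2 ** len(edge_list)):
        policy = frozenset(x for i, x in enumerate(edge_list) if mask >> i & 1)
        for e in edge_list:
            if e in policy:
                continue
            drop = expected_loss(edges, policy) - expected_loss(edges, policy | {e})
            if drop < -1e-12 or abs(drop - partition_difference(edges, policy, e)) > 1e-9:
                return False
    return True


def greedy_hardening(edges, cost, budget):
    """Budgeted greedy: repeatedly remove the affordable edge with the largest
    loss reduction per unit cost.  Costs are constructed for the example."""
    policy, spent = frozenset(), 0.0
    while True:
        base, best, best_ratio = expected_loss(edges, policy), None, 0.0
        for e in edges:
            if e in policy or spent + cost[e] > budget:
                continue
            ratio = (base - expected_loss(edges, policy | {e})) / cost[e]
            if ratio > best_ratio:
                best, best_ratio = e, ratio
        if best is None:
            return policy, spent
        policy, spent = policy | {best}, spent + cost[best]
```

On the constructed graph the undefended expected loss is 1.4 reachable hosts, `monotone_in_policy(EDGES)` returns True over all 32 policies, and with unit costs and a budget of 2 the greedy loop removes the two edges out of the foothold, which drives the expected loss to zero. Exhaustive enumeration is only feasible for toy graphs; the point of the supermodularity result is that the greedy loop, which needs only evaluations of the objective, keeps its approximation guarantee when the scenario space is far too large to enumerate.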
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Palani, K., Nicol, D.M. (2020). Hardening Critical Infrastructure Networks Against Attacker Reconnaissance. In: Gribaudo, M., Jansen, D.N., Remke, A. (eds) Quantitative Evaluation of Systems. QEST 2020. Lecture Notes in Computer Science, vol. 12289. Springer, Cham. https://doi.org/10.1007/978-3-030-59854-9_19
DOI: https://doi.org/10.1007/978-3-030-59854-9_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-59853-2
Online ISBN: 978-3-030-59854-9
eBook Packages: Computer Science (R0)