Skip to main content

Hardening Critical Infrastructure Networks Against Attacker Reconnaissance

  • Conference paper
  • First Online:
Quantitative Evaluation of Systems (QEST 2020)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 12289))

Included in the following conference series:

Abstract

The knowledge an attacker gathers about the critical infrastructure network they infiltrate allows them to customize the payload and remain undetected while causing maximum impact. This knowledge is a consequence of internal reconnaissance in the cyber network by lateral movement and is enabled by exploiting discovered vulnerabilities. This stage of the attack is also the longest, thereby giving a defender the biggest opportunity to detect and react to the attacker.

This paper helps a defender minimize the information an attacker might gain once in the network. This can be done by curbing lateral movement, misdirecting the attacker or inhibiting reachability to a critical device. We use a linear threshold models of attack propagation to analyze potential attack loss and use this to find actions that a defender might invest in while staying within their budgetary constraints. We show that while finding the best solution subject to these constraints is computationally intractable, the objective function is supermodular, allowing for a tractable technique with a known approximation bound.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Anantharaman, P., Palani, K.: What happened when the Kudankulam nuclear plant was hacked - and what real danger did it pose? Scroll.in, 20 November 2019

    Google Scholar 

  2. Bakshy, E., Hofman, J.M., Mason, W.A.,Watts, D.J.: Everyone’s an influencer: quantifying influence on Twitter. In: Proceedings of the Fourth ACM International Conference on Web Search and Data Mining, pages 65–74 (2011)

    Google Scholar 

  3. Chen, W., Wang, C., Wang, Y.: Scalable influence maximization for prevalent viral marketing in large-scale social networks. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1029–1038 (2010)

    Google Scholar 

  4. Feige, U.: A threshold of ln n for approximating set cover. J. ACM (JACM) 45(4), 634–652 (1998)

    Article  Google Scholar 

  5. Gomez-Rodriguez, M., Leskovec, J., Krause, A.: Inferring networks of diffusion and influence. ACM Trans. Knowl. Discov. Data (TKDD) 5(4), 1–37 (2012)

    Article  Google Scholar 

  6. Gomez Rodriguez, M., Leskovec, J., Schölkopf, B.: Structure and dynamics of information pathways in online media. In: Proceedings of the Sixth ACM International Conference on Web Search and Data Mining, pp. 23–32 (2013)

    Google Scholar 

  7. Granovetter, M., Soong, R.: Threshold models of diffusion and collective behavior. J. Math. Sociol. 9(3), 165–179 (1983)

    Article  Google Scholar 

  8. Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings 15th IEEE Computer Security Foundations Workshop, CSFW-15, pp. 49–63. IEEE (2002)

    Google Scholar 

  9. Kempe, D., Kleinberg, J., Tardos, É.: Maximizing the spread of influence through a social network. In: Proceedings of the Ninth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 137–146. ACM (2003)

    Google Scholar 

  10. Kermack, W.O., McKendrick, A.G.: A contribution to the mathematical theory of epidemics. In: Proceedings of the royal society of London. Series A, Containing Papers of a Mathematical and Physical Character, vol. 115(772), pp. 700–721 (1927)

    Google Scholar 

  11. Khalil, E., Dilkina, B., Song, L.: CuttingEdge: influence minimization in networks. In: Proceedings of Workshop on Frontiers of Network Analysis: Methods, Models, and Applications at NIPS (2013)

    Google Scholar 

  12. Krause, A., Golovin, D.: Submodular function maximization. In: Tractability: Practical Approaches to Hard Problems, pp. 71–104. Cambridge University Press (2014)

    Google Scholar 

  13. Krause, A., Guestrin, C.: A Note on the Budgeted Maximization of Submodular Functions. Carnegie Mellon University, Center for Automated Learning and Discovery (2005)

    Google Scholar 

  14. Krause, A., Leskovec, J., Guestrin, C., VanBriesen, J., Faloutsos, C.: Efficient sensor placement optimization for securing large water distribution networks. J. Water Resour. Plann. Manage. 134(6), 516–526 (2008)

    Article  Google Scholar 

  15. Lee, R.: TRISIS malware: analysis of safety system targeted malware. Dragos Inc. (2017)

    Google Scholar 

  16. Lee, R., Assante, M., Conway, T.: Analysis of the cyber attack on the Ukrainian power grid. EISAC Technical report (2016)

    Google Scholar 

  17. Leskovec, J., Adamic, L.A., Huberman, B.A.: The dynamics of viral marketing. ACM Trans. Web (TWEB) 1(1), 5es (2007)

    Article  Google Scholar 

  18. Leskovec, J., Backstrom, L., Kleinberg, J.: Meme-tracking and the dynamics of the news cycle. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 497–506 (2009)

    Google Scholar 

  19. Leskovec, J., Krause, A., Guestrin, C., Faloutsos, C., VanBriesen, J., Glance, N.: Cost-effective outbreak detection in networks. In: Proceedings of the 13th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 420–429 (2007)

    Google Scholar 

  20. Ellen, N.: Russian military was behind NotPetya cyberattack in Ukraine, CIA concludes. The Washington Post, 12 Jan (2018)

    Google Scholar 

  21. Nemhauser, G.L., Wolsey, L.A., Fisher, M.L.: An analysis of approximations for maximizing submodular set functions–I. Math. Program. 14(1), 265–294 (1978)

    Article  MathSciNet  Google Scholar 

  22. Nguyen, H.H., Palani, K., Nicol, D.M.: An approach to incorporating uncertainty in network security analysis. In: Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp, pp. 74–84 (2017)

    Google Scholar 

  23. Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345 (2006)

    Google Scholar 

  24. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 273–284. IEEE (2002)

    Google Scholar 

  25. Summers, T.H., Cortesi, F.L., Lygeros, J.: On submodularity and controllability in complex dynamical networks. IEEE Trans. Control Netw. Syst. 3(1), 91–101 (2015)

    Article  MathSciNet  Google Scholar 

  26. Sviridenko, M.: A note on maximizing a submodular set function subject to a knapsack constraint. Oper. Res. Lett. 32(1), 41–43 (2004)

    Article  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Kartik Palani .

Editor information

Editors and Affiliations

A Proof of Theorem 1

A Proof of Theorem 1

Given an attack graph \(\mathcal {A} = (V,E,p)\) we need to show that for any set \(\pi \subseteq E\) and an edge \(e=(u,v) \in E \setminus \pi \)

$$\begin{aligned} \mathcal {R}(\mathcal {A}\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) \ge 0 \end{aligned}$$

This proof is very similar to the proof in [11] and only differs in our function of interest (attack loss function).

The space of attack scenarios \(\varOmega _{\mathcal {A} \setminus \pi }\), can be divided into three disjoint partitions based on the edge selected for node v. \(\varOmega _{\mathcal {A} \setminus \pi }^e\) (edge \(e = (u,v)\) is chosen), \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) (a different edge \(\overline{e} = (u^{'},v)\) is chosen) and \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) (no incoming edge is selected).

Now for, the space \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) we note that the space is a subset of \(\varOmega _{\mathcal {A} \setminus \pi }\) since any scenario graph in the former can be generated in the latter. Also, the only scenarios not present in the former are ones where the edge e is involved. Thus, \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) can be defined based on two partitions as: \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}} \cup \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\).

Using these disjoint partitions, we can write the difference as:

$$\begin{aligned} \mathcal {R}(\mathcal {A}&\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) \\&= \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^e} Pr[A|\mathcal {A}\setminus \pi ] L(A) \\&+ \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}} (Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)]) L(A) \\&+ \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }} (Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)]) L(A) \end{aligned}$$

For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) we have \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = 0\) since from Eq. 6 we have, \(p(v,A,\mathcal {A}\setminus \pi ) = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) = p(\overline{e})\). This is due to the fact that in this space, under both cases, edge \(\overline{e}\) is chosen for node v.

For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) we have:

$$\begin{aligned} Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = -p_e \prod _{v' \ne v} p(v',A,\mathcal {A}\setminus \pi ) \end{aligned}$$

This stems from the fact that we can rewrite the above difference in terms of the node v and all other nodes \(v'\ne v\) as \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = \prod _{v' \ne v} p(v',A,\mathcal {A} \setminus \pi ) \times [p(v,A,\mathcal {A}\setminus \pi ) - p(v,A,\mathcal {A}\setminus (\pi \cup \{e\}))]\).

As for the difference in probabilities when node v has no incoming edge we see that it goes to \(-p_e\) due to the fact that \(p(v,A,\mathcal {A}\setminus \pi ) = 1 - \sum _{x \in E \setminus \pi } p_x = 1 - \sum _{x \in E \setminus (\pi \cup \{e\})} p_x - p_e = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) -p_e\).

Now consider the following two facts:

  • Every graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has a corresponding graph \(A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) and vice versa where \(A' = A \cup \{e\}\) i.e. they differ only in the edge e.

  • A graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has probability \(Pr[A'|\mathcal {A}\setminus \pi ] = p_e \prod _{v' \ne v}p(v',A',\mathcal {A}\setminus \pi )\). Note that this is essentially Eq. 7 rewritten in terms of e.

Hence:

$$\begin{aligned} \mathcal {R}(\mathcal {A}\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) = \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }} Pr[A'|\mathcal {A}\setminus \pi ] [L(A') - L(A)] \end{aligned}$$

Since this is a non-negative sum and by Lemma 2 we know that \(L(A') - L(A) \ge 0\) we can see that the risk function is monotone decreasing in the policy \(\pi \)

   \(\blacksquare \)

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Palani, K., Nicol, D.M. (2020). Hardening Critical Infrastructure Networks Against Attacker Reconnaissance. In: Gribaudo, M., Jansen, D.N., Remke, A. (eds) Quantitative Evaluation of Systems. QEST 2020. Lecture Notes in Computer Science(), vol 12289. Springer, Cham. https://doi.org/10.1007/978-3-030-59854-9_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-59854-9_19

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59853-2

  • Online ISBN: 978-3-030-59854-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics