DOI: 10.1145/1529282.1529294
research-article

Multi-step attack modelling and simulation (MsAMS) framework based on mobile ambients

Published: 08 March 2009

Abstract

Attackers take advantage of any security breach to penetrate an organisation's perimeter and exploit hosts as stepping stones to reach valuable assets deeper in the network. The exploitation of hosts is possible not only when vulnerabilities in commercial off-the-shelf (COTS) software components are present, but also, for example, when an attacker acquires a credential on one host which allows exploiting further hosts on the network. Finding attacks involving the latter case requires the ability to represent dynamic models. In fact, more dynamic aspects are present in the network domain: attackers accumulate resources (i.e. credentials) along an attack, and users and assets may move from one environment to another, although always constrained by the rules of the network. In this paper we address these dynamic issues by presenting MsAMS (Multi-step Attack Modelling and Simulation), an implemented framework, based on Mobile Ambients, to discover attacks in networks. The idea of ambients fits naturally into this domain and has the advantage of providing flexibility for modelling. Additionally, the concept of mobility allows the simulation of attackers exploiting opportunities derived from the exploitation of vulnerable hosts or, through the acquisition of credentials, of non-vulnerable hosts. It also allows expressing security policies embedded in the rules of the ambients.

Published In

SAC '09: Proceedings of the 2009 ACM symposium on Applied Computing
March 2009
2347 pages
ISBN:9781605581668
DOI:10.1145/1529282
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. attack graph
  2. hypergraph
  3. network attack
  4. vulnerability assessment

Qualifiers

  • Research-article

Conference

SAC09
SAC09: The 2009 ACM Symposium on Applied Computing
March 8, 2009 - March 12, 2008
Hawaii, Honolulu

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Cited By

  • (2018) Cyber-physical simulation and optimal mitigation for shipping port operations. Proceedings of the 2018 Winter Simulation Conference, pp. 2747-2758. DOI: 10.5555/3320516.3320844. Online publication date: 9-Dec-2018
  • (2018) Automatic Generation of Attack Scripts from Attack Graphs. 2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 267-274. DOI: 10.1109/ICDIS.2018.00050. Online publication date: Apr-2018
  • (2018) A Review of Graph Approaches to Network Security Analytics. From Database to Cyber Security, pp. 300-323. DOI: 10.1007/978-3-030-04834-1_16. Online publication date: 30-Nov-2018
  • (2017) Malevolent Activity Detection with Hypergraph-Based Models. IEEE Transactions on Knowledge and Data Engineering, 29:5, pp. 1115-1128. DOI: 10.1109/TKDE.2017.2658621. Online publication date: 1-May-2017
  • (2017) Verifying attack graphs through simulation. 2017 Resilience Week (RWS), pp. 64-67. DOI: 10.1109/RWEEK.2017.8088649. Online publication date: Sep-2017
  • (2016) Selecting security control portfolios: a multi-objective simulation-optimization approach. EURO Journal on Decision Processes, 4:1-2, pp. 85-117. DOI: 10.1007/s40070-016-0055-7. Online publication date: Jun-2016
  • (2015) Integrating attacker behavior in IT security analysis. Information Technology and Management, 16:3, pp. 221-233. DOI: 10.1007/s10799-015-0232-6. Online publication date: 1-Sep-2015
  • (2014) Cost-Effectiveness of Security Measures. Approaches and Processes for Managing the Economics of Information Systems, pp. 139-156. DOI: 10.4018/978-1-4666-4983-5.ch009. Online publication date: 2014
  • (2013) Quantitative penetration testing with item response theory. 2013 9th International Conference on Information Assurance and Security (IAS), pp. 49-54. DOI: 10.1109/ISIAS.2013.6947732. Online publication date: Dec-2013
  • (2012) A move in the security measurement stalemate. Proceedings of the 2012 New Security Paradigms Workshop, pp. 1-14. DOI: 10.1145/2413296.2413298. Online publication date: 18-Sep-2012
