Abstract
In the context of insiders, preventive security measures have a high likelihood of failing because insiders ought to have sufficient privileges to perform their jobs. Instead, in this paper, we propose to treat the insider threat by a detective measure that holds an insider accountable in case of violations. However, to enable accountability, we need to create causal models that support reasoning about the causality of a violation. Current security models (e.g., attack trees) do not allow that. Still, they are a useful source for creating causal models. In this paper, we discuss the value added by causal models in the security context. Then, we capture the interaction between attack trees and causal models by proposing an automated approach to extract the latter from the former. Our approach considers insider-specific attack classes such as collusion attacks and causal-model-specific properties like preemption relations. We present an evaluation of the resulting causal models’ validity and effectiveness, in addition to the efficiency of the extraction process.
TUM partners were in part funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under grant no. PR1266/4-1, Conflict resolution and causal inference with integrated socio-technical models.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
ATCM is available at: https://github.com/amjadKhalifah/ATCM.
- 2.
Arsonists and Rock-Throwing are typical examples in the causality literature. We may consider setting a forest on fire as an attack on the forest, with lighting matches being a possible step of an attack. We may also consider shattering a bottle an attack on the bottle, with throwing a stone being a possible step of an attack. The point here is to show that our mechanism produces valid results also for well-known examples.
References
Althebyan, Q., Panda, B.: A knowledge-based Bayesian model for analyzing a system after an insider attack. In: Jajodia, S., Samarati, P., Cimato, S. (eds.) SEC 2008. ITIFIP, vol. 278, pp. 557–571. Springer, Boston, MA (2008). https://doi.org/10.1007/978-0-387-09699-5_36
Aslanyan, Z., Nielson, F.: Model checking exact cost for attack scenarios. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 210–231. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_10
Chen, B., Pearl, J.: Graphical tools for linear structural equation modeling. Tech. rep., DTIC Document (2014)
Chinchani, R., Iyer, A., Ngo, H.Q., Upadhyaya, S.: Towards a theory of insider threat assessment. In: Proceedings of International Conference on Dependable Systems and Networks, 2005, DSN 2005, pp. 108–117. IEEE (2005)
Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., Trujillo-Rasua, R.: Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In: Agha, G., Van Houdt, B. (eds.) QEST 2016. LNCS, vol. 9826, pp. 159–162. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43425-4_10
Halpern, J.Y.: A modification of the Halpern-pearl definition of causality. In: Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2015 (2015)
Halpern, J.Y.: Actual Causality. MIT Press, Cambridge (2016)
Horne, R., Mauw, S., Tiu, A.: Semantics for specialising attack trees based on linear logic. Fundamenta Informaticae 153(1–2), 57–86 (2017)
Hunker, J., Hutchinson, B., Margulies, J.: Role and challenges for sufficient cyber-attack attribution. Institute for Information Infrastructure Protection (2008)
Ibrahim, A., Kacianka, S., Pretschner, A., Hartsell, C., Karsai, G.: Practical causal models for cyber-physical systems. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2019. LNCS, vol. 11460, pp. 211–227. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20652-9_14
Ibrahim, A., Klesel, T., Zibaei, E., Kacianka, S., Pretschner, A.: Actual causality canvas: a general framework for explanation-based socio-technical constructs. In: ECAI 2020, the 24th European Conference on Artificial Intelligence. Frontiers in Artificial Intelligence and Applications. IOS Press (2020)
Ibrahim, A., Rehwald, S., Pretschner, A.: Efficient checking of actual causality with sat solving. Eng. Secur. Dependable Softw. Syst. 53, 241 (2019)
Institute, P.: 2015 cost of cyber crime study: global (2015)
Kacianka, S., Ibrahim, A., Pretschner, A., Trende, A., Lüdtke, A.: Extending causal models from machines into humans. Electron. Proc. Theor. Comput. Sci. 308, 17–31 (2019)
Ko, L.L., Divakaran, D.M., Liau, Y.S., Thing, V.L.: Insider threat detection and its future directions. Int. J. Secur. Netw. 12(3), 168–187 (2017)
Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack-defense trees. In: Quantitative Evaluation of Systems - 10th International Conference, QEST, pp. 173–176 (2013)
Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: Dag-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13, 1–38 (2014)
Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) FORMATS 2015. LNCS, vol. 9268, pp. 156–171. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22975-1_11
Kuntz, M., Leitner-Fischer, F., Leue, S.: From Probabilistic Counterexamples via Causality to Fault Trees. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24270-0_6
Lewis, D.: Counterfactuals and comparative possibility. J. Philos. Logic 2(4), 418–446 (1973). https://doi.org/10.1007/BF00262950
Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17
Nicholson, A., Janicke, H., Watson, T.: An initial investigation into attribution in SCADA systems. In: ICS-CSR (2013)
Pearl, J.: Causality. Cambridge University Press, Cambridge (2009)
Phyo, A., Furnell, S.: A detection-oriented classification of insider it misuse. In: Third Security Conference (2004)
Poolsapassit, N., Ray, I.: Investigating computer attacks using attack trees. In: Craiger, P., Shenoi, S. (eds.) DigitalForensics 2007. ITIFIP, vol. 242, pp. 331–343. Springer, New York (2007). https://doi.org/10.1007/978-0-387-73742-3_23
Qin, X., Lee, W.: Attack plan recognition and prediction using causal networks. In: 20th Annual Computer Security Applications Conference. IEEE (2004)
Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_14
Rehák, M., et al.: Runtime monitoring and dynamic reconfiguration for intrusion detection systems. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 61–80. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04342-0_4
Research, I.X.F.: 2016 cyber security intelligence index (2016)
Rowlingson, R.: A ten step process for forensic readiness. Int. J. Digit. Evid. 2(3), 1–28 (2004)
Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security. Advances in Information Security, vol. 39. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-77322-3_5
Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)
Shamsi, J.A., Zeadally, S., Sheikh, F., Flowers, A.: Attribution in cyberspace: techniques and legal implications. Secur. Commun. Netw. 9(15), 2886–2900 (2016)
Tan, J.: Forensic readiness. Cambridge, MA:@ Stake, pp. 1–23 (2001)
Tu, M., Xu, D., Butler, E., Schwartz, A.: Forensic evidence identification and modeling for attacks against a simulated online business information system. J. Digit. Forensic Secur. Law 7(4), 4 (2012)
Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J.: Information accountability. Commun. ACM 51(6), 82–87 (2008)
Wheeler, D.A., Larsen, G.N.: Techniques for cyber attack attribution. Tech. rep., Institute for Defense Analyses Alexandria VA (2003)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Ibrahim, A., Rehwald, S., Scemama, A., Andres, F., Pretschner, A. (2020). Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks. In: Eades III, H., Gadyatskaya, O. (eds) Graphical Models for Security. GraMSec 2020. Lecture Notes in Computer Science(), vol 12419. Springer, Cham. https://doi.org/10.1007/978-3-030-62230-5_1
Download citation
DOI: https://doi.org/10.1007/978-3-030-62230-5_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62229-9
Online ISBN: 978-3-030-62230-5
eBook Packages: Computer ScienceComputer Science (R0)