Skip to main content
SpringerLink
Log in

Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks

  • Conference paper
  • First Online:
Graphical Models for Security (GraMSec 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12419))

Included in the following conference series:

  • 436 Accesses

Abstract

In the context of insiders, preventive security measures have a high likelihood of failing because insiders ought to have sufficient privileges to perform their jobs. Instead, in this paper, we propose to treat the insider threat by a detective measure that holds an insider accountable in case of violations. However, to enable accountability, we need to create causal models that support reasoning about the causality of a violation. Current security models (e.g., attack trees) do not allow that. Still, they are a useful source for creating causal models. In this paper, we discuss the value added by causal models in the security context. Then, we capture the interaction between attack trees and causal models by proposing an automated approach to extract the latter from the former. Our approach considers insider-specific attack classes such as collusion attacks and causal-model-specific properties like preemption relations. We present an evaluation of the resulting causal models’ validity and effectiveness, in addition to the efficiency of the extraction process.

TUM partners were in part funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under grant no. PR1266/4-1, Conflict resolution and causal inference with integrated socio-technical models.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    ATCM is available at: https://github.com/amjadKhalifah/ATCM.

  2. 2.

    Arsonists and Rock-Throwing are typical examples in the causality literature. We may consider setting a forest on fire as an attack on the forest, with lighting matches being a possible step of an attack. We may also consider shattering a bottle an attack on the bottle, with throwing a stone being a possible step of an attack. The point here is to show that our mechanism produces valid results also for well-known examples.

References

  1. Althebyan, Q., Panda, B.: A knowledge-based Bayesian model for analyzing a system after an insider attack. In: Jajodia, S., Samarati, P., Cimato, S. (eds.) SEC 2008. ITIFIP, vol. 278, pp. 557–571. Springer, Boston, MA (2008). https://doi.org/10.1007/978-0-387-09699-5_36

    Chapter  Google Scholar 

  2. Aslanyan, Z., Nielson, F.: Model checking exact cost for attack scenarios. In: Maffei, M., Ryan, M. (eds.) POST 2017. LNCS, vol. 10204, pp. 210–231. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54455-6_10

    Chapter  Google Scholar 

  3. Chen, B., Pearl, J.: Graphical tools for linear structural equation modeling. Tech. rep., DTIC Document (2014)

    Google Scholar 

  4. Chinchani, R., Iyer, A., Ngo, H.Q., Upadhyaya, S.: Towards a theory of insider threat assessment. In: Proceedings of International Conference on Dependable Systems and Networks, 2005, DSN 2005, pp. 108–117. IEEE (2005)

    Google Scholar 

  5. Gadyatskaya, O., Jhawar, R., Kordy, P., Lounis, K., Mauw, S., Trujillo-Rasua, R.: Attack trees for practical security assessment: ranking of attack scenarios with ADTool 2.0. In: Agha, G., Van Houdt, B. (eds.) QEST 2016. LNCS, vol. 9826, pp. 159–162. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-43425-4_10

    Chapter  Google Scholar 

  6. Halpern, J.Y.: A modification of the Halpern-pearl definition of causality. In: Proceedings of the Twenty-Fourth International Joint Conference on Artificial Intelligence, IJCAI 2015 (2015)

    Google Scholar 

  7. Halpern, J.Y.: Actual Causality. MIT Press, Cambridge (2016)

    Book  Google Scholar 

  8. Horne, R., Mauw, S., Tiu, A.: Semantics for specialising attack trees based on linear logic. Fundamenta Informaticae 153(1–2), 57–86 (2017)

    Article  MathSciNet  Google Scholar 

  9. Hunker, J., Hutchinson, B., Margulies, J.: Role and challenges for sufficient cyber-attack attribution. Institute for Information Infrastructure Protection (2008)

    Google Scholar 

  10. Ibrahim, A., Kacianka, S., Pretschner, A., Hartsell, C., Karsai, G.: Practical causal models for cyber-physical systems. In: Badger, J.M., Rozier, K.Y. (eds.) NFM 2019. LNCS, vol. 11460, pp. 211–227. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-20652-9_14

    Chapter  Google Scholar 

  11. Ibrahim, A., Klesel, T., Zibaei, E., Kacianka, S., Pretschner, A.: Actual causality canvas: a general framework for explanation-based socio-technical constructs. In: ECAI 2020, the 24th European Conference on Artificial Intelligence. Frontiers in Artificial Intelligence and Applications. IOS Press (2020)

    Google Scholar 

  12. Ibrahim, A., Rehwald, S., Pretschner, A.: Efficient checking of actual causality with sat solving. Eng. Secur. Dependable Softw. Syst. 53, 241 (2019)

    Google Scholar 

  13. Institute, P.: 2015 cost of cyber crime study: global (2015)

    Google Scholar 

  14. Kacianka, S., Ibrahim, A., Pretschner, A., Trende, A., Lüdtke, A.: Extending causal models from machines into humans. Electron. Proc. Theor. Comput. Sci. 308, 17–31 (2019)

    Article  Google Scholar 

  15. Ko, L.L., Divakaran, D.M., Liau, Y.S., Thing, V.L.: Insider threat detection and its future directions. Int. J. Secur. Netw. 12(3), 168–187 (2017)

    Article  Google Scholar 

  16. Kordy, B., Kordy, P., Mauw, S., Schweitzer, P.: ADTool: security analysis with attack-defense trees. In: Quantitative Evaluation of Systems - 10th International Conference, QEST, pp. 173–176 (2013)

    Google Scholar 

  17. Kordy, B., Piètre-Cambacédès, L., Schweitzer, P.: Dag-based attack and defense modeling: don’t miss the forest for the attack trees. Comput. Sci. Rev. 13, 1–38 (2014)

    Article  Google Scholar 

  18. Kumar, R., Ruijters, E., Stoelinga, M.: Quantitative attack tree analysis via priced timed automata. In: Sankaranarayanan, S., Vicario, E. (eds.) FORMATS 2015. LNCS, vol. 9268, pp. 156–171. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22975-1_11

    Chapter  MATH  Google Scholar 

  19. Kuntz, M., Leitner-Fischer, F., Leue, S.: From Probabilistic Counterexamples via Causality to Fault Trees. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24270-0_6

    Book  Google Scholar 

  20. Lewis, D.: Counterfactuals and comparative possibility. J. Philos. Logic 2(4), 418–446 (1973). https://doi.org/10.1007/BF00262950

    Article  MathSciNet  MATH  Google Scholar 

  21. Mauw, S., Oostdijk, M.: Foundations of attack trees. In: Won, D.H., Kim, S. (eds.) ICISC 2005. LNCS, vol. 3935, pp. 186–198. Springer, Heidelberg (2006). https://doi.org/10.1007/11734727_17

    Chapter  Google Scholar 

  22. Nicholson, A., Janicke, H., Watson, T.: An initial investigation into attribution in SCADA systems. In: ICS-CSR (2013)

    Google Scholar 

  23. Pearl, J.: Causality. Cambridge University Press, Cambridge (2009)

    Book  Google Scholar 

  24. Phyo, A., Furnell, S.: A detection-oriented classification of insider it misuse. In: Third Security Conference (2004)

    Google Scholar 

  25. Poolsapassit, N., Ray, I.: Investigating computer attacks using attack trees. In: Craiger, P., Shenoi, S. (eds.) DigitalForensics 2007. ITIFIP, vol. 242, pp. 331–343. Springer, New York (2007). https://doi.org/10.1007/978-0-387-73742-3_23

    Chapter  Google Scholar 

  26. Qin, X., Lee, W.: Attack plan recognition and prediction using causal networks. In: 20th Annual Computer Security Applications Conference. IEEE (2004)

    Google Scholar 

  27. Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_14

    Chapter  Google Scholar 

  28. Rehák, M., et al.: Runtime monitoring and dynamic reconfiguration for intrusion detection systems. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 61–80. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04342-0_4

    Chapter  Google Scholar 

  29. Research, I.X.F.: 2016 cyber security intelligence index (2016)

    Google Scholar 

  30. Rowlingson, R.: A ten step process for forensic readiness. Int. J. Digit. Evid. 2(3), 1–28 (2004)

    Google Scholar 

  31. Salem, M.B., Hershkop, S., Stolfo, S.J.: A survey of insider attack detection research. In: Stolfo, S.J., Bellovin, S.M., Keromytis, A.D., Hershkop, S., Smith, S.W., Sinclair, S. (eds.) Insider Attack and Cyber Security. Advances in Information Security, vol. 39. Springer, Boston (2008). https://doi.org/10.1007/978-0-387-77322-3_5

  32. Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)

    Google Scholar 

  33. Shamsi, J.A., Zeadally, S., Sheikh, F., Flowers, A.: Attribution in cyberspace: techniques and legal implications. Secur. Commun. Netw. 9(15), 2886–2900 (2016)

    Article  Google Scholar 

  34. Tan, J.: Forensic readiness. Cambridge, MA:@ Stake, pp. 1–23 (2001)

    Google Scholar 

  35. Tu, M., Xu, D., Butler, E., Schwartz, A.: Forensic evidence identification and modeling for attacks against a simulated online business information system. J. Digit. Forensic Secur. Law 7(4), 4 (2012)

    Google Scholar 

  36. Weitzner, D.J., Abelson, H., Berners-Lee, T., Feigenbaum, J., Hendler, J., Sussman, G.J.: Information accountability. Commun. ACM 51(6), 82–87 (2008)

    Article  Google Scholar 

  37. Wheeler, D.A., Larsen, G.N.: Techniques for cyber attack attribution. Tech. rep., Institute for Defense Analyses Alexandria VA (2003)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Informatics, Technical University (TUM) of Munich, Garching b. Munich, Germany

    Amjad Ibrahim, Simon Rehwald, Florian Andres & Alexander Pretschner

  2. Brainloop AG, Munich, Germany

    Antoine Scemama

Authors
  1. Amjad Ibrahim
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Simon Rehwald
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Antoine Scemama
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Florian Andres
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Alexander Pretschner
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Amjad Ibrahim .

Editor information

Editors and Affiliations

  1. Augusta University, Augusta, GA, USA

    Harley Eades III

  2. Leiden University, Leiden, The Netherlands

    Olga Gadyatskaya

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ibrahim, A., Rehwald, S., Scemama, A., Andres, F., Pretschner, A. (2020). Causal Model Extraction from Attack Trees to Attribute Malicious Insider Attacks. In: Eades III, H., Gadyatskaya, O. (eds) Graphical Models for Security. GraMSec 2020. Lecture Notes in Computer Science(), vol 12419. Springer, Cham. https://doi.org/10.1007/978-3-030-62230-5_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-62230-5_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62229-9

  • Online ISBN: 978-3-030-62230-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation