A Quantitative Security Risk Analysis Framework for Modelling and Analyzing Advanced Persistent Threats

  • Conference paper
Foundations and Practice of Security (FPS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12637))

Abstract

Advanced persistent threats (APTs) differ from other computer-based attacks in their target selection, attack techniques, and malicious motive. Unlike script kiddie attacks, they target critical systems to inflict maximum damage, for example by stalling critical industrial processes. The standard defense against APT attacks is to deploy security mechanisms typical of enterprise defense systems, such as firewalls and intrusion detection systems. However, given the nature and attack potential of APTs, one cannot rely on these mechanisms alone: they are susceptible to failure and false alarms, and they interfere with usability. Yet another problem is deciding which mechanisms to deploy, and at which points, to offer maximum coverage against attacks. We believe that, given the unique characteristics of APT attacks, one needs a robust and layered defense that protects against APTs through timely detection, prevention, mitigation, and emergency planning. One objective way to determine the efficacy of countermeasures is to model and simulate attack behaviour.

In this paper, we propose a two-layer framework for analyzing APT attacks. The top layer is the domain model of the Enhanced cyber kill chain, which we use to capture the attack phases, techniques, and processes. The bottom layer is the analytic layer: stochastic timed automata derived from the domain model. Key metrics are obtained using state-of-the-art statistical model-checking techniques. We argue that such a timed analysis can be used to improve the security posture by placing countermeasures at appropriate positions.
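As an added illustration (not code from the paper or its authors), the following Python sketch approximates the two-layer idea: kill-chain phases from a domain model, each with an exponentially distributed sojourn time and a per-phase chance that a countermeasure stops the attacker, are sampled Monte Carlo style to estimate the probability that an attack completes within a time horizon, and to compare which phase benefits most from a stronger control. The phase names, durations and probabilities are constructed, and plain sampling stands in for the paper's stochastic timed automata and statistical model checker.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase:  # one kill-chain phase of the domain model
    name: str
    mean_hours: float   # exponentially distributed sojourn time in this phase
    detect_prob: float  # chance a countermeasure stops the attacker during this phase

# Constructed sample model: hypothetical phases, durations and detection odds.
BASELINE = (
    Phase("reconnaissance", 48.0, 0.05),
    Phase("delivery", 12.0, 0.20),
    Phase("exploitation", 4.0, 0.15),
    Phase("installation", 6.0, 0.10),
    Phase("command_and_control", 24.0, 0.25),
    Phase("actions_on_objectives", 72.0, 0.10),
)

def simulate_run(phases, rng):
    """One sample path through the automaton: (reached objectives?, elapsed hours)."""
    elapsed = 0.0
    for ph in phases:
        elapsed += rng.expovariate(1.0 / ph.mean_hours)
        if rng.random() < ph.detect_prob:  # countermeasure fires; attack stops here
            return False, elapsed
    return True, elapsed

def estimate_success(phases, horizon_hours, runs=5000, seed=1):
    """Estimate P(attack completes within horizon) plus a 95% confidence half-width."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(runs):
        done, elapsed = simulate_run(phases, rng)
        hits += done and elapsed <= horizon_hours
    p = hits / runs
    return p, 1.96 * math.sqrt(p * (1.0 - p) / runs)

def with_countermeasure(phases, name, detect_prob, slowdown=1.0):
    """Model copy with a stronger control at `name`: higher detection, longer attacker dwell."""
    return tuple(Phase(p.name, p.mean_hours * slowdown, detect_prob) if p.name == name else p
                 for p in phases)

def rank_placements(phases, horizon_hours, detect_prob=0.6, slowdown=2.0, runs=5000):
    """Rank phases by how much hardening each one lowers the estimated success probability."""
    base, _ = estimate_success(phases, horizon_hours, runs)
    gains = {p.name: base - estimate_success(with_countermeasure(phases, p.name, detect_prob, slowdown),
                                              horizon_hours, runs)[0] for p in phases}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)
```

`rank_placements(BASELINE, 240.0)` returns the phases ordered by how much a hardened control there shrinks the chance of a completed attack within ten days, which is the kind of placement question the timed analysis is meant to answer.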

Correspondence to Rajesh Kumar .

© 2021 Springer Nature Switzerland AG

Cite this paper

Kumar, R., Singh, S., Kela, R. (2021). A Quantitative Security Risk Analysis Framework for Modelling and Analyzing Advanced Persistent Threats. In: Nicolescu, G., Tria, A., Fernandez, J.M., Marion, JY., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2020. Lecture Notes in Computer Science(), vol 12637. Springer, Cham. https://doi.org/10.1007/978-3-030-70881-8_3

  • DOI: https://doi.org/10.1007/978-3-030-70881-8_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-70880-1

  • Online ISBN: 978-3-030-70881-8
