Physical Security and Vulnerability Modeling for Infrastructure Facilities

Transcription

1 Proceedngs of the 39th Hawa Internatonal Conference on System Scences Physcal Securty and Vulnerablty Modelng for Infrastructure Facltes Dean A. Jones Chad E. Davs Sanda Natonal Laboratores Albuquerque, NM dajones@sanda.gov cedavs@sanda.gov Mark A. Turnqust Lnda K. Nozck Cornell Unversty Ithaca, NY mat14@cornell.edu lkn3@cornell.edu Abstract A model of malcous ntrusons n nfrastructure facltes s developed, usng a network representaton of the system structure together wth Markov models of ntruder progress and strategy. Ths structure provdes an explct mechansm to estmate the probablty of successful breaches of physcal securty, and to evaluate potental mprovements. An example of an ntruder attemptng to place an explosve devce on an arplane at an arport gate llustrates the structure and potental applcaton of the model. 1. Introducton There s wdespread nterest n protecton of crtcal nfrastructures from malcous attack. The attacks mght be ether physcal ntrusons (e.g., to steal vtal materal, plant a bomb, etc.) or cyber ntrusons (e.g., to dsrupt nformaton systems, steal data, etc.). The attackers may be nternatonal terrorsts, home-grown hackers, or ordnary crmnals. In 1997, the report of the U.S. Presdent s Commsson on Crtcal Infrastructure Protecton dentfed eght crtcal nfrastructures whose ncapacty or destructon would have a debltatng mpact on our defense and economc securty [11]. In subsequent years, ths lst of crtcal nfrastructures was expanded and a set of 13 crtcal nfrastructure sectors are ncluded n the Natonal Strategy for Homeland Securty [3]. These 13 are: agrculture, food processng, water, publc health, government, emergency servces, bankng and fnance, telecommuncatons, energy, transportaton, the chemcal ndustry, postal and shppng servces, and the defense ndustral base. In ths analyss, we focus prmarly on transportaton facltes, but the approach we suggest could also be used n other nfrastructure contexts. For example, a smlar type of analyss has been appled to nformaton systems [2]. The objectve of the analyss presented here s to provde gudance to system owners and operators regardng effectve ways to reduce vulnerabltes of specfc facltes. To accomplsh ths, we develop a Markov Decson Process (MDP) model of how an ntruder mght try to penetrate the varous barrers desgned to protect the faclty. Ths ntruder model provdes the bass for consderaton of possble strateges to reduce the probablty of a successful attack on the faclty. We represent the system of nterest as a network of nodes and arcs. Nodes represent barrers that an ntruder must penetrate, and arcs represent movements between barrers that an ntruder can make wthn the system. The adversares frst must penetrate entry ponts to the system, and f an attempted penetraton at a partcular entry node s successful, they can traverse edges from the successfully breached node to other nodes n the network that are connected to the one breached. Traversng an edge entals a rsk of detecton. The adversary s assumed to make the decson that maxmzes the probablty of successful attack. Several prevous authors have used graph-based methods to represent attackers or defenders n securty analyses. Phllps and Swler [10] ntroduced the concept of an attack graph to represent sets of system states and paths for an attacker to pursue an objectve n dsruptng an nformaton system. Several subsequent papers (e.g., [4], [13], [15]) have extended these ntal deas. A number of authors have used Markov models /06/$20.00 (C) 2006 IEEE 1

2 Proceedngs of the 39th Hawa Internatonal Conference on System Scences to represent uncertantes n system state n the face of attacks, especally n computer systems (e.g., [4], [7], [13], [14]). In partcular, Hdden Markov Models (HMM) focus on ntruder detecton usng ndcators that ndrectly reflect potental attacker actvtes (see, for example, [8], [14], [16]). Jha et al. [4] ntroduced the dea of usng Markov Decson Processes (MDP) for stuatons n whch the ntruder s path s probablstc. By nterpretng attack graphs as Markov Decson Processes they computed a probablty of ntruder success for each attack represented by the graph. In the current work, we also use the dea of computng the probablty of a successful attack by characterzng the problem as an MDP. However, our graph structure s dfferent from the normal attack graph structure used n nformaton systems, and thus the underlyng network over whch the MDP s formulated s dfferent from that used n [4]. Our prmary attenton s on a class of adversares that s ratonal and well nformed. By ratonal, we mean that the adversares follow a strategy that maxmzes the probablty of ther attack beng successful. By well nformed, we mean that the adversares know the probabltes of detecton, success, etc. at varous stages of the attack, so they can effectvely optmze ther attacks. Our focus on well-nformed adversares s useful because t leads to an estmate of the probablty of successful ntruson that s lkely to be an upper bound on the actual value. Ths, n turn, leads us to be conservatve n estmatng how well-protected the system s. Less well-nformed ntruders mght also be successful, but ther probabltes of success wll be smaller. Further exploraton of the lkely strateges of less nformed ntruders s, however, an mportant area for addtonal work. We frst construct an HMM to represent an ntruder s actons at a sngle node (barrer) n a system. Then we develop an aggregated representaton of that sngle-node model for ncluson n an MDP model of ntruder strategy wthn a network representaton of the entre system. 2. Intruson attempts at a node An attempt to penetrate a system barrer (node) and the nteracton between the ntruder and the ntrusondetecton system s modeled usng a Hdden Markov Model (HMM). The general concept of such a model s represented n Fgure 1. The ntruder s actons (the lower porton of the dagram) are assumed to progress through a set of states as a Markov process. The dagram n Fgure 1 shows a smplfed representaton n whch transtons are only to sequental states, but the transton matrx used can be more general. Occupancy of varous states may result n emanatons that are observable by the system operator (represented by the sgnals n Fgure 1). For example, the ntruder may be attemptng to pck the lock of a door where there s vdeo survellance. Pckng the lock requres an uncertan amount of tme, represented by transton through a seres of Markov states. Whle the ntruder occupes those states (.e., durng the tme that the ntruder s attemptng to pck the lock), there s a probablty that hs/her presence wll be detected by the vdeo survellance system. The general structure of the HMM allows consderable flexblty n defnng varous types of sgnals and resultng actons by the system operator. For example, some sgnals may cause an ncreased level of survellance wthout an alarm beng rased. For our current purposes, we use a straghtforward defnton that a recognzed sgnal from any state consttutes detecton and the end of the attempted ntruson. If the ntruder reaches a breach state wthout beng detected, we say that the node (barrer) has been breached, and no further emanatons wll cause the system to detect the ntruder at that node. We also nclude a retreat state that corresponds to an unsuccessful, but undetected, attempt to penetrate the barrer. In that outcome, the ntruder can wthdraw wthout rasng an alarm. Sgnals a b c Intruder States k Breach Retreat Fgure 1. A hdden Markov model characterzng an attack at a system node. We use a dscrete-tme, dscrete-state HMM characterzed by the followng equatons: X = A X T n+1 n (1) Y n = BX n (2) for transton steps n = 1, 2,,. The state of the system (.e., presence of the ntruder n some node n 2

3 Proceedngs of the 39th Hawa Internatonal Conference on System Scences the lower porton of Fgure 1) s represented by the (column) probablty vector, X. The dynamcs of the system are governed by (1), where A s a transton matrx (.e., t satsfes the propertes aj 0 and j a j 1.) The states of the system are not observed drectly. The process Y s observed, whch s a functon of the state of the underlyng Markov process, X. Each column of B specfes a condtonal probablty dstrbuton over the possble observatons, gven that the underlyng (hdden) system s n a partcular state. The estmated values for B n a gven applcaton should reflect any efforts that mght be taken by an ntruder to reduce the lkelhood of detecton (e.g., attemptng to defeat sensors, create dversons, etc.). For our purposes, we assume that A and B are known (or have been estmated). We want to use the estmated HMMs at varous nodes as the bass for a network-level model of ntruder strategy. In large networks, t s useful to abstract the HMM at node v to a smpler representaton, as shown n Fgure 2. An ntruder enters an Attempt state for that barrer (node). The ntruder contnues to occupy that state untl the attempted penetraton s detected (and an alarm s rased), the penetraton s successful and the barrer s breached, or the ntruder retreats. penetraton n the orgnal HMM. In the nterests of space, the detals are not gven here, but they are provded n [5]. The value of the aggregated representaton s that t allows us to construct a Markov Decson Process (MDP) of the ntruder s strategy at the system level, wthout carryng along all the detal of states wthn each node. Ths s the focus of the followng secton. 3. Expandng to the system level At the system level, we represent a network of barrers and potental movements as shown n the smple example n Fgure 3. Each node can be expanded usng a representaton lke the one n Fgure 2. If the ntruder s successful at breachng a partcular barrer, he/she has choces about where to go next (whch arc to cross). Crossng arc j entals a probablty of detecton j, and ths s represented n the transton matrx. Fgure 3. Smple system-level network. Fgure 2. Aggregated abstracton of the HMM at a node. To make the abstracton n Fgure 2 useful, we must be able to derve the transton probabltes p, s, d and r from the underlyng A and B matrces of the HMM. The transton probabltes s, d and r are specfed so that the probabltes of detecton, successful breach and retreat match those from the orgnal HMM. The transton probablty p s specfed so the expected length of resdence n the attempt state matches the duraton of the attempted We can pose the problem of fndng the ntruder s optmal strategy as an MDP over an nfnte horzon. We defne the expected reward to the ntruder as a value assocated wth reachng the success state of a goal node (such as node 8 n the example n Fgure 3), whch represents an undetected ext from the system after accomplshng a desred acton (such as placng a bomb, etc.). If we defne ths reward value as 1, then the expected rewards calculated at all earler nodes n the network can be nterpreted as probabltes of success, gven that the ntruder has reached that node. We assume that the objectve of the ntruder s to maxmze hs/her expected reward (probablty of successful attack), and we examne the problem of fndng the optmal strategy for ths objectve. Solvng ths problem postons us to adopt the perspectve of the system operator and consder the actons that can have the largest mpact on reducng the probablty of successful ntrusons. 3

4 Proceedngs of the 39th Hawa Internatonal Conference on System Scences If the ntruder s n state and chooses acton a, we denote the expected value of the future stream of rewards by w(,a ). Each possble acton a mples a change n the transton probabltes that govern the process. We denote the elements of the transton matrx resultng from choosng acton a as P j (a ). The MDP we defne for ths problem s postve bounded, and we can fnd the optmal polcy through ether polcy teraton or lnear programmng. From a computatonal standpont, polcy teraton s generally preferable to lnear programmng for fndng solutons, but the lnear programmng formulaton can yeld nsghts that are sgnfcant for our current purposes. Puterman [12] descrbes the lnear programmng formulaton for postve bounded expected total reward models. The formulaton seeks the decson polcy (choce of a ) that maxmzes the expected value of the reward stream, w(,a ). We denote the resultng optmal expected value as w*(). As [12] descrbes n detal, the set of w*() s the smallest set of values of w() for whch the followng nequaltes hold for all states, : w ( ) R ( a ) + Pj ( a ) w( j) (3) j where R ( a ) s the mmedate reward for selectng acton a when the system state s. In our applcaton, R ( a ) = 0 for all states other than the goal state, g, and R ( a g g ) = 1 for the dummy acton, a g, after achevng the goal state. If we then ntroduce an arbtrary set of postve scalars, β, wth the requrement that β = 1, the lnear program can be wrtten as follows: subject to: mn β w ( ) (4) x( a) Pj( a) x( a) β (8) a j a x ( a ) 0, a (9) In our case, because all but one of the R ( a ) values are zero, the dual objectve functon can be smplfed to: max x ( a ) (7 ) g g The prmal lnear program has many more constrants than varables, so t s more effectve to solve the dual problem. In addton, t can be shown (see [12]) that n an optmal soluton to the dual problem (7) (9), there s no more than one non-zero x (a ) for each state. The a for whch x (a ) s non-zero ndcates the optmal acton a for each. The shadow prces on * the dual constrants (8) are the values of w*(), ndcatng the probablty of successful attack, gven that the ntruder has reached state. 4. An llustratve applcaton As an example of system-level analyss for a specfc nfrastructure faclty, consder an ntruder who s attemptng to place an explosve devce aboard an arcraft whle t s sttng at an arport gate, wth the ntent that t wll explode later after the arcraft s n flght. A smplfed representaton of the barrer network and possble ntruder actons s shown n Fgure 4 (the network structure s the same as n Fgure 3, but the nodes and lnks have now been labeled as specfc barrers and movements). w ( ) P ( a ) w( j) R ( a ), a (5) j j w( ) 0 (6) Ths lnear program has a dual that can be expressed as follows: subject to: max R( a) x( a) (7) a 4

5 Proceedngs of the 39th Hawa Internatonal Conference on System Scences Fgure 4. Illustratve network for analyzng an attempted placement of an explosve devce on an arcraft. The ntruder must frst gan access to the apron area of the termnal. We postulate that ths can occur ether by ganng llct access through the employee gate (e.g., by stealng an employee ID and usng t to enter the area), or by enterng n a servce vehcle at a gate (e.g., n a caterng truck). If the ntruder s successful n gettng access to the area, he/she must then mpersonate a legtmate worker n the arcraft gate area ether an arlne employee or a servce contractor. The cross-over arcs between entry and mpersonaton n Fgure 4 ndcate that even f the ntruder gans access to the apron area usng an employee ID, he/she may swtch ID s and mpersonate a servce contractor wthn the area (or vce versa). Ths mpersonaton must be successful for the perod of tme requred to get from the entrance to the arcraft tself. Approachng the arcraft carres a rsk of detecton, and the approachable areas on the arcraft f the ntruder s mpersonatng an employee may be dfferent from those that are approachable f he/she s mpersonatng a servce contractor. For example, a person who appears to be an arlne mantenance employee mght not attract attenton approachng the under-wng area around the landng gear, whereas a person who appears to be a caterng contractor would. For purposes of ths example, we consder n Fgure 4 three areas of the arcraft where an explosve devce mght be hdden nsde the wng around the landng gear, n the cargo hold, or n the caterng supples delvered to the galley. If access to the arcraft s ganed, the devce must be placed wthout arousng suspcon. Ths s represented by the arcs connectng the arcraft area nodes to the ext node. Each of these arcs has a probablty of detecton. Fnally, f the ntruder succeeds n ganng access to the arcraft and placng the devce, he/she must ext wthout detecton, and ths represents the last barrer. Our modelng premse s that f the ntruder s detected after placng the devce, t wll trgger a thorough search of the arcraft and the devce wll be dscovered, so that the attempted attack wll be foled. Table 1 summarzes the node data used for the example analyss, and Table 2 shows the probabltes of detecton used for the arcs n the example network. These data are all nputs to the analyss and the values shown n Tables 1 and 2 are strctly hypothetcal. In practce, these nput values would lkely be a mxture of estmates based on testng specfc elements of the system and subjectve estmates (.e., expert judgment). Table 1. Example data for network nodes. Node (see Fgure 4) Expected Tme for Attempted Breach (mn) Prob. of Success Prob. of Detecton Prob. of Retreat Employee Gate Servce Vehcle Impersonate Employee Impersonate Contractor Landng Gear Cargo Hold Galley Undetected Ext Table 2. Probablty of detecton for possble moves. Arc Prob. of Detecton Empl. Gate Impersonate Employee 0 Empl. Gate Impersonate Contractor 0 Servce Vehcle Impersonate Empl. 0 Servce Vehcle Impersonate Contr. 0 Impersonate Empl. Landng Gear 0.3 Impersonate Empl. Cargo Hold 0.2 Impersonate Contr. Cargo Hold 0.5 Impersonate Contr. Galley 0.1 Landng Gear Ext 0.4 Cargo Hold Ext 0.2 Galley Ext 0.3 5

6 Proceedngs of the 39th Hawa Internatonal Conference on System Scences In the example data, we assume there s no retreat at the stage of extng after placng the devce at that stage ether the attack s successful or t s detected. Also note that the probablty of detecton on the arcs leadng to the mpersonaton nodes s zero. Ths s because we are treatng mpersonaton process (and tme) as a barrer (node), so the probablty of detecton s lumped at the nodes, rather than on the arcs. For ths set of nput data, the soluton for the optmal ntruder strategy can be summarzed as shown n Fgure 5. To the left of each node s the probablty of successful attack, gven that the ntruder s arrvng at that barrer. To the rght of each node s the probablty of success, gven that the ntruder has successfully negotated that barrer. There s only one value shown for the ext node (.e., the approachng probablty), because once that node s successfully negotated, the attack has been a success, by defnton. Fgure 5. Summary of ntruder strategy and probablty of success. The dashed lne ndcates the optmal path for an ntruder (.e., the path that maxmzes the probablty of success). Ths s the path of greatest vulnerablty to the system. In our smple example, we would compute a probablty of successful attack of 0.11 for an ntruder whose strategy s to gan entry to the apron area through the employee gate, then swtch ID s and mpersonate a contractor (probably a caterng servce worker) to access the arcraft galley and place the devce there before extng. The exstence of ths strategy does not mean that all ntruders wll always proceed n exactly the way ndcated. It does mean that f all ntruders were ratonal and well nformed (n the sense descrbed at the begnnng of the paper), ths would be a strategy through whch they could maxmze the probablty of a successful attack. The actual probablty of successful attack s lkely to be less than ths maxmum value because ntruders wll have less-thancomplete nformaton and may not optmze ther strategy. The soluton to the MDP model also provdes useful nformaton on the condtonal probablty of success for an attacker that reaches a certan pont n the network, regardless of whether or not he/she followed the optmal strategy. For example, f an ntruder succeeds n reachng the cargo hold of the arcraft (despte the fact that ths s not an optmal strategy), the probablty of a successful attack from that pont on s Ths nformaton can be extended to represent a vulnerablty tree as shown n Fgure 6. Ths tree ndcates the optmal strategy for contnung an attack by an ntruder who reaches a gven node, regardless of how he/she arrved there. Ths nformaton adds value to system securty studes over and above the dentfcaton of the sngle most vulnerable path for a system ntruder. Havng establshed a base-case vulnerablty assessment for the system, we can proceed to a seres of what f analyses to examne the mpact of potental changes to mprove securty. For example, what f an attempt were made to reduce the lkelhood of successful attack along the most vulnerable path by more carefully checkng contractors movng n the arcraft gate area and delverng food to the galley? We wll represent ths change n operatonal polcy by ncreasng the probablty of detecton of someone mpersonatng a contractor movng n the gate area to 0.5 (and correspondngly decreasng the probablty of successful mpersonaton to 0.4). We wll represent the effect of ncreasng the vglance on contractors enterng the galley area of the arcraft by ncreasng the probablty of detecton on that access arc to 0.3. Fgure 6. Vulnerablty tree. Fgure 7 summarzes the results of those changes. The well-nformed ntruder adapts by changng 6

7 Proceedngs of the 39th Hawa Internatonal Conference on System Scences hs/her strategy, and now mpersonates an arlne employee, makng an attempt to place the explosve devce n the cargo hold of the arcraft rather than n the galley. The overall probablty of success has declned, but only margnally, to Of course, the change mght have somewhat greater short-term effectveness (.e., before the potental ntruder can learn of t and change strategy), but t s unlkely to produce very sgnfcant mprovements n securty over a longer perod. arcs n the cut set shown n Fgure 8. The resultng soluton for ntruder strategy s shown n Fgure 9. The optmal ntruder strategy has shfted from the galley to the cargo hold n response to ths change, and the overall probablty of successful attack has decreased to 0.075, a 32% decrease from the orgnal value of Fgure 7. Revsed ntruder strategy after ncreases n montorng levels for contractors. One strategy for achevng greater long-term mprovement n securty s to focus on cut sets n the ntruson network. Ths dea s llustrated n Fgure 8, whch shows a cut set constructed across the arcs representng access to the arcraft. If smultaneous mprovements n detecton rates for ntruders are made n all arcs of the cut set, t s more dffcult for the ntruder to change strategy to avod the hghersecurty paths because all paths must cross the cut set. Fgure 8. Illustraton of cut set. As an example, suppose that nstead of focusng just on contractors, as n our frst experment, the probablty of detecton were ncreased to 0.6 on all Fgure 9. Intruder strategy and probablty of success after ncreasng detecton probablty on cut set arcs to 0.6. The model structure developed here can also be used to answer a varety of other questons. For example, suppose we were to focus our attenton on the cut set n Fgure 8. We have seen that an ncrease n the detecton probablty on those arcs to 0.6 results n a notceable reducton n overall success probablty for the ntruder. How hgh would the detecton probablty on those cut set arcs have to be n order to reduce the overall ntruson success probablty to 0.01? We can determne that the requred detecton probablty s We can also use the model to examne combnatons of strateges. For example, suppose we thought t would be feasble to ncrease the detecton rate on the arcraft access arcs to 0.9, but not to If 0.9 were acheved on those arcs, how much better would the detecton probablty have to be at the mpersonaton nodes precedng those arcs n order to acheve an overall success probablty of no more than 0.01? We can do a quck search wth the model and determne that the answer to ths queston s That s, we would have to be able to mantan a 68% chance of detecton of mpersonators (of both employees and contractors), along wth a 90% chance of detecton of ntruders approachng an arcraft, n order to reduce the probablty of a successful attack to

8 Proceedngs of the 39th Hawa Internatonal Conference on System Scences Optmzng resource allocaton for securty mprovement The llustratve analyss n Secton 4 leads us to an obvous queston: If t were possble to estmate a cost functon for changes wthn the network that would reduce the lkelhood of a successful ntruson, could we dentfy the most effectve (.e., mnmum cost) way of achevng a desred (small) probablty of successful ntruson? Ths queston can be answered usng a b-level optmzaton formulaton. At the upper level we have an optmzaton that determnes changes at nodes and arcs n the network so as to mnmze cost, subject to a constrant that the resultng probablty of successful attack s no greater than a specfed value. However, the probablty of successful attack s determned as the soluton to a lower level optmzaton (optmzng the ntruder s strategy, gven the characterstcs of the network he/she s facng). To be more specfc about ths optmzaton, consder agan the model of the ntruder s strategy expressed n equatons (4)-(6). There are at least fve ways that the system operator (or defender ) can act to reduce the lkelhood that the ntruder wll be successful: Increase the probablty of detecton at barrer (node) ; ths mght be accomplshed ether by ncreasng the senstvty of the detecton process, or by ncreasng the tme requred to penetrate the barrer, allowng the exstng detecton mechansms more tme to be effectve. Increase the probablty of detecton on movement arcs j between nodes. Add new barrers that must be negotated; ths s represented by a new node n the network, wth reconnecton of exstng arcs to force some (or all) ntruders paths to go through the new node. Remove exstng arcs n the network; ths represents some addtonal constrants (ether physcal or vrtual) on movement wthn the system. Reduce the level of nformaton that potental ntruders have about the system structure and detecton probabltes, creatng addtonal uncertanty for the ntruders, and perhaps some level of dsnformaton that would lead them to make poor choces n ther attack strategy. From the standpont of the model we have defned, the thrd and fourth strateges lsted can be consdered to be specal (extreme) cases of the frst two strateges (for more detaled dscusson of ths, see [5]). The ffth strategy s qute dfferent from the frst two, and needs to be analyzed n a separate way. Ths s descrbed further n the followng secton as an extenson of the work n the current paper. For our current analyss, we wll focus on the frst two strateges for reducng the vulnerablty of the system (mplctly ncludng the thrd and fourth as well). Suppose that the ntal detecton probablty at node s denoted d 0, and the ncrease n that probablty s denoted Δ, so that the actual detecton probablty n effect s d = d 0 + Δ. Smlarly, we wll assume that the ntal detecton probablty on arc j s δ 0, and the ncrease n that j probablty s γ j, so the actual detecton probablty n effect s δ j = δ 0 j + γ. j Increases n the detecton probabltes are assumed to requre expendtures C ( Δ ) and K j ( γ j ). In the current formulaton, the cost functons are separable by node and arc, but a more general cost functon could be used wthout changng the structure of the b-level optmzaton formulaton. We wll use E to denote the set of entry nodes to the system network, and then express the upper level problem as follows: subject to: Mn C ( Δ ) + Kj ( γ j ) (10) j * * w ( ) W E (11) d = d 0 + Δ (12) 0 δ = δ + γ j (13) j j j Δ 0 (14) γ j 0 j (15) In (11), the w * ( ) values are the optmal soluton to the lower level problem, specfed as follows: 8

9 Proceedngs of the 39th Hawa Internatonal Conference on System Scences subject to: j j mn β w ( ) (16) j w ( ) P ( a d, δ ) w( j) 0 g, a 17) w( g) P ( a d, δ ) w( j) 1 a (18) j gj g g gj w( ) 0 (19) In (17) and (18), the transton matrx s wrtten as Pj ( a d, δ j ) to reflect the fact that t depends on the values of d and δ determned n the upper problem. j The lower problem n (16)-(19) s the same problem as n (4)-(6), but s re-wrtten to reflect the specfc knowledge of R ( a ) values that relevant to ths problem, and to emphasze ts connecton to the upper problem n (10)-(15). A soluton procedure for ths b-level optmzaton searches over possble values of Δ andγ j, and for each set of values, solves the lower problem to fnd w * ( ) (after translatng the d and δ values nto a new j transton matrx Pj ( a d, δ j ) ). A general ssue (whch s endemc to b-level models) s that t s dffcult to guarantee convergence of soluton algorthms to true optmal solutons n the upper model. Bard [1] descrbes ths general dffculty. 6. Extensons Several extensons to the model descrbed here are possble and desrable. In addton to further development of the b-level optmzaton deas dscussed n the prevous secton, there are two extensons that seem partcularly mportant. Frst, t s useful to ncorporate mperfect nformaton on the part of the ntruders. Ths allows us to begn exploraton of the ffth defender strategy mentoned n secton 5. One very drect way to do ths s to embed the MDP model n a smulaton where uncertanty n the perceptons of the detecton probabltes s reflected. Ths s one type of lmtaton on the nformaton assumed to be avalable to the attackers. Varatons n the perceptons of the detecton probabltes can lead to dfferent strateges for dfferent ntruders, and the effect (from the system operator s perspectve) s that potental attacks appear g to be followng a mxed (or randomzed) strategy. Ths form of smulaton s a step n the general drecton of consderng the system to be a partally observable Markov decson process (POMDP) from the perspectve of the ntruder. The smulaton approach can also be used to analyze other types of mperfect nformaton on the part of ntruders for example, mperfect knowledge of what arcs exst n the network for movement among nodes, or even mperfect nformaton as to what nodes exst. A second useful extenson s to create sem-markov models for the processes of attempted penetraton of barrers. Ths would allow more accurate representaton of the uncertan tme requred to penetrate a gven barrer, as well as offer a broader range of opportuntes for modelng varous types of tme-dependent detecton probabltes. Ths extenson could mprove the range of applcablty of the model. 7. Conclusons The objectve of the analyss presented here s to provde gudance to system owners and operators regardng effectve ways to reduce vulnerabltes of specfc nfrastructure facltes. To accomplsh ths, we have developed a Markov Decson Process (MDP) model of how an ntruder mght try to penetrate the varous barrers desgned to protect the faclty. The soluton to ths MDP model provdes nsght nto the level of vulnerablty of the faclty (the probablty of successful ntruson) and ndcates where the vulnerabltes are (the most lkely paths for the ntruder). The ntruder model also provdes the bass for consderaton of possble strateges to reduce the probablty of a successful attack on the faclty. Illustratons of usng the model n ths way are provded n the case study analyss n secton 4. The process of searchng for cost-effectve strateges to reduce system vulnerablty can be formally cast as a b-level optmzaton problem, as dscussed n secton 5. Ths provdes a promsng drecton for further work. Successful mplementaton of the model descrbed n ths paper depends very drectly on two mportant tasks: 1) constructng large-scale networks that represent the varous barrers and movement possbltes n a system; and 2) estmatng the varous probabltes embedded n the A and B matrces that are elements of the HMM s at each network node. Qute clearly, f the constructed network does not reflect accurately the barrers to ntruson and possble 9

10 Proceedngs of the 39th Hawa Internatonal Conference on System Scences paths for ntruders, the resultng computatons from the model wll be flawed. Constructng an accurate network representaton requres sgnfcant system knowledge and also the ablty to thnk lke an attacker. Estmatng the probabltes s also a challengng task. There are tools that have been created for estmatng HMM matrces n other applcaton contexts, and the experence ganed n those other contexts should provde mportant nsght for ths task. The process of testng, mplementng and enhancng the model s an ongong one, wth the expectaton that ths approach wll become an mportant new tool for the protecton of crtcal nfrastructure facltes. References [1] Bard, J.F., Some Propertes of the Blevel Programmng Problem, Journal of Optmzaton Theory and Applcatons, 68:2, 1991, [2] Carlson, R.E., Turnqust, M.A. and Nozck, L.K., Expected Losses, Insurablty and Benefts from Reducng Vulnerablty to Attacks, Report SAND , Sanda Natonal Laboratores, Albuquerque, NM, [3] Executve Offce of the Presdent, Natonal Strategy for Homeland Securty, July 2002, avalable on lne at [4] Jha, S., Sheyner, O., and Wng, J.M. Two Formal Analyses of Attack Graphs, 15th IEEE Computer Securty Foundatons Workshop, June 2002, Cape Breton, NS, Canada, Complexty, Journal of Computer Securty, 12:2, 2004, [10] Phllps, C.A., and Swler, L.P., A Graph-Based System for Network Vulnerablty Analyss, Proceedngs of the 1998 New Securty Paradgms Workshop, Assocaton for Computng Machnery, 1998, [11] Presdent s Commsson on Crtcal Infrastructure Protecton, Crtcal Foundatons: Protectng Amerca s Infrastructures, The Whte House, Washngton, DC, [12] Puterman, M.L. Markov Decson Processes. Wley, New York, [13] Sheyner, O., Hanes, J., Jha, S., Lppmann, R., and Wng, J.M., Automated Generaton and Analyss of Attack Graphs, Proceedngs of the IEEE Computer Socety Symposum on Research n Securty and Prvacy, Berkeley, CA, May 2002, [14] Soh, B.C., and Dllon, T.S. Settng Optmal Intruson- Detecton Thresholds, Computers & Securty, 14:7, 1995, [15] Swler, L.P., Phllps, C.A., Ells, D., and Chakeran, S., Computer Attack Graph Generaton Tool, Proceedngs of the 2nd DARPA Informaton Survvablty Conference and Exposton, 2001, [16] Warrender, C., Forrest, S. and Pearlmutter, B. Detectng Intrusons Usng System Calls: Alternatve Data Models, Proceedngs of the 1999 IEEE Symposum on Securty and Prvacy, 1999, [5] Jones, D.A., Turnqust, M.A. and Nozck, L.K., Physcal Securty and Vulnerablty Modelng for Infrastructure Facltes, Report SAND2005-xxxx,Sanda Natonal Laboratores, Albuquerque, NM, [6] Katskas, S.K., Grtzals, D., and Spraks, P., Attack Modellng n Open Network Envronments, Communcatons and Multmeda Securty II, 1996, [7] Katskas, S.K., Spyrou, T., Grtzals, D., and Darzentas, J., Model for Network Behavour under Vral Attack, Computer Communcatons, 19:2, 1996, [8] Ourston, D., Matzner, S., Stump, W., and Hopkns, B., Applcatons of Hdden Markov Models to Detectng Mult-stage Network Attacks, 36 th Hawa Internatonal Conference on Systems Scence, IEEE Computer Socety, Hawa, 2003, CD-ROM, 10p. [9] Ourston, D., Matzner, S., Stump, W., and Hopkns, B. Coordnated Internet Attacks: Respondng to Attack 10