POMDPs Make Better Hackers: Accounting for Uncertainty in Penetration Testing. By: Chris Abbott
Introduction. What is penetration testing? A methodology for assessing network security by generating and executing possible attacks that exploit known vulnerabilities of operating systems and applications. Why? It allows for regular and systematic testing without a prohibitive amount of human labor. More accessible to non-experts.
Introduction: Attack Planning. How to automatically generate attacks? Very technical; addresses the low-level system configuration details. Commercial software: Core Insight Enterprise. Does not handle uncertainty (software upgrades, etc.). Difficult to keep updated.
Introduction: COTS. Attack planning: encoded using PDDL, using a variant of Metric-FF. Uncertainty: limited by the ability to handle it; cannot be up to date with the configuration details of every machine in the network.
Introduction: Scanning. Addresses machine configuration. Scanning methods are used as a pre-process to planning. Drawbacks: incurs significant costs in terms of running time and network traffic; scans have a residual uncertainty.
Introduction. This paper proposes: a solution to scanning run time; a solution to scanning uncertainty.
Introduction: Incomplete Knowledge. Encode uncertainty of state. Model the possible network configurations in terms of a probability distribution.
Introduction: Scans and Exploits. Are deterministic (outcome depends only on the state they are executed in). Rewards: negative rewards encode the cost (the duration); positive rewards encode the value of targets attained.
Introduction. POMDPs fail to scale to large networks: the input model grows exponentially in the number of machines.
Introduction. Networks are viewed as graphs. Vertices are fully-connected subnetworks. Arcs encode the connections between these, filtered by firewalls. The graph is decomposed into biconnected components.
Introduction. We approximate the attacks on these components by combining attacks on individual subnetworks. We approximate these in turn by combining attacks on individual machines. Attacks on individual machines are modeled and solved as POMDPs. Solutions are propagated back up.
Preliminaries: Network Structure. Viewed as directed graphs whose vertices are given by the set M of machines. Arcs are connections between pairs of m ∈ M. Network graphs tend to consist of subnetworks (i.e., clusters).
Preliminaries: Penetration Testing. Impossible to keep track of all the configuration details.
Preliminaries: POMDPs. Defined as a tuple <S, A, 𝒪, T, O, r, b0>: states S, actions A, observations 𝒪, reward r, transition function T, observation function O. The agent must find a decision at each step, based on past observations, in order to maximize reward. The agent reasons about the hidden state of the system using a belief state b, a probability distribution over S.
POMDP Model: States. Network structure and firewall filtering rules are static. POMDP variables that encode these aspects: pre-processed and not included in the model.
POMDP Model: States. Capture the status of each machine: controlled, reached, not reached. Terminal state: giving up the attack. State space is huge: |S| = O(|C|^|M|). Will run POMDPs on single machines, |M| = 1.
POMDP Model: Actions. Two main types. Scans: gain knowledge about configuration (OS detection, ports). Exploits: make use of a vulnerability to gain control over a machine (buffer overflow).
POMDP Model: Rewards. Reward depends on the scan/exploit action: r(s, a, s') = r_e(s, a, s') + r_t(a) + r_d(a). r_e is the value of the attacked machine exploit. r_t is a cost that depends on the action's duration. r_d is a cost that reflects the risk of detection.
POMDP Model: Designing the Initial Belief. Initial belief is a concrete configuration. Future belief: knowledge of network depends on previous. Uncertainty arises from software updates. Encoded in terms of a Markov chain.
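The belief state and the reward split r = r_e + r_t + r_d from the slides above, worked through on one machine as an added example (not code from the paper or the presentation). The OS names, scan outcomes, exploit names and every number are constructed, and the comparison is a one-step lookahead, not a full POMDP solver.

```python
# Added illustration; every state name and number below is constructed.
TARGET_VALUE = 100.0                                    # r_e when an exploit succeeds
B0 = {"os_A": 0.5, "os_B": 0.3, "os_C": 0.2}            # initial belief b0 over the hidden state
SCAN = {"os_A": "family_1", "os_B": "family_1", "os_C": "family_2"}  # deterministic observation
EXPLOITS = {"exploit_A": "os_A", "exploit_C": "os_C"}   # the state in which each exploit succeeds
COST = {"scan": (-2.0, -1.0), "exploit_A": (-10.0, -5.0), "exploit_C": (-10.0, -5.0)}  # (r_t, r_d)


def update_belief(belief, observation):
    """b'(s) is proportional to O(o|s) * b(s); a deterministic O just filters states."""
    kept = {s: p for s, p in belief.items() if SCAN[s] == observation}
    total = sum(kept.values())
    if total == 0:
        raise ValueError("observation has zero probability under this belief")
    return {s: p / total for s, p in kept.items()}


def exploit_value(belief, action):
    """Expected r = r_e + r_t + r_d for one exploit attempt under the belief."""
    r_t, r_d = COST[action]
    return belief.get(EXPLOITS[action], 0.0) * TARGET_VALUE + r_t + r_d


def best_direct(belief):
    """Best single exploit, or giving up (value 0) when every exploit loses."""
    return max([0.0] + [exploit_value(belief, a) for a in EXPLOITS])


def scan_then_act(belief):
    """Pay for the scan, then act optimally on each possible updated belief."""
    value = sum(COST["scan"])
    for obs in set(SCAN.values()):
        p_obs = sum(p for s, p in belief.items() if SCAN[s] == obs)
        if p_obs > 0:
            value += p_obs * best_direct(update_belief(belief, obs))
    return value


if __name__ == "__main__":
    print("act on b0 directly:", best_direct(B0))
    print("scan first:        ", scan_then_act(B0))
```

With these constructed numbers the scan pays for itself: it costs 3 but raises the expected reward from 35 to 52, which is the sense in which the model mixes scans with exploits.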
4AL Decomposition Algorithm: Overview. The 4AL algorithm uses decomposition and approximation. POMDPs do not scale to large networks; POMDPs are used only to attack individual machines. Is a POMDP solver specialized to attack planning. Input: a logical network and a POMDP model encoding attacks on individual machines. Output: a policy for the global POMDP encoding.
4AL Decomposition Algorithm: Level 1. Decompose the logical network into a tree of biconnected components. More than one path to attack a subnetwork.
4AL Decomposition Algorithm: Level 2. Given a component C, for each rewarded subnetwork N ∈ C, all paths in C that reach N. Considers individual attack paths within C. Any single path P is a sequence of attacks on individual subnetworks.
4AL Decomposition Algorithm: Level 3. Given subnetwork N and a firewall F through which to attack N, for each machine m ∈ N: approximate the reward for attacking m first. After breaking m we are behind F.
4AL Decomposition Algorithm: Level 4. Given machine m and a firewall F: model a single-machine attack planning problem as a POMDP. Has low-order polynomial runtime.
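Level 1's decomposition of the logical network into biconnected components, as an added example (not the 4AL implementation). It uses the standard Hopcroft-Tarjan depth-first search on an undirected graph of subnetworks; the topology and subnetwork names are constructed.

```python
# Added illustration; the topology and subnetwork names are constructed.
LOGICAL_NET = {              # undirected adjacency between subnetworks
    "internet": ["dmz"],
    "dmz": ["internet", "app", "db"],
    "app": ["dmz", "db"],
    "db": ["dmz", "app", "users"],
    "users": ["db"],
}


def biconnected_components(graph):
    """Return (components as vertex sets, articulation points) of a simple graph."""
    depth, low, edge_stack = {}, {}, []
    components, cut_vertices = [], set()

    def dfs(v, parent, d):
        depth[v] = low[v] = d
        children = 0
        for w in graph[v]:
            if w == parent:
                continue
            if w not in depth:                 # tree edge
                children += 1
                edge_stack.append((v, w))
                dfs(w, v, d + 1)
                low[v] = min(low[v], low[w])
                if low[w] >= depth[v]:         # w's subtree cannot bypass v
                    if parent is not None or children > 1:
                        cut_vertices.add(v)
                    comp = set()
                    while True:                # pop the edges of this component
                        edge = edge_stack.pop()
                        comp.update(edge)
                        if edge == (v, w):
                            break
                    components.append(comp)
            elif depth[w] < depth[v]:          # back edge to an ancestor
                edge_stack.append((v, w))
                low[v] = min(low[v], depth[w])

    for start in graph:
        if start not in depth:
            dfs(start, None, 0)
    return components, cut_vertices


if __name__ == "__main__":
    comps, cuts = biconnected_components(LOGICAL_NET)
    print("components:", comps)
    print("articulation points:", cuts)
```

Only the component {dmz, app, db} offers more than one path to a subnetwork; the articulation points dmz and db are where the components join into a tree, and they are also the choke points where filtering and monitoring cover every path.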
Experiments: Test Scenario. Composed of three areas: exposed, sensitive and user.
Experiments: Approximation Loss. Relative loss of quality when running 4AL instead of a global POMDP solution. Figure: (a) Attack quality comparison. (b) Runtime of 4AL.
Experiments: Scaling Up. Scaling up to larger values of M shows that 4AL is polynomial. Scaling to larger values of E yields more challenging single-machine POMDPs, resulting in steep growth of runtime.
Conclusion. Devised a POMDP model that represents: incomplete knowledge about the network configuration; dependencies between different attack possibilities and firewalls. Intelligently mixes scans with exploits. While accurate Decomposition algorithm, with small loss in quality.