Abstract
1. Introduction
2. Threat model and attack path formalizations
3. Bayesian Network and Attacker’s Behavior Modeling
4. Path derivation and illustrative results
5. Conclusion
Acknowledgment
Research Data
References
Abstract
Security vulnerabilities in cloud computing components and technologies, including but not limited to hypervisors, virtual machines, and virtualization itself, present a major security concern. The primary challenge has been to characterize the interlinked attack paths generated by Advanced Persistent Threat (APT) attackers when they exploit vulnerabilities in cloud components. We propose a Bayesian network based weighted attack path modeling technique to model these attack paths. In our approach, we employ quantitative induction to express weighted attack paths. We chain marginal and conditional probabilities together to characterize multiple attack paths from the attack source to the target node, and in so doing evaluate the likelihood of an APT occurring along a given path. Furthermore, we propose an optimized algorithm to find the shortest attack path from multiple sources based on key nodes and key edges. The algorithm not only finds the shortest path but also resolves any ties among paths of equal weight. We characterize the attack time expense of the APT attack by modeling the atomic attack events in a path as Poisson variables obeying the Erlang distribution. The attack time expense is classified into three levels: High, Medium, and Low. We use the WannaCry ransomware attack to evaluate our model.
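As an added illustration of the chaining described above (not the paper's code or data), the following Python enumerates simple attack paths over a constructed cloud attack graph, chains each source's marginal prior with the conditional exploit probabilities along the path, ranks paths with a deterministic tie-break, and evaluates the Erlang-distributed attack time of a path; all edge values, priors, the event rate and the level thresholds are assumptions, and the tie-break rule is an assumed stand-in for the paper's key-node/key-edge rule.

```python
import math

# Constructed attack graph over cloud components (hypothetical values, not the
# paper's data). Edge value = assumed conditional probability that the head node
# is compromised given that the tail node already is.
EDGES = {
    ("internet", "vm1"): 0.5, ("internet", "vrouter"): 0.4,
    ("insider", "vm2"): 0.9, ("vm1", "hypervisor"): 0.4,
    ("vrouter", "hypervisor"): 0.5, ("vrouter", "vm2"): 0.7,
    ("vm2", "hypervisor"): 0.4, ("hypervisor", "target_vm"): 0.8,
}
# Assumed marginal probability that each attack source is active.
PRIORS = {"internet": 0.9, "insider": 0.5}

def chained_paths(edges, priors, target):
    """Enumerate simple paths from every source to target; a path's weight is
    the source prior chained with the conditional probabilities along it."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    found = []
    def walk(node, path, prob):
        if node == target:
            found.append((tuple(path), prob))
            return
        for nxt in adj.get(node, []):
            if nxt not in path:          # skip revisits: no attack cycles
                walk(nxt, path + [nxt], prob * edges[(node, nxt)])
    for src, prior in priors.items():
        walk(src, [src], prior)
    return found

def rank_paths(edges, priors, target):
    """Most likely path first. Ties (equal weight after rounding away float
    noise) are resolved deterministically: fewer hops, then node-name order.
    This tie-break is an assumption, not the paper's key-node/key-edge rule."""
    paths = chained_paths(edges, priors, target)
    return sorted(paths, key=lambda p: (-round(p[1], 9), len(p[0]), p[0]))

def erlang_cdf(k, lam, t):
    """P(T <= t) for the sum of k exponential(lam) atomic attack events."""
    return 1.0 - sum(math.exp(-lam * t) * (lam * t) ** n / math.factorial(n)
                     for n in range(k))

def time_expense_level(n_events, lam, high=8.0, low=2.0):
    """Classify the expected attack time n_events/lam (hours; assumed cutoffs)."""
    mean = n_events / lam
    return "High" if mean >= high else "Low" if mean <= low else "Medium"

if __name__ == "__main__":
    for path, prob in rank_paths(EDGES, PRIORS, "target_vm"):
        hops = len(path) - 1   # one atomic exploit event per edge
        print(f"{prob:.4f}  {' -> '.join(path)}  [{time_expense_level(hops, 0.5)}]")
```

With these values three paths tie at weight 0.144, which is exactly the situation the tie-break has to settle; the graph is a DAG, so the cycle guard only matters if you add back-edges.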
Introduction
Security presents a major concern echoed by many organizations migrating to cloud computing [1]. With the advent of e-governance, governments are likewise switching to cloud computing, and this has inadvertently attracted Advanced Persistent Threat (APT) attackers, who target large corporations and governments [2]. APT attackers possess a high level of technical skill and have extensive resources at their disposal, which enables them to carry out sophisticated, stealthy reconnaissance, surveillance, and data exfiltration attacks with little, if any, traceability. This profile of attacker exploits vulnerabilities in cloud computing components (hypervisors, virtual machines, virtual routers, etc.) to reach otherwise secured or unreachable resources. Virtualization, for example, which is the foundation of most cloud offerings [3], faces a myriad of attack vectors targeting virtual machines, whether at rest in cloud data centers or during migration over the network. Attacks at this level of detail require highly skilled threat actors, hence APTs. Traversal of vulnerable cloud components during an attack generates virtual attack paths that depict the dependencies shared among the exploited vulnerabilities. Attack paths have been widely studied in the literature [4–7] using different approaches. However, most of these studies apply to generic network environments with discrete network devices rather than virtualized cloud computing devices [8]. Bayesian networks have been employed to study attack paths, but they suffer from attack cycles, which typically occur in real-world scenarios because reconnaissance and active APT attack stages interleave.