Download Pareto-Optimal Situaton Analysis for Selection of Security Measures

Pareto-Optimal Situaton Analysis for
Selection of Security Measures
Andres Ojamaa
Joint work with Jüri Kivimaa and Enn Tyugu
Institute of Cybernetics at TUT
CS Theory Days, Feb 1 2009, Kääriku
Outline
Introduction
Background and Motivation
Graded Security Model
Security Goals
Parameters and Functions
Optimizing Security Measures
Discrete Dynamic Programming
Graded Security Expert System
Example
Visual Specification
Example of Results
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 2
Security Situation Management
I
The aim is to provide the best possible security of a system
with given amount of resources.
I
At the same time at least the standard requirements
should be satisfied, if possible.
I
Solutions are usually needed yesterday. Therefore detailed
risk analysis is not a good option.
I
The goal is achieved by coarse-grained analysis of security
situation and optimisation of resource usage.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 3
Security Awareness Simulation Games
I
CyberCIEGE — video game and tool to teach network
security concepts (2005)
I
CyberProtect — DISA-produced game that includes
hacker attacks and budget constraints (1999)
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 4
Situation Description: Security Goals
Security class is determined by security levels, associated with
security goals:
I
confidentiality (C),
I
integrity (I),
I
availability (A),
I
non-repudiation (N).
e.g. C2 I1 A1 N2
The model can be extended by adding security goals.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 5
Situation Description: Parameters of the Model
I
Available resources — r
I
Integral measure of security — S
I
Security measures groups — g1 , g2 , . . . , gn
I
Security levels of measures groups — l1 , l2 , . . . , ln
I
Security confidences granted by measures groups —
q1 , q2 , . . . , qn
I
01.02.2009
Relative importance of measures groups: weights —
P
a1 , a2 , . . . , an , where ni=1 ai = 1
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 6
Abstract Security Profile
An abstract security profile p is an assignment of security levels
to each group of security measures:
p = (l1 , l2 , . . . , ln )
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 7
Cost Function
The cost function h gives the costs h(l, g) required for
implementing security measures of a group g for a level l.
The costs of implementing a given abstract security profile:
costs(p) =
n
X
h(li , gi )
i=1
Goal 1: Keep the value of costs(p) as low as possible.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 8
Levels Requirement Function
Function s produces a required security level s(c, g) for a group
g when the security class is c. The requirements may be
prescribed by security standards such as BSI, NISPOM or
ISKE.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 9
Integrated Security Metrics
The overall security of a system is described by means of an
integrated security metrics (integral security confidence) S.
S=
n
X
ai qi
i=1
Goal 2: Increase security confidence of a system.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 10
Dependencies
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 11
Conventional Graded Security Solution
S
l
S*
5, 7
3
1, 2, 3, 6, 8, 9
2
4
1
0
r*
01.02.2009
A. Ojamaa
r
Pareto-Optimal Situaton Analysis for Selection of Security Measures 12
Pareto-Optimality Curve
security
Pareto Optimality
Tradeoff Curve
rmin
01.02.2009
A. Ojamaa
rmax
resources
Pareto-Optimal Situaton Analysis for Selection of Security Measures 13
Pareto-Optimal Security Solutions
S
l
4
3
2
1
1
0
r1
01.02.2009
A. Ojamaa
r2
r
Pareto-Optimal Situaton Analysis for Selection of Security Measures 14
Dynamic Programming
Building optimal solutions gradually, for 1, 2, . . . , n security
measures groups enables us to use discrete dynamic
programming, and to reduce considerably the search.
The fitness function S defined on intervals from j to k as
S(j, k ) =
k
X
ai qi
i=j
is additive on the intervals, because from the definition of the
function S we have S(1, n) = S(1, k ) + S(k , n).
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 15
Discrete Dynamic Programming
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 16
Complexity Compared
Number of search steps
1.2e+09
Exhaustive search
Dynamic programming
1e+09
8e+08
6e+08
4e+08
2e+08
0
1
2
3
4
5
6
7
8
9
10
Number of security measures groups
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 17
Graded Security Expert System
Knowledge modules
Optimizer
GUI
Vi
Visual composer
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 18
Visual Specification
File Edit View Package Scheme Options Help
optimization
S
E
100%
SC1 SC2
BF DP
User training
Encryption
DDP Optimizer
Cost
0
4
8
12
Cost
0
2
4
7
Context: Banking
Confidence
0
30
60
65
Confidence
0
60
80
95
Antivirus software
Segmentation
Resources:
min
1
max
70
s
SecClass: C2I1A1M2
s
Redundancy
y
Backup
levels
Firewall
Access control
Intrusion detection
471, 10
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 19
Knowledge Modules as Decision Tables
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 20
85
80
75
70
65
60
55
50
45
40
35
30
25
20
15
10
5
0
6
5
4
3
2
1
0
5
10
15
20
25
30
35
40
45
50
55
60
65
70
0
Costs
Confidence
01.02.2009
A. Ojamaa
Redundancy
User training
Pareto-Optimal Situaton Analysis for Selection of Security Measures 21
Level index
Confidence
Example of Results
Future Work
I
Combine the optimization package with risk analysis tools
(e.g. attack trees)?
I
Improve the visual language and the user interface
I
Collect and accumulate expert knowledge and real data
I
Experiments with real data
I
Implement dependant measure groups
I
Analyze sensitivity of results wrt inaccurate input data
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 22
Summary
A CoCoViLa package was developed to help the IT
manager/security expert answer the following questions
quickly:
I
How much resources are needed to achieve the required
level of information security?
I
01.02.2009
What is the best way to spend the IT security budget?
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 23
References
I CoCoViLa — Compiler Compiler for Visual Languages,
http://www.cs.ioc.ee/~cocovila
I CyberCIEGE — http://cisr.nps.edu/cyberciege/
I CyberProtect —
http://iase.disa.mil/eta/online-catalog.html
I E. Tyugu. Algorithms and Architectures of Artificial Intelligence. IOS
Press, 2007.
I A. Ojamaa, E. Tyugu, J. Kivimaa. Pareto-optimal situation analysis for
selection of security measures. In: MILCOM 08: Assuring Mission
Success: Unclassified Proceedings, November 17-19 San Diego, 2008,
7 p.
01.02.2009
A. Ojamaa
Pareto-Optimal Situaton Analysis for Selection of Security Measures 24