Performance-sensitive Real-time Risk Management is NP-Hard
By: Ashish Gehani
Department of Computer Science, Duke University
1
PROBLEM : Intrusion response
Manual response decreasingly tenable:
– High attack frequency
– Great attack diversity
– Rapid attack execution
– Protection Time < Detection Time + Response Time
False positives preclude retaliation
Network connections encrypted
2
SOLUTION STRATEGY
Automate response:
– Model runtime risk
– Build risk management primitives
– Dynamically manage risk
– Minimize impact on performance
Passive response - limit to owner’s domain
Host-based
3
RISK MODEL : Management
[diagram: Threat / Likelihood, Vulnerabilities / Safeguards, Assets / Consequences feed into Risk; Risk is compared with the Threshold; Yes leads to Reconfigure]
4
RISK MODEL : Threat
Events : $E = \{e_1, e_2, \ldots\}$
Threats : $T = \{t_1, t_2, \ldots\}$
Signature : $S(t) = \{s_1, s_2, \ldots\},\ s_i \in E,\ t \in T$
Likelihood : $T(t)$, a function of $t$ and $E \cap S(t)$, $t \in T$
5
RISK MODEL : Vulnerability
= fw1 ; w2; : : :g; W (t) W; t 2 T
Permissions : P = fp1 ; p2 ; : : :g; P (w ) P; w 2 W
S
Safeguards : P^ (t ) = w 2W (t ) P (w ); t 2 T
Static Exposure: v (p ) 2 f0; 1g; p 2 P
Dynamic Exposure: v 0 (p ) 2 [0; 1]; p 2 P
X v(p) v0 (p)
Vulnerability : V (t ) =
; t 2 T
^
jP (t )j
p 2P^ (t )
Weaknesses : W
6
RISK MODEL : Consequence
Objects : $O = \{o_1, o_2, \ldots\}$
Assets : $A(t) \subseteq O$
Confidentiality : $c(o),\ o \in O$
Integrity : $i(o),\ o \in O$
Availability : $a(o),\ o \in O$
Consequence : $C(t) = \sum_{o \in A(t)} c(o) + i(o) + a(o),\ t \in T$
7
RISK MODEL : Unmanaged Risk
Unmanaged Risk : $R = \sum_{t \in T} T(t)\, V(t)\, C(t)$
Computation Time : $O(|T|\, |P|\, |O|)$
8
RISK MODEL : Risk Management Primitives
Auxiliary safeguards : $\text{Aux}(P) \subseteq P$
Static checks : $\text{Static}(P) \subseteq P$
$\text{Aux}(P) \cap \text{Static}(P) = \emptyset,\ \text{Aux}(P) \cup \text{Static}(P) = P$
Curtailed consequences : $\text{Curt}(O) \subseteq O$
Transparent access : $\text{Trans}(O) \subseteq O$
$\text{Curt}(O) \cap \text{Trans}(O) = \emptyset,\ \text{Curt}(O) \cup \text{Trans}(O) = O$
9
RISK MODEL : Managed Risk
Managed Vulnerability : $V'(t) = \sum_{p \in \hat{P}(t) \cap \text{Static}(P)} \dfrac{v(p)}{|\hat{P}(t)|} + \sum_{p \in \hat{P}(t) \cap \text{Aux}(P)} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|},\ t \in T$
Managed Consequence : $C'(t) = \sum_{o \in A(t) \cap \text{Trans}(O)} c(o) + i(o) + a(o),\ t \in T$
Managed Risk : $R' = \sum_{t \in T} T(t)\, V'(t)\, C'(t)$
10
RISK MODEL : Risk Tolerance
Event : $e$
Risk before : $R_b$
Risk change : change $\neq 0$
Risk after : $R_a = R_b + \text{change}$
Risk threshold : $R_0$
change $> 0 \wedge R_a > R_0 \Rightarrow$ Reduce()
change $> 0 \wedge R_a \le R_0 \Rightarrow$ Relax()
change $< 0 \Rightarrow R_a = R_b + \text{change} < R_b < R_0 \Rightarrow$ Relax()
11
RISK MODEL : Risk Recalculation
Threat change : $\delta(T(t), e)$ = likelihood of $(t, (E \cup e) \cap S(t))$ minus likelihood of $(t, E \cap S(t))$
Threats affected : the set of $t \in T$ with $\delta(T(t), e) \neq 0$
Update cost : $O(|T|)$, with $V'(t)$, $C'(t)$ cached
12
RISK MODEL : Risk Reduction
Enable safeguards : $\text{Enable}(\text{Aux}(P)) \subseteq \text{Static}(P)$
Enable curtailments : $\text{Enable}(\text{Curt}(O)) \subseteq \text{Trans}(O)$
Find : $\text{Enable}(\text{Aux}(P)),\ \text{Enable}(\text{Curt}(O)) \Rightarrow R'' < R_0$
Reduced Vulnerability : $V''(t) = \sum_{p \in (\hat{P}(t) \cap \text{Static}(P) - \text{Enable}(\text{Aux}(P)))} \dfrac{v(p)}{|\hat{P}(t)|} + \sum_{p \in (\hat{P}(t) \cap \text{Aux}(P) \cup \text{Enable}(\text{Aux}(P)))} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|}$
Reduced Consequence : $C''(t) = \sum_{o \in (A(t) \cap \text{Trans}(O) - \text{Enable}(\text{Curt}(O)))} c(o) + i(o) + a(o)$
Reduced Risk : $R'' = \sum_{t \in T} T(t)\, V''(t)\, C''(t)$
13
RISK MODEL : Risk Relaxation
Disable safeguards : $\text{Disable}(\text{Aux}(P)) \subseteq \text{Aux}(P)$
Disable curtailments : $\text{Disable}(\text{Curt}(O)) \subseteq \text{Curt}(O)$
Find : $\text{Disable}(\text{Aux}(P)),\ \text{Disable}(\text{Curt}(O)) \Rightarrow R'' < R_0$
Relaxed Vulnerability : $V''(t) = \sum_{p \in (\hat{P}(t) \cap \text{Static}(P) \cup \text{Disable}(\text{Aux}(P)))} \dfrac{v(p)}{|\hat{P}(t)|} + \sum_{p \in (\hat{P}(t) \cap \text{Aux}(P) - \text{Disable}(\text{Aux}(P)))} \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|}$
Reduced Consequence : $C''(t) = \sum_{o \in (A(t) \cap \text{Trans}(O) \cup \text{Disable}(\text{Curt}(O)))} c(o) + i(o) + a(o)$
Reduced Risk : $R'' = \sum_{t \in T} T(t)\, V''(t)\, C''(t)$
14
RISK MODEL : Constraints
Risk Reduction : Increase of Cost : $\text{Cost}(\text{Enable}(\text{Aux}(P)), \text{Enable}(\text{Curt}(O))) = \sum_{p \in \text{Enable}(\text{Aux}(P))} f(p) + \sum_{o \in \text{Enable}(\text{Curt}(O))} f(o)$
Risk Relaxation : Decrease of Cost : $\text{Cost}(\text{Disable}(\text{Aux}(P)), \text{Disable}(\text{Curt}(O))) = \sum_{p \in \text{Disable}(\text{Aux}(P))} f(p) + \sum_{o \in \text{Disable}(\text{Curt}(O))} f(o)$
Risk Reduction : $\min \text{Cost}(\text{Enable}(\text{Aux}(P)), \text{Enable}(\text{Curt}(O)))$ subject to $R'' \le R_0$
Risk Relaxation : $\max \text{Cost}(\text{Disable}(\text{Aux}(P)), \text{Disable}(\text{Curt}(O)))$ subject to $R'' \le R_0$
15
RISK MODEL : Time Complexity
Choices of $\text{Enable}(\text{Aux}(P)),\ \text{Enable}(\text{Curt}(O))$ for Risk Reduction : $O(2^{(|P| + |O|)})$
Choices of $\text{Disable}(\text{Aux}(P)),\ \text{Disable}(\text{Curt}(O))$ for Risk Relaxation : $O(2^{(|P| + |O|)})$
Linear Objective Function :
for Risk Reduction : $\min \text{Cost}(\text{Enable}(\text{Aux}(P)), \text{Enable}(\text{Curt}(O)))$
for Risk Relaxation : $\max \text{Cost}(\text{Disable}(\text{Aux}(P)), \text{Disable}(\text{Curt}(O)))$
Quadratic Constraint : $R'' \le R_0$
16
COMPLEXITY : Risk Graph
[figure: risk graph with three columns P, T, A; threats t1..t4 in T are linked to permissions p1..p5 in P and objects o1..o3 in A]
17
COMPLEXITY : Response Graph
[figure: response graph; permission vertices weighted f(p1)..f(p5), object vertices weighted f(o1)..f(o3), and labelled edges w(p2,o3), w(p3,o3), w(p4,o3), w'(p4,o3)]
18
COMPLEXITY : Response Graph Properties
Bipartite graph, Partitions : $P, O$
Vertex weights : $f(p),\ f(o)$
Safeguard dependent edge weights : $w'(p, o) = \sum_{t \in T : p \in \hat{P}(t) \wedge o \in A(t)} T(t)\, \dfrac{v(p)\,(1 - v'(p))}{|\hat{P}(t)|}\, (c(o) + i(o) + a(o))$
Consequence dependent edge weights : $w(p, o) = \sum_{t \in T : p \in \hat{P}(t) \wedge o \in A(t)} T(t)\, \dfrac{v(p)\, v'(p)}{|\hat{P}(t)|}\, (c(o) + i(o) + a(o))$
19
COMPLEXITY : Optimization Problem
Risk reduction
Select vertex set : $\text{Enable}(\text{Aux}(P)),\ \text{Enable}(\text{Curt}(O))$
– Minimize $\sum_{p \in \text{Enable}(\text{Aux}(P))} f(p) + \sum_{o \in \text{Enable}(\text{Curt}(O))} f(o)$
– Constrained by : $W_e \ge R_a - R_0$
$W_e = \sum_{p \in \text{Enable}(\text{Aux}(P)),\ o \in \text{Enable}(\text{Curt}(O))} w'(p, o) + \sum_{p \in P - \text{Enable}(\text{Aux}(P)),\ o \in (O)} w(p, o)$
20
COMPLEXITY : Decision Problem
Input:
– Bipartite response graph
– Minimum for sum of edge weights
– Target sum of vertex weights
Output: true if a solution is found, else false
21
COMPLEXITY : NP-Hard
Reduce to Maximum Edge Biclique
Construction:
– $\forall p,\ f(p) = 1$
– $\forall o,\ f(o) = 1$
– $\forall p\, \forall o,\ w(p, o) = 0$
– $\forall p\, \forall o,\ w'(p, o) = 1$
Find solution with Risk Reduction Algorithm
Given vertex count, biclique has maximum edge count
Solves Maximum Edge Biclique
22
HEURISTIC : Response Heaps
[diagram: a Disabled Responses Heap and an Enabled Responses Heap, each holding Safeguard / Curtailment entries; "Activate response" moves an entry from the disabled heap to the enabled heap and "Deactivate response" moves it back; heap keys: Key = Risk Reduction / Frequency in Workload and Key = Risk Relaxation / Frequency in Workload]
23
HEURISTIC : Pre-Processing
Step 1
$\forall p \in \text{Static}(P)$, calculate Benefit-to-Cost ratio:
$\text{ratio}(p) = \dfrac{\sum_{t : p \in (\hat{P}(t) \cap \text{Static}(P))} T(t)\, C'(t)\, \dfrac{v(p)\,(1 - v'(p))}{|\hat{P}(t)|}}{f(p)}$
Step 2
$\forall o \in \text{Trans}(O)$, calculate Benefit-to-Cost ratio:
$\text{ratio}(o) = \dfrac{\sum_{t : o \in (A(t) \cap \text{Trans}(O))} (c(o) + i(o) + a(o))\, T(t)\, V'(t)}{f(o)}$
24
HEURISTIC : Primitive Selection
Step 3 Set $\text{Enable}(\text{Aux}(P)) = \text{Enable}(\text{Curt}(O)) = \emptyset$
Step 4 Choose: $r = \max\{p_{max}, o_{max}\}$
$p_{max} = \max \text{ratio}(p),\ p \in \text{Static}(P)$
$o_{max} = \max \text{ratio}(o),\ o \in \text{Trans}(O)$
Add $r$ to $\text{Enable}(\text{Aux}(P))$ or $\text{Enable}(\text{Curt}(O))$
Step 5
$r = p \Rightarrow \forall o \in \bigcup_{t : p \in \hat{P}(t)} A(t)$ : Update $\text{ratio}(o)$
$r = o \Rightarrow \forall p \in \bigcup_{t : o \in A(t)} \hat{P}(t)$ : Update $\text{ratio}(p)$
Step 6 Recalculate Risk :
$R'' = R_a - \sum_{p \in \text{Enable}(\text{Aux}(P))} \text{ratio}(p)\, f(p) - \sum_{o \in \text{Enable}(\text{Curt}(O))} \text{ratio}(o)\, f(o)$
25
HEURISTIC : Response Completion
Step 7
$R'' > R_0 \Rightarrow$ Step 4
$R'' \le R_0 \Rightarrow$ Utilize Response : $\text{Enable}(\text{Aux}(P)),\ \text{Enable}(\text{Curt}(O))$
Time Complexity : $O\big((|\text{Enable}(\text{Aux}(P))| + |\text{Enable}(\text{Curt}(O))|)\,(\log |P| + \log |O| + \sum_{t \in T} (|\hat{P}(t)| + |A(t)|))\big)$
Worst Case : $O((|P| + |O|)^2)$
Response Initiation Time : $O(1)$
26
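The managed-risk model (slides 10 and 13) and the greedy benefit-to-cost heuristic (slides 24 to 26) as an added, runnable example; this is not code from the slides or their author. The Model class, its dict-based layout, and the sample values are assumptions, and the ratios are recomputed from the current state on every iteration instead of the incremental update of step 5.

```python
# Added example, not from the slides: managed risk R' = sum_t T(t) V'(t) C'(t) and the greedy
# benefit-to-cost heuristic of slides 24-26 on constructed toy data (Model layout is assumed).
from dataclasses import dataclass

@dataclass
class Model:
    likelihood: dict  # T(t) per threat
    perms_of: dict    # P^(t): permissions threat t can exercise
    assets_of: dict   # A(t): objects threat t can reach
    v: dict           # static exposure v(p) in {0, 1}
    v_dyn: dict       # dynamic exposure v'(p) in [0, 1]
    cia: dict         # c(o) + i(o) + a(o) per object
    cost: dict        # f(p), f(o): frequency of the permission / object in the workload

def vuln(m, t, aux):
    """V'(t): safeguarded permissions (aux) contribute v(p)*v'(p), the rest v(p)."""
    return sum(m.v[p] * (m.v_dyn[p] if p in aux else 1.0) for p in m.perms_of[t]) / len(m.perms_of[t])
def cons(m, t, curt):
    """C'(t): curtailed objects (curt) contribute nothing."""
    return sum(m.cia[o] for o in m.assets_of[t] if o not in curt)
def risk(m, aux=frozenset(), curt=frozenset()):
    """Managed risk R'; with empty aux and curt it is the unmanaged risk R."""
    return sum(m.likelihood[t] * vuln(m, t, aux) * cons(m, t, curt) for t in m.likelihood)
def ratios(m, aux, curt):
    """Steps 1-2: benefit-to-cost ratio of every response not yet enabled (recomputed each call)."""
    r = {}
    for p in m.v:
        if p not in aux:  # safeguarding p cuts its term in V'(t) by v(p)(1 - v'(p)) / |P^(t)|
            r[p] = sum(m.likelihood[t] * cons(m, t, curt) * m.v[p] * (1 - m.v_dyn[p])
                       / len(m.perms_of[t]) for t in m.likelihood if p in m.perms_of[t]) / m.cost[p]
    for o in m.cia:
        if o not in curt:  # curtailing o drops c(o)+i(o)+a(o) from every C'(t) that reaches it
            r[o] = sum(m.cia[o] * m.likelihood[t] * vuln(m, t, aux)
                       for t in m.likelihood if o in m.assets_of[t]) / m.cost[o]
    return r
def reduce_risk(m, r0):
    """Steps 3-7: enable the best-ratio response until R'' <= R0; returns (aux, curt, R'')."""
    aux, curt = set(), set()
    while risk(m, aux, curt) > r0:
        r = ratios(m, aux, curt)
        if not r or max(r.values()) <= 0:
            break  # no remaining response lowers risk
        best = max(r, key=r.get)
        (aux if best in m.v else curt).add(best)
    return aux, curt, risk(m, aux, curt)

# Constructed sample: two threats, three permissions, two objects; each greedy step lowers
# risk by exactly ratio(r) * f(r) of the chosen response, as step 6 of the slides states.
MODEL = Model(likelihood={"t1": 0.5, "t2": 0.2},
              perms_of={"t1": {"p1", "p2"}, "t2": {"p2", "p3"}}, assets_of={"t1": {"o1"}, "t2": {"o1", "o2"}},
              v={"p1": 1, "p2": 1, "p3": 0}, v_dyn={"p1": 0.2, "p2": 0.5, "p3": 0.9},
              cia={"o1": 6, "o2": 3}, cost={"p1": 1, "p2": 4, "p3": 1, "o1": 10, "o2": 2})
```

With the sample data, the unmanaged risk is 3.9; a threshold of 2.0 is met by safeguarding p1 and then p2 (risk 1.5), and a threshold of 1.0 additionally curtails o1 (risk 0.15).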