Professional Documents
Culture Documents
State Space Explosion Mitigation For Large-Scale Attack and Compliance Graphs Using Synchronous Exploit Firing
State Space Explosion Mitigation For Large-Scale Attack and Compliance Graphs Using Synchronous Exploit Firing
State Space Explosion Mitigation For Large-Scale Attack and Compliance Graphs Using Synchronous Exploit Firing
ABSTRACT Attack and compliance graphs are useful tools for cybersecurity and regulatory or compliance
analysis. Thgraphs represent the state of a system or a set of systems, and can be used to identify all current
or future ways the systems are compromised or at risk of violating regulatory or compliance mandates.
However, due to their exhaustiveness and thorough permutation checking, these graphs suffer from state
space explosion - the graphs rapidly increase in the total number of states, and likewise, their generation
time also rapidly increases. This state space explosion in turn also slows the analysis process. This work
introduces a mitigation technique called synchronous firing, where graph users and designers can prevent
the generation of infeasible states by firing exploits simultaneously through joining inseparable features like
time. This feature does not invalidate the integrity of the resulting attack or compliance graph by altering the
exhaustiveness or permutation checking of the generation process, but rather jointly fires exploits through
their defined inseparable features.
INDEX TERMS Attack graph, compliance and regulation, compliance graph, cybersecurity, high-
performance computing, speedup, synchronous firing.
complexity required for examining compliance statuses. Com- the approach of using alternate representations of the under-
pliance graphs are promising tools that can aid in minimizing lying graph structure through logical attack graphs. In this
the overhead caused by these systems and the regulations they representation, each node only encompasses a portion of the
must follow. network in a logical statement format, as opposed to encoding
Attack and compliance graphs are an appealing approach the entire system information at each node. This approach
since they are often designed to be exhaustive: all system is able to limit the total number of nodes to O(N 2 ), with N
properties are represented at its initial state, all attack options representing the total number of nodes in the system.
are fully enumerated, all permutations are examined, and all A form of synchronous firing is discussed by the author
changes to a system are encoded into their own indepen- of [16], where it is described as grouped exploits. The func-
dent states, where these states are then individually analyzed tionality discussed by the author is similar: firing an exploit
through the process. The authors of [12] also discuss the ad- should be performed on all possible assets simultaneously.
vantage of conciseness of attack graphs, where the final graph This was also described as synchronizing multiple exploits.
only incorporates states that an attacker can leverage; no su- The methodology is similar to the one implemented in this
perfluous states are generated that can clutter analysis. Despite work, but there are notable differences. The first, is that the
their advantages, attack graphs do suffer from their exhaus- work performed by the author of [16] utilizes global features
tiveness as well. As the authors of [3] examine, even very with group features. Using the simultaneous exploit firing
small networks with only 10 hosts and 5 vulnerabilities yield necessitated a separation of global and group features, and
graphs with 10 million edges. When scaling attack graphs to grouped exploits could not be performed on exploits that
analyze the modern, interconnected state of large networks could be applicable to both sets. A second difference is that
comprising of a multitude of hosts, and utilizing the entries there is no consistency checking in the work by the author
located in the National Vulnerability Database and any custom of [16], which could lead to indeterminate behavior or race
vulnerability testing, attack graph generation quickly becomes conditions unless additional effort was put into encoding ex-
infeasible. Similar difficulties arise in related fields, where ploits to use precondition guards. A third difference is that the
social networks, bioinformatics, and neural network represen- work of [16] could still lead to a separation of features. The
tations result in graphs with millions of states [13]. This state grouped exploit feature would attempt to fire all exploits on
space explosion is a natural by-product of the graph genera- all applicable assets simultaneously, but if some assets were
tion process, and removing or avoiding it entirely undermines not ready or capable to fire, these assets would not proceed
the overall goal of attack and compliance graphs. However, with the exploit firing but the applicable assets would. The last
there are some scenarios in which the state space explosion difference is that the work by the author of [16] was developed
can be mitigated when certain features are inseparable. Since in Python, since that was the language of the generator of
every change in the network is examined individually, and the tool at the time. This work relies on RAGE (The RAGE
no two changes can occur simultaneously, some nodes in the Attack Graph Engine) for the feature development and result
graph are created despite being infeasible. A leading cause of collection [17]. RAGE is developed in C++ for performance
this is when examining an environment over time. Assets must enhancements, so the synchronous firing feature in this new
undergo a time progression in the graph generation process, work was likewise developed in C++.
and by firing the time change separately for each asset, there is
a synchronization problem where assets may progress through III. INSEPARABLE FEATURES
time disjointly from other assets. This work introduces a so- One main appeal of attack graphs and compliance graphs are
lution to this problem with synchronous exploit firing, which their exhaustiveness. The ability to generate all permutations
mitigates state space explosion for applicable scenarios while of attack chains or to generate all possible ways a system can
maintaining accuracy of the resulting graph, and discusses the fall out of compliance is a valuable feature. The disadvantage
performance results of its use. of this approach is that the generation of the final graph in-
creases in time, as does the analysis. Another disadvantage is
that this exhaustiveness can produce states that are not actu-
II. RELATED WORK ally attainable or realistic, as briefly mentioned in Section II.
Multiple works have introduced various approaches for mit- When a system has assets that have inseparable features, the
igating state space explosion. The authors of [14] propose generation process forcibly separates features to examine all
that attack graphs encapsulate excessive information that lead permutations, since the generation process only modifies one
to difficulties in scalability. They discuss the concept of quality at a time. One example of an inseparable feature is
monotonicity, where attackers do not need to backtrack. If a time. If two different assets are identical and no constraints
previous exploit was achieved, its preconditions and postcon- dictate otherwise, the two assets should not, and realistically
ditions should not be revoked through another, future exploit cannot, proceed through time at different rates. For example,
firing. The authors of [15] use monotonicity in their tool, TVA, if two cars were manufactured at the same moment, one of
along with various node and edge representations based on these cars cannot proceed multiple time steps into the future
sets and dependency graphs that can likewise mitigate the while the other remains at its current time step; each car must
state space explosion challenge. The authors of [3] also take step through time at the same rate. However, the generation
1) AUTOMOBILE MAINTENANCE For this example, various graphs are generated based on
The example networks for testing the effectiveness of syn- the permutations of employees present. In one graph, only
chronous firing follow the compliance graph generation ap- Employee A is present in the network. In another graph, Em-
proach. These networks analyze two assets, both of which ployees B and C are present in the network. All permutations
are identical 2006 Toyota Corolla cars with identical qualities. are examined and results are shown in Subsection V-B3. The
The generation examines both cars at their current states, and graph generation process walks through as a system adminis-
proceeds to advance in time by a pre-determined amount, up trator removes the torrenting software and the illicit data from
to a pre-determined limit. Each time increment updates each the company devices. Typically when removing torrenting
car by an identical amount of mileage. During the generation software, the data associated with the torrenting program can
process, it is determined if a car is out of compliance either be removed at the same time as the uninstall automatically;
through mileage or time since its last maintenance in accor- an administrator does not need to remove the torrenting pro-
dance with the Toyota Corolla Maintenance Schedule manual. gram and then separately remove the data. Without the use
In addition, the tests employ the use of “services”, where of synchronous firing, attack and compliance graphs must
if a car is out of compliance, it will go through a correction individually remove all data and all programs individually.
process and reset the mileage and time since last service. This example highlights the capability of synchronous firing
Each test varies in the number of services used. The 1 Service by grouping the removal of software and data together through
case only employs one service, and it is dedicated to brake “uninstall” groups, as opposed to traditional attack and com-
pads. The 2-Service case employs two services, where the pliance graphs requiring multiple steps to remove the software
first service is dedicated to the brake pads, and the second is and data.
for exhaust pipes. This process extends to the 3-, 4-, 5-, and This experimental setup is as follows:
6-Service cases. The experimental setup is as follows: r Employee A has torrenting software, and is actively up-
r All cases ran for 12 months, with time steps of 1 mo. loading and downloading 3 programs.
r All cases had the same number of compliance checks: r Employee B has torrenting software, and is actively up-
brake pads, exhaust pipes, vacuum pumps, AC filters, oil loading and downloading 4 programs.
changes, and driveshaft boots. r Employee C has torrenting software, and is actively up-
r There were 12 base exploits, and an additional 6 exploits loading and downloading 5 programs.
were individually added in the form of services for each r If synchronous firing is not enabled, the administrator re-
test. moves each illicit program one-by-one after the removal
r All cases used the same network model. of the torrenting software.
r All cases used the same exploit file, with the exception r If synchronous firing is enabled, the administrator re-
of the “group” keyword being present in the synchronous moves the torrenting software and all programs off a
firing testing. single device simultaneously.
r All services must be performed prior to advancing time, r Graph visualization was not timed. Only the generation
if services are applicable. and database operation time was measured.
r Graph visualization was not timed. Only the generation The compliance checks are as follows:
and database operation time was measured. r Does an employee have torrenting software?
The compliance checks are as follows: r Does an employee have illicit data?
r Brake pads: to be checked every 6 months
r Exhaust pipes: to be checked every 12 months
r AC filter: to be checked every 12,000 miles B. RESULTS AND ANALYSIS
r Vacuum pump: to be checked every 120,000 miles 1) RESULTS FOR THE THEORETICAL AUTOMOBILE
r Engine oil: to be checked every 6,000 miles ENVIRONMENT
r Driveshaft boots: to be checked every 12,000 miles Using the experimental setup described in Section V-A on the
platform described at the beginning of Section V-A, results
were collected in regards to the effect of synchronous firing on
2) DMCA TAKEDOWN both state space and runtime. The graphs’ edge to state ratio
A second example of synchronous firing is illustrated through (E/S Ratio) was computed as well. The inclusion of this ratio
a DMCA Takedown for a fictitious organization [19]. In this allows for a comparison to be drawn regarding the usage of the
example, a DMCA Takedown is issued to an organization synchronous firing feature. Examining this ratio can provide
after a group of employees were found to be engaging in additional insight on how the graph’s underlying topological
online piracy with torrenting software on company devices structures change when using or not using synchronous firing.
and while using company resources. Detection and removal The results can be seen in Figs. 5 and 6. The respective tables
of illicit data, such as through means presented by the authors are seen in Tables 1 and 2. Both figures show a decrease in
of [20] for Windows or [21] for company-supplied Android the number of states and a decrease in the runtime when syn-
mobile devices, can be incorporated into and represented by a chronous firing is utilized. Since synchronous firing prevents
compliance graph. the generation of unattainable states, there is no meaningful
TABLE 3. Results for the Comprehensive Services Without Synchronous TABLE 4. Results for the Comprehensive Services With Synchronous Firing
Firing
TABLE 5. Results for the Non-Synchronous Firing Testing FIGURE 11. Synchronous Firing on State Space and Runtime for the DMCA
Takedown Environment.
VII. CONCLUSION
This work implemented a state space explosion mitigation
technique called synchronous firing. This feature is able to
fire exploits simultaneously among a group of assets through
a single state transition. By firing exploits across multiple as-
sets, it is able to prevent the separation of features that should
normally be inseparable (such as time), and successfully re-
duces the number of total states in the resulting attack or
FIGURE 12. Speedup (Amdahl’s) and State Space Reduction Factor
Obtained When Using Synchronous Firing. compliance graph. This feature does not alter the procedure of
the generation process in a way that undermines the integrity
of the resulting attack or compliance graph, and only groups
VI. FUTURE WORKS assets through defined inseparable features. This feature is
As seen and discussed in Section III, when unattainable states also toggleable, and the generation process seen in Fig. 3 does
are generated, there is a compounding effect. Each unattain- not change if the feature is disabled. This feature successfully
able state is explored, and is likely to generate additional reduced the total number of states, reduced the runtime of the
unattainable states. Future works include examining the effect generation process, and can lead to a reduced analysis process
of synchronous firing when more assets are utilized. It is hy- due to a smaller resulting graph.
pothesized that the synchronous firing approach will lead to an
increased runtime reduction and state space reduction due to
the increased number of unattainable state permutations. This REFERENCES
work had a limited number of assets, but generated upwards of [1] C. Phillips and L. P. Swiler, “A graph-based system for network-
vulnerability analysis,” in Proc. New Secur. Paradigms Workshop, 1998,
400,000 states due to repeated applications of the exploit set pp. 71–79, doi: 10.1145/310889.310919.
due to the services corresponding with the compliance graph. [2] B. Schneier, “Attack trees: Modeling security threats,” Dr. Dobb’s J.,
Future work could alter the scenario to have a greater number vol. 24, no. 12, pp. 21–29, Dec. 1999. [Online]. Available: https://www.
schneier.com/academic/archives/1999/12/attack_trees.html
of assets, and a standard set of exploits more akin to an attack [3] X. Ou, W. F. Boyer, and M. A. Mcqueen, “A scalable approach to attack
graph rather than a compliance graph. Other future works graph generation,” in Proc. 13th ACM Conf. Comput. Commun. Secur.,
could include measuring the performance of synchronous fir- pp. 336–345, 2006.
[4] A. T. Al Ghazo, M. Ibrahim, H. Ren, and R. Kumar, “A2G2V: Au-
ing when multiple groups of inseparable features are used. tomated attack graph generator and visualizer,” in Proc. 1st ACM
This work used a single group, but multiple groups be added MobiHoc Workshop Mobile IoT Sens. Secur. Privacy, Ser. Mobile IoT.
to examine the performance of the feature. 2018, pp. 1–6, doi: 10.1145/3215466.3215468.
[5] M. Li, P. Hawrylak, and J. Hale, “Strategies for practical hybrid
Another avenue for future work would be to take a network attack graph generation and analysis,” Digit. Threats, Oct. 2021,
science approach. There may be features of interest from ex- doi: 10.1145/3491257.
amining the topology of the resulting graphs with and without [6] L. Muñoz González, D. Sgandurra, A. Paudice, and E. C. Lupu,
“Efficient attack graph analysis through approximate inference,”
synchronous firing. Various centrality metrics could be exam- ACM Trans. Privacy Secur., vol. 20, no. 3, pp. 1–30, Jul. 2017,
ined, as well as examining transformations such as dominant doi: 10.1145/3105760.
trees or transitive closures derived from the original graphs. [7] H. Wang, Z. Chen, J. Zhao, X. Di, and D. Liu, “A vulnerability assess-
ment method in industrial Internet of Things based on attack graph and
Each approach could compare each graph when using or not maximum flow,” IEEE Access, vol. 6, pp. 8599–8609, 2018.
using synchronous firing to determine if there are possible [8] T. Gonda, T. Pascal, R. Puzis, G. Shani, and B. Shapira, “Analysis of
points of interest. Taking a network science approach could attack graph representations for ranking vulnerability fixes,” in Proc.
GCAI, 2018, pp. 215–228.
also examine and analyze the E/S Ratio of the graphs when [9] J. Hale, P. Hawrylak, and M. Papa, “Compliance method for a cyber-
using or not using synchronous firing, and attempt to provide physical system,” U.S. Patent 9,471,789, Oct. 18, 2016.
further insight on what those differences mean in terms of [10] N. Baloyi and P. Kotzé, “Guidelines for data privacy compliance: A
focus on cyberphysical systems and Internet of Things,” in Proc. South
usability of the graphs. Afr. Inst. Comput. Sci. Inf. Technol.2019, pp. 1–12.
Introducing service heuristics could improve the charac- [11] E. Allman, “Complying with compliance: Blowing it off is not an
teristics of synchronous firing. If services are performed too option,” ACM Queue, vol. 4, no. 7, pp. 18–21, 2006.