JP-7856469-B2 - A method for automatically deriving attack paths in a network.
Inventors
- Roberto Bruttomesso
- Alessandro Cavallaro Corti
- Moreno Carullo
- Andrea Carcano
Assignees
- Nozomi Networks Sagl
Dates
- Publication Date: 2026-05-11
- Application Date: 2022-04-07
- Priority Date: 2021-04-08
Claims (16)
- A method for automatically deriving attack paths in a network, comprising: defining (10) the topology of the network as an enhanced network topology based on the packets exchanged within the network; identifying (20) the vulnerabilities of the topology as vulnerability information artifacts; constructing (30) an atomic attack database of the network based on the topology and the vulnerabilities; translating (40) the enhanced network topology, the vulnerability information artifacts and the atomic attack database into a predefined formal model; running (50) a predefined SMT-based model checker on the predefined formal model to search for counterexamples; and deriving (60) the attack path from the counterexample; wherein defining the topology (10) comprises a computer data processing unit, operatively connected to the network, executing a deep packet inspection module of the network to construct the network topology from information derived from the packets by the deep packet inspection module, and executing an active query module of the network to construct the enhanced network topology from further information derived from the packets by active queries, the further information being added to the network topology; wherein identifying the vulnerabilities (20) comprises the computer data processing unit running a vulnerability assessment module to identify the vulnerability information artifact of each node of the network based on a match between the node information of the enhanced network topology and known vulnerabilities in a predefined vulnerability database; and wherein constructing the atomic attack database (30) comprises, as a prerequisite, discovering one or more atomic attacks against the network and an action that captures the state of the system at a given moment, the action being expressed in terms of a set of node features.
- The method for automatically deriving attack paths in a network according to claim 1, wherein the predefined formal model is a circuit formal model.
- The method for automatically deriving attack paths in a network according to claim 1, wherein the SMT-based model checker is a circuit-based SMT-based model checker.
- The method for automatically deriving an attack path in a network according to claim 3, wherein the circuit-based SMT-based model checker defines the circuit with a global clock that divides execution into discrete time steps.
- The method for automatically deriving an attack path in a network according to claim 4, wherein the circuit comprises: primary inputs, ports through which data from outside can flow into the circuit; primary outputs, ports through which the circuit can emit data; latches, the basic memory elements capable of holding such data; gates, stateless combinational elements that compute basic logic functions; comparators, stateless comparison elements; and constants, boolean or symbolic constants that output the same value at every one of the time steps.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the primary input is of boolean or integer type.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the primary output is of boolean or integer type.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the latch is of boolean or integer type.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the latch holds an initial value, namely the value it carries when the circuit starts at the first time step.
- The method for automatically deriving an attack path in a network according to claim 9, wherein the latch is updated with a new value at each subsequent time step.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the basic logic function of the gate is AND, OR, or NOT.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the gate takes the boolean data and returns the boolean data.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the stateless comparator implements the comparisons ≤, <, =, > and ≥.
- The method for automatically deriving an attack path in a network according to claim 5, wherein the stateless comparator takes integer data and returns boolean data.
- The method for automatically deriving an attack path in a network according to claim 5, wherein at each of the time steps the value of each primary input for the current time step is read, and the primary input values and the latch values at the current time step are processed by the gates and comparators, which produce the latch values for the next time step and the primary output values for the current time step.
- The method for automatically deriving an attack path in a network according to claim 15, wherein a latch is created for each of the nodes and for each feature of each node, and the values of the latches at a time step define the state of the system at that time step.
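As an added worked example (not code from the patent or from Nozomi Networks), the following Python script builds the circuit model of claims 5, 15 and 16 for a constructed three-node network: one latch per node feature, an atomic attack database whose preconditions are comparisons over those latches combined by AND gates, and a global clock that reads the chosen attack as the primary input at each time step. The node names, features, edges and attack names are assumptions made up for the illustration and imply no real vulnerabilities. The claims hand the unrolled circuit to an SMT-based model checker; here a bounded explicit search over attack sequences stands in for the solver so that the script runs without any SMT library, and the counterexample it returns is the attack path of step (60).

```python
"""Bounded model checking of a small network attack-path model.

Added illustration; not code from the patent or from Nozomi Networks.  The
topology, node features and atomic attacks are constructed, and an explicit
bounded search over attack sequences stands in for the SMT-based model checker
of the claims: the unrolled circuit is the same, only the solving differs.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Latch = Tuple[str, str]        # (node, feature): one latch per node feature (claim 16)
State = Dict[Latch, int]       # latch values at one time step; booleans stored as 0/1
Edge = Tuple[str, str, str]    # (n1, protocol, n2), the description's edge definition

NODES = ("web", "db", "plc")
FEATURES = ("compromised", "priv")   # priv: 0 none, 1 user, 2 root

# Constructed enhanced topology: the only protocols the DPI/active-query stage saw.
EDGES: FrozenSet[Edge] = frozenset({
    ("internet", "http", "web"),
    ("web", "mysql", "db"),
    ("db", "modbus", "plc"),
})


@dataclass(frozen=True)
class AtomicAttack:
    """One entry of the atomic attack database (claim 1, step 30).

    pre  : precondition over latch values, built from comparators (>=, ==)
           combined by AND gates (claims 11-14).
    post : latch values at the next time step when the attack fires.
    edge : edge the attack travels over, or None for a purely local step.
    """
    name: str
    pre: Callable[[State], bool]
    post: Dict[Latch, int]
    edge: Optional[Edge] = None


# Constructed attacks; the names are hypothetical and name no real CVE.
ATTACKS: List[AtomicAttack] = [
    AtomicAttack("web_rce", lambda s: True,
                 {("web", "compromised"): 1, ("web", "priv"): 1},
                 edge=("internet", "http", "web")),
    AtomicAttack("web_privesc",
                 lambda s: s[("web", "compromised")] == 1 and s[("web", "priv")] >= 1,
                 {("web", "priv"): 2}),
    AtomicAttack("db_cred_reuse", lambda s: s[("web", "priv")] >= 2,
                 {("db", "compromised"): 1, ("db", "priv"): 2},
                 edge=("web", "mysql", "db")),
    AtomicAttack("plc_modbus_write", lambda s: s[("db", "compromised")] == 1,
                 {("plc", "compromised"): 1},
                 edge=("db", "modbus", "plc")),
]


def initial_state() -> State:
    """Latch values at the first time step (claim 9): nothing compromised."""
    return {(n, f): 0 for n in NODES for f in FEATURES}


def enabled(attack: AtomicAttack, state: State, edges: FrozenSet[Edge]) -> bool:
    """AND gate over 'edge present in the topology' and the attack's own comparisons."""
    return (attack.edge is None or attack.edge in edges) and attack.pre(state)


def step(state: State, attack: AtomicAttack, edges: FrozenSet[Edge]) -> State:
    """One tick of the global clock (claim 15).

    The primary input is the chosen attack; gates and comparators over the current
    latches decide whether it fires and produce the latch values of the next step.
    A disabled attack is a no-op: every latch keeps its value.
    """
    if not enabled(attack, state, edges):
        return state
    nxt = dict(state)
    nxt.update(attack.post)
    return nxt


def property_violated(state: State) -> bool:
    """Primary output: the safety property 'the PLC is never compromised' fails."""
    return state[("plc", "compromised")] == 1


def bounded_model_check(attacks: List[AtomicAttack], edges: FrozenSet[Edge],
                        bound: int) -> Optional[List[str]]:
    """Return the shortest counterexample (attack path) of length <= bound, or None.

    Depths are tried in increasing order, so the first hit is minimal.  An SMT
    solver would be handed the circuit unrolled to k steps with the primary
    inputs left symbolic; the search here enumerates those inputs instead.
    """
    def search(state: State, depth: int, path: List[str]) -> Optional[List[str]]:
        if property_violated(state):
            return path
        if depth == 0:
            return None
        for a in attacks:
            if not enabled(a, state, edges):   # skip no-op inputs
                continue
            found = search(step(state, a, edges), depth - 1, path + [a.name])
            if found is not None:
                return found
        return None

    for k in range(1, bound + 1):
        path = search(initial_state(), k, [])
        if path is not None:
            return path
    return None


if __name__ == "__main__":
    print("attack path:", bounded_model_check(ATTACKS, EDGES, bound=6))
    # Dropping the Modbus edge (e.g. a firewall rule between db and plc) closes the path.
    print("without db->plc Modbus:",
          bounded_model_check(ATTACKS, EDGES - {("db", "modbus", "plc")}, bound=6))
```

Running the script returns the four-step path web_rce, web_privesc, db_cred_reuse, plc_modbus_write, and None once the Modbus edge between db and plc is removed from the topology, which is how a practitioner checks that a proposed segmentation rule actually breaks the path rather than merely lengthening it. Explicit enumeration grows as the number of attacks raised to the bound k, which is the reason the claims put an SMT solver over the symbolic unrolled circuit instead.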
Description
This invention relates to the field of network security policies and, in particular, to a method for the automatic derivation of attack paths in a network.

Even well-managed networks are exposed to attacks that stem from the interaction of several complex services: a service that is secure when offered on its own can become exploitable when offered alongside other services. Many current tools address vulnerabilities in a single-host context; it is nevertheless crucial to address the vulnerabilities that arise from the configuration of the various hosts across a network. Securing cyber-physical systems (CPS) and Internet of Things (IoT) systems requires identifying how adversaries can chain the interdependencies between existing atomic vulnerabilities into a combined attack that gains unauthorized access to the system.

Network attack path analysis is an important method for analysing the security state of a computer network, because it automatically analyses the correlation between network vulnerabilities and the potential threats that result from them. Typically, vulnerabilities and the related information are correlated, their features are abstracted to build atomic attacks and a corresponding atomic attack database, and a network attack model is built from the network connectivity and the host configurations. Matching algorithms then compare the model against the atomic attack database to explore the potential attack paths that lead to a given attack target.

Building an attack graph is an essential part of forming a global view of network security, and an accurate attack graph plays a crucial role in the security of the system. Manually constructing an attack graph of more than 100 nodes is cumbersome, error-prone and impractical, so automated techniques for generating and analysing attack graphs are known.
A well-known approach uses an existing model checker together with an architecture-description tool to generate an attack graph that enumerates every sequence in which atomic-level vulnerabilities may be exploited to gain unauthorized access to the system. The architecture description captures a formal representation of the networked system, of its atomic vulnerabilities with their pre- and post-states, and of the security property of interest. The model checker automatically identifies attack sequences in the form of counterexamples; each counterexample is analysed and encoded so that it is excluded from the next run, and the procedure iterates until all attack sequences have been revealed. Finally, a visualization tool may render the generated attack graph. There is therefore a need to generate attack paths, and the associated attack graphs, accurately.

The accompanying figures show a block diagram according to one embodiment of the present invention, and a circuit modelling a network according to one embodiment of the present invention.

The present invention relates to a method for the automatic derivation of attack paths in a network. The method finds useful application in industrial automation systems, in particular in physical infrastructures and networked automation systems of every kind, such as industrial manufacturing processes, industrial power-generation processes, infrastructures for the distribution of fluids (water, oil and gas), infrastructures for the production and/or transmission of electricity, and infrastructures for transportation management. It also finds useful application in every technological environment, including information technology (IT), operational technology (OT) and the Internet of Things (IoT).
In this invention, the term "network protocol" refers to a system of rules between entities on a network that describes how the bytes making up the exchanged messages are structured so that the entities can understand each other. Notable examples of network protocols are TCP/IP, Modbus and BACnet. The term "packet" means a finite sequence of bytes representing a message exchanged between entities on a network; each protocol defines a specific structure for the packets that are transmitted or received. The term "node" means a device in a network capable of receiving and/or transmitting data over a wired or wireless connection; a node is identified by a unique identifier, such as a MAC address or an IP address. The term "edge" refers to a direct communication between nodes n1 and n2 in a network via protocol p, represented as the triple (n_1, p, n_2); several edges can exist between the same two nodes, each using a different communication protocol. The term "network topology graph" refers to an abstraction of the structure of a network, represented as a labelled graph G(N,E,P), where N is a set of nod