DOI: 10.1145/3664476.3664523
ARES Conference Proceedings · Research article · Open access

Adversary Tactic Driven Scenario and Terrain Generation with Partial Infrastructure Specification

Published: 30 July 2024

Abstract

Diverse, accurate, and up-to-date training environments are essential for training cybersecurity experts and autonomous systems. However, preparation of their content is time-consuming and requires experts to provide detailed specifications. In this paper, we explore the challenges of automated generation of the content (composed of scenarios and terrains) for these environments.
We propose new models to represent the cybersecurity domain and its associated action spaces. These models are used to create sound and complex training content from partial specifications provided by users. We compare the results with a real-world complex malware campaign to assess the realism of the synthesized content. To further evaluate the correctness and variability of the results, we apply kill-chain attack graph generation to the generated training content to assess the internal correspondence of its key components.
Our results demonstrate that the proposed approach can create complex training content similar to advanced attack campaigns, which passes evaluation for soundness and practicality. Our proposed approach and its implementation significantly contribute to the state of the art, enabling novel approaches to cybersecurity training and autonomous system development.

        Published In

        ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security
        July 2024
        2032 pages
        ISBN:9798400717185
        DOI:10.1145/3664476
        This work is licensed under a Creative Commons Attribution International 4.0 License.

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. adversary framework
        2. attack scenario generation
        3. cyber terrain generation
        4. cybersecurity model

        Qualifiers

        • Research-article
        • Research
        • Refereed limited

        Funding Sources

        • Ministry of the Interior of the Czech Republic

        Conference

        ARES 2024

        Acceptance Rates

        Overall Acceptance Rate 228 of 451 submissions, 51%

        Article Metrics

        • Total Citations: 0
        • Total Downloads: 157
        • Downloads (last 12 months): 157
        • Downloads (last 6 weeks): 31
        • Reflects downloads up to 13 Feb 2025
