Sequential pattern mining for ICT risk assessment and management

Baiardi, Fabrizio;Lipilini, Jacopo;Ruggieri, Salvatore;Tonelli, Federico
In press

Abstract

Security risk assessment and prevention in ICT systems rely on the analysis of data on the joint behavior of the system and its (malicious) users. The Haruspex tool models intelligent, goal-oriented agents that reach their goals through attack sequences. Data is synthetically generated through a Monte Carlo method that runs multiple simulations of the attacks against the system. In this paper, we present a sequential pattern mining analysis of the database of attack sequences. The intended objective is to extract a high-level and succinct understanding of the behavior of an attacker on the system under analysis. Such an understanding is expressed as a set of sequential patterns that cover, and possibly partition, the attack sequences. The set can be extracted in isolation, or in contrast with the behavior of other attackers. In the latter case, the sequential patterns represent a signature of the behavior of the attacker. We formally motivate the need for using the class of maximal sequential patterns in covering attack sequences, instead of frequent or closed sequential patterns. When contrasting the behavior of different attackers, we resort to distinguishing sequential patterns. We report extensive experiments on a specific case study of a system with 36 nodes, 6 attackers, and 600K attack sequences.
D’Andreagiovanni, Michele; Baiardi, Fabrizio; Lipilini, Jacopo; Ruggieri, Salvatore; Tonelli, Federico
Files for this item:
No files are associated with this item.


Use this identifier to cite or link to this item: http://hdl.handle.net/11568/941809
Citations
  • Scopus 6