**Spotlight on Lablet Research #8**

**Project: Uncertainty in Security Analysis**

**Lablet:** University of Illinois at Urbana-Champaign

The goal of this project is to develop a mathematical basis for describing and analyzing the ability of an adversary to laterally traverse networks in the presence of uncertainty about connections and uncertainty about exploitable vulnerabilities. The research team will then use this basis to develop algorithms for quantified risk analysis of Cyber-Physical Systems (CPS).

Cyber-security vulnerabilities in CPS allow an adversary to remotely reach and damage physical infrastructure. Following the initial point of entry, the adversary may move laterally through the computer network using connections that are allowed by the access control but which give access to services with exploitable vulnerabilities. Using lateral movement, the adversary may eventually have control of monitors and actuators in the CPS, corrupt data being reported and/or issue malicious control commands, the consequences of which may inflict significant damage. Analyses of the risk of such attacks are known, under the assumption that all vulnerabilities and all connections in the cyber-system are known perfectly. They aren't. The research team, led by Principal Investigator (PI) David Nicol, is interested in developing the mathematical basis for describing the ability of the adversary to reach actuators in the presence of uncertainty with respect to the connections and the vulnerabilities which enable lateral movement.

Edges derived from the topological analysis may be thought to have "exploitation probabilities," which quantify with a single probability the possibility of the adversary traversing that edge in a lateral movement. An edge probability models the possibility of an adversary on one host A being able to connect to another host B and exploit a vulnerability there, enabling the adversary to launch further attacks from B. In a previous study, researchers used expressions of Boolean random variables to describe these probabilities, in order to escape the otherwise necessary assumption of independence among edges. Since edges quantify the likelihood of an adversary exploiting a vulnerability, distinct edges that describe the same vulnerability will not have independent probabilities. Using Boolean expressions enables researchers to describe those correlations they know must exist. The current investigation generalized this model. Point probabilities implicitly assert certainty *in the probability*. There are different reasons why an exploitation probability may be non-zero, and some uncertainty in knowing just what causes the variability in connection. The new work replaces edge probabilities with edge probability distributions, which allows greater flexibility in expressing the certainty or uncertainty of the edge probability. Using the beta distribution, one set of parameters can create a very spiked distribution centered on the mean, while another set of parameters can create a distribution with the same mean but with the probability mass spread out so that greater variance is captured. However, while beta distributions are closed under some operations, they are not closed under others, and so the new work considers how to compute the parameters of approximating betas with good accuracy.

In investigating the potential computational benefit of the beta approximation result, the research showed that with a small number of samples (fewer than a few thousand), computing the parameters of an approximating beta yields a significantly better estimate of the reliability distribution than constructing the empirical distribution. The researchers used the proposed model to study the reliability of two realistic systems, a distributed system with redundant deployment and a gas distribution network. They also completed the evaluation of the simulation-based experiments. Numerical results from Monte Carlo simulation of an approximation scheme and from two case studies strongly support the observations made above, especially for non-corner cases where the model parameters do not take extreme values. The next phase of the project is to embed the developed security model in a risk assessment framework. More specifically, the research team is systematically surveying the literature on risk assessment in SCADA systems to identify the common approaches, their abilities, and their limitations. The lessons learned will help them build their own risk assessment framework.
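The two ideas in the preceding paragraphs, edges whose traversal depends on shared Boolean vulnerability variables (so that they are correlated rather than independent) and edge probabilities that are themselves uncertain and drawn from beta distributions, can be made concrete on a toy attack graph. The following Python is an added illustration written for this summary; it is not the project's code, and the graph, host names, vulnerability labels and beta parameters are all constructed for the example. It computes the exact probability that an adversary at the entry point can reach an actuator host D, contrasts that with the answer obtained under the independent-edges assumption, and then samples the reachability under beta-distributed uncertainty and summarises the result with a method-of-moments approximating beta. The particular approximation scheme the team developed is not described on this page; method of moments is used here only as a simple stand-in.

```python
"""Toy model of lateral-movement reachability under uncertainty (added
illustration, not the project's code).  Edges are labelled with the Boolean
vulnerability variables they depend on, so edges that share a vulnerability
are correlated; each vulnerability's exploitation probability is in turn
uncertain and drawn from a beta distribution."""
import itertools
import random
import statistics
from typing import Dict, FrozenSet, Iterable, List, Tuple

Edge = Tuple[str, str]

# Constructed attack graph: an edge is traversable only when every
# vulnerability in its label is exploitable.  Both edges into D rely on the
# same vulnerability v_D, so they are NOT independent.
GRAPH: Dict[Edge, FrozenSet[str]] = {
    ("entry", "A"): frozenset({"v_A"}),
    ("A", "B"): frozenset({"v_B"}),
    ("A", "C"): frozenset({"v_C"}),
    ("B", "D"): frozenset({"v_D"}),
    ("C", "D"): frozenset({"v_D"}),
}


def reachable(edges: Iterable[Edge], source: str, target: str) -> bool:
    """Depth-first search over a concrete set of traversable edges."""
    adj: Dict[str, List[str]] = {}
    for u, v in edges:
        adj.setdefault(u, []).append(v)
    seen, stack = {source}, [source]
    while stack:
        u = stack.pop()
        if u == target:
            return True
        for v in adj.get(u, []):
            if v not in seen:
                seen.add(v)
                stack.append(v)
    return False


def reach_probability(graph: Dict[Edge, FrozenSet[str]], vuln_p: Dict[str, float],
                      source: str = "entry", target: str = "D") -> float:
    """Exact P(target reachable): enumerate every truth assignment of the Boolean
    vulnerability variables, so shared vulnerabilities are handled exactly."""
    names = sorted(vuln_p)
    total = 0.0
    for bits in itertools.product((0, 1), repeat=len(names)):
        present = {n for n, b in zip(names, bits) if b}
        weight = 1.0
        for n, b in zip(names, bits):
            weight *= vuln_p[n] if b else 1.0 - vuln_p[n]
        if weight and reachable([e for e, req in graph.items() if req <= present], source, target):
            total += weight
    return total


def reach_probability_independent_edges(graph, vuln_p, source="entry", target="D") -> float:
    """Same question under the (here wrong) assumption that edges fail independently,
    each with probability equal to the product of its vulnerability probabilities.
    It double-counts the two correlated paths into D."""
    edges = list(graph)
    edge_p = [1.0] * len(edges)
    for i, e in enumerate(edges):
        for n in graph[e]:
            edge_p[i] *= vuln_p[n]
    total = 0.0
    for bits in itertools.product((0, 1), repeat=len(edges)):
        weight = 1.0
        for p, b in zip(edge_p, bits):
            weight *= p if b else 1.0 - p
        if weight and reachable([e for e, b in zip(edges, bits) if b], source, target):
            total += weight
    return total


def beta_mean_var(a: float, b: float) -> Tuple[float, float]:
    """Mean and variance of Beta(a, b)."""
    s = a + b
    return a / s, a * b / (s * s * (s + 1.0))


def sample_mean_var(samples: List[float]) -> Tuple[float, float]:
    return statistics.fmean(samples), statistics.variance(samples)


def fit_beta(samples: List[float]) -> Tuple[float, float]:
    """Method-of-moments beta parameters for samples in (0, 1): a cheap two-parameter
    summary of the sampled reachability distribution (stand-in for the paper's scheme)."""
    m, v = sample_mean_var(samples)
    common = m * (1.0 - m) / v - 1.0
    return m * common, (1.0 - m) * common


def reach_distribution(graph, vuln_beta: Dict[str, Tuple[float, float]],
                       n_samples: int = 2000, seed: int = 1) -> List[float]:
    """Monte Carlo over the uncertainty in the edge probabilities: draw each
    vulnerability's probability from its beta, then evaluate exact reachability."""
    rng = random.Random(seed)
    out = []
    for _ in range(n_samples):
        p = {n: rng.betavariate(a, b) for n, (a, b) in vuln_beta.items()}
        out.append(reach_probability(graph, p))
    return out


# Two priors for v_D with the same mean (0.5) but different spread, as in the
# text: Beta(50, 50) is sharply peaked, Beta(2, 2) is broad.  (Constructed.)
SPIKED = {"v_A": (9, 1), "v_B": (2, 2), "v_C": (2, 2), "v_D": (50, 50)}
BROAD = {"v_A": (9, 1), "v_B": (2, 2), "v_C": (2, 2), "v_D": (2, 2)}

if __name__ == "__main__":
    p = {"v_A": 1.0, "v_B": 0.5, "v_C": 0.5, "v_D": 0.5}
    print("exact (correlated edges):", reach_probability(GRAPH, p))
    print("independent-edge assumption:", reach_probability_independent_edges(GRAPH, p))
    for label, prior in (("spiked", SPIKED), ("broad", BROAD)):
        r = reach_distribution(GRAPH, prior)
        m, v = sample_mean_var(r)
        a, b = fit_beta(r)
        print(f"{label}: mean={m:.3f} var={v:.4f} approx Beta({a:.1f}, {b:.1f})")
```

With every vulnerability probability at 0.5 and the entry edge certain, the exact answer is 0.375 while the independent-edges calculation gives 0.4375, because it treats the two edges into D as if each could succeed on its own. The two beta priors produce reachability samples with the same mean but visibly different variance, which is exactly the information a point probability throws away and an approximating beta retains.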

This research intersects the predictive security *metric problem* since researchers are attempting to predict uncertainty associated with a system model. It also intersects with resilience as a system's resilience will be established by analysis of some model and decisions (e.g., how significant the breach may be, whether to interdict and where, where to focus recovery activity) will be made as a result. Those decisions will be better informed when some notion of uncertainty is built into the model predictions, or accompanies those model predictions.

Additional details on this project can be found here.