Computing Risk without Numbers: A Semantic Approach to Risk Metrics - Tim Keanini


Scoring methods are highly reliant on mathematics but what do the numbers really mean? W3C semantic standards allow us to create a more direct meaning-based model. Through set theory and description logics, we can compute classification and ranking through ontological-based reasoning. This method finally addresses the multiple viewpoints and perspectives often found within a large enterprise.

    Presentation Transcript

    • Computing Risk Without Numbers: A Semantic Approach to Risk Metrics. Tim “TK” Keanini, CTO. © nCircle 2010. All rights reserved.
    • Scoring Systems and Everyday Classification
      • Credit-worthiness class
      • Legal to drink / legally drunk
      • Weight class
      • Social-economic class
      • Age class
      Given a number, within a social context, we are able to infer membership to a class.
      * The terms ‘Set’ and ‘Class’ are synonymous in this presentation.
    • Scoring Systems: syntax and semantics
      • Numbers digitize certain aspects of an observable domain
        – They also help ignore what is not being counted!
      • Unlike the physical domain, before we can count things in the information domain, we must all agree on what is being counted.
        – The challenge is that we don’t share the same domain expertise and understanding across an enterprise.
      • Scoring systems are dependent on social processes that institutionalize semantics.
        – They often fall short when asked to support multiple perspectives and points of view.
    • The role of Classification and Ranking
      • Classification methods help us explain how many different things are the same.
        – Naming (enumeration) differentiates the members of the set.
      • Ranking methods help us explain how the same things [members of the class] are different.
      * Ranking is just one of the many methods of member differentiation.
    • Thinking in Sets/Class and Membership
      Example: “There are 3 blue triangles.” The triangle is a member of the intersection of the set Blue, the set Triangle and the set Three. [Diagram: Venn diagram of the sets Blue, Triangle and Three.]
    • Scoring Systems as a Ranking Function
      • Scoring Systems help us rank the members of a certain class.
        – CVSS does well in ranking members of the vulnerability class.
      [Diagram: a set whose members are vulnerabilities (v), each placed on the CVSS scale from 1.0 to 10.0. * Temporal and Environmental metrics are omitted in this diagram.]
    • Scoring systems: Challenges
      • Can be too coarse?
        – Too many of one number?
      • Can be too precise?
        – Too many to be actionable.
      • But ultimately, we end up with a classification scheme that is actionable and meaningful to a particular community’s Point of View (POV).
      [Diagram: the CVSS scores from 10.0 down to 1.0, with a count of vulnerabilities per score band (472377, 86335, 70357, 69372, 65822, 4577, 4116, 646, 601, 72, 14, 12), read through three points of view: POV 1 Score Cards (letter grades F, D, C, B, A), POV 2 Compliance (FAIL / PASS), POV 3 IT Operations (Fix in 1 hour / Fix in 7 days / Fix in 30 days).]
      Scoring systems today do not carry with them enough information to support multiple interpretations of the numbers.
    • Summary of Scoring System Challenges
      • Ensuring that everyone understands the aspects of the scoring system the same way has been challenging.
        – Given the heterogeneous viewpoints of an enterprise, this could be impractical.
        – If it is at all practical, it may be lossy.
        – Often too static for the dynamic nature of the world it is modeling.
      • The scoring system accounts for each member in isolation.
        – Difficult to account for compositional vulnerabilities.
        – Difficult to model the relationships between members of certain classes.
      • The numbers are not precise enough, or too precise.
      • Ultimately, computing the membership to meaningful sets is the goal.
    • W3C Semantic Technologies
    • W3C Semantic Technology Stack
      – Ontologies: OWL (OWL-Full, OWL-DL, OWL-Lite); Inference
      – Querying: SPARQL
      – Vocabularies: RDFS
      – Data Interchange: RDF
      – Structure Access: XML Query
      – Validation: XML Schema
      – Syntax: XML / Namespaces
      – Coding Identifiers: URI
      – Character Set: UNICODE
    • RDF – Resource Description Framework
      [Diagram: the W3C Semantic Technology Stack with the marker “YOU ARE HERE” on the Data Interchange: RDF layer.]
    • RDF – Labeled-Directed Graph
      • Data Model is a ‘labeled-directed graph’
        – All nodes and arcs have some type of label (identifier)
        – Arcs point only in one direction
      [Diagram: nodes WebServer, SharedLibrary, Apache, OpenSSL, Apache123 (version 1.3.30, installed 5/13/2009) and OpenSSL456 (version 0.9.7c), connected by labeled arcs.]
    • RDF – Statements in the form of a triple
      • All statements in the form of a triple
        – Subject-Predicate-Object (S,P,O), e.g. Apache -rdfs:subClassOf-> WebServer
        – A set of these triples begins to model a domain in the form of a graph

      Subject (S)     Predicate (P)      Object (O)
      Apache          rdfs:subClassOf    WebServer
      Apache123       rdf:type           Apache
      Apache123       dct:hasVersion     1.3.30
      Apache123       :installedOn       05/13/2009
      Apache123       :bundles           OpenSSL456
      OpenSSL456      dct:hasVersion     0.9.7c
      OpenSSL456      rdf:type           OpenSSL
      OpenSSL         rdfs:subClassOf    SharedLibrary

    • RDF – Graph Model
      [Diagram: the triples from the table above drawn as a labeled-directed graph: WebServer, SharedLibrary, Apache, OpenSSL, Apache123 (1.3.30, 5/13/2009) and OpenSSL456 (0.9.7c).]
    • RDF – Different Syntax
      • How one would express: Apache is a member of the set Webserver
      • RDF/XML:
        <rdf:Description rdf:about="#Apache">
          <rdf:type rdf:resource="#Webserver"/>
        </rdf:Description>
      • N3:
        :Apache rdf:type :Webserver .
        :Apache a :Webserver .
      • RDF/XML-ABBREV:
        <Webserver rdf:ID="Apache"/>
      • See also: TURTLE and N-TRIPLE
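The slide lists the same statement in several syntaxes. As an added example (not part of the deck and not nCircle code), here is a small parser for the N3/Turtle form shown on the slide (prefix declarations, the `a` shorthand for rdf:type, quoted literals) together with an N-Triples writer, so the same statements can be moved between two of the syntaxes the slide names. The example.org namespace and the sample statements are constructed; the parser accepts one statement per line, each terminated by a blank-separated ` .`.

```python
"""Turtle/N3-subset parser and N-Triples serializer (added example)."""
import re

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Tokens: a quoted literal (escapes kept as written), a <full IRI>, or any
# other run of non-blank characters (prefixed names, `a`, `@prefix`, `.`).
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|<[^>]*>|\S+')


def expand(term, prefixes):
    """Resolve one term to ("iri", value) or ("literal", value)."""
    if term == "a":  # Turtle shorthand for rdf:type
        return ("iri", RDF_NS + "type")
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return ("literal", term[1:-1])
    if term.startswith("<") and term.endswith(">"):
        return ("iri", term[1:-1])
    prefix, sep, local = term.partition(":")
    if not sep or prefix not in prefixes:
        raise ValueError(f"undeclared or missing prefix in {term!r}")
    return ("iri", prefixes[prefix] + local)


def parse_turtle(text):
    """Parse the supported subset: one `@prefix` or one triple per line.
    Returns a list of (subject_iri, predicate_iri, (kind, value))."""
    prefixes = {}
    triples = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        if tokens[-1] != ".":
            raise ValueError(f"line {lineno}: statement must end with ' .'")
        tokens = tokens[:-1]
        if tokens[0] == "@prefix":
            if len(tokens) != 3 or not tokens[1].endswith(":") \
                    or not tokens[2].startswith("<"):
                raise ValueError(f"line {lineno}: malformed @prefix")
            prefixes[tokens[1][:-1]] = tokens[2][1:-1]
            continue
        if len(tokens) != 3:
            raise ValueError(f"line {lineno}: expected subject predicate object")
        s, p, o = (expand(t, prefixes) for t in tokens)
        if s[0] != "iri" or p[0] != "iri":
            raise ValueError(f"line {lineno}: subject and predicate must be IRIs")
        triples.append((s[1], p[1], o))
    return triples


def to_ntriples(triples):
    """Serialize as N-Triples: one `<s> <p> <o> .` or `<s> <p> "lit" .` per line."""
    lines = []
    for s, p, (kind, value) in triples:
        obj = f'"{value}"' if kind == "literal" else f"<{value}>"
        lines.append(f"<{s}> <{p}> {obj} .")
    return "\n".join(lines)


# Constructed sample in the N3 style of the slide; the example.org namespace
# is an assumption, not a vocabulary the deck defines.
SAMPLE = """\
@prefix : <http://example.org/ns#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix dct: <http://purl.org/dc/terms/> .
:Apache rdfs:subClassOf :WebServer .
:Apache123 a :Apache .
:Apache123 dct:hasVersion "1.3.30" .
:Apache123 :bundles :OpenSSL456 .
:OpenSSL456 rdf:type :OpenSSL .
"""

if __name__ == "__main__":
    print(to_ntriples(parse_turtle(SAMPLE)))
```

Running the file prints the five statements as N-Triples with every prefixed name expanded to a full IRI; a statement that uses an undeclared prefix, or that is missing its terminating ` .`, is rejected with the line number rather than silently producing a wrong IRI.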
    • RDF – Nodes and Arcs are first-class entities
      • If X is a member of the set Linux, then X is a member of the set OS.
        – Model: Linux subClass OS
        – Assertion: RedHat rdf:type Linux
        – Inference: RedHat rdf:type OS
      • If A hasCVE B, then A hasVulnerability B.
        – Model: hasCVEid subProperty hasVulnerability; hasBugtraqID subProperty hasVulnerability
        – Assertion: OpenSSL_0.9.7c hasCVEid CVE-2004-0112
        – Inference: OpenSSL_0.9.7c hasVulnerability CVE-2004-0112
    • Quick Review
      • RDF is a Labeled-Directed Graph
      • An RDF statement is made up of a Subject-Predicate-Object, sometimes called a “Triple”
      • Both nodes and arcs are first-class
      • Next Stop: The Power of Inference
    • RDF Schema
      [Diagram: the W3C Semantic Technology Stack with the marker “YOU ARE HERE” on the Vocabularies: RDFS layer.]
    • RDF Schema (RDF-S)
      • RDF Vocabulary Description Language 1.0: RDF Schema
        – Vocabulary defined with RDF statements (triples)
      • RDF-S Vocabulary is small
        – Relation between classes (Class, subClassOf)
        – Relation between properties (Property, subPropertyOf)
        – Class membership of individuals via properties (domain, range)
      • Provides some sense of “meaning” to the RDF data
        – Meaning = what we can explicitly infer from the data
        – Axioms that express exactly what inference can be drawn
        – Semantics expressed through the mechanism of inference
        – Let’s explore in the next slides how this works
    • Type Propagation
      • rdfs:Class
        :Root_Kit rdf:type rdfs:Class .
        :Malware rdf:type rdfs:Class .
      • rdfs:subClassOf
        :Root_Kit rdfs:subClassOf :Malware .
        :foobar rdf:type :Root_Kit .
        We can then infer the triple:
        :foobar rdf:type :Malware .
      AXIOM: IF A rdfs:subClassOf B . r rdf:type A . THEN r rdf:type B .
      [Diagram: Root_Kit rdfs:subClassOf Malware; foobar is a member of Root_Kit and, by inference, of Malware.]
    • Relationship Propagation
      • rdfs:Property
        :hasBrother rdf:type rdfs:Property .
        :hasSibling rdf:type rdfs:Property .
      • rdfs:subPropertyOf
        :hasBrother rdfs:subPropertyOf :hasSibling .
        :alice :hasBrother :bob .
        We can infer the triple:
        :alice :hasSibling :bob .
      AXIOM: IF P rdfs:subPropertyOf R . A P B . THEN A R B .
    • Property-Oriented versus Object-Oriented
      • Semantic data is focused on the relationship between entities and is thus Property-Oriented
      • In Object-Oriented models, an entity is understood to be a member of a class because the class acts as a “template” for its birth
      • In Property-Oriented models, an entity is understood to be a member of a class because of its relationships
      • <DOMAIN> property_P <RANGE>
        – The domain is the collection of types that use the property
        – The range is the types of values this property describes
        – Example: domain:CPE :hasVulnerability range:CVE
    • Class Membership through Relationships
      • Similar to domain and range in math
        :property_P rdfs:domain D-class .
        :property_P rdfs:range R-class .
        Domain applies to the Subject; Range applies to the Object.
      AXIOM (subject): IF P rdfs:domain D-class . x P y . THEN x rdf:type D-class .
      AXIOM (object): IF P rdfs:range R-class . x P y . THEN y rdf:type R-class .
      • Example:
        :usesSharedLib rdfs:domain :Application .
        :usesSharedLib rdfs:range :SharedLib .
        – Assertion: :Apache :usesSharedLib :OpenSSL .
        – Inference: :Apache rdf:type :Application . :OpenSSL rdf:type :SharedLib .
    • What are the limits to RDFS?
      • RDFS may not have enough detail for your modeling
        – No localized range and domain constraints
          • Can’t say that “the domain of hasParent is Child when applied to Human and Calf when applied to Elephants”
        – No existence/cardinality constraints
          • Can’t say that “all instances of person have a mother that is also a person”, or that persons have exactly 2 parents
        – No transitive, inverse or symmetrical properties
          • Can’t say that isAncestorOf is a transitive property
          • Can’t say that bundles is the inverse of isBundledBy
          • Can’t say that isMarriedTo or isPeeredWith is symmetrical
    • How can we compute the membership to a class?
    • How does inference work?
      • Basic RDF Triple: Subject, Predicate, Object
      • Basic RDFS Model
        CVE rdfs:subClassOf Vulnerability
        hasScore rdfs:domain CVE
        hasScore rdfs:range Score
      • Assert an RDF Triple
        CVE-2003-0818 hasScore 10.0
      • Results are new RDF Triples that were inferred from the model
        CVE-2003-0818 rdf:type CVE
        CVE-2003-0818 rdf:type Vulnerability
        10.0 rdf:type Score
      “We compute the membership through one object’s relationship to another.”
    • Meaningful classes within the security domain
      • Consider these sets: Secure, Top Secret, Mission Critical, Compliant
      • Also consider their complements:
        – Insecure
        – Public
        – Expendable
        – Not Compliant
      • The objective is to compute membership into some meaningful set
    • Computing membership into meaningful classes
      • Model:
        – If x hasTopSecretData y, then x is a member of TopSecret
        – If x hasCVE “CVE-2007-1748”, then x is a member of Insecure
        – Any member of TopSecret that is also a member of Insecure, assign to SLA: FIX NOW
      • Asserted:
        Host33 hasTopSecretData “file44”
        Host33 hasCVE “CVE-2007-1748”
      • Inferred:
        Host33 rdf:type SLA:FIX NOW
      [Diagram: the SLA classes FIX NOW, FIX in 4hr and FIX in 24hr beside the sets Secure/Insecure, Top Secret/Public, Mission Critical/Expendable and Compliant/Not Compliant, with Host33 placed in the intersection of Top Secret and Insecure.]
    • Change in feasibility for an entire class of attacks
      • DNS Cache Poisoning – CVE-2008-1447
      • If X/Y are DNS servers and have CVE-2008-1447, assign the hosts (a/b) whose resolvers point at members X/Y to a class called Urgent-Investigation
      [Diagram: DNS servers X and Y with CVE-2008-1447; clients a and b with resolvers pointing at them; a and b assigned to Urgent-Investigation.]
    • Complex Vulnerability Representation
      • None of these vulnerabilities would have a very high CVSS score in isolation
      • Model of the Compositional Vulnerability
        – Attacker PushExploitTo WindowsWebServerDMZ
        – WindowsWebServerDMZ isExploitedWith MS08-067
        – WindowsWebServerDMZ hasPrivateConnectionTo Int-SQLServer
        – Int-SQLServer isExploitedWith MS09-004
        – Int-SQLServer floodsNetworkWith Web-Proxy-Auto-Detect-WPAD updates for a MaliciousProxy
        – WebClients PullExploitsFrom MaliciousProxy
      • Members who satisfy the model are assigned to a set COMPROMISED
      • This can be modeled in OWL, and reasoning engines can compute the appropriate membership to meaningful classes
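The deck states its RDFS axioms (type propagation, relationship propagation, domain and range) and its security-domain rules (TopSecret and Insecure together mean SLA: FIX NOW; a client whose resolver points at a DNS server carrying CVE-2008-1447 goes into Urgent-Investigation) as IF/THEN patterns over triples. As an added example (not the deck's code and not an nCircle or W3C reasoner), the following forward-chaining engine treats all of those rules uniformly as triple patterns with `?variables`, computes the closure of a constructed fact set until nothing new can be inferred, and then answers the question the deck keeps asking: which members does a meaningful class have? The `:`-prefixed predicate and class names, the host and DNS server names, and the `SLA_FixNow` class name are assumptions made for the example; the CVE identifiers are the ones the deck uses. The same mechanism would express the compositional chain on the last slide as one multi-pattern rule, which is left out here only for length.

```python
"""Forward-chaining inference over RDF-style triples (added example, not
code from the nCircle deck). The RDFS axioms and the deck's security-domain
membership rules are all written as triple patterns with ?variables; the
facts are constructed from the deck's own examples, and the ':' predicate
and class names are assumptions, not a published vocabulary."""


def is_var(term):
    """Variables are strings starting with '?', e.g. '?x'."""
    return isinstance(term, str) and term.startswith("?")


def match(pattern, triple, bindings):
    """Unify one pattern with one triple; return extended bindings or None."""
    b = dict(bindings)
    for p, t in zip(pattern, triple):
        if is_var(p):
            if p in b and b[p] != t:
                return None
            b[p] = t
        elif p != t:
            return None
    return b


def query(triples, patterns, bindings=None):
    """Yield every binding that satisfies all patterns (a conjunctive join)."""
    bindings = bindings or {}
    if not patterns:
        yield bindings
        return
    head, rest = patterns[0], patterns[1:]
    for t in triples:
        b = match(head, t, bindings)
        if b is not None:
            yield from query(triples, rest, b)


def substitute(pattern, bindings):
    """Instantiate a rule head with the bindings found for its body."""
    return tuple(bindings[x] if is_var(x) else x for x in pattern)


def infer(facts, rules):
    """Apply every rule until no new triple appears; return the closure."""
    closure = set(facts)
    changed = True
    while changed:
        changed = False
        for body, head in rules:
            # list() materialises the matches so the set is not mutated mid-scan
            for b in list(query(closure, body)):
                new = substitute(head, b)
                if new not in closure:
                    closure.add(new)
                    changed = True
    return closure


def members(closure, cls):
    """Sorted subjects asserted or inferred to be rdf:type cls."""
    return sorted(s for s, p, o in closure if p == "rdf:type" and o == cls)


# RDFS axioms as (body patterns, head pattern)
RDFS_RULES = [
    # IF A rdfs:subClassOf B . r rdf:type A . THEN r rdf:type B .
    ([("?A", "rdfs:subClassOf", "?B"), ("?r", "rdf:type", "?A")], ("?r", "rdf:type", "?B")),
    # subClassOf chains, so deeper hierarchies propagate too
    ([("?A", "rdfs:subClassOf", "?B"), ("?B", "rdfs:subClassOf", "?C")], ("?A", "rdfs:subClassOf", "?C")),
    # IF P rdfs:subPropertyOf R . A P B . THEN A R B .
    ([("?P", "rdfs:subPropertyOf", "?R"), ("?x", "?P", "?y")], ("?x", "?R", "?y")),
    # domain applies to the subject, range to the object
    ([("?P", "rdfs:domain", "?D"), ("?x", "?P", "?y")], ("?x", "rdf:type", "?D")),
    ([("?P", "rdfs:range", "?R"), ("?x", "?P", "?y")], ("?y", "rdf:type", "?R")),
]

# The deck's "meaningful class" rules, in the same form
SECURITY_RULES = [
    ([("?x", ":hasTopSecretData", "?y")], ("?x", "rdf:type", ":TopSecret")),
    ([("?x", ":hasCVE", "CVE-2007-1748")], ("?x", "rdf:type", ":Insecure")),
    # TopSecret and Insecure -> SLA: FIX NOW
    ([("?x", "rdf:type", ":TopSecret"), ("?x", "rdf:type", ":Insecure")], ("?x", "rdf:type", ":SLA_FixNow")),
    # clients whose resolver points at a DNS server that has CVE-2008-1447
    ([("?s", "rdf:type", ":DNSServer"), ("?s", ":hasCVE", "CVE-2008-1447"), ("?c", ":resolverPointsAt", "?s")],
     ("?c", "rdf:type", ":UrgentInvestigation")),
]

FACTS = {  # constructed facts, following the deck's examples
    (":Root_Kit", "rdfs:subClassOf", ":Malware"), (":foobar", "rdf:type", ":Root_Kit"),
    (":hasBrother", "rdfs:subPropertyOf", ":hasSibling"), (":alice", ":hasBrother", ":bob"),
    (":usesSharedLib", "rdfs:domain", ":Application"), (":usesSharedLib", "rdfs:range", ":SharedLib"),
    (":Apache", ":usesSharedLib", ":OpenSSL"),
    (":hasCVEid", "rdfs:subPropertyOf", ":hasVulnerability"), (":OpenSSL_0.9.7c", ":hasCVEid", "CVE-2004-0112"),
    (":Host33", ":hasTopSecretData", "file44"), (":Host33", ":hasCVE", "CVE-2007-1748"),
    (":dnsX", "rdf:type", ":DNSServer"), (":dnsX", ":hasCVE", "CVE-2008-1447"),
    (":dnsY", "rdf:type", ":DNSServer"),  # no CVE-2008-1447 asserted for dnsY
    (":clientA", ":resolverPointsAt", ":dnsX"), (":clientB", ":resolverPointsAt", ":dnsY"),
}


def inferred_closure():
    """All asserted plus inferred triples for FACTS under both rule sets."""
    return infer(FACTS, RDFS_RULES + SECURITY_RULES)


if __name__ == "__main__":
    for t in sorted(inferred_closure() - FACTS):  # print only what was inferred
        print(t)
```

Running the file prints only the inferred triples: foobar is Malware, alice hasSibling bob, Apache is an Application and OpenSSL a SharedLib, OpenSSL_0.9.7c hasVulnerability CVE-2004-0112, Host33 lands in TopSecret, Insecure and therefore SLA_FixNow, and only clientA (not clientB, whose resolver points at the unaffected server) lands in UrgentInvestigation. Because the rules are data rather than code, each point of view from the "Challenges" slide can keep its own rule set over the same asserted facts, which is the deck's answer to scores that cannot carry multiple interpretations.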
    • Summary
      • Challenges today
        – Sharing the same semantics across the enterprise is difficult
        – The models are too static; dynamic environments require dynamic modeling
        – Scoring does not facilitate the modeling of relationships; what is being counted is counted in isolation
      • Numbers are the means, membership to a meaningful class is the end goal
      • Using the W3C semantic technology stack, we can compute the membership to classes through the mechanism of inference