## Uncertainty in Security Analysis

**Researcher**: Hoang Nguyen

Models proliferate in security analysis. Models of systems typically include identification of devices and their interconnection. The models may include identification of software services running on some or all of those devices, device configurations, and descriptions of attackers and defenders. The problem is that in practice the information one has about the system is incomplete. There is considerable uncertainty about the predictions of a model as a result of uncertainty about the components of the model. This project aims to provide some rigor (both formal and experimental) to uncertainty analysis of security models. There is a large literature on uncertainty quantification in physical systems; there are in fact at least two journals dedicated to it. While there is much to learn from the ideas developed in that context, a significant difference exists. Physical models have some “ground truth” to which analysis can appeal and quantify variation in results relative to ground truth. In discrete models, and for security analysis in particular, such ground truth as exists is very specialized. For example, it may or may not be possible for an attacker to make lateral movement through a network from host hA to hB. Whether it is possible or not is a binary outcome. A security analysis focused on the possibility cannot with certainty say that it is not possible if the model analyzed fails to include crucial specifics. Early work on capturing uncertainty in connectivity is our own paper “An Approach to Incorporating Uncertainty in Network Security Analysis,” which first brought an uncertainty model to network reachability analysis. This paper analyzed uncertainty in the existence of paths allowing an attacker lateral movement. The project will extend the approach to include uncertainty in attacker and defender behavior, and use a more sophisticated model of belief function for traversing a potential connection.

For each of several approaches to modeling uncertainty in an attacker’s ability to reach a host or inhibit some system service, one hypothesis to test is that the approach is monotonic, i.e., including more model specifics decreases uncertainty. Another hypothesis to test is that the approach is sparse, i.e., the range of uncertainty is not much larger than it absolutely has to be, as a function of the model description about which there is uncertainty.

The main research thrust is (1) to develop uncertainty models associated with an attacker’s ability to move through a network and inhibit functionality of the network from accessed vantage points, and then (2) to evaluate those models with respect to their ability to constrain the assessment of uncertainty as tightly as possible. For a sequence of increasingly complex system models, we will construct a known “ground truth” model (GTM) from which questions of connectivity and attacker access are deterministically answerable. Then we will progress through a set of models based on the GTM that increasingly omit details about the network, attacker, and defender. For each model we will use the measures developed in Task 3 to compute the minimum uncertainty, and then compare that with the uncertainty predicted by the uncertainty model that has no access to the GTM. In this fashion, for those system models, we will test the hypotheses that the uncertainty models are monotone and sparse.

**Hard Problems Addressed**

- Resilient architectures
- Policy-governed secure collaboration
- Security metrics

**Publications**

- Hoang Hai Nguyen, Kartik Palani, and David M. Nicol, “An Approach to Incorporating Uncertainty in Network Security Analysis”,
*Hot Topics in the Science of Security**(HotSOS 2017)*, Raleigh, NC, April 10-11, 2017. [full text] - Hoang Hai Nguyen, Kartik Palani, and David M. Nicol, “Extensions of Network Reliability Analysis”,
*49th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2019)*, Portland, OR, June 24-27, 2019.