Automatic Hybrid Attack Graph (AHAG) Generation for Complex Engineering Systems ^†

Abstract

Complex Engineering Systems are subject to cyber-attacks due to inherited vulnerabilities in the underlying entities constituting them. System Resiliency is determined by its ability to return to a normal state under attacks. In order to analyze the resiliency under various attacks compromising the system, a new concept of Hybrid Attack Graph (HAG) is introduced. A HAG is a graph that captures the evolution of both logical and real values of system parameters under attack and recovery actions. The HAG is generated automatically and visualized using Java based tools. The results are illustrated through a communication network example.

1. Introduction

As a result of the rapid advancement of complex engineering systems such as infrastructure, communications, energy systems, industrial automation, artificial intelligence, and cyber-physical systems, new research directions in modeling, monitoring, diagnosis, optimization, and control have emerged in recent years [1]. For instance, a control chart scheme for production processes was developed by [2] for monitoring the mean time between two events under the neutrosophic statistics using the belief estimator for the neutrosophic gamma distribution. The diagnosis and correction of many production problems which often cause huge loss to the production unit can substantially be improved with the utilization of the effective control chart technique.

In [3], the advantages of using Proportional-Integral (PI ) controller for pH control in the raceway reactor during the whole day against traditional On/Off control were demonstrated. The paper also presented an event-based control architecture for Proportional–Integral–Derivative (PID) controllers. The objective is to tune a classical time-driven PI for pH control in the raceway reactor, and then to add event-based capabilities, but keeping the initial PI control design. The event-based systems allow a trade-off between control performance and control effort, which is perfect for the microalgae process in raceway reactors. The performed tests were oriented to establish a trade-off between control effort and control performance and present an alternative to traditional control.

The applicability of the Distributed Model Predictive Control (DiMPC) was investigated in [4] to deal with the constraints in the steam/water loop of a steam power plant. A comparison was conducted between the Decentralized Model Predictive Control (DeMPC), the Centralized Model Predictive Control (CMPC), and the DiMPC. The results showed the effectiveness of the DiMPC [5] designed an Optimal Nonlinear Adaptive Control (ONAC) strategy to achieve optimal parameter tuning of Nonlinear Adaptive Control (NAC) for Voltage Source Converter (VSC) operating in both rectifier mode and inverter mode where an optimal and robust control can be achieved under different operation scenarios.

A novel pole-zero cancelation method was proposed by [6] for Multi-Input Multi-Output (MIMO) temperature control in heating process systems. In the proposed method, the temperature differences and the transient response of each point can be controlled by considering the dead time and the coupling effect of the MIMO system. In [7], the Slow-Mode-Based Control (SMBC) method combined with decoupling and dead-time compensation was applied to the MIMO temperature control system. The temperature differences and the transient response of all points can be controlled and improved by making the output of the fast modes follow that of the slow mode. The results were then compared to the conventional PI control and gradient temperature control methods.

The Deep Deterministic Policy Gradient (DDPG) technique for the optimum boost control on a Variable Geometry Turbocharger (VGT)-equipped engine is implemented by [8]. The proposed DDPG algorithm is compared with a fine-tuned PID controller to validate its optimality. The results showed that the control performance based on the proposed DDPG algorithm can achieve a good transient control performance from scratch by autonomously learning the interaction with the environment, without relying on model supervision or complete environment models.

A framework was proposed by [9] to use the structural information in each Possible Conflict (PC) for fault diagnosis of complex industrial system to design a different kind of executable model. They proposed to build grey-box models based on a state space neural network architecture derived from that structural information in the PC, which links measurements with equations, and consequently with parameters related to faulty behavior. The state space Neural Networks (ssNN) were used to track the system behavior, but once a fault detection was confirmed, the structural information in the models and the consistency-based diagnosis paradigm were used to perform fault isolation.

Total decomposition of nonstationary variables for distributed monitoring of nonstationary industrial processes was handled by [10], in which different variable blocks were separated with both overlapping and nonoverlapping relationships considered, capturing different nonstationary characteristics. A two-level monitoring strategy was designed that can supervise both the local cointegration relationships and the interrelationship among different nonstationary blocks with enhanced interpretation of the nonstationary process.

A novel diagnosis framework was proposed by [11] for considering the deep feature learning and cross-domain feature distribution alignment simultaneously for industrial applications. Extending the Marginal Distribution Adaptation (MDA) to Joint Distribution Adaptation (JDA), the proposed framework can exploit the discrimination structures associated with the labeled data in source domain to adapt the conditional distribution of unlabeled target data, and thus, guarantee a more accurate distribution matching [12]. They reviewed over 220 technical research programs in total, with more attention on the recent developments of the fault diagnosis approaches and their applications during the last decade. Knowledge-based fault diagnosis, hybrid fault diagnosis, and active fault diagnosis were reviewed comprehensively. The distinctive advantages and various constrains of these diagnosis methods were commented on. A recent survey by [1] also summarized papers on monitoring and diagnosis for complex engineering systems.

The implementation of diagnostic and prognostic architectures can aid the implementation of advanced control algorithms in a resilient control system to recognize sensor degradation, as well as failures with industrial process equipment associated with the control algorithms [13]. A resilient control system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature [14]. As a result, it is hard to obtain true expectations about the consequences when a fault/attack occurs effecting or compromising the system. Hence, evaluating systems resilience in terms of stability, performance, and recovery time is crucial and valuable for cost management and design tradeoff. The traditional Attack graphs can generate various attack scenarios compromising the system in terms of violations of a security property. However, they are only concerned with tracking the logical changes in the system parameters under attacks, as captured by the pre and post-conditions. Therefore, the novelty of this work lies in introducing and generating automatically a Hybrid Attack Graph (HAG) using our new Automatic Hybrid Attack Graph (AHAG) Java based tool that combines logical and real values of system parameters. In fact, HAG can be used to provide additional information about the expected changes that could affect the system state by different attack scenarios constituting the graph. In such cases, attack scenarios could be compared for the worst attack scenario that would compromise a system. This can be done by determining the associated real values (i.e., the resilience levels as determined in [15]). The results are illustrated through two-communication networks example. The networks models and security properties (written using Architecture Analysis & Design Language (AADL) [16] and AADL Annex Assume Guarantee REasoning Environment (AGREE) plug-in [17] that relies on JKind model-checker tool [18]) are fed to the AHAG tool, which generates all possible attack scenarios of the systems model and visualizes the graphs using Unity software [19].

This paper extends the conference version [20] significantly by introducing the concept of the Hybrid Attack Graph (HAG), and a new developed tool for its automatic generation (AHAG). The tool is implemented on communication networks example. The remainder of this paper is organized as follows: Section 1.1 reviews the related work. Section 2 describes the model based attack graph implementation through illustrative communication networks example. Section 3 explains the Level-of-resilience assessment. Section 4 presents the Hybrid Attack Graph. Section 5 introduces our AHAG tool to automatically generate the Hybrid attack graph and shows the experimental results. Section 6 summarizes and presents certain future directions.

1.1. Related Work

Existing Attack graph generation tools can be summarized as follows [21]. One research implemented a tool that consisted of three main pieces: a model builder (it takes as input information about network topology, configuration, and a library of attack rules), an attack graph generator (SPIN), and a Graphical User Interface (GUI) for graphical presentation. Topological Vulnerability Analysis (TVA), Network Security Planning Architecture (NETSPA), and Multi-host Multi-stage Vulnerability Analysis (MULVAL) tools [22]. These tools can explore all potential methods an attacker can use to corrupt an enterprise network by determining the configuration information of the hosts and the network. The Cauldron tool implemented by [23] automatically mapped all paths of vulnerability by correlating, aggregating, normalizing, and fusing data from various assets. The Network Attack Graph GENeration (Naggen) tool is developed by [24] to generate attack graph. Other research [5] has illustrated how logical attack graph complexity can be simply elevated when a network becomes denser and larger [25]. They utilized the MULVAL tool, but they changed its engine so that the trace of evaluation was recorded and sent to a graph builder.

In [26], the New Symbolic Model Checker (NuSMV) model checker was implemented to develop Attack graph counterexamples. The value iteration method was also implemented to determine the reliability of Attack graph, which allowed designers to identify which nominal set of security defenses would assure systems safety. A model-checking-based Automated Attack Graph Generator and Visualizer (A2G2V) was proposed by [27]. The proposed A2G2V algorithm used existing model-checking tools, an architecture description tool, and C code to generate an attack graph that enumerates the set of all possible sequences in which atomic-level vulnerabilities can be exploited to compromise system security. The A2G2V tool required building three main functions: a counterexample parsing function, a cyclic testing function, and a Luster model editing function.

In [28], a heuristic algorithm was used to automatically determine the optimal security hardening through cost-benefit analysis [29]. They used multiple algorithms, such as Vulnerability Node Matching, Attack Graph Optimization, Maximum Loss Flow, Path Seeking, and Multi-Objective Augmented Road Sorting, to investigate the vulnerability, estimate the global path, and determine the optimal attack path. The surveys conducted by [30,31] illustrated the state-of-the-art technologies in Attack graph construction in computer networks, and their potential development challenges. Alerts were also analyzed from intrusion detection system, and how well the approaches scaled to larger networks.

A Hybrid Attack Graph (HAG) was modeled by [32], using linguistics and type extensions of traditional attack graph given the necessary inputs of asset, topology, and fact declarations in the typed grammar. The HAG was illustrated through an example of an attacker who is trying to compromise an automotive car by forcing it to drivetoward a wall. The tool automates the task of creating HAGs by compiling the inputs specified and making the appropriate connections. A Hybrid Attack Dependency Graph (HADG) was presented by [33], which allowed discretization into intervals of the reachable and related ranges of the system’s state variables and their evolution over the execution of attacks with duration. The HAG generation software of [33] was used by [34] to model a Cyber physical System’s attack for a smart grid in which an attacker has to obtain access to a Supervisory Control and Data Acquisition (SCADA) system to cause the transformer to overheat. Thus, transformer temperature was the continuous value in question and was discretized into intervals. The HAG was built by matching exploit patterns to a particular system state.

The concept of adding priorities to HAGs was introduced by [35]; if multiple exploit preconditions were met in a given state, only those with the highest priority value would be expanded into new states of the attack graph. Lower priority exploits would then only be considered if all exploits with higher priorities failed to meet their preconditions. By applying exploit priorities as a heuristic measure, attack graph states can be explored in a more strategic manner.

A novel Hybrid Attack Model (HAM) was introduced by [36] that combines Probabilistic Learning Attacker, Dynamic Defender (PLADD) game model and a Markov Chain model to simulate the planning and execution stages of a bad data injection attack in power grid. The hybrid model is shown to be capable of modeling long time-to-completion actions in the preparation stage and short time-to-completion actions in the execution stage.

Table 1. Main characteristics and limitations of the existed studies in Hybrid Attack Graph (HAG) generation.

	Main Characteristics	Limitations
HAG [32]	Stateful graph. Captures blended attack vectors (comprising discrete and continuous exploit events). Time is implemented using a single group of global exploits, each of which increments a class of assets’ position in time depending upon its particular state.	Generation of attack graphs from nontrivial scenarios (with tens of hybrid assets) in acceptable time is daunting.
Hybrid Attack Dependency Graph (HADG) [33]	Replaces the state transition graph with a dependency graph. A hybrid attack takes a range of real values as preconditions and output a range of values as postconditions. Provides the capability of modeling continuous state variables and their evolution over the execution of attacks with duration.	The process for generating HADGs must be articulated and formalized and its performance characterized to better handle continuous variables. Expansion of the exploit list and the asset parameters in the network file is required to fully explore the attack space.
HAG [36]	Hybrid Attack Model (HAM) consists of both Probabilistic Learning Attacker, Dynamic Defender (PLADD) nodes and Markov state nodes. The attacker must have control over all PLADD nodes, which represent the preparation for an attack, to be able to execute an attack by traversing through the Markov states. Considers the time difference between the attacker’s action to prepare for an attack in comparison to the attacker’s action to execute for an attack.	The number of time steps in the Markov Chain model per unit time in the PLADD model must be specified by a domain expert. The PLADD and the Markov Chain models do not have the means to run a simulation where the time-to-completion of an action for attacker and defender can be significantly different in the preparation stage and the execution stage.
Automatic Hybrid Attack Graph (AHAG)	Stateful graph. Specifies attack patterns as sets of preconditions and postcondition. The integration of level of resilience values captures the system response under sequential attack and recovery actions.	Requires comprehensive overview of the system model and security/resiliency property. Levels-of-Resilience values need to be determined under attacks.

summarizes the main characteristics and limitations of the existed studies in HAG generation as compared to our Automatic Hybrid Attack Graph (AHAG) tool.

2. Model-Based Attack Graph Implementation

2.1. Networked Systems Examples

The two images of Figure 1a,b show two communication networks with identical clients and services (Email, File Transfer Protocol (FTP), and Video), but with different topologies [15]. In both networks, the routers R₁, R₂, and R₃ are built with Routing Protocol (RIP) [37], where the traffic is rerouted under faults as a recovery action through a redundant path (if it exists) based on hop count [37]. In addition to that, R₁ is linked to three Local Area Networks (LANs); LAN₁, LAN₂, and LAN₃, where every LAN has 10 clients. R₂ is linked to LAN₄, which has 10 clients as well. Router R₃ has three more links, which connect it, respectively, to an Email server through the Internet, an FTP server, and a Video workstation. The second communication network, CN₂, has similar clients and services as CN₁, but has a different topology.

2.2. Formal System Description for Networked Examples

The generation of Attack Graph requires an overall formal description of the system model and security property being investigated, encoded in Architecture Analysis and Design Language (AADL) and checked using JKind. Here, the formal descriptions of CN₁ and CN₂, respectively, are given as follows [20].

• Set of Routers R = 1, 2, 3, IP Cloud; Variable I ∈ {1, 2, 3, 4} (static parameters).
• Set of LANs N = 1, 2, 3, 4; Variable k ∈ {1, 2, 3, 4} (static parameters).
• Set of Service Providers S; Variable s ∈ {Ftp, Email, Video} (static parameters).
• Set of Connection Links L ⊆ R × R, R × N, R × S; Labeled l_ij ≡ Link is placed between component i and component j (static parameters).
• System Connectivity C = L; Boolean c_ij = 1 if there is a connection between component i and component j (dynamic variables).
• System Stability T; Boolean t = 1 if system is stable (dynamic variable).
• System Performance P ⊆ S; Boolean f_k = 1 if ftp service is provided to LAN k, Boolean e_k = 1 if Email service is provided on LAN k and Boolean v_k = 1 if Video service is provided on LAN k (dynamic variables).
• System recovery Action R; Variable r ∈ {p, a, d}, in case of normal operation r = p, in case of recovery action r = a, and in case of no action can be done, r = d (dynamic variables).
• Number of faulted Links that occur sequentially N; Variable n ∈ {0, 1, 2}, in case of no fault n = 0, in case of first fault n = 1, and in case of second fault n = 2 (dynamic variables).
• Attack Instance AI ⊆ A × R × R, A × R × N, A × R × S, Labeled a_ij^m ≡ Attack a on the Link between component i and component j, where m ⊆ L is a sequence of the previous faulted link(s) if exists. (static parameters)
• Pre-Attack conditions for CN₁:
  • Pre(a₁₃) ≡ (c₁₃ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₁₂) ≡ (c₁₂ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₂₃) ≡ (c₂₃ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₂₃¹³) ≡ (c₂₃ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₂₃¹²) ≡ (c₂₃ =1) ∧ (r = p) ∧ (n = 1)
  • Pre(a₁₃²³) ≡ (c₁₃ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₁₃¹²) ≡ (c₁₃ =1) ∧ (r = p) ∧ (n = 1)
  • Pre(a₁₂¹³) ≡ (c₁₂ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₁₂²³) ≡ (c₁₂ =1) ∧ (r = a) ∧ (n = 1).
• Post-Attack conditions for CN₁:
  • Post(a₁₃) ≡ (c₁₃ = 0) ∧ (r = a) ∧ (n = 1)
  • Post(a₁₂) ≡ (c₁₂ = 0) ∧ (r = p) ∧ (n = 1)
  • Post(a₂₃) ≡ (c₂₃ = 0) ∧ (r = a) ∧ (n = 1)
  • Post(a₂₃¹³) ≡ (t = 0) ∧ (c₂₃ = 0) ∧ (f₁ = f₂ = f₃ = f₄ = e₁ = e₃ = e₄ = v₂ = v₃ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₂₃¹²) ≡ (t = 0) ∧ (c₂₃ = 0) ∧ (f₄ = e₄ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₃²³) ≡ (t = 0) ∧ (c₁₃ = 0) ∧ (f₁ = f₂ = f₃ = f₄ = e₁ = e₃ = e₄ = v₂ = v₃ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₃¹²) ≡ (t = 0) ∧ (c₁₃ = 0) ∧ (f₁ = f₂ = f₃ = e₁ = e₃ = v₂ = v₃ =0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₂¹³) ≡ (t = 0) ∧ (c₁₂ = 0) ∧ (f₁ = f₂ = f₃ = e₁ = e₃ = v₂ = v₃ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₂²³) ≡ (t = 0) ∧ (c₁₂ = 0) ∧ (f₄ = e₄= 0) ∧ (r = d) ∧ (n = 2)
• Pre-Attack conditions for CN₂:
  • Pre(a₁₃) ≡ (c₁₃ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₁₂) ≡ (c₁₂ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₂₃) ≡ (c₂₃ = 1) ∧ (t = 1) ∧ (r = p) ∧ (n = 0)
  • Pre(a₂₃¹³) ≡ (c₂₃ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₂₃¹²) ≡ (c₂₃ =1) ∧ (r = p) ∧ (n = 1)
  • Pre(a₁₃²³) ≡ (c₁₃ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₁₃¹²) ≡ (c₁₃ =1) ∧ (r = p) ∧ (n = 1)
  • Pre(a₁₂¹³) ≡ (c₁₂ =1) ∧ (r = a) ∧ (n = 1)
  • Pre(a₁₂²³) ≡ (c₁₂ =1) ∧ (r = a) ∧ (n = 1).
• Post-Attack conditions for CN₂:
  • Post(a₁₃) ≡ (c₁₃ = 0) ∧ (r = a) ∧ (n = 1)
  • Post(a₁₂) ≡ (c₁₂ = 0) ∧ (r = p) ∧ (n = 1)
  • Post(a₂₃) ≡ (c₂₃ = 0) ∧ (r = a) ∧ (n = 1)
  • Post(a₂₃¹³) ≡ (t = 0) ∧ (c₂₃ = 0) ∧ (f₂ = f₃ = f₄= e₃ = e₄ = v₂ = v₃ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₂₃¹²) ≡ (t = 0) ∧ (c₂₃ = 0) ∧ (f₄ = e₄ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₃²³) ≡ (t = 0) ∧ (c₁₃ = 0) ∧ (f₂ = f₃ = f₄= e₃ = e₄ = v₂ = v₃= 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₃¹²) ≡ (t = 0) ∧ (c₁₃ = 0) ∧ (f₂ = f₃ = e₃ = v₂ = v₃ = 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₂¹³) ≡ (t = 0) ∧ (c₁₂ = 0) ∧ (f₂ = f₃ = e₃ = v₂ = v₃= 0) ∧ (r = d) ∧ (n = 2)
  • Post(a₁₂²³) ≡ (t = 0) ∧ (c₁₂ = 0) ∧ (f₄ = e₄ = 0) ∧ (r = d) ∧ (n = 2)
• Initial state: (t =1) ∧ (c₂₃ = c₁₂ = c₁₃ = 1) ∧ (f₁ = f₂ = f₃ = f₄ = e₁ = e₃ = e₄ = v₂ = v₃ = 1) ∧ (r = p) ∧ (n = 0). (Initially, the system is stable, normally operated, and no service outages).
• The security/resiliency property φ is that both CN₁ and CN₂ are always stable under the given attacks/faults. This can then be written by a CTL formula: φ ≡ AG(t = 1) ≡ AG(¬ (t = 0)).

2.3. Attack Scenarios Implementation

In this section, we present the Attack Graphs resulted by running the JKind model checker for the encoded AADL CN₁ and CN₂ descriptions, respectively, against the security property φ [20]. JKind is an infinite state model checker for checking safety properties of synchronous systems [38], which are expressed in Lustre, a formally defined, declarative, and synchronous dataflow programming language for programming reactive systems [39]. The Verification is based on k-induction and property directed reachability using a back-end Satisfiability Modulo Theories (SMT) solver. A verified property is determined to be true for all runs of the system. A property violation is reported with an explicit Counter-Example (CE), which is given here as an attack scenario (a sequence of attack and recovery actions resulting in system disruption).

In our work, the CN₁ and CN₂ descriptive models included entities and their interfaces and connections, which were encoded using Architecture Analysis and Design Language (AADL), within the open-source integrated development environment (Osate2). The AADL models were embedded with the AGREE Annex plug-in [17] that is used to specify the component models and system-level security properties. AGREE also translates the AADL+Annex models and properties to Lustre language, which JKind can verify against a security property of concern and delivers the result as a CE, if it exists [40].

Figure 2 and Figure 3 show the Attack graphs for CN₁ and CN₂, respectively [20], capturing the state evolution of the two networks dynamical variables given in the earlier formal description under attack instances. These graphs are visualized using Unity tool that supports two-dimensional (2D) and three-dimensional (3D) graphics, drag-and-drop functionality, and scripting using C# [41].

From the obtained graphs it can be seen that both networks have six attack scenarios, resulting in networks loss of stability as determined by the unbounded traffic loss over time [42]. Each attack is a sequence of faults and recovery actions occurring sequentially as follow:

S₁: a₁₃ → a₂₃¹³

S₂: a₁₃ → a₁₂¹³

S₃: a₁₂ → a₂₃¹²

S₄: a₂₃ → a₁₃²³

S₅: a₂₃ → a₁₂²³

S₆: a₁₂ → a₁₃¹²

3. Level-of-Resilience Assessment

Each path in the graph is a single attack scenario and has an associated Level-of-Resilience (LoR) [20]. The following definition can be utilized to identify the worst case Level-of-Resilience of a system with its Attack graph given. A system is the worst resilient to an attack scenario in the graph if it acquires the highest loss of stability, the highest loss of performance, or the highest recovery-time.

Definition 1

([20]). Given a system M and an attack graph A_G comprising a set of attack scenarios S ≡ ∪ S_i, i ∈ {1,…, z}, where z is the number of attack scenarios, we say that LoR(M, S_i) is the worst if:

[LoS_R(M, S_i) > LoS_R(M, S − S_i)]
∨ [[LoS_R(M, S_i) = LoS_R(M, S − S_i)
∧ [LoP_R(M, S_i) >LoP_R(M, S − S_i)]]
∨ [[LoS_R(M, S_i) = LoS_R(M, S − S_i)]
∧ [LoP_R(M, S_i) = LoP_R(M, S − S_i)]
∧ [RT(M, S_i) > RT(M, S − S_i)]]

The next definition compares the LoR of many systems against an Attack scenario. A system is the most resilient to an attack scenario if this attack acquires a smallest loss of stability, a smallest loss of performance, or smallest recovery-time.

Definition 2

([20]). Given a set of systems M ≡ ∪M_j, j ∈ {1, …, y}, where y is the number of systems, and an attack scenario S_i ∈ S, we say that LoR(M_i, S_i) > LoR(M-M_i, S_i) if:

[LoS_R(M_i, S_i) < LoS_R(M − M_i, S_i)]
∨ [[LoS_R(M_i, S_i) = LoS_R(M − M_i, S_i)]
∧ [LoP_R(M_i, S_i) < LoP_R(M − M_i, S_i)]]
∨ [[LoS_R(M_i, S_i) = LoS_R(M − M_i, S_i)]
∧ [LoP_R(M_i, S_i) = LoP_R(M − M_i, S_i)]
∧ [RT(M_i, S_i) < RT(M − M_i, S_i)]].

4. Hybrid Attack Graph (HAG)

The states of Attack graph reflect the logical evolution of system parameters (e.g., system stability and services are either true or false) during attacks until reaching the final states where the security property φ is violated and hence are the worst states. As multiple attacks can reach the same final state, it is essential to identify the worst attack scenario. A Hybrid Attack Graph (HAG) associates real values to all attack scenarios terminating in these final states. These real values correspond to the Level-of-Resilience parameters determined from the system dynamical response. The detailed computations of LoS_R, eventual LoP_R and RT of networks CN₁ and CN₂ under A_G scenarios are given in [43], and [15]. We formally define HAG as follows.

Definition 3.

A Hybrid Attack Graph (HAG) of a system model M is a data structure representing a union of all attack paths comprising A_G annotated with the associated Levels-of-Resilience.

HAG = A_G ∪ LoR(M, A_G).

Algorithm 1 compares the Levels-of-Resilience, associated with the attacks comprising an Attack graph, and alerts the worst-case scenario.

Algorithm 1 Alerting Worst-Case Attack Scenario

INPUT: Attack graph (AG) Comprising Attack Scenarios ($\mathrm{S}\equiv {\displaystyle \cup }{\mathrm{S}}_{\mathrm{i}},\mathrm{i}\in \left\{1,\dots ,\mathrm{z}\right\}$) and associated LoR values OUTPUT: Alert Worst Case S[i] Procedure: for Case [LoSR, LoPR, RT]   if S[i]{LoSR} > S$-$S[i] {LoSR}:   Alert Worst Case S[i]   else if S[i] {LoPR, Ftp} > S$-$S[i] {LoPR, Ftp}   Alert Worst Case S[i]   else if S[i]{LoPR, Video} > S$-$S[i] {LoPR, Video}   Alert Worst Case S[i]   else if S[i]{LoPR, Email} > S$-$S[i]{LoPR, Email}   Alert Worst Case S[i]   else if S[i]{RT} > S$-$S[i] {RT}:   Alert Worst Case S[i]   else   no Alert

5. Automatic Hybrid Attack Graph (AHAG) Tool

In Section 2, the attack scenarios were generated by repeatedly running AGREE, and updating the security property in every run to exclude the previously generated attack scenarios. Here, the automatic generation of attack scenarios is presented.

The Automatic Hybrid Attack Graph (AHAG) tool was developed through NetBeans, an Integrated Development Environment (IDE) for Java [44]. NetBeans allows applications to be developed from a set of modular software components called modules. In addition to Java development, NetBeans has extensions for other languages like Personal Home Page (PHP), C, C++, and fifth version of Hyper Text Markup Language (HTML5). Maven, a build automation tool used primarily for Java projects, was selected as the main project for the AHAG tool in NetBeans [45].

When running an AGREE based JKind model-checker for Lustre models within Osate2, it can only produce one counterexample at a time. However, if executed more than once, it may repeat the same counterexample. The AHAG tool shown in Figure 4 confirms that a different new counterexample is produced (if exists) each time the JKind is called, and automatically, all possible attack scenarios are visualized using Unity software.

AHAG tool takes only the first Lustre model (a translation of the system model and the security property from AGREE). Then, it generates all possible combinations of potential attack scenarios (i.e., CEs) as (.lus) format files. Next, AHAG communicates with the model checker JKind through the Command Prompt Commands (CMD) to iteratively check the system model and the potential CE against the security property within the Lustre files. Doing so, AHAG generates all corresponding results as separate Excel files, illustrating if the potential CE is truly an attack scenario or not. Once all Excel files are generated, AHAG converts them to (.csv) files to be used later along with LoR values in Unity Visualizer.

The AHAG Algorithm 2 is as follows. The user inserts the first Lustre Model as input and defines the attack instances/actions constituting the attack paths in a single-dimensional array. In addition to that, the user has to choose the maximum expected length n of an attack scenario. AHAG in turns, generates all potential combinations of attack scenarios Aⁿ, where A is number of attack instances/actions. Each new potential attack scenario is stored as a variable CE_1 within (.lus) generated files. Next, JKind is called iteratively to check these files against the security property ϕ. If CE_1 violates the security property, then it is a true attack scenario, which belongs to the Attack graph, and the result is given as an Excel sheet (.xlsx). Otherwise, AHAG will reject the CE_1. Afterward, since it is easier for Unity visualizer to read (.csv) files, AHAG converts xlsx to csv files and feed them to Unity.

Algorithm 2 AHAG

INPUT: System Model (Luster 0.lus), Attack instances A[ ], maximum length (n) OUTPUT: All attack scenario in (.csv) Procedure:   insert attack instances in the Single-Dimensional Array (A)   set maximum length (n) loop 1:   CE_1 = possible combination from A[ ] of length n   New Lustre = do new (.lus) copy (Lustre 0.lus)   New Lustre = New Lustre + CE_1   goto loop 1 loop 2:   call JKIND through cmd   New Lustre.xlsx= do result in (.xlsx) format loop 3:   New Lustre.csv = replace (New Lustre.xlsx) format to (.csv) format   goto loop 3   goto loop 2 loop 4:   if New Lustre.csv contains CE_1 = False   delete (New Lustre.csv)   goto loop 4 generate violating attack scenarios

The generated attack scenarios were visualized using Unity visualizer tool and the Levels-of-Resilience values, including Level-of-Stability-Reduction (LoS_R), Level-of-Performance-Reduction (LoP_R) in the networks applications (given by $FT{P}_R$, $Emai{l}_R$, and $Vide{o}_R$), and the Recovery-Time (RT) are annotated to the attack scenarios terminating at the final states using Algorithm 1. This generates the HAG for CN₁ and CN₂, as shown in Figure 5 and Figure 6, respectively. It can be seen that Attack scenario S₄ was chosen as the worst attack scenario (highlighted in red). The detailed computations of Levels-of-Resilience values for networks CN₁ and CN₂ are given in [43], and [15]. By comparing the generated HAGs to the traditional Attack graphs of Figure 2 and Figure 3, respectively, it is clear how HAG can aid in differentiating attack scenarios terminating in the same state, yet with distinguishable resilience levels. Thus, network designers can have a better overview on the attack scenario that the network is most vulnerable to.

6. Conclusions

In this paper, we presented a new concept of Hybrid Attack Graph (HAG), which captures both the logical changes in the system parameters under attacks (as determined by the pre and post-conditions), and the real values of the levels of resilience parameters associated with the attacks constituting the graph. The nearest C-language based tool, Automated Attack Graph Generator and Visualizer (A2G2V), proposed by [27], interacts with the model-checker JKind for the generation of the attack paths one at a time, and with another tool Graph visualization (Graphviz) for visual display of the attack graph. Similar to our Automatic Hybrid Attack Graph (AHAG) tool, A2G2V tool requires one-time modeling effort to obtain the system description for components, connectivity, services, and their vulnerabilities. However, AHAG integrates the Levels-of-Resilience values obtained from system’s dynamical response with the Attack graph. This automatically generates a HAG, which can aid system designers to investigate and select the worst LoR system design and its corresponding attack scenario from the graph. This ensures an appropriate defense and countermeasures placement in the system. The results were illustrated through a communication networks example.