Multi-step Attack Modelling and Simulation (MsAMS) Framework based on Mobile Ambients

Abstract

Attackers take advantage of any security breach to penetrate an organisation perimeter and exploit hosts as stepping stones to reach valuable assets, deeper in the network. The exploitation of hosts is possible not only when vulnerabilities in commercial off-the-shelf (COTS) software components are present, but also e.g. when an attacker acquires a key (e.g. a password) on one host which allows him to exploit further hosts on the network. Finding attacks involving the latter case requires the ability to represent dynamic models. In this paper we present MsAMS (Multi-step Attack Modelling and Simulation), an implemented framework, based on Mobile Ambients, to discover attacks in networks. The idea of ambients fits naturally into this domain and has the advantage of providing flexibility for modelling. Additionally, the concept of mobility allows the simulation of attackers exploiting opportunities derived either from the exploitation of vulnerable as well as from the exploitation of non-vulnerable hosts, through the acquisition of keys.