ADVISE Meta Two Nets Tutorial

From Mobius Wiki


Getting Started

The first time you run the alpha tool, you may be prompted for your Mobius license. Enter your Mobius user account (this is NOT the same as your account for this wiki).

Building an Ontology

Before we can start creating ADVISE Meta models, we need an ontology to work with. You can download and import this ontology if you'd like to skip to the "Creating an ADVISE Meta Model" section.

The first time you open Mobius, the Ontology view is probably not visible. Show it by selecting the menu Window -> Show View -> Ontology Explorer.

Adding a Package

To begin defining our ontology we need to define a new package.

  1. Right click on the white space in the Ontology view.
  2. Select Add Package.
  3. To the right, a package editor should have appeared.
  4. Enter a URL address with at least one directory after the host name. If you are unsure what to put, you can enter http://www.example.com/myPackage.
  5. Close this editor by clicking on the X on the editor's tab. When prompted to save, click yes.

Adding components and relationships

Now that we have defined a package, we can begin adding components, relationships, and modeling elements. We will define three component classes and one relationship.

Ontology tree after the package, components, attribute, and relationship has been added.
  1. Right click the package you defined before and select Add Component.
  2. Change the name to System.
  3. Click the File -> Save menu item to save the System component.
  4. Add two more components called Network and Firewall, but don't save them yet. Networks and firewalls are both types of systems. In our ontology, we can define that inheritance relationship by specifying System as a parent of Network and Firewall.
    1. Bring the Network component editor tab to the top.
    2. Next to the Parents list, click the Edit button.
    3. Double click the System component in the left pane to select it and click Finish.
    4. Repeat the process in the Firewall component editor.
    5. When done, right click one of the editor tabs and select Close All.
    6. When prompted, save all.
  5. Attributes allow you to specify properties about a component. We would like to specify whether or not a network has an IDS currently monitoring it.
    1. Right click the Network component and select Add Attribute.
    2. Change the name to isIDSOperational.
    3. Change the type to Boolean.
    4. Change the default value to true.
    5. Save and close the attribute editor.
  6. Notice that our package now contains three component classes. Next, let's create a relationship.
    1. Right click the package and select Add Relationship.
    2. Change the name to connectedTo.
    3. Relationships are directional, so when you say that component A is connectedTo component B, that does not mean that B is necessarily connected to A. However, we'd like this relationship to be symmetric, which means that A connectedTo B implies that B connectedTo A. To do this, check the Symmetric checkbox.
    4. The domain of a relationship defines which types of components this relationship can originate from. We would like to be able to use this relationship to connect Networks, Firewalls, and even Systems together. Relationships leverage the inheritance structure of components, so to accomplish this, we only need to add System to the domain.
      1. Click the Edit button next to the Domain list.
      2. Select the System component class from the available list and click the > button to add it to the selected list. Click Finish when done.
    5. The range of a relationship is similar to the domain, except that it defines what types of components this relationship can connect to. Add System to the range of the relationship.
    6. Save and close the Relationship.

Adding ADVISE State Variables

We now have everything we need to begin drawing System diagrams containing systems, networks, and firewalls connected by the connectedTo relationship. However, in order to begin generating useful ADVISE models from our ADVISE Meta model, we must define the underlying elements that will be generated. Let's start with the ADVISE state variables.


Ontology tree after the state variables have been added.
  1. We'd like to define an access element that indicates that the adversary has gained access to a network.
    1. Right click the package and select Add ADVISE Element -> Access.
    2. Change the name to NetworkAccess.
  2. We also need a System State Variable (SystemSV) that indicates that an adversary has installed malware on a Network.
    1. Right click the package and select Add ADVISE Element -> System State Variable.
    2. Change the name to MalwareInstalled.
    3. Change the type to Boolean.
    4. Change the value to false. This indicates that this state variable will start out with an initial value of false.
  3. Save all open editors.
  4. We want the generator to create instances of NetworkAccess and MalwareInstalled for every network that we define in our system diagram. To do this, we need to reopen the Network component and indicate that these state variables are dependent elements of the Network component.
    1. Double click the Network component to open its editor.
    2. In the Dependents section, use the Edit button to add the two state variables.
  5. Save and close all editors.
  6. Finally, we want to add a skill that defines how effective the adversary is at brute force attacks.
    1. Right click the package and select Add ADVISE Element -> Skill.
    2. Change the name to BruteForceSkill.
    3. Very often with skills, we don't want to create instances that are associated with individual components in our system diagram, but rather a single instance that is used throughout. In other words, an adversary doesn't have a BruteForceSkill for each individual network in our system, but rather a single skill of that type that defines how skilled the adversary is in that behavior. To accomplish this, we need to make this a global element. When an ADVISE model is generated, a single instance of each global element is also generated regardless of what system is defined by the diagram.
      1. Click the Global check box.
  7. Save and close all editors.

Adding ADVISE Attack Steps

We have defined the elements that will give our generated ADVISE models state. We now need to define attack steps that will change the model's state. There are a lot of similarities between attack steps in ADVISE and the attack step classes we will define in the ontology. If you aren't familiar with ADVISE attack steps, please review the documentation before proceeding.

Ontology tree after the attack steps have been added.
  1. Let's create an attack step that installs malware on a network.
    1. Right click the package and select Add ADVISE Element -> Attack Step.
    2. Change the name to InstallMalwareOnNetwork.
    3. Save the attack step.
  2. Open the Network component and add InstallMalwareOnNetwork to the list of dependent elements. Now when a network is defined in the system diagram, an InstallMalwareOnNetwork attack step for that network will be generated in the ADVISE model.
    1. The next few fields are similar to what you'd find in an ADVISE model, so we won't go into depth on each one.
      1. Set the cost expression to return 10;
      2. Set the timing distribution to an exponential with rate return 0.5;.
      3. Set the precondition expression to return ${theNetworkAccess};
    2. Save the attack step.
  3. Everything you have done in this section until now should look familiar except the precondition expression above. Unlike the other expressions, this is not valid C++ code. Instead, it includes a macro variable called theNetworkAccess. The entire string ${theNetworkAccess} will be replaced at generation time with the appropriate ADVISE element. However, we must specify in the ontology how to do that replacement using a Precondition Element.
    1. Right click the InstallMalwareOnNetwork attack step and select Add Precondition -> Element.
    2. Change the label to theNetworkAccess. Notice that this is the same string as the inside of the macro variable from the code expression we wrote earlier. Attack steps can have many precondition elements and this identifies which element the macro is referring to.
    3. Now we need to give the generator instructions on how to find the correct ADVISE element to insert into the code expression in place of the macro variable. We do this by creating a path from the attack step's defining component (a Network component). The path for the precondition element is a very simple one, but we will create a more complex one soon.
      1. Right click the theNetworkAccess precondition element and select Add Path Condition -> Element. This tells the generator to look for an ADVISE element that is a dependent of the Network component (the defining component of this attack step).
      2. In the editor, change Dependent Element to NetworkAccess.
    4. Save and close all editors.

We've created an attack step and used a precondition element to tell the generator that when it sees ${theNetworkAccess} in code expressions, it should find the NetworkAccess associated with the attack step's defining network and put that element's name in the code instead. We need to finish defining the InstallMalwareOnNetwork attack step by defining a set of outcomes for the attack step.
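To make the macro replacement concrete, here is an added C++ illustration (not part of the tutorial or the Möbius tool) of what the generator does with the labels above: each ${label} in a code expression is swapped for the element name that the label's path condition resolves to. It assumes the generated element names follow the <Component>_<Element> convention seen later in this tutorial (e.g. SCADALAN_MalwareInstalled); the resolveElementPath and expandMacros helpers are hypothetical, not Möbius APIs.

```cpp
#include <map>
#include <stdexcept>
#include <string>

// Binding from a precondition/affected element label to the ADVISE element
// name the generator will substitute for ${label}.
using Bindings = std::map<std::string, std::string>;

// Resolve an "element path condition": the dependent element <dep> of the
// attack step's defining component <component>. The <Component>_<Element>
// naming is an assumption modelled on the names used in this tutorial.
std::string resolveElementPath(const std::string& component, const std::string& dep) {
    return component + "_" + dep;
}

// Replace every ${label} in a code expression with the bound element name.
// A label with no precondition/affected element defined for it is an error,
// which is exactly the situation the generator cannot resolve.
std::string expandMacros(const std::string& expr, const Bindings& b) {
    std::string out;
    std::size_t pos = 0;
    while (pos < expr.size()) {
        std::size_t start = expr.find("${", pos);
        if (start == std::string::npos) { out += expr.substr(pos); break; }
        std::size_t end = expr.find('}', start);
        if (end == std::string::npos) throw std::runtime_error("unterminated macro");
        out += expr.substr(pos, start - pos);
        std::string label = expr.substr(start + 2, end - start - 2);
        auto it = b.find(label);
        if (it == b.end()) throw std::runtime_error("no element bound to label " + label);
        out += it->second;
        pos = end + 1;
    }
    return out;
}

// The InstallMalwareOnNetwork expressions from this tutorial, generated for
// one network: precondition, Failure detection probability, Success effect.
struct GeneratedStep { std::string precondition, failDetect, successEffect; };

GeneratedStep generateInstallMalware(const std::string& network) {
    Bindings b = {
        {"theNetworkAccess", resolveElementPath(network, "NetworkAccess")},
        {"idsOperational",   resolveElementPath(network, "isIDSOperational")},
        {"malInstalled",     resolveElementPath(network, "MalwareInstalled")},
    };
    return {
        expandMacros("return ${theNetworkAccess};", b),
        expandMacros("if(${idsOperational}) return 0.99; else return 0.2;", b),
        expandMacros("${malInstalled} = 1;", b),
    };
}
```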

  1. Create a failure outcome on the InstallMalwareOnNetwork attack step.
    1. Right click the InstallMalwareOnNetwork attack step and select Add Outcome.
    2. Change the name to Failure.
    3. Change the outcome probability to return 0.1;.
    4. Change the detection probability to if(${idsOperational}) return 0.99; else return 0.2;.
    5. Leave the effects expression blank.
  2. Create a success outcome on the InstallMalwareOnNetwork attack step.
    1. Change the name to Success.
    2. Change the outcome probability to return 0.9;.
    3. Change the detection probability to if(${idsOperational}) return 0.6; else return 0.1;.
    4. Change the effects expression to ${malInstalled} = 1;
  3. Create a precondition element on the attack step that binds to the Network's isIDSOperational attribute.
    1. Set the precondition element's label to idsOperational.
    2. Add an element path condition and set the dependent element to Network.isIDSOperational.
  4. Create an affected element on the attack step similar to how we created a precondition element earlier.
    1. Set the affected element's label to malInstalled.
    2. Add an element path condition and set the dependent element to MalwareInstalled.

We have now fully defined the attack step. Notice that we have added a new precondition element that binds to the network component's isIDSOperational attribute. We use a precondition element because the attack step doesn't modify the value of this attribute, only reads it. In an ADVISE model, the System State Variable that represents the attribute will be connected by an arc that points towards the attack step. We also defined an affected element that binds to the network component's MalwareInstalled system state variable. In the generated ADVISE model, the SSV that indicates whether malware has been installed on the network will be connected to that attack step by an arc that points away from the attack step.

We now have to create a second attack step that will defeat a firewall and allow the adversary to gain network access to all connected networks. We will use an affected collection in this attack step definition that will contain all NetworkAccess elements from any networks connected to the firewall.

  1. Create the new attack step in the package.
    1. Change the name to DefeatFirewall.
    2. Set the cost expression to return 35;.
    3. Set the timing distribution to a normal distribution with mean
      if(${bruteForceSkill} > 600)
          return 20;
      else
          return 40;

      and variance return 10;.
    4. Set the precondition expression to
      bool oneNotPossessed = false;
      bool atleastOnePossessed = false;

      for(auto const &n : ${theNetworkAccesses}) {
          if(n->Mark())
              atleastOnePossessed = true;
          else
              oneNotPossessed = true;
      }

      return atleastOnePossessed && oneNotPossessed;

    5. Save the attack step.
  2. Create a new Outcome on DefeatFirewall called Success.
    1. Set the outcome probability to return 0.3;.
    2. Set the detection probability to return 0.05;.
    3. Set the effects to
      for (auto const &n : ${theNetworkAccesses})
          n->Mark() = 1;

    4. Save the outcome.
  3. Create a new Outcome on DefeatFirewall called Failure.
    1. Set the outcome probability to return 0.7;.
    2. Set the detection probability to return 0.4;.
    3. Save the outcome.
  4. Add an affected collection to the attack step called theNetworkAccesses.
  5. Add a relationship path condition to the affected collection and select the connectedTo relationship.
  6. Add a component path condition to the relationship path condition and select the Network component.
  7. Add an element path condition to the component path condition and select the NetworkAccess element.
  8. Add a precondition element to the attack step called bruteForceSkill.
  9. Add a global path condition to the precondition element and select the BruteForceSkill global element.
  10. Save and close all editors.
  11. Open the Firewall component and add DefeatFirewall to the list of dependent elements.
  12. Save and close all editors.
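The DefeatFirewall expressions above only run inside a generated ADVISE model, so here is an added stand-alone C++ version (not part of the tutorial or the Möbius tool) of the same precondition, timing-mean and Success-effect logic, exercised on the two-network system built later in this tutorial. The StateVar type with a Mark() accessor and the ${theNetworkAccesses} collection are assumptions standing in for the generated ADVISE elements.

```cpp
#include <vector>

// Minimal stand-in for an ADVISE state variable: Mark() returns a reference
// to the current marking, matching the n->Mark() calls in the expressions.
struct StateVar {
    int mark = 0;
    int& Mark() { return mark; }
};

// Stands in for ${theNetworkAccesses}: the NetworkAccess element of every
// Network connected to the firewall via the connectedTo relationship.
using NetworkAccesses = std::vector<StateVar*>;

// Precondition: attacking the firewall only makes sense when the adversary
// already holds access to at least one connected network and still lacks
// access to at least one other.
bool defeatFirewallEnabled(const NetworkAccesses& accesses) {
    bool oneNotPossessed = false;
    bool atleastOnePossessed = false;
    for (auto const& n : accesses) {
        if (n->Mark())
            atleastOnePossessed = true;
        else
            oneNotPossessed = true;
    }
    return atleastOnePossessed && oneNotPossessed;
}

// Mean of the normal timing distribution as a function of ${bruteForceSkill}.
int defeatFirewallMeanTime(int bruteForceSkill) {
    if (bruteForceSkill > 600)
        return 20;
    else
        return 40;
}

// Success outcome effect: the adversary gains access to every connected network.
void defeatFirewallSuccess(const NetworkAccesses& accesses) {
    for (auto const& n : accesses)
        n->Mark() = 1;
}

// Worked run on the CorporateLAN / SCADALAN system: apply the Success outcome
// once if the precondition holds and report the resulting state.
struct TwoNetResult {
    bool enabledBefore;  // precondition before the attack step fires
    bool enabledAfter;   // precondition after a Success outcome
    int scadaAccess;     // SCADALAN_NetworkAccess marking afterwards
    int meanTime;        // timing mean for the adversary's skill level
};

TwoNetResult runTwoNets(int bruteForceSkill, int corporateAccess) {
    StateVar corporate, scada;
    corporate.Mark() = corporateAccess;
    NetworkAccesses accesses = {&corporate, &scada};
    TwoNetResult r{};
    r.enabledBefore = defeatFirewallEnabled(accesses);
    r.meanTime = defeatFirewallMeanTime(bruteForceSkill);
    if (r.enabledBefore)
        defeatFirewallSuccess(accesses);
    r.enabledAfter = defeatFirewallEnabled(accesses);
    r.scadaAccess = scada.Mark();
    return r;
}
```

With the Corleone family's BruteForceSkill of 400 the mean is 40, which is the value the results discussion at the end of the tutorial relies on; once the Success effect has granted both accesses, the precondition no longer holds, so the step cannot fire again.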

Adding an ADVISE Adversary

Ontology tree after the Crime Organization adversary has been added.

We now must define at least one adversary profile template. We will create an adversary called Criminal Organization and specify the default parameter values.

  1. Right click on the package and add a new Adversary (Add ADVISE Element -> Adversary).
  2. Change the name to Criminal Organization.
  3. Change the planning horizon to 3.
  4. Change the cost, detection, and payoff preference weights to 0.2, 0.05, and 0.75 respectively.
  5. In the skills section, add the BruteForceSkill.
    1. Click the Add... button.
    2. Double click the BruteForceSkill in the left pane to select it.
    3. In the right pane, click the default initial value for the skill to edit it. Change the value to 700.
    4. Click Finish.
  6. Save and close the adversary.

Adding a Metric

Ontology tree after the Goal Achieved metric has been added.

We will now define a metric.

  1. Right click on the package and add a new Metric (Add ADVISE Element -> Metric).
  2. Change the Name to Goal Achieved.
  3. Change the Expression to return ${Goal};.
  4. Change the First Instant to ${Start}.
  5. Change the Upper Bound to ${Stop}.
  6. Change the Step Size to ${Step}.
  7. Save and close the metric.

We have to define User Input elements for each of the macro labels we used above. For Goal, we want the user to select one of the goals that were created in the meta model.

  1. Right click on the Goal Achieved metric and select Add User Input... -> Choice.
  2. Change the Label to Goal.
  3. Change the Field Name to Goal.
  4. Change the User Instructions to Enter the goal you wish to observe..
  5. In the class restrictions section, check the box next to Goal.

When the user creates a new instance of this metric in their meta model, they will be prompted using the information you just provided. They will be asked to choose among all Goals defined in the Meta Model. Next, we need to create user inputs for the three parts of the incremental time range.

  1. Right click on the Goal Achieved metric and select Add User Input... -> String.
  2. Change the Label to Start.
  3. Change the Field Name to First Observation.
  4. Change the User Instructions to Enter the first observation time point..
  5. Create another User Input String with Label Stop, Field Name Upper Bound, and User Instructions Enter the upper bound on observation times..
  6. Create another User Input String with Label Step, Field Name Step Size, and User Instructions Enter the length of time between observations..
  7. Save and close all ontology editors.

We have now completed our ontology. We've added three component types, one attribute, one relationship, three state variables (really four when you count the component attribute) and two attack steps. We have also added an adversary template and a metric. We are now ready to start building ADVISE Meta models!

Defining an ADVISE Meta Model

By this point, you should have an ontology fully defined from the previous tutorial. However, if you'd like to skip the ontology development section, you can download and import this complete ontology package that we will use in this example going forward.

Let's build a small system with two networks, SCADA and Corporate, joined by a single firewall.

Starting up Mobius and Creating a New ADVISE Meta Model

  1. Launch the Mobius ADVISE Meta Alpha Tool.
  2. Right click the Open Projects folder and select New Project.
  3. Name the project Tutorial1.
  4. Right click on the Tutorial1 project folder and select New.
  5. Select Atomic in the bottom pane and click Next.
  6. Select the Advise Meta Model from the list, enter the name twoNets, and click Finish.
  7. Select the File -> Save menu item.

Adding Components and Relationships to the Diagram

System diagram tab.
  1. In the components tree on the left, expand the System component node to make the Firewall and Network component types visible.
  2. Add a Network component called CorporateLAN
    1. Drag and drop a Network component on to the diagram.
    2. Click on the new Network 1 component and select the Edit Details button.
    3. Change the name to CorporateLAN.
    4. Set the isIDSOperational attribute to false.
    5. Click Finish.
  3. Add a Network component called SCADALAN and leave the isIDSOperational attribute set to true.
  4. Add a Firewall and name it CorpSCADAFW.
  5. Add a new connectedTo relationship from the firewall to the corporate LAN component.
    1. Select the CorpSCADAFW component, click Add Relationship, and click on the CorporateLAN component.
    2. Select the connectedTo relationship from the drop down list.
    3. Click Finish.
  6. Add a new connectedTo relationship from the firewall to the SCADALAN component.
  7. Click the File -> Save menu item.

Defining Goals

Goal definition tab.
  1. Select the Goals tab at the bottom of the ADVISE Meta Atomic Model Editor window.
  2. Select the New Goal 1 goal from the list in the upper right.
  3. Change the name below to read Malware on SCADA Net.
  4. Add the SCADALAN_MalwareInstalled state variable to the list of state variables.
    1. Expand the SCADALAN component in the Available State Variables tree on the left side of the window.
    2. Click and drag the MalwareInstalled system state variable.
    3. Drop it in the list of Dependent State Variables.
  5. Change the Goal Expression.
    1. Highlight "false."
    2. Double click the SCADALAN_MalwareInstalled state variable in the Dependent State Variable list above.
    3. Note that "->Mark()" was automatically appended onto the state variable name. If you type the name yourself, don't forget to add the "->Mark()", without the quotes, or the code will not compile.
  6. Click the File -> Save menu item.

Defining Adversaries

Adversaries definition tab.
  1. Select the Adversaries tab at the bottom of the ADVISE Meta Atomic Model Editor window.
  2. Click and drag the Crime Organization adversary template over to the Adversaries list on the right side.
  3. Change the name below to The Corleone Family.
  4. Change the planning horizon to 2 and leave the cost of detection the same as what is defined in the template.
  5. In the Access section, add the CorporateLAN_NetworkAccess
    1. Click the Add button.
    2. Select the CorporateLAN_NetworkAccess element in the left pane.
    3. Click the > button.
    4. Click Finish.
  6. In the Skills section, change the Corleone family's BruteForceSkill to 400.
    1. Click on the initial value column where you see the number 700.
    2. Enter 400 and hit the enter key.
  7. In the Goals section, add the Malware on SCADA Net goal.
    1. Set the payoff to 500.
  8. Click the File -> Save menu item.

Defining Metrics

Metrics definition tab.
  1. Click and drag the Goal Achieved metric over to the Metrics table in the upper right corner of the window to create the new metric.
  2. Change the name to MalwareOnSCADALAN.
  3. Select the Malware On SCADA Net goal.
  4. Enter 0 for the First Observation.
  5. Enter 24 for the Upper Bound.
  6. Enter 2 for the Step Size.
  7. Click the File -> Save menu item.

Defining Configurations

Configuration definition tab.
  1. Select the Configurations tab at the bottom of the ADVISE Meta Atomic Model Editor window.
  2. Select the New Configuration 1 configuration from the list on the left.
  3. Change the name on the right side to read CorpSCADANetworks.
  4. Add the goal defined above to the configuration.
    1. Click the Add button in the Goals section.
    2. Select the Malware on SCADA Net goal from the list.
    3. Click Finish.
  5. Select The Corleone Family as the adversary for this configuration.
  6. Add the metric defined above to the configuration.
    1. Click the Add button in the Metrics section.
    2. Select the MalwareOnSCADALAN metric from the list.
    3. Click Finish.
  7. Click the File -> Save menu item.

Generating the ADVISE Model

Generator tab.
  1. Select the Generator tab at the bottom of the ADVISE Meta Atomic Model Editor window.
  2. Select the CorpSCADANetworks configuration from the list on the left.
  3. Click the Generate button.
  4. Read the messages on the right and make sure there were no errors.

Once the generation completes, the simulator window should appear and begin executing the simulation. After a brief execution, the results file should be displayed.


Under Construction

The remainder of this tutorial is currently under construction and uses an older version of the tool.


The Generated ADVISE Model

If you look in the Atomic folder of your project, a new ADVISE model called CorpSCADANetworks should now exist. Open that model to see something like the image below. Notice that this doesn't generate a complete ADVISE model based on your system diagram. Instead, it generates a trimmed ADVISE model based on your diagram and the goal definitions in the configuration you generated. For example, the CorporateLAN_InstallMalwareOnNetwork attack step is absent because the only goal we defined does not include that step in any of the possible paths. If you want to see the complete ADVISE model, create a new Goal Definition called Malware on Corporate Net like we did for the SCADA LAN and either add it to your CorpSCADANetworks configuration or create a new configuration that includes both goals.

Generated ADVISE model with only the single Malware on SCADA Net goal included in the configuration.
Generated ADVISE model's adversary profile.
Generated ADVISE model with both the Malware on SCADA Net goal and Malware on Corporate Net goal included in the configuration.

Defining the Reward Model

Let's create the remaining pieces of this Möbius model. We will be adding two performance variables to report the state of the accesses and another performance variable to report the state of the goal. These steps are done the same way as the normal Möbius distribution, so we'll describe them at a higher level. If you're new to Möbius, please review the Möbius tutorial in the Möbius Manual.

  1. Right click on the Tutorial1 project and select "New" from the popup menu.
  2. Select "Reward" from the Component Category and select the "Next >" button at the bottom of the dialog.
  3. The component type will be "Performance Variable Model". Enter "CorpSCADANetworksRM" in the Component Name field and select "Next >".
  4. Select "CorpSCADANetworks" and click "Finish".
  5. Add a new variable called "a_CorporateLAN_NetworkAccess".
    1. In the "Rate Rewards" tab, define the reward function to be:
        return CorpSCADANetworks->CorporateLAN_NetworkAccess->Mark();
      
    2. In the "Time" tab, define the timing type to be an "Instant of Time" with an incremental range. The range should be 0-500 with a step size of 10.
  6. Add a new variable called "a_SCADALAN_NetworkAccess".
    1. In the "Rate Rewards" tab, define the reward function to be:
        return CorpSCADANetworks->SCADALAN_NetworkAccess->Mark();
      
    2. In the "Time" tab, define the timing type to be an "Instant of Time" with an incremental range. The range should be 0-500 with a step size of 10.
  7. Add a new variable called "g_MalwareOnSCADANet".
    1. In the "Rate Rewards" tab, define the reward function to be:
        return CorpSCADANetworks->MalwareOnSCADANet->Mark();
      
    2. In the "Time" tab, define the timing type to be an "Instant of Time" with an incremental range. The range should be 0-500 with a step size of 10.
  8. Save and close the reward model.

You now have a reward model for your ADVISE atomic model that measures the state of each knowledge item and goal at 5-time-unit intervals. This should give you a rough view of how the adversary will progress through the model.

Defining the Study

  1. Create a new "Range Study" called "CorpSCADANetworksStudy".
  2. Save and close the study.

Since no global variables are defined in our model, we simply need to create an empty study.

Running the Simulation

  1. Create a new simulation called "CorpSCADANetworksSim" in the "Solver" folder.
  2. The Simulator dialog will open automatically.
  3. The "Simulation Parameters" tab will be shown. The "Build Type" entry will be shown about three-quarters of the way down.
  4. Click in the list box and select "Normal" as the build type.
  5. Make sure the "Enable Mobius Trace" check box is selected. We will use the trace information in the next section.
  6. Click on the "Run Simulation" tab and click the "Start Simulation" button.
  7. Wait for the simulation to complete; you should now be looking at the "Results" tab.
  8. Scroll down to see the mean values of the three reward variables at the various time points.
  9. Values should be similar to these results.

From the results, you should notice that the a_CorporateLAN_NetworkAccess is 1.0 from the very beginning because the adversary has that access as part of their initial access, and at no point during the execution do they lose that access.

The a_SCADALAN_NetworkAccess, on the other hand, is only achieved after a successful outcome of the defeat firewall attack step. The execution of the defeat firewall attack step is controlled by the precondition for having access to either the SCADA LAN or the Corporate LAN and by the attack step timing distribution. Access to the Corporate LAN is given in this case. The defeat firewall attack step timing distribution is a normal distribution with a mean of 40 in this case and a variance of 10. Therefore, at the start, there is a very low probability that the attack step will be attempted. At time step 40, the mean of the distribution, the probability of attempting the attack step is 50%; however, the probability of success is only 30%. Combining the two, we should expect the probability of achieving access to the SCADA LAN to be around 15%. The 14.48% shown in the results is in line with what we would expect. The a_SCADALAN_NetworkAccess continues the trend towards one because once the access is achieved, it is not taken away in this model.

The goal of installing malware on the SCADA LAN, g_MalwareOnSCADANet, is dependent on achieving access to the SCADA LAN. As a result, the "SCADALAN_InstallMalwareOnNetwork" attack step cannot be attempted until the defeat firewall attack step succeeds. Once access to the SCADA LAN has been achieved, the probability of successfully installing malware on the SCADA LAN is very high at 90%. As a result, achieving the goal of installing malware on the SCADA LAN closely follows the a_SCADALAN_NetworkAccess results.

Download the archived version of this project.

Viewing the Attack Path

One of the features that has been added to this version of Mobius is the ability to visualize the adversary's path through the ADVISE attack execution graph (AEG). In this tutorial, the ADVISE atomic model is called CorpSCADANetworks.

  1. Reopen the CorpSCADANetworks ADVISE atomic model.
  2. In the View menu, select the "Show Results" item. Note: if "Show Results" is already checked, select "Clear" and then reselect "Show Results". This is an issue we are currently working on.
  3. Mobius will scan the solver directory looking for trace files. Note: if no trace files are found, a dialog box will pop up asking you to rerun the simulator with the Mobius Trace File option selected.
  4. After the processing of the trace files, the attack path will be drawn on the AEG.
The CorpSCADANetworks ADVISE model with the attack path shown.