Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs: Supplementary Materials
This repository contains proof-of-concept implementation of an approach from paper Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs.
If you use or further modify this implementation, please use the following reference to cite the original work:
- SADLEK, Lukáš; YAMIN, Muhammad Mudassar; ČELEDA, Pavel; KATT, Basel. Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs. 2024.
The installation guide was inspired by our previous work.
The repository is structured into several folders.
- Folder
alertscontains Wazuh data captured during six days. Files should be decompressed. - Folder
evaluationcontains files related to the evaluation.- File
analysis.pycontains functionality for computing evaluation results presented in the paper. - File
ground_truth.pycontains ground truth and related constants. - File
scenarios.mdcontains description of attack procedures used during attack scenarios.
- File
- Folder
outputscontains important files present in the MulVAL working directory after execution of this implementation.- File
input_file.Pcontains input for the MulVAL generator. - Files
VERTICES.CSVandARCS.CSVcontain vertices and edges from the attack graph. - File
attack_paths.zipcontains attack paths used during evaluation. - File
KCAG.zipcontains kill chain attack graph generated during evaluation. - Files
results.txtandresults_threshold05.txtare results for individual days of evaluation when no threshold and 0.5 threshold were used. - File
roc_jisa_final.pdfcontains ROC curve for the approach. - File
sequences_sorted.jsoncontains evidence paths generated during the evaluation. - Files with suffix
with_portsare variants containing port numbers.
- File
- Folder
rulescontains the ruleset created using the KCAG methodology described in the paper. The ruleset contains a version that extends rules used during evaluation by equality predicates in some attack rules. The same evaluation results can be reproduced by omitting the equality predicates.
The proof-of-concept implementation contains several files:
custom_detection.pycontains custom detection of several attack techniques.evidence_path.pycontains functionality that processes data from the SIEM server and identifies sequences of attack techniques.final_report.pydetermines the final evaluation of the severity levels for IP addresses and sequences of attack techniques.generator.pycontains procedure for generating the attack graph.input_convertor.pyconverts input JSON files into input files for MulVAL.output_postprocessing.pyprocesses the attack graph generated by MulVAL. It adds kill chain phases and labels for vertices. It also determines strategic phases, techniques, and countermeasures.run_mulval.pycontains utility that runs MulVAL from command line.utils.pycontains utilities that return set of phases and mapping function of techniques. They also check kill chain phases.
Mapping of names from the CTS Analyzer architecture to filenames used in supplementary materials:
| Name in the Paper | Python Module(s) |
|---|---|
| Input converter | input_convertor.py |
| MulVAL attack graph generator | generator.py, run_mulval.py |
| Attack graph post-processing | output_postprocessing.py |
| Custom detection | custom_detection.py |
| Evidence path constructor | evidence_path.py |
| Reporting tool | final_report.py |
| — | utils.py |
Evaluation was accomplished in a testbed that contained two copies of identical /16 subnet.
The first one with range 10.11.0.0/16 was used for testing purposes. The second one with range
10.12.0.0/16 was used for executing attack scenarios listed in the paper. Even though we aimed
to limit the influence of testing subnet on the published data, some data from the subnet can appear
in the published data mainly for DNS and active directory servers. However, they should not influence results
from the evaluation.
| Hostname | IP Address | Operating System |
|---|---|---|
| internal-m-1 | 10.12.1.10 | Microsoft Windows Server 2022 Standard |
| internal-m-2 | 10.12.1.20 | Microsoft Windows Server 2022 Standard |
| web-machine-1 | 10.12.2.10 | Ubuntu 20.4 LTS |
| web-machine-2 | 10.12.2.20 | Ubuntu 20.4 LTS |
| dmz-machine-1 | 10.12.3.10 | Ubuntu 20.4 LTS |
| dmz-machine-2 | 10.12.3.20 | Ubuntu 20.4 LTS |
| ad-server | 10.77.77.77 | Microsoft Windows Server 2022 Standard |
| dns-server | 10.10.10.10 | Ubuntu 20.4 LTS |
First, it is necessary to create input files for MulVAL.
If your system contains created directory /tmp/mulval_dir, you can
execute the following commands. Otherwise, create the folder with name /tmp/mulval_dir before executing
the following commands.
from input_convertor import convert_input
convert_input('/tmp/mulval_dir/input_file.P')The next step is to generate the KCAG. The following commands will output its attack paths, strategic techniques, and strategic countermeasures.
from generator import generate_kcag
generate_kcag()As the last step, it is necessary to process data from the SIEM server and determine the severity levels. This functionality is provided by the following commands.
from evidence_path import process_restricted_files
process_restricted_files()Functionality from evaluation/analysis.py can be executed to obtain results from the evaluation.
The implementation uses MulVAL. The installation guide was tested with:
- openjdk-8-jdk (works with the dom4j dependency),
- Ubuntu 20.04 (Ubuntu 22.04 may use a too new version of the c++ compiler).
It is necessary to install MulVAL:
$ wget -P /opt https://people.cs.ksu.edu/~xou/argus/software/mulval/mulval_1_1.tar.gz
$ cd /opt
$ tar -xzf mulval_1_1.tar.gz
$ rm mulval_1_1.tar.gzMulVAL also requires XSB as installation prerequisite:
$ wget -P /opt http://xsb.sourceforge.net/downloads/XSB.tar.gz
$ tar -xzf XSB.tar.gz
$ rm XSB.tar.gzThen you need to set environment variables for MulVAL and XSB. PATH must contain paths to MulVAL and XSB.
$ export MULVALROOT=/opt/mulval
$ export XSBROOT=/opt/XSB
$ export PATH=$PATH:$MULVALROOT/bin:$MULVALROOT/utils:$XSBROOT/bin:$XSBROOT/buildIt is necessary to compile XSB and MULVAL. Install C++ compiler, Java, and bison and flex in you system. For C++ compiler, bison and flex:
$ apt-get install build-essential
$ apt-get install bison flexYou may also have to install make and g++ if you don't have them already. (apt-get).
Now, you need to make XSB using these commands:
$ cd XSB/build
$ ./configure
$ ./makexsbAfter that you can test your XSB installation using
$ /opt/XSB/bin/xsband type halt. to exit XSB (with dot at the end).
Now, you need to compile MULVAL:
$ cd /opt/mulval
$ makeIf output of make command contains javac: Command not found it means that you don't have Java installed in your
system or Java is not in your PATH. Note: you need JDK and in it javac command. Add to PATH the directory which
contains javac command.
Open JDK may also require dom4j JAR package. Switch to folder for external java packages,
which has usually form of /usr/lib/jvm/<name of java>/jre/lib/ext and then download the required JAR using:
wget -P . https://github.com/dom4j/dom4j/releases/download/dom4j_1_6_1/dom4j-1.6.1.jarAfter successful make of MULVAL you can run testing command (in MULVALROOT directory)
$ cd testcases/3host/
$ graph_gen.sh input.P -l -pYou need to set variables in conf.ini before running the generator.
- Set
mulval_root/xsb_rootvariables to the same path you used when installing MULVAL / XSB. - Variable
mulval_dirshould contain location of directory in which the files necessary for AG generation will be created. - Variable
interaction_rules_filepoints torules/ruleset.Pfile. Change its value only in a case you want to rename this file and rename the file appropriately.
Necessary requirements are listed in file requirements.txt. Functionality was
tested with Python 3.9 and 3.10.
Install with pip3 install -r requiremets.txt. (requires pip3 to be installed)