A research program consisting of several interconnected research projects in cybersecurity modeling is described. First, a public database of known cyberattack patterns is automatically processed to generate executable cyberattack component models, one for each attack pattern. The models are expressed using a form of Petri nets extended with additional features specific to modeling cyberattacks, including representations of the attacker and defender, their strategies, and the cost of their actions. Second, because the cyberattack pattern database used in the first project to generate the cyberattack component models describes the attacks in an attacker-centric manner, the cyberattack component models are enhanced to include defender actions and responses and representations of normal user activities on the computer system. Third, subsets of the cyberattack component models that have been previously generated and stored in a repository are automatically selected and composed (linked) to form a complete model of a particular target computer system. Fourth, the assembled composite cyberattack model is verified and validated as an accurate model of the specific cyberattacks and the target computer system. This process uses application-relevant verification and validation methodologies. Finally, the validated cyberattack model is executed in order to simulate cyberattacks on the target computer system. Multiple simulation iterations are used to drive reinforcement learning methods that automatically improve strategies to attack or defend the target computer system.
Citation
Petty, M. D., Whitaker, T. S., Bearss, E. M., Bland, J. A., Cantrell, W. A., Colvett, C. D., & Maxwell, K. P. (2022). Modeling cyberattacks with extended Petri nets. In Proceedings of the 2022 ACMSE Conference - ACMSE 2022: The Annual ACM Southeast Conference (pp. 67–73). Association for Computing Machinery, Inc. https://doi.org/10.1145/3476883.3520209