Graph algorithms for MAL attack graphs generated by mal-toolbox.

beatajoh/mal-traverser

Overview

Interactive tool for applying graph algorithms to MAL attack graphs generated by mal-toolbox.

Contact: Beata Johansson, [email protected]

Installation

Virtual environment

Set up a virtual environment with necessary dependencies.

python -m venv env
source env/bin/activate
pip install mal-toolbox
pip install py2neo

Note: You need Python >= 3.9; the later the version, the better.

Set up the Neo4j database

We need an open Neo4j instance running with a database with the following credentials:

  • username: neo4j
  • password: mgg12345!
  • dbname: neo4j

Note that the Neo4j project name and the DBMS name used within the project are irrelevant. What matters is that the password matches, because the username and the database name are left at their default values.

Usage

Run the tool with:

python main.py

Graph traversal algorithms

| Algorithm | Description |
| --- | --- |
| Step by step attack | Simulate the attack path from the attacker node by manually choosing which nodes to compromise. |
| Shortest path Dijkstra | Get the shortest path from the attacker node to a target attack step. |
| Random path | Get a random path of attack steps. It is possible to search for a target attack step or add a cost budget for the attacker. |
| BFS | Get a subgraph where all nodes are within the cost budget of the attacker in all directions. Note that the attack graph logic is not considered. |
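
The BFS note above affects how the resulting subgraph should be read. The following added example (not code from mal-traverser; the graph, step names, costs and function names are constructed, and it assumes per-step costs accumulated along child edges only) compares a budget-bounded search that ignores and/or logic with the same result filtered by step prerequisites.

```python
import heapq

# Constructed sample graph (not model.json): step -> (type, cost, children).
# An "and" step needs every parent compromised; an "or" step needs only one.
STEPS = {
    "Attacker:entry":    ("or", 0, ["User:1:phishing", "Host:2:scan"]),
    "User:1:phishing":   ("or", 2, ["Creds:3:use"]),
    "Host:2:scan":       ("or", 1, ["Host:2:exploit"]),
    "Creds:3:use":       ("or", 3, ["Host:2:fullAccess"]),
    "Host:2:exploit":    ("or", 8, ["Host:2:fullAccess"]),
    "Host:2:fullAccess": ("and", 1, ["Data:4:read"]),
    "Data:4:read":       ("or", 2, []),
}

def within_budget(steps, entry, budget):
    """Cheapest cumulative cost to each step within budget, ignoring and/or logic."""
    best = {entry: 0}
    heap = [(0, entry)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue  # stale heap entry
        for child in steps[node][2]:
            new_cost = cost + steps[child][1]
            if new_cost <= budget and new_cost < best.get(child, float("inf")):
                best[child] = new_cost
                heapq.heappush(heap, (new_cost, child))
    return best

def apply_logic(steps, entry, reached):
    """Keep only the reached steps whose and/or prerequisites are also kept."""
    parents = {n: [p for p in steps if n in steps[p][2]] for n in steps}
    kept = {entry}
    changed = True
    while changed:  # grow from the entry point until nothing new qualifies
        changed = False
        for node in reached:
            if node in kept:
                continue
            need = all if steps[node][0] == "and" else any
            if need(p in kept for p in parents[node]):
                kept.add(node)
                changed = True
    return kept

if __name__ == "__main__":
    reached = within_budget(STEPS, "Attacker:entry", 8)
    print("ignoring logic:", sorted(reached))
    print("with and/or logic:", sorted(apply_logic(STEPS, "Attacker:entry", reached)))
```

With a budget of 8 the logic-free search reports Host:2:fullAccess and Data:4:read as reachable, although the "and" step's second parent (Host:2:exploit) is outside the budget, so a subgraph produced this way is an upper bound on what the attacker can reach.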

Example to get started for a coreLang attack graph

  1. Run the program with python main.py.
  2. Now you can choose the algorithm to apply from the command line.
  3. Select an algorithm.
  4. Input an example from the Examples section below. Note: The attacker and its entry points for all simulations are fixed in the code and are specific to a model, so they will need to be modified.
  5. Run the query match (n) return n in Neo4j to see the output path.

Examples

Random path input example:

  • Leave target and attacker cost budget empty.
  • Set target to Data:4:accessDecryptedData (this is a reachable node), and leave attacker cost budget empty or try with limited cost budget e.g. 10.
  • The target should be in the path, and running the random path twice with the same input is unlikely to give the same path or cost.

Shortest path Dijkstra input example:

  • Set target to Data:4:accessDecryptedData (this is a reachable node).
  • The target should be in the path, and the cost is 64.

Tests for coreLang attack graph

The file test.py contains tests for the Shortest path Dijkstra and the Random path algorithms in the model.json coreLang attack graph. Run the test file with python test.py. These test cases use special settings of node necessity, node viability, attacker entry points, target nodes, and attacker cost budgets.

TTC

To use Time-To-Compromise (TTC) for attack steps, instantiate the AttackSimulation object with use_ttc=True.
