The Attack Vector That Isn't

In my last article I wrote about using a database of cyber security attacks as a (mathematical) matrix to model the effect (impact) of groups of attacks that share common characteristics, producing a risk matrix of attack groups against consequences by a simple matrix-matrix multiplication.

The key to what I did is 'linear algebra' - very well known to mathematicians who use it, but less so in other fields. A cyber-attack database lists attacks against their characteristics in a table: in linear algebra that table is a matrix, mapping characteristics to attacks - I can look up an attack in the table (by searching down, for instance, the 'ID' column) and find all its characteristics by working along its row. Some of the characteristics can be grouped into subsets: for example, Consequences (CIA) and Mechanisms (ways of attacking). The Mechanism matrix maps Mechanisms into attacks, the Consequences matrix maps attacks into Consequences: and if I have a map of Mechanisms into attacks, and a map of attacks into Consequences, then I can apply one after the other to map Mechanisms into Consequences - which is exactly what multiplying the two matrices does in linear algebra, and what I did in the last article to produce the Consequences versus Mechanisms Risk Matrix.

[Figure: Consequences versus Mechanisms Risk Matrix]
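As an added worked example (not code from the article or from its author), here is the matrix product described above carried out on a small constructed attack table: six made-up attacks, three made-up Mechanisms, and made-up 0..3 impact scores against Confidentiality, Integrity and Availability. None of it is CAPEC data and none of it is the author's figures; it shows the shape of the calculation, in plain Python with no libraries.

```python
# Added example, not code from the article. The attacks, mechanisms and
# impact scores are CONSTRUCTED for illustration; they are not CAPEC data.
from typing import Dict, List, Sequence

CONSEQUENCES = ["Confidentiality", "Integrity", "Availability"]

# Constructed attack table: one row per attack, with the Mechanism it belongs
# to and a 0..3 impact score against each of C, I and A.
ATTACKS: List[Dict] = [
    {"id": "A1", "mechanism": "Inject",  "impact": [3, 3, 1]},
    {"id": "A2", "mechanism": "Inject",  "impact": [2, 3, 0]},
    {"id": "A3", "mechanism": "Probe",   "impact": [2, 0, 0]},
    {"id": "A4", "mechanism": "Probe",   "impact": [1, 0, 0]},
    {"id": "A5", "mechanism": "Exhaust", "impact": [0, 0, 3]},
    {"id": "A6", "mechanism": "Exhaust", "impact": [0, 1, 3]},
]


def matmul(a: Sequence[Sequence[float]], b: Sequence[Sequence[float]]) -> List[List[float]]:
    """Plain matrix product: (m x n) times (n x p) gives (m x p)."""
    n = len(b)
    if any(len(row) != n for row in a):
        raise ValueError("inner dimensions must agree")
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(len(b[0]))]
            for i in range(len(a))]


def mechanism_matrix(attacks, mechanisms) -> List[List[int]]:
    """Mechanisms x Attacks: 1 where the attack belongs to the mechanism, else 0.
    Each row is one Mechanism's vector in the (here 6-dimensional) Attack Space."""
    return [[1 if atk["mechanism"] == m else 0 for atk in attacks] for m in mechanisms]


def consequence_matrix(attacks) -> List[List[int]]:
    """Attacks x Consequences: each row is one attack's (C, I, A) impact."""
    return [list(atk["impact"]) for atk in attacks]


def risk_matrix(attacks) -> Dict[str, Dict[str, int]]:
    """Mechanisms x Consequences = (Mechanisms x Attacks) . (Attacks x Consequences).
    Applying the two maps one after the other is exactly the matrix product."""
    mechanisms = sorted({atk["mechanism"] for atk in attacks})
    product = matmul(mechanism_matrix(attacks, mechanisms), consequence_matrix(attacks))
    return {m: dict(zip(CONSEQUENCES, row)) for m, row in zip(mechanisms, product)}


if __name__ == "__main__":
    for mech, scores in risk_matrix(ATTACKS).items():
        print(f"{mech:8s}", "  ".join(f"{c[0]}={v}" for c, v in scores.items()))
```

Because the Mechanism matrix here is pure membership (1 or 0), each row of the resulting risk matrix is simply the summed impact of that Mechanism's attacks. Replacing the 1s with weights (likelihood, exploitability, prevalence) changes the numbers in the risk matrix without changing the algebra at all, which is the point of casting the table as matrices.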

But for now, let's note that in linear algebra a matrix 'maps one vector space into another', and it is this property that I used. The columns of the attack matrix are vectors (each a list of values, one per attack) and the rows are also vectors (each a list of values, one per characteristic). Taken together, the columns live in one vector space and the rows in another.

Linear algebra is also familiar to people in Signal Processing, but we generally treat vectors and matrices as geometrical objects rather than in the more formal and abstract terms of linear algebra. Vectors are used a lot in communications: they are the main way in which we encode messages, encrypt them, make them resilient against noise, and devise ways of compressing or securing messages and signals. Claude Shannon, who gave communications its formal mathematical foundation, is best known for 'Shannon Entropy' and the 'Sampling Theorem': but in the same paper as the Sampling Theorem ('Communication in the Presence of Noise', 1949) he introduced the powerful concept of the 'Geometrical Representation of Signals', and it is this that I will explore here.

If you're still with me, be reassured that linear algebra - and vector spaces and matrices - are easy once you know what they are and how to use them. In fact, anyone who can point to something is already working in a vector space and anyone who can create a shopping list from a recipe is already doing linear algebra.

I will explain the basics behind this - vectors and matrices - and how we can use them to model risk in cyber security, and in doing so not only apply quantitative analysis tools but also gain intuitive and visual insight into cyber (attack) space.

As with the cyber-security Risk Matrix, a cyber 'Attack Vector' isn't really a vector: it's more of a point - a network port, a software library, a physical door lock, whatever. We probably all know vectors: they point in a direction (yes, 'point' is an overloaded word..). Vectors have length and direction, they point into a space, they are often drawn as arrows. A point (of attack) isn't a vector.

But I'm not here to attack vectors, I want to extend our understanding and use of them.

A vector is a directed line segment: it has a length and points in a direction. Drawn from the origin of a vector space, it picks out a single point in that space.

The space doesn't have to be 'real' space: it can be conceptual. For instance, Amplitude Modulation (AM) and Frequency Modulation (FM) are the commonly known ways to encode a radio transmission. Phase Modulation (PM) is used just as much but is less commonly known (in digital systems it is usually called Phase Shift Keying, PSK, but I will stick with Phase Modulation). To encode a radio signal, we can modulate its Amplitude (AM), its Frequency (FM), its Phase (PM), or any combination of two or all three.

To visualize the modulated signal, we can draw a graph showing its frequency, amplitude, and phase modulation. If we modulate all three then we can draw three graphs – one each for frequency, amplitude and phase – and, if we want, we can combine all three as three sides of a box, showing all three views at once.

[Figure: Frequency, Amplitude and Phase axes forming the three sides of a 3D 'box']

The figure shows this: there are three axes to the central diagram, each being one dimensional - a line. Each pair of axes defines a 2D surface which is like the 'side' of a 3D 'box': the 'floor' is Frequency against Phase, the left 'wall' is Phase against Amplitude, and the back 'wall' is Frequency against Amplitude.

The three modulated parameters define three ‘dimensions’ in a 3D space: and the combined modulation defines a vector that points into that space, indicating the combined effect of all three modulations.

The box creates a 3D space - the space of Frequency, Amplitude and Phase - and we can plot the position of any combination of modulations of Frequency, Amplitude and Phase as a vector, pointing to a point (sorry..) in that space.

[Figure: the symbols 101, 011 and 111 as vectors in Frequency-Amplitude-Phase space]

The diagram shows Frequency, Amplitude, Phase space with three different vectors, each labelled here with three digits giving the value along each of the three axes in the order Frequency, Amplitude, Phase. So, 101 is Frequency Modulation of 1, Amplitude Modulation of 0 and Phase Modulation of 1, a vector lying in the Frequency-Phase 2D plane that is the 'floor' of the 'box'; 011 is FM of 0, AM of 1 and PM of 1, a vector lying in the Phase-Amplitude 2D plane that is the left 'wall' of the 'box'; and 111 is FM, AM and PM all 1, which points right into the middle of the box in 3D space.

In communications, codes like 011 are called 'symbols' and the set of available symbols forms a 'constellation'. If there is noise, the received vectors get scattered in a sort of cloud around each symbol's end point: if two symbols are close, their noise clouds may overlap and the messages get muddled. So we might shift the symbols around by 'encoding' to make important messages more distant from each other. To encrypt we might shift them around according to some devious secret scheme; to compress we might move them closer together so we need only send the small differences between them instead of the whole thing; and so on.
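To put numbers on the constellation picture, here is an added example (not code from the article or its author) that places the eight 3-digit symbols at the corners of the Frequency-Amplitude-Phase unit cube, measures the minimum distance between symbols, decodes a received point to its nearest symbol, and shows how dropping half the symbols (a parity 'encoding') widens the gap so that a point the full constellation mis-decodes is recovered. The received points are constructed; a real channel would add random noise.

```python
# Added example, not code from the article. The received points below are
# CONSTRUCTED to show a clean decode, a decoding error, and its recovery.
import math
from itertools import product
from typing import Dict, Sequence, Tuple

Point = Tuple[float, float, float]


def constellation() -> Dict[str, Point]:
    """All eight 3-digit symbols, digits in the order (Frequency, Amplitude, Phase),
    each 0 or 1: the corners of the unit cube in the article's F-A-P space."""
    return {f"{f}{a}{p}": (float(f), float(a), float(p))
            for f, a, p in product((0, 1), repeat=3)}


def distance(u: Sequence[float], v: Sequence[float]) -> float:
    """Euclidean distance between two vectors: the same formula in 3 or 3 billion dimensions."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(u, v)))


def min_distance(points: Dict[str, Point]) -> float:
    """Smallest gap between any two symbols: how much noise the constellation tolerates."""
    pts = list(points.values())
    return min(distance(p, q) for i, p in enumerate(pts) for q in pts[i + 1:])


def decode(received: Sequence[float], points: Dict[str, Point]) -> str:
    """Nearest-neighbour decoding: the symbol whose point is closest to what was received."""
    return min(points, key=lambda s: distance(points[s], received))


def even_parity_subset(points: Dict[str, Point]) -> Dict[str, Point]:
    """'Encoding' for resilience: keep only symbols with an even number of 1s.
    Any two survivors differ in at least two digits, so the minimum distance
    grows from 1 to sqrt(2) at the cost of halving the alphabet."""
    return {s: p for s, p in points.items() if s.count("1") % 2 == 0}


if __name__ == "__main__":
    full, sparse = constellation(), even_parity_subset(constellation())
    print("min distance, all 8 symbols:", round(min_distance(full), 3))
    print("min distance, 4 even-parity symbols:", round(min_distance(sparse), 3))
    noisy = (0.4, 0.1, 0.9)          # constructed: 101 sent, F knocked below 0.5 by noise
    print("decoded with 8 symbols:", decode(noisy, full))     # 001: an error
    print("decoded with 4 symbols:", decode(noisy, sparse))   # 101: recovered
```

The parity subset is the simplest instance of the 'shift the symbols apart' idea: nothing about the axes changed, only which points of the space are legal symbols, and that alone buys noise margin.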

But I digress: my excuse being that I hope to show you how useful and powerful this geometric model of signals can be.

In cyber security we can also imagine 3D vectors: one obvious candidate is the infamous CIA - Confidentiality, Integrity, Availability, which is a triad of consequences. For instance, we can model the combined effect of a group of possible attacks that share a common characteristic to make a 3D CIA vector:

[Figure: CIA vectors for CAPEC Mechanisms of Attack, weighted by impact]

The figure shows the CIA vectors, weighted by impact (risk) for different CAPEC Mechanisms of Attack. (The observation that most of the vectors point in roughly similar directions tells us that their consequences aren't that different: their more varied lengths tell us their impacts do differ.)
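The observation about direction versus length can be checked numerically. The added example below (not code from the article or its author) takes constructed CIA vectors for four made-up mechanisms - not CAPEC values - and computes each vector's length (read as impact) and the angle between pairs (how alike their consequence profiles are). 'Deceive' is deliberately constructed as a scaled-down copy of 'Inject', to show what 'same direction, different length' looks like as numbers.

```python
# Added example, not code from the article. The mechanism names and CIA
# scores are CONSTRUCTED (not CAPEC values) to illustrate the geometry.
import math
from typing import Dict, Sequence, Tuple

# (Confidentiality, Integrity, Availability) per made-up mechanism.
CIA_VECTORS: Dict[str, Tuple[float, float, float]] = {
    "Inject":  (5.0, 6.0, 1.0),
    "Deceive": (2.5, 3.0, 0.5),   # same direction as Inject, half the length
    "Probe":   (3.0, 0.0, 0.0),   # pure confidentiality
    "Exhaust": (0.0, 1.0, 6.0),   # mostly availability
}


def length(v: Sequence[float]) -> float:
    """Euclidean norm: the vector's length, read in the figure as overall impact."""
    return math.sqrt(sum(x * x for x in v))


def dot(u: Sequence[float], v: Sequence[float]) -> float:
    return sum(x * y for x, y in zip(u, v))


def direction(v: Sequence[float]) -> Tuple[float, ...]:
    """Unit vector: the consequence mix with the impact scaled out."""
    n = length(v)
    return tuple(x / n for x in v)


def angle_degrees(u: Sequence[float], v: Sequence[float]) -> float:
    """Angle between two vectors: 0 means the same consequence profile, 90 means
    they touch entirely different consequences. Clamped against rounding drift."""
    c = dot(u, v) / (length(u) * length(v))
    return math.degrees(math.acos(max(-1.0, min(1.0, c))))


def compare(a: str, b: str, vectors=CIA_VECTORS) -> Dict[str, float]:
    """Separate the two things the figure shows: direction (angle) and length (ratio)."""
    u, v = vectors[a], vectors[b]
    return {"angle_deg": round(angle_degrees(u, v), 1),
            "length_ratio": round(length(u) / length(v), 3)}


if __name__ == "__main__":
    names = list(CIA_VECTORS)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            print(f"{a:8s} vs {b:8s}", compare(a, b))
```

Angle and length answer different questions: an angle near zero says two mechanisms hurt you in the same proportions, whatever their size, while the length ratio says how much harder one hits. Probe against Exhaust comes out at 90 degrees because they share no consequence at all.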

Now we come to the key point - and probably the hardest to accept, until you do, when it all becomes clear - which is that the axes of the space into which the vectors point can be anything at all that we decide: numbers, yes, but also words, symbols, peanuts or rocks if you like.

[Figure: a three-valued 'signal' as a vector in Signal Space]

The diagram shows a 'signal' - which, in Signal Processing, can be anything at all that you decide it to be - that has three values. The signal is represented as a vector in a 3D space - the Signal Space. As with the communications coding constellation, there are three vectors shown: but the key point is that the axes are whatever we say they are. In cyber security they might be CIA, which makes immediate sense: but they might be 'skill', 'pre-requisites' and 'resources' or even 'name', 'description', 'ID'. Whatever they are, they define a space - a vector space of whatever the axes are.

Once we wrap our heads around this abstraction, we should find the next key concept easy. We are not restricted to three dimensions. If you argue this is hard to conceive, I point you to GPS which is 4-dimensional: because it encodes Latitude, Longitude, Altitude - and Time. And we all use GPS without concerning ourselves unduly.

GPS introduces a useful way of viewing vector spaces with more than 3 dimensions, which is - view 3 (or fewer) at once.

[Figure: GPS track in a 3D view]

The diagram shows a GPS track in a 3D view (on a 2D screen, which gives you a clue as to how we visualize many dimensions..). This doesn't show time, but I can:

[Figure: GPS track elevation against time]

The diagram shows elevation against time. This is a 'projection' - literally, projecting the 4D shape into two dimensions, like a 2D shadow of a 3D object. We use projections all the time, like this one:

[Figure: map of the GPS track]

This diagram is a map - literally a map of the track walked. It is a projection of the 4D GPS track into the 2D map.

These visualizations - views in fewer dimensions - are key to using our very well-developed intuition and understanding of 3D space, when dealing with higher dimensional spaces: just project into fewer dimensions. Or, accept that the same rules apply in a higher dimensional space and apply those rules: distance, direction, rotation, stretching, all sorts of transformations.

We can make vectors with any number of dimensions. In Signal Processing, for instance, a vector might represent the whole sequence of a broadcast digital TV channel, pixel by pixel and sound sample by sound sample: and that might be billions of samples, and so billions of dimensions. The great insight that Shannon brought, in Geometrical Representation of Signals, was that by casting sequences and lists and messages as vectors in spaces we can apply the same rules - and the same reasoning - as we do in 3D space: and most people are really amazingly good at navigating and thinking in space.

But back to our cyber-attack space.

The CIA triad is 3D: which makes it attractively easy to understand. But the Parkerian Hexad has six Consequences, so is a 6D space: and so is the similar but different CAPEC hexad of Consequences. The CAPEC Mechanisms of Attack (MoA) group attacks with similar characteristics: there are nine of them so they define a 9D space. And there are currently 546 CAPEC cyber-attacks: so, they define a 546-dimensional Attack Space.

So the list of 546 CAPEC cyber-attacks defines an 'Attack Space' with one axis per attack, and a list of 546 values - one per attack - is the real Attack Vector: it points into the Attack Space and, for a single attack, selects that one out of all the possible attacks. If I combine attacks - for example to form a Mechanism of Attack - the sum of those Attack Vectors is a Mechanism of Attack Vector, also pointing into the Attack Space and susceptible to being interpreted and quantified: literally letting us look into the Attack Space.
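The Attack Space idea in code, as an added example that is not the author's: a constructed list of eight attack IDs stands in for the 546 CAPEC patterns. Each attack is a unit vector along its own axis, a grouping is the sum of its members' unit vectors, and the dot product then counts what two groupings have in common. The IDs and the two groupings ('Inject' as a Mechanism, 'Software' as a Domain) are made up for the illustration.

```python
# Added example, not code from the article. The attack IDs and groupings are
# CONSTRUCTED; eight made-up attacks stand in for the 546 CAPEC patterns.
from typing import Iterable, List

ATTACK_IDS = ["A1", "A2", "A3", "A4", "A5", "A6", "A7", "A8"]
N = len(ATTACK_IDS)                         # dimension of this Attack Space
INDEX = {aid: i for i, aid in enumerate(ATTACK_IDS)}


def basis(attack_id: str) -> List[int]:
    """One attack as a vector: a 1 on its own axis, 0 everywhere else.
    This is the 'real Attack Vector': it selects one attack out of all of them."""
    v = [0] * N
    v[INDEX[attack_id]] = 1
    return v


def group_vector(members: Iterable[str]) -> List[int]:
    """A grouping of attacks (a Mechanism of Attack, a Domain, a threat actor's
    repertoire...) is the sum of its members' basis vectors."""
    total = [0] * N
    for m in members:
        for i, x in enumerate(basis(m)):
            total[i] += x
    return total


def dot(u: List[int], v: List[int]) -> int:
    return sum(x * y for x, y in zip(u, v))


def size(g: List[int]) -> int:
    """Squared length of a group vector = how many attacks it contains."""
    return dot(g, g)


def shared_attacks(g1: List[int], g2: List[int]) -> int:
    """Dot product of two group vectors = how many attacks they have in common."""
    return dot(g1, g2)


def members(g: List[int]) -> List[str]:
    """Read a group vector back out as attack IDs."""
    return [ATTACK_IDS[i] for i, x in enumerate(g) if x]


def project(g: List[int], axes: Iterable[str]) -> List[int]:
    """Projection onto a few chosen attack axes: the 'view in fewer dimensions'
    used with the GPS track, applied to the Attack Space."""
    return [g[INDEX[a]] for a in axes]


if __name__ == "__main__":
    inject = group_vector(["A1", "A2", "A3"])            # a made-up Mechanism
    software = group_vector(["A2", "A3", "A5", "A7"])    # a made-up Domain
    print("Inject   ", inject, "attacks:", size(inject))
    print("Software ", software, "attacks:", size(software))
    print("in both  ", shared_attacks(inject, software),
          members([a * b for a, b in zip(inject, software)]))
```

With 546 axes the lists get long but nothing else changes: the same dot product counts overlaps between any two groupings, and the same projection pulls out a handful of attacks to look at.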

This model of Attack Vectors and the Attack Space is far richer in interpretive meaning, visualization and calculation than just saying which port is attacked.

But to take this further we need to understand how a matrix maps vector spaces, and I will deal with that in my next article: "Matrix as Shopping List".

More articles by Chris Bore