Probabilistic Obstruction Temporal Logic:
a Probabilistic Logic to Reason about Dynamic Models

The contribution is structured as follows. Theoretical background is presented in Section 2. In Section 3, we present the syntax and the semantics of our new logic, called Probabilistic Obstruction Temporal Logic (POTL). In Section 4, we show our model checking algorithm and prove that the model checking problem for POTL is decidable in polyonimal-time. In section 5, we present an illustrative example related to the cybersecurity analysis. In Section 6, we compare our approach to related work. Finally, Section 7 concludes and presents possible future directions.

Let $\mathbb{N}$ be the set of natural numbers, we refer to the set of natural numbers containing $0$ as $\mathbb{N}_{\geq 0}$, $\mathbb{R}_{\geq 0}$ the set of non-negative reals and $\mathbb{Z}$ the set of integers. Let $X$ and $Y$ be two sets and $|X|$ denotes its cardinality. The set operations of intersection, union, complementation, set difference, and Cartesian product are denoted $X$ $\cap$ $Y$, $X$ $\cup$ $Y$, $\overline{X}$, $X$ $\setminus$ $Y$, and $X$ $\times$ $Y$, respectively. Inclusion and strict inclusion are denoted $X$ $\subseteq$ $Y$ and $X$ $\subset$ $Y$, respectively. The empty set is denoted $\emptyset$. Let $\pi=x_{1},\ldots,x_{n}$ be a finite sequence, $last(\pi)$ denotes the last element $x_{n}$ of $\pi$.

Let $Q$ be a finite set and $\mu:Q\to[0,1]$ be a probability distribution function over $Q$ such that $\sum_{q\in Q}$ $\mu(q)=1$. We denote by $\mathcal{D}(Q)$ the set of all such distributions over $Q$. For a given $\mu$ $\in$ $\mathcal{D}(Q)$, $supp(\mu)$ = $\{q\in Q\mid\mu(q)>0\}$ is called the support of $\mu$. The standard notation of a probability space is a triple $(\Omega,\mathcal{F},\textsf{Pr})$, where $\Omega$ is a sample space that represents all possible outcomes, $\mathcal{F}\subseteq\mathcal{P}(\Omega)=2^{\Omega}$ is a $\sigma$-algebra over $\Omega$, i.e., it includes the empty subset, and it is closed under countable unions and complement, and Pr: $\mathcal{F}\to[0,1]$ is a probability measure over $(\Omega,\mathcal{F})$. We denote the set of all finite and infinite sequences of elements of $Q$ by $Q^{+}$ and $Q^{*}$, respectively.

A malicious attack is defined as an attempt by an attacker to gain unauthorized access to resources or compromise the integrity of the system. In this context, the Attack Graph (AG) (Kaynar 2016) is a widely recognized and increasingly popular attack model. By leveraging an AG, it is possible to model interactions between an attacker and a defender who dynamically deploys Moving Target Defense (MTD) mechanisms (Cho et al. 2020). MTD mechanisms, such as Address Space Layout Randomization (ASLR) (Marco-Gisbert and Ripoll Ripoll 2019), are active defenses that use partial system reconfiguration to alter the attack surface and reduce the chances of success of the attack. However, activating an MTD countermeasure impacts system performance: during reconfiguration, system services may be partially or completely unavailable. Thus, it is crucial to select MTD deployment strategies that minimize both residual cybersecurity risks and the negative impact on system performance. However, despite the progress made in the field of AG (Kaynar 2016; Catta, Leneutre, and Malvone 2023a) none of them takes into account some of the uncertainties in the network. Probabilistic Attack Graphs (PAG) are AG enriched with probabilities that model the likelihood of compromise of each node in the graph based on their specific characteristics (Li et al. 2022; Milani et al. 2020).

A PAG can be viewed as a Probabilistic Kripke Structure (PKS). Now, we will formally define PKS, the Kripke structure that is used to represent all the possible attacks on a networked system.

A KS can be extended via MC (Kleinberg 2012) to define Probabilistic Kripke Structure (PKS) as follows.

A path $\pi$ over $\mathcal{G}$ is a finite or infinite sequence of states $\pi$ = $q_{0},q_{1},q_{2},\ldots$ starting in the initial state $q_{0}$ that are built by consecutive steps, i.e., $\mathbf{P}(q_{i},q_{i+1})>0$ for all $i\in\mathbb{N}$. We write $\pi_{i}$ to denote the $i$-th element $q_{i}$ of $\pi$, $\pi_{\leq i}$ to denote the prefix $q_{0},\ldots,q_{i}$ of $\pi$, and $\pi_{\geq i}$ to denote the suffix $q_{i},q_{i+1}\ldots$ of $\pi$. The set of all finite paths starting from $q\in Q$ in the model $\mathcal{G}$ is denoted by $\textsf{Paths}_{\mathcal{G},q}^{+}$, and the set of all infinite paths starting from $q$ is denoted by $\textsf{Paths}_{\mathcal{G},q}^{*}$. A history $h$ is any finite prefix of some path. We use $H$ to denote the set of histories. Write $last(h)$ for the last state of a history $h$.

We need to measure the probability of certain sets of paths. Formally, to every $q$ $\in$ $Q$ we associate the probability space $(\Omega,\mathcal{F},\textsf{Pr})$ where $\mathcal{F}$ is the $\sigma$-algebra generated by all basic cylinders sets of paths called cylinder sets, which gather all paths sharing a given finite prefix (i.e., $\textsf{Prefix}(\pi)$). Given a finite path $\hat{\pi}$ = $q_{0},q_{1},\ldots,q_{n}$ of states, the cylinder set of $\hat{\pi}$, denoted $\textsf{Cyl}(\hat{\pi}$) = $\{\pi\in\textsf{Paths}_{\mathcal{G},q_{0}}^{*}\mid\hat{\pi}\in\textsf{Prefix}(\pi)\}$, is the set of infinite paths $\pi=q_{0},q_{1},\cdots,q_{n},\cdots$, where $\hat{\pi}$ is a prefix of $\pi$. The set of infinite paths is supposed to be equipped with the $\sigma$-algebra generated by the cylinder sets of the finite paths and the probability measure given by $\textsf{Pr}_{\mathcal{G}}^{q_{0}}$$(\textsf{Cyl}(\hat{\pi}))$ = $\prod_{i=0}^{n-1}\mathbf{P}(q_{i},q_{i+1})$. The extension of $\textsf{Pr}_{\mathcal{G}}^{q}$ from cylinders to the $\sigma$-algebra they generate is unique, and we still denote it $\textsf{Pr}_{\mathcal{G}}^{q}$. Note that not all sets of paths are measurable with respect to $\textsf{Pr}_{\mathcal{G}}^{q}$, but the sets we will consider in this paper are simple enough to avoid such difficulties. For the mathematical details of the underlying $\sigma$-algebra and probability measure refer to (Baier and Katoen 2008).

Let $\mathcal{G}$ be a PKS and $q$ $\in$ $Q$ be one of its states, $\textsf{pre}(q)$ denotes the set of predecessors of $q$, i.e., $\textsf{pre}(q)=\{q^{\prime}\in Q\mid\mathbf{P}(q^{\prime},q)>0\}$. Similarly, $\textsf{post}(q)$ denotes the set of successors of $q$, i.e., $\textsf{post}(q)=\{q^{\prime}\in Q\mid\mathbf{P}(q,q^{\prime})>0\}$, and $\textsf{E}(q)$ denotes its outgoing edges $\textsf{E}(q)=\{e\in Q\times Q\mid e=(q,q^{\prime})\text{ for some $q^{\prime}\in Q$ and }\mathbf{P}(q,q^{\prime})>0\}$.

Let $\mathcal{M}$ be a model, $Q$ be states in $\mathcal{M}$, $\mathsf{C}$ is the function cost and $n$ be a natural number, a $n$-strategy is a function $\mathfrak{S}:H\to 2^{Q\times Q}$ that, given a history $h$, returns a subset $T\in Q\times Q$, such that: (i) $T\subset\textsf{E}(last(h))$, (ii) $(\sum_{e\in T}\mathsf{C}(e))\leq n$. A memoryless n-strategy is a n-strategy $\mathfrak{S}$ such that for all histories $h$ and $h^{\prime}$ if $last(h)=last(h^{\prime})$ then $\mathfrak{S}(h)=\mathfrak{S}(h^{\prime})$. A memoryless n-strategy can be seen as a function whose domain is the set $Q$ of states of a model $\mathcal{M}$. As in ATL logic, the notion of a path that is compatible with a strategy is central to the semantics of Probabilistic Obstruction Logic (POTL) formulas. We define this notion by saying that a path $\pi$ is compatible with an n-strategy $\mathfrak{S}$ if for all $i\geq 1$ we have that $(\pi_{i},\pi_{i+1})\notin\mathfrak{S}(\pi_{\leq i})$. The set of outcomes of an $n$-strategy $\mathfrak{S}$ and state $q$ is denoted as $\textsf{Out}(q,\mathfrak{S})$ and it returns the set of all paths that can result from a strategy $\mathfrak{S}$ and a state $q$. As said in the introduction, our logic (POTL) aims to capture strategies for a particular type of game played over a POTS, in such games, one of the two players (the Demon) has the power to temporally deactivate some transitions of the model. We now introduce the syntax of our logic.

In the above syntax, we distinguish between state formulas $\varphi$ and path formulas $\theta$. State formulas are evaluated over states and path formulas over paths. A model property is always expressed as a state formula, path formulas appear only as parameters of the probabilistic path operator $\langle\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}\rangle\theta$. The operators $X$ (next), $\,\mathsf{U}\,^{\leq m}$ (bounded until), $\,\mathsf{U}\,$ (until), $\,\mathsf{R}\,^{\leq m}$ (bounded release), and $\,\mathsf{R}\,$ (release), which are standard in temporal logic, are allowed as path formulas. The number $n$ is called the grade of the strategic operator. The boolean connectives $\bot$, $\vee$ and $\to$ can be defined as usual, we define $\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle\mathsf{F}\varphi:=\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle(\top\,\mathsf{U}\,\varphi)$, $\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle\mathsf{G}\,\varphi:=\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle(\bot\,\mathsf{R}\,\varphi)$ and $\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle(\varphi\,\mathsf{W}\,\psi):=\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle(\psi\,\mathsf{R}\,(\varphi\vee\psi))$. The size $|\varphi|$ of a formula $\varphi$ is the number of its connectives. The intuitive meaning of a formula $\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}^{\bowtie k}}\rangle\varphi$ with $\varphi$ temporal formula is “there is a demonic strategy such that all paths of the graphs that are compatible with the strategy satisfy $\varphi$ with a probability in relation $\bowtie$ with constant $k$” where “demonic strategy” means “a strategy for disabling arcs”. Formulas of POTL can be interpreted over POTS. We can now precisely define the semantics of POTL formulas.

Let $\varphi$ be a formula and $\mathcal{M}$ be a model, then Sat$({\varphi},\mathcal{M})$ denotes the set of states of $\mathcal{M}$ verifying $\varphi$, i.e., Sat$(\varphi,\mathcal{M})=\{q\in Q\ \,|\,\ \mathcal{M},q\models\varphi\}$. Two formulas $\varphi$ and $\psi$ are equivalent (denoted by $\varphi\equiv\psi$) if for all models $\mathcal{M}$, Sat$(\varphi,\mathcal{M})$ = Sat$(\psi,\mathcal{M})$ The semantics of the obstruction probabilistic operator $\langle{\textbf{\raisebox{2.15277pt}{\makebox[0.0pt][l]{\rule[-0.2pt]{3.22916pt}{0.4pt}}\makebox[3.22916pt]{\rule[-2.15277pt]{0.4pt}{6.45831pt}}}}_{n}}^{\bowtie k}\rangle$ refers to the probability for the sets of paths for which a path formula holds. To ensure that this is well-defined, we need to establish that the events specified by POTL path formulas are measurable. Since the set $\{\pi\in\textsf{Out}(q,\mathfrak{S})\mid\mathcal{M},\pi\models\varphi\}$ for POTL path formula $\varphi$ can be considered as a countable union of cylinder sets, its measurability is ensured. This follows from the following lemma.