Attack-Defense Utility Quantification And Security Risk Assessment

With the development of attack and defense technology, the cyber environment has become increasingly sophisticated. We fail to give an accurate evaluation of the network security situation because we lack a quantitative assessment of attack-defense behaviors. In response, we extended the attack-defense stochastic game model (ADSGM) in terms of its utility calculation to evaluate attack-defense behaviors more accurately. Moreover, we analyzed the different defensive capabilities of distinct defense mechanisms and put forward a corresponding utility calculation that accounts for these capabilities. Through a case study, we showed the impact of defense capabilities as well as of the attack time we defined, demonstrating the effectiveness of our methods for quantifying attack-defense behavior. This paper fills the gap in the quantitative assessment of defensive measures, making the quantitative evaluation of attack and defense more comprehensive and accurate.
