Network vulnerability assessment using Bayesian networks

While computer vulnerabilities have been continually reported in laundry-list format by most commercial scanners, a comprehensive network vulnerability assessment has been an increasing challenge to security analysts. Researchers have proposed a variety of methods to build attack trees with chains of exploits, based on which post-graph vulnerability analysis can be performed. The most recent approaches attempt to build attack trees by enumerating all potential attack paths, which are space consuming and result in poor scalability. This paper presents an approach to use Bayesian network to model potential attack paths. We call such graph as "Bayesian attack graph". It provides a more compact representation of attack paths than conventional methods. Bayesian inference methods can be conveniently used for probabilistic analysis. In particular, we use the Bucket Elimination algorithm for belief updating, and we use Maximum Probability Explanation algorithm to compute an optimal subset of attack paths relative to prior knowledge on attackers and attack mechanisms. We tested our model on an experimental network. Test results demonstrate the effectiveness of our approach.

[1]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[2]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[3]  Cynthia A. Phillips,et al.  Computer-attack graph generation tool , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[4]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng..

[5]  A. Hasman,et al.  Probabilistic reasoning in intelligent systems: Networks of plausible inference , 1991 .

[6]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[7]  Brendan J. Frey,et al.  Graphical Models for Machine Learning and Digital Communication , 1998 .

[8]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[9]  Somesh Jha,et al.  Two formal analyses of attack graphs , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[10]  Rina Dechter,et al.  Bucket elimination: A unifying framework for probabilistic inference , 1996, UAI.