Security modelling and assessment of modern networks using time independent Graphical Security Models

Graphical Security Models (GSMs), such as Attack Graphs, are used to assess the security of networks, but they are often limited to assessing the security of a given network state (i.e., a snapshot at the current time). To address this issue, we develop a GSM named the Time-independent Hierarchical Attack Representation Model (TI-HARM), which analyses the security of multiple network states combined, taking into account the time duration of each network state and the visibility of the network components (e.g., hosts and edges). We also develop a new security rating system for dynamic networks to evaluate their changing security posture. Lastly, we present an approach that utilises the functionalities of the TI-HARM to compute globally optimal defence solutions for dynamic networks. Our experimental results show that the TI-HARM can model and analyse the security of multiple states of dynamic networks, which existing GSMs have mostly assumed to be static. We also found that the TI-HARM can effectively compute globally optimal security solutions, whereas existing models focus only on locally optimal solutions. Our proposed approach could therefore help security administrators to better understand the security posture of dynamic networks and to enhance security while taking into account multiple changes in those networks.
