Automated security investment analysis of dynamic networks

It is important to assess the costs and benefits of IT security investments. Typically, this is done through a manual risk assessment process. In this paper, we propose an approach to automate this assessment using graphical security models (GSMs). GSMs have been used to assess the security of networked systems using various security metrics. Most existing GSMs assume that networks are static; however, modern networks (e.g., Cloud and Software Defined Networking) are dynamic and subject to change. Thus, it is important to develop an approach that takes the dynamic aspects of networks into account. To this end, we automate security investment analysis of dynamic networks using a GSM named the Temporal-Hierarchical Attack Representation Model (T-HARM), in order to automatically evaluate security investments and their effectiveness for a given period of time. We demonstrate our approach via simulations.
