Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment

Assessing the overall security of a network requires a thorough understanding of the interconnections between host vulnerabilities. In this paper, Bayesian attack graphs are used to model the interconnections between vulnerabilities that enable an attacker to reach a particular goal. To estimate the success probability of exploiting a vulnerability, its temporal characteristics are used alongside its inherent characteristics, giving a more accurate estimate for the time at which the risk assessment is performed. Since the impact of exploiting a vulnerability varies from one organization's environment to another, environmental factors that affect the security goals of confidentiality, integrity and availability are also considered, which leads to a more precise assessment. Finally, the risk of each asset being compromised is calculated by multiplying the unconditional probability of penetrating that asset by its resulting impact. The experimental results show that the proposed method effectively reduces the security risk in a test network in comparison with similar works.
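As an added worked example (not code from the paper), the following Python models the pipeline the abstract describes: a per-exploit success probability from the CVSS v2 exploitability subscore discounted by the temporal metrics, an impact weighted by environmental confidentiality/integrity/availability requirements, forward propagation over a small Bayesian attack graph, and risk as probability times impact. Mapping the exploitability subscore to a probability, the noisy-OR/AND combination rule and the three-host sample network are this example's assumptions; the abstract does not give the paper's exact equations.

```python
from math import prod
# CVSS v2 temporal multipliers (E, RL, RC) and environmental requirement weights (CR/IR/AR).
EXPLOIT = {"U": 0.85, "POC": 0.90, "F": 0.95, "H": 1.00}
REMED = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.00}
CONF = {"UC": 0.90, "UR": 0.95, "C": 1.00}
REQ = {"L": 0.50, "M": 1.00, "H": 1.51}

def exploit_probability(av, ac, au, e="H", rl="U", rc="C"):
    """One exploitation's success probability: CVSS v2 exploitability subscore
    (20*AV*AC*Au, 0..10) scaled to [0, 1] (this example's assumption), then
    discounted by the temporal metrics to reflect its state at assessment time."""
    return min(20 * av * ac * au / 10.0, 1.0) * EXPLOIT[e] * REMED[rl] * CONF[rc]

def environmental_impact(c, i, a, cr="M", ir="M", ar="M"):
    """CVSS v2 adjusted impact: C/I/A sub-impacts weighted by the organisation's
    requirement ratings, capped at 10."""
    adj = 10.41 * (1 - (1 - c * REQ[cr]) * (1 - i * REQ[ir]) * (1 - a * REQ[ar]))
    return min(adj, 10.0)

def propagate(graph, order):
    """Unconditional compromise probability per node, visited in topological order.
    graph: node -> (kind, {parent: edge_probability}); 'OR' = any parent suffices
    (noisy-OR), 'AND' = all required (product). Parents are treated as independent:
    exact for trees, an approximation when two parents share an ancestor."""
    p = {}
    for node in order:
        kind, edges = graph[node]
        if not edges:                      # the attacker's starting position
            p[node] = 1.0
        elif kind == "OR":
            p[node] = 1 - prod(1 - p[src] * pe for src, pe in edges.items())
        else:
            p[node] = prod(p[src] * pe for src, pe in edges.items())
    return p

def asset_risk(graph, order, impacts):
    """Risk of each asset = unconditional probability of compromise x its impact."""
    return {n: p * impacts[n] for n, p in propagate(graph, order).items() if n in impacts}

def sample_assessment():
    """Constructed three-host network; CVSS vectors are illustrative, not real CVEs."""
    p_web = exploit_probability(1.000, 0.71, 0.704, e="F", rl="OF", rc="C")     # remote, fix out
    p_file = exploit_probability(0.646, 0.61, 0.560, e="POC", rl="TF", rc="UR")  # adjacent, PoC
    p_db = exploit_probability(0.395, 0.35, 0.560, e="U", rl="W", rc="C")        # local, unproven
    graph = {"attacker": ("OR", {}), "web": ("OR", {"attacker": p_web}),
             "file": ("OR", {"attacker": p_file, "web": p_file}), "db": ("AND", {"web": p_db, "file": p_db})}
    impacts = {"web": environmental_impact(0.275, 0.275, 0.660, cr="L", ir="M", ar="H"),
               "file": environmental_impact(0.660, 0.660, 0.275, cr="H", ir="H", ar="L"),
               "db": environmental_impact(0.660, 0.660, 0.660, cr="H", ir="H", ar="M")}
    return asset_risk(graph, ["attacker", "web", "file", "db"], impacts)
```

Re-running `sample_assessment()` after a vendor fix ships (RL moving from "U" to "OF") or a requirement rating changes shows how the temporal and environmental inputs move the per-asset risk without touching the graph itself.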