论文信息 - A New Risk Assessment Framework Using Graph Theory for Complex ICT Systems

A New Risk Assessment Framework Using Graph Theory for Complex ICT Systems

In this paper, we propose a new risk analysis framework that enables to supervise risks in complex and distributed systems. Our contribution is twofold. First, we provide the Risk Assessment Graphs (RAGs) as a model of risk analysis. This graph-based model is adaptable to the system changes over the time. We also introduce the potentiality and the accessibility functions which, during each time slot, evaluate respectively the chance of exploiting the RAG's nodes, and the connection time between these nodes. In addition, we provide a worst-case risk evaluation approach, based on the assumption that the intruder threats usually aim at maximising their benefits by inflicting the maximum damage to the target system (i.e. choosing the most likely paths in the RAG). We then introduce three security metrics: the propagated risk, the node risk and the global risk. We illustrate the use of our framework through the simple example of an enterprise email service. Our framework achieves both flexibility and generality requirements, it can be used to assess the external threats as well as the insider ones, and it applies to a wide set of applications.

[1] Xinming Ou,et al. A scalable approach to attack graph generation , 2006, CCS '06.

[2] Duminda Wijesekera,et al. Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[3] Elwood S. Buffa,et al. Graph Theory with Applications , 1977 .

[4] Alexander Schrijver,et al. Combinatorial optimization. Polyhedra and efficiency. , 2003 .

[5] Karen Scarfone,et al. Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[6] 백응기. [국외 광기술 연구ㆍ개발 현황] NIST(National Institute of Science and Technology) , 1999 .

[7] Atul Prakash,et al. Distilling critical attack graph surface iteratively through minimum-cost SAT solving , 2011, ACSAC '11.

[8] Cynthia A. Phillips,et al. A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[9] Wei Huang,et al. Toward optimal multi-objective models of network security: Survey , 2011, The 17th International Conference on Automation and Computing.