Selecting optimal countermeasures for attacks against critical systems using the attack volume model and the RORI index

The quantification of the impact of attacks and security countermeasures is an active research area in the information and communications technology domain. Supporters of the Return On Investment (ROI), and all its variants, propose quantitative models whose parameters are estimated from expert knowledge, statistical data, simulation and risk assessment tools. Although the results are used only for relative comparisons, a great deal of subjectivity enters the estimation of each parameter composing the model. In single-attack scenarios, cost-sensitive metrics allow the evaluation and selection of security countermeasures. However, for attacks against critical infrastructures, this approach is not accurate enough to determine the impact of the equipment, subjects and/or actions that take part in a security incident. This paper therefore proposes a geometrical model that represents the volume of systems, attacks and countermeasures in a three-dimensional coordinate system (i.e., user, channel, and resource). As a result, volumes are related to risks, making it possible to select optimal countermeasures against complex attacks based on a cost-sensitive metric. A case study on a critical infrastructure control process is provided at the end of the paper to show the applicability of our model in a scenario with two attacks.
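The following is an added illustration of the idea in the abstract, not code from the paper: system, attack and countermeasure volumes are laid out in the (user, channel, resource) space, the part of each attack volume that a countermeasure covers gives its mitigation level, and a cost-sensitive index picks the best combination for a two-attack scenario. Two things are assumptions of this example rather than facts from the page: every volume is an axis-aligned box over integer ranges (the paper's geometry is richer), and the index is written in the RORI form used in the RORI literature, (sum of ALE_i x RM_i minus ARC) / (ARC + AIV) x 100, with ALE, ARC and AIV values constructed for the example.

```python
"""Attack-volume model and RORI-style countermeasure selection (added example,
constructed data; the axis-aligned box geometry and the RORI expression are
assumptions of this example, not taken from the page)."""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass(frozen=True)
class Box:
    """Axis-aligned region of the (user, channel, resource) space.

    Each axis is a half-open integer range (lo, hi), so the volume is the
    number of unit cells. Boxes are an assumed simplification of the model.
    """
    name: str
    user: tuple
    channel: tuple
    resource: tuple
    cost: float = 0.0  # annual response cost (ARC); used for countermeasures only

    def cells(self):
        """Set of unit cells (u, c, r) that make up the box."""
        return set(product(range(*self.user), range(*self.channel), range(*self.resource)))

    def contains(self, cell):
        u, c, r = cell
        return (self.user[0] <= u < self.user[1]
                and self.channel[0] <= c < self.channel[1]
                and self.resource[0] <= r < self.resource[1])


def coverage(system, attack, measures):
    """Risk-mitigation level RM: fraction of the attack volume (clipped to the
    system volume) that lies inside at least one countermeasure volume."""
    attack_cells = {c for c in attack.cells() if system.contains(c)}
    if not attack_cells:
        return 0.0
    covered = {c for c in attack_cells if any(m.contains(c) for m in measures)}
    return len(covered) / len(attack_cells)


def rori(system, attacks, ale, aiv, measures):
    """Cost-sensitive index for a set of countermeasures.

    Assumed form (from the RORI literature, not defined on this page):
        RORI = (sum_i ALE_i * RM_i - ARC) / (ARC + AIV) * 100
    ALE_i: annual loss expectancy of attack i; RM_i: its mitigation level;
    ARC: combined annual response cost; AIV: annual infrastructure value.
    """
    arc = sum(m.cost for m in measures)
    mitigated = sum(ale[a.name] * coverage(system, a, measures) for a in attacks)
    return (mitigated - arc) / (arc + aiv) * 100.0


def select_best(system, attacks, ale, aiv, candidates, max_combo=3):
    """Score every combination of up to max_combo countermeasures and return
    (names, rori) of the best; the empty set (do nothing) scores 0."""
    best = ((), 0.0)
    for k in range(1, max_combo + 1):
        for combo in combinations(candidates, k):
            score = rori(system, attacks, ale, aiv, combo)
            if score > best[1]:
                best = (tuple(m.name for m in combo), score)
    return best


# Constructed scenario (all numbers invented for illustration): one control
# network, two concurrent attacks and three candidate countermeasures.
SYSTEM = Box("control network", user=(0, 10), channel=(0, 8), resource=(0, 6))
ATTACKS = [
    # A1: a few operator accounts abusing the engineering channels
    Box("A1", user=(2, 5), channel=(0, 3), resource=(0, 4)),
    # A2: remote accounts reaching historian/PLC resources over remote channels
    Box("A2", user=(6, 10), channel=(4, 8), resource=(2, 6)),
]
ALE = {"A1": 100.0, "A2": 200.0}   # annual loss expectancy per attack
AIV = 500.0                        # annual infrastructure value
COUNTERMEASURES = [
    Box("C1", user=(2, 5), channel=(0, 8), resource=(0, 6), cost=20.0),   # lock the suspect accounts
    Box("C2", user=(0, 10), channel=(4, 8), resource=(0, 6), cost=30.0),  # block the remote channels
    Box("C3", user=(0, 10), channel=(0, 8), resource=(3, 6), cost=50.0),  # isolate sensitive resources
]

if __name__ == "__main__":
    for m in COUNTERMEASURES:
        rms = [coverage(SYSTEM, a, [m]) for a in ATTACKS]
        print(f"{m.name}: RM(A1)={rms[0]:.2f} RM(A2)={rms[1]:.2f} "
              f"RORI={rori(SYSTEM, ATTACKS, ALE, AIV, [m]):.1f}%")
    names, score = select_best(SYSTEM, ATTACKS, ALE, AIV, COUNTERMEASURES)
    print("best combination:", names, f"RORI={score:.1f}%")
```

With these constructed values C1 fully covers A1 and C2 fully covers A2, so the pair C1+C2 scores highest; adding C3 to that pair lowers the index because it adds cost without covering any attack cell the pair does not already cover, and C3 alone, although it touches both attacks, covers only 25% of A1. That is the point of a cost-sensitive metric over raw coverage: the geometry says how much of each attack a measure removes, and the index decides whether removing it is worth its cost.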
