Multilayered Impact Evaluation Model for Attacking Missions

In practical application scenarios, directly attacking a target system to test the impact of attack methods may expose the attacker's intent and make the attack method difficult to evaluate. Therefore, it is essential to design a controllable target range for testing and evaluating attack impact. In this paper, we construct an attack test platform to evaluate the attack impact of different attack tools or combinations of these tools. Based on the “vulnerability-asset-service-mission” (VASM) relationship, we design a multilayered evaluation model, VASM, with a four-layer information structure: from bottom to top, the vulnerability layer, asset layer, service layer, and mission layer. Considering that each asset may have one or more vulnerabilities, we score the attack impact on each asset based on attack probability and vulnerability and calculate the operational capacity of the asset after an attack. Since a service may be provided jointly by one or more assets, we calculate the attack impact on services using the dependencies among assets. The attack impact is transmitted layer by layer from bottom to top through the dependencies among nodes, which finally yields the attack impact on missions. We use an actual logistics management and tracking system as the target range and verify the effectiveness and validity of our evaluation model, VASM, on goods delivery. Experimental results show that VASM can not only assess the attack impact directly but also conforms accurately to actual situations.
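The bottom-up propagation described above can be sketched as follows. This is an added example, not code from the paper: the abstract gives no formulas, so the scoring rule (capacity lost = probability × severity), the "all"/"any" service dependencies, the mission weights, and every name and number are assumptions constructed for illustration. It also ranks which single remediation lowers mission impact most.

```python
from math import prod

# Constructed sample data (assumed, not from the paper).
# vulnerability -> (attack success probability, severity), both in [0, 1]
VULNS = {"v1": (0.8, 0.9), "v2": (0.3, 0.5), "v3": (0.6, 0.4)}
# asset -> vulnerabilities present on it
ASSETS = {"web": ["v1"], "db": ["v2", "v3"], "gps": []}
# service -> (dependency mode, assets): "all" needs every asset, "any" needs one
SERVICES = {"order_entry": ("all", ["web", "db"]),
            "tracking": ("any", ["gps", "db"])}
# mission -> weight of each service it relies on (weights sum to 1)
MISSIONS = {"goods_delivery": {"order_entry": 0.6, "tracking": 0.4}}

def asset_capacity(asset, patched=frozenset()):
    """Remaining operational capacity of an asset (1.0 = unaffected).

    Assumed rule: each unpatched vulnerability independently removes
    probability * severity of the capacity that is left.
    """
    live = [VULNS[v] for v in ASSETS[asset] if v not in patched]
    return prod(1 - p * s for p, s in live)

def service_capacity(service, patched=frozenset()):
    """Propagate asset capacity to the service layer via dependencies."""
    mode, assets = SERVICES[service]
    caps = [asset_capacity(a, patched) for a in assets]
    # "all": the weakest asset is the bottleneck; "any": the best one suffices.
    return min(caps) if mode == "all" else max(caps)

def mission_impact(mission, patched=frozenset()):
    """Attack impact on a mission = 1 - weighted capacity of its services."""
    weights = MISSIONS[mission]
    return 1 - sum(w * service_capacity(s, patched) for s, w in weights.items())

def remediation_ranking(mission):
    """Rank vulnerabilities by how much fixing each one alone reduces impact."""
    base = mission_impact(mission)
    gains = [(v, base - mission_impact(mission, frozenset({v}))) for v in VULNS]
    return sorted(gains, key=lambda g: (-g[1], g[0]))

if __name__ == "__main__":
    print("mission impact:", round(mission_impact("goods_delivery"), 4))
    for vuln, gain in remediation_ranking("goods_delivery"):
        print(f"fix {vuln}: impact reduced by {gain:.4f}")
```

With this sample data only `v1` changes the mission score, because the `web` asset is the bottleneck of the "all" dependency and `tracking` has an unaffected alternative asset.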
