Exact Inference Techniques for the Dynamic Analysis of Attack Graphs

Attack graphs are a powerful tool for security risk assessment, analysing network vulnerabilities and the paths attackers can use to compromise valuable network resources. The uncertainty about the attacker's behaviour and capabilities makes Bayesian networks suitable for modelling attack graphs and performing static and dynamic analysis. Previous approaches have focused on the formalization of traditional attack graphs into a Bayesian model rather than proposing mechanisms for their analysis. In this paper we propose to use efficient algorithms to perform exact inference in Bayesian attack graphs, enabling static and dynamic network risk assessment. To support the validity of our proposed approach, we have performed an extensive experimental evaluation on synthetic Bayesian attack graphs with different topologies, showing the computational advantages, in terms of time and memory use, of the proposed techniques when compared to existing approaches.
