Exact Inference Techniques for the Analysis of Bayesian Attack Graphs

Attack graphs are a powerful tool for security risk assessment: they analyse network vulnerabilities and the paths attackers can use to compromise network resources. The uncertainty about the attacker's behaviour makes Bayesian networks suitable for modelling attack graphs and performing static and dynamic analysis. Previous approaches have focused on the formalization of attack graphs into a Bayesian model rather than proposing mechanisms for their analysis. In this paper we propose to use efficient algorithms to perform exact inference in Bayesian attack graphs, enabling static and dynamic network risk assessment. To support the validity of our approach we have performed an extensive experimental evaluation on synthetic Bayesian attack graphs with different topologies, showing the computational advantages, in terms of time and memory use, of the proposed techniques when compared to existing approaches.
