Probability Analysis of Cyber Attack Paths against Business and Commercial Enterprise Systems

The level of risk of attack from new cyber-crime related malware is difficult to quantify as standard risk analysis models often take an incomplete view of the overall system. In order to understand the full malware risk faced by organisations any model developed to support the analysis must be able to address a statistical combination of all feasible attack scenarios. Moreover, since all parametric aspects of a sophisticated cyber attack cannot be quantified, a degree of expert judgement needs to be applied. We develop a modeling approach that will facilitate risk assessment of common cyber attack scenarios together with likely probabilities of successful attack for each scenario. The paper demonstrates through use cases how a combined attack can be assessed.

[1]  Roger M. Cooke,et al.  Probabilistic Risk Analysis: Expert opinion , 2001 .

[2]  Zhu Jian-qi,et al.  Simulation on email worms propagation , 2011, 2011 International Conference on Mechatronic Science, Electric Engineering and Computer (MEC).

[3]  Karen A. Scarfone,et al.  A Complete Guide to the Common Vulnerability Scoring System Version 2.0 | NIST , 2007 .

[4]  Jiming Liu,et al.  Modeling and predicting the dynamics of mobile virus spread affected by human behavior , 2011, 2011 IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks.

[5]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[6]  U. Renker [Motivation for work]. , 1975, Zeitschrift fur die gesamte Hygiene und ihre Grenzgebiete.

[7]  Miles A. McQueen,et al.  Time-to-Compromise Model for Cyber Risk Reduction Estimation , 2006, Quality of Protection.

[8]  Jiming Liu,et al.  Modeling and Restraining Mobile Virus Propagation , 2013, IEEE Transactions on Mobile Computing.

[9]  Liz David-Barrett Avoiding corruption risks in the city: The Bribery Act 2010 , 2010 .

[10]  Donald F. Towsley,et al.  Email worm modeling and defense , 2004, Proceedings. 13th International Conference on Computer Communications and Networks (IEEE Cat. No.04EX969).

[11]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[12]  Kenton O'Hara,et al.  Social Impact , 2019, Encyclopedia of Food and Agricultural Ethics.

[13]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[14]  J. O. Irwin,et al.  MATHEMATICAL EPIDEMIOLOGY , 1958 .

[15]  James F Kilroy,et al.  The Threat Of Evolution , 2007 .

[16]  John Haigh,et al.  Probabilistic Risk Analysis: Foundations and Methods , 2003 .

[17]  Albert-László Barabási,et al.  Understanding the Spreading Patterns of Mobile Phone Viruses , 2009, Science.

[18]  C. Wilson Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress , 2008 .

[19]  Edoardo M. Airoldi,et al.  Technologies to Defeat Fraudulent Schemes Related to Email Requests , 2005, AAAI Spring Symposium: AI Technologies for Homeland Security.

[20]  Mathias Ekstedt,et al.  Success Rate of Remote Code Execution Attacks - Expert Assessments and Observations , 2012, J. Univers. Comput. Sci..

[21]  Stefan Saroiu,et al.  A preliminary investigation of worm infections in a bluetooth environment , 2006, WORM '06.

[22]  Chen Zengqiang,et al.  Dynamic epidemic model of smart phone virus propagated through Bluetooth and MMS , 2007 .

[23]  John A. Major Advanced Techniques for Modeling Terrorism Risk , 2002 .

[24]  Yves Younan,et al.  Efficient Countermeasures for Software Vulnerabilities due to Memory Management Errors (Efficiënte tegenmaatregelen voor softwarekwetsbaarheden veroorzaakt door geheugenbeheerfouten) , 2008 .

[25]  Wenke Lee,et al.  Modeling Botnet Propagation Using Time Zones , 2006, NDSS.

[26]  J. Hunt,et al.  Trust and Bribery: The Role of the Quid Pro Quo and the Link with Crime , 2004, SSRN Electronic Journal.