Selection of countermeasures against network attacks based on dynamical calculation of security metrics

This paper considers the problem of countermeasure selection for ongoing computer network attacks. We outline several challenges that must be overcome for an efficient response: the uncertainty of attacker behavior, the complexity of interconnections between the resources of modern distributed systems, the huge volume of security data, time limitations, and the balance between countermeasure costs and attack losses. Although many works focus on particular challenges, we believe there is still a need for an integrated solution that takes all of these issues into account. We suggest a model-driven approach to security assessment and countermeasure selection in computer networks that takes into account the characteristics of different objects of assessment. The approach is based on integration with security information and event management systems, so that the dynamics of attack development can be considered through security event processing. Open standards and databases are used to automate security data processing. The suggested countermeasure selection technique is based on a countermeasure model defined on the basis of open standards, a family of interrelated security metrics, and a security analysis technique based on attack graphs and service dependencies. We describe the prototype of the developed system and validate it on several case studies.
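The abstract describes the three ingredients the selection technique combines: an attack graph with per-step success probabilities, a service dependency model that turns host compromise into business loss, and a cost/loss comparison that picks a countermeasure, recomputed as SIEM events arrive. The following Python script is an added illustration of that combination, not code from the paper or its prototype. It assumes a simplified model of my own: OR-preconditions with independent steps, a per-host compromise probability derived from the attack nodes targeting it, expected loss as service value weighted by the probability that any host the service relies on is compromised, and single-countermeasure selection by the largest (loss reduction minus cost). All hosts, services, probabilities, costs and the countermeasure names are constructed sample values; an observed SIEM alert is modelled by marking an attack node as already reached.

```python
"""Toy countermeasure selection over an attack graph plus service dependencies.

Added illustration with constructed data; it is not the paper's metric family
or its prototype. Probabilities are independent and preconditions are OR-ed.
"""
from math import prod

# Attack graph: attack node -> (success probability, precondition nodes).
# A node with no preconditions is an entry point available to the attacker.
ATTACK_GRAPH = {
    "exploit_web": (0.8, []),               # constructed: RCE on the DMZ web host
    "pivot_app":   (0.6, ["exploit_web"]),  # constructed: lateral move to the app host
    "exploit_db":  (0.5, ["pivot_app"]),    # constructed: compromise of the DB host
}
# Which host each attack node compromises when it succeeds.
HOST_OF = {"exploit_web": "web", "pivot_app": "app", "exploit_db": "db"}

# Service dependencies: service -> (loss if the service is down, hosts it relies on).
SERVICES = {
    "site": (30.0, ["web"]),
    "shop": (100.0, ["app", "db"]),
}

# Countermeasures: name -> (cost, {attack node: success probability after applying it}).
# Names and effects are hypothetical.
COUNTERMEASURES = {
    "patch_web":        (15.0, {"exploit_web": 0.05}),
    "block_web_to_app": (12.0, {"pivot_app": 0.1}),
    "segment_app_db":   (8.0,  {"exploit_db": 0.1}),
}


def reach_probabilities(graph, observed=frozenset()):
    """P(attacker reaches each node). Nodes in `observed` were reported by the
    SIEM as already exploited and therefore count as reached with probability 1."""
    memo = {}

    def reach(node):
        if node in memo:
            return memo[node]
        if node in observed:
            memo[node] = 1.0
            return 1.0
        p, pre = graph[node]
        if pre:
            # OR-precondition: at least one predecessor must be reached.
            reached_pre = 1.0 - prod(1.0 - reach(q) for q in pre)
        else:
            reached_pre = 1.0
        memo[node] = p * reached_pre
        return memo[node]

    for n in graph:
        reach(n)
    return memo


def expected_loss(graph, services, host_of, observed=frozenset()):
    """Expected business loss: each service's value times the probability that
    at least one host it depends on is compromised."""
    reach = reach_probabilities(graph, observed)
    host_p = {}
    for node, p in reach.items():
        h = host_of[node]
        host_p[h] = 1.0 - (1.0 - host_p.get(h, 0.0)) * (1.0 - p)
    total = 0.0
    for value, hosts in services.values():
        p_down = 1.0 - prod(1.0 - host_p.get(h, 0.0) for h in hosts)
        total += value * p_down
    return total


def apply_countermeasure(graph, changes):
    """Return a copy of the graph with the affected success probabilities replaced."""
    return {n: (changes.get(n, p), pre) for n, (p, pre) in graph.items()}


def rank_countermeasures(graph, services, host_of, countermeasures, observed=frozenset()):
    """Rank countermeasures by net benefit = loss reduction - cost (best first)."""
    baseline = expected_loss(graph, services, host_of, observed)
    ranked = []
    for name, (cost, changes) in countermeasures.items():
        residual = expected_loss(apply_countermeasure(graph, changes),
                                 services, host_of, observed)
        ranked.append((name, round(baseline - residual - cost, 4)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


def select_countermeasure(graph, services, host_of, countermeasures, observed=frozenset()):
    """Pick the top-ranked countermeasure, or None if none pays for itself."""
    name, benefit = rank_countermeasures(graph, services, host_of,
                                         countermeasures, observed)[0]
    return name if benefit > 0 else None


if __name__ == "__main__":
    # Static assessment, then re-assessment after a SIEM alert on the web host.
    for observed in (frozenset(), frozenset({"exploit_web"})):
        print("observed:", sorted(observed) or "none",
              "loss:", round(expected_loss(ATTACK_GRAPH, SERVICES, HOST_OF, observed), 2),
              "ranking:", rank_countermeasures(ATTACK_GRAPH, SERVICES, HOST_OF,
                                               COUNTERMEASURES, observed))
```

With no events the cheapest large reduction is patching the entry point, but once the SIEM reports the web host as already exploited that patch no longer reduces loss and the ranking shifts to blocking the pivot, which is the dynamic recomputation the abstract argues for.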
