Abstract
We propose a novel approach for statistical risk modeling of network attacks that lets an operator perform risk analysis using a data model and an impact model on top of an attack graph in combination with a statistical model of the attacker community exploitation skill. The data model describes how data flows between nodes in the network – how it is copied and processed by softwares and hosts – while the impact model models how exploitation of vulnerabilities affects the data flows with respect to the confidentiality, integrity and availability of the data. In addition, by assigning a loss value to a compromised data set, we can estimate the cost of a successful attack. The statistical model lets us incorporate real-time monitor data from a honeypot in the risk calculation. The exploitation skill distribution is inferred by first classifying each vulnerability into a required exploitation skill-level category, then mapping each skill-level into a distribution over the required exploitation skill, and last applying Bayesian inference over the attack data. The final security risk is thereafter computed by marginalizing over the exploitation skill.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Nessus: The network vulnerability scanner (April 2009), http://www.nessus.org
Lippman, R., Ingols, K.: An annotated review of past papers on attack graphs. Project Report PR-IA-1, MIT Lincoln laboratory (March 2005)
Dacier, M., Deswarte, Y., Kaaniche, M.: Quantitative assessment of operational security: Models and tools (1996)
Ortalo, R., Deswarte, Y.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25, 633–650 (1999)
Jha, S., Sheyner, O., Wing, J.M.: Minimization and reliability analyses of attack graphs. Technical Report CMU-CS-02-109, School of Computer Science, Carnegie Mellon University (2002)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: IEEE Symposium on Security and Privacy, pp. 273–284 (2002)
Mehta, V., Bartzis, C., Zhu, H., Clarke, E., Wing, J.: Ranking attack graphs. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 127–144. Springer, Heidelberg (2006)
Gehani, A., Kedem, G.: RheoStat: Real-time risk management. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 296–314. Springer, Heidelberg (2004)
Årnes, A., Valeur, F., Vigna, G., Kemmerer, R.A.: Using hidden markov models to evaluate the risks of intrusions - system architecture and model validation. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 145–164. Springer, Heidelberg (2006)
Haslum, K., Abraham, A., Knapskog, S.: Dips: A framework for distributed intrusion prediction and prevention using hidden markov models and online fuzzy risk assessment. In: Third International Symposium on Information Assurance and Security. IEEE Computer Society Press, Los Alamitos (2007)
Haslum, K., Abraham, A., Knapskog, S.J.: Hinfra: Hierarchical neuro-fuzzy learning for online risk assessment. In: Asia International Conference on Modelling and Simulation, pp. 631–636 (2008)
Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. Technical Report NIST SP 800-30, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (2002)
Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: Computer Security Applications Conference, pp. 121–130 (2006)
Gelman, A., Carlin, J.B., Stern, H.S., Rubin, D.B.: Bayesian Data Analysis, 2nd edn. Chapman & Hall/CRC, Boca Raton (July 2003)
CVSS: Common vulnerability scoring system (April 2009), http://www.first.org/cvss/
Olsson, T.: Impact estimation using data flows over attack graphs. In: Proceedings of the 14th Nordic Conference on Secure IT Systems, NordSec (2009)
NVD: National vulnerability database (April 2009), http://nvd.nist.gov/
Abramowitz, M., Stegun, I.A. (eds.): Handbook of Mathematical Functions with Formulas, Graphs, and Mathematical Tables. Dover, New York (1972)
McGrew, R., Vaughn, R.B.: Experiences with honeypot systems: Development, deployment, and analysis. In: Proceedings of the 39th Hawaii International Conference on System Sciences (2006)
Alata, E., Nicomette, V., Kaâniche, M., Dacier, M., Herrb, M.: Lessons learned from the deployment of a high-interaction honeypot. In: EDCC 2006, 6th European Dependable Computing Conference (October 2006)
Marzot, G.S.: Netstat: A probabilistic network connectivity analysis tool. Technical Report A838262, MITRE CORP BEDFORD MA (1993)
Filar, J.A., Vrieze, K.: Competitive Markov Decision Processes. Springer, Heidelberg (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Olsson, T. (2009). Assessing Security Risk to a Network Using a Statistical Model of Attacker Community Competence. In: Qing, S., Mitchell, C.J., Wang, G. (eds) Information and Communications Security. ICICS 2009. Lecture Notes in Computer Science, vol 5927. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-11145-7_24
Download citation
DOI: https://doi.org/10.1007/978-3-642-11145-7_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-11144-0
Online ISBN: 978-3-642-11145-7
eBook Packages: Computer ScienceComputer Science (R0)