Abstract
We propose a solution that provides a system operator with a valuation of the security risk introduced by the various components of a communication and information system. This risk signature of the system enables the operator to make an informed decision about which network elements shall be used to provide a service requested by the user while minimising the security risk related to service execution. In the considered scenario, transmitted data can be intercepted, modified or dropped by an attacker. Each network component and path can potentially be used to compromise information, since an adversary is able to utilise various vulnerabilities of network elements in order to perform an attack. The impact and probability of such successful attacks can be assessed by analysing the severity of the vulnerabilities and the difficulty of exploiting them, including the required equipment and knowledge. In consequence, each possible service work-flow can be assigned a security risk signature.
© 2013 IFIP International Federation for Information Processing
Cite this paper
Szpyrka, M., Jasiul, B., Wrona, K., Dziedzic, F. (2013). Telecommunications Networks Risk Assessment with Bayesian Networks. In: Saeed, K., Chaki, R., Cortesi, A., Wierzchoń, S. (eds) Computer Information Systems and Industrial Management. CISIM 2013. Lecture Notes in Computer Science, vol 8104. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40925-7_26
DOI: https://doi.org/10.1007/978-3-642-40925-7_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40924-0
Online ISBN: 978-3-642-40925-7
eBook Packages: Computer Science (R0)