Dynamic Security Risk Management Using Bayesian Attack Graphs
January/February 2012 (vol. 9 no. 1)
pp. 61-74
Nayot Poolsappasit, Missouri University of Science and Technology, Rolla
Rinku Dewri, University of Denver, Denver
Indrajit Ray, Colorado State University, Fort Collins
Security risk assessment and mitigation are two vital processes that must be carried out to maintain a productive IT infrastructure. On one hand, models such as attack graphs and attack trees have been proposed to capture the cause-consequence relationships between network states; on the other hand, different decision problems have been explored to identify minimum-cost hardening measures. However, these risk models do not help reason about the causal dependencies between network states, and the optimization formulations ignore resource availability when analyzing a risk model. In this paper, we propose a risk management framework based on Bayesian networks that enables a system administrator to quantify the chances of network compromise at various levels. We show how to use this information to develop a security mitigation and management plan. In contrast to other similar models, this risk model lends itself to dynamic analysis during the deployed phase of the network. A multiobjective optimization platform provides the administrator with all the trade-off information required to make decisions in a resource-constrained environment.
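
The abstract names three capabilities: static quantification of compromise probabilities on an attack graph with AND/OR node decompositions, dynamic re-assessment once evidence of an intrusion is observed during deployment, and a cost-versus-risk trade-off over candidate hardening plans. The following Python is an added example written for this page, not the authors' code. The six-node graph, the exploit probabilities, the four countermeasures and their costs are all constructed; the local conditional tables follow the usual Bayesian attack graph convention (an OR node is compromised unless every compromised parent's exploit fails, an AND node needs every parent compromised and every exploit to succeed). Inference is by exhaustive enumeration of the joint distribution, and the trade-off front is found by brute force over all 16 plans, whereas the paper uses a genetic algorithm (NSGA-II) for that step.

```python
"""Toy Bayesian attack graph: exact inference by enumeration and a brute-force
cost/risk Pareto front over hardening measures.

Constructed example, not the paper's code. Graph, probabilities, costs and
countermeasures are assumptions chosen to keep the joint small (2^6 states).
"""
from itertools import product
from math import prod

# Leaf nodes: attacker's initial footholds with their prior probability of success.
LEAF_PRIOR = {"web_rce": 0.8, "vpn_creds": 0.3}

# Internal nodes: (decomposition, {parent: probability that this edge's exploit succeeds}).
# OR: any one compromised parent suffices; AND: every parent is required.
NODES = {
    "lan_access": ("OR",  {"web_rce": 0.9, "vpn_creds": 1.0}),
    "db_exploit": ("OR",  {"lan_access": 0.6}),
    "priv_esc":   ("AND", {"lan_access": 0.7, "db_exploit": 0.8}),
    "data_theft": ("OR",  {"priv_esc": 0.9}),
}
ORDER = list(LEAF_PRIOR) + list(NODES)   # topological order: parents precede children

# Hardening measures (constructed): cost and the probability they overwrite.
MEASURES = {
    "patch_web_server": (3, ("prior", "web_rce", 0.1)),
    "vpn_mfa":          (2, ("prior", "vpn_creds", 0.05)),
    "patch_db_server":  (4, ("edge", ("lan_access", "db_exploit"), 0.1)),
    "segment_dmz":      (5, ("edge", ("web_rce", "lan_access"), 0.2)),
}


def local_prob(node, value, state, priors, nodes):
    """Pr(node = value | parent values in `state`), i.e. one entry of the local CPT."""
    if node in priors:
        p = priors[node]
    else:
        decomp, edges = nodes[node]
        on = [par for par in edges if state[par]]          # compromised parents
        if decomp == "OR":
            p = 0.0 if not on else 1.0 - prod(1.0 - edges[par] for par in on)
        else:
            p = prod(edges.values()) if len(on) == len(edges) else 0.0
    return p if value else 1.0 - p


def posterior(target, evidence=None, priors=LEAF_PRIOR, nodes=NODES):
    """Pr(target = 1 | evidence) by enumerating the full joint (fine for small graphs).
    `evidence` maps observed nodes to 0/1, e.g. {"db_exploit": 1} after an IDS alert;
    passing evidence turns the static assessment into the deployed-phase update."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product((0, 1), repeat=len(ORDER)):
        state = dict(zip(ORDER, values))
        if any(state[n] != v for n, v in evidence.items()):
            continue
        joint = prod(local_prob(n, state[n], state, priors, nodes) for n in ORDER)
        den += joint
        if state[target]:
            num += joint
    return num / den if den else float("nan")   # nan: evidence has zero probability


def apply_measures(chosen):
    """Copy the model and overwrite the prior or edge each chosen measure targets."""
    priors = dict(LEAF_PRIOR)
    nodes = {n: (d, dict(e)) for n, (d, e) in NODES.items()}
    for name in chosen:
        _, (kind, where, value) = MEASURES[name]
        if kind == "prior":
            priors[where] = value
        else:
            parent, child = where
            nodes[child][1][parent] = value
    return priors, nodes


def pareto_front(target="data_theft"):
    """Evaluate every subset of measures as (cost, residual risk, plan) and keep the
    non-dominated ones, sorted by cost. Exhaustive search stands in for the paper's
    NSGA-II; with four measures there are only 16 plans to score."""
    names = list(MEASURES)
    points = []
    for mask in product((0, 1), repeat=len(names)):
        chosen = tuple(n for n, bit in zip(names, mask) if bit)
        cost = sum(MEASURES[n][0] for n in chosen)
        priors, nodes = apply_measures(chosen)
        points.append((cost, posterior(target, priors=priors, nodes=nodes), chosen))
    front = [p for p in points
             if not any(q[0] <= p[0] and q[1] <= p[1] and (q[0] < p[0] or q[1] < p[1])
                        for q in points)]
    return sorted(front)


if __name__ == "__main__":
    print(f"P(data_theft)              = {posterior('data_theft'):.4f}")
    print(f"P(data_theft | db_exploit) = {posterior('data_theft', {'db_exploit': 1}):.4f}")
    for cost, risk, chosen in pareto_front():
        print(f"cost {cost:2d}  risk {risk:.4f}  {chosen}")
```

On this constructed graph the baseline probability of data theft is about 0.24, and it jumps to about 0.50 once `db_exploit` is observed, because that evidence implies `lan_access` and leaves only the AND node and the final exploit uncertain. The front shows the kind of trade-off the abstract refers to: the isolated DMZ segmentation measure is dominated by the cheaper database patch at every budget and only appears in the most expensive plan, which is the information an administrator needs when the budget does not cover every countermeasure.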

[1] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, Graph-Based Network Vulnerability Analysis," Proc. Ninth Conf. Computer and Comm. Security, pp. 217-224, 2002.
[2] S. Jha, O. Sheyner, and J.M. Wing, "Two Formal Analyses of Attack Graphs," Proc. 15th IEEE Computer Security Foundations Workshop, pp. 49-63, 2002.
[3] C. Phillips and L.P. Swiler, "A Graph-Based System for Network-Vulnerability Analysis," Proc. New Security Paradigms Workshop, pp. 71-79, 1998.
[4] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J.M. Wing, "Automated Generation and Analysis of Attack Graphs," Proc. IEEE Symp. Security and Privacy, pp. 273-284, 2002.
[5] L.P. Swiler, C. Phillips, D. Ellis, and S. Chakerian, "Computer Attack Graph Generation Tool," Proc. Second Defense Advanced Research Projects Agency (DARPA) Information Survivability Conf. and Exposition, pp. 307-321, 2001.
[6] J. Dawkins, C. Campbell, and J. Hale, "Modeling Network Attacks: Extending the Attack Tree Paradigm," Proc. Workshop Statistical Machine Learning Techniques in Computer Intrusion Detection, 2002.
[7] A.P. Moore, R.J. Ellison, and R.C. Linger, "Attack Modeling for Information Survivability," Technical Note CMU/SEI-2001-TN-001, Carnegie Mellon Univ. / Software Eng. Inst., Mar. 2001.
[8] I. Ray and N. Poolsappasit, "Using Attack Trees to Identify Malicious Attacks from Authorized Insiders," Proc. 10th European Symp. Research in Computer Security (ESORICS '05), pp. 231-246, 2005.
[9] B. Schneier, "Attack Trees," Dr. Dobb's J., Dec. 1999.
[10] R. Dantu, K. Loper, and P. Kolan, "Risk Management Using Behavior Based Attack Graphs," Proc. Int'l Conf. Information Technology: Coding and Computing, pp. 445-449, 2004.
[11] Y. Liu and H. Man, "Network Vulnerability Assessment Using Bayesian Networks," Proc. SPIE, vol. 5812, pp. 61-71, 2005.
[12] S. Noel, S. Jajodia, B. O'Berry, and M. Jacobs, "Efficient Minimum-Cost Network Hardening via Exploit Dependency Graphs," Proc. 19th Ann. Computer Security Applications Conf., pp. 86-95, 2003.
[13] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, "Optimal Security Hardening Using Multi-Objective Optimization on Attack Tree Models of Networks," Proc. 14th ACM Conf. Computer and Comm. Security, pp. 204-213, 2007.
[14] M. Schiffman, "Common Vulnerability Scoring System (CVSS)," 2011.
[15] W. Lee, "Toward Cost-Sensitive Modeling for Intrusion Detection and Response," J. Computer Security, vol. 10, no. 1, pp. 5-22, 2002.
[16] G. Stoneburner, A. Goguen, and A. Feringa, "Risk Management Guide for Information Technology Systems," Nat'l Inst. of Standards and Technology (NIST) Special Publication 800-30, 2002.
[17] B. Berger, "Data-Centric Quantitative Computer Security Risk Assessment," SANS Inst. of InfoSec Reading Room, 2003.
[18] A. Arora, D. Hall, C.A. Pinto, D. Ramsey, and R. Telang, "Measuring the Risk-Based Value of IT Security Solutions," IT Professional, vol. 6, no. 6, pp. 35-42, 2004.
[19] S.A. Butler, "Security Attribute Evaluation Method: A Cost-Benefit Approach," Proc. 24th Int'l Conf. Software Eng., pp. 232-240, 2002.
[20] S.A. Butler and P. Fischbeck, "Multi-Attribute Risk Assessment," Proc. Symp. Requirements Eng. for Information Security (SREIS '02), in conjunction with the 10th IEEE Int'l Requirements Eng. Conf., 2002.
[21] D.E. Goldberg, Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Longman Publishing Co., Inc., 1989.
[22] K. Deb, A. Pratap, S. Agarwal, and T. Meyarivan, "A Fast Elitist Multi-Objective Genetic Algorithm: NSGA-II," IEEE Trans. Evolutionary Computation, vol. 6, no. 2, pp. 182-197, Apr. 2002.
[23] L. Wang, S. Noel, and S. Jajodia, "Minimum-Cost Network Hardening Using Attack Graphs," Computer Comm., vol. 29, no. 18, pp. 3812-3824, Nov. 2006.
[24] X. Ou, S. Govindavajhala, and A.W. Appel, "MulVAL: A Logic-Based Network Security Analyzer," Proc. 14th USENIX Security Symp., pp. 113-128, 2005.
[25] D. Saha, "Extending Logical Attack Graph for Efficient Vulnerability Analysis," Proc. 15th ACM Conf. Computer and Comm. Security, pp. 63-73, 2008.
[26] L. Wang, A. Singhal, and S. Jajodia, "Measuring the Overall Security of Network Configurations Using Attack Graphs," Proc. 21st Ann. IFIP WG 11.3 Working Conf. Data and Applications Security, pp. 98-112, 2007.
[27] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An Attack Graph-Based Probabilistic Security Metric," Proc. 22nd Ann. IFIP WG 11.3 Working Conf. Data and Applications Security, pp. 283-296, 2008.
[28] J. Homer and X. Ou, "SAT-Solving Approaches to Context-Aware Enterprise Network Security Management," IEEE J. Selected Areas in Comm., vol. 27, no. 3, pp. 315-322, Apr. 2009.
[29] S. Noel and S. Jajodia, "Optimal IDS Sensor Placement and Alert Prioritizing Using Attack Graphs," J. Network and Systems Management, vol. 16, no. 3, pp. 259-275, Sept. 2008.
[30] L. Wang, A. Liu, and S. Jajodia, "Using Attack Graph for Correlating, Hypothesizing, and Predicting Intrusion Alerts," Computer Comm., vol. 29, no. 15, pp. 2917-2933, Nov. 2006.
[31] M. Frigault and L. Wang, "Measuring Network Security Using Bayesian Network-Based Attack Graphs," Proc. 32nd Ann. IEEE Int'l Computer Software and Applications Conf., pp. 698-703, 2008.
[32] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, "Measuring Network Security Using Dynamic Bayesian Network," Proc. Fourth ACM Workshop Quality of Protection, 2008.
[33] P. Xie, J.H. Li, X. Ou, P. Liu, and R. Levy, "Using Bayesian Networks for Cyber Security Analysis," Proc. 40th IEEE/IFIP Int'l Conf. Dependable Systems and Networks, 2010.
[34] R. Dantu, P. Kolan, R. Akl, and K. Loper, "Classification of Attributes and Behavior in Risk Management Using Bayesian Networks," Proc. IEEE Intelligence and Security Informatics Conf., pp. 71-74, 2007.
[35] R. Dantu, P. Kolan, and J. Cangussu, "Network Risk Management Using Attacker Profiling," Security and Comm. Networks, vol. 2, pp. 83-96, 2009.
[36] E.J. Santos and S.E. Shimony, "Exploiting Case-Based Independence for Approximating Marginal Probabilities," Int'l J. Approximate Reasoning, vol. 14, no. 1, pp. 25-54, Jan. 1996.
[37] E. Alba and M. Tomassini, "Parallelism and Evolutionary Algorithms," IEEE Trans. Evolutionary Computation, vol. 6, no. 5, pp. 443-462, Oct. 2002.

Index Terms:
Security risk assessment, mitigation analysis, Bayesian belief networks, attack graph.
Nayot Poolsappasit, Rinku Dewri, Indrajit Ray, "Dynamic Security Risk Management Using Bayesian Attack Graphs," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 61-74, Jan.-Feb. 2012, doi:10.1109/TDSC.2011.34