14-05-2013, 01:32 PM
Dynamic Security Risk Management Using Bayesian Attack Graphs
Dynamic Security.pdf (Size: 2.07 MB / Downloads: 83)
Abstract
Security risk assessment and mitigation are two vital processes that need to be executed to maintain a productive IT
infrastructure. On one hand, models such as attack graphs and attack trees have been proposed to assess the cause-consequence
relationships between various network states, while on the other hand, different decision problems have been explored to identify the
minimum-cost hardening measures. However, these risk models do not help reason about the causal dependencies between network
states. Further, the optimization formulations ignore the issue of resource availability while analyzing a risk model. In this paper, we
propose a risk management framework using Bayesian networks that enable a system administrator to quantify the chances of
network compromise at various levels. We show how to use this information to develop a security mitigation and management plan. In
contrast to other similar models, this risk model lends itself to dynamic analysis during the deployed phase of the network. A
multiobjective optimization platform provides the administrator with all trade-off information required to make decisions in a resource
constrained environment.
INTRODUCTION
TRADITIONAL information security planning and management
begins with risk assessment that determines threats
to critical resources and the corresponding loss expectancy. A
number of researchers have proposed risk assessment
methods by building security models of network systems,
using paradigms like attack graphs [1], [2], [3], [4], [5] and
attack trees [6], [7], [8], [9], and then finding attack paths in
these models to determine scenarios that could lead to
damage. However, a majority of these models fail to consider
the attacker’s capabilities and, consequently, the likelihood of
a particular attack being executed. Without these considerations,
threats and their impact can be easily misjudged.
To alleviate such drawbacks, Dantu et al. [10] propose a
probabilistic model to assess network risks. They model
network vulnerabilities using attack graphs and apply
Bayesian logic to perform risk analysis. Liu and Man [11]
use Bayesian networks to model potential attack paths in a
system, and develop algorithms to compute an optimal
subset of attack paths based on background knowledge of
attackers and attack mechanisms.
A TEST NETWORK
Fig. 1 depicts the test network used in this study. The
network consists of eight hosts located within two subnets.
A DMZ tri-homed firewall is installed with preset policies to
ensure that the web server, Mail server, and the DNS server,
located in the DMZ network, are separated from the local
network. The firewall has a strong set of policies (shown in
the inset table) to prevent remote access to the internal hosts.
In particular, all machines in the DMZ zone passively
receive service requests and only respond to the sender as
needed. However, in order to accommodate web service’s
transactions, the web server is allowed to send SQL queries
to the SQL server located in the trusted zone on a designated
channel. Local machines are located behind a NAT firewall
so that all communications to external parties are delivered
through the Gateway server. In addition, all local desktops,
including the administrator machine, have remote desktop
enabled to facilitate remote operations for company employees
working from remote sites. The remote connections are
monitored by SSHD installed in the Gateway server.
SECURITY RISK ASSESSMENT WITH BAG
Security risk management consists of threat analysis, risk
assessment, loss expectancy, potential safeguards, and risk
mitigation analysis. Using a BAG, the administrator performs
risk assessment and risk mitigation as follows:
1. Static Risk Assessment: Risk assessment begins with the
identification of system characteristics, potential
threat sources, and attacker capabilities. Threat
sources are represented as the external nodes in a
BAG, along with their impact on other network
attributes. One set of attributes act as preconditions
to an exploit, which when successfully executed by an
attacker, can make the network state favorable for
subsequent exploits. Estimating the amount of risk at
each node therefore requires some judgment on
attacker capabilities. Often this judgment is indirectly
stated as the system administrator’s subjective belief
on the likelihood of a threat source becoming active
and the difficulty of an exploit. The former is
represented by the probabilities $\Pr(S_i)$ for all
$S_i \in N_{\text{external}}$, also called the prior probabilities, and is
subjectively assigned by the administrator. The latter
is incorporated into an internal node’s LCPD. Thereafter,
given the prior probability values and the
LCPDs, we can compute the unconditional probability
$\Pr(S_j)$ for any node $S_j \in N_{\text{internal}} \cup N_{\text{terminal}}$. These
risk estimates can be used to help locate weak spots in
the system design and operations.
Probability of Vulnerability Exploitation
In order to compute the local conditional probability
distribution of an attribute, the administrator needs to
estimate the probability that an attacker succeeds in
exploiting a known vulnerability. We use the
metrics defined in NIST’s Common Vulnerability Scoring
System [14] to estimate the attack likelihood.
A CVSS score is a decimal number on a scale of 0 to 10. It is
composed of three groups—base, temporal, and environmental.
The base metrics quantify the intrinsic characteristics of a
vulnerability with two subscores—1) the exploitability subscore,
composed of the access vector ($B_{AV}$), access complexity
($B_{AC}$), and authentication instances ($B_{AU}$), and 2) the
impact subscore, expressing the potential damage on confidentiality
($B_C$), integrity ($B_I$), and availability ($B_A$). The
temporal metrics quantify dynamic aspects of a vulnerability
on the environment around the organization. These metrics
take into account the availability of exploitable tools and
techniques ($T_E$), remediation level ($T_{RL}$), and report
confidence ($T_{RC}$). The environmental metrics quantify
two aspects of impact that are dependent on the environment
surrounding the organization. More details on CVSS metrics
and their scoring computation can be found in the CVSS
guide [14]. In this study, we are interested in likelihood
estimation and hence the impact subscore and environmental
metrics are ignored in the analysis.
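As an added illustration (Python written for this post, not code from the paper), the block below turns the exploitability metrics named above ($B_{AV}$, $B_{AC}$, $B_{AU}$) into a likelihood estimate, scales it by the temporal multipliers ($T_E$, $T_{RL}$, $T_{RC}$), and ranks a constructed vulnerability list by that likelihood. The metric weights and the subscore formula 20 * AV * AC * AU are the published CVSS v2 values; dividing the subscore by 10 to get a probability in [0, 1], multiplying by the temporal factor, and the VULN-* entries are this example's own assumptions, not the paper's exact scheme.

```python
# CVSS v2 weights for the exploitability metrics (access vector, access complexity,
# authentication) and the temporal metrics, as published in the CVSS v2 guide
# (the guide the paper cites as [14]).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}          # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}       # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}         # Multiple, Single, None
TEMPORAL_EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:POC/RL:OF/RC:C]' into a metric dict."""
    return dict(part.split(":") for part in vector.split("/"))


def exploitability_subscore(m):
    """CVSS v2 exploitability subscore = 20 * AV * AC * AU, on the 0..10 scale."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def temporal_factor(m):
    """Product of the temporal multipliers; metrics missing from the vector count as ND (1.0)."""
    return (TEMPORAL_EXPLOITABILITY[m.get("E", "ND")]
            * REMEDIATION_LEVEL[m.get("RL", "ND")]
            * REPORT_CONFIDENCE[m.get("RC", "ND")])


def exploit_probability(vector):
    """Attack-likelihood estimate in [0, 1] for one vulnerability.
    Assumption of this example: exploitability subscore / 10, scaled by the temporal
    factor. Impact and environmental metrics are ignored, as the paper does."""
    m = parse_vector(vector)
    return round(exploitability_subscore(m) / 10 * temporal_factor(m), 4)


# Constructed vulnerability list (placeholder ids, not real CVE entries).
VULNS = {
    "VULN-A remote service, no auth":      "AV:N/AC:L/Au:N/C:P/I:P/A:P",
    "VULN-B remote, needs one login":      "AV:N/AC:M/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C",
    "VULN-C local, hard, multiple logins": "AV:L/AC:H/Au:M/C:C/I:C/A:C",
}


def rank_by_likelihood(vulns):
    """Highest exploit likelihood first; these values feed the LCPDs of the BAG."""
    return sorted(((exploit_probability(v), name) for name, v in vulns.items()), reverse=True)


if __name__ == "__main__":
    for prob, name in rank_by_likelihood(VULNS):
        print(f"{prob:.4f}  {name}")
```

Note that VULN-B has a public proof-of-concept but an official fix available, so its temporal factor (0.9 * 0.87) pulls the likelihood below its base exploitability; that is the kind of "dynamic aspect" the temporal group captures.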
Posterior Probability with Attack Evidence
The BAG is next used to address dynamic aspects of the
security planning process. Every network state has a certain
probability of occurrence. This probability can change
during the lifetime of the system due to emerging security
conditions, changes in contributing factors, or the occurrence
of attack incidents. The BAG can then be used to
calculate the posterior probabilities in order to evaluate the
risk from such emerging conditions.
SECURITY RISK MITIGATION WITH BAG
Although many researchers have studied risk assessment
schemes, including the NIST, the methodologies used to
estimate loss varies from organization to organization. Loss
can be measured in terms of monetary units, relative
magnitudes [15], [16], [17], [18] or multiunits [13], [19], [20].
In a BAG, the security manager can choose to evaluate the
risks by considering an expected loss/gain quantity. The
expected loss/gain is computed from organization specific
factors such as potential loss or gain associated with an
attribute’s states. It usually reflects the impact of attack
likelihoods on the economic turnout of an organization. We
will describe this scheme later in the section. We begin with
the notion of a security control in the context of the BAG.
Assessing the Security Mitigation Plan
In order to defend against the attacks possible, a security
manager can choose to implement a variety of safeguard
technologies, each of which comes with different cost and
coverage. For example, to defend against the “ftp/.rhost”
exploit, one might choose to apply a security patch,
firewall, or simply disable the FTP service. Each choice of
action has a different cost and different outcome. A security
administrator has to assess the technologies and make a
decision toward maximum resource utilization. The two
objectives we consider in this study are the total security
control cost and the expected loss/gain. The single-objective
problem is the most likely approach to be taken
by a decision maker.
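The following Python is an added, self-contained example written for this post (not the paper's code, and not its Fig. 1 network) that ties together the three steps described above: static risk assessment from priors and LCPDs, posterior probabilities once an attack incident is observed, and the cost versus expected-loss trade-off over a set of security controls. The graph, edge probabilities, loss values and controls are constructed assumptions; the AND/OR-gate form of the LCPDs is one common interpretation assumed here, and exact enumeration over joint states is used because the toy graph is small.

```python
import math
from itertools import product

# Constructed toy BAG for illustration: node names, probabilities, losses and
# controls are assumptions of this example, NOT the paper's Fig. 1 network.
PRIORS = {"ext": 0.8}                                   # Pr(S_i) for the external threat source
LOSS = {"web": 300.0, "sql": 1000.0, "admin": 2000.0}   # assumed loss when the attribute is reached

# Internal/terminal nodes: gate type and exploit-success probability on each parent edge.
NODES = {
    "web":   {"gate": "OR",  "parents": {"ext": 0.6}},
    "sql":   {"gate": "AND", "parents": {"web": 0.7}},
    "admin": {"gate": "OR",  "parents": {"web": 0.3, "sql": 0.5}},
}
# Assumed security controls: cost plus the residual edge probability after deployment.
CONTROLS = {
    "patch_web":    {"cost": 50,  "edges": {("ext", "web"): 0.2}},
    "restrict_sql": {"cost": 80,  "edges": {("web", "sql"): 0.0}},
    "harden_rdp":   {"cost": 120, "edges": {("web", "admin"): 0.05, ("sql", "admin"): 0.1}},
}


def lcpd(node, state, nodes):
    """Pr(S_node = 1 | parent states): the node's local conditional probability.
    AND gate: every parent must hold, success = product of the edge probabilities.
    OR gate: any holding parent suffices, success = 1 - prod(1 - p) over those parents."""
    spec = nodes[node]
    active = [p for par, p in spec["parents"].items() if state[par]]
    if spec["gate"] == "AND":
        return math.prod(active) if len(active) == len(spec["parents"]) else 0.0
    return 1.0 - math.prod(1.0 - p for p in active)


def joint_probability(state, priors, nodes):
    """Pr(one full assignment) = product of priors and LCPDs (Bayesian network factorisation)."""
    pr = 1.0
    for n, prior in priors.items():
        pr *= prior if state[n] else 1.0 - prior
    for n in nodes:
        p1 = lcpd(n, state, nodes)
        pr *= p1 if state[n] else 1.0 - p1
    return pr


def marginals(priors, nodes, evidence=None):
    """Pr(S_j = 1 | evidence) for every node by exact enumeration of joint states.
    evidence={} gives the static (unconditional) risk; observed incidents such as
    {"sql": 1} give the posterior used for dynamic re-assessment."""
    evidence = evidence or {}
    names = list(priors) + list(nodes)
    total, hit = 0.0, {n: 0.0 for n in names}
    for bits in product((0, 1), repeat=len(names)):
        state = dict(zip(names, bits))
        if any(state[k] != v for k, v in evidence.items()):
            continue                                  # contradicts the observed incidents
        w = joint_probability(state, priors, nodes)
        total += w
        for n in names:
            if state[n]:
                hit[n] += w
    return {n: hit[n] / total for n in names}


def apply_controls(nodes, chosen, controls):
    """Copy of the BAG with the chosen controls' residual edge probabilities applied."""
    new = {n: {"gate": s["gate"], "parents": dict(s["parents"])} for n, s in nodes.items()}
    for c in chosen:
        for (src, dst), p in controls[c]["edges"].items():
            new[dst]["parents"][src] = p
    return new


def expected_loss(priors, nodes, loss):
    """Sum over attributes of Pr(S_j = 1) * loss_j."""
    return sum(marginals(priors, nodes)[n] * loss[n] for n in loss)


def mitigation_options(priors, nodes, loss, controls):
    """(total cost, expected loss, control set) for every subset of the controls."""
    names, opts = list(controls), []
    for bits in product((0, 1), repeat=len(names)):
        chosen = frozenset(n for n, b in zip(names, bits) if b)
        cost = sum(controls[c]["cost"] for c in chosen)
        opts.append((cost, expected_loss(priors, apply_controls(nodes, chosen, controls), loss), chosen))
    return opts


def pareto_front(options):
    """Trade-off set: options no other option beats on both cost and loss, sorted by cost."""
    front = [o for o in options
             if not any(p[0] <= o[0] and p[1] <= o[1] and (p[0] < o[0] or p[1] < o[1])
                        for p in options)]
    return sorted(front, key=lambda o: o[0])


def single_objective_best(options):
    """Single-objective form: minimise cost + expected loss."""
    return min(options, key=lambda o: o[0] + o[1])


if __name__ == "__main__":
    print("static risk:", marginals(PRIORS, NODES))
    print("posterior | SQL server compromised:", marginals(PRIORS, NODES, {"sql": 1}))
    for cost, loss, ctrls in pareto_front(mitigation_options(PRIORS, NODES, LOSS, CONTROLS)):
        print(f"cost={cost:4}  expected_loss={loss:8.2f}  controls={sorted(ctrls)}")
```

With these constructed numbers the administrator machine is reached with probability 0.2616 before any incident, but 0.65 once the SQL server is observed compromised; that jump is what the posterior computation exposes. The Pareto front keeps four of the eight control subsets, and the single-objective sum picks patching the web server plus restricting the SQL channel, which is cheaper than the full set but leaves more residual loss; enumeration is exponential in the number of controls, so the paper's multiobjective optimizer is what makes the same trade-off tractable at realistic sizes.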
RELATED WORKS
Attack graphs have been studied in several areas of
security risk management. Wang et al. [26], [27] propose
an attack graph-based probabilistic metric model to
quantify the overall security of a network system. In this
paper, an attack graph is used to represent the causal
relationship between vulnerabilities encoded in the attack
graph. Similar to the Bayesian attack graph model, a node
in the attack graph is assigned an intrinsic score
representing the likelihood of vulnerability exploitation,
but the final probability of success at that node is computed
by conjunctive probability or disjunctive probability. The
authors focus their efforts on solving the problem of cycles
in attack graphs. Although cycles can occur in our Bayesian
attack graph model, we argue that such cycles can be
disregarded. As a result, we are able to focus on other
applications of attack graph analysis in addition to those
proposed by Wang et al. [27].
CONCLUSION
In this paper, we address the system administrators’
dilemma, namely, how to assess the risk in a network system
and select security hardening measures from a given set of
controls so as to maximize resource utilization. One
important contribution of our solution methodology is the
use of a BAG model of the network to drive the decision
process. We have provided formal definitions for network
characteristics, attacks, and security measures under this
model. We also show that by using a BAG, we are able to
better understand the causal relationships between preconditions,
vulnerability exploitations, and postconditions. This
is facilitated by computing the likelihoods of different
outcomes possible as a result of the cause-consequence
relationships. We have demonstrated how the BAG can be
used to revise these likelihoods in the event of attack
incidents.