Abstract

Network attack graphs were originally used to evaluate the worst security state a network can reach when it is under attack. Combined with intrusion evidence such as IDS alerts, attack graphs can further be used to perform posterior inference of the security state (i.e. inference based on observations). Bayesian networks are an ideal mathematical tool for this, but they cannot be applied directly, for three reasons: 1) a network attack graph may contain directed cycles, which are never permitted in a Bayesian network; 2) there may be temporal partial ordering relations among the intrusion evidence that cannot easily be modeled in a Bayesian network; and 3) a single Bayesian network cannot be used to infer both the current and the future security state of a network. In this work, we improve an approximate Bayesian posterior inference algorithm, the likelihood-weighting algorithm, to remove these obstacles. We give the complete pseudocode of the algorithm and use several examples to demonstrate its benefit. Based on this, we further propose a network security assessment and enhancement method, with a small network scenario to exemplify its usage.

Highlights

  • Bayesian networks are an ideal mathematical tool, but they cannot be applied directly, for three reasons: 1) a network attack graph may contain directed cycles, which are never permitted in a Bayesian network; 2) there may be temporal partial ordering relations among the intrusion evidence that cannot be modeled in a Bayesian network; and 3) a single Bayesian network cannot be used to infer both the current and the future security state of a network

  • Network attack graphs [1,2,3,4,5] are widely used to analyze the security state of a network while jointly considering exploits, vulnerabilities, privileges, network connectivity, etc

  • Security alerts generated by intrusion detection systems (IDSs), as well as reports generated by system monitoring tools, can be integrated into Bayesian networks as evidence


Summary

Introduction

Network attack graphs [1,2,3,4,5] are widely used to analyze the security state of a network while jointly considering exploits, vulnerabilities, privileges, network connectivity, and so on. When performing attack graph-based posterior inference, two questions are most often raised: 1) what is the current state of the network, and 2) what will its future state be? This means that one set of observed intrusion evidence must be used to infer two temporally different states. In Bayesian inference, this demands two prior conditional probability distributions: one for current state inference and one for future state inference. We think it is feasible to define the latter (for example, we can say an exploit will happen with probability 0.8 if the attacker is given enough time), but it is really a disaster to define the former (how should we assess the exploit probability when the attacker has had only two hours?).
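As an added, runnable illustration of the inference task described in the abstract and in this introduction (this is example code written for this page, not the paper's own code and not its improved algorithm), the following Python script runs textbook likelihood weighting over a small constructed attack-graph Bayesian network: three hypothetical exploit nodes with noisy-OR conditionals, two hypothetical IDS alert nodes with true-positive and false-positive rates, and an exact enumeration as a reference answer. All host names, exploit probabilities and alert rates are made up for the example. The prior on the entry exploit follows the "given enough time" reading of the text, so the query answers a future-state question. The graph is acyclic and the alerts carry no temporal ordering, so this is the baseline the paper starts from, not the cycle or ordering handling it adds.

```python
"""Likelihood-weighting posterior inference over a small attack-graph
Bayesian network (constructed example, not the paper's algorithm)."""
import random
from itertools import product

# Constructed attack-graph network (hypothetical hosts, exploits and alerts).
# Exploit nodes use a noisy-OR: each achieved parent exploit independently
# enables this one with its weight; "leak" is the probability the exploit
# succeeds without any parent (the attacker's entry point).
# Sensor nodes model IDS alerts with a true-positive and a false-positive rate.
# The list is in topological order, which likelihood weighting relies on.
NODES = [
    ("E1_web_rce",   [],                            "noisy_or", {"leak": 0.6, "weights": {}}),
    ("E2_web_root",  ["E1_web_rce"],                "noisy_or", {"leak": 0.0, "weights": {"E1_web_rce": 0.7}}),
    ("E3_db_access", ["E1_web_rce", "E2_web_root"], "noisy_or", {"leak": 0.0, "weights": {"E1_web_rce": 0.4, "E2_web_root": 0.8}}),
    ("A1_ids_web",   ["E1_web_rce"],                "sensor",   {"tpr": 0.9, "fpr": 0.1}),
    ("A3_ids_db",    ["E3_db_access"],              "sensor",   {"tpr": 0.8, "fpr": 0.05}),
]


def prob_true(name, parents, kind, params, x):
    """P(node = True | the values of its parents in assignment x)."""
    if kind == "noisy_or":
        p_fail = 1.0 - params["leak"]
        for parent in parents:
            if x[parent]:
                p_fail *= 1.0 - params["weights"][parent]
        return 1.0 - p_fail
    if kind == "sensor":
        return params["tpr"] if x[parents[0]] else params["fpr"]
    raise ValueError(kind)


def likelihood_weighting(evidence, query, n_samples=20000, seed=1):
    """Approximate P(q = True | evidence) for each q in query.

    Evidence nodes are clamped to their observed value and the sample is
    weighted by the likelihood of that value; hidden nodes are sampled from
    their conditional distribution given the already sampled parents."""
    rng = random.Random(seed)
    weighted = dict.fromkeys(query, 0.0)
    total = 0.0
    for _ in range(n_samples):
        x, w = {}, 1.0
        for name, parents, kind, params in NODES:
            p = prob_true(name, parents, kind, params, x)
            if name in evidence:
                x[name] = evidence[name]
                w *= p if evidence[name] else 1.0 - p
            else:
                x[name] = rng.random() < p
        total += w
        for q in query:
            if x[q]:
                weighted[q] += w
    return {q: weighted[q] / total for q in query}


def exact_posterior(evidence, query):
    """Reference answer by enumerating every assignment of the hidden nodes
    (fine for a toy graph; exponential in the number of hidden nodes)."""
    hidden = [n[0] for n in NODES if n[0] not in evidence]
    weighted = dict.fromkeys(query, 0.0)
    total = 0.0
    for values in product([False, True], repeat=len(hidden)):
        x = dict(evidence)
        x.update(zip(hidden, values))
        joint = 1.0
        for name, parents, kind, params in NODES:
            p = prob_true(name, parents, kind, params, x)
            joint *= p if x[name] else 1.0 - p
        total += joint
        for q in query:
            if x[q]:
                weighted[q] += joint
    return {q: weighted[q] / total for q in query}


if __name__ == "__main__":
    # Constructed observation: the web IDS fired, the database IDS did not.
    observed = {"A1_ids_web": True, "A3_ids_db": False}
    targets = ["E1_web_rce", "E2_web_root", "E3_db_access"]
    print("exact      :", exact_posterior(observed, targets))
    print("lik.-weight:", likelihood_weighting(observed, targets))
```

The sampler only works because every parent is sampled before its child; that is exactly what a directed cycle in an attack graph breaks, which is the first obstacle the abstract names. The second obstacle shows up in the evidence dictionary: it records that both alerts were observed, but not which came first, so an alert sequence that is impossible under the attack order contributes the same weight as a plausible one.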

Directed Cycles
Evidence Partial Ordering Relations
Posterior Inference for Multi-State
The Underlying Model
The Posterior Inference Algorithm
Node Belief Computation Examples
Comparison with HCPN-Based Inference
Algorithm Performance Evaluation
Security Assessment
C I A
Security Enhancement
Basic Posterior Inference
Conclusions
References
