Bayesian attack graphs for platform virtualized infrastructures in clouds

Abstract

Virtualization security is an important aspect to be carefully addressed while provisioning cloud services. In this paper, we propose a novel model using Bayesian Attack Graphs (BAG) to perform security risk assessment for platform virtualized infrastructures that are used for building cloud services. BAGs are powerful mechanisms that can be used to model the uncertainties inherent in security attacks. We build upon the reference conditional probability tables for the BAG nodes using the reported attacks on virtualized systems from the Common Vulnerabilities and Exposures (CVE) database. We employ Bayesian probabilistic inference techniques on the model presented and showcase the results obtained that can be used by system architects for the risk assessment of such infrastructures. In addition to the probabilistic model, we also present a deterministic approach with security metrics for attack graphs and derive the values for the modeled BAG, which can be used for assessing and comparing with other architectures. The approach described here to draw inferences from the BAG can be employed by system architects to find explanations to critical queries in security design and also to carefully select the countermeasures to be installed. The model can also be used to learn from future a-posteriori evidence data from actual security breaches to provide an efficient risk assessment.