Network Security Risk Assessment Using Bayesian Belief Networks
Suleyman KONDAKCI Izmir University of Economics, Faculty of Engineering & Computer Sciences,
35330 Balcova–Izmir, Turkey Email: [email protected]
Abstract—This paper presents a causal assessment model based on Bayesian Belief Networks to analyze and quantify information security risks caused by various threat sources.
The proposed model can be applied to a variety of information security evaluation tasks, risk assessment, software development projects, IT products, and other decision making systems.
This unique concept can also be used for the determination of joint risk propagation and interdependence structures within computer networks, information systems, and other engineering tasks in general. In this manner, we can facilitate the determination of probabilistic outputs caused by some precalculated input probabilities or by marginal/joint probabilities found so far within the chain of an interdependence structure.
Keywords-information security; threat modeling; risk modeling; quantitative risk assessment;
I. INTRODUCTION
The purpose of this paper is to introduce a causal risk assessment method (CRAM), based on Bayesian Belief Networks (BBN), for the identification and analysis of causal threats and the quantification of the risks associated with them. The CRAM model presented here should not be confused with the well-known risk analysis and management method CRAMM (www.cramm.com). Due to the rapid growth of the complexity of Internet interconnections and the increased uncertainty in the diversity of threat sources and their impacts, appropriate threat analyses and risk assessment models providing quantitative outputs are attracting many researchers and security product vendors.
CRAM uses BBNs to make probabilistic inferences for the estimation of causal risks. The reason for choosing BBNs as the base methodology is clear: BBNs offer consistent semantics for representing uncertainty and an intuitive graphical representation of the interactions between various causes and their effects. BBNs are useful when the information about the past and/or the current situation is vague, incomplete, conflicting, and uncertain [1], [2]. With the historical information stored in conditional probability tables, CRAM can be used to facilitate the automation of a decision-making process. In short, CRAM can be used to perform inductive reasoning (diagnosing a cause given an effect) and deductive reasoning (predicting an effect given a cause).
Although there exists numerous work covering risk and vulnerability analysis, we have so far failed to find practically sound approaches similar to the CRAM method. As also mentioned in [3], risk analyses are often focused on physical access to systems; however, today the scope of information security threats has been virtually widened throughout the Internet, and it is now more difficult to achieve accurate results aligned with these virtual threats. The CRAM model is unique, simple, and easily applicable to quantitative risk assessment problems and to modeling the risk propagation in computer networks. Based on our laboratory experiments dealing with various types of attacks, the application of Bayesian inference, compared to classical statistical methods, requires less data and computational power to forecast eventual impacts.
We define a security risk as the weighted combination of a system malfunction caused by a threat, an attempt to misuse/abuse information systems, and a threat exploiting some vulnerabilities that could cause harm to some assets. There are several risk analysis methodologies, both qualitative and quantitative, aimed at addressing the needs of a diverse range of environments, e.g., nuclear power plants, railway, energy transportation, medical, and ecological systems. Various research methods, analytical, statistical, and deterministic, have been used to analyze Internet attacks in support of decision analysis. An example of the decision analysis of statistically detecting distributed denial-of-service flooding attacks is presented in [4]. However, approaches applying BBNs to the analysis of information security risk propagation are hard to find.
The core of CRAM is built on a single-asset (atomic) model, which is further expanded to determine causal risks for multiple assets using the interdependence structure of the assets and the threats to them. This approach is more effective because assets can face many types of threats of varying complexity and uncertainty, which are more difficult to handle in larger sets. Hence, more accurate risk assessment results, and in turn balanced safety measures for dynamically growing heterogeneous environments, can be achieved by using the atomic components and the associated BBN to build a propagation tree of threats for the overall assessment process. As can be quickly seen, BBNs can effectively model such trees of threats that cause a risk propagation through the interdependence structure of the assets and interconnected systems.

IEEE International Conference on Social Computing / IEEE International Conference on Privacy, Security, Risk and Trust
Mostly, existing standards, e.g., NIST02 (http://csrc.nist.gov/publications/) [5] and ISO27002 (www.27000.org), do not specify a particular methodology for risk assessment; they specify only that the organization should use a systematic approach to risk assessment and encourage the use of external tools and techniques available for test and evaluation facilities. The causal method proposed here can be incorporated into existing test and evaluation systems for the quantitative assessment of IT security risks.
Known security tools such as intrusion detection systems and vulnerability scanners are often used to track events in dynamic environments to assess risks. However, risk assessment from a broader perspective is more than network security scanning; it is a proactive measure against the occurrence of future security incidents, which can lead to unexpectedly high losses. Vulnerability scanning is an operational risk assessment process, which is effective only in discovering current design deficiencies and operational malfunctions. To complement it, the causal risk assessment method (CRAM) can be used to effectively track sources of potential losses in IT environments in order to implement more precise and balanced security mechanisms against dynamically evolving threat patterns.
A. Outline of the Paper
In the following, Section II presents a brief review of related work, and Section III introduces BBN inference and presents the modeling of risk propagation during a security planning process. Section IV introduces the CRAM model starting with the per-asset (atomic) threat model, extends the atomic model to contain multiple assets, and applies the model to a real life example. Section V concludes the paper.
II. RELATED WORK
Indeed, information security threat modeling combined with quantitative risk assessment techniques similar to the concept presented here is hard to encounter. As also mentioned in [6], existing methods are typically experimental, e.g., [7], and highly dependent on the assessor's experience, while the security metrics and assessment approaches are usually qualitative in nature. Some work (e.g., [8]) focuses on vulnerability analysis based on specific software development systems. The qualitative risk analysis and management tool CRAMM was created in 1987 by the Central Computing and Telecommunications Agency (CCTA) of the United Kingdom. A CRAMM-based approach is presented in [9], which describes a method for risk analysis based on subjective logic to calculate the likelihood of an asset incident; in line with CRAM (presented here) and nearly all risk analysis methods, it asserts that risk depends on asset values, threats, and vulnerabilities.
Primarily, for any risk management approach, it is fundamental to identify the assets and all forms of information (electronic and non-electronic) that require protection. An approach to lifecycle information security risk assessment is presented in [10], which can provide useful guidance prior to starting a risk assessment process. At present, there is little formal guidance on how to combine what can be learned from the data using Bayesian inference; however, there is a growing interest in how to apply Bayesian Networks (BNs) using both data and some evidence information.
Related to this, a methodology focusing on parameterizing and evaluating a BN that deals with a risk assessment case study for ecological assets is presented in [11].
A composite concept for the generation of attack data and an associated risk assessment approach using a homogeneity algorithm for the fast evaluation of large networks is presented in [12]. Instead of testing each asset separately by applying repetitive attacks and assessments over and over, the composite concept generates and executes attacks once for a set of assets with similar characteristics, composes risk data, and uses the risk data for the assessment of the remaining group of assets as well as the entire network.
Together with the growing activities of standards organizations, there are several other initiatives that consider risk assessment methodologies and tools in depth, some of which are discussed in [13]–[16]. An object-oriented toolset, called NetGraph, for risk assessment applications is presented in [13]. A full network security assessment of working networks is considered in [14], which proposes a method for the assessment of network elements without touching the network itself. We agree with [15], which states that both qualitative and quantitative methodologies to assess security are still missing. This is possibly due to the lack of knowledge about the major threat categories that must be parameterized for each asset. Another detailed approach for modeling and analyzing information system vulnerabilities is presented in [16]. The approach, called Vulnerability Take Grant, is a graph-based model consisting of subjects/objects as nodes and rights/relations as edges to represent the protection states of the nodes.
III. MODELING THE RISK PROPAGATION
First, by defining a BBN model, we present the basics of Bayesian Belief Networks for modeling and inferring the propagation of threat impacts in order to compute the risk for a single asset and multi–assets. The model can then be rendered both analytically and numerically by using a BBN toolset, e.g., Netica (www.norsys.com).
The key probabilistic inference undertaken in a BBN application is always associated with a dependence graph and a conditional probability table (CPT) for each node in the dependence graph. The dependence graph is usually constructed as a directed acyclic graph (DAG) that defines the behavior of a system in terms of a series of local conditional probabilities, where an associated BBN provides the correct global framework to propagate the local conditional information and related uncertainties. Indeed, BBNs provide a link between probability theory and a graphical structure, where the graphical structure represents an associated probabilistic structure composed of a joint probability distribution. Let us consider the DAG shown in Fig. 1 with its dependencies explicitly modeled. The joint probability distribution P(a, b, c, d, e) of the DAG can be easily verified to be

$$P(a,b,c,d,e) = P(a \mid b)\,P(b \mid c,d)\,P(d \mid e)\,P(c)\,P(e).$$

Figure 1. Dependence graph representation of a BBN

Note that the notation P(x | y) expresses the conditional probability of x given the value of y, whereas P(x | y, z) expresses the conditional probability of x given the values of y and z. When two or more independent events happen at the same time, the special rule of the multiplication law is used to find the joint probability. Hence, considering the general case of a joint probability structure of a BBN with nodes a_1, a_2, ..., a_n such that each node a_i has some parents \hat{a}_j, j = 1, 2, ..., the joint probability distribution of the set is determined by

$$P(a_1,\ldots,a_n) = \prod_{i=1}^{n} P(a_i \mid \hat{a}_j),\quad j = 1, 2, \ldots \qquad (1)$$

That is, for each node in the DAG, the conditional probability is iteratively determined using the values of its parents. In general, each node may grow into several branches, making a tree of parent nodes. Then, the joint distribution of the nodes a to z, each with a finite number of parent nodes (denoted by m, n, ..., o), becomes
$$P(a,\ldots,z) = \prod_{i=1}^{m} P(a_i \mid \hat{a}_u)\;\prod_{j=1}^{n} P(b_j \mid \hat{b}_v)\;\cdots\;\prod_{k=1}^{o} P(z_k \mid \hat{z}_y).$$
Additionally, a CPT for each node in the tree should be defined and filled, either arbitrarily or using some historical data. As a simple example, prior to building the CPT for node b shown in Fig. 1, the CPTs of the nodes that b depends on (its parents c and d) should already be available. Here, for instance, the conditional distribution P(b | c, d) is needed before the marginal probability of a can be obtained from the CPT P(a | b).
As a simple example, let us assess two systems (A and B) in order to evaluate their strengths (availability) against the same type of denial of service (DoS) attack.
The assessment results will help us determine two things: (i) the current system strength under the specific DoS attack, and (ii) in a future assessment, new causal effects, using the results of the current attack on, say, system A together with some observation data (evidence) when something happens to system B, or vice versa. Hence, for a probabilistic inference, our BBN-based assessment process makes use of two main sets of variables, hypothesis variables and information (or evidence) variables. To clarify this, let us consider the BBN setup shown in Fig. 2 with two different systems, System A and System B, being affected by the same type of DoS attack. There can be other threats, but we focus on computing the separate probabilities that the two systems are affected, given the knowledge about the occurrence of a specific attack, while ignoring the others. It can be readily seen from Fig. 2 that the hypothesis variables of the BBN are associated with our belief in System A or System B being affected (failed). These beliefs are constrained to the two discrete states, true or false. The information variable on which the hypothesis variables, System A and System B, depend is the Attack variable. For this example, there is a 10% chance of an attack at any given time.
Figure 2. Probabilistic impacts of an attack on two different systems (CPT values used below: P(Attack = true) = 0.1; P(System A fails | Attack) = 0.8, P(System A fails | no attack) = 0.1; P(System B fails | Attack) = 0.6, P(System B fails | no attack) = 0.5)
Now, with the overall structure and variables explained above and the associated CPTs specified in Fig. 2, we can apply Bayesian theory to make the necessary inference for determining the states of System A and System B; true = down, false = up. Thereafter, we can observe the current output of the BBN and use it as new evidence to update the probabilities in order to determine the propagation patterns of new causal effects. For example, given the attack states {ℵ (Attack = true), ¬ℵ (Attack = false)}, we can calculate the marginal probability, P(A), that System A fails as

$$P(A) = P(A \mid \aleph)\,P(\aleph) + P(A \mid \neg\aleph)\,P(\neg\aleph) = (0.8 \times 0.1) + (0.1 \times 0.9) = 0.17.$$

Similarly, using the CPTs shown in Fig. 2, we compute the marginal probability, P(B), that System B has failed as (0.6 × 0.1) + (0.5 × 0.9) = 0.51.

After making some observations, we can revise the marginal probabilities in line with the differences observed in the state variables. That is, during the observations we gather evidence data and update the CPTs. The tables in our example already contain the revised conditional probabilities of System A failing under attack (0.8) and of System B failing under attack (0.6).
Suppose, however, that we do not know whether an attack occurred, but do observe that System A has failed. Then, by instantiating A = true, we can determine (i) the probability that an attack (ℵ) occurred, and (ii) the probability that System B will also fail. Hence, applying Bayes' theorem for a partition {ℵ_i} of the event space,

$$P(\aleph_i \mid A) = \frac{P(A \cap \aleph_i)}{P(A)} = \frac{P(A \mid \aleph_i)\,P(\aleph_i)}{\sum_j P(\aleph_j)\,P(A \mid \aleph_j)}, \qquad (2)$$

we can compute the conditional probability of ℵ given the evidence that "System A has failed":

$$P(\aleph \mid A) = \frac{P(A \mid \aleph)\,P(\aleph)}{P(A)} = \frac{0.8 \times 0.1}{0.17} = 0.47.$$

Note that, according to Bayes' rule, the probability P(A) in the denominator of Eq. (2) can be expressed as

$$P(A) = \sum_j P(A \cap \aleph_j) = \sum_j P(\aleph_j)\,P(A \mid \aleph_j).$$
Obviously, the observation of the evidence that "System A has failed" significantly increases the probability (from 0.1 to 0.47) that an attack occurred. Moreover, from this fact, we can use the revised CPTs to calculate the probability that System B has also failed. By the law of total probability [17], defined for a partition {A_i} as

$$P(B) = \sum_i P(B \cap A_i) = \sum_i P(A_i)\,P(B \mid A_i),$$

and expanding this to all combinations of A and B as

$$P(B) = P(A \cap B) + P(\neg A \cap B) = P(B \mid A)\,P(A) + P(B \mid \neg A)\,P(\neg A), \qquad (3)$$

we obtain, applying the same rule over the partition {ℵ, ¬ℵ} with the posterior P(ℵ | A) = 0.47 in place of the prior (System A and System B are conditionally independent given the Attack node, so P(B | ℵ, A) = P(B | ℵ)),

$$P(B \mid A) = P(B \mid \aleph)\,P(\aleph \mid A) + P(B \mid \neg\aleph)\,P(\neg\aleph \mid A) = (0.6 \times 0.47) + (0.5 \times 0.53) = 0.55.$$

Hence, the observation of the evidence "System A failed" raises the probability that System B has also failed from its prior value of 0.51 to 0.55. These observations and probability propagations also show the inference of beliefs for the various states of the BBN domain considered.
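The two-system inference above can be reproduced mechanically. The following Python block is an added example and is not part of the paper or of any BBN toolset: it encodes the Fig. 2 network with the CPT values quoted in the text and performs exact inference by enumerating the joint distribution of Eq. (1). The dictionary name ATTACK_NET and the function names are this example's own.

```python
"""Exact inference by enumeration for a small discrete Bayesian belief network.

Added example (not from the paper). It encodes the Attack -> System A, Attack -> System B
network of Fig. 2 with the CPT values quoted in the text and reproduces the
marginals and posteriors derived in Section III.
"""
from itertools import product

# Network: node -> (parents, cpt). cpt maps a tuple of parent values to P(node = True).
# All variables are boolean. The numbers are those stated in the text for Fig. 2.
ATTACK_NET = {
    "Attack": ((), {(): 0.10}),
    "A": (("Attack",), {(True,): 0.80, (False,): 0.10}),
    "B": (("Attack",), {(True,): 0.60, (False,): 0.50}),
}


def joint_probability(net, assignment):
    """P(assignment) = product over nodes of P(node | parents), as in Eq. (1)."""
    p = 1.0
    for node, (parents, cpt) in net.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def query(net, target, evidence=None):
    """P(target = True | evidence) by summing the joint over all hidden variables.

    Cost is exponential in the number of hidden variables (the 2^n remark of Section IV),
    which is why real toolsets use clustering; it is fine for a handful of nodes.
    """
    evidence = dict(evidence or {})
    hidden = [n for n in net if n not in evidence and n != target]
    weight = {True: 0.0, False: 0.0}
    for tval in (True, False):
        for vals in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, vals)))
            assignment[target] = tval
            weight[tval] += joint_probability(net, assignment)
    total = weight[True] + weight[False]
    if total == 0.0:
        raise ValueError("evidence has zero probability under the model")
    return weight[True] / total


def section_iii_example(net=ATTACK_NET):
    """The four quantities derived in Section III, rounded to three decimals."""
    return {
        "P(A)": round(query(net, "A"), 3),                           # prior marginal, 0.17
        "P(B)": round(query(net, "B"), 3),                           # prior marginal, 0.51
        "P(Attack|A)": round(query(net, "Attack", {"A": True}), 3),  # diagnostic, 0.471
        "P(B|A)": round(query(net, "B", {"A": True}), 3),            # propagated, 0.547
    }


if __name__ == "__main__":
    for name, value in section_iii_example().items():
        print(f"{name} = {value}")
```

The same query() answers both directions of reasoning discussed in the introduction: P(Attack | A = true) is the diagnostic (inductive) query and P(B | Attack = true) the predictive (deductive) one. Because the enumeration sums the full joint, its cost grows as 2^n in the number of binary nodes; that is the tractability limit the paper raises for larger models.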
A. Systems With Binary Outcomes
Many types of attacks on information systems result in a binary valued impact, either failure or success. We can model this type of attack and its impact as the probabilistic decision tree shown in Fig. 3.

Figure 3. Probabilities of a failure or success attack model (tree: input I_0 with probability 1 − p and I_1 with probability p; each input branches to outputs O_0 and O_1 with error probability ε, giving the leaf probabilities (1 − p)(1 − ε), (1 − p)ε, pε, and p(1 − ε))

A system with two states under a specific attack (e.g., DoS) can be modeled as a binary system. Suppose that the attack fails (false state = 0) with probability 1 − p and succeeds (true state = 1) with probability p, and let a random error ε denote the probability that the observed outcome misreports whether there was a success or a failure. Let I_i denote an attack input and O_i the observed output of this attack, where clearly (I_i, O_i) ∈ {0, 1}. More generally, let I_i be the event for input i and O_i the event for output i, for i = 0, 1. State i = 1 denotes an attack for the input I_i, and state i = 0 denotes no attack. Similarly, i = 1 denotes the success of an attack resulting in output O_i, and i = 0 denotes the failure of an attack resulting in output O_i. Hence, the result of an attack is determined by the probability P[I_i ∩ O_i], for i = 0, 1.
The probabilities denoting the success and failure states of an attack can be read off the tree diagram shown in Fig. 3 as

$$P[I_0 \cap O_0] = (1-p)(1-\varepsilon),\quad P[I_0 \cap O_1] = (1-p)\varepsilon,\quad P[I_1 \cap O_0] = p\varepsilon,\quad P[I_1 \cap O_1] = p(1-\varepsilon). \qquad (4)$$

The impact (output) can then be determined to be true (1) or false (0) depending on whether ε < 1/2 or ε > 1/2. In the tree diagram of Fig. 3, the probability of the input attack going either direction (1 − p or p) is taken to be equal, i.e., p = 1/2, and is further modified by ε. This can be justified as follows. Let I_i be the event denoting the attack (input) i (i = 0, 1); then I_0 and I_1 are the only elements of the input sample space. Likewise, let O_i be the event denoting the impact (output) i (i = 0, 1), where O_0 and O_1 are the only elements of the output sample space. Thus, by the sum of probabilities rule [18] applied to the right side of Fig. 3, the probability of O_1 (successful attack) becomes

$$P(O_1) = P(O_1 \mid I_0)\,P(I_0) + P(O_1 \mid I_1)\,P(I_1) = \varepsilon\cdot\tfrac{1}{2} + (1-\varepsilon)\cdot\tfrac{1}{2} = \tfrac{1}{2}. \qquad (5)$$
For the determination of the input–output causal effect, the posterior probabilities can be obtained by applying Bayes' rule, Eq. (2). Thus, given P(O_1), the input probabilities P(I_0) = P(I_1) = 1/2 and an empirical value of ε, we obtain

$$P(I_0 \mid O_1) = \frac{P(O_1 \mid I_0)\,P(I_0)}{P(O_1)} = \frac{\varepsilon/2}{1/2} = \varepsilon,\qquad P(I_1 \mid O_1) = \frac{P(O_1 \mid I_1)\,P(I_1)}{P(O_1)} = \frac{(1-\varepsilon)/2}{1/2} = 1-\varepsilon. \qquad (6)$$

Thus, if ε < 1/2, then an attack (input = 1) is the more likely explanation when a successful outcome (output = 1) is observed at the system. It is often conceivable that an arbitrarily large number of attacks will be launched until the victim system collapses, i.e., a denial of service (DoS) takes place. Suppose a DoS attack is repeated until a success is achieved, that this is tried n times, and let N_k be the number of trials in which the kth attack results in the first success (DoS). For large n the relative frequencies of a first success at the kth attack are

$$f(k) \approx \frac{N_k}{n} = \left(\tfrac{1}{2}\right)^k,\quad k = 1, 2, \ldots \qquad (7)$$

Since each attack succeeds or fails with probability 1/2, the probability (α_k) of k attacks until the first success is

$$\alpha_k = \left(\tfrac{1}{2}\right)^k.$$

The probabilities for the various numbers of attacks can be verified to add up to 1 using the geometric series with α = 1/2:

$$\sum_{k=1}^{\infty} \alpha^k = \frac{\alpha}{1-\alpha}\Big|_{\alpha = 1/2} = 1.$$
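Eq. (6) relies on the equal-prior assumption p = 1/2 made for Eq. (5). The following Python block is an added example, not from the paper: it keeps the paper's symbols p and ε, computes the posterior P(I_1 | O_1) for an arbitrary prior p (which reduces to 1 − ε at p = 1/2), and simulates repeated attacks to compare the relative frequencies of the first success with the geometric law of Eq. (7). The function names and the simulation parameters (number of runs, seed) are this example's own choices.

```python
"""Binary attack-outcome model of Section III-A, with the p = 1/2 assumption relaxed.

Added example (not from the paper). Functions:
  - outcome_table(p, eps): the four joint probabilities of Eq. (4);
  - posterior_attack(p, eps): P(I1 | O1) by Bayes' rule; equals 1 - eps when p = 1/2;
  - first_success_frequencies(...): simulated relative frequencies f(k) of "first success
    at the k-th attack", to be compared with alpha_k = (1/2)^k of Eq. (7).
"""
import random


def outcome_table(p, eps):
    """Eq. (4): joint probabilities P[I_i and O_j] for input i and output j in {0, 1}."""
    return {
        (0, 0): (1 - p) * (1 - eps),
        (0, 1): (1 - p) * eps,
        (1, 0): p * eps,
        (1, 1): p * (1 - eps),
    }


def posterior_attack(p, eps):
    """P(I1 | O1) = P(O1 | I1) P(I1) / P(O1). Eq. (6) is the special case p = 1/2."""
    t = outcome_table(p, eps)
    p_o1 = t[(0, 1)] + t[(1, 1)]  # Eq. (5) for a general prior: eps(1-p) + (1-eps)p
    return t[(1, 1)] / p_o1


def geometric_law(k, alpha=0.5):
    """alpha_k = alpha^k: probability that the first success occurs at attack k."""
    return alpha ** k


def first_success_frequencies(n_runs=20000, success_prob=0.5, max_k=6, seed=1):
    """Simulate n_runs campaigns of repeated attacks with a fixed per-attack success
    probability; return f(k) = N_k / n for k = 1..max_k (seeded, so reproducible)."""
    rng = random.Random(seed)
    counts = [0] * (max_k + 1)
    for _ in range(n_runs):
        k = 1
        while rng.random() >= success_prob:  # attack k failed, try again
            k += 1
        if k <= max_k:
            counts[k] += 1
    return {k: counts[k] / n_runs for k in range(1, max_k + 1)}


def max_abs_deviation(freqs, alpha=0.5):
    """Largest gap between the simulated f(k) and the geometric law alpha^k."""
    return max(abs(f - geometric_law(k, alpha)) for k, f in freqs.items())


if __name__ == "__main__":
    print("p = 0.5, eps = 0.1:", posterior_attack(0.5, 0.1))  # 0.9, i.e. 1 - eps
    print("p = 0.1, eps = 0.1:", posterior_attack(0.1, 0.1))  # 0.5, the prior matters
    print("max |f(k) - (1/2)^k|:", max_abs_deviation(first_success_frequencies()))
```

With p = 0.1 and ε = 0.1 the posterior drops to 0.5: when attacks are rare, an observed "success" is as likely to be an observation error as a real attack, so the 1 − ε figure of Eq. (6) should not be used when the attack prior is far from 1/2. The simulated deviation from (1/2)^k shrinks as the number of runs grows, as the relative-frequency argument of Eq. (7) assumes.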
B. Systems With Joint Impacts
An asset (or system) can be threatened by various threat types, and as a consequence the impact of the attacks is described as a compound likelihood combining several real-valued quantities.
The primary step is to construct a directed acyclic graph (DAG) containing all relations and dependence structures for the asset under consideration. Then we can easily transform the DAG into a BBN model in order to make the necessary inference. A general model of the single-asset threats, given as a simple DAG, is shown in Fig. 4, in which the asset is associated with a risk value (R_a) determined by the combination of an asset weight (w_a), a human-related parameter (α), a joint causal-internal parameter (β), an internal (δ) and an external (γ) threat parameter. The causal-internal threat is a compound quantity
Figure 4. The compound risk model of a single asset with joint–direct and indirect threats (nodes: human-related H_c, external E_c and E_d, operational O_c and O_d, direct internal I_d, causal-internal I_c = I_c1 ∪ I_c2 ∪ I_c3, asset weight w_a, and the resulting risk R_a)
(I_c = I_c1 ∪ I_c2 ∪ I_c3) produced by the joint effect of human-based (H), external (E), and operational (O) type threats. That is, each incident of a threat can pose a direct effect, an indirect (causal) effect, or both at the same time, e.g., the causal-operational (O_c) and direct-operational (O_d) effects of the human-related threat as modeled in Fig. 4. The quantified value of R_a can be mapped either to a scalar risk value or to a probability distribution, as appropriate.
The causal-internal threat I_c is composed of human and external threats, while the direct internal threat I_d is specific to the asset itself. External attacks are intentional and dedicated to causing serious exploits such as DoS, deliberate buffer overflows, and malicious code injection using SQL injection and cross-site scripting techniques.
1) Numerical Analysis: Suppose that, for the model shown in Fig. 4, we have run several experiments to gather the prior (input information) data defined as follows:

$$P(H) = 0.64,\ P(E) = 0.28,\ P(I) = 0.08,\ P(I_c \subseteq H) = 0.40,\ P(O \subseteq H) = 0.60,\ P(I_c \subseteq O) = 0.30,\ P(I_c \subseteq E) = 0.40. \qquad (8)$$

That is, 64% of the registered incidents are human-related (H), of which 60% are OD-threats (O ⊆ H) and 40% form the second proportion of the causal-internal threat (I_c2 = I_c ⊆ H). The internal threat (I) is 8% and the external threat (E) is 28%, of which 40% constitutes the third proportion of the causal-internal threat (I_c3 = I_c ⊆ E). The first proportion of the causal-internal threat is 30% of the OD-threats (I_c1 = I_c ⊆ O). Later, during a security assessment, we observed the following conditional probabilities:

$$P(H') = 0.76,\ P(E') = 0.30,\ P(I') = 0.10,\ P(I_c' \subseteq H') = 0.30,\ P(O' \subseteq H') = 0.70,\ P(I_c' \subseteq O') = 0.32,\ P(I_c' \subseteq E') = 0.48. \qquad (9)$$

That is, 76% of the observed incidents were found to be human-related (H'), of which 70% make up the OD-threats (O' ⊆ H') and 30% make up the second proportion of the measured causal-internal threat (I_c' ⊆ H'). The other internal threat (I') is 10% and the external threat (E') is 30%, of which 48% makes up the third proportion of the causal-internal threat (I_c' ⊆ E'). The first proportion of the causal-internal threat is measured as 32% of the OD-threats (I_c' ⊆ O').

Now, given the above data and relationships, what is the probability that a randomly selected threat group presents an increased incident rate? First, using the definitions given in (8), we compute the prior probabilities α, β, γ, and δ for the model given in Fig. 4:

$$P(O) = P(H)\,P(O \subseteq H) = 0.64 \times 0.60 = 0.384,$$
$$P(I_{c1}) = P(O)\,P(I_c \subseteq O) = 0.384 \times 0.30 = 0.115,$$
$$P(I_{c2}) = P(H)\,P(I_c \subseteq H) = 0.64 \times 0.40 = 0.256,$$
$$P(I_{c3}) = P(E)\,P(I_c \subseteq E) = 0.28 \times 0.40 = 0.112.$$

The joint probabilities are then computed as

$$\alpha = P(O) - P(I_{c1}) = 0.384 - 0.115 = 0.269,\qquad \beta = P(I_{c1}) + P(I_{c2}) + P(I_{c3}) = 0.483,$$
$$\gamma = P(E) - P(I_{c3}) = 0.28 - 0.112 = 0.168,\qquad \delta = P(I) = 0.080.$$
C. Finding the Dominating Threat Group
Applying the same procedure to the observations (9), we obtain the revised conditional probabilities α′ = 0.362, β′ = 0.542, γ′ = 0.156, and δ′ = 0.10. By the law of total probability,

$$P(b) = \sum_j P(b \mid a_j)\,P(a_j), \qquad (10)$$

we obtain the probability of increased incidents by computing the total probability for asset a as

$$P(a) = (\alpha \times \alpha') + (\beta \times \beta') + (\gamma \times \gamma') + (\delta \times \delta') = 0.393. \qquad (11)$$

The probability that any individual threat group is the one causing an incident can be calculated by applying Bayes' theorem, Eq. (2). Thus, adapting Eq. (2) to each threat group, we get the incident rate (probability) of each group as:

$$P(\alpha \mid a) = \frac{\alpha \times \alpha'}{P(a)} = \frac{0.269 \times 0.362}{0.393} = 0.248,\qquad P(\beta \mid a) = \frac{\beta \times \beta'}{P(a)} = \frac{0.483 \times 0.542}{0.393} = 0.666,$$
$$P(\gamma \mid a) = \frac{\gamma \times \gamma'}{P(a)} = \frac{0.168 \times 0.156}{0.393} = 0.067,\qquad P(\delta \mid a) = \frac{\delta \times \delta'}{P(a)} = \frac{0.08 \times 0.10}{0.393} = 0.020.$$

As a check, these posterior probabilities should sum to 1, i.e., P(α | a) + P(β | a) + P(γ | a) + P(δ | a) = 1 (here 1.001, the excess being rounding). The causal-internal group β, with P(β | a) = 0.666, is therefore the dominating threat group for this asset.
D. Finding the Per–asset Risk
Though they are mostly subjective values, for convenience we choose both risk values and asset values on a scale from 0 to 5 (5 being the maximum value).
Given the above values and an asset weight, the total risk for the asset under consideration can be easily computed using

$$R^{w}_{a} = w\,P(a);\qquad P(a) \in [0,1],\quad (R_a, w) \in [0,5]. \qquad (12)$$

Using Eq. (11), the per-asset risk probability P(a) is obtained as 0.393. For example, setting the asset value w = 4.0, the total per-asset risk is computed as

$$R^{4.0}_{a} = w\,P(a) = 4.0 \times 0.393 = 1.57.$$
Alternatively, considering risk levels instead of the probabilistic values given above, we can use Eq. (13)

$$R^{w} = \frac{w}{5N}\left[\sum_{i=1}^{N} s_i R_i\right];\qquad (R^{w}, R_i, w) \in [0,5],\quad s_i \in [0,1], \qquad (13)$$

to compute the per-asset risk. Since each asset can be threatened by several threats, each threat may lead to an individual risk for a given asset. Here, R_i indexes the individual risks for the asset. A subjectively defined constant s_i denotes the relative strength of the ith individual risk relative to the others, where Σ_i s_i = 1. This assumes that the individual risk values R_E, R_H, and R_I = R_δ have already been determined. For example, let R_E = 3.0, R_H = 4.0, R_I = R_δ = 0.8, and w = 4.0. To compute the total risk we first determine the values of R_O, R_α, R_β, and R_γ using the observed proportions of (9):

$$R_O = R_H \times 0.70 = 2.80,\quad R_{I_{c1}} = R_O \times 0.32 = 0.90,\quad R_{I_{c2}} = R_H \times 0.30 = 1.20,\quad R_{I_{c3}} = R_E \times 0.48 = 1.44,$$
$$R_\alpha = R_O - R_{I_{c1}} = 1.90,\quad R_\gamma = R_E - R_{I_{c3}} = 1.56,\quad R_\beta = R_{I_{c1}} + R_{I_{c2}} + R_{I_{c3}} = 3.54,$$

and hence the per-asset risk is obtained using Eq. (13) with s_i = 1 for every i (no relative weighting) and w = 4.0 as

$$R^{4.0} = \frac{4.0 \times (R_\alpha + R_\beta + R_\gamma + R_\delta)}{5 \times 4} = \frac{4.0 \times (1.90 + 3.54 + 1.56 + 0.8)}{20} = 1.56.$$

This is the total risk for a single asset consisting of multiple attributes (or sub-assets), where each attribute is assigned an individual risk value 0 ≤ R_i ≤ 5. The result (1.56) corresponds to a medium risk level, given that the valid risk ranges are defined as:

Low: {0.0 − 1.0}, Medium: {1.1 − 2.0}, Medium-to-high: {2.1 − 3.0}, High: {3.1 − 4.0}, and Severe: {4.1 − 5.0}.

Note that these ranges are subjectively chosen and could be redefined by using different range levels and score values for each range level.
In the case of M assets, each with N sub-assets, the overall risk is iteratively computed by

$$R = \frac{1}{M}\sum_{i=1}^{M} R^{w}_{i},\qquad R \in [0,5], \qquad (14)$$

where R^{w}_{i} is the per-asset risk of asset i computed by Eq. (13). Being an average of per-asset risks on the 0 to 5 scale, R lies on the same scale.
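The per-asset computations of Sections III-B1, III-C and III-D (threat-group weights from incident statistics, P(a) by Eq. (11), the group posteriors of Section III-C, and the two risk scores of Eqs. (12) and (13), averaged over assets by Eq. (14)) can be carried out as one procedure. The following Python block is an added example, not the paper's own software: the dictionary keys (H, E, I, O_in_H, Ic_in_H, Ic_in_O, Ic_in_E) and the function names are this example's naming of the quantities in (8) and (9), and its fixed inputs are the paper's numbers.

```python
"""Per-asset causal risk of Sections III-B1 to III-D as a reusable computation.

Added example (not from the paper). Input statistics use this example's own key names:
  H, E, I            proportion of incidents that are human-related, external, internal
  O_in_H             share of H that is operational (the OD-threats)
  Ic_in_H, Ic_in_O, Ic_in_E   shares that feed the causal-internal threat I_c
"""


def threat_groups(stats):
    """Split incident statistics into the four group weights (alpha, beta, gamma, delta),
    with the same arithmetic the paper applies to (8) and (9)."""
    p_o = stats["H"] * stats["O_in_H"]
    ic1 = p_o * stats["Ic_in_O"]
    ic2 = stats["H"] * stats["Ic_in_H"]
    ic3 = stats["E"] * stats["Ic_in_E"]
    return {
        "alpha": p_o - ic1,         # direct operational
        "beta": ic1 + ic2 + ic3,    # joint causal-internal
        "gamma": stats["E"] - ic3,  # direct external
        "delta": stats["I"],        # direct internal
    }


def incident_probability(prior, observed):
    """Eq. (11): P(a) = sum over groups of prior weight * observed weight."""
    return sum(prior[g] * observed[g] for g in prior)


def group_posteriors(prior, observed):
    """Eq. (2) adapted per group: P(g | a) = prior_g * observed_g / P(a); sums to 1."""
    p_a = incident_probability(prior, observed)
    return {g: prior[g] * observed[g] / p_a for g in prior}


def dominating_group(prior, observed):
    """Section III-C: the group with the largest posterior."""
    post = group_posteriors(prior, observed)
    return max(post, key=post.get)


def probabilistic_risk(p_a, w):
    """Eq. (12): R = w * P(a) with asset weight w in [0, 5]."""
    if not 0.0 <= w <= 5.0:
        raise ValueError("asset weight must lie in [0, 5]")
    return w * p_a


def level_risk(risks, w, s=None):
    """Eq. (13): R^w = w / (5N) * sum_i s_i R_i; s defaults to all ones, as in the paper."""
    n = len(risks)
    s = s or [1.0] * n
    return w / (5.0 * n) * sum(si * ri for si, ri in zip(s, risks))


def risk_level(r):
    """Subjective ranges of Section III-D; each range is closed at its upper bound."""
    for bound, name in ((1.0, "Low"), (2.0, "Medium"), (3.0, "Medium-to-high"), (4.0, "High")):
        if r <= bound:
            return name
    return "Severe"


def overall_risk(per_asset):
    """Eq. (14): mean of the per-asset risks over M assets."""
    return sum(per_asset) / len(per_asset)


# Prior statistics (8) and assessment observations (9), as given in the paper.
PRIOR_STATS = {"H": 0.64, "E": 0.28, "I": 0.08,
               "O_in_H": 0.60, "Ic_in_H": 0.40, "Ic_in_O": 0.30, "Ic_in_E": 0.40}
OBSERVED_STATS = {"H": 0.76, "E": 0.30, "I": 0.10,
                  "O_in_H": 0.70, "Ic_in_H": 0.30, "Ic_in_O": 0.32, "Ic_in_E": 0.48}


def paper_example():
    """Reproduces P(a) = 0.393, R = 1.57 (Eq. 12) and R = 1.56 (Eq. 13) for w = 4.0."""
    prior = threat_groups(PRIOR_STATS)
    observed = threat_groups(OBSERVED_STATS)
    p_a = incident_probability(prior, observed)
    # Level-based variant: R_E = 3.0, R_H = 4.0, R_I = 0.8, split by the observed shares.
    r_o = 4.0 * OBSERVED_STATS["O_in_H"]
    r_ic1 = r_o * OBSERVED_STATS["Ic_in_O"]
    r_ic2 = 4.0 * OBSERVED_STATS["Ic_in_H"]
    r_ic3 = 3.0 * OBSERVED_STATS["Ic_in_E"]
    levels = [r_o - r_ic1, r_ic1 + r_ic2 + r_ic3, 3.0 - r_ic3, 0.8]  # R_alpha, R_beta, R_gamma, R_delta
    r_level = level_risk(levels, 4.0)
    return {
        "P(a)": round(p_a, 3),
        "dominating": dominating_group(prior, observed),
        "R_prob": round(probabilistic_risk(p_a, 4.0), 2),
        "R_level": round(r_level, 2),
        "level": risk_level(r_level),
    }


if __name__ == "__main__":
    print(paper_example())
```

Keeping the group weights as a dictionary makes the consistency check of Section III-C (posteriors summing to 1) a one-liner, and level_risk() accepts an explicit s vector so the "s_i = 1 for all i" shortcut of the worked example is visible rather than implicit.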
1) Using a BBN Tool for Inference: The risk parameters α, β, γ, and δ from Fig. 4 can also be incorporated into the BBN model shown in Fig. 5; using the Netica toolset, the joint probability of threats towards a single asset can be effectively computed. Given the CPTs of the prior distributions shown in Fig. 5, we obtain a joint risk value of 1.57. That is, with a risk probability of 39.3% and an asset value of w = 4.0, the risk-impact figure becomes as high as 1.57. It should be noted that the same result was also obtained earlier by the numerical analysis, see Section III-B1. Applying the same rule, we obtain 0.393 as the risk level for an asset weighted 1, and 1.97 for an asset weighted 5. That is, in addition to the asset weight, the risk level is mainly affected by the joint probabilities of the potential threats.
Figure 5. BBN description of the joint risk for the single asset model shown in Fig. 4 (node beliefs in the Netica screen, True/False in %: P(H) 64.0/36.0; P(E) 28.0/72.0; P(O) 38.4/61.6; alpha = P(D via O) 80.3/19.7; beta = P(Ic) 24.0/76.0; gamma = P(F via E) 11.2/88.8; delta = P(I) 10.0/90.0; AssetRisk 39.3/60.7)
IV. RISK PROPAGATION VIA MULTIPLE ASSETS
Here, we consider the computation of the risk for a set of assets (or a network of several nodes) modeled as in Fig. 6.
In short, we focus on the causal relations existing among all components in a given network architecture. The relations among the parts of a complex system, relations among the systems and an asset (or multiple assets) are considered here.
So far, we have dealt with small BBNs that were computationally feasible. However, for modeling domains with more than just a few variables and states, the number of probabilities can become intractably large, as every possible state combination over every variable must be represented. For example, a model containing only 10 binary variables would require 2^10 individual probabilities. The number of individual probabilities increases dramatically with the number of states. There exist several computer-based tools applying BBN algorithms to simplify the calculations. In the following examples we use the Netica tool both for modeling the BBNs and for making inferences.

Figure 6. The graph of risk propagation through multiple assets or network nodes (two networks, with nodes p_a,1 to p_a,5 and p_b,1 to p_b,6)

Although the dependence graph shown in Fig. 6 represents two simple networks, each consisting of multiple nodes/assets, to compute beliefs for such networks exactly, the network must be converted to an equivalent singly connected one. There are a few ways to perform this task [19]; the most common are variations of a technique known as clustering, in which nodes are combined until the resulting graph is singly connected.
Questions regarding proper asset protection, obstacles to the protection system, errors arising during the protection, and causal relations between the components can be answered by modeling a joint structure to expose the details. Thus, interdependence analysis of the components can give an idea about the overall security picture. The BBN model representation of the interdependence structure shown in Fig. 6 is given in Fig. 7. The inference is based on the method presented earlier in Section III-D1. The overall probabilistic impact of the sample network is about as high as 51.6%.

Figure 7. Risk inference using the Bayesian Belief Network (node beliefs Low/High in %: p<1,a> 73.0/27.0; p<2,a> 70.6/29.4; p<3,a> 78.6/21.4; p<4,a> 67.2/32.8; p<5,a> 64.5/35.5; p<1,b> 69.3/30.7; p<2,b> 68.8/31.2; p<3,b> 92.1/7.89; p<4,b> 39.7/60.3; p<5,b> 39.2/60.8; p<6,b> 74.9/25.1; R 48.4/51.6)
A. A Real-life Example
Once fully parameterized, a BBN enables us to make inferences about any domain with a causal dependence structure. For example, we can describe, using a BBN, the inference of the virus infection and recovery model presented in [20]. The infection process in this example is mainly driven by the virus source, defined as connectivity, which depicts the contact intensity of the victim node with other infectious networks; see Fig. 8. Here, the hypothetical network can be infected via three intermediate sources, (i) e-mail messages, (ii) peer-to-peer (P2P) file shares, and (iii) instant messengers, each with the probability shown in Fig. 8. It is assumed that the victim nodes are protected with a 57.9% chance of reliability. With this protection level, 46.3% of the nodes become susceptible to infection, and 86% of the susceptible nodes may be infected. It was observed that 58.5% of the infected nodes are quarantined for recovery, whereas only 57.3% of the quarantined hosts recovered. Since we have 1.25% unrecoverable (transmitter) nodes, we end up with 70.6% healthy hosts following the quarantine and recovery processes.
Figure 8. BBN detailing the infection and recovery inferences on a victim node with a high contact rate to infectious networks
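As an added illustration (not code from this paper, from [20], or from Netica), the following Python block encodes a hypothetical version of the Fig. 8 chain with constructed CPTs and runs both deductive (cause to effect) and inductive (effect to cause) inference by exhaustive enumeration; the node names and every CPT entry other than the 57.9%, 86%, 58.5% and 57.3% figures quoted above are assumptions.

```python
from itertools import product

# Constructed BBN for the infection/recovery chain of Fig. 8 (hypothetical
# CPTs; only the 57.9% protection, 86% infection, 58.5% quarantine and
# 57.3% recovery figures come from the text). Each node maps to
# (parents, cpt), where cpt gives P(node=True) per tuple of parent values.
NET = {
    "Connectivity": ((), {(): 0.70}),
    "Protection":   ((), {(): 0.579}),
    "Susceptible":  (("Connectivity", "Protection"), {
        (True, True): 0.30, (True, False): 0.90,
        (False, True): 0.10, (False, False): 0.50}),
    "Infected":     (("Susceptible",), {(True,): 0.86, (False,): 0.0}),
    "Quarantined":  (("Infected",), {(True,): 0.585, (False,): 0.0}),
    "Recovered":    (("Quarantined",), {(True,): 0.573, (False,): 0.0}),
}
ORDER = list(NET)  # insertion order is topological: parents come first

def local_prob(node, value, assignment):
    """P(node=value | parents) read from the node's CPT."""
    parents, cpt = NET[node]
    p_true = cpt[tuple(assignment[p] for p in parents)]
    return p_true if value else 1.0 - p_true

def joint(assignment):
    """Chain rule: product of every node's local probability."""
    p = 1.0
    for node in ORDER:
        p *= local_prob(node, assignment[node], assignment)
    return p

def belief(node, evidence=None):
    """P(node=True | evidence) by enumerating all hidden-node assignments."""
    evidence = dict(evidence or {})
    hidden = [n for n in ORDER if n not in evidence and n != node]
    weight = {True: 0.0, False: 0.0}
    for value in (True, False):
        for combo in product((True, False), repeat=len(hidden)):
            a = {**evidence, node: value, **dict(zip(hidden, combo))}
            weight[value] += joint(a)
    return weight[True] / (weight[True] + weight[False])

if __name__ == "__main__":
    # Deductive (cause -> effect): marginal belief of each node in the chain.
    for n in ORDER:
        print(f"{n:12s} P(True) = {belief(n):.3f}")
    # Inductive (effect -> cause): an observed infection lowers the belief
    # that the host's protection was effective (0.579 -> about 0.297).
    print("P(Protection | Infected) =",
          round(belief("Protection", {"Infected": True}), 3))
```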
V. CONCLUSION
We have shown that computing quantitative risk levels for single and multiple assets is trivial if we can adequately model the domain and combine the chances of incidents, joint probability propagations, and the asset values found in that domain. Threat analysis producing quantitative risk values is necessary in order to numerically illustrate risk-impact figures and failure rates in a distributed computing environment. We have introduced a generic threat model that can also be applied to risk computation for various types of IT assets and dependable computing environments. The classification of information security threats (human-related, internal, and external) is modeled as a compound structure with four dependable parameters (α, β, γ, and δ). We have developed a new risk propagation model using the conditional probability method and the average score scheme, by which risk levels can be easily estimated and quantified for different assessment systems. For example, in a given network, if we have asset weights, new observations, and optionally some up-to-date vulnerability statistics, we can run inference on these assets both for diagnosing the causes and for determining the causal effects (risk of causes), represented as numeric values between 0 and 5. With its simplicity, this model can easily be implemented for use as a complementary tool in information security assessments performed by test and evaluation facilities.
We have chosen Bayesian Belief Networks (BBNs), which were originally used to represent knowledge and develop automated reasoning systems, as the base methodology for making inferences. We have observed that BBNs are powerful tools for determining risk propagation and dependence structures among virtually and physically interconnected network assets. Prior distributions are traditionally obtained from facts and figures. However, traditional inference methods are difficult to apply to determining posterior distributions of risk factors in dynamically changing IT environments, whereas Bayesian approaches allow dependence analyses in large-scale networks to be performed easily.
Critical states in complex networks can be easily discovered by analyzing the beliefs of marginal distributions. As a result, BN-supported knowledge representation is a very useful means of illustrating inferences of both qualitative and quantitative character. Related to this, we found Bayesian networks to be practical tools both for graphically defining the relationships among a set of security variables and for determining the inference of causal effects in information security threat analyses.
REFERENCES
[1] F. Ruggeri, R. Kenett, and F. W. Faltin, Eds., Encyclopedia of Statistics in Quality and Reliability. John Wiley & Sons, Inc., 2007.
[2] D. Heckerman, A Tutorial on Learning With Bayesian Networks, Technical Report MSR-TR-95-06. Microsoft Research, 1996.
[3] E. E. Schultz, “Special systems: Overlooked sources of security risk?” Computers & Security, vol. 25, no. 3, p. 155, 2006.
[4] M. Li, C.-H. Chi, W. Jia, W. Zhao, W. Zhao, J. Cao, D. Long, and Q. Meng, “Decision analysis of statistically detecting distributed denial-of-service flooding attacks,” Journal of Information Technology & Decision Making, vol. 2, no. 3, pp. 397–405, 2003.
[5] A. Blyth and G. L. Kovacich, Information Assurance: Part 3, Security Standards. London, UK: Springer, 2006.
[6] A. J. A. Wang, “Information security models and metrics,” in ACM-SE 43: Proceedings of the 43rd Annual Southeast Regional Conference. New York, NY, USA: ACM, 2005, pp. 178–184.
[7] W. Li, D. Wu, and H. Lu, “A new information security model based on network service protection,” in ICISE ’09: Proceedings of the 2009 First IEEE International Conference on Information Science and Engineering. Washington, DC, USA: IEEE Computer Society, 2009, pp. 1547–1549.
[8] O. H. Alhazmi, Y. K. Malaiya, and I. Ray, “Measuring, analyzing and predicting security vulnerabilities in software systems,” Computers & Security, vol. 26, no. 3, pp. 219–228, May 2007.
[9] A. Jøsang, D. Bradley, and S. J. Knapskog, “Belief-based risk analysis,” in ACSW Frontiers ’04: Proceedings of the Second Workshop on Australasian Information Security, Data Mining and Web Intelligence, and Software Internationalisation. Darlinghurst, Australia: Australian Computer Society, Inc., 2004, pp. 63–68.
[10] R. Bernard, “Information lifecycle security risk assessment: A tool for closing security gaps,” Computers & Security, vol. 26, no. 1, pp. 26–30, 2007.
[11] C. A. Pollino, O. Woodberry, A. Nicholson, K. Korb, and B. T. Hart, “Parameterisation and evaluation of a Bayesian network for use in an ecological risk assessment,” Environ. Model. Softw., vol. 22, no. 8, pp. 1140–1152, 2007.
[12] S. Kondakci, “A composite network security assessment,” in IAS ’08: Proceedings of the 2008 Fourth International Conference on Information Assurance and Security. Washington, DC, USA: IEEE Computer Society, 2008, pp. 249–254.
[13] S. Uckun, B. Dawant, and K. Kawamura, “Netgraph: An object-oriented graphical toolset for risk assessment,” in IEA/AIE ’89: Proceedings of the 2nd International Conference on Industrial and Engineering Applications of Artificial Intelligence and Expert Systems. New York, NY, USA: ACM, 1989, pp. 119–125.
[14] G. L. Wooley, “Results of classroom enterprise security assessment of five large enterprise networks,” J. Comput. Small Coll., vol. 18, no. 3, pp. 185–195, 2003.
[15] R. Scandariato, B. De Win, and W. Joosen, “Towards a measuring framework for security properties of software,” in QoP ’06: Proceedings of the 2nd ACM Workshop on Quality of Protection. New York, NY, USA: ACM, 2006, pp. 27–30.
[16] H. R. Shahriari and R. Jalili, “Vulnerability Take Grant (VTG): An efficient approach to analyze network vulnerabilities,” Computers & Security, vol. 26, pp. 349–360, August 2007.
[17] S. Ghahramani, Fundamentals of Probability with Stochastic Processes, 3rd ed. Upper Saddle River, NJ, USA: Pearson Education, Inc., 2005.
[18] R. E. Walpole, R. H. Myers, S. L. Myers, and K. Ye, Probability & Statistics for Engineers and Scientists. Upper Saddle River, NJ, USA: Prentice-Hall, Inc., 2002.
[19] E. Charniak, “Bayesian networks without tears,” AI Magazine, vol. 12, no. 4, pp. 50–63, 1991.
[20] S. Kondakci, “A concise cost analysis of Internet malware,” Computers & Security, vol. 28, no. 7, pp. 648–659, 2009.