Analysis of Vulnerability Risk Using Game Model and Risk Matrix

(1)

2016 International Conference on Computer, Mechatronics and Electronic Engineering (CMEE 2016) ISBN: 978-1-60595-406-6

Analysis of Vulnerability Risk Using Game Model and Risk Matrix

Heng-wei ZHANG* and Tao LI

Zhengzhou Institute of Information Science and Technology, Zhengzhou, China

*Corresponding author

Keywords: vulnerability risk; Game model; Risk matrix; Comprehensive connection

Abstract: For the quantitative analysis of vulnerability risk in the information system, the paper

proposes the non-cooperative and nonzero-sum game model of vulnerability attack-defense, in which the value of vulnerability is evaluated by expected payoffs on the equilibrium. In the paper, with the two operators proposed, the comprehensive connection of the vulnerabilities is calculated through the quantitative analysis of the vulnerabilities connection using attack graph and risk matrix. Then the assessment method of system vulnerability risk is devised through the above vulnerability value and comprehensive connection. Based on the quantitative analysis of the vulnerabilities’ own risk and transmission risk, the proposed method comprehensively assesses the global risk of vulnerabilities, whose result can be used to recognize the key vulnerability and improve the effectiveness of system security defense. Finally the model and method proposed in this paper are proved to be valid through an example.

Introduction

In recent years, the manner of attacks against the information system has become diverse and complex. As vulnerability is the primary cause for successful attacks, comprehensive and accurate analysis of vulnerability risk is the key to improve the effectiveness of system security defense [1].

There exist two problems for the assessment of vulnerability risk based on attack graph and risk matrix. One is how to assess the value of vulnerability not considering risk transmission, which also means the assessment of potential loss caused independently by vulnerability. However, the methods proposed in [2][3][4] lack the restriction between attacker and defender. In essence, vulnerability is influenced by both attacker and defender. There is close dependence between vulnerability and the policy of attacker and defender. Assessment could not be comprehensive and objective only out of the attacker of defender.

The other problem is how to accurately assess the probability of multi-step attack using risk matrix. Zhou et al.[5] calculated the probability of multi-step attack qualitatively and quantitatively through analytic hierarchy process and attack recurrence method. But it depended on expertise and historical data much more.

(2)

vulnerabilities could be calculated precisely. Based on the above, the security administrator manages to recognize the critical vulnerability.

Related Definition

Definition 1. Vulnerability connectivity. In the actual attack-defense process, the attacker may use multiple vulnerability nodes to attain the goal. Then we define the probability of using the node n_i to penetrate the node n_j as vulnerability connectivityp_ij (0 p_ij 1). Vulnerability connectivity is closely related to information acquisition of the originating node n_i, resource availability and attack complexity of the target node. Referring Common Vulnerability Scoring System to define vulnerability connectivity, information acquisition is referred to Access Vector. Resource availability is referred to Authentication, and attack complexity is referred to Access Complexity. Then the connectivity p_ij of the adjacent node between i and j is denoted as

i ij

i j i

AU p

AU AC AV 

 

(1)

Definition 2. Risk matrix. Supposing VAG consists of several vulnerabilities, we define M as the risk

matrix of VAG, whose element indicates the connectivity of the two directly related vulnerabilities.

11 1

1

v

v vv

p p

M

p p

 

 

  

 

 

The diagonal elements of the matrix are zero, and pij implies the connectivity between the node ni

and the node nj. There is a corresponding relationship between risk matrix and attack graph. More

details can be referred to the literature [6].

Analysis of Vulnerability Value Based on Attack-Defense Game Model

Definition 3. Attack-defense game model. In this paper, the attack-defense game model is defined by

the five tuples NSADG（P B F AS DS, , , , ）.

(1) P=



P P_a, _d



indicates participant set of the game. Participant of the game is the subject of policy formulation and policy selection. Attack-defense game is a two-person game between attacker Pa and

defender Pd.

(2) B indicates the prior belief space of attacker and defender. B P( aH) and ( )

L a

B P are the prior belief of defender to attacker. We suppose B P( _aH) denotes the attacker of high attack ability and B P( _aL) denotes the attacker of low attack ability. B P( _d) is the prior belief of attacker to defender. According to the primary theory, we can attain B P( _aH)q, B P( _aL) 1 q, B P( _d) 1 .

(3) F=



f_a,f_d



is the payoff function of Pa and Pd. Different policies in the game would result in

different payoffs for attacker and defender.

(4) AS, DS is the respective policy space of attacker and defender. AS



A_i 1 i m



_{indicates the}

attack policy set, and DS



D_j 1 j n



indicates the defense policy set.

(3)

indicates the successful probability of attack policy when attack policy and defense policy is respectively implemented. Attack success rate can be gotten through the analysis of historical data.

Assessment of Vulnerability Risk Based On Risk Matrix

Because of the independence of each other, the value and the connectivity of vulnerability node are used to assess vulnerability risk respectively. Comprehensive connection of any two vulnerabilities, proposed in the paper, indicates the probability of attacking target vulnerability through different attack paths from originating vulnerability node, whose calculation is shown in Figure 1.

1

2

5

4

p12 p35

p₁₄ p15 _p₄₅

3 p23

[image:3.612.191.423.208.277.2]

Figure 1 Analysis of vulnerability connectivity via different attack paths.

As shown in the above, there are 3 paths between node 1 and node 5, and then the three-step connection is (3)

15 12 23 35

p p p p . The two-step connection is (2)

15 14 45

p  p p .

Given the path between the nodes whose length is 1, comprehensive connection between the nodes is (2) (3)

15 1 (1 p15)(1 p15 )(1 p15 )

      , where 15 implies the total probability of attacking the node 5 from the node 1 via different paths.

On the basis of the above analysis, we define connection operator of risk matrix to quantify the connection.

Definition 5. Risk matrix operator (multiplication operator  and addition operator ). According

to the multiplication of matrixes, we define multiplication operator  as follows:

(2) (2) 11 1 (2) (2) (2) 1 v v vv p p

M M M

p p       _{ } _    

, (2)

1

1 (1 )

v

ij ik kj

k

p p p



 



  (2)

According to the addition of matrixes, we define addition operator  as follows:

11 1

(1) (2) ( ) 1

v n

v vv

M M M

           _{ } _     , ( ) 1

1 (1 )

n r ij ij r p    



 ( ) 1

1 (1 )

n r ij ij r p  

 



 (3)

From the elaboration of the element in risk matrix M, pijindicates the connection between the

directly related vulnerability node ni and nj. Then the three-step connection can be calculated through

the multiplication  of risk matrix M in the following: (3) (3) 11 1 (3) (2) (3) (3) 1 v v vv p p

M M M M M M

p p          _{ } _    

(4)

Definition 6. Vulnerability risk (Rs,Ro and Rw). Vulnerabilities’ own risk Rs implies the risk

caused by threats via the vulnerability, which is related to value of the vulnerability the connection between the vulnerability node and other vulnerability node. When the vulnerability is independent from other vulnerabilities, the own risk is equal to the value of vulnerability. Vulnerability transmission risk

o

R implies risk transmitted from the vulnerability to the other vulnerability, which is related to the value and connection of the other vulnerability. There is RwRsRo.

Firstly the own risk Rs is calculated via multiplying risk probability of the vulnerability by the loss

caused by risk. For the vulnerability c_{, there may be several attack paths. Adding all the risk probability}

of different paths attains the total risk probability of the vulnerability c. According to definition 5, bc

denotes the total probability of attacking the target vulnerability c_{via the originating vulnerability}b. Vulnerability value w c( )_{denotes the probable losses after being attacked. Then we know risk for the} target vulnerabilityc_is R b c_s( , )_bcw c( ).

Based on the above statement, we can calculate risks of all the attack paths whose target is vulnerability c_{. In line with definition 6 the own risk of vulnerability} c_is

1 1

( ) ( , ) ( ( ))

v v

s s bc

b b

R c R b c  w c

 









 (4)

The total own risk of all the vulnerabilities in information system is denoted by the vector ( _s) _s(1), _s(2), , _s( )

V R  R R R v _.

Next transmission risk Ro indicates the risk transmitted from the penetrated vulnerability to the other

vulnerability. Since risk is transmitted from the originating vulnerability c_{to the other vulnerability}

through different attack paths, the transmission risk of vulnerability c R c_o( ) is

1

( ) ( ( ))

v

o cb

b

R c  w b







1

( ) ( ( ))

v

o cb

b

R c  w b





 (5)

The total transmission risk of all the vulnerabilities in information system is denoted by the vector ( _o) _o(1), _o(2), , _o( )

V R  R R R v _

Finally the global risk of all the vulnerabilities is denoted by the vector (1) (1) (1)

(2) (2) (2) ( ) ( ) ( )

( ) ( ) ( )

s o w

T T T

w s o

s o w

R R R

V R V R V R

R v R v R v

     

     

    

     

     

Simulation Experimental Analysis

Validity of the method and model proposed in the paper is verified through the topology of network information system as shown in literature[5]. Referring data supported by NVD[5], we suppose vulnerabilities existing in the hosts of the system as follows.

To analyze the game model and evaluate the value of vulnerability, putting the vulnerability 1(CVE-2006-2918) of firewall as an example, for which attack policy consists of (A1) Heart blood；(A2)

(5)

location；(D2) Stopping TP Service；(D3) Changing port ID；(D4) Restricting iusr_server, we suppose

[image:5.612.81.535.141.502.2]

success rate of attack as Table 2 shows. Based on the literature [7], we get the attack graph in Figure 2 according to formula 1 and CVSS.

Table 1. The existence of vulnerabilities.

No. Host Vulnerability-ID Vulnerability Description Result

1 Firewall CVE-2006-2918 RedHat Linux Remote buffer overflow User

2 Web

Server CVE-2008-0076 ASP Remote buffer overflow

Root

3 Mail

Server

CVE-2012-0385 LDAP Authentication access restrictions

bypassing

User

4 CVE-2004-1127 Windows Server Remote buffer overflow Root

5 Database

Server CVE-2010-0104 Oracle R2 Remote command execution Root

13 0.47 p  12 0.45 p  24 0.54 p  35 0.43 p  45 0.55 p  34 0.43 p  1 2 3 4 5 CVE-2006-2918 User CVE-2008-0076 Root CVE-2012-0385 User CVE-2004-1127 Root CVE-2010-0104 Root

Figure 2. Attack Graph.

Table 2. Success rate of attack.

Attack policy

Defense policy Policy A1 Policy A2 Policy A3 Policy A4

Policy D1

Policy D2

Policy D3

Policy D4

0.60 0.78 0.58 0.48 0.65 0.96 0.88 0.72 0.75 0.94 0.72 0.64 0.55 0.82 0.83 0.45

The payoffs matrix (M_AH,M_DH) and (M_AL,M_DL) of vulnerability game is calculated by the method proposed in the above.

(21,8) (14, 6) (7.9,5.2) (7.6,15.6) ( , ) (17, 23) (25,35) (10, 4.2) (17.2,9.8)

(0.2,11) (9.1,11) (12, 25) (15,8.8)

H H A D M M           

( 7 . 8 , 2 2 ) ( 6 . 4 , 1 8 . 4 ) ( 8 . 5 , 8 . 4 ) ( 4 . 6 , 1 8 ) ( 6 . 4 , 1 8 . 1 ) ( 9 . 8 , 1 8 ) ( 0 . 9 , 1 3 ) ( 1 5 , 2 6 ) ( , )

( 7 . 5 , 1 6 ) ( 3 . 2 , 9 . 2 ) ( 1 2 , 1 . 7 ) ( 7 . 5 , 1 5 )

( 7 . 2 , 1 7 . 2 ) ( 1 0 , 1 7 ) ( 6 . 6 , 1 8 ) ( 6 . 7 , 1 5 . 7 )

L L A D M M             

Inputting the above payoffs matrix into software Gambit [8], we can get under equilibrium the mixed policies are _x*_{(0.02,0.16,0,0.82)}

and _y*_{(0.45,0,0,0.59)}

respectively, and expected payoffs are denoted by (0.667, 0.334). Then vulnerability value vector of the information system is



0.667 0.303 0.763 0.379 0.574



(6)

The connection matrix of the attack graph is denoted by M, whose maximum length of attack path is 3. With multiplication  of matrix M iterated two times, _M(2)_and _M(3)_{can be calculated. And then} we can obtain comprehensive connection matrix (2) (3)

0

M MM M .

0 0.43 0.49 0 0 0 0 0 0.61 0

0 0 0 0.39 0.41

0 0 0 0 0.62

0 0 0 0 0

M

 

 



 

 

,

0

0 0.43 0.49 0.485 0.493 0 0 0 0.610 0.308

0 0 0 0.390 0.667

0 0 0 0 0.620

0 0 0 0 0

M

 

 



 

 

On the basis of the vector W and the matrix M0, using the formulas (4) and (5), the vector of vulnerabilities’ own risk and transmission risk are respectively as follows:





( _s) 0 0.136 0.313 0.536 1.126

V R  , V R( _o)



0 . 8 7 4 0 . 3 7 5 0 . 5 4 5



0 . 3 1 5 0

In conclusion the global risk vector of vulnerabilities in the system is





( _w) 0.874 0.511 0.858 0.851 1.126

V R  .

The severity degree of the above vulnerabilities ranks by n5 > n1 > n3 > n4 > n2. The vulnerability n5

and n1 have the significant effect on the network system, based on which risk may cause enormous

losses to the network system, so administrator should pay great attention on the two vulnerabilities.

Conclusion

Concerning the quantitative analysis of vulnerability risk, we do the research on vulnerability value, vulnerabilities’ own risk, transmission risk and comprehensive risk. The non-cooperative and nonzero-sum game model of vulnerability attack-defense is proposed in the paper. And then the value of vulnerability is evaluated by expected payoffs on the equilibrium. Based on the above, the comprehensive connection of the vulnerabilities is calculated through the quantitative analysis of the vulnerabilities connection with two matrix operators proposed. Then the comprehensive assessment method of vulnerability risk is devised, calculating the global risk of vulnerabilities accurately, which helps the security administrator manages to recognize the critical vulnerability.

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grant No. 61303074 and No. 61309013.

References

[1] Gao Zhiwei, Yao Yao, Rao Fei, et al. Predicting model of vulnerabilities based on the type of vulnerability severity [J]. ACTA Electronica Sinica, 2013, 41(9): 1784-1787 (in Chinese).

[2] Wang Yuanzhuo, Lin Chuang. Analysis for network attack-defense based on stochastic game model [J]. Chinese Journal of Computers, 2010, 33(9): 1748-1762 (in Chinese).

(7)

[4] National vulnerability database version 2.5 [EB/OL]. Nation Infrastructure Adviser Committee, 2014[2014-09-17] http://nvd.nis.gov.

[5] Zhou Liang, Li Juner, Lu Tianbo. Research on quantitative assessment model on vulnerability risk for information system [J]. Journal on Communication, 2011, 30(2): 16-21 (in Chinese).

[6] Game Theory [M]. Drew Fudenberg, Jean Tirole, Boston: Massachusetts Institute of Technology Press, 2012: 58-63.

[7] Noel S, Jajodia S. Understanding complex network attack graphs through clustered adjacency matrices [C]. Proc of the 21th Annual Computer Security Applications Conference, Tucson: IEEE, 2013: 160-169.