A Security Model Based Approach for Dynamic Risk Assessment of Multi-Step Attacks in Computer Networks

Document Type: Original Article

Author

Faculty Member of Semnan University

Abstract

Human life depends on computer networks in many ways, and these networks are widely vulnerable, so network robustness has become a necessity. Since cost is a limiting factor, achieving robustness is a major challenge for network administrators. It can be approached by prioritizing vulnerabilities according to their risk and selecting the most hazardous ones for elimination. Today CVSS is the most widely used vulnerability scoring system. In CVSS, a vulnerability is ranked by its intrinsic features, while temporal features, such as the probability that an exploitation tool will be developed, are ignored. Dynamic risk evaluation is therefore not possible with CVSS, and CVSS cannot discriminate effectively between vulnerabilities, because only a limited number of distinct scores are available for prioritizing an effectively unlimited number of vulnerabilities. In addition, CVSS ranks only single-step attacks, whereas a wide variety of attacks are multi-step. In this paper a security system is proposed that improves on CVSS and several other existing vulnerability scoring systems: it performs dynamic risk evaluation of multi-step attacks by taking the temporal features of vulnerabilities into account. Because the introduced model is built on the security metrics of the security model, security evaluation of multi-step attacks becomes possible with CVSS. A further unique feature of the proposed system is its ability to evaluate the risk of zero-day attacks, which the existing vulnerability scoring systems cannot do. In CVSS, the impact of exploiting 35.5% of vulnerabilities on confidentiality, integrity and availability is scored identically; in the proposed system, by considering the relative priority of these three security parameters, discrimination of the risk scores of that share of vulnerabilities may be possible.
On the other hand, the continuity of the proposed method's probability assessment function, compared with the discrete one in CVSS, improves score diversity.
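The two ideas the abstract contrasts with CVSS, priority-weighted C/I/A impact and a continuous temporal factor, are illustrated below in Python. This is an added example, not the paper's own formulas or code: the CVSS v2 impact-level and temporal-exploitability constants are the real ones, but the weighted-impact formula, the asset priority weights (0.2, 0.3, 0.5), the exponential exploit-availability function and its 90-day mean are assumptions chosen only to show how such a scheme separates vulnerabilities that CVSS scores identically and how a score can change over time.

```python
import math

# Real CVSS v2 constants: impact level values and the four discrete temporal
# exploitability (E) values. Everything else below is an assumed illustration.
IMPACT_LEVEL = {"none": 0.0, "partial": 0.275, "complete": 0.660}
CVSS_V2_EXPLOITABILITY = {"unproven": 0.85, "proof-of-concept": 0.90,
                          "functional": 0.95, "high": 1.00}


def cvss_v2_impact(c, i, a):
    """CVSS v2 impact subscore: C, I and A are combined symmetrically, so
    swapping which one is 'complete' does not change the score."""
    ci, ii, ai = (IMPACT_LEVEL[x] for x in (c, i, a))
    return round(10.41 * (1 - (1 - ci) * (1 - ii) * (1 - ai)), 1)


def weighted_impact(c, i, a, weights):
    """Assumed priority-weighted impact (not the paper's formula): each
    component's CVSS level is scaled by the asset's priority weight for that
    component. Weights must sum to 1, so an all-'complete' vulnerability scores
    10 on every asset while losses of a low-priority property score less."""
    wc, wi, wa = weights
    if abs(wc + wi + wa - 1.0) > 1e-9:
        raise ValueError("priority weights must sum to 1")
    full = IMPACT_LEVEL["complete"]
    score = 10.0 * (wc * IMPACT_LEVEL[c] + wi * IMPACT_LEVEL[i]
                    + wa * IMPACT_LEVEL[a]) / full
    return round(score, 1)


def exploit_probability(days_since_disclosure, mean_days_to_exploit=90.0):
    """Assumed continuous temporal factor: probability that a working exploit
    exists t days after disclosure, modelled as 1 - exp(-t / mean). The
    exponential form and the 90-day mean are illustrative assumptions, chosen
    only to contrast with the four discrete CVSS_V2_EXPLOITABILITY steps."""
    if days_since_disclosure < 0:
        raise ValueError("time since disclosure cannot be negative")
    return 1.0 - math.exp(-days_since_disclosure / mean_days_to_exploit)


def dynamic_risk(c, i, a, weights, days_since_disclosure):
    """Assumed dynamic risk: priority-weighted impact times the continuous
    exploit probability, so the same vulnerability's score rises over time."""
    return round(weighted_impact(c, i, a, weights)
                 * exploit_probability(days_since_disclosure), 2)


if __name__ == "__main__":
    # Constructed sample: a public web server where availability matters most.
    web_server_weights = (0.2, 0.3, 0.5)   # (C, I, A) priorities, assumed
    vulns = {
        "V1 (confidentiality loss)": ("complete", "none", "none"),
        "V2 (availability loss)": ("none", "none", "complete"),
    }
    for name, (c, i, a) in vulns.items():
        print(f"{name}: CVSS impact={cvss_v2_impact(c, i, a)}, "
              f"weighted impact={weighted_impact(c, i, a, web_server_weights)}")
    v2 = vulns["V2 (availability loss)"]
    for days in (0, 30, 90, 365):
        print(f"V2 risk at day {days}: "
              f"{dynamic_risk(*v2, web_server_weights, days)}")
```

Both sample vulnerabilities receive the same CVSS v2 impact (6.9) because the formula treats confidentiality and availability symmetrically, while the weighted variant scores them 2.0 and 5.0 for the availability-critical asset; the time-dependent factor then yields a different risk value for every day since disclosure instead of four fixed steps.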
 

Volume 9, Issue 1 - Serial Number 33
Serial No. 33, Spring Quarterly
April 2021
Pages 157-173
  • Receive Date: 07 August 2020
  • Revise Date: 19 September 2020
  • Accept Date: 26 October 2020
  • Publish Date: 21 April 2021