Top

Journal of Network and Systems Management

Published in:

03-08-2020

Bayesian Decision Network-Based Security Risk Management Framework

Authors: Masoud Khosravi-Farmad, Abbas Ghaemi-Bafghi

Published in: Journal of Network and Systems Management | Issue 4/2020

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Network security risk management is comprised of several essential processes, namely risk assessment, risk mitigation and risk validation and monitoring, which should be done accurately to maintain the overall security level of a network in an acceptable level. In this paper, an integrated framework for network security risk management is presented which is based on a probabilistic graphical model called Bayesian decision network (BDN). Using BDN, we model the information needed for managing security risks, such as information about vulnerabilities, risk-reducing countermeasures and the effects of implementing them on vulnerabilities, with the minimum need for expert’s knowledge. In order to increase the accuracy of the proposed risk assessment process, vulnerabilities exploitation probability and impact of vulnerabilities exploitation on network assets are calculated using inherent, temporal and environmental factors. In the risk mitigation process, a cost-benefit analysis is efficiently done using modified Bayesian inference algorithms even in case of budget limitation. The experimental results show that network security level enhances significantly due to precise assessment and appropriate mitigation of risks.

previous article Decomposition Based Cloud Resource Demand Prediction Using Extreme Learning Machines

next article Expand or Oversize? Planning Internet Access Network in a Demand Growth Scenario

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Thomas, PR.: Information security risk analysis, 3rd edition, Auerbach publications, Boco Raton (2010)

Ross, R.S.: Guide for conducting risk assessments, Special Publication (NIST SP)-800-30 Rev. 1, (2012)

Evan, W.: Security risk management: building an information security risk management program from the ground up, 1st edn. Elsevier, Burlington (2011)

Mell, P., et al.: A complete guide to the common vulnerability scoring system version 2.0, Published by FIRST-Forum of Incident Response and Security Teams, vol. 1, (2007)

Ammann, P., et al.: Scalable, graph-based network vulnerability analysis, Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM (2002)

Sheyner, O., et al.: Automated generation and analysis of attack graphs, In Proceedings 2002 IEEE Symposium on Security and Privacy. IEEE, New York (2002)

Gallon, L., Bascou, J. J.: Cvss attack graphs, In 2011 Seventh International Conference on Signal Image Technology & Internet-Based Systems, pp. 24–31. IEEE, New York (2011)

Liu, Y., Man, H.: Network vulnerability assessment using Bayesian networks, In Data mining, intrusion detection, information assurance, and data networks security, vol. 5812, pp. 61–71, International Society for Optics and Photonics, Bellingham (2005)

Poolsappasit, N., et al.: Dynamic security risk management using bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)CrossRef

10.

Hong, J.B., et al.: A survey on the usability and practical applications of graphical security models. Comput. Sci. Rev. 26, 1–16 (2017)MathSciNetCrossRef

11.

Lippmann, R.P., Ingols, K.W.: An annotated review of past papers on attack graphs, No. PR-IA-1, Massachusetts Inst of Tech Lexington Lincoln Lab (2005)

12.

Garg, U., et al.: Empirical analysis of attack graphs for mitigating critical paths and vulnerabilities. Comput. Security 77, 349–359 (2018)CrossRef

13.

Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inform. Security Appl. 29, 27–56 (2016)

14.

He, W., et al.: Unknown vulnerability risk assessment based on directed graph models: a survey. IEEE Access 7, 168201–168225 (2019)CrossRef

15.

Cheng, P., et al.: Aggregating CVSS base scores for semantics-rich network security metrics, In 2012 IEEE 31st Symposium on Reliable Distributed Systems, IEEE, New York (2012)

16.

Wang, C., et al.: A novel comprehensive network security assessment approach, In 2011 IEEE International Conference on Communications (ICC), IEEE, New York (2011)

17.

Wang, S., et al.: Exploring attack graph for cost-benefit security hardening: a probabilistic approach. Comput. Security 32, 158–169 (2013)CrossRef

18.

Wang, L., et al.: An attack graph-based probabilistic security metric, In IFIP Annual Conference on Data and Applications Security and Privacy, pp. 283–296. Springer, Berlin, Heidelberg (2008)

19.

Ghosh, N., Ghosh, S.K.: An approach for security assessment of network configurations using attack graph, In 2009 First International Conference on Networks Communications, pp. 283–288. IEEE, New York (2009)

20.

Noel, S., et al.: Measuring security risk of networks using attack graphs. Int. J. Next Gen. Comput. 1(1), 135–147 (2010)

21.

Frigault, M., Wang, L.: Measuring network security using Bayesian network-based attack graphs, In 2008 32nd Annual IEEE International Computer Software and Applications Conference, pp. 698–703. IEEE, New York (2008)

22.

Kondakci, S.: Network security risk assessment using Bayesian belief networks, In 2010 IEEE Second International Conference on Social Computing, pp. 952–960. IEEE, New York(2010)

23.

Xie, P., et al.: Using Bayesian networks for cyber security analysis, In 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 211–220. IEEE, New York (2010)

24.

Feng, N., et al.: A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Inform. Sci. 256, 57–73 (2014)CrossRef

25.

Le, A., et al.: Incorporating FAIR into bayesian network for numerical assessment of loss event frequencies of smart grid cyber threats. Mobile Networks Appl.24(5), 1713–1721 (2019)CrossRef

26.

Wang, J., et al.: A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model, Computers Security 89, 101659

27.

Frigault, M., et al.: Measuring the overall network security by combining cvss scores based on attack graphs and Bayesian networks, in Network Security Metrics, pp. 1–23. Springer, Cham (2017)

28.

Noel, S., Jajodia, S.: A suite of metrics for network attack graph analytics, in network security metrics, pp. 141–176. Springer, Cham (2017)

29.

Norman, T.L.: Risk analysis and security countermeasure selection, 2nd edn. CRC Press, Cleveland (2015)

30.

Wheeler, E.: Security risk management: building an information security risk management program from the Ground Up, 1st edn. Elsevier, Amsterdam (2011)

31.

Russell, S.J., Norvig, P.: Artificial intelligence: a modern approach, 4th edn. Pearson Education Limited, Malaysia (2020)MATH

32.

Koller, D., Friedman, N., Bach, F.: Probabilistic graphical models: principles and techniques, 1st edition, MIT press, Cambridge (2009)

33.

Ahmed, M.S., et al.: Objective risk evaluation for automated security management. J. Network Syst. Manag. 19(3), 343–366 (2011)CrossRef

34.

Alali, M., et al.: Improving risk assessment model of cyber security using fuzzy logic inference system. Comput. Security 74, 323–339 (2018)CrossRef

35.

Dai, F., et al.: Exploring risk flow attack graph for security risk assessment. IET Infor. Security 9(6), 344–353 (2015)CrossRef

36.

Wangen, G., et al.: A framework for estimating information security risk assessment method completeness. Int. J. Inform. Security 17(6), 681–699 (2018)CrossRef

37.

Rusek, K., et al.: Effective risk assessment in resilient communication networks. J. Network Syst. Manag. 24(3), 491–515 (2016)CrossRef

38.

Awan, M.S.K., et al.: Identifying cyber risk hotspots: a framework for measuring temporal variance in computer network risk. Comput. Security 57, 31–46 (2016)CrossRef

39.

Nespoli, P., et al.: Optimal countermeasures selection against cyber attacks: a comprehensive survey on reaction frameworks. IEEE Commun. Surveys Tutorials 20(2), 1361–1396 (2018)MathSciNetCrossRef

40.

Gehani, A., Kedem, G.: Rheostat Real Time Risk Manag. In: international workshop on recent advances in intrusion detection, pp. 296–314. Springer, Berlin, Heidelberg (2004)

41.

Dabbebi, O., et al.: An online risk management strategy for VoIP enterprise infrastructures. J. Network Syst. Manag. 23(1), 137–162 (2015)CrossRef

42.

Noel, S., et al.: Efficient minimum-cost network hardening via exploit dependency graphs. In 19th Annual Computer Security Applications Conference Proceedings, IEEE, New York. pp. 86–95 (2003)

43.

Jha, S., et al.: Two formal analyses of attack graphs. In Proceedings 15th IEEE Computer Security Foundations Workshop, CSFW-15, IEEE, New York. pp. 49–63 (2002)

44.

Dewri, R., et al.: Optimal security hardening using multi-objective optimization on attack tree models of networks, In Proceedings of the 14th ACM conference on computer and communications security, ACM. pp. 204–213, (2007)

45.

Khosravi-Farmad, M., et al.: Network security risk mitigation using Bayesian decision networks, In 2014 4th International Conference on Computer and Knowledge Engineering (ICCKE), IEEE. pp. 267–272 (2014)

46.

Liu, S. C., Liu, Y.: Network security risk assessment method based on HMM and attack graph model, In 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), IEEE, New York. pp. 517–522 (2016)

47.

Nessus Vulnerability Scanner. http://www.tenable.com/products/nessus-vulnerability-scanner

48.

OpenVAS, Open Vulnerability Assessment System. http://www.openvas.org/

49.

Retina Network Security Vulnerability Scanner. https://www.beyondtrust.com/products/retina-network-security-scanner/

50.

NIST. US National vulnerability database (NVD). https://nvd.nist.gov/

51.

Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/

52.

Nmap, The Network Mapper. https://nmap.org/

53.

Ou, X., et al., MulVAL: A Logic-based Network Security Analyzer, In USENIX Security Symposium, pp. 113–128 2005

54.

Khosravi-Farmad, M., et al.: Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment, In 2014 11th International ISC Conference on Information Security and Cryptology, IEEE. pp. 186–191 (2014)

55.

GeNIe Modeler, BayesFusion, LLC. https://www.bayesfusion.com/

56.

ben Othmane, L., et al.: Incorporating attacker capabilities in risk estimation and mitigation., Computers Security 51, pp. 41–61 (2015)

57.

Holm, H., et al.: An expert-based investigation of the common vulnerability scoring system. Comput. Security 53, 18–30 (2015)CrossRef

Title: Bayesian Decision Network-Based Security Risk Management Framework
Authors: Masoud Khosravi-Farmad
Abbas Ghaemi-Bafghi
Publication date: 03-08-2020
Publisher: Springer US
Published in: Journal of Network and Systems Management / Issue 4/2020
Print ISSN: 1064-7570
Electronic ISSN: 1573-7705
DOI: https://doi.org/10.1007/s10922-020-09558-5

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 4/2020

Expand or Oversize? Planning Internet Access Network in a Demand Growth Scenario

Bandwidth Utilization and Management Algorithms (BUMAs) for NG-EPON

Analyzing Handover Performances of Mobility Management Protocols in Ultra-dense Networks

SDN-Based Traffic Management Middleware for Spontaneous WMNs

Modified Dual-Path Allocation Algorithm in Elastic Optical Networks

Optimized Sampling Strategies to Model the Performance of Virtualized Network Functions

Premium Partner