…th International Conference on Computer and Knowledge Engineering (ICCKE)

Network Security Risk Mitigation Using Bayesian Decision Networks Masoud Khosravi-Farmad1, Razieh Rezaee2, Ahad Harati3, and Abbas Ghaemi Bafghi4 1,2,4

Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran [email protected], [email protected], [email protected] 3 Computer Engineering Department, Faculty of Eng., Ferdowsi University of Mashhad, Mashhad, Iran [email protected]

Abstract— Network security risk assessment and mitigation are two processes in the risk management framework which need to be done accurately to improve the overall security level of a network. In this paper, in order to increase the accuracy of vulnerability exploitation probability estimation in the risk assessment phase, in addition to the inherent characteristics of vulnerabilities, their temporal characteristics are also considered. In the risk mitigation phase, Bayesian decision networks are used to model the interconnections between vulnerabilities that enable the attacker to achieve a particular goal, the security countermeasures covering these vulnerabilities, their cost of implementation and the resulting outcome. Using Bayesian decision networks, our approach yields scalability and integration of the risk assessment and mitigation processes. A cost-benefit analysis is done to identify the minimum-cost hardening security measures in situations where the allocated budget for network security hardening is limited. The experimental results show that the proposed method effectively improves the security level of a test network in terms of determining the optimal security risk mitigation plans.

Keywords—Security risk mitigation; Bayesian decision networks; Attack graphs; Vulnerability; CVSS framework

I. INTRODUCTION

In today's complex networked environments, one of the main objectives of network security administrators is to assess the risk to their systems and to defend their networks against potential attacks by determining the best possible set of security hardening options, a process carried out as part of the security risk management activity.

Security risk management involves the identification, analysis and mitigation of the possible risks involved in a system [1]. The goal of security risk management is to minimize or eliminate potential risks in the system. To manage the risks, they must be identified before they adversely affect the system. Conversion of risk data into risk decision-making information is done in the risk analysis phase. In this step, the identified risks are ranked by assessing the probability and severity of the loss for each risk. Risk mitigation includes prioritizing and selecting the most critical risks to address. It defines how risk reduction will be conducted in a particular system by defining risk-reduction activities. Risk mitigation produces a situation in which the risk items are eliminated or otherwise resolved. There are several techniques for identifying and measuring the characteristics of individual vulnerabilities, such as the Common Vulnerability Scoring System (CVSS) [2], but the major limitation of these techniques is that they only focus on individual vulnerabilities and do not consider the interactions between them. This is important because when an attacker wants to compromise a network, he generally exploits sequences of related vulnerabilities. Such attacks are called multi-step attacks. Attack graphs are powerful tools that can demonstrate the possible multi-step attacks which enable the attacker to achieve a particular goal [3], [4].

One of the main drawbacks of attack graphs is that they give no information about the probability of exploiting multi-step attacks [5], which is needed for doing risk analysis. So it is difficult to assess the damage caused by multi-step attacks on the network hosts using only attack graphs. Therefore attack graphs alone cannot be efficient in doing risk analysis, and other methods must be used beside attack graphs to overcome these limitations. Bayesian networks are powerful tools that can represent information about the probability of exploiting multi-step attacks. With slight changes, Bayesian networks can be converted to Bayesian attack graphs (BAGs) [6], so all possible multi-step attacks can be demonstrated by using them. Also, by employing Bayesian network concepts on the attack graphs, it is possible to capture uncertainties about attacker actions. The main shortcoming of the Bayesian attack graphs proposed in [6] is that they do not provide any information about possible security countermeasures, their coverage, implementation cost and expected outcome, which are needed in the security risk mitigation phase.

In this paper, Bayesian decision networks are used to model the network attacks, so that in addition to demonstrating all possible multi-step attacks and capturing uncertainties about attacker actions, it is possible to model the characteristics of the different security countermeasures for performing risk mitigation. Using Bayesian decision networks allows network security administrators to define the countermeasures covering vulnerabilities, the cost of implementing the countermeasures and the outcome of their coverage. The contributions of this paper are as follows:

The main contribution of this paper is using Bayesian decision networks to modify and enhance Bayesian attack graphs so that risk mitigation becomes possible in an integrated manner.

We have conducted a cost-benefit analysis compatible with Bayesian decision networks, so that network security administrators can identify the optimal subset of security countermeasures even if the allocated budget for securing the network is limited.

The probability of exploiting a vulnerability may change over time, depending on the availability of information about the vulnerability. In this paper these changes are handled by considering the temporal characteristics of vulnerabilities, so the result is more accurate than that of other methods.

The rest of the paper is organized as follows: the next section reviews the relevant concepts of Bayesian networks, Bayesian attack graphs, Bayesian decision networks and the CVSS framework. Section III presents a brief review of related work. Sections IV and V present the proposed method for risk assessment and risk mitigation. The results of applying the proposed method to a test network are presented in Section VI. The last section concludes the paper.

II. PRELIMINARIES

The concepts used in this paper are Bayesian networks, Bayesian attack graphs, Bayesian decision networks and the CVSS framework, which are briefly explained in this section.

A. Bayesian Networks

A Bayesian network is a directed acyclic graph (DAG) in which each node corresponds to a random variable and the arcs represent the conditional independencies among them. Each node has a conditional probability distribution that quantifies the effect of the parents on the node [7].

Given a set of random variables $X = \{X_1, \ldots, X_n\}$ in a Bayesian network, the joint probability of all the variables is given by the chain rule as

$P(X_1, \ldots, X_n) = \prod_{i=1}^{n} P(X_i \mid Pa(X_i))$ (1)

where $Pa(X_i)$ denotes the specific values of the variables in the parent nodes of $X_i$. In Bayesian networks, probabilistic beliefs about the strength of the connections are updated as new information becomes available using Bayes' theorem

$P(H \mid E) = \dfrac{P(H)\, P(E \mid H)}{P(E)}$ (2)

where $P(H \mid E)$ is the posterior probability, $P(H)$ is the prior probability, $P(E \mid H)$ is the probability of the observed information $E$ given the particular event $H$, and $P(E)$ is the unconditional probability of $E$ occurring.

B. Bayesian Attack Graph

A Bayesian attack graph is a tuple $BAG = (N, A, R, P)$ where $N$ denotes the set of nodes, which are divided into three categories: terminal nodes, which are end points of the attack graph; internal nodes; and external nodes, which are the entry points of the attack graph [6]. The set of ordered pairs $A$ reflects the edges of the graph. $R$ represents the relation between the edges entering a node, with possible values {AND, OR}. $P$ is a set of conditional probability distributions representing the values of $P(X_i \mid Pa(X_i))$. In a Bayesian attack graph, each node has a conditional probability table (CPT) which specifies the chance of the node being compromised, given each combination of the states of its parents.

C. Bayesian Decision Networks

A decision network combines a Bayesian network with additional node types for actions and utilities [7]. Therefore a decision network consists of three types of nodes: 1) chance nodes, which represent random variables, exactly as in Bayesian networks; 2) decision nodes, which represent points where the decision maker has a choice of actions; and 3) utility nodes, which represent the agent's utility function.

The utility node represents the expected utility ($EU$) associated with each action $a$ given the evidence $e$, defined by

$EU(a \mid e) = \sum_{i} P(s_i \mid e, a)\, U(s_i \mid a)$ (3)

where $e$ is the available evidence, $a$ is an action with possible outcome states $s_i$, $U(s_i \mid a)$ is the utility of each outcome state given that action $a$ is taken, and $P(s_i \mid e, a)$ is the conditional probability distribution over the possible outcome states, given that evidence $e$ is observed and action $a$ is taken.

D. CVSS Framework

The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the severity level of IT vulnerabilities. It consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10 [2].

The Base metrics quantify the intrinsic characteristics of a vulnerability. The base exploitability subscore is composed of the access vector (AV), access complexity (AC) and authentication instances (Au) metrics. The Temporal metrics quantify the characteristics of a vulnerability that change over time. These metrics measure the current state of exploit tools and techniques (E), the remediation status of the vulnerability (RL) and the report confidence (RC). The Environmental metrics capture the characteristics of a vulnerability that are associated with a particular user's IT environment.

III. RELATED WORKS

Measuring various aspects of network security plays an important role in protecting networks against malicious intrusions. Over time, several approaches have been proposed to qualitatively assess network security based on attack graphs. But the main problem is that the qualitative nature of attack graph analysis is imprecise. Assessing the overall security of a network requires a thorough understanding of the interconnections between host vulnerabilities. Such an understanding is difficult to obtain with qualitative methods, so quantitative analysis is desirable.

In order to quantitatively assess the security of networks, several methods have been proposed. Most of them use CVSS scores as the probability of successful vulnerability exploitation [6], [8], [9]. Among them, some approaches propagate the probabilities through the attack graph according to its conjunctive and disjunctive dependencies, like [10], [11] and [12], and others use the concept of Bayesian networks. The idea of using Bayesian networks to model network vulnerabilities and to determine a quantitative value representing the security of the network was first mentioned by Liu and Man [13]. After that, many approaches used Bayesian networks in their models [14], [15], [16].

Many risk mitigation methods have been adopted by researchers to determine a set of potential safeguards and the related security countermeasure implementation costs. In [18], exploit dependency graphs are used to compute minimum-cost hardening measures. In [19], the minimal set of attacks critical for reaching a goal is determined and then the minimal set of security measures that covers this set of attacks is found. These cost analysis techniques are useful, but they miss one major issue. The network security administrator often has to work within a given set of budget constraints that may preclude him from implementing all possible countermeasures, or even measures that cover all of the vulnerabilities. Therefore the network security administrator needs to find a trade-off between the cost of implementing a subset of the security countermeasures and the residual damage after the security decisions have been made.

The problem just mentioned was first formulated in [20] as a series of multi-objective optimization problems. The main shortcoming of this method is that it is static, while there is a dynamic aspect to the security planning process. For every attack, depending on what the contributing factors for the attack are and how they are changing, there is a probability of occurrence that may change during the lifetime of a network. This problem is solved in [6] by proposing the Bayesian attack graph. In particular, the authors adapted the notion of Bayesian networks to encode the contribution of different security conditions during system compromise and provided a platform for static and dynamic analysis of risks in networked systems.

The significant shortcoming of the aforementioned methods is that they do not provide an integrated platform which by itself contains all the information needed for risk mitigation, such as the existence of multiple security countermeasures covering a group of vulnerabilities, the cost of implementing the countermeasures and their related outcome.

In this paper, an extension of the Bayesian attack graph proposed in [6] is presented which enhances its usability for the risk mitigation phase. The proposed approach uses Bayesian decision networks instead of only Bayesian networks, so that security countermeasures can be modeled using decision nodes and their outcomes using the utility nodes provided by Bayesian decision networks.

IV. RISK ASSESSMENT USING BAYESIAN DECISION NETWORKS

In the proposed approach, network attacks are modeled using Bayesian decision networks. This network depicts the paths of multi-step attacks in the network, along with the security countermeasures preventing these attacks, their cost of implementation and their outcome. The probability of every path is calculated using Bayes' theorem. The probability of each single vulnerability in the graph is specified using the relevant CVSS metrics, and the probabilities of the internal nodes are calculated by propagating probabilities through the graph.

Most recent works only use the score of the base metric group of CVSS as the probability of successful vulnerability exploitation [8], [9], [5], without taking into account the factors that may change over time and affect the exploitation of vulnerabilities. These factors are considered in this study. In this paper, the probability of vulnerability exploitation is calculated using the relevant base and temporal metrics of CVSS and is propagated through the Bayesian attack graph. We have proposed a risk assessment method in [17] which considers the influence of different environments on the risk that a vulnerability poses to an organization. In this study, we assume that the network under assessment is independent of the environments.

As technology progresses and the tools for exploiting vulnerabilities become more available and easier to use, the exploitability of the vulnerabilities increases. This paper uses not only the base metrics of CVSS but also the temporal metrics, to consider the current situation of vulnerabilities and make a more precise security risk assessment.

In this section the steps of building the Bayesian attack graph are explained.

A. Bayesian attack graph of the network

Before building the Bayesian decision network, the Bayesian attack graph of the network must be generated. To generate a Bayesian attack graph for a network, several items are needed: first, the topology of the network including the hosts, their specifications and their connections; second, the vulnerabilities existing on each host. We have used MulVAL [21] to generate attack graphs.

B. Estimating the probability of vulnerability exploitation

In Bayesian attack graphs there are several paths from the entry points of the attacker to his goals. Every path consists of one or more vulnerabilities. The probability of each vulnerability is calculated using the selected relevant metrics from the base and temporal metrics of CVSS. The exploitability of each vulnerability is calculated as follows:

$Exploitability = 2 \times AV \times AC \times Au$ (4)

The exploitability value reflects only the inherent properties of vulnerabilities. To consider the temporal properties of vulnerabilities, which change over time, we also used the temporal category of CVSS metrics. These temporal metrics adjust the value of exploitability as follows:

$TP(v) = (E \times RL \times RC) \times Exploitability(v)$ (5)

where $TP$ denotes the temporal probability of each vulnerability $v$. $TP$ includes both the inherent and the temporal properties of vulnerabilities and is more precise because it takes into account the time at which the vulnerability is evaluated.

C. Conditional probability tables

In a Bayesian attack graph, each node has a conditional probability table (CPT). This table shows the probability of a node given the states of its parents. In the proposed network, the CPT of each node is generated as follows. The exploit which changes the state of the network from $X_i$ to $X_j$, for $X_i \in Pa[X_j]$, is called $e_{ij}$. The conditional probability distribution function of $X_j$ is $\Pr(X_j \mid Pa[X_j])$, defined as follows.

If the relation between the incoming edges to node $X_j$ is AND, the product rule is used:

$\Pr(X_j \mid Pa[X_j]) = \begin{cases} 0, & \exists X_i \in Pa[X_j],\ X_i = 0; \\ \prod_{X_i \in Pa[X_j]} TP(e_{ij}), & \text{otherwise.} \end{cases}$ (6)

If the relation between the incoming edges to node $X_j$ is OR, the noisy-OR operator is used [13]:

$\Pr(X_j \mid Pa[X_j]) = \begin{cases} 0, & \forall X_i \in Pa[X_j],\ X_i = 0; \\ 1 - \prod_{X_i \in Pa[X_j],\ X_i = 1} [1 - TP(e_{ij})], & \text{otherwise.} \end{cases}$ (7)

V. RISK MITIGATION USING BAYESIAN DECISION NETWORKS

In the risk management framework, the next step after risk assessment is risk mitigation. In the risk mitigation process, the security countermeasures to be applied to vulnerabilities are prioritized, which leads to a more secure network. In this paper, Bayesian decision networks are used to model the security countermeasures and their properties. Bayesian decision networks provide an integrated approach to be used in the security risk mitigation phase. Using decision networks, security administrators are able to model the effects of combining multiple security countermeasures that cover a vulnerability and of a single security countermeasure which covers multiple vulnerabilities, the implementation cost of the countermeasures, and the outcome of applying a countermeasure, or even a combination of countermeasures, to a vulnerability.

So far, the probabilities of exploiting vulnerabilities have been calculated using the methods proposed in the previous section. This section describes how to build a Bayesian decision network for a network under assessment and how to use it to infer the optimal set of security countermeasures in the risk mitigation phase.

A. Building Bayesian decision networks

As mentioned before, a Bayesian decision network is an extension of a Bayesian attack graph with additional node types for actions and utilities. Therefore, to build a Bayesian decision network, the Bayesian attack graph of the network must first be generated as described above.

In order to convert a Bayesian attack graph to a Bayesian decision network, two types of nodes must be added in the appropriate positions. The first are the decision nodes. These nodes must be added wherever there are security countermeasures covering a vulnerability, with arcs pointing to that vulnerability. These nodes contain the choices among the available countermeasures covering the vulnerability.

The second are the utility nodes, which have utility tables. Each decision made has an impact on the affected vulnerabilities; this impact is quantified using utility tables. Therefore the incoming arcs to each utility node come from the chance node representing a vulnerability and from the decision nodes covering that chance node.

Fig. 1 shows the Bayesian decision network for the test network shown in Fig. 2. In this network, attacker exploits are shown as ovals, with edges for their preconditions and postconditions. Security countermeasures covering vulnerabilities are shown as rectangles, and utility nodes are represented as hexagons.

Fig. 1. Bayesian decision network of the test network shown in Fig. 2

After the decision network is built, it is possible to propagate the probabilities of vulnerability exploitation and to infer the optimal set of security countermeasures to mitigate the risks caused by these vulnerabilities. This process is described in the next two sections.

B. Probability propagation in the Bayesian decision networks

In Bayesian decision networks, threat sources are shown as external nodes. The probability of an external node is estimated by the network administrator, who is aware of the probable threat sources and can assess the power of potential attackers. This probability is unconditional and is called the prior probability.

Some vulnerabilities are preconditions for the exploitation of other vulnerabilities, so successful exploitation of these preconditions makes the network states required by the other exploits more probable. In other words, the probability of each node is affected by the probability of its causal parents. Moreover, the security countermeasures implemented on each asset also affect the exploitation probabilities of its vulnerabilities. These effects are encoded in the CPTs of the chance nodes. The prior probabilities are propagated using the CPTs and Bayes' theorem (Equation 2), and hence the unconditional probabilities of the internal nodes are calculated.

A network may experience different attacks or changes during its lifetime. The unconditional probabilities of the chance nodes change whenever evidence is observed in the network. For example, if an attack succeeds in exploiting the vulnerability of a chance node, the probability of that node is changed to 1. Or, if a countermeasure is applied to remedy the vulnerability of a chance node, its probability is reduced according to that countermeasure's coverage. When evidence is observed and the probability of a chance node is modified, the effect of this change must be computed on the probabilities of its descendants and also of its ancestors. For this modification of probabilities, the changes in node states are propagated through the Bayesian decision network in two ways:

Forward propagation: for the descendants of the affected node, which are affected directly by the evidence. This modification is done using Equation (2), as described above for propagating the prior probabilities of the external nodes.

Backward propagation: for the ancestors of the affected node, by obtaining their posterior probability after observing the evidence $e$ using Equation (8).

$\Pr(X_i \mid e) = \dfrac{\Pr(e \mid X_i) \times \Pr(X_i)}{\Pr(e)}$ (8)

C. Inferring the optimal set of security countermeasures

A security countermeasure is a preventive measure that reduces the exploitability of the affected vulnerabilities so as to prevent an attacker from reaching his goals. In this study, the security countermeasures are defined as Bernoulli random variables, with the true state signifying that the countermeasure is implemented and the false state signifying that it is not. Each security countermeasure $i$ also has an associated cost of implementation ($C_i$). A security risk mitigation plan is a Boolean vector $\vec{T}$ representing which countermeasures ($T_i$) have been chosen for enforcement as part of the network security hardening process. Therefore the total cost of each security mitigation plan (Mitigation Plan Cost, MPC) can be calculated using Equation (9):

$MPC(\vec{T}) = \sum_{i} T_i \cdot C_i$ (9)

In order to defend against network attacks, a security administrator can choose to implement a variety of countermeasures, i.e. security mitigation plans, each of which comes with a different cost and coverage. So he needs to make a decision toward maximum resource utilization. Hence the expected utility (EU) value of each plan is considered in this study, and the plan with the highest expected utility is desired. But as the budget for risk mitigation is usually limited, it is not possible to eliminate all the risks in a network by implementing all security countermeasures, so the cost of implementing each plan must be considered too. The two factors considered in this study are the mitigation plan cost (MPC) and the expected utility (EU) of each plan. In the case of a budget limitation, the desired plan is the one with the highest expected utility among those whose implementation cost is lower than the limited budget.

In the next section, we conduct experiments on a test network to find the best security risk mitigation plan. Then it is assumed that the allocated budget for network security hardening is limited, and the best plan(s) under this limitation are determined.

VI. EXPERIMENTAL RESULTS

The proposed approach is applied to the test network shown in Fig. 2. The hosts in this network are located within two subnets. The DMZ subnet contains the web server and is accessible to the public through a firewall. The second subnet consists of the SQL server and several local desktops; it is the trusted zone, so access from external sources is restricted. A tri-homed DMZ firewall is installed with policies to ensure that the web server is separated from the local network. The firewall prevents remote access to internal hosts. In order to accommodate the web service's transactions, the web server is allowed to send SQL queries to the SQL server. Several local machines are located behind the firewall and their communications are delivered through the gateway server. In addition, the remote desktop service of all local desktops is enabled to facilitate remote operations for employees working from remote sites.

Fig. 2. Topology of the test network for performing experiments

A list of all vulnerabilities in this network with their CVE numbers [22] is given in Table I. In this table, the probability of each vulnerability considering its temporal characteristics is computed using Equation (5) and the CVSS metric values obtained from the NVD database [23].

TABLE I. LIST OF VULNERABILITIES IN TEST NETWORK

Host | Vulnerability | CVE # | Exploitability | Temporal Probability
Web server | IIS vulnerability in WebDAV service | CVE-2009-1535 | 0.49 | 0.4422
Web server | Improper cookie handler in OpenSSH | CVE-2007-4752 | 1 | 0.7438
Gateway server | Remote login | CA-1996-83 | 0.39 | 0.3335
Local desktops | LICQ Buffer Overflow (BOF) | CVE-2001-0439 | 1 | 0.855
Local desktops | MS Video ActiveX Stack BOF | CVE-2008-0015 | 0.86 | 0.7761
SQL server | SQL Injection | CVE-2008-5416 | 0.8 | 0.6264

The security countermeasures covering the network vulnerabilities, their cost of implementation, their outcome (gained by avoiding the damage of vulnerability exploitation) and their net benefit (outcome minus cost) are listed in Table II.

TABLE II. LIST OF COUNTERMEASURES COVERING VULNERABILITIES

Security Countermeasure | Coverage | Cost | Outcome | Net benefit
C1: Apply OpenSSH security patch | CVE-2007-4752 | 63 | 785.89 | 722.89
C2: Apply MS workaround | CVE-2008-0015 | 14 | 580.45 | 566.45
C3: Filtering external traffic | CA-1996-83, CVE-2009-1535 | 70 | 586.84 | 516.84
C4: Disable WebDAV | CVE-2009-1535 | 250 | 473.90 | 223.90
C5: Apply MS09-004 workaround | CVE-2008-5416 | 31 | 239.10 | 208.10
C6: Add firewall | CVE-2001-0439 | 205 | 259.15 | 54.15
C7: Query restriction | CVE-2008-5416 | 84 | 59 | -25.00
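As an added worked example (not code from the paper or its authors), the following Python carries the risk assessment computations of Sections IV.B, IV.C and V.B through on concrete numbers: Equations (4) and (5) for the first row of Table I, the AND and noisy-OR conditional probability tables of Equations (6) and (7), and probability propagation over a small attack graph, forward from the prior of the external node and backward via Equation (8) once evidence is observed on a descendant. The CVSS metric weights are those of the CVSS v2 guide the paper cites as [2]. The metric vector used for CVE-2009-1535, the five-node graph topology and the 0.8 prior of the attacker node are assumptions made for the illustration (they are not the paper's Fig. 1 nor NVD data); the exploit probabilities on the edges reuse the temporal probabilities of Table I.

```python
from itertools import product

# CVSS v2 metric weights (from the CVSS v2 guide, reference [2] of the paper).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
EXPLOITABILITY_T = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def exploitability(av, ac, au):
    """Eq. (4): 2 * AV * AC * Au, i.e. the CVSS v2 exploitability subscore
    (20 * AV * AC * Au) scaled from [0, 10] to [0, 1].  Rounded to two
    decimals, the precision Table I reports."""
    return round(2 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au], 2)


def temporal_probability(expl, e, rl, rc):
    """Eq. (5): TP(v) = (E * RL * RC) * Exploitability(v), four decimals as in Table I."""
    return round(EXPLOITABILITY_T[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc] * expl, 4)


def cpt_and(parent_states, tps):
    """Eq. (6): AND node.  Zero if any parent is not compromised, otherwise the
    product of the TP of every incoming exploit."""
    if any(s == 0 for s in parent_states):
        return 0.0
    p = 1.0
    for tp in tps:
        p *= tp
    return p


def cpt_or(parent_states, tps):
    """Eq. (7): noisy-OR node.  Zero if no parent is compromised, otherwise
    1 - prod over the compromised parents of (1 - TP)."""
    if all(s == 0 for s in parent_states):
        return 0.0
    p = 1.0
    for s, tp in zip(parent_states, tps):
        if s == 1:
            p *= 1.0 - tp
    return 1.0 - p


# Constructed toy attack graph (assumed topology, not the paper's Fig. 1).
# Edge values are TPs from Table I; the 0.8 prior of the attacker node is assumed.
NETWORK = {
    "attacker": {"type": "prior", "p": 0.8},
    "web":      {"type": "or",  "parents": {"attacker": 0.4422}},   # CVE-2009-1535
    "gateway":  {"type": "or",  "parents": {"attacker": 0.3335}},   # CA-1996-83
    "desktop":  {"type": "and", "parents": {"web": 0.7761, "gateway": 0.855}},
    "sql":      {"type": "or",  "parents": {"web": 0.6264, "gateway": 0.855}},
}
ORDER = ["attacker", "web", "gateway", "desktop", "sql"]  # parents before children


def joint_probability(states):
    """Eq. (1): chain rule over the CPTs for one full assignment of node states."""
    p = 1.0
    for node in ORDER:
        spec = NETWORK[node]
        if spec["type"] == "prior":
            p_true = spec["p"]
        else:
            names = list(spec["parents"])
            parent_states = [states[n] for n in names]
            tps = [spec["parents"][n] for n in names]
            p_true = cpt_and(parent_states, tps) if spec["type"] == "and" else cpt_or(parent_states, tps)
        p *= p_true if states[node] == 1 else 1.0 - p_true
    return p


def probability(node, evidence=None):
    """Pr(node = 1 | evidence) by summing the joint distribution (exact, fine for a
    toy graph).  Without evidence this is forward propagation of the priors; with
    evidence on a descendant it is the backward update of Eq. (8), Bayes' theorem."""
    evidence = evidence or {}
    num = den = 0.0
    for combo in product((0, 1), repeat=len(ORDER)):
        states = dict(zip(ORDER, combo))
        if any(states[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(states)
        den += p
        if states[node] == 1:
            num += p
    return num / den


if __name__ == "__main__":
    # Reproduces the first row of Table I with an assumed vector AV:N/AC:H/Au:N, E:F/RL:W/RC:C.
    ex = exploitability("N", "H", "N")
    print("Exploitability", ex, "TP", temporal_probability(ex, "F", "W", "C"))
    for n in ORDER:
        print(n, round(probability(n), 4))
    print("Pr(web | sql compromised) =", round(probability("web", {"sql": 1}), 4))
```

Observing that the SQL server has been compromised raises the belief that the web server was the stepping stone from 0.354 to about 0.671, which is the backward propagation the text describes; forcing a node to 1 after a confirmed exploit is the same call with that node in the evidence dictionary.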

TABLE II.

LIST OF COUNTERMEASURES COVERING VULNERABILITIES

Security Countermeasure C1- Apply OpenSSH security patch C2- Apply MS workaround C3- Filtering external traffic C4- Disable WebDAV C5- Apply MS09-004 workaround C6- Add firewall C7- Query restriction

Coverage

Cost

Outcome

Net benefit

CVE 2007-4752

63

785.89

722.89

CVE 2008-0015 CA 1996-83, CVE 2009-1535 CVE 2009-1535

14

580.45

566.45

70

586.84

516.84

250

473.90

223.90

CVE 2008-5416

31

239.10

208.10

CVE 2001-0439 CVE 2008-5416

205 84

259.15 59

54.15 -25.00


Using the junction tree clustering algorithm implemented in the GeNIe software package [24], the expected utility of every security risk mitigation plan is computed; the results are shown in Fig. 3. The diagram shows that the highest expected utility (2745.75) is reached by implementing all countermeasures except C7, at an overall cost of 633 units.


Fig. 3. The expected utility versus implementation cost of all possible security risk mitigation plans

If the budget allocated for network security hardening is limited, only plans whose overall implementation cost is lower than the allocated budget need to be evaluated. This prunes the decision tree, because many solutions are never generated. For example, if the allocated budget is 400 units, the expected utility of mitigation plans with implementation costs above 400 units is not calculated. In this case, the highest expected utility (2486 units) is reached by implementing {C1, C2, C3, C4}, at an overall cost of 397 units. Implementing {C1, C2, C5, C6, C7} also costs 397 units, but the resulting expected utility is only 1446 units.
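The budget-constrained plan selection described above, as an added example that is not part of the paper: the code enumerates every Boolean plan vector over the seven countermeasures of Table II, computes MPC with Equation (9), prunes plans whose cost exceeds the budget before their utility is evaluated, and returns the feasible plan with the highest expected utility. The paper's utilities come from the full decision network evaluated in GeNIe, which is not reproduced here; the expected utility below is therefore computed with a constructed flat model (the per-vulnerability losses in VULNERABILITIES and the coverage fractions in COVERAGE are hypothetical values chosen for the illustration), so the utilities it prints differ from Fig. 3. The coverage sets, the costs, and the 633 and 397 plan costs are the paper's.

```python
from itertools import product

# Countermeasures of Table II: name -> (covered vulnerabilities, implementation cost C_i).
COUNTERMEASURES = {
    "C1": ({"CVE-2007-4752"}, 63),
    "C2": ({"CVE-2008-0015"}, 14),
    "C3": ({"CA-1996-83", "CVE-2009-1535"}, 70),
    "C4": ({"CVE-2009-1535"}, 250),
    "C5": ({"CVE-2008-5416"}, 31),
    "C6": ({"CVE-2001-0439"}, 205),
    "C7": ({"CVE-2008-5416"}, 84),
}

# Constructed stand-in for the utility tables: temporal probabilities from Table I
# paired with an ASSUMED loss (in the paper's cost units) if the vulnerability is
# exploited, and an ASSUMED fraction of the exploitation probability that each
# countermeasure removes.  Not the paper's GeNIe junction-tree utilities.
VULNERABILITIES = {
    "CVE-2009-1535": (0.4422, 1200),
    "CVE-2007-4752": (0.7438, 1100),
    "CA-1996-83":    (0.3335, 900),
    "CVE-2001-0439": (0.855,  400),
    "CVE-2008-0015": (0.7761, 800),
    "CVE-2008-5416": (0.6264, 500),
}
COVERAGE = {"C1": 0.95, "C2": 0.9, "C3": 0.8, "C4": 1.0, "C5": 0.7, "C6": 0.6, "C7": 0.2}


def plan(*names):
    """Boolean plan vector T (name -> 0/1) from the names of the chosen countermeasures."""
    return {n: int(n in names) for n in COUNTERMEASURES}


def mitigation_plan_cost(plan_vector):
    """Eq. (9): MPC(T) = sum_i T_i * C_i."""
    return sum(cost for name, (_, cost) in COUNTERMEASURES.items() if plan_vector[name])


def expected_utility(plan_vector):
    """Expected damage avoided by the plan minus its cost (assumed flat model).
    Several countermeasures on one vulnerability compound multiplicatively, so
    each additional one on the same vulnerability buys less than the first."""
    avoided = 0.0
    for cve, (tp, loss) in VULNERABILITIES.items():
        residual = tp
        for name, chosen in plan_vector.items():
            if chosen and cve in COUNTERMEASURES[name][0]:
                residual *= 1.0 - COVERAGE[name]
        avoided += loss * (tp - residual)
    return avoided - mitigation_plan_cost(plan_vector)


def best_plan(budget=None):
    """Enumerate all 2^n plans.  With a budget, over-budget plans are skipped before
    their utility is evaluated, which is the pruning described in Section VI.
    Returns (set of chosen countermeasures, expected utility, MPC)."""
    best = None
    for bits in product((0, 1), repeat=len(COUNTERMEASURES)):
        candidate = dict(zip(COUNTERMEASURES, bits))
        cost = mitigation_plan_cost(candidate)
        if budget is not None and cost > budget:
            continue
        eu = expected_utility(candidate)
        if best is None or eu > best[1]:
            best = (frozenset(n for n, c in candidate.items() if c), eu, cost)
    return best


if __name__ == "__main__":
    print("all but C7 costs", mitigation_plan_cost(plan("C1", "C2", "C3", "C4", "C5", "C6")))
    print("unconstrained best:", best_plan())
    print("best within 400 units:", best_plan(400))
```

With seven countermeasures the search space is 128 plans, so exhaustive enumeration is cheap; the budget check is placed before the utility evaluation because in the paper that evaluation is a full inference over the decision network and is the expensive part.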


VII. CONCLUSION AND FUTURE WORK

This paper presents a method to quantitatively assess and mitigate the risk of exploiting vulnerabilities in a given network. In the presented method, both the inherent and the temporal properties of vulnerabilities are considered when estimating the probability of successful exploitation, which results in a more accurate estimate based on the time of evaluation. Moreover, by using Bayesian decision networks, it is possible to model the existence of multiple countermeasures with different costs and effects for mitigating vulnerabilities. Therefore network security administrators can identify and select the optimal set of countermeasures for risk mitigation within a specified budget.


REFERENCES

[1] P. M. Chawan, J. Patil, and R. Naik, "Software Risk Management," International Journal of Advances in Engineering Sciences, vol. 3, pp. 17-21, 2013.


[2] P. Mell, K. Scarfone, and S. Romanosky, "A complete guide to the Common Vulnerability Scoring System version 2.0," FIRST - Forum of Incident Response and Security Teams, pp. 1-23, 2007.
[3] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217-224, 2002.
[4] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," in Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 273-284, 2002.
[5] L. Gallon and J.-J. Bascou, "CVSS attack graphs," in Signal-Image Technology and Internet-Based Systems (SITIS), 2011 Seventh International Conference on, pp. 24-31, 2011.
[6] N. Poolsappasit, R. Dewri, and I. Ray, "Dynamic security risk management using Bayesian attack graphs," IEEE Transactions on Dependable and Secure Computing, vol. 9, pp. 61-74, 2012.
[7] S. Russell and P. Norvig, Artificial Intelligence: A Modern Approach, Prentice Hall, 2009.
[8] P. Cheng, L. Wang, S. Jajodia, and A. Singhal, "Aggregating CVSS base scores for semantics-rich network security metrics," in Reliable Distributed Systems (SRDS), 2012 IEEE 31st Symposium on, pp. 31-40, 2012.
[9] C. Wang, Y. Wang, Y. Dong, and T. Zhang, "A novel comprehensive network security assessment approach," in Communications (ICC), 2011 IEEE International Conference on, pp. 1-6, 2011.
[10] S. Noel, S. Jajodia, L. Wang, and A. Singhal, "Measuring security risk of networks using attack graphs," International Journal of Next-Generation Computing, vol. 1, pp. 135-147, 2010.
[11] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An attack graph-based probabilistic security metric," in Data and Applications Security XXII, Springer, 2008, pp. 283-296.
[12] N. Ghosh and S. K. Ghosh, "An approach for security assessment of network configurations using attack graph," in Networks and Communications, 2009. NETCOM'09. First International Conference on, pp. 283-288, 2009.
[13] Y. Liu and H. Man, "Network vulnerability assessment using Bayesian networks," in Defense and Security, pp. 61-71, 2005.
[14] M. Frigault and L. Wang, "Measuring network security using Bayesian network-based attack graphs," IEEE, 2008.
[15] P. Xie, J. H. Li, X. Ou, P. Liu, and R. Levy, "Using Bayesian networks for cyber security analysis," in Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on, pp. 211-220, 2010.
[16] N. Feng, H. J. Wang, and M. Li, "A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis," Information Sciences, vol. 256, pp. 57-73, 2014.
[17] M. Khosravi-Farmad, R. Rezaee, and A. Ghaemi Bafghi, "Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment," in Information Security and Cryptology (ISCISC), 2014 11th International ISC Conference on, 2014.
[18] S. Noel, S. Jajodia, B. O'Berry, and M. Jacobs, "Efficient minimum-cost network hardening via exploit dependency graphs," in Computer Security Applications Conference, 2003. Proceedings. 19th Annual, pp. 86-95, 2003.
[19] S. Jha, O. Sheyner, and J. Wing, "Two formal analyses of attack graphs," in Computer Security Foundations Workshop, 2002. Proceedings. 15th IEEE, pp. 49-63, 2002.
[20] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, "Optimal security hardening using multi-objective optimization on attack tree models of networks," in Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 204-213, 2007.
[21] X. Ou, S. Govindavajhala, and A. W. Appel, "MulVAL: A logic-based network security analyzer," in 14th USENIX Security Symposium, pp. 1-16, 2005.
[22] "Common Vulnerabilities and Exposures," http://www.cve.mitre.org, 2014.
[23] "National Vulnerability Database," http://www.nvd.org, 2014.
[24] "The GeNIe 2.0 (Graphical Network Interface) software package," http://genie.sis.pitt.edu/, 2004.

Network Security Risk Mitigation Using Bayesian Decision Networks Masoud Khosravi-Farmad1, Razieh Rezaee2, Ahad Harati3, and Abbas Ghaemi Bafghi4 1,2,4

Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran [email protected], [email protected], [email protected] 3 Computer Engineering Department, Faculty of Eng., Ferdowsi University of Mashhad, Mashhad, Iran [email protected]

focus on individual vulnerabilities and do not consider the interactions between them. This is important because when an attacker wants to compromise a network, he generally exploits sequences of related vulnerabilities. Such attacks are called multi-step attacks. Attack graphs are powerful tools that can demonstrate possible multi-step attacks which enable the attacker to achieve a particular goal [3] and [4].

Abstract- Network security risk assessment and mitigation are two processes in the risk management framework which need to be done accurately to improve the overall security level of a network. In this paper, in order to increase the accuracy of vulnerability exploitation probability estimation in the risk assessment phase, in addition to inherent characteristics of vulnerabilities, their temporal characteristics are also considered. In the risk mitigation phase, Bayesian decision networks are used to model interconnections between vulnerabilities that enable the attacker to achieve a particular goal, the security countermeasures covering these vulnerabilities, their cost of implementation and resulted outcome. Using Bayesian decision networks, our approach yields scalability and integration of risk assessment and mitigation processes. A cost-benefit analysis is done to identify the minimum-cost hardening security measures in situations where the allocated budget for network security hardening is limited. The experimental results show that the proposed method effectively improves the security level of a test network in terms of determining the optimal security risk mitigation plans.

Keywords—Security risk mitigation; Bayesian decision networks; Attack graphs; Vulnerability; CVSS framework

I. INTRODUCTION

In today's complex networked environments, one of the main objectives of network security administrators is to assess the risk to their systems and to defend their networks against potential attacks by determining the best possible set of security hardening options; this is done during the security risk management activity.

Security risk management involves identification, analysis and mitigation of the possible risks to a system [1]. The goal of security risk management is minimizing or eliminating potential risks in the system. To manage the risks, they must be identified before they adversely affect the system. Conversion of risk data into risk decision-making information is done in the risk analysis phase. In this step, identified risks are ranked by assessing the probability and severity of the loss for each risk. Risk mitigation includes prioritizing and selecting the most critical risks to address. It defines how risk reduction will be conducted in a particular system by defining risk-reduction activities. Risk mitigation produces a situation in which the risk items are eliminated or otherwise resolved. There are several techniques for identifying and measuring the characteristics of individual vulnerabilities, such as the Common Vulnerability Scoring System (CVSS) [2], but the major limitation of these techniques is that they only

One of the main drawbacks of attack graphs is that they give no information about the probability of exploiting multi-step attacks [5], which is needed for risk analysis. It is therefore difficult to assess the damage caused by multi-step attacks on the network hosts using attack graphs alone, so attack graphs by themselves cannot be efficient for risk analysis, and other methods must be used beside them to overcome these limitations. Bayesian networks are powerful tools that can represent information about the probability of exploiting multi-step attacks. With slight changes, Bayesian networks can be converted to Bayesian Attack Graphs (BAGs) [6], so all possible multi-step attacks can be demonstrated by using them. Also, by employing Bayesian network concepts on the attack graphs, it is possible to capture uncertainties about attacker actions. The main shortcoming of the Bayesian attack graphs proposed in [6] is that they do not provide any information about possible security countermeasures, their coverage, implementation cost and expected outcome, which are needed in the security risk mitigation phase.

In this paper, Bayesian decision networks are used to model the network attacks, so in addition to demonstrating all possible multi-step attacks and capturing uncertainties about attacker actions, it is possible to model the characteristics of the different security countermeasures for performing risk mitigation. Using Bayesian decision networks allows network security administrators to define the countermeasures covering vulnerabilities, the cost of implementing them and the outcome of their coverage. The contributions of this paper are as follows:

1) The main contribution of this paper is using Bayesian decision networks to modify and enhance Bayesian attack graphs so that risk mitigation becomes possible in an integrated manner.

2) We have conducted a cost-benefit analysis compatible with Bayesian decision networks, so it is possible for network security administrators to identify the optimal subset of security countermeasures even if the allocated budget for securing the network is limited.

3) The probability of exploiting a vulnerability may change over time, depending on the availability of information about the vulnerability. In this paper these changes are handled by considering the temporal characteristics of vulnerabilities, so the result is more accurate than that of methods which ignore them.

The rest of the paper is organized as follows: the next section reviews relevant concepts of Bayesian networks, Bayesian attack graphs, Bayesian decision networks and the CVSS framework. Section III presents a brief review of related work. Sections IV and V present the proposed method for risk assessment and risk mitigation. Results of applying the proposed method to a test network are presented in Section VI. The last section concludes the paper.

II. PRELIMINARIES

The concepts used in this paper are Bayesian networks, Bayesian attack graphs, Bayesian decision networks and the CVSS framework, which are briefly explained in this section.

A. Bayesian Networks

A Bayesian network is a directed acyclic graph (DAG) in which each node corresponds to a random variable and arcs represent conditional independencies among them. Each node has a conditional probability distribution that quantifies the effect of the parents on the node [7].

Given a set of random variables X = \{X_1, \dots, X_n\} in a Bayesian network, the joint probability of all the variables is given by the chain rule as

P(X_1, \dots, X_n) = \prod_{i=1}^{n} P(X_i \mid Pa(X_i))   (1)

where Pa(X_i) denotes the specific values of the variables in the parent nodes of X_i. In Bayesian networks, probabilistic beliefs about the strength of the connections are updated as new information becomes available using Bayes' theorem:

P(A \mid B) = \frac{P(A) \, P(B \mid A)}{P(B)}   (2)

where P(A \mid B) is the posterior probability, P(A) is the prior probability, P(B \mid A) is the probability of the observed information B given a particular event A, and P(B) is the unconditional probability of B occurring.

B. Bayesian Attack Graph

A Bayesian attack graph is a tuple BAG = (N, E, R, P), where N denotes the set of nodes, which are divided into three categories: terminal nodes, which are end points in the attack graph; internal nodes; and external nodes, which are entry points of the attack graph [6]. The set of ordered pairs E reflects the edges of the graph. R represents the relation between the edges entering a node, with possible values {AND, OR}. P is a set of conditional probability distributions representing the values of Pr(X_i \mid Pa(X_i)). In a Bayesian attack graph, each node has a conditional probability table (CPT) which specifies the chance of the node being compromised, given different combinations of the states of its parents.

C. Bayesian Decision Networks

A decision network combines a Bayesian network with additional node types for actions and utilities [7]. Therefore a decision network consists of three types of nodes: 1) chance nodes, which represent random variables, exactly as in Bayesian networks; 2) decision nodes, which represent points where the decision maker has a choice of actions; and 3) utility nodes, which represent the agent's utility function.

The utility node represents the expected utility EU(a \mid e) associated with each action a given the evidence e, as defined by

EU(a \mid e) = \sum_{s} P(s \mid e, a) \, U(s \mid a)   (3)

where e is the available evidence, a is an action with possible outcome states s, U(s \mid a) is the utility of each of the outcome states given that action a is taken, and P(s \mid e, a) is the conditional probability distribution over the possible outcome states, given that evidence e is observed and action a is taken.

D. CVSS Framework

The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the severity level of IT vulnerabilities. It consists of three metric groups: Base, Temporal and Environmental. Each group produces a numeric score ranging from 0 to 10 [2].

The Base metrics quantify the intrinsic characteristics of a vulnerability. The base exploitability subscore is composed of the access vector (AV), access complexity (AC) and authentication instances (Au) metrics. The Temporal metrics quantify the characteristics of a vulnerability that change over time. These metrics measure the current state of exploit tools and techniques (E), the remediation level of the vulnerability (RL) and the report confidence (RC). The Environmental metrics capture the characteristics of a vulnerability that are associated with a particular user's IT environment.

III. RELATED WORKS

Measuring various aspects of network security plays an important role in protecting networks against malicious intrusions. Over time, several approaches have been proposed to qualitatively assess network security based on attack graphs, but the main problem is that the qualitative nature of attack graph analysis is imprecise. Assessing the overall security of a network requires a thorough understanding of the interconnections between host vulnerabilities. Such an understanding is difficult to obtain with qualitative methods, so quantitative analysis is desirable.

In order to quantitatively assess the security of networks, several methods have been proposed. Most of them use CVSS scores as the probability of successful vulnerability exploitation [6], [8] and [9]. Among them, some approaches propagate the probabilities through the attack graph according to its conjunctive and disjunctive dependencies, such as [10], [11] and [12], and others use the concept of Bayesian networks. The idea of using Bayesian networks to model network vulnerabilities and to determine a quantitative value representing the security of the network was first proposed by Liu and Man [13]. After that, many approaches used Bayesian networks in their models [14], [15] and [16].

Most recent works only use the score of the CVSS base metric group as the probability of successful vulnerability exploitation [8], [9] and [5], without taking into account the factors that change over time and affect the exploitation of vulnerabilities. These factors are considered in this study: the probability of vulnerability exploitation is calculated using the relevant base and temporal metrics of CVSS and is propagated through the Bayesian attack graph. We have proposed a risk assessment method in [17] which considers the influence of different environments on the risk that a vulnerability poses to an organization. In this study, we assume that the network under assessment is independent of the environment.

Many risk mitigation methods have been adopted by researchers to determine a set of potential safeguards and the related security countermeasure implementation costs. In [18], exploit dependency graphs are used to compute minimum-cost hardening measures. In [19], the minimal set of attacks critical for reaching a goal is determined, and then the minimal set of security measures that covers this set of attacks is found. These cost analysis techniques are useful, but they miss one major issue: the network security administrator often has to work within a given set of budget constraints that may preclude him from implementing all possible countermeasures, or even the measures that cover all of the vulnerabilities. Therefore the network security administrator needs to find a trade-off between the cost of implementing a subset of security countermeasures and the residual damage after the security decisions have been made.

This problem was first formulated in [20] as a series of multi-objective optimization problems. The main shortcoming of that method is that it is static, while there is a dynamic aspect to the security planning process: for every attack, depending on what the contributing factors for the attack are and how they are changing, there is a probability of occurrence that may change during the lifetime of a network. This problem is solved in [6] by proposing the Bayesian attack graph. In particular, the authors adapted the notion of Bayesian networks to encode the contribution of different security conditions during system compromise, and provided a platform for static and dynamic analysis of risks in networked systems.

The significant shortcoming of the aforementioned methods is that they do not provide an integrated platform which by itself contains all the information needed for risk mitigation, such as the existence of multiple security countermeasures covering a group of vulnerabilities, the cost of implementing the countermeasures and their related outcome.

In this paper, an extension of the Bayesian attack graph proposed in [6] is presented which enhances its usability for the risk mitigation phase. The proposed approach uses Bayesian decision networks instead of plain Bayesian networks, so that security countermeasures can be modeled using decision nodes and their outcome using utility nodes, both provided by Bayesian decision networks.

IV. RISK ASSESSMENT USING BAYESIAN DECISION NETWORKS

In the proposed approach, network attacks are modeled using Bayesian decision networks. This graph depicts the paths of multi-step attacks in the network, along with the security countermeasures preventing these attacks, their cost of implementation and their outcome. The probability of every path is calculated using Bayes' theorem. The probability of each single vulnerability in the graph is specified using the relevant CVSS metrics, and the probabilities of the internal nodes are calculated by propagating probabilities through the graph.

As technology progresses and the tools for exploiting vulnerabilities become more available and easier to use, the exploitability of vulnerabilities increases. This paper uses not only the base metrics of CVSS but also the temporal metrics, to consider the current situation of vulnerabilities and make a more precise security risk assessment.

In this section the steps of building the Bayesian attack graph are explained.

A. Bayesian attack graph of the network

Before building the Bayesian decision network, the Bayesian attack graph of the network must be generated. To generate a Bayesian attack graph for a network, several items are needed: first, the topology of the network, including the hosts, their specifications and their connections; second, the vulnerabilities existing on each host. We have used MulVAL [21] to generate attack graphs.

B. Estimating the probability of vulnerability exploitation

In Bayesian attack graphs there are several paths from the attacker's entry points to his goals. Every path consists of one or more vulnerabilities. The probability of each vulnerability is calculated using the selected relevant metrics from the base and temporal metrics of CVSS.

The exploitability of each vulnerability is calculated as follows:

Exploitability(v) = 2 \times AV \times AC \times Au   (4)

The exploitability value reflects only the inherent properties of a vulnerability. To consider the temporal properties of vulnerabilities, which change over time, we also use the temporal category of CVSS metrics. These temporal metrics adjust the exploitability value as follows:

TP(v) = (E \times RL \times RC) \times Exploitability(v)   (5)

where TP indicates the temporal probability of each vulnerability. TP includes both the inherent and the temporal properties of a vulnerability and is more precise because it takes into account the time at which the vulnerability is evaluated.
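The following added example (not the authors' code) implements Equations (4) and (5) with the CVSS v2 metric values and a small parser for NVD-style vector strings. The paper does not list the metric vectors of the vulnerabilities in Table I, so the vectors below are constructed; they are chosen so that each reproduces one (Exploitability, TP) pair from Table I.

```python
# CVSS v2 metric values (from the CVSS v2 specification [2]). Eq. (4) scales the
# exploitability subscore by 2 instead of the specification's 20, so that the
# result lies in [0, 1]. Added example; not the authors' code.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                       # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                        # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                       # authentication instances
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}   # exploitability (temporal)
RL = {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0}  # remediation level
RC = {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0}             # report confidence
GROUPS = {"AV": AV, "AC": AC, "Au": AU, "E": E, "RL": RL, "RC": RC}


def parse_vector(vector):
    """Parse a CVSS v2 vector such as 'AV:N/AC:L/Au:N/E:POC/RL:OF/RC:UR' into a
    dict of metric -> value. Temporal metrics may be omitted (NVD base-only
    vectors); they then default to ND, which the specification scores as 1.0."""
    values = {"E": 1.0, "RL": 1.0, "RC": 1.0}
    for item in vector.split("/"):
        name, _, level = item.partition(":")
        if name not in GROUPS or level not in GROUPS[name]:
            raise ValueError("unknown CVSS v2 metric %r" % item)
        values[name] = GROUPS[name][level]
    missing = {"AV", "AC", "Au"} - set(values)
    if missing:
        raise ValueError("vector lacks base metrics: %s" % sorted(missing))
    return values


def exploitability(vector):
    """Eq. (4): Exploitability = 2 * AV * AC * Au, rounded to two decimals as
    Table I reports it."""
    v = parse_vector(vector)
    return round(2 * v["AV"] * v["AC"] * v["Au"], 2)


def temporal_probability(vector):
    """Eq. (5): TP = (E * RL * RC) * Exploitability."""
    v = parse_vector(vector)
    return v["E"] * v["RL"] * v["RC"] * exploitability(vector)


# Constructed vectors (the paper does not give the metric vectors of its CVEs);
# each reproduces one (Exploitability, TP) pair of Table I.
SAMPLES = {
    "network, low complexity, proof-of-concept exploit": "AV:N/AC:L/Au:N/E:POC/RL:OF/RC:UR",
    "network, high complexity, functional exploit": "AV:N/AC:H/Au:N/E:F/RL:ND/RC:UR",
    "local access, proof-of-concept exploit": "AV:L/AC:L/Au:N/E:POC/RL:ND/RC:UR",
    "network, single authentication, fix available": "AV:N/AC:L/Au:S/E:POC/RL:OF/RC:C",
}

if __name__ == "__main__":
    for label, vec in SAMPLES.items():
        print(label, exploitability(vec), round(temporal_probability(vec), 4))
```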

C. Conditional probability tables

In a Bayesian attack graph, each node has a conditional probability table (CPT). This table shows the probability of a node given the states of its parents. In the proposed network, the CPT of each node is generated as follows. The exploit which changes the state of the network from X_j to X_i, for X_j \in Pa[X_i], is called e_j. The conditional probability distribution function of X_i is Pr(X_i \mid Pa[X_i]), which is defined as follows.

If the relation between the incoming edges to node X_i is AND, the product rule is used:

Pr(X_i \mid Pa[X_i]) = \begin{cases} 0, & \exists X_j \in Pa[X_i],\ X_j = 0; \\ \prod_{X_j \in Pa[X_i]} TP(e_j), & \text{otherwise.} \end{cases}   (6)

If the relation between the incoming edges to node X_i is OR, the noisy OR operator is used [13]:

Pr(X_i \mid Pa[X_i]) = \begin{cases} 0, & \forall X_j \in Pa[X_i],\ X_j = 0; \\ 1 - \prod_{X_j \in Pa[X_i],\ X_j = 1} [1 - TP(e_j)], & \text{otherwise.} \end{cases}   (7)

V. RISK MITIGATION USING BAYESIAN DECISION NETWORKS

In the risk management framework, the next step after risk assessment is risk mitigation. In the risk mitigation process, the security countermeasures to be applied to vulnerabilities are prioritized, which leads to a more secure network. In this paper, Bayesian decision networks are used to model security countermeasures and their properties. Bayesian decision networks provide an integrated approach to be used in the security risk mitigation phase. Using decision networks, security administrators are able to model the effects of combining multiple security countermeasures that cover one vulnerability and of a security countermeasure which covers multiple vulnerabilities, the implementation cost of the countermeasures, and the outcome of applying a countermeasure, or even a combination of countermeasures, to a vulnerability.

So far, the probabilities of exploiting vulnerabilities have been calculated using the methods proposed in the previous section. This section describes how to build a Bayesian decision network for a network under assessment and how to use it to infer the optimal set of security countermeasures in the risk mitigation phase.

A. Building Bayesian decision networks

As mentioned before, a Bayesian decision network is an extension of a Bayesian attack graph with additional node types for actions and utilities. Therefore, to build a Bayesian decision network, the Bayesian attack graph of the network must first be generated as described above.

In order to convert a Bayesian attack graph to a Bayesian decision network, two types of nodes must be added in the appropriate positions. The first are the decision nodes. These nodes must be added wherever there are security countermeasures covering a vulnerability, with arcs pointing to that vulnerability. These nodes contain the choices among the available countermeasures covering the vulnerability.

The second are the utility nodes, which have utility tables. Each decision made has an impact on the affected vulnerabilities; this impact is quantified using utility tables. Therefore the incoming arcs to each utility node come from the chance node representing a vulnerability and from the decision nodes covering that chance node.

Fig. 1 shows the Bayesian decision network for the test network shown in Fig. 2. In this network, attacker exploits are shown as ovals, with edges for their preconditions and postconditions. Security countermeasures covering vulnerabilities are shown as rectangles, and utility nodes are represented as hexagons.

Fig. 1. Bayesian decision network of the test network shown in Fig. 2

After the decision network is built, it is possible to propagate the probabilities of vulnerability exploitation and to infer the optimal set of security countermeasures to mitigate the risks caused by these vulnerabilities. This process is described in the next two subsections.

B. Probability propagation in the Bayesian decision networks

In Bayesian decision networks, threat sources are shown as external nodes. The probability of an external node is estimated by the network administrator, who is aware of the probable threat sources and can assess the power of potential attackers. This probability is unconditional and is called the prior probability.

Some vulnerabilities are preconditions for the exploitation of other vulnerabilities, so successful exploitation of these preconditions makes the network state more favourable for the other exploits. In other words, the probability of each node is affected by the probabilities of its causal parents. Moreover, the security countermeasures implemented on each asset also affect the exploitation probabilities of its vulnerabilities. These effects are encoded in the CPTs of the chance nodes. Prior probabilities are propagated using the CPTs and Bayes' theorem (Equation 2), and hence the unconditional probabilities of the internal nodes are calculated.

A network may experience different attacks or changes during its lifetime. The unconditional probabilities of the chance nodes change whenever evidence in the network is observed. For example, if an attack succeeds in exploiting the vulnerability of a chance node, the probability of that node changes to 1; or if a countermeasure is applied to remedy the vulnerability of a chance node, its probability is reduced according to that countermeasure's coverage. When evidence is observed and the probability of a chance node is modified, the effect of this change should be computed on the probabilities of its descendants and also of its ancestors. For this, the changes in node states are propagated through the Bayesian decision network in two ways:

Forward propagation - for the descendants of the affected node, which are affected directly by the evidence. This modification is done using Equation (2), as described before for propagating the prior probabilities of the external nodes.

Backward propagation - for the ancestors of the affected node, by obtaining their posterior probability after observing the evidence e using Equation (8):

Pr(X_i \mid e) = \frac{Pr(e \mid X_i) \times Pr(X_i)}{Pr(e)}   (8)

C. Inferring the optimal set of security countermeasures

A security countermeasure is a preventive measure that reduces the exploitability of the affected vulnerabilities so as to prevent an attacker from reaching his goals. In this study, the security countermeasures are defined as Bernoulli random variables, with the true state signifying that the countermeasure is implemented and false signifying that it is not. Each security countermeasure C_i also has an associated cost of implementation Cost(C_i). A security risk mitigation plan is a Boolean vector \vec{T} = (T_1, \dots, T_n), representing which countermeasures have been chosen for enforcement (T_i = 1) as part of the network security hardening process. Therefore the total cost of each security mitigation plan (Mitigation Plan Cost) can be calculated using Equation (9):

MPC(\vec{T}) = \sum_{i} T_i \times Cost(C_i)   (9)

In order to defend against network attacks, a security administrator can choose to implement a variety of countermeasures, i.e. security mitigation plans, each of which comes with a different cost and coverage, so he needs to make a decision toward maximum resource utilization. Hence the expected utility (EU) value of each plan is considered in this study, and the plan with the highest expected utility is desired. But as the budget for risk mitigation is usually limited, it is not possible to eliminate all the risks in a network by implementing all security countermeasures, so the cost of implementing each plan must be considered too. The two factors considered in this study are therefore the mitigation plan cost (MPC) and the expected utility (EU) of each plan. In case of a budget limitation, the plan with the highest expected utility and an implementation cost lower than the allocated budget is desired.

In the next section, we conduct experiments on a test network to find the best security risk mitigation plan. Then it is assumed that the allocated budget for network security hardening is limited, and the best plan(s) under this limitation are determined.

VI. EXPERIMENTAL RESULTS

The proposed approach is applied to the test network shown in Fig. 2. The hosts in this network are located within two subnets. The DMZ subnet contains the web server; this subnet is accessible to the public through a firewall. The second subnet consists of the SQL server and several local desktops; it is the trusted zone, so access from external sources is restricted. A tri-homed DMZ firewall is installed with policies that ensure the web server is separated from the local network. The firewall prevents remote access to the internal hosts. In order to accommodate the web service's transactions, the web server is allowed to send SQL queries to the SQL server. Several local machines are located behind the firewall and their communications are delivered through the gateway server. In addition, the remote desktop service of all local desktops is enabled to facilitate remote operations for employees working from remote sites.

Fig. 2. Topology of the test network for performing experiments

All vulnerabilities in this network, with their CVE numbers [22], are listed in Table I. In this table, the probability of each vulnerability considering its temporal characteristics is computed using Equation (5) and the CVSS metric values obtained from the NVD database [23].

TABLE I. LIST OF VULNERABILITIES IN TEST NETWORK

Host           | Vulnerability                        | CVE #         | Exploitability | Temporal Probability
Web server     | IIS vulnerability in WebDAV service  | CVE 2009-1535 | 0.49           | 0.4422
Web server     | Improper cookie handler in OpenSSH   | CVE 2007-4752 | 1              | 0.7438
Gateway server | Remote login                         | CA 1996-83    | 0.39           | 0.3335
Local desktops | LICQ Buffer Overflow (BOF)           | CVE 2001-0439 | 1              | 0.855
Local desktops | MS Video ActiveX Stack BOF           | CVE 2008-0015 | 0.86           | 0.7761
SQL server     | SQL Injection                        | CVE 2008-5416 | 0.8            | 0.6264

The security countermeasures covering the network vulnerabilities, their cost of implementation, their outcome (gained by avoiding the damage of vulnerability exploitation) and their net benefit (outcome minus cost) are listed in Table II.

TABLE II. LIST OF COUNTERMEASURES COVERING VULNERABILITIES

Security Countermeasure          | Coverage                  | Cost | Outcome | Net benefit
C1- Apply OpenSSH security patch | CVE 2007-4752             | 63   | 785.89  | 722.89
C2- Apply MS workaround          | CVE 2008-0015             | 14   | 580.45  | 566.45
C3- Filtering external traffic   | CA 1996-83, CVE 2009-1535 | 70   | 586.84  | 516.84
C4- Disable WebDAV               | CVE 2009-1535             | 250  | 473.90  | 223.90
C5- Apply MS09-004 workaround    | CVE 2008-5416             | 31   | 239.10  | 208.10
C6- Add firewall                 | CVE 2001-0439             | 205  | 259.15  | 54.15
C7- Query restriction            | CVE 2008-5416             | 84   | 59      | -25.00

Using the junction tree clustering algorithm implemented in the GeNIe software package [24], the expected utility of all security risk mitigation plans is computed and shown in Fig. 3. This diagram shows that the highest expected utility (2745.75) is obtained by implementing all countermeasures except C7, with an overall cost of 633 units.

Fig. 3. The expected utility versus implementation cost of all possible security risk mitigation plans

If the budget allocated for network security hardening is limited, only plans with an overall implementation cost lower than the allocated budget need to be evaluated. This prunes the decision tree, because many solutions are never generated. For example, if the allocated budget is 400 units, the expected utility of mitigation plans with implementation costs above 400 units is not calculated. In this case, the highest expected utility (2486 units) is obtained by implementing {C1, C2, C3, C4} with an overall cost of 397 units. Implementing {C1, C2, C5, C6, C7} also costs 397 units, but the resulting expected utility is only 1446 units.
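As an added illustration of Sections IV.C, V.B and V.C (not the authors' code, and not the test network of Fig. 2), the following builds a small Bayesian attack graph whose CPTs follow Equations (6) and (7), propagates probabilities by exact enumeration of the joint distribution (Equations (1), (2) and (8)), and enumerates mitigation plans under a budget with the cost of Equation (9). The graph, the countermeasures, their effect on covered exploits, the damage values and the utility model (expected damage avoided) are all constructed assumptions.

```python
from itertools import combinations, product

# Constructed Bayesian decision network (added example: not the paper's test
# network and not the authors' code). A node is an attacker privilege, 1 =
# compromised, 0 = not. An edge (parent, child) is the exploit e_j that takes the
# attacker from the parent's state to the child's; TP is its temporal probability
# from Eq. (5). All values below are constructed.
NODES = ["attacker", "web", "gateway", "desktop", "sql"]
PARENTS = {"attacker": [], "web": ["attacker"], "gateway": ["attacker"],
           "desktop": ["gateway"], "sql": ["web", "desktop"]}
REL = {"web": "OR", "gateway": "OR", "desktop": "OR", "sql": "OR"}  # Eq. (6)/(7)
PRIOR = {"attacker": 1.0}  # external node: prior set by the administrator
TP = {("attacker", "web"): 0.7438, ("attacker", "gateway"): 0.3335,
      ("gateway", "desktop"): 0.855, ("web", "sql"): 0.6264,
      ("desktop", "sql"): 0.6264}
# Decision nodes: implementation cost, covered exploits, and the fraction of the
# exploit's TP removed when implemented (assumed model of "coverage").
COUNTERMEASURES = {
    "C1": {"cost": 63, "covers": [("attacker", "web")], "eff": 0.9},
    "C2": {"cost": 70, "covers": [("attacker", "gateway")], "eff": 0.8},
    "C3": {"cost": 205, "covers": [("gateway", "desktop")], "eff": 0.95},
    "C4": {"cost": 84, "covers": [("web", "sql"), ("desktop", "sql")], "eff": 0.5},
}
DAMAGE = {"web": 300.0, "gateway": 200.0, "desktop": 400.0, "sql": 1000.0}  # utility inputs

def cpt(node, parent_states, tp):
    """Pr(node = 1 | parent states): Eq. (6) for AND nodes, Eq. (7) for OR nodes."""
    parents = PARENTS[node]
    if not parents:
        return PRIOR[node]
    active = [tp[(p, node)] for p, s in zip(parents, parent_states) if s == 1]
    if REL[node] == "AND":
        if len(active) < len(parents):   # some precondition is not satisfied
            return 0.0
        prob = 1.0
        for t in active:
            prob *= t                      # product rule
        return prob
    if not active:                         # OR node with no precondition satisfied
        return 0.0
    miss = 1.0
    for t in active:
        miss *= 1.0 - t                    # noisy OR: every active exploit fails
    return 1.0 - miss

def joint(states, tp):
    """Chain rule, Eq. (1): the product of one CPT entry per node."""
    p = 1.0
    for n in NODES:
        c = cpt(n, [states[q] for q in PARENTS[n]], tp)
        p *= c if states[n] == 1 else 1.0 - c
    return p

def marginals(tp, evidence=None):
    """Pr(node = 1 | evidence) for every node by exact enumeration of the joint:
    forward propagation without evidence, the posterior of Eq. (8) with it."""
    evidence = evidence or {}
    num, denom = dict.fromkeys(NODES, 0.0), 0.0
    for bits in product((0, 1), repeat=len(NODES)):
        states = dict(zip(NODES, bits))
        if any(states[n] != v for n, v in evidence.items()):
            continue                       # state contradicts the observed evidence
        p = joint(states, tp)
        denom += p
        for n in NODES:
            if states[n] == 1:
                num[n] += p
    return {n: num[n] / denom for n in NODES}

def plan_cost(plan):
    """Eq. (9): MPC of a plan is the summed cost of its chosen countermeasures."""
    return sum(COUNTERMEASURES[c]["cost"] for c in plan)

def hardened_tp(plan):
    """Residual TP of each exploit after the plan's countermeasures are applied."""
    tp = dict(TP)
    for c in plan:
        for edge in COUNTERMEASURES[c]["covers"]:
            tp[edge] *= 1.0 - COUNTERMEASURES[c]["eff"]
    return tp

def expected_utility(plan):
    """Utility taken as the expected damage avoided relative to the unhardened
    network (assumed utility model)."""
    base, hard = marginals(TP), marginals(hardened_tp(plan))
    return sum(DAMAGE[n] * (base[n] - hard[n]) for n in DAMAGE)

def best_plan(budget):
    """Enumerate plans but skip any whose MPC exceeds the budget (the pruning of
    Section VI); return (plan, expected utility) of the best admissible plan."""
    best = ((), 0.0)
    for r in range(1, len(COUNTERMEASURES) + 1):
        for plan in combinations(COUNTERMEASURES, r):
            if plan_cost(plan) <= budget:
                eu = expected_utility(plan)
                if eu > best[1]:
                    best = (plan, eu)
    return best
```

Calling `best_plan(150)` and `best_plan(1000)` shows how the budget prunes the admissible plans and how the chosen plan changes; `marginals(TP, {"sql": 1})` shows the backward update of the ancestors' probabilities once a compromise is observed.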

VII. CONCLUSION AND FUTURE WORK

This paper presents a method to quantitatively assess and mitigate the risk of exploiting vulnerabilities on a given network. In the presented method, in order to estimate the probability of successful exploitation, both the inherent and the temporal properties of vulnerabilities are considered, which results in a more accurate estimation based on the time of evaluation. Moreover, by using Bayesian decision networks, it is possible to model the existence of multiple countermeasures with different costs and effects for mitigating vulnerabilities. Therefore network security administrators can identify and select the optimal set of countermeasures for risk mitigation given a specified budget.

REFERENCES

[1] P. M. Chawan, J. Patil, and R. Naik, "Software Risk Management," International Journal of Advances in Engineering Sciences, vol. 3, pp. 17-21, 2013.
[2] P. Mell, K. Scarfone, and S. Romanosky, "A complete guide to the common vulnerability scoring system version 2.0," FIRST - Forum of Incident Response and Security Teams, pp. 1-23, 2007.
[3] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217-224, 2002.
[4] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," in Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 273-284, 2002.
[5] L. Gallon and J.-J. Bascou, "CVSS attack graphs," in 2011 Seventh International Conference on Signal-Image Technology and Internet-Based Systems (SITIS), pp. 24-31, 2011.
[6] N. Poolsappasit, R. Dewri, and I. Ray, "Dynamic security risk management using Bayesian attack graphs," IEEE Transactions on Dependable and Secure Computing, vol. 9, pp. 61-74, 2012.
[7] S. Russell and P. Norvig, Artificial Intelligence: A Modern Approach, Prentice Hall, 2009.
[8] P. Cheng, L. Wang, S. Jajodia, and A. Singhal, "Aggregating CVSS base scores for semantics-rich network security metrics," in 2012 IEEE 31st Symposium on Reliable Distributed Systems (SRDS), pp. 31-40, 2012.
[9] C. Wang, Y. Wang, Y. Dong, and T. Zhang, "A novel comprehensive network security assessment approach," in 2011 IEEE International Conference on Communications (ICC), pp. 1-6, 2011.
[10] S. Noel, S. Jajodia, L. Wang, and A. Singhal, "Measuring security risk of networks using attack graphs," International Journal of Next-Generation Computing, vol. 1, pp. 135-147, 2010.
[11] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An attack graph-based probabilistic security metric," in Data and Applications Security XXII, Springer, pp. 283-296, 2008.
[12] N. Ghosh and S. K. Ghosh, "An approach for security assessment of network configurations using attack graph," in 2009 First International Conference on Networks and Communications (NETCOM'09), pp. 283-288, 2009.
[13] Y. Liu and H. Man, "Network vulnerability assessment using Bayesian networks," in Defense and Security, pp. 61-71, 2005.
[14] M. Frigault and L. Wang, "Measuring network security using Bayesian network-based attack graphs," IEEE, 2008.
[15] P. Xie, J. H. Li, X. Ou, P. Liu, and R. Levy, "Using Bayesian networks for cyber security analysis," in 2010 IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 211-220, 2010.
[16] N. Feng, H. J. Wang, and M. Li, "A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis," Information Sciences, vol. 256, pp. 57-73, 2014.
[17] M. Khosravi-Farmad, R. Rezaee, and A. Ghaemi Bafghi, "Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment," in 2014 11th International ISC Conference on Information Security and Cryptology (ISCISC), 2014.
[18] S. Noel, S. Jajodia, B. O'Berry, and M. Jacobs, "Efficient minimum-cost network hardening via exploit dependency graphs," in Proceedings of the 19th Annual Computer Security Applications Conference, pp. 86-95, 2003.
[19] S. Jha, O. Sheyner, and J. Wing, "Two formal analyses of attack graphs," in Proceedings of the 15th IEEE Computer Security Foundations Workshop, pp. 49-63, 2002.
[20] R. Dewri, N. Poolsappasit, I. Ray, and D. Whitley, "Optimal security hardening using multi-objective optimization on attack tree models of networks," in Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 204-213, 2007.
[21] X. Ou, S. Govindavajhala, and A. W. Appel, "MulVAL: A logic-based network security analyzer," in 14th USENIX Security Symposium, pp. 1-16, 2005.
[22] "Common Vulnerabilities and Exposures," http://www.cve.mitre.org, 2014.
[23] "National Vulnerability Database," http://www.nvd.org, 2014.
[24] "The GeNIe 2.0 (Graphical Network Interface) software package," http://genie.sis.pitt.edu/, 2004.