Abstract
The paper suggests an automated approach to risk assessment for computer networks with mobile components. The approach is based on the modeling of attacks against computer network as attack graphs and application of open databases of attack patterns and vulnerabilities. Distinctive features of the attacks against networks with mobile components are analyzed. On the base of this analysis we develop the technique of attack graph generation taking into account vulnerabilities of software and hardware for mobile access points as well as weaknesses of mobile devices and mobile connection channels. The technique for calculation of risk assessment metrics is suggested. Operation of the technique for the attack graph generation and calculation of risks is shown on a sample network with mobile components.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
CAPEC-512: Communications. https://capec.mitre.org/data/definitions/512.html
CAPEC-553: Mobile Device Patterns. https://capec.mitre.org/data/definitions/553.html
Check Point Software Technologies Ltd.: Check Point – 2016 Security Report. https://www.checkpoint.com/resources/security-report/
Common Attack Pattern Enumeration and Classification (CAPEC). https://capec.mitre.org
Common Configuration Enumeration (CCE). http://cce.mitre.org/
Common Vulnerabilities and Exposures (CVE). http://cve.mitre.org/
Common Weakness Enumeration (CWE). https://cwe.mitre.org/data/index.html
Doynikova, E., Kotenko, I.: Security assessment based on attack graphs and open standards for computer networks with mobile components. Res. Brief. Inf. Commun. Technol. Evol. 2, 5:1–5:11 (2016)
Frei, D.: Conducting a risk assessment for mobile devices. In: Central-VA-ISSA-May-2012-Meeting (2012)
Frigault, M., Wang, L., Singhal A., Jajodia, S.: Measuring network security using dynamic bayesian network. In: 2008 ACM Workshop on Quality of Protection (2008)
ISO/IEC 27005:2011: Information technology—Security techniques—Information security risk management, 2nd edn. (2011)
Kotenko, I., Chechulin, A.: A cyber attack modeling and impact assessment framework. In: 5th International Conference on Cyber Conflict 2013 (CyCon 2013), pp. 119–142. IEEE and NATO COE Publications, Tallinn (2013)
Kotenko, I., Doynikova, E.: Evaluation of computer network security based on attack graphs and security event processing. J. Wirel. Mob. Netw. Ubiquitous Comput. Dependable Appl. (JoWUA) 5(3), 14–29 (2014)
Kotenko, I., Doynikova, E.: Security assessment of computer networks based on attack graphs and security events. In: Linawati, Mahendra, M.S., Neuhold, E.J., Tjoa, A.M., You, I. (eds.) ICT-EurAsia 2014. LNCS, vol. 8407, pp. 462–471. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55032-4_47
Mell, P.: A Complete Guide to the Common Vulnerability Scoring System (2007)
NVD website. https://nvd.nist.gov/
OWASP Mobile Checklist Final 2016. https://drive.google.com/file/d/0BxOPagp1jPHWYmg3Y3BfLVhMcmc/view
Platform Enumeration (CPE). http://cpe.mitre.org/
Jing, Y., Ahn, G.-J., Zhao, Z., Hu, H.: RiskMon: continuous and automated risk assessment of mobile applications. In: The 4th ACM Conference on Data and Application Security and Privacy, pp. 99–110 (2014)
Theoharidou, M., Mylonas, A., Gritzalis, D.: A risk assessment method for smartphones. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IAICT, vol. 376, pp. 443–456. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30436-1_36
Schneider, P. (ed.): Threat and Risk Analysis for Mobile Communication Networks and Mobile Terminals. Deliverable 5. Attack analysis and Security concepts for MObile Network infrastructures, supported by collaborative Information exchAnge project (2012)
Pandita, R., Xiao, X., Yang, W., Enck, W., Xie, T.: WHYPER: towards automating risk assessment of mobile applications. In: 22nd USENIX Conference on Security (SEC 2013), pp. 527–542 (2013)
Acknowledgements
This research is being supported by the grants of the Russian Foundation of Basic Research (15-07-07451, 16-37-00338, 16-29-09482), partial support of budgetary subjects 0073-2015-0004 and 0073-2015-0007, and Grant 074-U01.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Doynikova, E., Kotenko, I. (2018). An Automated Graph Based Approach to Risk Assessment for Computer Networks with Mobile Components. In: You, I., Leu, FY., Chen, HC., Kotenko, I. (eds) Mobile Internet Security. MobiSec 2016. Communications in Computer and Information Science, vol 797. Springer, Singapore. https://doi.org/10.1007/978-981-10-7850-7_9
Download citation
DOI: https://doi.org/10.1007/978-981-10-7850-7_9
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-7849-1
Online ISBN: 978-981-10-7850-7
eBook Packages: Computer ScienceComputer Science (R0)