Bayesian Decision Network-Based Security Risk Management Framework

Abstract

Network security risk management is comprised of several essential processes, namely risk assessment, risk mitigation and risk validation and monitoring, which should be done accurately to maintain the overall security level of a network in an acceptable level. In this paper, an integrated framework for network security risk management is presented which is based on a probabilistic graphical model called Bayesian decision network (BDN). Using BDN, we model the information needed for managing security risks, such as information about vulnerabilities, risk-reducing countermeasures and the effects of implementing them on vulnerabilities, with the minimum need for expert’s knowledge. In order to increase the accuracy of the proposed risk assessment process, vulnerabilities exploitation probability and impact of vulnerabilities exploitation on network assets are calculated using inherent, temporal and environmental factors. In the risk mitigation process, a cost-benefit analysis is efficiently done using modified Bayesian inference algorithms even in case of budget limitation. The experimental results show that network security level enhances significantly due to precise assessment and appropriate mitigation of risks.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3

References

  1. 1.

    Thomas, PR.: Information security risk analysis, 3rd edition, Auerbach publications, Boco Raton (2010)

    Google Scholar 

  2. 2.

    Ross, R.S.: Guide for conducting risk assessments, Special Publication (NIST SP)-800-30 Rev. 1, (2012)

  3. 3.

    Evan, W.: Security risk management: building an information security risk management program from the ground up, 1st edn. Elsevier, Burlington (2011)

    Google Scholar 

  4. 4.

    Mell, P., et al.: A complete guide to the common vulnerability scoring system version 2.0, Published by FIRST-Forum of Incident Response and Security Teams, vol. 1, (2007)

  5. 5.

    Ammann, P., et al.: Scalable, graph-based network vulnerability analysis, Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM (2002)

  6. 6.

    Sheyner, O., et al.: Automated generation and analysis of attack graphs, In Proceedings 2002 IEEE Symposium on Security and Privacy. IEEE, New York (2002)

  7. 7.

    Gallon, L., Bascou, J. J.: Cvss attack graphs, In 2011 Seventh International Conference on Signal Image Technology & Internet-Based Systems, pp. 24–31. IEEE, New York (2011)

  8. 8.

    Liu, Y., Man, H.: Network vulnerability assessment using Bayesian networks, In Data mining, intrusion detection, information assurance, and data networks security, vol. 5812, pp. 61–71, International Society for Optics and Photonics, Bellingham (2005)

    Google Scholar 

  9. 9.

    Poolsappasit, N., et al.: Dynamic security risk management using bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)

    Article  Google Scholar 

  10. 10.

    Hong, J.B., et al.: A survey on the usability and practical applications of graphical security models. Comput. Sci. Rev. 26, 1–16 (2017)

    MathSciNet  Article  Google Scholar 

  11. 11.

    Lippmann, R.P., Ingols, K.W.: An annotated review of past papers on attack graphs, No. PR-IA-1, Massachusetts Inst of Tech Lexington Lincoln Lab (2005)

  12. 12.

    Garg, U., et al.: Empirical analysis of attack graphs for mitigating critical paths and vulnerabilities. Comput. Security 77, 349–359 (2018)

    Article  Google Scholar 

  13. 13.

    Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inform. Security Appl. 29, 27–56 (2016)

    Google Scholar 

  14. 14.

    He, W., et al.: Unknown vulnerability risk assessment based on directed graph models: a survey. IEEE Access 7, 168201–168225 (2019)

    Article  Google Scholar 

  15. 15.

    Cheng, P., et al.: Aggregating CVSS base scores for semantics-rich network security metrics, In 2012 IEEE 31st Symposium on Reliable Distributed Systems, IEEE, New York (2012)

  16. 16.

    Wang, C., et al.: A novel comprehensive network security assessment approach, In 2011 IEEE International Conference on Communications (ICC), IEEE, New York (2011)

  17. 17.

    Wang, S., et al.: Exploring attack graph for cost-benefit security hardening: a probabilistic approach. Comput. Security 32, 158–169 (2013)

    Article  Google Scholar 

  18. 18.

    Wang, L., et al.: An attack graph-based probabilistic security metric, In IFIP Annual Conference on Data and Applications Security and Privacy, pp. 283–296. Springer, Berlin, Heidelberg (2008)

  19. 19.

    Ghosh, N., Ghosh, S.K.: An approach for security assessment of network configurations using attack graph, In 2009 First International Conference on Networks Communications, pp. 283–288. IEEE, New York (2009)

  20. 20.

    Noel, S., et al.: Measuring security risk of networks using attack graphs. Int. J. Next Gen. Comput. 1(1), 135–147 (2010)

    Google Scholar 

  21. 21.

    Frigault, M., Wang, L.: Measuring network security using Bayesian network-based attack graphs, In 2008 32nd Annual IEEE International Computer Software and Applications Conference, pp. 698–703. IEEE, New York (2008)

  22. 22.

    Kondakci, S.: Network security risk assessment using Bayesian belief networks, In 2010 IEEE Second International Conference on Social Computing, pp. 952–960. IEEE, New York(2010)

  23. 23.

    Xie, P., et al.: Using Bayesian networks for cyber security analysis, In 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN), pp. 211–220. IEEE, New York (2010)

  24. 24.

    Feng, N., et al.: A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Inform. Sci. 256, 57–73 (2014)

    Article  Google Scholar 

  25. 25.

    Le, A., et al.: Incorporating FAIR into bayesian network for numerical assessment of loss event frequencies of smart grid cyber threats. Mobile Networks Appl.24(5), 1713–1721 (2019)

    Article  Google Scholar 

  26. 26.

    Wang, J., et al.: A Bayesian network approach for cybersecurity risk assessment implementing and extending the FAIR model, Computers Security 89, 101659

  27. 27.

    Frigault, M., et al.: Measuring the overall network security by combining cvss scores based on attack graphs and Bayesian networks, in Network Security Metrics, pp. 1–23. Springer, Cham (2017)

    Google Scholar 

  28. 28.

    Noel, S., Jajodia, S.: A suite of metrics for network attack graph analytics, in network security metrics, pp. 141–176. Springer, Cham (2017)

    Google Scholar 

  29. 29.

    Norman, T.L.: Risk analysis and security countermeasure selection, 2nd edn. CRC Press, Cleveland (2015)

    Google Scholar 

  30. 30.

    Wheeler, E.: Security risk management: building an information security risk management program from the Ground Up, 1st edn. Elsevier, Amsterdam (2011)

    Google Scholar 

  31. 31.

    Russell, S.J., Norvig, P.: Artificial intelligence: a modern approach, 4th edn. Pearson Education Limited, Malaysia (2020)

    Google Scholar 

  32. 32.

    Koller, D., Friedman, N., Bach, F.: Probabilistic graphical models: principles and techniques, 1st edition, MIT press, Cambridge (2009)

    Google Scholar 

  33. 33.

    Ahmed, M.S., et al.: Objective risk evaluation for automated security management. J. Network Syst. Manag. 19(3), 343–366 (2011)

    Article  Google Scholar 

  34. 34.

    Alali, M., et al.: Improving risk assessment model of cyber security using fuzzy logic inference system. Comput. Security 74, 323–339 (2018)

    Article  Google Scholar 

  35. 35.

    Dai, F., et al.: Exploring risk flow attack graph for security risk assessment. IET Infor. Security 9(6), 344–353 (2015)

    Article  Google Scholar 

  36. 36.

    Wangen, G., et al.: A framework for estimating information security risk assessment method completeness. Int. J. Inform. Security 17(6), 681–699 (2018)

    Article  Google Scholar 

  37. 37.

    Rusek, K., et al.: Effective risk assessment in resilient communication networks. J. Network Syst. Manag. 24(3), 491–515 (2016)

    Article  Google Scholar 

  38. 38.

    Awan, M.S.K., et al.: Identifying cyber risk hotspots: a framework for measuring temporal variance in computer network risk. Comput. Security 57, 31–46 (2016)

    Article  Google Scholar 

  39. 39.

    Nespoli, P., et al.: Optimal countermeasures selection against cyber attacks: a comprehensive survey on reaction frameworks. IEEE Commun. Surveys Tutorials 20(2), 1361–1396 (2018)

    MathSciNet  Article  Google Scholar 

  40. 40.

    Gehani, A., Kedem, G.: Rheostat Real Time Risk Manag. In: international workshop on recent advances in intrusion detection, pp. 296–314. Springer, Berlin, Heidelberg (2004)

    Google Scholar 

  41. 41.

    Dabbebi, O., et al.: An online risk management strategy for VoIP enterprise infrastructures. J. Network Syst. Manag. 23(1), 137–162 (2015)

    Article  Google Scholar 

  42. 42.

    Noel, S., et al.: Efficient minimum-cost network hardening via exploit dependency graphs. In 19th Annual Computer Security Applications Conference Proceedings, IEEE, New York. pp. 86–95 (2003)

  43. 43.

    Jha, S., et al.: Two formal analyses of attack graphs. In Proceedings 15th IEEE Computer Security Foundations Workshop, CSFW-15, IEEE, New York. pp. 49–63 (2002)

  44. 44.

    Dewri, R., et al.: Optimal security hardening using multi-objective optimization on attack tree models of networks, In Proceedings of the 14th ACM conference on computer and communications security, ACM. pp. 204–213, (2007)

  45. 45.

    Khosravi-Farmad, M., et al.: Network security risk mitigation using Bayesian decision networks, In 2014 4th International Conference on Computer and Knowledge Engineering (ICCKE), IEEE. pp. 267–272 (2014)

  46. 46.

    Liu, S. C., Liu, Y.: Network security risk assessment method based on HMM and attack graph model, In 2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD), IEEE, New York. pp. 517–522 (2016)

  47. 47.

    Nessus Vulnerability Scanner. http://www.tenable.com/products/nessus-vulnerability-scanner

  48. 48.

    OpenVAS, Open Vulnerability Assessment System. http://www.openvas.org/

  49. 49.

    Retina Network Security Vulnerability Scanner. https://www.beyondtrust.com/products/retina-network-security-scanner/

  50. 50.

    NIST. US National vulnerability database (NVD). https://nvd.nist.gov/

  51. 51.

    Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/

  52. 52.

    Nmap, The Network Mapper. https://nmap.org/

  53. 53.

    Ou, X., et al., MulVAL: A Logic-based Network Security Analyzer, In USENIX Security Symposium, pp. 113–128 2005

  54. 54.

    Khosravi-Farmad, M., et al.: Considering temporal and environmental characteristics of vulnerabilities in network security risk assessment, In 2014 11th International ISC Conference on Information Security and Cryptology, IEEE. pp. 186–191 (2014)

  55. 55.

    GeNIe Modeler, BayesFusion, LLC. https://www.bayesfusion.com/

  56. 56.

    ben Othmane, L., et al.: Incorporating attacker capabilities in risk estimation and mitigation., Computers Security 51, pp. 41–61 (2015)

  57. 57.

    Holm, H., et al.: An expert-based investigation of the common vulnerability scoring system. Comput. Security 53, 18–30 (2015)

    Article  Google Scholar 

Download references

Author information

Affiliations

Authors

Corresponding author

Correspondence to Abbas Ghaemi-Bafghi.

Ethics declarations

Conflict of Interest

Authors declare that they have no conflict of interest.

Ethical Approval

This article does not contain any studies with animals performed by any of the authors.

Informed Consent

Informed consent was obtained from all individual participants included in the study.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Khosravi-Farmad, M., Ghaemi-Bafghi, A. Bayesian Decision Network-Based Security Risk Management Framework. J Netw Syst Manage 28, 1794–1819 (2020). https://doi.org/10.1007/s10922-020-09558-5

Download citation

Keywords

  • Risk assessment
  • Risk mitigation
  • Risk management framework
  • Cost-benefit analysis
  • Decision making
  • Bayesian decision network