Towards Actionable Mission Impact Assessment in the Context of Cloud Computing

  • Xiaoyan Sun
  • Anoop Singhal
  • Peng Liu
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10359)

Abstract

Today’s cyber-attacks against enterprise networks often undermine, and can even defeat, the mission assurance of the victim networks. Mission cyber resilience (or active cyber defense) is critical to preventing or minimizing negative consequences for missions. Without effective mission impact assessment, mission cyber resilience cannot truly be achieved. However, there is an overlooked gap between mission impact assessment and cyber resilience, due to the non-mission-centric nature of current research. This gap widens further in the context of cloud computing. The gap essentially accounts for the weakest link between missions and attack-resilient systems, and also explains why existing impact analysis is not really actionable. This paper initiates efforts to bridge this gap by developing a novel graphical model that interconnects mission dependency graphs and cloud-level attack graphs. Our case study shows that the new cloud-applicable model is able to bridge the gap between mission impact assessment and cyber resilience. As a result, it can significantly improve the effectiveness of cyber resilience analysis of mission-critical systems.

Notes

Acknowledgement

We thank the anonymous reviewers for their valuable comments. This work was supported by ARO W911NF-15-1-0576, ARO W911NF-13-1-0421 (MURI), CNS-1422594, NIETP CAE Cybersecurity Grant, and NIST 60NANB16D241.

Disclaimer

This paper is not subject to copyright in the United States. Commercial products are identified in order to adequately specify certain procedures. In no case does such identification imply recommendation or endorsement by the National Institute of Standards and Technology, nor does it imply that the identified products are necessarily the best available for the purpose.

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. California State University, Sacramento, USA
  2. National Institute of Standards and Technology, Gaithersburg, USA
  3. Pennsylvania State University, University Park, USA
