Telecommunications Networks Risk Assessment with Bayesian Networks

  • Marcin Szpyrka
  • Bartosz Jasiul
  • Konrad Wrona
  • Filip Dziedzic
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8104)

Abstract

We propose a solution which provides a system operator with a valuation of the security risk introduced by various components of the communication and information system. This risk signature of the system enables the operator to make an informed decision about which network elements shall be used in order to provide a service requested by the user while minimising the security risk related to service execution. In the considered scenario, transmitted data can be intercepted, modified or dropped by an attacker. Each network component and path can potentially be used to compromise information, since an adversary is able to utilise various vulnerabilities of network elements in order to perform an attack. The impact and probability of such successful attacks can be assessed by analysing the severity of the vulnerabilities and the difficulty of exploiting them, including the required equipment and knowledge. In consequence, each possible service work-flow can be assigned a security risk signature.

Keywords

telecommunications networks, risk assessment, Bayesian networks

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Marcin Szpyrka (1)
  • Bartosz Jasiul (2)
  • Konrad Wrona (3)
  • Filip Dziedzic (1)

  1. Department of Applied Computer Science, AGH University of Science and Technology, Kraków, Poland
  2. Military Communication Institute, Zegrze, Poland
  3. NATO Communications and Information Agency, Den Haag, The Netherlands
