DOI: 10.1145/2808475.2808482 (Public Access)

Optimal Defense Policies for Partially Observable Spreading Processes on Bayesian Attack Graphs

Published: 12 October 2015

Abstract

The defense of computer networks from intruders is becoming a problem of great importance as networks and devices become increasingly connected. We develop an automated approach to defending a network against continuous attacks from intruders, using the notion of Bayesian attack graphs to describe how attackers combine and exploit system vulnerabilities in order to gain access and progress through a network. We assume that the attacker follows a probabilistic spreading process on the attack graph and that the defender can only partially observe the attacker's capabilities at any given time. This leads to the formulation of the defender's problem as a partially observable Markov decision process (POMDP). We define and compute optimal defender countermeasure policies, which describe the optimal countermeasure action to deploy given the current information.
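The model the abstract describes, as an added example that is not the paper's own code: a constructed four-node Bayesian attack graph, the attacker's probabilistic spreading step, the defender's noisy per-node alerts, the POMDP belief update, and a countermeasure policy. The policy here uses the QMDP approximation (value iteration on the fully observed MDP, then the action that maximises the belief-weighted Q-value), which is a standard heuristic for POMDPs and not the paper's exact optimal-policy computation. The graph, edge probabilities, losses, sensor rates and countermeasure cost are all constructed for illustration.

```python
from itertools import product
import random

# Constructed example: a 4-node Bayesian attack graph. Node 0 is the internet-facing
# entry point; PARENTS[v] maps each parent u of v to the probability that a compromised
# u compromises v within one time step. All numbers here are made up for illustration.
PARENTS = {0: {}, 1: {0: 0.5}, 2: {0: 0.3}, 3: {1: 0.6, 2: 0.4}}
ENTRY_PROB = 0.2                    # per-step chance the entry point is compromised from outside
NODE_LOSS = [1.0, 2.0, 2.0, 10.0]   # per-step loss while each node is compromised (node 3 is critical)
PATCH_COST = 1.5                    # cost of the countermeasure "reset node k to a clean state"
P_ALERT_GIVEN_COMP = 0.8            # sensor true-positive rate (per node, per step)
P_ALERT_GIVEN_CLEAN = 0.1           # sensor false-positive rate
GAMMA = 0.9                         # discount factor

N = len(PARENTS)
STATES = list(product((0, 1), repeat=N))   # joint compromise vector, 2^N states
ACTIONS = [None] + list(range(N))          # None = no action; k = reset node k


def transition(s, a):
    """P(s' | s, a): the countermeasure is applied first, then the attacker spreads.
    Nodes spread independently given s, so the joint is a product of Bernoullis."""
    s = list(s)
    if a is not None:
        s[a] = 0
    p_comp = []
    for v in range(N):
        if s[v]:
            p_comp.append(1.0)              # compromised nodes stay compromised unless reset
            continue
        p_safe = 1.0 - ENTRY_PROB if v == 0 else 1.0
        for u, p in PARENTS[v].items():
            if s[u]:
                p_safe *= 1.0 - p          # each compromised parent is an independent chance
        p_comp.append(1.0 - p_safe)
    out = {}
    for s2 in STATES:
        pr = 1.0
        for v in range(N):
            pr *= p_comp[v] if s2[v] else 1.0 - p_comp[v]
        if pr > 0.0:
            out[s2] = pr
    return out


def obs_likelihood(o, s):
    """P(o | s) for a vector of per-node alerts from independent noisy sensors."""
    pr = 1.0
    for v in range(N):
        p_alert = P_ALERT_GIVEN_COMP if s[v] else P_ALERT_GIVEN_CLEAN
        pr *= p_alert if o[v] else 1.0 - p_alert
    return pr


def belief_update(b, a, o):
    """Bayes filter: b'(s') is proportional to P(o | s') * sum_s P(s' | s, a) b(s)."""
    new = {s: 0.0 for s in STATES}
    for s, bs in b.items():
        if bs > 0.0:
            for s2, pr in transition(s, a).items():
                new[s2] += bs * pr
    for s2 in STATES:
        new[s2] *= obs_likelihood(o, s2)
    z = sum(new.values())
    return {s: v / z for s, v in new.items()}


def marginal(b, v):
    """Belief that node v is compromised."""
    return sum(p for s, p in b.items() if s[v])


def reward(s, a):
    """Negative loss: compromised-node losses this step plus the countermeasure cost."""
    return -sum(l * x for l, x in zip(NODE_LOSS, s)) - (PATCH_COST if a is not None else 0.0)


def value_iteration(iters=200):
    """Q-values of the fully observed MDP; used by the QMDP heuristic below."""
    T = {(s, a): transition(s, a) for s in STATES for a in ACTIONS}
    V = {s: 0.0 for s in STATES}
    q = lambda s, a, V: reward(s, a) + GAMMA * sum(p * V[s2] for s2, p in T[(s, a)].items())
    for _ in range(iters):
        V = {s: max(q(s, a, V) for a in ACTIONS) for s in STATES}
    return {(s, a): q(s, a, V) for s in STATES for a in ACTIONS}


def qmdp_action(b, Q):
    """QMDP heuristic: the action maximising the belief-weighted Q-value."""
    return max(ACTIONS, key=lambda a: sum(b[s] * Q[(s, a)] for s in STATES))


def initial_belief():
    """Defender starts certain that every node is clean."""
    return {s: (1.0 if s == (0,) * N else 0.0) for s in STATES}


if __name__ == "__main__":
    # Simulate a few steps: the true state evolves, the defender only sees alerts.
    rng = random.Random(7)
    Q = value_iteration()
    true_s, b = (0,) * N, initial_belief()
    for t in range(6):
        a = qmdp_action(b, Q)
        nxt = transition(true_s, a)
        true_s = rng.choices(list(nxt), weights=list(nxt.values()))[0]
        o = tuple(int(rng.random() < (P_ALERT_GIVEN_COMP if x else P_ALERT_GIVEN_CLEAN)) for x in true_s)
        b = belief_update(b, a, o)
        print(f"t={t} action={a} alerts={o} true={true_s} "
              f"P(compromised)={[round(marginal(b, v), 2) for v in range(N)]}")
```

The belief over the full joint state is exact here because the graph has only 16 joint states; real networks need factored or sampled beliefs, and the QMDP step ignores the value of information (it never chooses an action purely to sharpen the belief), which is one place an exact POMDP solution differs from this heuristic.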



Published In

MTD '15: Proceedings of the Second ACM Workshop on Moving Target Defense
October 2015
114 pages
ISBN:9781450338233
DOI:10.1145/2808475
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. POMDP
  2. bayesian attack graphs
  3. moving target defense
  4. network security
  5. stochastic control

Qualifiers

  • Research-article

Conference

CCS'15

Acceptance Rates

MTD '15 Paper Acceptance Rate 8 of 19 submissions, 42%;
Overall Acceptance Rate 40 of 92 submissions, 43%

Article Metrics

  • Downloads (Last 12 months)215
  • Downloads (Last 6 weeks)28
Reflects downloads up to 24 Sep 2024

Citations

Cited By

  • (2024) Generalized Response Objectives for Strategy Exploration in Empirical Game-Theoretic Analysis. Proceedings of the 23rd International Conference on Autonomous Agents and Multiagent Systems, pages 1892-1900. DOI: 10.5555/3635637.3663052. Online publication date: 6 May 2024.
  • (2024) Learning Near-Optimal Intrusion Responses Against Dynamic Attackers. IEEE Transactions on Network and Service Management, 21(1):1158-1177. DOI: 10.1109/TNSM.2023.3293413. Online publication date: March 2024.
  • (2024) Human-in-the-Loop Cyber Intrusion Detection Using Active Learning. IEEE Transactions on Information Forensics and Security, 19:8658-8672. DOI: 10.1109/TIFS.2024.3434647. Online publication date: 2024.
  • (2024) A Comprehensive Survey: Evaluating the Efficiency of Artificial Intelligence and Machine Learning Techniques on Cyber Security Solutions. IEEE Access, 12:12229-12256. DOI: 10.1109/ACCESS.2024.3355547. Online publication date: 2024.
  • (2024) Optimal Joint Defense and Monitoring for Networks Security under Uncertainty: A POMDP-Based Approach. IET Information Security, 2024:1-20. DOI: 10.1049/2024/7966713. Online publication date: 27 May 2024.
  • (2024) Optimization of mitigation deployment using deep reinforcement learning over an enhanced ATT&CK. Computing. DOI: 10.1007/s00607-024-01344-4. Online publication date: 6 September 2024.
  • (2024) Optimal Defense Strategy for Multi-agents Using Value Decomposition Networks. Advanced Intelligent Computing Technology and Applications, pages 504-516. DOI: 10.1007/978-981-97-5581-3_41. Online publication date: 1 August 2024.
  • (2024) A Survey on Attack Graph. Network Simulation and Evaluation, pages 36-52. DOI: 10.1007/978-981-97-4522-7_3. Online publication date: 2 August 2024.
  • (2024) A Cybersecurity Evaluation Oriented Attack Scheme Generation System. Network Simulation and Evaluation, pages 336-350. DOI: 10.1007/978-981-97-4519-7_24. Online publication date: 2 August 2024.
  • (2024) Evaluation of a Red Team Automation Tool in Live Cyber Defence Exercises. ICT Systems Security and Privacy Protection, pages 177-190. DOI: 10.1007/978-3-031-56326-3_13. Online publication date: 24 April 2024.