Any computer system with known vulnerabilities can be represented using attack graphs. An attacker generally has a mission to reach a goal state. The Expected Path Length (EPL) [1], in the context of an attack graph, describes the number of steps that the attacker has to take to reach the goal state. However, the EPL varies, depending on the “state of vulnerabilities” [2][3] in a given computer system. Throughout its life cycle, any vulnerability passes through several stages that we identify as “states of the vulnerability life cycle” [2][3]. In our previous studies we developed mathematical models using Markovian theory to estimate the probability of a given vulnerability being in a particular state of its life cycle. There, we considered a typical model of a computer network system with two computers subject to three vulnerabilities, and developed a method driven by an algorithm to estimate the EPL of this network system as a function of time. This approach is important because it allows us to monitor a computer system during the process of being exploited. The non-homogeneous model proposed in this study estimates the behavior of the EPL as a function of time and therefore acts as an index of the risk associated with the network system getting exploited.
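As an added illustration (not the authors' algorithm or code), the sketch below computes an EPL as a function of time by treating an attack graph as an absorbing Markov chain and solving for the expected number of steps to the goal state. Assumptions: the graph topology, the `exploitability` curve and every parameter value are constructed for this example, and the retry-on-failure step rule is one simple modelling choice.

```python
import math

# Constructed attack graph (assumption, not the paper's): state 0 = attacker start,
# states 1 and 2 = vulnerabilities V1, V2 exploited on host A,
# state 3 = V3 exploited on host B (goal, absorbing).
EDGES = {0: [1, 2], 1: [3], 2: [1, 3]}
GOAL = 3
# Constructed per-vulnerability parameters: (probability at t=0, growth rate per day).
PARAMS = {1: (0.20, 0.05), 2: (0.10, 0.02), 3: (0.05, 0.03)}

def exploitability(vuln, t):
    """Illustrative time-dependent chance that one attempt on `vuln` succeeds."""
    base, rate = PARAMS[vuln]
    return 1.0 - (1.0 - base) * math.exp(-rate * t)

def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(n):
            if r != c:
                f = m[r][c] / m[c][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [m[i][n] / m[i][i] for i in range(n)]

def expected_path_length(success):
    """Expected steps from state 0 to GOAL; `success` maps vuln -> P(attempt succeeds)."""
    states = sorted(EDGES)                      # transient states
    idx = {s: i for i, s in enumerate(states)}
    n = len(states)
    # Build (I - Q): the attacker picks an outgoing edge uniformly, moves on
    # success, and stays put (self-loop) on failure.
    a = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for s, targets in EDGES.items():
        for v in targets:
            a[idx[s]][idx[s]] -= (1.0 - success[v]) / len(targets)  # failed attempt
            if v != GOAL:
                a[idx[s]][idx[v]] -= success[v] / len(targets)
    return solve(a, [1.0] * n)[idx[0]]

def epl_at(t):
    return expected_path_length({v: exploitability(v, t) for v in PARAMS})

if __name__ == "__main__":
    for day in (0, 30, 90, 365):
        print(day, round(epl_at(day), 2))
```

Under these constructed parameters the EPL shrinks as the vulnerabilities become easier to exploit, which is the sense in which a falling EPL can be read as a rising risk index.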
References
[1] Kaluarachchi, P.K., Tsokos, C.P. and Rajasooriya, S.M. (2016) Cybersecurity: A Statistical Predictive Model for the Expected Path Length. Journal of Information Security, 7, 112-128. https://doi.org/10.4236/jis.2016.73008
[2] Rajasooriya, S.M., Tsokos, C.P. and Kaluarachchi, P.K. (2016) Stochastic Modelling of Vulnerability Life Cycle and Security Risk Evaluation. Journal of Information Security, 7, 269-279. https://doi.org/10.4236/jis.2016.74022
[3] Rajasooriya, S.M., Tsokos, C.P. and Kaluarachchi, P.K. (2017) Cybersecurity: Nonlinear Stochastic Models for Predicting the Exploitability. Journal of Information Security, 8, 125-140. https://doi.org/10.4236/jis.2017.82009
[4] 2016 U.S. Government Cybersecurity Report. https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Govt_Cybersecurity_Report.pdf
[5] Symantec, Internet Security Threat Report 2016-Volume 21. https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[6] NVD, National Vulnerability Database. http://nvd.nist.gov/
[7] Kijsanayothin, P. (2010) Network Security Modeling with Intelligent and Complexity Analysis. Ph.D. Dissertation, Texas Tech University, Lubbock, Texas, U.S.
[8] Schiffman, M. Common Vulnerability Scoring System (CVSS). http://www.first.org/cvss/
[9] CVE Details. http://www.cvedetails.com/
[10] Frei, S. (2009) Security Econometrics: The Dynamics of (IN) Security. Ph.D. Dissertation, ETH Zurich.
[11] Joh, H. and Malaiya, Y.K. (2010) A Framework for Software Security Risk Evaluation Using the Vulnerability Lifecycle and CVSS Metrics. Proc. International Workshop on Risk and Trust in Extended Enterprises, November 2010, 430-434.
[12] Alhazmi, O.H., Malaiya, Y.K. and Ray, I. (2007) Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers and Security Journal, 26, 219-228. https://doi.org/10.1016/j.cose.2006.10.002
[13] Alhazmi, O.H. and Malaiya, Y.K. (2008) Application of Vulnerability Discovery Models to Major Operating Systems. IEEE Transactions on Reliability, 57, 14-22. https://doi.org/10.1109/TR.2008.916872
[14] Alhazmi, O.H. and Malaiya, Y.K. (2005) Modeling the Vulnerability Discovery Process. Proceedings of 16th International Symposium on Software Reliability Engineering, Chicago, 8-11 November 2005, 129-138. https://doi.org/10.1109/ISSRE.2005.30
[15] Lawler, G.F. (2006) Introduction to Stochastic Processes. 2nd Edition, Chapman and Hall/CRC Taylor and Francis Group, London, New York.
[16] Noel, S., Jacobs, M., Kalapa, P. and Jajodia, S. (2005) Multiple Coordinated Views for Network Attack Graphs. Proceedings of the IEEE Workshops on Visualization for Computer Security, Minneapolis, October 2005, 99-106.
[17] Mehta, V., Bartzis, C., Zhu, H., Clarke, E.M. and Wing, J.M. (2006) Ranking Attack Graphs. In: Zamboni, D. and Krugel, C., Eds., Recent Advances in Intrusion Detection, Volume 4219 of Lecture Notes in Computer Science, Springer, Berlin, 127-144.
[18] Abraham, S. and Nair, S. (2014) Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9, 899-907. https://doi.org/10.12720/jcm.9.12.899-907
[19] Jajodia, S. and Noel, S. (2005) Advanced Cyber Attack Modeling, Analysis, and Visualization. 14th USENIX Security Symposium, Technical Report 2010, George Mason University, Fairfax.
[20] Wang, L., Singhal, A. and Jajodia, S. (2007) Measuring Overall Security of Network Configurations Using Attack Graphs. Data and Applications Security, 21, 98-112. https://doi.org/10.1007/978-3-540-73538-0_9
[21] Wang, L., Islam, T., Long, T., Singhal, A. and Jajodia, S. (2008) An Attack Graph-Based Probabilistic Security Metric. DAS 2008, LNCS 5094, 283-296.