Related Work
2.1 Security Assessment in terms of External Attacks
In most situations, an adversary has no access to the victim system. The attacker must start attacking without any privilege on it, and may try to gather useful information by external exploration and to exploit vulnerabilities to gain a privilege illicitly. Attack graph-based methods assess cyber security by analyzing the potential attack paths that exist in a network. AHP-based methods focus on modeling the security risk yielded by multifarious factors, including various kinds of attacks, system configurations, and so on.
2.1.1 Attack Graph-Based Assessment Methods
Traditionally, tree-based analyses such as event-tree analysis and fault-tree analysis are used in quantitative risk assessment [24, 25]. Event-tree analysis produces the sequences of outcomes that may arise after the occurrence of a selected initiating event. In fault-tree analysis, an undesired event is placed at the root of the fault tree. Administrators deduce, from the top down, the bottom events that may trigger the undesired event, and build a fault tree composed of these events. By traversing the event tree or the fault tree, one can ascertain the probability of occurrence of the undesired event.
Both event-tree and fault-tree analyses, while useful, are less than satisfactory because they are not appropriate for assessing risk that results from multiple criteria. This is because an administrator can select only one undesired event (initiating event) when building a fault tree (an event tree). Therefore, the risk value deduced from the tree concerns a single criterion only.
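As an added illustration (not code from the cited work), the following evaluates a small fault tree with AND/OR gates and extracts its minimal cut sets. The tree, the event names and the probabilities are constructed for the example; basic events are assumed independent, and the tree is built for exactly one undesired top event, which is the limitation discussed above.

```python
# Added example (not from the surveyed papers): evaluating a small fault tree.
# Basic events carry constructed, independent occurrence probabilities;
# gates combine them ("AND": all inputs occur, "OR": at least one occurs).
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class BasicEvent:
    name: str
    probability: float


@dataclass
class Gate:
    name: str
    kind: str                      # "AND" or "OR"
    inputs: List["Node"] = field(default_factory=list)


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Occurrence probability of `node`, assuming independent basic events."""
    if isinstance(node, BasicEvent):
        return node.probability
    child = [probability(c) for c in node.inputs]
    if node.kind == "AND":           # all inputs must occur
        p = 1.0
        for q in child:
            p *= q
        return p
    if node.kind == "OR":            # complement of "none of the inputs occurs"
        none = 1.0
        for q in child:
            none *= 1.0 - q
        return 1.0 - none
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Minimal sets of basic events whose joint occurrence causes the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    per_input = [minimal_cut_sets(c) for c in node.inputs]
    if node.kind == "OR":            # any one input's cut set suffices
        sets = [s for cs in per_input for s in cs]
    else:                            # AND: one cut set from every input
        sets = [frozenset()]
        for cs in per_input:
            sets = [a | b for a in sets for b in cs]
    sets = list(set(sets))
    return [s for s in sets if not any(o < s for o in sets)]


# Constructed tree for a single undesired top event (a fault tree models one
# top event at a time, which is the limitation discussed in the text).
TOP = Gate("database server compromised", "OR", [
    Gate("remote admin login", "AND", [
        BasicEvent("weak_admin_password", 0.2),
        BasicEvent("ssh_exposed_to_internet", 0.5),
    ]),
    BasicEvent("unpatched_web_rce", 0.1),
])

if __name__ == "__main__":
    print(f"P(top event) = {probability(TOP):.3f}")
    for cs in minimal_cut_sets(TOP):
        print("cut set:", sorted(cs))
```

With the constructed values the AND gate contributes 0.2 * 0.5 = 0.1, so the top event has probability 1 - (1 - 0.1)(1 - 0.1) = 0.19; changing the top event means rebuilding the whole tree.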
To remedy the deficiencies of the tree-based methods, in 1999 Phillips et al. proposed an approach to modeling network risk based on an attack graph [2], which draws the paths that may lead from various initial states to an unexpected state of a network. A node in the graph represents a system state, and an edge represents an action that transitions one state to another. An attack graph is generally developed from attack templates, system configurations and attack capabilities [2, 26, 27]. Attack templates mainly describe the pre- and post-conditions of attacks. The conditions may contain information such as user level, vulnerabilities and capabilities. System configurations give the details of the network system; a configuration file should contain the following information: machine type, operating system, open ports, services, network type, and so on. In an attack graph, attack capabilities are represented as the initial states, and they are one of the factors determining the probability of success of an attack.
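To make the three ingredients concrete, the following added example (not the code of any of the cited papers) generates an attack graph by forward search over attack templates, a configuration and the attacker's initial capabilities. All templates, facts and host names are constructed; facts are plain strings, and the search assumes monotonicity, i.e. the attacker never loses a fact once it has been established, so the graph is acyclic.

```python
# Added example (not the code of any surveyed paper): generating an attack
# graph by forward search over attack templates and a configuration.
# Facts are plain strings; an attack template is (preconditions, postconditions).
# Assumption: monotonicity, i.e. the attacker never loses an acquired fact.
from collections import deque

# Constructed attack templates: name -> (preconditions, postconditions)
TEMPLATES = {
    "exploit_web_rce": (
        {"reachable(attacker,web,80)", "vuln(web,remote_code_exec)"},
        {"priv(attacker,web,user)"},
    ),
    "local_privesc_web": (
        {"priv(attacker,web,user)", "vuln(web,local_privesc)"},
        {"priv(attacker,web,root)"},
    ),
    "ssh_with_host_trust": (
        {"priv(attacker,web,root)", "reachable(web,db,22)", "trust(db,web)"},
        {"priv(attacker,db,root)"},
    ),
    "brute_force_db": (
        {"reachable(attacker,db,3306)", "weak_password(db)"},
        {"priv(attacker,db,root)"},
    ),
}

# Constructed system configuration: topology, services, vulnerabilities.
# The database port is not reachable from outside, so brute_force_db never applies.
CONFIGURATION = {
    "reachable(attacker,web,80)", "vuln(web,remote_code_exec)",
    "vuln(web,local_privesc)", "reachable(web,db,22)", "trust(db,web)",
}

# Attack capabilities the adversary starts with (the initial state).
INITIAL_CAPABILITIES = {"priv(attacker,internet,user)"}
GOAL = "priv(attacker,db,root)"


def generate_attack_graph(templates, configuration, initial, goal):
    """Breadth-first forward search. A state is the frozenset of facts that hold;
    an edge (src, attack, dst) applies one template whose preconditions hold in src.
    Returns (states, edges, goal_states)."""
    start = frozenset(configuration | initial)
    states, edges, goal_states = {start}, [], set()
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if goal in state:
            goal_states.add(state)
            continue                     # no need to expand past the goal
        for name, (pre, post) in templates.items():
            if pre <= state and not post <= state:   # applicable and adds a fact
                nxt = frozenset(state | post)
                edges.append((state, name, nxt))
                if nxt not in states:
                    states.add(nxt)
                    queue.append(nxt)
    return states, edges, goal_states


def attack_paths(edges, start, goal_states):
    """All attack sequences from the start state to a goal state (the graph is a
    DAG under monotonicity, so plain depth-first enumeration terminates)."""
    out = {}
    for src, attack, dst in edges:
        out.setdefault(src, []).append((attack, dst))
    paths = []

    def walk(state, path):
        if state in goal_states:
            paths.append(path)
            return
        for attack, dst in out.get(state, []):
            walk(dst, path + [attack])

    walk(start, [])
    return paths


def example_paths():
    """Build the graph for the constructed scenario and enumerate its paths."""
    states, edges, goals = generate_attack_graph(
        TEMPLATES, CONFIGURATION, INITIAL_CAPABILITIES, GOAL)
    start = frozenset(CONFIGURATION | INITIAL_CAPABILITIES)
    return len(states), len(edges), attack_paths(edges, start, goals)


if __name__ == "__main__":
    n_states, n_edges, paths = example_paths()
    print(f"{n_states} states, {n_edges} edges")
    for p in paths:
        print(" -> ".join(p))
```

The configuration decides which templates ever fire: because the database port is unreachable from the attacker, `brute_force_db` never appears in the graph, and the only path is the three-step chain through the web server. Every state carries the full fact set, which is why unrestricted state enumeration grows so quickly with network size.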
Since attack graphs can thoroughly enumerate the possible attack paths within a network, many researchers and professionals have proposed attack graph-based network security measures. Wang et al. [7, 6] presented a generic framework that considers disjunctive and conjunctive dependency relationships between exploits in an attack graph. On top of this framework, an attack resistance metric was proposed to calculate and compare the security of different network configurations. In [4], Mehta et al. presented two algorithms for ranking attack graphs to determine the probability of an attacker reaching the goal states. The first algorithm is similar to Google’s PageRank algorithm for determining the importance of webpages on the World Wide Web [28]; the authors modified Google’s algorithm to find the probability of reaching a certain system state from the initial state. The second algorithm ranks the individual states of an attack graph by a random simulation in which the transition probability from state s_i to s_j equals the reciprocal of the number of successors of s_i.
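The following added example illustrates the random-walk ranking idea on a small constructed attack graph; it is not Mehta et al.'s code. The first function computes the probability that a walk taking each successor with probability 1/(number of successors) reaches a goal state rather than a dead end, and the second ranks states PageRank-style. The damping factor of 0.85 and the uniform redistribution of mass from dead-end states are assumptions in the spirit of PageRank, not details taken from [4].

```python
# Added example (illustrating the ranking idea, not Mehta et al.'s code):
# ranking attack graph states by a random walk in which the transition
# probability from a state to each successor is 1/(number of successors).
# The graph below is constructed; the damping factor and dangling-node
# handling are assumptions in the spirit of PageRank.

# Constructed attack graph: state -> list of successor states.
# "goal" is the attacker's target; "dead_end" is a state with no further exploit.
ATTACK_GRAPH = {
    "initial": ["web_user", "web_root"],
    "web_user": ["goal"],
    "web_root": ["dead_end", "goal"],
    "dead_end": [],
    "goal": [],
}


def goal_reach_probability(graph, start, goals, iterations=200):
    """Probability that the uniform random walk from `start` ends in a goal
    state rather than a dead end (absorbing-chain value iteration)."""
    value = {s: (1.0 if s in goals else 0.0) for s in graph}
    for _ in range(iterations):
        new = {}
        for s, succ in graph.items():
            if s in goals:
                new[s] = 1.0
            elif not succ:
                new[s] = 0.0                      # dead end: the attack fails here
            else:
                new[s] = sum(value[t] for t in succ) / len(succ)
        value = new
    return value[start]


def rank_states(graph, damping=0.85, iterations=100):
    """PageRank-style importance of every state: mass flows along edges with
    probability 1/outdegree; dangling states hand their mass back uniformly."""
    nodes = list(graph)
    n = len(nodes)
    rank = {s: 1.0 / n for s in nodes}
    for _ in range(iterations):
        dangling = sum(rank[s] for s in nodes if not graph[s])
        new = {s: (1.0 - damping) / n + damping * dangling / n for s in nodes}
        for s, succ in graph.items():
            for t in succ:
                new[t] += damping * rank[s] / len(succ)
        rank = new
    return rank


if __name__ == "__main__":
    print("P(reach goal from initial) =",
          goal_reach_probability(ATTACK_GRAPH, "initial", {"goal"}))
    for s, r in sorted(rank_states(ATTACK_GRAPH).items(), key=lambda kv: -kv[1]):
        print(f"{s:10s} {r:.4f}")
```

In the constructed graph the walk from `initial` reaches `goal` with probability 0.5 * 1 + 0.5 * 0.5 = 0.75, and `goal` receives the highest rank because two states feed into it. Note that the uniform 1/successors rule ignores how hard each exploit is; weighting edges by exploit difficulty is the natural refinement.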
[3] and [26] presented an analysis method for determining a minimal set of attacks that must be prevented, since otherwise the goal state will be reached. They also explained how to interpret an attack graph as a Markov Decision Process in order to perform quantitative reliability analysis. A number of researchers have proposed risk assessment and security analysis methods based on Bayesian network-based attack graphs [8, 29, 30]. Bayesian networks enable system administrators to determine the probability of a particular attack being executed from a given initial system state, according to the conditional dependencies among the states already traversed. Dantu et al. [31, 32] also used a Bayesian network-based attack graph for security risk management. The authors integrated behavior-based profiles with the Bayesian network-based attack graph to estimate the risk level based on an attacker’s behavior.
The attack graph-based methods are widely used in network security analysis and assessment because an attack graph provides detailed information about the attacks that exploit the vulnerabilities existing in a network. However, generating an attack graph has high time complexity. In [33], Ou et al. pointed out that the complexity of the attack graph generation algorithm of Ammann et al. [34] is O(N^6) in the size of the network, whereas Ou’s algorithm has O(N^2) complexity under the assumption of constant table look-up time.
In 2005, Ammann et al. [35] proposed an algorithm that tracks only “good” attack paths instead of all possible attack paths; its complexity is polynomial in the size of the network.
According to the discussion in the literature, the complexity of generating an attack graph is a critical issue for attack graph-based assessment methods.
To assess the security of a dynamic network environment, the whole attack graph must be redrawn, because the paths of an attack graph depend tightly on the exploited vulnerabilities and on the nodes. Periodically redrawing the attack graph of a dynamic network, such as a wireless network, can impose a heavy load because topologies and configurations change frequently.
2.1.2 AHP-Based Assessment Methods
The AHP is a structured approach to decision-making problems. It is appropriate for complex decisions involving various decision elements that are difficult to quantify. The AHP consists of developing a hierarchy of decision elements and constructing the relationships between the elements; a weight is set for each element to represent its relationship to the others. The AHP has been applied in many fields, including network risk assessment [9, 10, 11, 12, 13].
Wang and Zeng [12] presented a method of assessing information security risk based on the AHP. They quantified the security risk by integrating the AHP with fuzzy mathematics and artificial neural networks. Zhang et al. [13] proposed an AHP-based risk assessment method for information security. They adopted a group decision-making method to combine the assessment results of individual experts. [12] and [13] concentrate on the design of the methodology and say little about the development of the risk model on top of the AHP.
In [9, 10, 11], Zhao et al. constructed 3-layer hierarchical structures based on the AHP to model wireless network risk. The top layer of their structure is the goal of the risk assessment. The middle layer introduces the rules for weighting the risk factors in terms of probability, impact severity, and uncontrollability. The combination of these factors yields a potential risk value for the network. Illegal actions and system faults that may influence the above elements are listed in the bottom layer. In [9], entropy theory was introduced to determine the coherence of the experts’ judgments. In 2007, Zhao et al. extended their previous risk assessment method, proposed in 2005 [9], by including mobile IP security and wireless interference in the bottom layer to assess the security risk of a wireless network [11].
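The following added example works through the AHP mechanics on a 3-layer hierarchy of the kind described above (goal; probability, impact severity and uncontrollability; bottom-layer risk factors). It is not Zhao et al.'s model or code: the factor names and every pairwise-comparison judgment are constructed, the weights are obtained as the principal eigenvector of each comparison matrix by power iteration, and Saaty's random-index values are used for the consistency ratio that flags incoherent expert judgments.

```python
# Added example (not Zhao et al.'s model or code): a 3-layer AHP hierarchy for
# wireless network risk with constructed pairwise-comparison judgments.
# Layer 1: goal (network risk); layer 2: probability, impact severity,
# uncontrollability; layer 3: risk factors (illegal actions / system faults).
# Saaty's random-index values are used for the consistency ratio.

RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
                7: 1.32, 8: 1.41, 9: 1.45}


def priority_vector(matrix, iterations=100):
    """Principal eigenvector of a pairwise-comparison matrix by power
    iteration, normalised to sum 1, together with the eigenvalue lambda_max."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    return w, lam_max


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR > 0.1 means the
    expert's judgments are too inconsistent to use."""
    n = len(matrix)
    if n <= 2:
        return 0.0
    _, lam_max = priority_vector(matrix)
    return ((lam_max - n) / (n - 1)) / RANDOM_INDEX[n]


def composite_risk(criteria_matrix, factor_matrices):
    """Weight of each bottom-layer factor with respect to the goal: the sum over
    criteria of (criterion weight * factor weight under that criterion)."""
    cw, _ = priority_vector(criteria_matrix)
    n_factors = len(factor_matrices[0])
    scores = [0.0] * n_factors
    for k, fm in enumerate(factor_matrices):
        fw, _ = priority_vector(fm)
        for i in range(n_factors):
            scores[i] += cw[k] * fw[i]
    return scores


# Constructed judgments on Saaty's 1-9 scale; entry [i][j] says how much more
# important element i is than element j (so [j][i] is its reciprocal).
CRITERIA = ["probability", "impact_severity", "uncontrollability"]
CRITERIA_MATRIX = [
    [1.0, 2.0, 4.0],
    [1/2, 1.0, 2.0],
    [1/4, 1/2, 1.0],
]
FACTORS = ["rogue_access_point", "weak_link_encryption", "ap_firmware_fault"]
FACTOR_MATRICES = [
    [[1.0, 3.0, 3.0], [1/3, 1.0, 1.0], [1/3, 1.0, 1.0]],   # w.r.t. probability
    [[1.0, 1/2, 2.0], [2.0, 1.0, 4.0], [1/2, 1/4, 1.0]],   # w.r.t. impact severity
    [[1.0, 1.0, 1.0], [1.0, 1.0, 1.0], [1.0, 1.0, 1.0]],   # w.r.t. uncontrollability
]

if __name__ == "__main__":
    for m in [CRITERIA_MATRIX] + FACTOR_MATRICES:
        assert consistency_ratio(m) <= 0.1, "inconsistent judgments"
    for name, score in zip(FACTORS, composite_risk(CRITERIA_MATRIX, FACTOR_MATRICES)):
        print(f"{name:22s} {score:.3f}")
```

The constructed matrices are perfectly consistent, so the criteria weights come out as 4/7, 2/7 and 1/7 with lambda_max = 3 and CR = 0. A cyclic judgment such as "A over B, B over C, C over A" gives CR well above 0.1 and should be sent back to the expert. Note that the composite score depends only on the judgments, which is the gap discussed next: nothing in the hierarchy reads the actual configuration or topology.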
Compared to the attack graph-based methods, the AHP-based methods require lower time complexity to generate a network risk model. Thus, the AHP is a convincing candidate basis for modeling and assessing the security of a wireless network with changing configurations and dynamic topologies. Moreover, these hierarchical structures, composed of the critical elements for wireless network risk assessment, are useful for measuring network security systematically. However, the existing work ([9], [10] and [11]) only discusses how the risk factors affect network security, without considering the impacts of the actual configurations and network topologies. Because misconfiguration is a main cause of system vulnerability in both wired and wireless networks, the existing 3-layer structures are deficient in modeling network risk.