Document Type : Research Article


Data and Communication Security Lab., Computer Dept., Ferdowsi University of Mashhad, Iran.


In the security risk management of computer networks, some challenges are more serious in large networks. Specifying and estimating risks depends largely on the knowledge of security experts. In this paper, a framework for security risk estimation is proposed to address this issue. It represents the security knowledge required for security risk estimation and utilizes current security metrics and vulnerability databases. This framework is a major step towards automating the process of security risk estimation, so that a network administrator can estimate the risk of the network with less expertise and effort. As a case study, the proposed framework is applied to a sample network to show its applicability and usability in operational environments. A comparison of the results with two existing methods shows the validity of the estimations given by the proposed framework.

