Predictive Cyber-security Analytics Framework: A non-homogenous Markov model for Security Quantification
Subil Abraham, Suku Nair

TL;DR
This paper introduces a stochastic, non-homogeneous Markov model using attack graphs and vulnerability lifecycle data to quantitatively assess and predict enterprise security risks over time.
Contribution
It presents a novel temporal attack graph analysis framework that incorporates vulnerability age and lifecycle models for dynamic security risk quantification.
Findings
Model effectively captures security state variations over time.
Incorporates vulnerability lifecycle data for improved risk prediction.
Provides a quantitative measure of security evolution.
Abstract
Numerous security metrics have been proposed in the past for protecting computer networks. However, we still lack effective techniques to accurately measure the predictive security risk of an enterprise, taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel, as existing research in attack graph analysis does not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches, which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Software Reliability and Analysis Research
