Network Risk Estimation: A Risk Estimation Paradigm for Cyber Networks

TL;DR

This paper introduces NRE, a probabilistic, data-driven risk estimation method for cyber networks that enhances real-time security assessment by modeling risk propagation and relationships among network components.

Contribution

It proposes a novel risk estimation framework that refines risk assessments using network data, improving visibility and robustness in dynamic cyber environments.

Findings

NRE effectively models risk propagation based on network data.

The method provides real-time risk estimates suitable for deployment.

NRE outperforms pure risk measurement approaches in descriptiveness.

Abstract

Cyber networks are fundamental to many organization's infrastructure, and the size of cyber networks is increasing rapidly. Risk measurement of the entities/endpoints that make up the network via available knowledge about possible threats has been the primary tool in cyber network security. However, the dynamic behavior of the entities and the sparsity of risk-measurable points are limiting factors for risk measurement strategies, which results in poor network visibility considering the volatility of cyber networks. This work proposes a new probabilistic risk estimation approach to network security, NRE, which operates on top of existing risk measurements. The proposed method NRE extracts relationships among system components from the network connection data, models risk propagation based on the learned relationships and refines the estimates whenever risk measurements are provided. In this work, (i) the risk estimation scheme is proposed, (ii) an application of quantitative risk estimates is devised, (iii) descriptiveness of the risk estimates are compared to a pure risk measurement alternative and (iv) low computational complexity of the proposed method is illustrated capable of real-time deployment. The proposed method, NRE, is ultimately a quantitative data-driven risk assessment tool that can be used to add security aspects to existing network functions, such as routing, and it provides a robust description of the network state in the presence of threats, capable of running in real-time.