Security and Communication Networks

Volume 2018, Article ID 3652170, 11 pages

https://doi.org/10.1155/2018/3652170

## An Approach for Internal Network Security Metric Based on Attack Probability

^{1}Beijing Key Laboratory of Software Security Engineering Technique, Beijing Institute of Technology, 5 South Zhongguancun Street, Haidian District, Beijing 100081, China

^{2}State Grid Jibei Information & Telecommunication Company, Beijing 100053, China

Correspondence should be addressed to Jingfeng Xue; xuejf@bit.edu.cn

Received 2 November 2017; Revised 10 February 2018; Accepted 15 March 2018; Published 24 April 2018

Academic Editor: Zheng Yan

Copyright © 2018 Chun Shan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

A network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. However, existing research on security metrics based on attack graphs does not fit the characteristics of internal attacks; therefore we propose an internal network security metric method based on attack probability. Our approach has the following benefits: it provides a method of attack graph simplification using monitoring event nodes, which addresses the exponential growth of the attack graph with network size while undermining the disguise of internal attacks and improving the efficiency of the entire method; and its method of attack probability calculation on the simplified attack graph reduces the complexity of internal attacks and improves the accuracy of the approach.

#### 1. Introduction

With the rapid development of network and information technology, the role of information system in enterprise becomes more and more important. At the same time, the number of attacks from internal network has also increased. Therefore, it is necessary to build an effective security metric technology for the internal network.

According to the definition and analysis of internal attacks provided by the Computer Emergency Response Team (CERT) [1], internal attacks are transparent to defensive interception such as access control or firewalls. Internal attacks also carry legitimate system privileges as camouflage, pose a high risk because core confidential resources are easily accessible, and have the complexity of gradual, multistep attacks. A security metric is a proactive defense technology whose role is to actively analyze and evaluate the existing or potential security risks before an attack occurs. When an attack action has occurred, the security metric method needs to analyze and assess the threat of the attack incident, predict the attack paths, and take appropriate defensive measures [2].

The analysis methods in network security can be divided into two types: one addresses the unknown vulnerabilities in a network, mainly considering prevention measures; the other addresses the known vulnerabilities in a network, repairing the weak parts of the network and improving the security of the whole network. As for the unknown vulnerabilities, information security experts have already carried out a lot of research; the main methods are as follows:

(i) Analyze protocol vulnerabilities, such as those of the ARP address resolution protocol: researchers try to find out the protocol vulnerabilities, summarize the vulnerabilities in some areas, give solutions for the deficiencies of the protocol, and thereby achieve the purpose of prevention.

(ii) Analyze the source code of the software: mistakes are unavoidable when programming, such as buffer overflow vulnerabilities. By studying some important code, researchers take necessary precautions against possible errors and issue software patches, so as to improve the overall safety of the software.

Although these methods are effective, they are very abstract and not easy to implement, and the results are relatively few. If we instead start from the known network security vulnerabilities, the task is relatively easy; examples are the graph-theory-based model checking methods, such as the attack graph. The attack graph is a graph-theoretic method that judges network security by studying the nodes of the network and the relationships between them. By building the actual network into a theoretical graph model, the attack graph offers many points for deeper thought, sometimes with unexpected results. For example, constructing a model from the known aspects to simplify or idealize the actual elements allows us to focus on the most important aspects of cybersecurity, ignore the secondary ones, and quickly determine the security of the network. The attack graph model has great advantages over other assessment models and has become one of the most widely used and most studied security metric models.

Although the attack graph can visually indicate the origin and destination of a network attack, it cannot quantitatively describe network security. In order to conduct a quantitative analysis of the possibility of attacks, we introduce the cumulative reachable probability for each node. On this basis, we propose an internal network security metric method based on attack probability to solve the problems of the existing attack-graph security metrics when applied to the internal network.

#### 2. Related Work

The numerous existing studies on network security metrics based on attack graphs mainly focus on the representation of attack graph models, the metrics of indicators, and the conclusions of network security metrics. Earlier researchers mainly addressed the following aspects.

The representation of attack graph models: Xie et al. [3] first explored three sources of uncertainty in the attack graph, but the attack graph model they established carries out probability derivation only when the attack behaviors are determined, so the probability of uncertain monitoring data is not included in the final derivation. Wang et al. [4] proposed a probabilistic attribute description of the attack graph based on the probability of attacks and the cost of the network deployments, using the cumulative reachable probability to evaluate the safety of the whole network, but they did not take into account the impact of other uncertain factors.

The metrics of indicators: Li et al. [5] used CVSS to evaluate vulnerabilities and proposed a general approach for network security metrics based on vulnerabilities, but they only considered the probability of a single vulnerability node, ignoring the exposure of that node within the whole system, especially the indicators between vulnerability nodes.

The conclusions of network security metrics: in terms of attack probability calculation, Wang et al. [6] use a Bayesian network algorithm to calculate the risk probability of internal nodes and quantify the node variables, the node variable values, and the conditional probability distribution. Based on an improved likelihood weighting algorithm, the calculation of Bayesian network node parameters is more convenient and the internal threat forecast is more accurate. However, this approach did not take into account the vulnerabilities' own indicators. Zhang et al. [7] proposed satisfying the temporal order of attack evidence, using a Bayesian network algorithm to analyze the security of all attack paths. However, the probability confidence of nodes in the attack graph is complicated and lacks mathematical theory, and the computational model is too complicated to work efficiently.

In this paper we propose an internal network security metric based on attack probability on the attack graph model [8]. Because internal attacks are characterized by camouflage and complexity, we add monitoring event nodes and key-value pairs to the attack graph. Compared with other security metrics, our internal network security metric clearly improves efficiency and accuracy with the help of the attack graph simplification method and the cumulative reachable probability calculation method.

#### 3. An Approach for Internal Network Security Metric Based on Attack Probability

##### 3.1. Method Overview

In order to understand the characteristics and the occurrence environment of internal attacks, we proceed as follows. First, from the original attack graph and the attack evidence provided by the security monitoring system, we obtain the temporal difference relationship of the monitoring event nodes and simplify the attack graph using that relationship. Second, we divide the simplified attack graph into key-value pairs and calculate the probability of each key-value pair. Third, we calculate the cumulative reachable probability with the attack probability calculation method we propose. Finally, the quantitative evaluation of the current internal network is given by the cumulative reachable probability of the target node. The specific steps are shown in Figure 1.
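The four steps of the overview, carried through on a toy attack graph as an added example (this is not the paper's code or data). The graph, its single-step success probabilities and the monitoring events are constructed sample values. Two details the overview does not yet fix are assumed here and marked in the comments: the simplification rule drops an edge whose direction contradicts the observed order of monitoring events and then prunes nodes that are no longer on any entry-to-target path, and the cumulative reachable probability of a node is combined over its predecessors as 1 minus the product of the per-predecessor miss probabilities, with nodes that carry attack evidence treated as already reached.

```python
"""Toy walk-through of the method overview: simplify an attack graph with
monitoring events, split it into key-value pairs, and compute the cumulative
reachable probability (CRP) of the target node.

Added example; not the paper's implementation. The pruning rule and the
probability combination formula are assumptions, see the comments."""
from collections import defaultdict
from functools import lru_cache

# Constructed attack graph: node -> [(successor, single-step success probability)].
# The probabilities are made-up sample values, not figures from the paper.
ATTACK_GRAPH = {
    "entry": [("ftp_host", 0.8), ("mail_host", 0.6)],
    "ftp_host": [("db_host", 0.5), ("file_srv", 0.7)],
    "mail_host": [("db_host", 0.4), ("admin_pc", 0.3)],
    "file_srv": [("db_host", 0.6)],
    "admin_pc": [("db_host", 0.9)],
    "db_host": [],
}

# Constructed monitoring events: node -> time at which the security monitoring
# system recorded attack evidence on that node.
MONITOR_EVENTS = {"entry": 100, "file_srv": 125, "ftp_host": 130}


def predecessors(graph):
    """Reverse adjacency: node -> [(predecessor, edge probability)]."""
    rev = defaultdict(list)
    for u, succs in graph.items():
        for v, p in succs:
            rev[v].append((u, p))
    return rev


def simplify(graph, events, entry, target):
    """Step 1 (assumed rule): drop edges u->v where both ends were observed but
    u was seen no earlier than v (the temporal difference contradicts the edge),
    then keep only nodes that still lie on some entry->target path."""
    kept = {}
    for u, succs in graph.items():
        kept[u] = [(v, p) for v, p in succs
                   if not (u in events and v in events and events[u] >= events[v])]
    # Nodes reachable forward from the entry point.
    fwd, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n not in fwd:
            fwd.add(n)
            stack.extend(v for v, _ in kept.get(n, []))
    # Nodes from which the target is reachable.
    rev = predecessors(kept)
    bwd, stack = set(), [target]
    while stack:
        n = stack.pop()
        if n not in bwd:
            bwd.add(n)
            stack.extend(u for u, _ in rev[n])
    live = fwd & bwd
    return {u: [(v, p) for v, p in succs if v in live]
            for u, succs in kept.items() if u in live}


def key_value_pairs(graph):
    """Step 2: one key-value pair per edge, (predecessor, successor) -> probability."""
    return {(u, v): p for u, succs in graph.items() for v, p in succs}


def cumulative_reachable_probability(graph, entry, evidence=frozenset()):
    """Step 3 (assumed formula): CRP(entry) = 1; a node with monitoring evidence
    is treated as reached (CRP = 1); otherwise
    CRP(v) = 1 - prod over predecessors u of (1 - CRP(u) * p(u, v)).
    The simplified graph is assumed to be acyclic."""
    rev = predecessors(graph)

    @lru_cache(maxsize=None)
    def crp(v):
        if v == entry or v in evidence:
            return 1.0
        miss = 1.0
        for u, p in rev[v]:
            miss *= 1.0 - crp(u) * p
        return 1.0 - miss

    return {v: crp(v) for v in graph}


def internal_network_metric(graph=ATTACK_GRAPH, events=MONITOR_EVENTS,
                            entry="entry", target="db_host"):
    """Steps 1-4 end to end; returns the simplified graph, the key-value pairs
    and the CRP of the target node, which is the metric of the current network."""
    simplified = simplify(graph, events, entry, target)
    pairs = key_value_pairs(simplified)
    crp = cumulative_reachable_probability(simplified, entry, frozenset(events))
    return simplified, pairs, crp[target]


if __name__ == "__main__":
    simplified, pairs, metric = internal_network_metric()
    print("simplified graph:", simplified)
    print("key-value pairs:", pairs)
    print("CRP of target db_host: %.5f" % metric)
```

On the sample data the edge ftp_host -> file_srv is removed because file_srv was observed before ftp_host, file_srv then drops out of the graph as it is no longer reachable from the entry, six key-value pairs remain, and the target's CRP rises from 0.617872 (no evidence applied) to 0.68156 once ftp_host is treated as already reached.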