The present invention relates to cyber threats and methods for assessing their risk.
Risk assessments are used to identify, estimate, and prioritize risk organizational operations, organizational assets, personnel, other organizations, and the nation as a whole that depend on the operation and use of information systems. The basis of risk assessments is to notify executive functions and risk responders by pointing to threats, vulnerabilities (inside and outside), and impacts that might be posed by these threats and vulnerabilities. Furthermore, it can compute the likelihood of that impact might occur. However, risk assessment metrics are either assigned as qualitative (low, medium, high severity levels that are assigned for the likelihood) or semi-quantitative (probability values). The present invention provides a quantitative method to assess cyber risk. The Quantitative Risk assessment uses a classical Bayesian estimate. An apriori estimate is based on a Poisson Random arrival probability, and an Exponential Probability Distributions for Detection, Control, and Exploitation, all based on prior history. An aposteriori estimate provides an assessment of risk based on current events in the network and uses the Viterbi algorithm and Baum Welch Algorithm, the underlying foundations of the Hidden Markov Model (HMM), to provide a Network Risk Assessment model that infer an attack's probability. The apriori and aposteriori are then combined to provide an effective quantitative measure of cyber risk in real-time.
Accordingly, there is provided according to the invention a method for quantitatively assessing risk of a computer network to loss from cyber-attack, comprising the steps of: developing apriori estimates of risk based on historical network data; developing aposteriori estimates of risk based on current network data; combining apriori estimates and aposteriori estimates of risk into a real time estimate for the network; wherein said developing apriori estimates and developing aposteriori estimates and combining apriori estimates and aposteriori estimates are executed on one or more computer processors according to computer readable instructions stored on non-transient computer storage media.
There is further provided according to the invention a method for quantitatively assessing risk of a computer network to loss from cyber-attack, comprising the steps of: developing an apriori probability model to attack arrival, success, control, and exploitation using Bayesian methods and historical data; monitoring network packet data on said computer network; generating a current (aposteriori) network risk assessment using a Hidden Markov Model based on said network packet data; populating and updating apriori and aposteriori risk probability matrices with
A, the probability of attack present in time TA
W, the probability of attack success in time TW
E, the probability exploitation in time TE.
based on data from said Hidden Markov Model; and estimating a risk of loss from said apriori and aposteriori risk probability matrices using the formula: Estimated Risk=Σips(i)Loss(τ)i, wherein said developing, monitoring, generating, populating and updating, and estimating steps are executed on one or more computer processors according to computer readable instructions stored on non-transient computer storage media.
The foregoing summary, as well as the following detailed description of the preferred invention, will be better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, they are shown in the drawings embodiments which are presently preferred. It should be understood, however, that the invention is not limited to the precise arrangements and instrumentalities shown. In the drawings:
Poisson Random Arrival Process.
The quantitative risk model of the invention is shown in
Attack Model. In a network, cyber-attacks are considered random processes with a Poisson probability density function (“pdf”). For a specified time-interval (τ), the probability of k occurrences of attack i is given by:
where λi is the average arrival rate of k occurrences of attack i over τ.
Vulnerability Model. The success of an attack depends on the vulnerability in the system and its ability to avoid detection. An exponential probability distribution function is a good representative of detection over a period τ.
p
d=λ2eλ
where λ2 represents the average time for detection, and τ is the time it takes (attack or detection).
Control Model. This models how much time it takes to put network security control in place after detection of a successful attack. The probability of penetration detection is used to model the network security control and exponential probability distribution function and is a good representative.
p
d=λ3eλ
where λ3 represents the average time to control attack.
Impact Model. Successful penetrations cause damage to the organization's data and loss of service. Here the impact of the penetration is a tangible loss limited by the net worth ($NW) of the enterprise. The magnitude of the loss due to attack i is assumed to be proportional to the total penetration time (τp) which exponentially approaches the net worth.
Lossi(τ)=(1−e−λ
where λ4 represents the time constant for dissipation of assets from the enterprise network.
Risk. Based on the foregoing layers, the risk to a network of cyber-attacks is computed as an accumulation of costs and their associated probabilities.
Risk=Σips(i)Loss(τ)i
where ps is the probability of success of an attack ps=1−pd.
Hidden Markov Model.
Turning to the HMM aspect of the invention, the HMM consists of a set of N distinct “hidden” states of the Markov process Q={q1, q2, . . . , qN,} and a set of M observable symbols per State={v1, v2, . . . , vM,}. The overall HMM model is defined as follows with qt and ot denoting the state and observation symbol at time t, respectively.
The HMM is specified by a set of parameters (A, B, Π):
A new feature vector is constructed from the Layer 1 HMMs probable sequence of states. This statistical feature can be considered as a new data matrix VQ that can be applied and a new sequence of observations will be created from the Layer 2 HMM.
The feature vector is constructed as follows:
The Viterbi algorithm finds the best probable path (P) via the model that has the maximal probability given an observed sequence. In other words, the estimated states sequence presents a “most likely” explanation for the observation sequence, given the HMM model parameters. The states in the HMM represent the presence of attacks in the network based on current network traffic, and associated probabilities. This represents useful estimates of the immediate status of the network but does not have the context to estimate the actual risk of the network.
Poisson and HMM, Combined.
The combination of the above-described methodologies considers four stages of an attack: Attack (A), Weakness (W), Control (C) and Exploit (E). The following random variables are assigned:
A is probability of attack present in time TA
W is the probability of attack success in time TW
E is the probability exploitation in time TE.
Bayes theorem (also “Bayes rule”) is applied to the joint pdf P(A, W,
P(E)=P(E|AW
P(AW
P(AW)=P(W|A)P(A)
Combining the above equations provides an overall probability of exploitation as:
P(E)=P(E|AW
An expression for each one of these probabilities for each of N possible attacks P(Ak), the probability of one or more attacks present. Assuming a Poisson pdf of the attacks, the probability of k events in time τ1 with λ1 being the average events in τ1 is chosen as a constant one or more events is equal to 1−P(k=0)
P(An)=1−e−λ
P(Wn|An) is the probability that a weakness Wn will be compromised given the presence of An in an interval T2. Assume this random variable has an exponential pdf:
P
τ
(Wn|An)=∫0τ
where τ2 is a convenient interval, for example, 1 day. Pτ
P
τ
(Wn|A)=∫0τ
Pn (
P
τ
(
Finally,
P
n,τ
(E)=P(E|AnWn
Combining a set of equations:
P
n,τ
(E)=(1−e−λ
Next, a Risk Probability matrix based on probabilities 0 with attacks n=1, 2, . . . , N possible known attacks of interest shown below.
Apriori Risk. In the absence of specific events, this represents an apriori state of the network where the λ's and T's in previous equations are set to some ambient condition from which a risk measure might be computed. This risk measure might follow from prior data, evaluations, practices, and certifications the network may have been awarded.
Aposteriori Risk. Now imagine that events dictate a change in the risk of the network. Say that some new vulnerability, N+1, is discovered. Perhaps a zero-day vulnerability. This particular vulnerability will have its own set of λ's and T's which reflect the increased vulnerabilities of the network. Weaknesses are present at 100% for some time interval and detection and control are absent. This new vulnerability might then significantly increase the risk of the network for some interval of time. This risk measure is the aposteriori risk given the presence of the new event.
The addition of an Intrusion Detection System (IDS) with an HMM engine can detect an attack and provides a confidence level (probability). Depending on the attack and the location of the IDS in the network, the P(E) for each attack is modified by modification of the Risk/Attack matrix. The next step is to map the assortment of attacks and locations in the network into a revised Risk/Attack matrix.
Consider, for example, the detection of a reverse (outbound) channel (Ak) to a non-approved IP address. Ak is one of the known N attacks. This would change the risk matrix by replacing the apriori risk values with updated values as
P
k(A)=Hk,Pk(W)=Hk,Pk(
This specific event would say that the attack was both present and successful, but not yet controlled. If the IDS was internal the router firewall could block this with some probability. Where Hn corresponds to the confidence level of the HMI detection and forces P(Wk)=Hn. An attack detected matrix is shown below.
At this point, the residual risk will shoot up where only the exploit time constant affects the risk.
Combining Multiple Attacks. In the case of (N) multiple attack elements and associated P(En), n=1, 2, . . . , N, the overall risk depends on all of the attacks being managed. The probability of all N attacks being managed is the probability P(E1)∩P(E2)∩ . . . ∩P(En). The probability they are managed for any En is 1−P(En). Thus, the joint probability they are all managed is given by
And the probability they are not managed is
where this is the probability that N attacks lead to a successful exploit. Note that any one P(En) approaching 1 then sets P(E) going to 1. Likewise, note that as the number of attacks grows large, the P(E) tends toward 1.
Risk Estimate. The risk estimate follows from the apriori and aposteriori risk probability matrices and the risk calculation above, Risk=Σi ps(i)Loss(τ)i, as shown in
Risk Measurement Monte-Carlo Simulation. The risk model that uses HIVIM-side information is based on the MATLAB code used for the risk model.
HMM-Side Information-Monte Carlo Simulation. Using Monte Carlo simulation, attacks will have a Poisson probability distribution. These attacks then are filtered through a detection process. An exponential probability distribution characterizes the probability of detecting that attack. At the detection layer, some of these attacks will be detected, in which case they do not proceed. There is also an expectation that there is an exponential probability distribution, that over time, an attack that is present will penetrate. Thus, this third stage models the penetration of an attack.
The last stage is to see if there could be a control of that attack. Again, an exponential probability distribution characterizes the behavior of a control function, so the longer the time, the more likely it will be controlled. The output of this is some aggregate measure of risk, which we do not show here.
On the right side of
This is done in two places, one is to present to actually indicate the presence of an attack (
When an event occurs, the event is smoothened out, so it is distributed over time. The revised threshold is the blending of the HMM with the background level. The result is an exponential function that provides an exaggerated threshold over time showing the probability function, see
The Hidden Markov Model penetration probabilities generated for the penetration events are depicted in
It will be appreciated by those skilled in the art that changes could be made to the preferred embodiments described above without departing from the inventive concept thereof. It is understood, therefore, that this invention is not limited to the particular embodiments disclosed, but it is intended to cover modifications within the spirit and scope of the present invention as outlined in the present disclosure and defined according to the broadest reasonable reading of the claims that follow, read in light of the present specification.
Number | Date | Country | |
---|---|---|---|
63304256 | Jan 2022 | US |