Analytical modeling and assessment of cyber resilience on the base of stochastic networks conversion

Igor Kotenko
St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS)
Saint-Petersburg, Russia
[email protected]

Igor Saenko
St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS)
Saint-Petersburg, Russia
[email protected]

Oleg Lauta
St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS)
Saint-Petersburg, Russia
[email protected]

978-1-5386-7030-9/18/$31.00 ©2018 IEEE

Abstract— In the paper the term cyber resilience is interpreted as the stability of computer networks or systems operating under the impact of cyber attacks and other negative impacts, including the influence of inappropriate, dubious and harmful information. We consider an approach for the construction of analytical models of cyber attacks and negative impacts based on stochastic networks conversion. This approach has high accuracy and stability of the decisions and has worked well for modeling multi-stage stochastic processes of different nature. The result of the modeling is the distribution function of the time and the average time for implementation of cyber attacks. We also build analytical models for implementation of countermeasures, and integrate them with the analytical models of cyber attacks. As the result the integrated analytical model of the behavior of computer networks under conditions of cyber actions is formed. These models allow one to estimate and to choose the most effective countermeasures. These estimates are then used to find the indicators of cyber resilience. The results of experimental evaluation of cyber resilience of computer networks and discussion are given.
Keywords—cyber security, cyber attacks, attack modeling, cyber resilience, stochastic networks
I. INTRODUCTION
The modern state of information and telecommunication technologies is characterized by an increase of security threats for computer networks and systems, the most dangerous of which are cyber attacks. Possible results of the impact of cyber attacks against computer networks and systems are unauthorized access, blocking the control information, intrusion of inappropriate, dubious and harmful information, violating the established regulations on information collecting, processing and transferring, failures in the computer network, compromise of the transferred or obtained information, etc. Thus cyber attacks and the ability to counteract them are the key factors defining the resilience of computer networks. The ability of computer networks to maintain the acceptable service level in the conditions of malfunctions and violations of the normal operating mode is considered as cyber resilience [1, 2]. For its assessment it is necessary to define the corresponding indicators of cyber resilience [3]. At the same time such stages of ensuring cyber resilience in the conditions of cyber attacks and other negative impacts as planning, preparation, detection, countermeasure generation and restoration [4] are considered.
The approach considered in the paper follows these principles. However, it has some peculiar properties. As the indicator allowing one to estimate the critical functionality of computer networks taking into account the priority of communication services, we suggest using the coefficient of serviceability. This indicator is calculated through similar indicators applied to the communication directions and to the routes existing between critical network nodes. A communication direction is understood as a set of various routes used for information transmission from a source to a recipient. At the same time, the analytical models of the attacks, formed by means of the method offered in the paper, cover all stages of ensuring cyber resilience. These models consider the functioning of the network at the initial stage of the cyber attack (scanning of the network), at the stages of its realization and detection, and at the stage of counteraction against the attack and network recovery. The stage of planning is considered indirectly, by the analysis of the calculated estimates to choose the most acceptable option of the network creation.
The offered approach is based on creating and analyzing the analytical models of cyber attacks and countermeasures. The modeling results are the distribution function of the time and the average time for implementation of cyber attacks. These estimates are used to find the indicators of cyber resilience of the network. Creation of the analytical models of cyber attacks is based on the method of stochastic networks conversion [5]. This method is distinguished by high precision and stability of the obtained solutions. It has proved itself well for modeling of multi-step stochastic processes in different applications.
The considered approach was developed in relation to modeling of computer attacks in our previous works [6, 7], where on its basis some of the most widespread attacks were described and analyzed. In this paper, this approach is further developed. The model for a rather popular attack "Network traffic analysis" is offered. This model received a detailed experimental evaluation. This attack is an example of the
attack of passive type which does not destroy the network, but
reveals the important information the malefactor can use for
carrying out more serious attacks subsequently. Besides, we
offer the model describing the attack countermeasures based on
anti-virus protection. Using these models, the cyber resilience
of computer network in the conditions of cyber attacks and
implementation of countermeasures is assessed.
The theoretical contribution of the paper consists in further development of methods for analytical modeling of cyber attacks and countermeasures and in their application for cyber resilience assessment as a very important property of a computer network or system. The novelty of the results is defined by the use of the method of stochastic networks conversion for analytical modeling of processes of joint realization of cyber attacks and countermeasures.
The authors believe that this approach is also applicable to
the construction of systems to protect against inappropriate,
dubious and harmful information [8].
The structure of the paper is as follows. In section 2 the
review of related work is given. Section 3 considers the
mathematical bases of analytical modeling of cyber attacks by
method of stochastic networks conversion and assessment of
cyber resilience of computer networks. Section 4 contains the
results of analytical modeling. The results of experimental
assessment of cyber resilience of computer networks are given
in section 5. Section 6 contains the main conclusions and the
directions of further research.
II. RELATED WORK
The traditional definition of resilience of various systems is stated in [9]. According to this definition, the resilience of a system is perceived as its ability to plan and prepare for, absorb, respond to, and recover from disasters and adapt to new conditions. In many works, for example, in [10-12], it is shown how this definition is considered in research works on the resilience of systems of various nature.
However, for computer networks, considering their role in information infrastructures as the key systems providing exchange of information with the necessary quality, this understanding of resilience demanded further development. Linkov et al., when considering the resilience of a computer network, suggested considering its critical functionality. The critical functionality is defined as an indicator of system performance, which is introduced to derive an integrated measure of resilience [13]. An example of the indicator considering critical functionality is the percentage of nodes that are functioning [4]. However, this indicator does not consider the importance of particular nodes and their influence on the achievement of the general mission of the network.
In our work, the idea of critical functionality has been further developed in connection with large-scale computer networks, in which the main purpose is the transfer of information between remote subscribers. The coefficient of serviceability, offered in the paper as a critical functionality, shows in general the ability of a network to function according to its purpose under the impact of cyber attacks during the total network operation time.
The known approaches to assessment of resilience of computer networks and systems can be divided into two groups: analytical and simulation-based.
The first group includes the approaches based on the following mathematical apparatus: probabilistic graphs [14]; Markov models [15, 16]; some kinds of stochastic networks, in particular, generative stochastic networks [17, 18]. A disadvantage of the analytical models based on probabilistic graphs is the impossibility of obtaining with their help the distribution functions of the time for realization of cyber attacks of any type [14]. This results from the fact that only the main theorems of probability theory (the theorems of addition and multiplication of probabilities) are used in them. The approaches using Markov models [15, 16] do not have this drawback. However, their application is extremely difficult for computer networks of large dimension due to the complexity of forming the set of possible security states and transitions between them. The results received by means of generative stochastic networks [17, 18] did not concern the modeling of cyber attacks. However, they confirmed the high effectiveness of the use of stochastic networks as a modeling tool for assessing cyber resilience.
The following mathematical theories are used in various approaches to the analysis of cyber attacks based on simulation: queuing networks [19, 20]; attack graphs [21]; logical models, in particular, situation calculus [22]. The frameworks based on the application of queuing networks [19, 20] assume that service requests arrive according to a priori known distribution laws. However, in practice these laws are not known. In the system based on attack graphs [21] it is possible to predict the directions of further actions of the malefactor. However, this system does not allow obtaining the distribution functions for the attack realization time and does not allocate the communication directions and routes in networks. As a result, the assessment of cyber resilience becomes difficult. In the simulator based on situation calculus [22], goal-directed procedure invocations are realized, which allows one to imitate intelligent attackers. At the same time, a library of attack scenarios is used. However, there is no possibility of finding the distribution functions for the cyber attack realization time. For this reason the application of this tool for cyber resilience assessment on the offered critical functionality indicator leads to low accuracy of such assessment.
Thus, from the analysis of related works it is possible to draw the following conclusions. First, stochastic analytical modeling has the great opportunities necessary for the development of countermeasures in modern cyber security systems. Secondly, stochastic models have to be applicable for modeling of cyber attacks and countermeasures. Thirdly, the approaches considered above do not fully meet these requirements. The offered method of stochastic networks conversion allows eliminating this shortcoming.
III. MATHEMATICAL FOUNDATIONS
A. Method of stochastic networks conversion
The essence of the offered method consists in the representation of an attack in the form of a stochastic network, the replacement of a set of elementary branches of the network by one equivalent branch, the definition of the equivalent function and the calculation on its basis of the initial moments and the distribution function of the random execution time of the attack.
By a stochastic network we mean a set of interconnected
vertices and branches (elementary processes), the connection
of which corresponds to the algorithm for implementing the
attack [23].
The time of realization of branches has a priori given
probabilistic distribution, average value and dispersion.
The network has a bipolar appearance and consists of entrance, intermediate and output vertexes. Vertexes define conditions, and branches define the times of performance of elementary processes. Each intermediate vertex performs entrance and output functions.
The entrance function defines a logical condition under
which an elementary process will be executed. The output
function determines which of the operations, following the
vertex, will be executed. The entrance vertex performs only the
previous output function, and output – only the entrance
function. For each branch the transfer function, playing a role
of a conditional characteristic function, is defined. It represents
Laplace transform [24] of probability density function (PDF)
for time of realization of an elementary process.
Reduction of a stochastic network to one equivalent branch and formation of an equivalent function is carried out by the topological conversion of the network. For this purpose three kinds of paths are allocated in the network: consecutive, parallel and loop-shaped paths. Then equivalent functions are defined for these paths. Every path comes down to one branch.
A loop is a connected closed sequence of oriented branches
of a stochastic network, each vertex of which is common to
exactly two branches or a branch connecting the vertex to
itself. Equivalent function of a loop of k-th order is as follows
[25]:
$$Q_k(s) = \prod_{i=1}^{k} Q_i(s), \qquad (1)$$

where Q_i(s) is the equivalent function of the i-th loop of the first order, defined as the product of the equivalent functions of the branches within the loop.

Let us conventionally close the network's output to its input. Then the network becomes closed. In this case, to determine the equivalent function of the original network we can use Mason's equation for closed graphs [25]:

$$H = 1 + \sum_{k=1}^{K} (-1)^{k} Q_k(s) = 0, \qquad (2)$$

where K is the maximum order of the loops included in the stochastic network.

The equivalent function allows one to define the first moments of the random time for the attack implementation. If the distribution function of the time for the attack implementation is denoted by G(t), then the equivalent function g(s) is calculated as follows [24]:

$$g(s) = \int_{0}^{\infty} \exp(-st)\, dG(t). \qquad (3)$$

If the inverse Laplace transform [24] is applied to the equivalent function of a certain process, the result of such a transform is the PDF of the execution time of this process.

B. Assessment of cyber resilience of computer networks
As an indicator of the resilience of the computer network when exposed to cyber attacks (or cyber resilience), it is proposed to use the coefficient of serviceability (K_sa), which is calculated as follows:

$$K_{sa} = T_{correct} / T_{total},$$

where T_correct is the time of correct operation of the network (without negative influence of attacks) and T_total is the total time of the network operation.

To determine K_sa of the whole network, at first it is necessary to find the coefficients of serviceability for each route in the conditions of attacks and impacts on these routes. For these purposes the average downtime and the average time of correct network operation over a sufficiently long period of time are calculated. As a result, the coefficient of serviceability of the j-th route can be represented in the following form:

$$K_{sa,j} = \frac{t_{n,j}}{t_{ent,j} + t_{n,j} + t_{CA,j} + t_{cm,j}}, \qquad (5)$$

where t_{n,j} is the average time of transfer, t_{ent,j} is the average time of entry into communication, t_{CA,j} is the average time of cyber attack realization, and t_{cm,j} is the average time of realization of countermeasures on the route j.

As the information transmission route consists of several communication intervals, the coefficient of serviceability K_{sa_CM,j} of the composite route j is calculated as follows:

$$K_{sa\_CM,j} = \prod_{l=1}^{O_j} K_{sa,jl}, \qquad (6)$$

where O_j is the total number of intervals in the route j and K_{sa,jl} is the coefficient of serviceability of the interval l on the route j.
The coefficient of serviceability K_{sa_D,i} for the communication direction i may be defined by the following expression:

$$K_{sa\_D,i} = K_{rel\_D,i} \left[ 1 - \prod_{j=1}^{N} \left( 1 - K_{sa\_CM,j} \right) \right], \qquad (7)$$

where K_{rel_D,i} is the coefficient of connectivity of the communication direction i considering roundabout routes, and the product runs over the N routes of this direction. The value of K_{rel_D,i} lies in the range from 0 to 1. The coefficient of connectivity can be set by experts or be calculated. The technique of its calculation is given in [6].

Given that the computer network consists of M communication directions, the coefficient of serviceability of the computer network K_sa in the conditions of cyber attacks is determined on the basis of the following expression:

$$K_{sa} = K_{rel} \left[ 1 - \prod_{i=1}^{M} \left( 1 - K_{sa\_D,i} \right) \right],$$

where K_rel is the coefficient of the connectivity of the network.

Thus, to define the coefficient of serviceability of a computer network, at first it is required to determine the probabilistic and time characteristics of the attacks and countermeasures. In the next section we will give examples of finding such characteristics.

IV. RESULTS OF ANALYTICAL MODELING
As an example for analytical modeling of cyber attacks and countermeasures we will choose the attack "Network traffic analysis" and a process of overcoming the anti-virus system protection by a malefactor.

A. Model of the attack "Network traffic analysis"
The implementation of the attack "Network traffic analysis" has the following stages:
• start of the network scanner for the average time t_start with the time distribution function W(t);
• determination of the parameters of interception of the traffic for the average time t_elem with the time distribution function Q(t);
• interception of the traffic with the probability P_n for the average time t_OS with the time distribution function D(t);
• the statistical analysis and preparation of the report for the average time t_ser with the time distribution function L(t).
At the same time, if information is not intercepted, then with the probability (1 − P_n) the network scanner will be restarted for the average time t_rep with the time distribution function Z(t). The stochastic network representing the stages of the attack "Network traffic analysis" is depicted in Fig. 1.

[Fig. 1: branches w(s), q(s), d(s), P_n, l(s) and the return branch 1 − P_n, z(s)]
Fig. 1. The stochastic network of the attack "Network traffic analysis"

The functions w(s), l(s), q(s), d(s) and z(s) at the exit of the vertexes of the stochastic network are equivalent functions, calculated by applying the Laplace transformation to the functions W(t), L(t), Q(t), D(t) and Z(t), respectively.
The equivalent function keeping the distribution parameters and the logic of interaction of elementary stochastic processes in the structure is the result of stochastic network conversion. It allows one to define the first moments of the random time of this attack implementation.
Let us pass to a closed stochastic network. For this purpose we will connect its input and output. The result is outlined in Fig. 2.

[Fig. 2: branches z(s), w(s), q(s), 1 − P_n, d(s), P_n, l(s) and Q_a(s)]
Fig. 2. Closed stochastic network of the attack "Network traffic analysis"

The first order loops are loops that do not contain other loops and allow one to reach each vertex in the loop from any other. The loop of k-th order is a set of k unconnected loops of the first order. Let us define all loops in Fig. 2.
First, let us define the loops of the first order. The total number of such loops is equal to 2. The first loop of the first order consists of the series-connected branches w(s), q(s), d(s), P_n, and l(s). The equivalent function for this loop has the following form:

$$h_1(s) = w(s)\, q(s)\, d(s)\, P_n\, l(s).$$

The second loop of the first order consists of the following series-connected branches: (1 − P_n), z(s), and q(s). Its equivalent function is:

$$h_2(s) = (1 - P_n)\, z(s)\, q(s).$$

Applying Mason's equation allows one to create the equivalent function for the whole network. It will have the following form:
$$h(s) = \frac{w(s)\, q(s)\, d(s)\, P_n\, l(s)}{R(s)},$$

where R(s) = 1 − (1 − P_n)·z(s)·l(s).

Using the Laplace transform and the Heaviside expansion theorem [26], the integral function of distribution (IFD) of the time for implementation of the cyber attack can be defined as follows:

$$F(t) = \sum_{k=1}^{5} \frac{w\, q\, d\, P_n\, l\, o\, (z + s_k)}{\Delta(s_k)\, s_k} \left[ 1 - \exp(-s_k t) \right],$$

where Δ(s_k) is a conditional denotation of the polynomial in the denominator; s_k are the poles of the decomposition; w = 1/t_start; l = 1/t_elem; q = 1/t_OS; d = 1/t_ser; z = 1/t_rep.
The polynomial Δ(s) has the following form:

$$\Delta(s) = (w + s)(d + s)(m + s)\left[ (l + s)(z + s) - (1 - P_n)\, z\, l \right].$$

The average time T for implementation of the cyber attack is defined as follows:

$$T = \sum_{k=1}^{5} \frac{w\, q\, d\, P_n\, l\, o\, (z + s_k)}{\Delta(s_k)\, s_k^{2}}.$$

The values of the equivalent functions and the time distribution functions for each stage of the cyber attack "Network traffic analysis" are presented in Table 1.

TABLE I. FUNCTIONS TO ESTIMATE THE DURATION OF THE CYBER ATTACK STAGES
Stage # | Equivalent function | Time distribution function
1 | w(s) = w / (w + s) | W(t) = 1 − exp(−wt)
2 | l(s) = l / (l + s) | L(t) = 1 − exp(−lt)
3 | q(s) = q / (q + s) | Q(t) = 1 − exp(−qt)
4 | d(s) = d / (d + s) | D(t) = 1 − exp(−dt)
5 | z(s) = z / (z + s) | Z(t) = 1 − exp(−zt)

B. The model of the cyber attack counteraction
The model of cyber attack counteraction is considered as a process of overcoming the available security components by a malefactor. A security component is overcome if the time of its overcoming is less than the time between adjacent changes of its parameters.
Then the probability of computer network protection from the impact of cyber attacks is defined as

$$P_{prot} = 1 - \prod_{k=1}^{K} P_{overcom,k},$$

where K is the quantity of security components which need to be overcome; P_overcom,k is the probability of overcoming the security component k by a malefactor.
In case of exponential approximation of the distributions and independence of the initial characteristics:

$$P_{overcom,k} = \frac{t_{f,k}}{t_{f,k} + t_{ov,k}},$$

where t_f,k is the average time between adjacent changes of the parameters of the security component k, and t_ov,k is the average time of overcoming this security component.
To find t_f,k and t_ov,k we will construct a reference model for the process of overcoming the security component by a malefactor. As an example, we will consider a process of infection of a computer on which the system of virus protection is installed.
An implementation of this attack has the following stages:
• receiving on the port of the computer a packet of the message infected with a malicious code for the average time t_infect with the time distribution function W(t);
• defragmentation of this packet by the network interface card of the computer for the average time t_defrag with the time distribution function Q(t);
• start of the scanner of the anti-virus system and the check of this packet with its help in the random access memory of the computer for the average time t_check with the time distribution function D(t);
• overcoming of the anti-virus system by the malicious code with the probability P_I for the average time t_over with the time distribution function L(t);
• computer infection for the average time t_block with the time distribution function O(t).
With probability (1 − P_n), the attack will be restarted for the average time t_rep with the time distribution function Z(t). The stochastic network for this process is outlined in Fig. 3.

[Fig. 3: branches w(s), q(s), d(s), l(s), P_I, o(s) and the return branch 1 − P_n, z(s)]
Fig. 3. A stochastic network of the attack against the computer with an installed virus protection system
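As an added example (not code from the paper), the following script performs the stochastic network conversion of section IV.A numerically for the attack "Network traffic analysis" and checks the resulting mean attack time against a Monte Carlo run in the spirit of the simulation testbed of section V.C. It assumes exponential branch times as in Table 1 and the loop structure h1 = w q d Pn l, h2 = (1 − Pn) z q given above (our reading: the restart branch z returns to the q stage); it uses the input values of Fig. 4, but the numbers it yields depend on this assumed topology and are not those reported for Fig. 4.

```python
"""Added example (not from the paper): numerical stochastic network conversion
for the attack "Network traffic analysis" (section IV.A).

Assumed topology (our reading of Fig. 1 and of the loops h1, h2):
    start w -> elem q -> [P_n] -> OS d -> ser l -> end
                      \\-> [1 - P_n] -> rep z -> back to elem q
Each branch time is exponential with the given mean (Table 1), so its
equivalent function is a/(a + s) with a = 1/mean.  Closing the network and
applying Mason's equation (2) gives h(s) = h1(s) / (1 - h2(s)) with
h1 = w q d P_n l and h2 = (1 - P_n) z q.  The mean attack time is the first
moment of (3): T = -dh/ds at s = 0.
"""
import random


def exp_branch(mean_time):
    """Equivalent (Laplace) function of an exponentially distributed branch."""
    rate = 1.0 / mean_time
    return lambda s: rate / (rate + s)


def equivalent_function(t_start, t_elem, t_os, t_ser, t_rep, p_n):
    """h(s) of the whole network after stochastic network conversion."""
    w, q, d, l, z = (exp_branch(t) for t in (t_start, t_elem, t_os, t_ser, t_rep))

    def h(s):
        h1 = w(s) * q(s) * d(s) * p_n * l(s)   # first-order loop 1: the success path
        h2 = (1.0 - p_n) * z(s) * q(s)          # first-order loop 2: the restart
        return h1 / (1.0 - h2)                  # Mason's equation; the loops share q

    return h


def mean_attack_time(h, step=1e-6):
    """First moment from the equivalent function: T = -h'(0), by central difference.
    h is a smooth rational function of s, so the O(step^2) error is far below 1e-4."""
    return -(h(step) - h(-step)) / (2.0 * step)


def mean_attack_time_closed_form(t_start, t_elem, t_os, t_ser, t_rep, p_n):
    """The same T by direct reasoning on the assumed topology: the q stage is
    repeated a geometric number of times (mean 1/P_n) and every failed attempt
    additionally costs one restart branch z."""
    return t_start + t_elem / p_n + (1.0 - p_n) / p_n * t_rep + t_os + t_ser


def simulate_attack_time(t_start, t_elem, t_os, t_ser, t_rep, p_n, n_runs, seed=1):
    """Monte Carlo counterpart of the analytical model (cf. the testbed of
    section V.C): sample mean of the attack time over n_runs independent runs."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n_runs):
        t = rng.expovariate(1.0 / t_start)           # start of the network scanner
        while True:
            t += rng.expovariate(1.0 / t_elem)       # determine interception parameters
            if rng.random() < p_n:                   # intercepted: leave the loop
                break
            t += rng.expovariate(1.0 / t_rep)        # not intercepted: restart
        t += rng.expovariate(1.0 / t_os)             # interception of the traffic
        t += rng.expovariate(1.0 / t_ser)            # statistical analysis and report
        total += t
    return total / n_runs


if __name__ == "__main__":
    # Input values of Fig. 4: t_start = 2, t_elem = 2, t_OS = 30, t_ser = 4, t_rep = 1 min
    for p_n in (0.1, 0.5, 0.9):
        h = equivalent_function(2.0, 2.0, 30.0, 4.0, 1.0, p_n)
        print(f"P_n = {p_n}: h(0) = {h(0.0):.6f}, "
              f"T = {mean_attack_time(h):.3f} min (from h), "
              f"{mean_attack_time_closed_form(2.0, 2.0, 30.0, 4.0, 1.0, p_n):.3f} (closed form), "
              f"{simulate_attack_time(2.0, 2.0, 30.0, 4.0, 1.0, p_n, 20000):.3f} (simulated)")
```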
The procedure of calculating is, in essence, similar to the calculations for the previous attack. Therefore we will directly give the estimated expressions for the IFD and the average time of the attack implementation.
The IFD F(t) and the average time T of the attack implementation will be as follows:

$$F(t) = \sum_{k=1}^{6} \frac{w\, q\, d\, l\, P_n\, o\, (z + s_k)}{\Delta(s_k)\, s_k} \left[ 1 - \exp(-s_k t) \right],$$

$$T = \sum_{k=1}^{6} \frac{w\, q\, d\, P_n\, l\, o\, (z + s_k)}{\Delta(s_k)\, s_k^{2}}.$$

V. EXPERIMENTAL RESULTS
A. Assessment of the attack implementation time
The results of the calculations of F(t) and T for the attack "Network traffic analysis" are represented in the form of dependences in Fig. 4.

[Fig. 4: a) F(t) versus t, min; b) t_CA, min, versus P_n]
Fig. 4. Probabilistic and temporal characteristics of the cyber attacks like "Network traffic analysis" (a – dependence of the IFD on the cyber attack implementation time; b – dependence of the average time of the cyber attack implementation on the probability Pn)

As input data we use the following values of the average times of this attack and the transition probability: t_start = 2 min, t_elem = 2 min, t_OS = 30 min, t_ser = 4 min, t_rep = 1 min, Pn = 0.1,…,0.9.
The analysis of the dependences in Fig. 4-a and Fig. 4-b shows that the implementation of the attack "Network traffic analysis" requires 300 minutes with the probability Pn = 0.1 and 25 minutes in case of Pn = 0.9. These dependences allow us to estimate the influence of the probability of finding the active network elements, the types of operating systems and services (in a time not exceeding the set time) on the attack implementation time distribution function. It can be seen that an increase in Pn reduces the average time of the attack implementation. However, in the process of increasing Pn the influence on the IFD F(t) decreases. When Pn exceeds the value 0.5, this influence is negligible. The average time of the cyber attack implementation also depends on the probability Pn. In case Pn exceeds 0.5, the average time of this attack implementation increases not very strongly. It changes from 25 (in case of Pn = 0.9) up to 50 minutes (in case of Pn = 0.5). If the probability Pn < 0.5 and it decreases further, then the average time of the attack implementation begins to increase significantly, reaching the value of 300 minutes in case of Pn = 0.1. It means that in case of a small value of Pn the malefactor cannot correctly reveal the vulnerability the first time. He has to repeat the scanning operation. The smaller the probability Pn, the more repetitions are required and the greater the average time to implement the attack.

B. Assessment of the time of cyber attack counteraction
The results of calculating the probabilistic and temporal characteristics of the attack counteraction process are provided in Fig. 5. As input data the following values are used: t_infect = 0.1 min, t_defrag = 0.1 min, t_check = 1 min, t_over = 0.1 min, t_block = 0.1 min, t_rep = 1 min, Pn = 0.1,…,0.9.

[Fig. 5: a) F(t) versus t, min; b) t_ov,k, min, versus P_n]
Fig. 5. Probabilistic and temporal characteristics of the cyber attacks against the computer with the installed system of virus protection (a – dependence of the IFD on the cyber attack implementation time; b – dependence of the average time of the cyber attack implementation on the probability Pn)
The analysis of the dependences in Fig. 5-a and Fig. 5-b shows that on the computer with the installed virus protection system the implementation of the cyber attack with the probability Pn = 0.1 requires 25 minutes, and 8 minutes in case of Pn = 0.9. At the same time the reduction of the probability Pn to 0.6 does not lead to an essential increase in the time of the attack implementation. Starting from the value 0.6, the reduction of Pn has a significant effect on the increase in the time of the attack implementation, which finally increases almost 4 times.
It can be seen that an increase in Pn reduces the average time of the cyber attack implementation. However, in the process of increasing Pn the level of influence on the IFD F(t) decreases. When Pn exceeds the value 0.3, this influence is negligible.
Using the results of calculating the average time of the cyber attack implementation, using (14), it is possible to define the probability of overcoming the anti-virus system by a malefactor. Taking into account that the updating of the database of signatures is made once a day (1440 min) and Pn = 0.9, the above specified probability is equal to

$$P_{overcom} = \frac{1440}{1440 + 8} \approx 0.99.$$
[Fig. 6: dependence of the coefficient of the network serviceability on the quantity of routes, for several quantities of communication directions]
Fig. 6. Dependences of the coefficient of the network serviceability on the quantity of routes and communication directions
C. Cyber resilience assessment
The coefficient of the network serviceability in the conditions of cyber attacks was calculated on the structure of an extensive computer network including 1000 personal computers, 50 switches, 15 routers and 20 servers.
At first the features of the probabilistic and temporal characteristics were verified on the simulation testbed. The testbed included the following modules: (1) data input module; (2) modules for generation of the attack stage duration; (3) manager. The data input module set the values of the average times for the attack implementation stages. The generation modules, using the random numbers generator, formed the times to implement the attack stages. The manager formed a random value for the time of the entire attack implementation based on the values received on the outputs of the generation modules and the probability Pn.
Using these probabilistic and temporal characteristics, the dependences of the coefficient of the network serviceability on the quantity of routes, provided in Fig. 6 and Fig. 7, were received. As input data the following values were used: t_ent = 3 min; t_tr = 1 min; t_de = 2 min; t_re = 10 min; t_CA = 13 min.
The received dependences allow us to define the rational range of the quantity of required routes in case of cyber attacks. From Fig. 6 and Fig. 7 it can be seen that the more communication directions there are in the computer network, the higher its cyber resilience. This is reasonable, as in case of a large number of communication directions the failures of one and even several of them do not lead to a complete loss of the network operability.
On the other hand, the cyber resilience of the network has the maximum value when from 2 to 5 routes are used for information transfer, depending on the quantity of communication directions in the computer network.
[Fig. 7: dependence of the coefficient of the network serviceability on the quantity of routes, for several communication entrance times]
Fig. 7. Dependences of the coefficient of the network serviceability on the quantity of routes and communication entrance time
This is explained by the opportunity to create bypass routes along which data transfer will be carried out in the network in case of failure of the main routes.
However, a further increase in the quantity of routes leads to a reduction in cyber resilience. This unexpected result is explained by the fact that the malefactor can use the additional routes for his own purposes, which will lead to an increase in the activity of cyber attacks. At the same time, it should be noted that the reduction in cyber resilience of the network in case of a rather large number of routes demonstrates the need for a transition from the distributed structure of the computer network to a "star"-like structure.
Besides, from Fig. 7 it can be seen that the coefficient of serviceability takes the maximum value in case of the network means having the greatest efficiency. In other words, communication means with a large communication entrance time reduce cyber resilience, as this increases the time the route spends in a faulty state.
Thus, the given experimental data confirm the reliability and validity of the offered method and the possibility of its use for cyber resilience assessment of the computer networks in which a defining role is played by communication services.
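The chain of serviceability coefficients of section III.B, formulas (5)-(8), as an added worked example (not code from the paper): it computes the indicator from per-interval times up through composite routes, communication directions and the whole network for a small constructed topology; all time values, the connectivity coefficients and the topology are constructed for illustration.

```python
"""Added example (not from the paper): the chain of serviceability coefficients
of section III.B, formulas (5)-(8), computed for a small constructed topology.
Times are in minutes; every value below is constructed for illustration."""
from functools import reduce
from operator import mul


def prod(values):
    return reduce(mul, values, 1.0)


def interval_ksa(t_n, t_ent, t_ca, t_cm):
    """(5): fraction of time a communication interval transfers data correctly:
    transfer time over entry + transfer + cyber attack + countermeasure times."""
    return t_n / (t_ent + t_n + t_ca + t_cm)


def composite_route_ksa(interval_coeffs):
    """(6): a route of O_j intervals in series is serviceable only while every
    interval is, hence the product."""
    return prod(interval_coeffs)


def direction_ksa(k_rel_d, route_coeffs):
    """(7): a communication direction with N alternative routes is lost only
    when all of them are, scaled by its connectivity coefficient K_rel_D,i."""
    return k_rel_d * (1.0 - prod(1.0 - k for k in route_coeffs))


def network_ksa(k_rel, direction_coeffs):
    """(8): the network-level coefficient over its M communication directions."""
    return k_rel * (1.0 - prod(1.0 - k for k in direction_coeffs))


def network_from_topology(k_rel, directions):
    """directions: list of (K_rel_D,i, routes); each route is a list of
    (t_n, t_ent, t_CA, t_cm) tuples, one per communication interval."""
    direction_coeffs = []
    for k_rel_d, routes in directions:
        route_coeffs = [composite_route_ksa([interval_ksa(*iv) for iv in route])
                        for route in routes]
        direction_coeffs.append(direction_ksa(k_rel_d, route_coeffs))
    return network_ksa(k_rel, direction_coeffs)


def constructed_example():
    """Constructed network: two directions (K_rel_D,i = 1.0), three two-interval
    routes each, K_rel = 0.9; every interval has t_n = 8, t_ent = 2, t_CA = 4,
    t_cm = 2, so K_sa of one interval is 0.5 and of one route 0.25."""
    interval = (8.0, 2.0, 4.0, 2.0)
    route = [interval, interval]
    direction = (1.0, [route, route, route])
    return network_from_topology(0.9, [direction, direction])


if __name__ == "__main__":
    print(f"K_sa of the constructed network = {constructed_example():.6f}")
```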
VI. CONCLUSION
The paper offers a new approach to the analytical modeling of cyber
attacks based on the method of stochastic networks conversion. The
essence of the approach is to replace the set of elementary branches
of a stochastic network by one equivalent branch and then to determine
the equivalent function of the network, as well as the initial moments
and the distribution function of the random time of cyber attack
implementation.
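The reduction described above, as an added worked example that is not code from the paper: a hypothetical three-node attack network (scan, exploit, and a detect-and-block branch that sends the attacker back to scanning) is reduced to one equivalent branch, and the completion probability, mean and variance of the attack time are read off the equivalent function. The example assumes the usual GERT conventions for such networks, which this section does not spell out: each branch carries W(s) = p·E[e^(-sT)], series branches multiply, parallel branches add, and a feedback loop gives forward/(1 - loop). Branch durations are assumed exponential (a fixed-delay branch is also provided), and all branch names, rates and probabilities are constructed for illustration.

```python
"""Stochastic-network conversion: reduce a small attack network to one
equivalent branch and read the moments of the attack time off it.

Added worked example, not code from the paper.  Conventions assumed:
  * every branch carries an equivalent function W(s) = p * E[exp(-s*T)],
    where p is the probability of traversing the branch and T its duration;
  * a network is reduced with the usual GERT rules: series -> product,
    parallel -> sum, feedback loop -> forward / (1 - loop);
  * W(s) is represented by its Taylor coefficients at s = 0, because the
    k-th raw moment of T is (-1)^k * k! * a_k / a_0.  That makes the
    reduction exact in floating point, with no numerical differentiation.
"""
import math
from functools import reduce

ORDER = 3  # keep s^0 .. s^2: enough for the mean and the variance


def exp_branch(p, mean):
    """Branch taken with probability p whose duration is exponential with
    the given mean: W(s) = p / (1 + mean*s) = p * sum((-mean*s)^k)."""
    return [p * (-mean) ** k for k in range(ORDER)]


def const_branch(p, delay):
    """Branch with a fixed duration: W(s) = p * exp(-s*delay)."""
    return [p * (-delay) ** k / math.factorial(k) for k in range(ORDER)]


def _mul(a, b):
    c = [0.0] * ORDER
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < ORDER:
                c[i + j] += ai * bj
    return c


def _add(a, b):
    return [x + y for x, y in zip(a, b)]


def _inv(a):
    """Multiplicative inverse of a truncated power series (a[0] != 0)."""
    out = [0.0] * ORDER
    out[0] = 1.0 / a[0]
    for n in range(1, ORDER):
        out[n] = -sum(a[k] * out[n - k] for k in range(1, n + 1)) / a[0]
    return out


def series(*branches):
    """Branches traversed one after another: probabilities multiply and
    durations add, so the W-functions multiply."""
    return reduce(_mul, branches)


def parallel(*branches):
    """Alternative branches leaving the same node: W-functions add."""
    return reduce(_add, branches)


def feedback(forward, loop):
    """Forward path with a loop returning to its start: W = forward / (1 - loop)."""
    one = [1.0] + [0.0] * (ORDER - 1)
    return _mul(forward, _inv(_add(one, [-x for x in loop])))


def moments(w):
    """(completion probability, mean time, variance) of the equivalent branch."""
    p = w[0]
    mean = -w[1] / p
    second = 2.0 * w[2] / p
    return p, mean, second - mean ** 2


def example_attack_network(q=0.25, t_scan=2.0, t_exploit=4.0, t_block=1.0):
    """Hypothetical three-node network (an assumption of this example):
      node 1 --scan--> node 2 --exploit (prob 1-q)--> node 3 (attack realised)
                       node 2 --detected and blocked (prob q)--> back to node 1
    The attacker restarts the scan after every blocked attempt, so the
    detect-and-block branch is a feedback loop around the scan branch."""
    scan = exp_branch(1.0, t_scan)
    exploit = exp_branch(1.0 - q, t_exploit)
    blocked = exp_branch(q, t_block)
    w = feedback(series(scan, exploit), series(scan, blocked))
    return moments(w)


if __name__ == "__main__":
    p, mean, var = example_attack_network()
    print(f"P(attack completes) = {p:.3f}")
    print(f"mean attack time    = {mean:.3f}")
    print(f"std of attack time  = {math.sqrt(var):.3f}")
```

For the default parameters the equivalent branch has completion probability 1 and mean attack time 7, which matches the closed form for this particular loop, (t_scan + q·t_block)/(1 - q) + t_exploit; the series-coefficient route gives the same answer for any network the three reduction rules can collapse. The distribution function named in the conclusion is not computed here: it requires inverting the transform, whereas the moments follow directly from the coefficients.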
The experimental check of the offered approach was carried out for
the models of the cyber attack "Network traffic analysis" and of a
cyber attack against a computer with an installed virus protection
system.
The offered method for assessing the cyber resilience of computer
networks allows one to define the indicators that characterize it, to
justify the most resilient network structure, and to justify the
requirements for how often the parameters of the protective equipment
are changed. Applying the analytical models of cyber attacks together
with the method of stochastic networks conversion allows one to
calculate the probabilistic time characteristics of known attacks.
These characteristics are input data for threat assessment and for
justifying the requirements for network security.
Defining further research directions, it should be noted that the
offered approach accepts the restriction that a new cyber attack
begins only after the previous one has been detected and the
consequences of its implementation eliminated. This is the case when
the computer network is influenced by a single malefactor, and it
should be considered a special case of cyber attack implementation.
In reality there can be many attackers at the same time, and the
cyber attacks they activate can overlap. Taking into account the case
of massive cyber attacks is the main direction of further research.
ACKNOWLEDGMENT
This work was performed under RSF grant #18-11-00302 at SPIIRAS.