advertisement

Analytical modeling and assessment of cyber resilience on the base of stochastic networks conversion Igor Kotenko St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS) Saint-Petersburg, Russia [email protected] Igor Saenko St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS) Saint-Petersburg, Russia [email protected] of ensuring cyber resilience in the conditions of cyber attacks and other negative impacts as planning, preparation, detection, countermeasure generation and restoration [4] are considered. The approach considered in the paper follows these principles. However, it has some peculiar properties. As the indicator allowing one to estimate the critical functionality of computer networks taking into account the priority of communication services, we suggest to use the coefficient of serviceability. This indicator is calculated through the similar indicators applied to the communication directions and to the routes existing between critical network nodes. The communication direction is understood as a set of various routes used for information transmission from a source to a recipient. At the same time, the analytical models of the attacks, formed by means of the method offered in the paper, cover all stages of ensuring the cyber resilience. These models consider functioning of network at the initial stage of the cyber attack (scanning of network), at the stages of its realization and detection and at the stage of counteraction against the attack and to the network recovery. The stage of planning is considered indirectly by the analysis of the calculated estimates to choose the most acceptable option of the network creation. The offered approach is based on creating and analyzing the analytical models of cyber attacks and countermeasures. The modeling results are the distribution function of the time and the average time for implementation of cyber attacks. These estimates are used to find the indicators of cyber resilience of the network. Creation of the analytical models of cyber attacks is based on the method of stochastic networks conversion [5]. This method differs in high precision and stability of the received decisions. It was well proved for modeling of multi-step stochastic processes for different applications. The considered approach was developed in relation to modeling of computer attacks in our previous works [6,7] where on its basis some of the most widespread attacks were described and analyzed. In this paper, this approach is further developed. The model for a rather popular attack "Network traffic analysis" is offered. Such model received a detailed experimental evaluation. This attack is an example of the Abstract— In the paper the term cyber resilience is interpreted as the stability of computer networks or systems operating under impact of cyber attacks and other negative impacts, including influence of inappropriate, dubious and harmful information. We consider an approach for construction of analytical models of cyber attacks and negative impacts based on the stochastic networks conversion. This approach has high accuracy and stability of the decisions and has worked well for modeling multi-stage stochastic processes of different nature. The result of the modeling is the distribution function of the time and the average time for implementation of cyber attacks. We also build analytical models for implementation of countermeasures, and integrate them with the analytical models of cyber. As the result the integrated analytical model of the behavior of computer networks under conditions of cyber actions is formed. They allow one to estimate and to choose the most effective countermeasures. These estimates are then used to find the indicators of cyber resilience. The results of experimental evaluation of cyber resilience of computer networks and discussion are given. Keywords—cyber security, cyber attacks, attack modeling, cyber resilience, stochastic networks I. INTRODUCTION The modern state of information and telecommunication technologies is characterized by increase of security threats for computer networks and systems, the most dangerous of which are cyber attacks. Possible results of the impact of cyber attacks against computer networks and systems are unauthorized access, blocking the control information, intrusion of inappropriate, dubious and harmful information, violating the established regulations on information collecting, processing and transferring, failures in computer network, compromise of the transferred or obtained information, etc. Thus cyber attacks and ability to counteract them are the key factors defining the resilience of computer networks. The ability of computer networks to maintain the acceptable service level in the conditions of malfunctions and violations in a normal operating mode is considered as cyber resilience [1, 2]. For its assessment it is necessary to define the corresponding indicators of cyber resilience [3]. At the same time such stages 978-1-5386-7030-9/18/$31.00 ©2018 IEEE Oleg Lauta St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences (SPIIRAS) Saint-Petersburg, Russia [email protected] 1 attack of passive type which does not destroy the network, but reveals the important information the malefactor can use for carrying out more serious attacks subsequently. Besides, we offer the model describing the attack countermeasures based on anti-virus protection. Using these models, the cyber resilience of computer network in the conditions of cyber attacks and implementation of countermeasures is assessed. The theoretical contribution of the paper consists in further development of methods for analytical modeling of cyber attacks and countermeasures and in their application for cyber resilience assessment as very important property of computer network or system. The novelty of the results is defined by use of the method of stochastic networks conversion for analytical modeling of processes of joint realization of cyber attacks and countermeasures. The authors believe that this approach is also applicable to the construction of systems to protect against inappropriate, dubious and harmful information [8]. The structure of the paper is as follows. In section 2 the review of related work is given. Section 3 considers the mathematical bases of analytical modeling of cyber attacks by method of stochastic networks conversion and assessment of cyber resilience of computer networks. Section 4 contains the results of analytical modeling. The results of experimental assessment of cyber resilience of computer networks are given in section 5. Section 6 contains the main conclusions and the directions of further research. The known approaches to assessment of resilience of computer networks and systems can be divided into two groups: analytical and simulation-based. It is possible to refer the approaches based on the following mathematical basis to the first group: probabilistic graphs [14]; Markov models [15, 16]; some kinds of stochastic networks, in particular, generative stochastic networks [17,18]. A disadvantage of the analytical models based on probabilistic graphs is the impossibility of receiving with their help the distribution functions of time for realization of cyber attacks of any type [14]. This results from the fact that in them only the main theorems of probability theory (the theorems of addition and product of probabilities) are used. The approaches using Markov models [15,16] do not have this drawback. However, their application is extremely difficult for computer networks of large dimension due to the complexity of forming the set of possible security states and transitions between them. The results received by means of generative stochastic networks [17,18] did not concern the modeling of cyber attacks. However, they confirmed the high effectiveness of the use of stochastic networks as a modeling tool used to assess cyber resistance. The following mathematical theories are used in various approaches to the analysis of the cyber attacks based on simulation: queuing networks [19,20]; attack graphs [21]; logical models, in particular, situation calculus [22]. The frameworks based on application of queuing networks [19,20] assume that service requests are received a priori by known distribution laws. However, in practice these laws are not known. In the system based on attack graphs [21] it is possible to predict the directions of further actions of the malefactor. However, this system does not allow receiving the distribution functions for attack realization time and does not allocate the communication directions and routes in networks. As a result, the assessment of cyber resilience becomes difficult. In the simulator based on a situation calculus [22] the goal-directed procedure invocations are realized that allows one to imitate intelligent attackers. At the same time, the library of attack scenarios is used. However, there is no possibility of finding the distribution functions for the cyber attack realization time. For this reason the application of this tool for cyber resilience assessment on the offered critical functionality indicator leads to the low accuracy of such assessment. Thus, from the analysis of related works it is possible to draw the following conclusions. First, stochastic analytical modeling has the great opportunities necessary for development of countermeasures in the modern cyber security systems. Secondly, stochastic models have to be applicable for modeling of cyber attacks and countermeasures. Thirdly, the approaches considered above not fully meet these requirements. The offered method of stochastic networks conversion allows eliminating this shortcoming. II. RELATED WORK Traditional definition for resilience of various systems is stated in [9]. According to this definition, resilience of a system is perceived as its ability to plan and prepare for, absorb, respond to, and recover from disasters and adapt to new conditions. In many works, for example, in [10-12], it is shown how this definition is considered in research works on resilience of systems of various nature. However for computer networks, considering their role in information infrastructures as the key systems providing exchange of information with necessary quality, this understanding of resilience demanded further development. Linkov et al., when considering the resilience of a computer network, suggested to consider its critical functionality. The critical functionality is defined as an indicator of system performance, which is introduced to derive an integrated measure of resilience [13]. An example of the indicator considering critical functionality is the percentage of nodes that are functioning [4]. However, this indicator does not consider importance of particular nodes and their influence on achievement of the general mission of the network. In our work, the idea of critical functionality has been further developed in connection with large-scale computer networks, in which the main purpose is the transfer of information between remote subscribers. The coefficient of serviceability, offered in the paper as a critical functionality, shows in general the ability of a network to function according to its purpose under the impact of cyber attacks during the total network operation time. III. MATHEMATICAL FOUNDATIONS A. Method of stochastic networks conversion The essence of the offered method consists in representation of an attack in the form of a stochastic network, replacement of 2 a set of elementary branches of the network by one equivalent branch, definition of equivalent function and calculation on its basis of the initial moments and the distribution function of the random execution time of the attack. By a stochastic network we mean a set of interconnected vertices and branches (elementary processes), the connection of which corresponds to the algorithm for implementing the attack [23]. The time of realization of branches has a priori given probabilistic distribution, average value and dispersion. The network has a bipolar appearance and consists from entrance, intermediate and output vertexes. Vertexes define conditions, and branches – times of performance of elementary processes. Each intermediate vertex performs entrance and output functions. The entrance function defines a logical condition under which an elementary process will be executed. The output function determines which of the operations, following the vertex, will be executed. The entrance vertex performs only the previous output function, and output – only the entrance function. For each branch the transfer function, playing a role of a conditional characteristic function, is defined. It represents Laplace transform [24] of probability density function (PDF) for time of realization of an elementary process. Reduction of a stochastic network to one equivalent branch and formation of an equivalent function is carried out by the topological conversion of the network. For this purpose in the network 3 kinds of paths are allocated. These paths are consecutive, parallel and loop-shaped paths. Then equivalent functions are defined for these paths. Every path comes down to one branch. A loop is a connected closed sequence of oriented branches of a stochastic network, each vertex of which is common to exactly two branches or a branch connecting the vertex to itself. Equivalent function of a loop of k-th order is as follows [25]: distribution function of the time for the attack implementation is denoted by G(t), then the equivalent function g(s) is calculated as follows [24]: g s exp st d G t . 3 0 If the inverse Laplace transform [24] is applied to the equivalent function of a certain process, the result of such transform is the function of the PDF for execution time of this process. B. Assessment of cyber resilience of computer networks As an indicator of the resilience of the computer network when exposed to cyber attacks (or cyber resilience), it is proposed to use the coefficient of serviceability (Ksa), which is calculated as follows: Ksa= Tcorrect / Ttotal, where Tcorrect – a time of correct operation of the network (without negative influence of attacks), Ttotal – a total time of the network operation. To determine Ksa of the whole network, at first it is necessary to find the coefficients of serviceability for each route in the conditions of attacks and impacts on these routes. For these purposes the average downtime time and the average time of correct network operation over a sufficiently long period of time are calculated. As a result, the coefficient of serviceability of the j-th route can be represented in the following form: K sa, j t n, j t ent , j t n, j t CA, j t cm , j , 5 k Qk s Qi s , where i 1 entry into communication, where Qi (s) ) is an equivalent function of the i-th loop of the first order, defined as the product of the equivalent functions of the branches within the loop. Let us close conventionally the network's output to the input. Then the network becomes closed. In this case to determine the equivalent function of the original network we can use a Mason's equation for closed graphs [25]: K H 1 1k Qk s 0 , t n, j – average time of transfer, t ent, j – average time of t CA, j – average time of cyber attack realization, t cm , j – average time on realization of countermeasures on the route j. As the information transmission route consists of several communication intervals, the coefficient of serviceability K ca _ CM , j of the composite route j is calculated as follows: 2 k 1 where K is the maximum order of the loops included in the stochastic network. Equivalent function allows one to define the first moments of the random time for the attack implementation. If the K sa _ CM , j Oj K sa, jl , 6 l 1 where Oj is the total number of intervals in the route j; K sa , jl is the coefficient of serviceability of the interval l on the route j. 3 Coefficient of serviceability K sa _ D,i for communication restarted for the average time trep with the time distribution direction i may be defined by the following expression: N K sa _ D,i K rel _ D,i 1 1 K sa _ CM , j j 1 , function Z(t). The stochastic network representing the stages of the attack “Network traffic analysis” is depicted in Fig. 1. 7 z(s) where Krel_D, i is the coefficient of connectivity of the communication direction i considering roundabout routes. Its value lies in the range from 0 to 1. The coefficient of connectivity can be set by experts or be calculated. The technique of its calculation is given in [6]. Given that the computer network consists of M communication directions, the coefficient of serviceability of the computer network Ksa in conditions of cyber attacks is determined on the basis of the following expression: M K sa K rel 1 1 K sa _ D,i i 1 w(s) q(s) 1-Рn d(s) Рn l(s) Fig. 1. The stochastic network of the attack “Network traffic analysis” The functions w(s), l(s), q(s), d(s) and z(s) which are at the exit of vertexes of the stochastic network are equivalent functions and calculated by application of Laplace transformation to the functions W(t), L(t), Q(t), D(t) and Z(t), respectively. The equivalent function keeping distribution parameters and logic of interaction of elementary stochastic processes in the structure is a result of stochastic network conversion. It allows one to define the first moments of the random time of this attack implementation. Let us pass to a closed stochastic network. For this purpose we will connect its input and output. The result is outlined in Fig. 2. where K rel is the coefficient of the connectivity of the network. Thus, to define the coefficient of serviceability of a computer network, at first it is required to determine the probabilistic and time characteristics of the attacks and countermeasures. In the next section we will give the examples of finding of such characteristics. z(s) w(s) q(s) 1-Рn d(s) Рn l(s) Qa(s) IV. RESULTS OF ANALITICAL MODELING As an example for analytical modeling of cyber attacks and countermeasures we will choose the attack like “Network traffic analysis” and a process of overcoming the anti-virus system protection by a malefactor. Fig. 2. Closed stochastic network of the attack “Network traffic analysis” The first order loops are loops that do not contain other loops and allow one to reach each vertex in the loop from any other. The loop of k-th order is a set of k not connected loops of the first order. Let us define all loops in Fig. 2. First, let us define the loops of the first order. The total number of such loops is equal to 2. The first loop of the first order consists of the series-connected branches of w(s), q(s), d(s), Pn, and l(s). The equivalent function for this loop has the following form: A. Model of the attack “Network traffic analysis” The implementation of the attack “Network traffic analysis” has the following stages: start of the network scanner for the average time t start with the time distribution function W(t); determination of parameters of interception of the traffic for the average time telem with the time distribution function Q(t); interception of the traffic with the probability Рn for the average time tOS with the time distribution function D(t); h1(s) = w(s) q(s) d (s) Pn l (s) . The second loop of the first order consists of the following series-connected branches: (1 – Pn), z(s), and q(s). Its equivalent function is: the statistical analysis and preparation of the report for the average time t ser with the time distribution function L(t). h2(s) = 1 Pn z(s) q(s) . Applying the Mason's equation allows one to create the equivalent function for the whole network. It will have the following form: At the same time, if information is not intercepted, then with the probability (1 – Рn) the network scanner will be 4 h( s) w( s) q( s) d ( s) Pn l ( s) , R( s ) K Pprot 1 P overcom,k , k 1 where R(s) 1 (1 Pп ) z(s) l (s). Using Laplace transform and Heaviside expansion theorem [26], the integral function of distribution (IFD) of the time for implementation of the cyber attack can be defined as follows: where K is a quantity of security components which need to be overcome; Povercom,k is the probability of overcoming security component k by a malefactor. In case of exponential approximation of distributions and independence of the initial characteristics: w q d Pn l o ( z sk ) 1 exp sk t , ( sk ) sk k 1 5 F (t ) Povercom,k where ( sk ) is a conditional denotation of the polynomial in t f ,k t f ,k t ov,k , the denominator; sk – decomposition of poles; w 1 t start ; where t f ,k – an average time between adjacent changes of l 1 telem ; q 1 tOS ; d 1 t ser ; z 1 t rep . parameters of a security component k, t ov,k – an average time The polynomial ( sk ) has the following form: of overcoming this security component. To find t f ,k and t ov,k we will construct a reference model (sk ) (w s) (d s) (m s) [(l s) ( z s) (1 Pп ) z l ]. for the process of overcoming the security component s by a malefactor. As an example, we will consider a process of infection of a computer on which the system of virus protection is installed. An implementation of this attack has the following stages: receiving on the port of the computer a packet of the message infected with a malicious code for the average time tinfect with a the time distribution function W(t); The average time T for implementation of the cyber attack is defined as follows: w q d Pn l o ( z sk ) 1 . 2 ( s ) k 1 sk k 5 T defragmentation of this packet by the network interface card of the computer for the average time t defrag with The values of equivalent functions and time distribution functions for each stage of the cyber attack “Network traffic analysis” are presented in Table 1. TABLE I. Stage # 1 2 3 4 5 the time distribution function Q(t); start of the scanner of the anti-virus system and check with its help in the random access memory of the computer of this packet for the average time t check with the time distribution function D(t); FUNCTIONS TO ESTIMATE THE DURATION OF THE CYBER ATTACK STAGES Equivalent function Time distribution functions w ws w s l l s ls q qs qs W t 1 exp wt d d s z z s zs Dt 1 exp dt d s overcoming by the malicious code with the probability of PI of the anti-virus system for the average time t over with the time distribution function L(t); Lt 1 exp lt Qt 1 exp qt computer infection for the average time tblock with the time distribution function O(t). With probability (1 – Рn), the attack will be restarted for the average time t rep with the time distribution function Z(t). The Z t 1 exp zt stochastic network for this process is outlined in Fig. 3. B. The model of the cyber attack counteraction The model of cyber attack counteraction is considered as a process of overcoming the available security components by a malefactor. The security component is overcome if the time of its overcoming is less than time between adjacent changes of parameters. Then the probability of computer network protection from impact of cyber attacks is defined as w(s) q(s) d(s) l(s) PI o(s) 1-Pn z(s) Fig. 3. A stochastic network of the attack against the computer with an installed virus protection system 5 The procedure of calculating, in essence, is similar to calculations for the previous attack. Therefore directly we will give estimated expressions for the IFD and the average time of the attack implementation. The IFD F(t) and the average time of the attack implementation will be as follows: analysis” requires 300 minutes with the probability Pn = 0.1 and 25 minutes in case of Pn = 0.9. These dependences allow us to estimate the influence of probability of finding of the active network elements, types of operating systems and services (in a time, not exceeding the set time) on the attack implementation time distribution function. It is visible that the increase in Pn reduces the average time of the attack implementation. However, in the process of increasing Pn the value of influence on the IFD F(t) decreases. When Pn overcomes the value 0.5, this influence is negligible. The average time of the cyber attack implementation also depends on the probability Pn. In case Pn exceeds 0.5 the average time of this attack implementation increases not really strongly. It changes from 25 (in case of Pn = 0.9) up to 50 minutes (in case of Pn = 0.5). If the probability Pn < 0.5 and it decreases further, then the average time of the attack implementation begins to increase significantly, reaching the value of 300 minutes in case of Pn = 0.1. It means that in case of small value of Pn the malefactor cannot correctly reveal vulnerability the first time. He should fulfill the scanning operation repeatedly. The smaller the probability Pn, the more repetitions are required and the greater the average time to implement the attack. w q d l Pn o ( z sk ) 1 exp sk t , ( sk ) sk k 1 6 F (t ) w q d Pn l o ( z sk ) 1 . 2 ( sk ) k 1 sk 5 T V. 6 EXPEREMENTAL RESULTS A. Assessment of the attack implementation time The results of calculations of F(t) and T for the attack “Network traffic analysis” are represented in the form of dependences in Fig. 4. a) B. Assessment of the time of cyber attack counteraction The results of calculating the probabilistic and temporal characteristics of the attack counteraction process are provided in Fig. 5. As input data the following values are used: tinf ect = 0.1 min, t defrag = 0.1 min, t check = 1 min, tover = 0.1 min, tblock = 0.1 min, trep = 1 min, Pn = 0.1,…,0.9. a) t, min b) tCA, min t, min b) tov,k, min Fig. 4. Probabilistic and temporal characteristics of the cyber attacks like “Network traffic analysis” (a – dependence of the IFD on thr cyber attack implementation time; b – dependence of the average time of the cyber attack implementation on the probability Pn) As input data we use the following values of the average time of this attack and the transition probability: t start = 2 min, Pn telem = 2 min, tOS = 30 min, t ser = 4 min, t rep = 1 min, Pn = 0.1,…,0.9. The analysis of the dependences in Fig. 4-a and Fig. 4-b shows that the implementation of the attack “Network traffic Fig. 5. Probabilistic and temporal characteristics of the cyber attacks against the computer with the installed system of virus protection (a – dependence of the IFD on the cyber attack implementation time; b – dependence of the average time of the cyber attack implementation on the probability Pn) 6 The analysis of dependences in Fig. 5-a and Fig. 5-b shows that on the computer with the installed virus protection system the implementation of the cyber attack with the probability Pn = 0.1 requires 25 minutes and 8 minutes in case of Pn = 0.9. At the same time the reduction in probability Pn to 0.6 does not lead to essential increase in the time of the attack implementation. Since value 0.6, the reduction of Pn has significant effect on the increase in time of the attack implementation which increases finally almost by 4 times. It is visible that increase in Pn reduces the average time of the cyber attack implementation. However, in the process of increasing Pn the level of influence on the IDF F(t) decreases. When Pn overcomes the value 0.3 then this influence is negligible. Using the results of calculating the average time of the cyber attack implementation, using (14), it is possible to define the probability of overcoming the anti-virus system by a malefactor. Taking into account that updating of the database of signatures is made once a day (1440 min) and Pn = 0.9, the above specified probability is equal 1440 Povercom 0.99. 1440 8 Quantity of communication directions routes Fig. 6. Dependences of the coefficient of the network serviceability on the quantity of routes and communication directions min min min min C. Cyber resilience assessment The coefficient of the network serviceability in the conditions of cyber attacks was calculated on the structure of the extensive computer network including 1000 personal computers, 50 switches, 15 routers and 20 servers. At first the features of probabilistic and temporal characteristics was verified on the simulation testbed. The testbed included the following modules: (1) data input module; (2) modules for generation of the attack stage duration; (3) manager. The input data module set the values of average times for the attack implementation stages. Generation modules, using the random numbers generator, formed the times to implement the attack stages. The manager formed a random value for the time of the entire attack implementation based on the values, received on the outputs of generation modules, and the probability Pn. Using these probabilistic and temporal characteristics, the dependences of the coefficient of the network serviceability on the quantity of routes, provided in Fig. 6 and Fig. 7, were received. As input data the following values were used: t ent = 3 min; t tr = 1 min; t de = 2 min; t re = 10 min; tCA = 13 min. The received dependences allow us to define the rational range of quantity of required routes in case of cyber attacks. From Fig. 6 and Fig. 7 it is visible that the more the number of communication directions in the computer network, the higher its cyber resilience. It is fair, as in case of a large number of the communication directions, the failures of one and even several of them do not lead to complete miss of the network operability. On the other hand, the cyber resilience of the network has the maximum value when using for information transfer from 2 to 5 routes, depending on the quantity of communication directions in the computer network. routes Fig. 7. Dependences of the coefficient of the network serviceability on the quantity of routes and communication entrance time It is explained by the opportunity to create bypass routes along which data transfer will be carried out in the network in case of failure of the main routes. However, further increase in quantity of routes leads to reduction in cyber resilience. This unexpected result is explained by the fact that the malefactor can use additional routes for the mercenary purposes that will lead to increase in activity of cyber attacks. At the same time, it should be noted that the reduction in cyber resilience of the network in case of rather large number of routes demonstrates the need of transition from the distributed structure of the computer network to structure like “star”. Besides, from Fig. 7 it is visible that the coefficient of serviceability accepts the maximum value in case of the network means having the greatest efficiency. In other words, communication means with big communication entrance time reduce cyber resilience as this increases the time spent on the route and the route as a whole in a faulty state. Thus, the given experimental data confirm reliability and validity of the offered method and a possibility of its use for cyber resilience assessment on the computer networks in which a defining role is played by communication services. VI. CONCLUSION The paper offers the new approach to analytical modeling of cyber attacks based on a method of stochastic networks conversion. The essence of this approach consists in replacing 7 [7] the set of elementary branches of a stochastic network by one equivalent branch with the subsequent definition of the equivalent function of the network as well as the initial moments and the distribution function of the random time of the cyber attack implementation. The experimental check of the offered approach is made for the models of the cyber attack “Network traffic analysis” and the cyber attack against the computer with the virus protection system installed. The offered method of assessment of cyber resilience of computer networks allows us to define the indicators characterizing it and to justify its steadiest structure as well as to justify the requirements for the frequency of changing the parameters of protective equipment. Application of analytical models of cyber attacks and the method of stochastic networks conversion allows us to calculate probable time response characteristics of the known attacks. These characteristics are input data for assessment of threats and justification of the requirements for network security. Defining the further research directions, it is necessary to mark that in the offered approach we accepted the restriction according to which new cyber attack begins after detection previous one and elimination of consequences of its implementation. Such case occurs when the computer network is influenced only by one malefactor. It should be considered as a special case of implementation of cyber attacks. In reality, there can be quite a lot of attackers at the same time. Cyber attacks, activated by them, can overlap. Taking into account the case of massive cyber attacks is the main direction of further research. [8] [9] [10] [11] [12] [13] [14] [15] [16] ACKNOWLEDGMENT [17] This work is performed by the grant of RSF #18-11-00302 in SPIIRAS. [18] REFERENCES [1] [2] [3] [4] [5] [6] J.P.G. Sterbenz, E.K. Çetinkaya, M.A. Hameed, A.Jabbar, J.P. Rohrer, “Modelling and Analysis of Network Resilience (invited paper)”, in The Third IEEE International Conference on Communication Systems and Networks (COMSNETS),Bangalore, India, January 2011, pp. 1–10. J.P.G. Sterbenz, D. Hutchison, E. Çetinkaya, A. Jabbar, J.P. Rohrer, M. Schöller, P. Smith, “Resilience and Survivability in Communication Networks: Strategies, Principles, and Survey of Disciplines”, in Computer Networks: Special Issue on Resilient and Survivable Networks (COMNET), 54(8), June 2010, pp.1245–1265. P. Smith, D. Hutchison, J.P.G. Sterbenz, M. Schöller, A. Fessi, M. Karaliopoulos, Ch. Lac, B. Plattner, "Network resilience: a systematic approach", in IEEE Communications Magazine, 49(7), 2011, pp. 88–97. A.A. Ganin, E. Massaro, A. Gutfrain, N. Steen, J.M. Keisler, A. Kott, R. Mangoubi, and I. Linkov, Operational resilience: Concepts, design and analysis, in Scientific Reports, August 2015. DOI: 10.1038/srep19540. F. Kelly, E. Yudovina, Stochastic Networks, Cambridge University Press, 2014. I. Kotenko, I. Saenko, O. Lauta, ”Modeling the Impact of Cyber Attacks” in Cyber Resilience of Systems and Networks, Risk, Systems and Decisions, Chapter7, A. Kott and I. Linkov, Eds. Springer, 2019, pp.135–169. DOI: 10.1007/978-3-319-77492-3_7 [19] [20] [21] [22] [23] [24] [25] [26] 8 I. Kotenko, I. Saenko, O. Lauta, M. Kocinyak, ”Assessment of computer network resilience under impact of cyber attacks on the basis of stochastic networks conversion”, in Communications in Computer and Information Science, vol. 797. Springer, 2018, pp.107–117. DOI: 10.1007/978-981-10-7850-7_10. I. Kotenko, I. Saenko, A. Chechulin, “Protection against information in eSociety: using Data Mining methods to counteract unwanted and malicious data”, in Communications in Computer and Information Science (CCIS), 745, 2017, pp.170-184. https://doi.org/10.1007/978-3319-69784-0_15. Disaster Resilience: a National Imperative, National Academies Press, 2012. http://resilience.abag.ca.gov/wpcontent/documents/resilience/toolkit/Disaster%20Recovery_A%20Natio nal%20Imperative%20Exec%20Summary.pdf J. Park, T.P. Seager, P.S.C. Rao, M. Convertino, I. Linkov, “Integrating risk and resilience approaches to catastrophe management in engineering systems: perspective”, in Risk Anal., 33, 2013, pp. 356–367. W. Jansen, Directions in Security Metrics Research, National Institute of Standards and Technology, 2009. http://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7564.pdf N. Bartol, B. Bates, K. M. Goertzel, T. Winograd, Measuring Cyber Security and Information Assurance, Information Assurance Technology Analysis Center, 2009. https://www.csiac.org/wpcontent/uploads/2016/02/cybersecurity.pdf P.Bocchini, D.M. Frangopol, T. Ummenhofer, T. Zinke, “Resilience and sustainability of civil infrastructure: toward a unified approach”, in J. Infrastruct. Syst., 20, 2014. N. Matlof, “From Algorithms to Z-Scores: Probabilistic and Statistical Modeling in Computer Science”, htttp://heather.cs.ucdavis.edu/probstatbook D. Dudorov, D. Stupples, M. Newby, “Probability Analysis of Cyber Attack Paths against Business and Commercial Enterprise Systems”, in 2013 European Intelligence and Security Informatics Conference, 2013, pp.38–44. S. Abraham, S. Nair, “A Predictive Framework for Cyber Security Analytics Using Attack Graphs” in International Journal of Computer Networks & Communications (IJCNC), 7(1), 2015, pp. 1-17. M. Zöhrer, F. Pernkopf, “General Stochastic Networks for Classification”, in Advances in Neural Information Processing Systems 27, 2014, pp. 2015–2023. Y. Bengio, E. Thibodeau-Laufer, G. Alain, J. Yosinski, “Deep Generative Stochastic Networks Trainable by Backprop”, 2014. http://arxiv.org/abs/1306.1091 OPNET Technologies, Inc.” http://www.opnet.com/ S.P. Ahuja, “COMNET III: A Network Simulation Laboratory Environment For A Course In Communications Networks”, in 28th Annual Frontiers in Education Conference (FIE '98), 1998, vol.3, pp. 1085–1088. I. Kotenko, A. Chechulin, “A Cyber Attack Modeling and Impact Assessment Framework”, in Proc. of the 5th IEEE International Conference on Cyber Conflict (CyCon), 2013, pp. 1– 24. R.P. Goldman, “A Stochastic Model for Intrusions”, in Recent Advances in Intrusion Detection. Proc. of the 5th International Symposium (RAID 2002), 2002, pp. 199-218. R.F. Serfozo, Introduction to Stochastic Networks, Applications of Mathematics, vol. 44, Springer-Verlag, 1999. J. Williams, Laplace Transforms, Problem Solvers, George Allen & Unwin, 1973. D.T. Phillips, A. Garsia-Diaz. Fundamentals of Network Analysis, Prentice-Hall, Englewood Cliffs, NJ, 1981. S.S. Petrova, Heaviside and the development of the symbolic calculus, Archive for History of Exact Sciences, 37(1), 1987, pp. 1–23.