Visible to the public Cyclic Bayesian Attack Graphs: A Systematic Computational Approach

TitleCyclic Bayesian Attack Graphs: A Systematic Computational Approach
Publication TypeConference Paper
Year of Publication2020
AuthorsMatthews, I., Mace, J., Soudjani, S., Moorsel, A. van
Conference Name2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
Date Publisheddec
KeywordsAttack Graphs, Bayes methods, Bayesian networks, belief networks, Cyber-physical systems, probabilistic graphical models, pubcrawl, Resiliency, Scalability, security, security risk assessment, Software, Software algorithms, Systematics, Topology, vulnerabilities
AbstractAttack graphs are commonly used to analyse the security of medium-sized to large networks. Based on a scan of the network and likelihood information of vulnerabilities, attack graphs can be transformed into Bayesian Attack Graphs (BAGs). These BAGs are used to evaluate how security controls affect a network and how changes in topology affect security. A challenge with these automatically generated BAGs is that cycles arise naturally, which make it impossible to use Bayesian network theory to calculate state probabilities. In this paper we provide a systematic approach to analyse and perform computations over cyclic Bayesian attack graphs. We present an interpretation of Bayesian attack graphs based on combinational logic circuits, which facilitates an intuitively attractive systematic treatment of cycles. We prove properties of the associated logic circuit and present an algorithm that computes state probabilities without altering the attack graphs (e.g., remove an arc to remove a cycle). Moreover, our algorithm deals seamlessly with any cycle without the need to identify their type. A set of experiments demonstrates the scalability of the algorithm on computer networks with hundreds of machines, each with multiple vulnerabilities.
DOI10.1109/TrustCom50675.2020.00030
Citation Keymatthews_cyclic_2020