A Threat Computation Model using a Markov Chain and Common Vulnerability Scoring System and its Application to Cloud Security
Main Article Content
Keywords
Security threats, quantitative security metrics, cloud threats, Markov Chain, Common Vulnerability Scoring System
Abstract
Securing cyber infrastructures has become critical because they are increasingly exposed to attackers while accommodating a huge number of IoT devices and supporting numerous sophisticated emerging applications. Security metrics are essential for assessing the security risks and making effective decisions concerning system security. Many security metrics rely on mathematical models, but are mainly based on empirical data, qualitative methods, or compliance checking, and this renders the outcome far from satisfactory. Computing the probability of an attack, or more precisely a threat that materialises into an attack, forms an essential basis for a quantitative security metric. This paper proposes a novel approach to compute the probability distribution of cloud security threats based on a Markov chain and Common Vulnerability Scoring System. Moreover, the paper introduces the method to estimate the probability of security attacks. The use of the new security threat model and its computation is demonstrated through their application to estimating the probabilities of cloud threats and types of attacks.
Downloads
References
Almasizadeh, J., & Azgomi, M. A. (2013). A stochastic model of attack process for the evaluation of security metrics. Computer Networks, 57(10), 2159-2180.
Anderson, B., Quist, D., Neil, J., Storlie, C., & Lane, T. (2011). Graph-based malware detection using dynamic analysis. Journal in Computer Virology, 7(4), 247-258.
Aroms, E. (2012). Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30.
Bar, A., Shapira, B., Rokach, L., & Unger, M. (2016). Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis. Paper presented at the 2016 IEEE International Conference on Software Science, Technology and Engineering (SWSTE).
CIS [Center for Internet Security]. (2010). The CIS security metrics. Available at http://www.itsecure.hu/library/image/CIS_Security_Metrics-Quick_Start_Guide_v1.0.0.pdf
Cloud Security Alliance. (2016). The Treacherous Twelve - Cloud Computing Top Threats in 2016. From https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf
Ghayvat, H., Mukhopadhyay, S., Liu, J., Babu, A., Alahi, M. E. E., & Gui, X. (2015). Internet of things for smart homes and buildings. Australian Journal of Telecommunications and the Digital Economy, 3(4).
Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 5.
Hoang, D. (2015). Software Defined Networking? Shaping up for the next disruptive step? Australian Journal of Telecommunications and the Digital Economy, 3(4).
Hoang, D. B., & Farahmandian, S. (2017). Security of Software-Defined Infrastructures with SDN, NFV, and Cloud Computing Technologies. In S. Y. Zhu, S. Scott-Hayward, L. Jacquin, & R. Hill (Eds.), Guide to Security in SDN and NFV: Challenges, Opportunities, and Applications (pp. 3-32). Cham: Springer International Publishing.
Hu, Q., Asghar, M. R., & Brownlee, N. (2017). Evaluating network intrusion detection systems for high-speed networks. Paper presented at the 2017 27th International Telecommunication Networks and Applications Conference (ITNAC).
Huang, K., Zhou, C., Tian, Y.-C., Tu, W., & Peng, Y. (2017). Application of Bayesian network to data-driven cyber-security risk assessment in SCADA networks. Paper presented at the 2017 27th International Telecommunication Networks and Applications Conference (ITNAC).
Jha, S., Sheyner, O., & Wing, J. (2002). Two formal analyses of attack graphs. Proceedings. 15th IEEE Computer Security Foundations Workshop, 2002.
Jouini, M., & Rabai, L. B. A. (2015). Mean Failure Cost Extension Model towards Security Threats Assessment: A Cloud Computing Case Study. Journal of Computers, 10(3), 184-194.
Le, N. T., & Hoang, D. B. (2017). Cloud Maturity Model and metrics framework for cyber cloud security. Scalable Computing: Practice and Experience, 4, 277-290.
Li, X., Parker, P., & Xu, S. (2011). A stochastic model for quantitative security analyses of networked systems. IEEE Transactions on Dependable and Secure Computing, 8(1), 28-43.
Madan, B. B., Goševa-Popstojanova, K., Vaidyanathan, K., & Trivedi, K. S. (2004). A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation, 56(1), 167-186.
NIST. (2018). National Vulnerability Database. Available at https://nvd.nist.gov/
Patcha, A., & Park, J.-M. (2007). An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks, 51(12), 3448-3470. doi: https://doi.org/10.1016/j.comnet.2007.02.001
Patel, S., & Zaveri, J. (2010). A risk-assessment model for cyber attacks on information systems. Journal of Computers, 5(3), 352-359.
Ramos, A., Lazar, M., Holanda Filho, R., & Rodrigues, J. J. (2017). Model-Based Quantitative Network Security Metrics: A Survey. IEEE Communications Surveys & Tutorials, 19(4), 2704-2734.
Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Proceedings of the 16th ACM conference on Computer and communications security.
Ross, S. M. (2014). Introduction to probability models. Academic press.
Singh, A., & Shrivastava, D. M. (2012). Overview of attacks on cloud computing. International Journal of Engineering and Innovative Technology (IJEIT), 1(4).
Taylor, C. (2019). Probability of the Union of Three or More Sets. Retrieved March 5, 2019, from https://www.thoughtco.com/probability-union-of-three-sets-more-3126263
Thomson, W. (1889). Lord Kelvin: Electrical units of measurement. Popular lectures and addresses. Macmillan, London.
Article Sidebar
Article Details
Copyright Telecommunications Association Inc.
Ngoc Thuy Le, University of Technology Sydney
Ngoc T. Le is a PhD student in the Faculty of Engineering and IT, University of Technology Sydney, Australia. He received the B.S degree in IT systems in 2005 and the master degree in 2010 from Vietnam National University, Hanoi, Vietnam. His research interests include cloud computing security, cyber security metrics, security risk, and Security capability maturity models. He has published several papers in international journals and conferences.
Doan B. Hoang, University of Technology Sydney, Faculty of Engineering & IT Virtual Infrastructure and Cyber Security (VICS)
Doan B. Hoang is a Professor in the School of Electrical and Data Engineering, Faculty of Engineering and Information Technology, University of Technology Sydney (UTS). He leads the Virtualized Infrastructures and Cyber Security (VICS) research group and is a Research Associate of the Open Networking Foundation (ONF). His current research interests include: Optimization of Software-defined infrastructures (Cloud, SDN, NFV and IoT) and services, Security capability maturity models and metrics for Cyber Security, IoT security architecture and trust assessment, and IT models for Assistive Healthcare. Professor Hoang has published over 230 research papers. Before UTS, he was with Basser Department of Computer Science, University of Sydney. He held various visiting positions: Visiting Professorships at the University of California, Berkeley; Nortel Networks Technology Centre in Santa Clara, the University of Waterloo, Carlos III University of Madrid, and Nanyang Technological University, Lund University, POSTECH University-South Korea.
