ABSTRACT

Security measures for a computer network system can be enhanced with better understanding the vulnerabilities and their behavior over the time. It is observed that the effects of vulnerabilities vary with the time over their life cycle. In the present study, we have presented a new methodology to assess the magnitude of the risk of a vulnerability as a “Risk Rank”. To derive this new methodology well known Markovian approach with a transition probability matrix is used including relevant risk factors for discovered and recorded vulnerabilities. However, in addition to observing the risk factor for each vulnerability individually we have introduced the concept of ranking vulnerabilities at a particular time taking a similar approach to Google Page Rank Algorithm. New methodology is exemplified using a simple model of computer network with three recorded vulnerabilities with their CVSS scores.

Keywords:

Markov Chain, Vulnerability, Non Homogeneous Risk Analysis, Network Security, Google Page Rank

1. Introduction

A network system could have numerous vulnerabilities. We understand the process of generating vulnerabilities is highly stochastic and outcomes are hard to predict. Similarly the behaviors of attacks and attackers also have higher level of unpredictability. When considering a particular system based on the discovered vulnerabilities the analysis must consider the dynamic nature of the effect of vulnerabilities over time. As we observed in our previous researches [1] [2] [3] [4] [5] , effect of the vulnerabilities vary with the time over their life cycle. Therefore, for a particular system, the most threatening vulnerability [6] [7] [8] at time t₁ might not be the same at time t₂. Hence, it would be very useful to have analytical models to observe the behavior of the rank of vulnerabilities based on the magnitude of the threat with respect to time for a given network system.

Such ranking distribution over time would empower the defenders by giving the priority directions to attend on fixing vulnerabilities. In this paper we attempt to address this need.

In Section 2, the methodology of this new ranking approach is discussed with relevant introductions to Google Page Rank Algorithm and the Risk Rank Algorithm presented in this study. Section 3 illustrates the application of the proposed methodology with a model example step by step. Section 4 discusses the resulting risk ranks for vulnerabilities and their behavior over time. In Section 5, contributions of the study and conclusions are summarized.

2. Methodology

2.1. Google Page Rank Algorithm

This section provides a background for our quantitative analysis of risk rank algorithm method. Ranking web pages is an important function of an internet search engine [9] [10] . Google Page Rank Algorithm [11] is one of the most accurate and efficient page ranking methods in use. Methodology behind this algorithm will be briefly discussed below.

Output of this algorithm gives a probability distribution which is used to represent the likelihood that a person randomly clicking on links will arrive at any particular page. Using this method we can rank the likelihood of clicking on any web link. This can be calculated for any number of web links. In this algorithm, the sum of the page rank values of all the considered web links is equal to be one and it is assumed that the probability of selecting a web page initially is equal for any available option.

Google page rank algorithm simulates the clicking behavior of a web link in two ways. First is to visit a web link via an incoming link to the current web page and second way is to pick a web page randomly. Google page rank theory holds that any surfer who is randomly clicking on web links will eventually stop clicking. At any of these stages, a damping factor d is the probability that the web surfer will continue surfing. Many researches have tested various damping factors but in generally it is assumed that the damping factor will be set around 0.85.

Let $p_t\left(v\right)$ be the probability of visiting web page v at time t and v be a set of all web pages under consideration. Here $out\left(v\right)$ represents the set of web pages in v with an outgoing link from v, and $in\left(v\right)$ represents the set of incoming link to v. The page rank computation can be viewed as a Markov process whose states are pages and the links between pages represent state transitions. This computation is given in the Equation (1) below.

$P_{t+1}=\left(1-d\right)\ast {\displaystyle {\sum }_{\forall u\in V}\frac{P_t\left(u\right)}{\left|V\right|}}+d\ast {\displaystyle {\sum }_{\forall u\in in\left(v\right)}\frac{P_t\left(u\right)}{\left|out\left(u\right)\right|}}$ (1)

Let, $\left|V\right|$ be the number of pages considered. Surfer will stop clicking on any link with probability 1 − d. Since there are $\left|V\right|$ number of pages and probability of visiting v from any page is equally likely, the probability for each case is equal to $\frac{1}{\left|V\right|}$ .

Here $d\ast {\displaystyle {\sum }_{\forall u\in in\left(v\right)}\frac{P_t\left(u\right)}{\left|out\left(u\right)\right|}}$ represents the case when the surfer continues clicking links with probability d and goes to page v at time t + 1 from page u that has an incoming link to v.

Initially at t = 0, each page has the same ranking value probability which is equal to $\frac{1}{\left|V\right|}$ . Then iterations are executed over time until the stability is achieved. Once the probability distribution for each page becomes stable, considering high to low probabilities ranks are assigned.

2.2. Risk Rank Algorithm

By developing the concept applied in Google Page Rank Algorithm here we introduce a ranking method for risk of vulnerabilities [10] [11] [12] [13] [14] in a network system.

To estimate the probabilities in Risk Rank Algorithm Markov model techniques can be applied similarly as in Google Page Rank Algorithm [11] . However there is a difference between web surfing behavior and Cyber security attacking behavior. A web surfing user can randomly select a web page but in cyberattacks an attacker doesn’t have the same freedom. In web surfing user can arrive at any web page in one single step by using its URL. But attacker has many restrictions. In computer network system an attacker doesn’t have the access to all vulnerabilities in the network system. To achieve attacker’s target state he must exploits several vulnerabilities in a particular order and enters in to the target system.

In the attacking process an attacker has two options. He can either continue or quit from his current path. If it is too difficult for him to achieve his goal state he can quit on the current path and try an alternative path by starting over from one of the set of initial states. Base on these assumptions here we propose our model to calculate the probability distribution of a given security attack model.

To obtain the risk rank [15] [16] [17] [18] we used the risk factor $R\left(v\left(t\right)\right)$ [2] [3] of each vulnerability at each state and calculated normalized risk factor matrix A(V, R) for the attack network system by using $\phi \left(u,v\right)$ transition probabilities from state u to v. Thus, we can calculate transition probabilities using the equation $\phi \left(u,v\right)=\frac{R\left(v\left(t\right)\right)}{{{\displaystyle \sum }}_{\forall w\in out(u)}R\left(w\left(t\right)\right)}$ .

Let P_k(v) be the probability of exploiting state at time k and V be a set of all states under consideration. Here $out\left(v\right)$ represents the set of states in V with an outgoing link from v, and $in\left(v\right)$ represents the set of incoming link to v. The Risk rank computation can be viewed as a Markov process [1] [19] whose state are vulnerabilities and the links between vulnerabilities represent state transitions. This computation is given in the Equation (2) below.

$P_{k+1}\left(v\right)=\{\begin{array}{l}d\ast {\displaystyle {\sum }_{\forall u\in in\left(v\right)}{P}_k\left(u\right)}\ast \phi \left(u,v\right)+\frac{\left(1-d\right)}{\left|I\right|},\text{if}v\text{is}\text{an}\text{intial}\text{state}\\ d\ast {\displaystyle {\sum }_{\forall u\in in\left(v\right)}{P}_k\left(u\right)}\ast \phi \left(u,v\right),\text{if}v\text{isnotanintialstate}\end{array}$ (2)

Let |I| be the number of initial states and attacker will stop his current path with probability 1 − d. Since there are |V| numbers of states and probability of exploiting v from any other state is equally likely, the probability for each case is $\frac{1}{\left|V\right|}$ .

Here in Equation (2) $d\ast {\displaystyle {\sum }_{\forall u\in in\left(v\right)}{P}_k\left(u\right)}\ast \phi \left(u,v\right)$ represents the case when the attacker continues his current path with probability d and attack to state v at time t + 1 from state u that has an incoming link to vulnerability v.

Initially at t = 0 each state has the same ranking value which is equal to $\frac{1}{\left|V\right|}$ . Then computing iterations over time the stability is achieved. Once the probability distribution for each state become stable, ranks are assigned to each vulnerability [20] [21] [22] .

This procedure is illustrated by the following schematic diagram given in Figure 1.3. Illustration of Applying of the Risk Rank AlgorithmTo illustrate the proposed analytical approach model that we have developed as discussed above, we considered a Network Topology [1] [4] , given by Figure 2.

The computer network consists of two service hosts IP 1, IP 2 and an attackers workstation. Attacker is connecting to each of the servers via a central router. In the server IP 1 the vulnerability is labeled as CVE 2016-3230 and shall denote as V₁. In the server IP 2 there are two recognized vulnerabilities, which are labeled as CVE 2016-2832 and CVE 2016-0911. Let’s denote them as V₂ and V₃, respectively.

We proceed to use the CVSS score [12] [13] of the above vulnerabilities in our analysis.

The exploitability score (e(v) in Figure 2) and Risk Factor R(vj(t)) of each vulnerabilities as given in Table 1.

For example we can calculate the Risk Factor of V₁ as follows.

$R\left(vj\left(t\right)\right)=Y\left(t\right)\times e(vj)$

$R\left(v1\left(t\right)\right)=\left[\mathrm{0.1917010.383521}\left(1/t\right)-0.00358\ln \left(\ln \left(t\right)\right)\right]\times 8$

and

$R\left(v1\left(9\right)\right)=1.702$

Although our proposed algorithm can be applied to any form of network system, for simplicity we will use our host centric attack graph model [1] [4] [23] introduced below to illustrate the process. The host centric attack graph is shown by Figure 3. Here, we consider that the attacker can reach the goal state only by exploiting V₃ vulnerability. The graph shows all the possible paths that are available for the attacker to reach the goal state.

Note that IP1,1 state represents vulnerability V₁ and states IP2,1 and IP2,2 represent vulnerabilities V₂ and V₃ respectively. Attacker can reach each state by exploiting the relevant Vulnerability.

In this methodology for the Host Centric Attack graph [24] [25] we can have the Adjacency Matrix as follows. Applying the information given in Table 1, the matrix A(V, R) can be obtained as follows, where we can find the transition probabilities from one state to another state.

$A=\left[\begin{array}{cccc}0& 0.76& 0.24& 0\\ 0& 0& 1& 0\\ 0& 0.83& 0& 0.17\\ 0& 0& 0& 1\end{array}\right]$

Applying this normalized risk matrix into Algorithm 1, we can obtain steady state probabilities for each state in the network which represent risk of being exploited [14] [15] . Results we obtained for each state are shown in Table 2.

Table 2 results are in the order of being exploited by attacker at time t. Order of vulnerabilities based on the rank we obtained is s₁, s₂, s₃, s₀. This result suggests that s₁ has the highest likelihood of being attacked. This means at time t, s₁ is the most vulnerable state. However according to Table 1 risk factor values for vulnerability v₁ is 1.702 which is higher than the risk factor values of vulnerabilities v₂ and v₃. Therefore it is reasonable to assume that reaching state s₁ from initial state s₀ (attacker’s state) by exploiting v₁ vulnerability is easier than reaching states s₂ and s₃. Therefore, the risk rank of the state s₁ is higher than other states.

4. Behavior of Risk Ranks over Time

In this section we extend our methodology to obtain the risk ranks of each attack state over time. Since our risk factor is a function of time, with the age of vulnerabilities the transition probability matrix with respect to the attack graph also varies. In our attack graph we consider dates according to Table 1 and therefore after each day, transition probabilities in the matrix vary.

Table 3 illustrates risk ranks obtained for the next 10 days using the new algorithm we proposed. As these results indicate “risk ranks” for vulnerabilities varies over time. For example at time t = 5 risk probabilities are 0.15, 0.2742,

0.2628 and 0.313 for each state s₀, s₁, s₂ and s₃ respectively. As Table 3 exemplifies with initial ranks state one (vulnerability, V₁) was most risky or vulnerable. But, after two days state s₃ (Vulnerability, V₃) becomes the most vulnerable, hence the most risky state and continue to be so afterwards. It should be noted that “State 0” is not a vulnerability but represents the attacker. Therefore it is at the last of the order of ranks always. It is interesting to see that s₃ (Vulnerability, V₃) initially was at the least risk level so in the last position of the risk levels among vulnerabilities, and then just after one day becomes more risky and reach the second in the rank and after two dates become the dominating risk factor in this particular computer network model.

So, application of this algorithm in more a generalized real life network model would give us with the similar observations with respect to time. According to this model example, network administrators and defending resources must be allocated to resolve s₃ (Vulnerability, V₃) at priority.

5. Conclusions

In this chapter a new Ranking Algorithm was introduced to rank the vulnerabilities in a particular computer network system. The methodology of well-known Google Page Rank Algorithm was used and we further developed it to fit a computer network environment. General assumptions used in Google Page Rank Algorithm with respect to the probability of selecting a particular web link were changed according to the probability distributions we obtained by normalized vulnerability scores in subject computer network system. Ranks were obtained for each vulnerability based on the likelihood of those vulnerabilities getting exploited.

We have further developed the algorithm so that the Distribution of Ranks of Vulnerabilities in the subject computer network system is given as a function of time. That is; using our new algorithm, a user (a network system administrator or a researcher) would be able to observe the behavior of the ranks of vulnerabilities with respect to time. This new methodology will greatly help relevant parties to make better decisions to protect network systems because at a particular time t, the algorithm will indicate which vulnerabilities are most vulnerable and needed immediate attention or priority.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

Cite this paper

Kaluarachchilage, P.K.H., Tsokos, C.P. and Rajasooriya, S.M. (2019) Nonhomogeneous Risk Rank Analysis Method for Security Network System. Int. J. Communications, Network and System Sciences, 12, 1-10. https://doi.org/10.4236/ijcns.2019.121001

References