Security measures for a computer network system can be enhanced with a better understanding of vulnerabilities and their behavior over time. It is observed that the effects of vulnerabilities vary over their life cycle. In the present study we present a new methodology to assess the magnitude of the risk of a vulnerability as a “Risk Rank”. To derive it, the well-known Markovian approach with a transition probability matrix is used, including relevant risk factors for discovered and recorded vulnerabilities. In addition to observing the risk factor of each vulnerability individually, we introduce the concept of ranking vulnerabilities at a particular time, taking an approach similar to the Google Page Rank algorithm. The new methodology is exemplified using a simple model of a computer network with three recorded vulnerabilities and their CVSS scores.

A network system can have numerous vulnerabilities. The process by which vulnerabilities arise is highly stochastic and its outcomes are hard to predict; the behavior of attacks and attackers is similarly unpredictable. When a particular system is analyzed on the basis of its discovered vulnerabilities, the analysis must account for the dynamic nature of their effect over time. As we observed in our previous researches [_{1} might not be the same at time t_{2}. Hence, it would be very useful to have analytical models that describe how the rank of vulnerabilities, based on the magnitude of the threat, behaves with respect to time for a given network system.

Such a ranking distribution over time would empower defenders by indicating the priority in which vulnerabilities should be fixed. In this paper we attempt to address this need.

In Section 2, the methodology of this new ranking approach is discussed with relevant introductions to Google Page Rank Algorithm and the Risk Rank Algorithm presented in this study. Section 3 illustrates the application of the proposed methodology with a model example step by step. Section 4 discusses the resulting risk ranks for vulnerabilities and their behavior over time. In Section 5, contributions of the study and conclusions are summarized.

This section provides the background for our quantitative analysis of the risk rank algorithm. Ranking web pages is an important function of an internet search engine [

The output of this algorithm is a probability distribution representing the likelihood that a person randomly clicking on links arrives at any particular page. Using this method we can rank the likelihood of clicking on any web link, for any number of web links. In this algorithm the page rank values of all considered web pages sum to one, and it is assumed that initially every web page is equally likely to be selected.

The Google page rank algorithm simulates the clicking behavior of a web surfer in two ways: the surfer either follows an incoming link to the current web page or picks a web page at random. Google page rank theory holds that a surfer who is randomly clicking on web links will eventually stop clicking. At each step, a damping factor d is the probability that the surfer continues surfing. Many studies have tested various damping factors, but in general it is assumed that the damping factor is set around 0.85.

Let $P_t(v)$ be the probability of visiting web page $v$ at time $t$ and $V$ be the set of all web pages under consideration. Here $out(v)$ represents the set of web pages in $V$ with an outgoing link from $v$, and $in(v)$ represents the set of incoming links to $v$. The page rank computation can be viewed as a Markov process whose states are pages and whose links between pages represent state transitions. This computation is given in Equation (1) below.

$$P_{t+1}(v) = (1 - d) \sum_{\forall u \in V} \frac{P_t(u)}{|V|} + d \sum_{\forall u \in in(v)} \frac{P_t(u)}{|out(u)|} \qquad (1)$$

Let $|V|$ be the number of pages considered. The surfer stops clicking on any link with probability $1 - d$. Since there are $|V|$ pages and visiting $v$ from any page is equally likely, the probability for each case is $\frac{1}{|V|}$.

Here $d \sum_{\forall u \in in(v)} \frac{P_t(u)}{|out(u)|}$ represents the case in which the surfer continues clicking links with probability $d$ and goes to page $v$ at time $t + 1$ from a page $u$ that has a link into $v$.

Initially, at $t = 0$, each page has the same ranking probability $\frac{1}{|V|}$. Iterations are then executed over time until stability is achieved. Once the probability distribution over the pages is stable, ranks are assigned from the highest probability to the lowest.

By developing the concept applied in Google Page Rank Algorithm here we introduce a ranking method for risk of vulnerabilities [

To estimate the probabilities in Risk Rank Algorithm Markov model techniques can be applied similarly as in Google Page Rank Algorithm [

In the attacking process an attacker has two options: continue along the current path or quit it. If reaching the goal state proves too difficult, he can abandon the current path and try an alternative by starting over from one of the initial states. Based on these assumptions we propose our model for calculating the probability distribution of a given security attack model.

To obtain the risk rank [

Let $P_k(v)$ be the probability of exploiting state $v$ at time $k$ and $V$ be the set of all states under consideration. Here $out(v)$ represents the set of states in $V$ with an outgoing link from $v$, and $in(v)$ represents the set of incoming links to $v$. The risk rank computation can be viewed as a Markov process [

$$P_{k+1}(v) = \begin{cases} d \sum_{\forall u \in in(v)} P_k(u)\,\varphi(u, v) + \dfrac{1 - d}{|I|}, & \text{if } v \text{ is an initial state} \\[1ex] d \sum_{\forall u \in in(v)} P_k(u)\,\varphi(u, v), & \text{if } v \text{ is not an initial state} \end{cases} \qquad (2)$$

Let $|I|$ be the number of initial states; the attacker stops his current path with probability $1 - d$. Since there are $|V|$ states and exploiting $v$ from any other state is equally likely, the probability for each case is $\frac{1}{|V|}$.

Here, in Equation (2), $d \sum_{\forall u \in in(v)} P_k(u)\,\varphi(u, v)$ represents the case in which the attacker continues his current path with probability $d$ and attacks state $v$ at time $k + 1$ from a state $u$ that has a link into vulnerability $v$.

Initially, at $t = 0$, each state has the same ranking value $\frac{1}{|V|}$. Iterating over time, stability is achieved. Once the probability distribution over the states is stable, ranks are assigned to each vulnerability [

This procedure is illustrated by the following schematic diagram given in

The computer network consists of two service hosts, IP 1 and IP 2, and an attacker’s workstation. The attacker connects to each server via a central router. The server IP 1 has one vulnerability, labeled CVE 2016-3230, which we denote V_{1}. The server IP 2 has two recognized vulnerabilities, labeled CVE 2016-2832 and CVE 2016-0911, which we denote V_{2} and V_{3}, respectively.

We proceed to use the CVSS score [

The exploitability score (e(v) in

For example, the risk factor of V_{1} is calculated as follows.

$$R(v_j(t)) = Y(t) \times e(v_j)$$

$$R(v_1(t)) = \left[\, 0.191701 \; 0.383521\,(1/t) - 0.00358\,\ln(\ln(t)) \,\right] \times 8$$

and

$$R(v_1(9)) = 1.702$$

Although our proposed algorithm can be applied to any form of network system, for simplicity we will use our host centric attack graph model [_{3} vulnerability. The graph shows all the possible paths that are available for the attacker to reach the goal state.

Note that state IP1,1 represents vulnerability V_{1}, and states IP2,1 and IP2,2 represent vulnerabilities V_{2} and V_{3}, respectively. The attacker reaches each state by exploiting the relevant vulnerability.

In this methodology for the Host Centric Attack graph [

Vulnerability | Published date | CVSS score | e(v_j) | t_j | R(v_j(t)) |
---|---|---|---|---|---|
V_{1} (CVE 2016-3230) | 6/15/2016 | 9 (High) | 8 | 9 | 1.702 |
V_{2} (CVE 2016-2832) | 6/13/2016 | 4.3 (Medium) | 2.8 | 11 | 0.3667 |
V_{3} (CVE 2016-0911) | 6/19/2016 | 1.9 (Low) | 3.4 | 5 | 0.2474 |

$$A = \begin{bmatrix} 0 & 0.76 & 0.24 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 0.83 & 0 & 0.17 \\ 0 & 0 & 0 & 1 \end{bmatrix}$$

Applying this normalized risk matrix in Algorithm 1, we obtain steady-state probabilities for each state in the network, which represent the risk of its being exploited [

_{1}, s_{2}, s_{3}, s_{0}. This result suggests that s_{1} has the highest likelihood of being attacked. This means at time t, s_{1} is the most vulnerable state. However according to _{1} is 1.702 which is higher than the risk factor values of vulnerabilities v_{2} and v_{3}. Therefore it is reasonable to assume that reaching state s_{1} from initial state s_{0} (attacker’s state) by exploiting v_{1} vulnerability is easier than reaching states s_{2} and s_{3}. Therefore, the risk rank of the state s_{1} is higher than other states.

In this section we extend our methodology to obtain the risk ranks of each attack state over time. Since our risk factor is a function of time, with the age of vulnerabilities the transition probability matrix with respect to the attack graph also varies. In our attack graph we consider dates according to

States | Rank probability | Rank |
---|---|---|
s_{0} | 0.15 | 4 |
s_{1} | 0.293669 | 1 |
s_{2} | 0.279731 | 2 |
s_{3} | 0.2766 | 3 |

Time | S_{0} | S_{1} | S_{2} | S_{3} | Rank state by highest risk |
---|---|---|---|---|---|
1 | 0.15 | 0.293669 | 0.279731 | 0.2766 | S_{1}, S_{2}, S_{3}, S_{0} |
2 | 0.15 | 0.2926 | 0.2723 | 0.2851 | S_{1}, S_{3}, S_{2}, S_{0} |
3 | 0.15 | 0.2799 | 0.2678 | 0.3023 | S_{3}, S_{1}, S_{2}, S_{0} |
4 | 0.15 | 0.2766 | 0.2648 | 0.3086 | S_{3}, S_{1}, S_{2}, S_{0} |
5 | 0.15 | 0.2742 | 0.2628 | 0.313 | S_{3}, S_{1}, S_{2}, S_{0} |
6 | 0.15 | 0.2725 | 0.2612 | 0.3163 | S_{3}, S_{1}, S_{2}, S_{0} |
7 | 0.15 | 0.2712 | 0.2601 | 0.3187 | S_{3}, S_{1}, S_{2}, S_{0} |
8 | 0.15 | 0.2702 | 0.2592 | 0.3206 | S_{3}, S_{1}, S_{2}, S_{0} |
9 | 0.15 | 0.2694 | 0.2585 | 0.3221 | S_{3}, S_{1}, S_{2}, S_{0} |
10 | 0.15 | 0.2688 | 0.2579 | 0.3233 | S_{3}, S_{1}, S_{2}, S_{0} |

0.2628 and 0.313 for the states s_{0}, s_{1}, s_{2} and s_{3}, respectively. As _{1}) was the most risky, or most vulnerable, state. But after two days state s_{3} (vulnerability V_{3}) becomes the most vulnerable, hence the most risky, state and continues to be so afterwards. It should be noted that “State 0” is not a vulnerability but represents the attacker; therefore it is always last in the order of ranks. It is interesting to see that s_{3} (vulnerability V_{3}) was initially at the lowest risk level, and so last among the vulnerabilities, then after just one day became more risky and reached second in the rank, and after two days became the dominating risk factor in this particular computer network model.

So, applying this algorithm to a more general real-life network model would give similar observations with respect to time. According to this model example, network administrators and defending resources should be allocated to resolving s_{3} (vulnerability V_{3}) as a priority.
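The computation described in Sections 2 to 4 (Equation (2), the risk-weighted transition matrix, and the re-ranking of states as the risk factors change with time), as an added worked example that is not the paper's own code. It assumes the attack graph edges read from the paper's figure (s0 → s1 or s2, s1 → s2, s2 → s1 or the goal s3), assumes the matrix rows are from-states and columns are to-states, and builds φ(u, v) by weighting each out-edge by the target's risk factor R(v) and normalizing each row; the goal state keeps its mass with a self-loop, as the last row of the paper's matrix A does. Day 1 uses the risk factors of Table 1; the day-2 risk factors are constructed values, not from the paper. For this construction the day-1 order comes out as s1, s2, s3, s0, the same order as Table 2, though the probabilities themselves differ from the tabulated ones because the paper's exact normalization is not reproduced here.

```python
# Added example (not the paper's code): Risk Rank update of Equation (2)
# on a small host-centric attack graph, with phi(u, v) built from
# per-vulnerability risk factors R(v_j(t)) and the ranking recomputed per day.

D = 0.85        # damping factor: probability the attacker keeps the current path
TOL = 1e-10     # stop iterating when no state changes by more than this


def normalize_risk_matrix(edges, risk, n_states):
    """phi[u][v] = R(v) / sum(R(w) for w in out(u)).
    Each out-edge of u is weighted by the risk factor of its target and the
    row is normalized to one.  A state with no out-edges (the goal) keeps a
    self-loop.  Assumption: rows are from-states, columns are to-states."""
    phi = [[0.0] * n_states for _ in range(n_states)]
    for u in range(n_states):
        outs = edges.get(u, [])
        if not outs:
            phi[u][u] = 1.0
            continue
        total = sum(risk[v] for v in outs)
        for v in outs:
            phi[u][v] = risk[v] / total
    return phi


def risk_rank(phi, initial, d=D, max_iter=100_000, tol=TOL):
    """Iterate Equation (2) from the uniform start P_0(v) = 1/|V| until stable.
    Returns the stationary probabilities P(v), one per state."""
    n = len(phi)
    p = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = []
        for v in range(n):
            # d * sum over u in in(v) of P_k(u) * phi(u, v); phi is 0 off-edge
            flow = d * sum(p[u] * phi[u][v] for u in range(n))
            if v in initial:
                flow += (1.0 - d) / len(initial)   # (1 - d) / |I| for initial states
            nxt.append(flow)
        if max(abs(a - b) for a, b in zip(p, nxt)) < tol:
            return nxt
        p = nxt
    return p


def rank_states(p):
    """State indices ordered from highest to lowest risk probability."""
    return sorted(range(len(p)), key=lambda v: -p[v])


def ranks_over_time(edges, n_states, initial, risk_by_time):
    """For each time step, rebuild phi from that step's risk factors and rank.
    Returns {time: [states, highest risk first]}."""
    return {
        t: rank_states(risk_rank(normalize_risk_matrix(edges, risk, n_states), initial))
        for t, risk in risk_by_time.items()
    }


# Constructed attack graph (assumption about the paper's figure): s0 = attacker,
# s1 = V1 on IP1, s2 = V2 on IP2, s3 = V3 on IP2 (goal state).
EDGES = {0: [1, 2], 1: [2], 2: [1, 3], 3: []}
N_STATES = 4
INITIAL = {0}

# Day 1: risk factors from the paper's Table 1.
# Day 2: constructed values (not from the paper) in which V3's risk has grown.
RISK_BY_TIME = {
    1: {1: 1.702, 2: 0.3667, 3: 0.2474},
    2: {1: 0.90, 2: 0.30, 3: 0.90},
}

if __name__ == "__main__":
    for t, order in ranks_over_time(EDGES, N_STATES, INITIAL, RISK_BY_TIME).items():
        print(f"t={t}: " + ", ".join(f"s{v}" for v in order))
```

Because the attacker state s0 has no incoming edge, its stationary value is exactly (1 − d)/|I| = 0.15 regardless of the risk factors, which is why it sits at 0.15 in every row of the paper's tables; every other state's value moves as the daily risk factors re-weight the matrix.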

In this paper a new ranking algorithm was introduced to rank the vulnerabilities in a particular computer network system. The methodology of the well-known Google Page Rank algorithm was used and further developed to fit a computer network environment. The general assumptions of the Google Page Rank algorithm about the probability of selecting a particular web link were replaced by the probability distributions obtained from normalized vulnerability scores in the subject computer network system. Ranks were obtained for each vulnerability based on the likelihood of that vulnerability being exploited.

We have further developed the algorithm so that the distribution of ranks of vulnerabilities in the subject computer network system is given as a function of time. That is, using our new algorithm, a user (a network system administrator or a researcher) can observe the behavior of the ranks of vulnerabilities with respect to time. This new methodology will greatly help relevant parties make better decisions to protect network systems, because at a particular time t the algorithm indicates which vulnerabilities are most exposed and need immediate attention or priority.

The authors declare no conflicts of interest regarding the publication of this paper.

Kaluarachchilage, P.K.H., Tsokos, C.P. and Rajasooriya, S.M. (2019) Nonhomogeneous Risk Rank Analysis Method for Security Network System. Int. J. Communications, Network and System Sciences, 12, 1-10. https://doi.org/10.4236/ijcns.2019.121001