Publication


Featured research published by Elena Doynikova.


Information and Communication Technology - EurAsia Conference | 2014

Security Assessment of Computer Networks Based on Attack Graphs and Security Events

Igor V. Kotenko; Elena Doynikova

Security assessment is an important task for operation of modern computer networks. The paper suggests the security assessment technique based on attack graphs which can be implemented in contemporary SIEM systems. It is based on the security metrics taxonomy and different techniques for calculation of security metrics according to the data about current events. Proposed metrics form the basis for security awareness and reflect the current security situation, including development of attacks, attack sources and targets, and attackers’ characteristics. The technique suggested is demonstrated on a case study.


Parallel, Distributed and Network-Based Processing | 2011

Security Analysis of Information Systems Taking into Account Social Engineering Attacks

Igor V. Kotenko; Mikhail Stepashkin; Elena Doynikova

The paper suggests an attack-tree-based approach to security analysis of information systems. The approach considers both software-technical and social engineering attacks. It extends the approach to network security analysis based on software-technical attacks which was suggested earlier by the authors of this paper. The main difference is in generalizing the suggested approach for information systems and in the use of different conceptions, models and frameworks related to social-engineering attacks. In particular, we define conceptions of legitimate users and control areas. Besides, social-engineering attacks and attacks that require physical access to control areas are included in the attack trees used for security analysis. The paper also describes a security analysis toolkit based on the approach suggested and experiments with it to define the security level of an information system.


Availability, Reliability and Security | 2013

The Ontology of Metrics for Security Evaluation and Decision Support in SIEM Systems

Igor V. Kotenko; Olga Polubelova; Igor Saenko; Elena Doynikova

Analysis of computer network security is a serious challenge. Many security metrics have been proposed for this purpose, but their effective use for rapid and reliable security evaluation and generation of countermeasures in SIEM systems remains an important problem. The use of ontologies for security information representation in SIEM systems contributes largely to the success of this task. However, most works on ontological security data representation do not take into account the ontologies of security metrics. This paper proposes a new approach to using security metrics which is based on their ontological representation and serves for comprehensive security evaluation and subsequent countermeasure generation. The novelty of the proposed approach is that the ontology of security metrics is viewed as a core component of a countermeasure decision support system. The proposed solutions are tested on a specific example.


Parallel, Distributed and Network-Based Processing | 2016

Dynamical Calculation of Security Metrics for Countermeasure Selection in Computer Networks

Igor V. Kotenko; Elena Doynikova

The paper considers the issue of countermeasure selection for ongoing computer network attacks. The suggested technique is based on the countermeasure model that was defined on the basis of open standards, the family of interrelated security metrics and the security analysis technique based on attack graphs and service dependencies. The technique was implemented in a security assessment and countermeasure selection system. This technique was validated on case studies. It is applicable to security information and event management systems.


Conference on Risks and Security of Internet and Systems | 2015

Countermeasure Selection Based on the Attack and Service Dependency Graphs for Security Incident Management

Elena Doynikova; Igor V. Kotenko

The paper suggests an approach to countermeasure selection that is based on the application of quantitative risk metrics. The approach incorporates several techniques. These techniques differ for the static and dynamic modes of operation of the security analysis and countermeasure selection component. The techniques consider available input data on the network security state. The approach is based on the application of open standards for unified specification of security data, application of attack graphs and service dependency graphs to calculate different security metrics, and takes into account events and information from security information and events management (SIEM) systems.


Parallel, Distributed and Network-Based Processing | 2017

CVSS-based Probabilistic Risk Assessment for Cyber Situational Awareness and Countermeasure Selection

Elena Doynikova; Igor V. Kotenko

The paper suggests several techniques for computer network risk assessment based on the Common Vulnerability Scoring System (CVSS) and attack modeling. The techniques use a set of integrated security metrics and consider input data from security information and event management (SIEM) systems. Risk assessment techniques differ according to the input data used. They allow a risk assessment to be obtained considering requirements for accuracy and efficiency. Input data includes network characteristics, attacks, attacker characteristics, security events and countermeasures. The tool that implements these techniques is presented. Experiments demonstrate operation of the techniques for different security situations.


Mathematical Methods Models and Architectures for Network Security Systems | 2017

Choosing Models for Security Metrics Visualization

Maxim Kolomeec; Gustavo Gonzalez-Granadillo; Elena Doynikova; Andrey Chechulin; Igor V. Kotenko; Hervé Debar

This paper aims at finding optimal visualization models for representation and analysis of security related data, for example, security metrics, security incidents and cyber attack countermeasures. The classification of the most important security metrics and their characteristics that are important for their visualization is considered. The paper reviews existing data representation and visualization models and those suggested in the authors’ research. In addition, the most suitable models for different metric groups are outlined and analyzed. A case study is presented as an illustration of the way the visualization models are integrated with different metrics for security awareness.


Parallel, Distributed and Network-Based Processing | 2015

Countermeasure Selection in SIEM Systems Based on the Integrated Complex of Security Metrics

Igor V. Kotenko; Elena Doynikova

The paper considers a technique for countermeasure selection in security information and event management (SIEM) systems. The developed technique is based on the suggested complex of security metrics. For the countermeasure selection the set of security metrics is extended with an additional level needed for security decision support. This level is based on the countermeasure effectiveness metrics. Key features of the suggested technique are application of the attack and service dependency graphs, the introduced model of the countermeasure and the suggested metrics of the countermeasure effectiveness, cost and collateral damage. Another important feature of the technique is that it provides a decision on countermeasure implementation at any time on the basis of the current security state and security events.


Intelligent Data Acquisition and Advanced Computing Systems Technology and Applications | 2015

The CAPEC based generator of attack scenarios for network security evaluation

Igor V. Kotenko; Elena Doynikova

The paper proposes a technique and a software tool for generation of attack scenarios - random sequences of attack patterns and appropriate sequences of security events. The technique suggested is based on the application of open standards for representation of attack patterns and vulnerabilities. The tool was developed within the scope of the integrated system of network security analysis, risk assessment and countermeasure generation. It is intended to test the effectiveness of this system by simulation of the input data - random attacks against computer networks.


The Journal of Defense Modeling and Simulation: Applications, Methodology, Technology | 2018

Selection of countermeasures against network attacks based on dynamical calculation of security metrics

Igor V. Kotenko; Elena Doynikova

This paper considers the issue of countermeasure selection for ongoing computer network attacks. We outline several challenges that should be overcome for an efficient response: the uncertainty of an attacker's behavior, the complexity of interconnections between the resources of modern distributed systems, the huge set of security data, time limitations, and balancing between countermeasure costs and attack losses. Although there are many works that are focused on the particular challenges, we suppose that there is still a need for an integrated solution that takes into account all of these issues. We suggest a model-driven approach to security assessment and countermeasure selection in computer networks that takes into account characteristics of different objects of assessment. The approach is based on integration with security information and event management systems to consider the dynamics of attack development, taking into account security event processing. Open standards and databases are used to automate security data processing. The suggested technique for countermeasure selection is based on the countermeasure model that was defined on the basis of open standards, the family of interrelated security metrics, and the security analysis technique based on attack graphs and service dependencies. We describe the prototype of the developed system and validate it on several case studies.

Collaboration


Top Co-Authors

Igor V. Kotenko, Russian Academy of Sciences

Andrey Chechulin, Russian Academy of Sciences

Andrey Fedorchenko, Russian Academy of Sciences

Igor Saenko, Russian Academy of Sciences

Maxim Kolomeec, Russian Academy of Sciences

Olga Polubelova, Russian Academy of Sciences