Optimal monitoring and attack detection of networks modeled by Bayesian attack graphs  

作　　者：Armita Kazeminajafabadi Mahdi Imani 

机构地区：[1]Department of Electrical and Computer Engineering,Northeastern University,Boston,MA,USA

出　　处：《Cybersecurity》2024年第1期1-15,共15页网络空间安全科学与技术（英文）

基　　金：supported in part by the National Science Foundation award IIS-2202395;ARMY Research Office award W911NF2110299;Oracle Cloud credits and related resources provided by the Oracle for Research program.

摘　　要：Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are connected to external sources,through which attacks could enter and quickly spread to other network elements.Bayesian attack graphs(BAGs)are powerful models for security risk assessment and mitigation in complex networks,which provide the probabilistic model of attackers’behavior and attack progression in the network.Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring,which is unrealistic given the ever-growing complexity of threats.This paper derives the optimal minimum mean square error(MMSE)attack detection and monitoring policy for the most general form of BAGs.By exploiting the structure of BAGs and their partial and imperfect monitoring capacity,the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering.An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value.Exact and efficient matrix-form computations of the proposed policies are provided,and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.

关 键 词：Multi-stage attacks Bayesian attack graph Attack detection Optimal monitoring 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]