Abstract:
Attacks from insiders usually disguise themselves as normal behaviors, which causes the uncertainty of the results based on anomaly detection models. Attack graph model is frequently used to describe the causal relationships among the steps in multiple attack progress, yet the uncertainty of events represented by the current observations is rarely considered in calculating the optimal security hardening measures, neither the impact of the probability of the attack success is depicted from the angle of probability after the implementation of the security measures. In this paper, we discuss completly three kinds of uncertainty in attack graph, and add the security hardening nodes into the probability attack graph model based on previous studies, and clarify the influence of the transition probability by security hardening measures. For the first time we put forward measures probability attack graph (MPAG) and apply it to the calculation of the optimal security hardening measures for insider threat risk analysis and mitigation. Based on this model, we prove that the calculation for optimal security hardening measures is an NP-hard problem, furthermore, we propose a greedy algorithm to calculate dynamically the approximate optimal security hardening measures set. Finally the paper proves in real network environment that the algorithm can calculate the approximate optimal security hardening measures set under certain cost constraints, given current observables sequence and the responding confidence probability.