If you did not read the first part of this article yet, I recommend you do it first. The second part is more complex and entertaining.

Below we will describe Bayesian Networks applied to Cybersecurity matters, without a doubt, one of the subjects I have been hooked in last months. 

Bayesian Belief Networks

Without going into detail to deep in this complex model, a Bayesian Belief Network can be defined as a mathematical representation given by an acyclic directed graph, with the cause-effect relationships in a concrete problem. The nodes of the graph are random variables from which inference is made. The directed edges represent causal influence between variables; and the strength of the causal relationship is modeled by a Local Conditional Probability Distribution (LCPD), these distributions can be fulfilled with past incidents, metrics of exploitability, etc. This post is aimed at disseminating knowledge in a simple way, thus an easy example focused on a cybersecurity scenario will be explained step by step. The basic scenario of Poolsappasit et al. [1] has been taken as a reference:

In the example, Pr(D)=0,70 represents the administrator’s subjective belief on the chances of a remote attack.  The attacker would have two vulnerabilities to exploit:

1. MATU FTP BOF vulnerability (Node B);
2. Remote BOF on SSH daemon (Node C).

The vulnerability exploitation would give access to root privileges on FTP Server (Node A). The example has a learning purpose; the target is not to assess if this is a realistic scenario, but to understand the behavior of the model behind. The values on the edges reflect the probability of success of the associated vulnerability exploitation, computed by following a modification of CVSS[2] proposed by the authors. The LCPDs are fulfilled from the values of “exploitability”, and the values of the cells are written in formal way as:

• Pr(C|¬D), represents the probability to reach Node C, without the remote attacker (Node D). It is equal to 0,0 (third row, second column of the LCPD in Node C).
• Pr(C|D), represents the probability to reach Node C given D=”remote attacker”=TRUE (Node D). It is equal to 0,7 (second row, second column of the LCPD in Node C).
• Pr(A|B,¬C) , represents the probability to reach Node A given B=TRUE and C=FALSE (The attacker has exploited only the MATU FTP vulnerability). Is equal to 0,65 (third row, third column of the LCPD in Node A).

From the data in the LCPD, the model can compute a priori probability which represents the probability to reach a node in the graph. And a posteriori probabilities, using Bayes Theorem, show the probability to reach a node knowing some hypothesis, some security incidents. Below we will compute examples of the different probabilities:

• Pr(C), is computed as a priori or unconditional probability to reach Node C. Thus, this probability has into account the chance to remote attack happen moreover the probability of successful exploit, in other words, take into account the predecessors.  How can Pr(C) be computed? Following the chain rule, in this case:

o   Pr(C) = [ Pr(C|D) x Pr(D) ]+ [Pr(C|¬D) x Pr(¬D)]

o   Pr(C) = [ 0,7 x 0,7 ] + [0,0 x 0,3] = 0,49

• Now, the same exercise to compute a priori probability in Node A. In order to compute  Pr(A) following the chain rule all possible scenarios must be considered:

o   Pr(A) = [Pr(A|B,C) x Pr(B|D) x Pr(C|D) x P(D)] +

[Pr(A|¬B,C)] x Pr(¬B|D) x Pr(C|D) x Pr(D)] +

[Pr(A|B,¬C)] x Pr(B|D) x Pr(¬C|D) x Pr(D)] +

[Pr(A|¬B,¬C) x Pr(¬B|D) x Pr(¬C|D) x Pr(D)] =

[1 x 0,85 x 0,7 x 0,7] +

[1 x 0,15 x 0,7 x 0,7] +

[0,65 x 0,85 x 0,3 x 0,7] +

[0 x 0,15 x 0,3 x 0,7]= 0,6060

• Lastly, we are going to practice with Bayes Theorem. The Theorem serves (in this scenario) to compute in reverse order, that is, up to now we are computing the a priori probability of future events (‘Access root in FTP server’) given the predecessors (BOF on SSH daemon). With Bayes, we know that there has been a Root Access in FTP Server and we would like to know if the SSH daemon vulnerability has been exploited to gain access. For example, we will compute Pr(C|A) means the probability of C occurring given that we know A has occurred. Following Bayes Theorem:

o   Pr(C|A) = [Pr(A|C) x Pr(C)] / Pr(A) = [1 x 0,49] / 0,61 = 0,80

Predictably, “the probability of C given A=TRUE” is bigger than “a priori probability of C”=Pr(C).

Using Bayes Theorem and computing a posteriori probabilities we could know the most exposed nodes one the attack has been happened. With this model the system administrators dynamically identify the evolution of weak points of the graph based upon the advance of the attack.

References

1. Poolsappasit, N.; Dewri, R. & Ray, I. (2012), 'Dynamic Security Risk Management Using Bayesian Attack Graphs.', IEEE Trans. Dependable Sec. Comput. 9 (1) , 61-74.
2. M. Schiffman, “Common Vulnerability Scoring System (CVSS),” http://www.first.org/cvss/cvss-guide.html , 2011.