Computer Science, 2022, Vol. 49, Issue (9): 306-311. doi: 10.11896/jsjkx.210600171

• Information Security •

Network Security Risk Assessment Framework Based on Tactical Correlation

LIU Jie-ling1, LING Xiao-bo2, ZHANG Lei3, WANG Bo1, WANG Zhi-liang1, LI Zi-mu1, ZHANG Hui1, YANG Jia-hai1, WU Cheng-nan4   

  1 Institute for Network Science and Cyberspace & BNRist, Tsinghua University, Beijing 100084, China
  2 State Grid Shanghai Electric Power Company, Shanghai 200122, China
  3 State Grid Shanghai Electric Power Research Institute, Shanghai 200437, China
  4 Songjiang Power Supply Company of State Grid Shanghai Municipal Electric Power Company, Shanghai 201699, China
  • Received: 2021-06-22 Revised: 2021-12-27 Online: 2022-09-15 Published: 2022-09-09
  • About author: LIU Jie-ling, born in 1995, master. His main research interests include advanced persistent threat and game theory.
    YANG Jia-hai, born in 1966, professor, Ph.D. supervisor, is a member of China Computer Federation. His main research interests include network management, network measurement and security, cloud computing and network functions virtualization.
  • Supported by: National Key Research and Development Program of China (2017YFB0803004).

Abstract: The power system network is one of the important targets of cyber attack. To ensure the safe operation of the power system, network managers need to evaluate network security risk. Existing network security risk assessment frameworks usually consider only a single scenario, and cannot pick out, from large volumes of network security alerts, strategic attackers who chain a variety of low-risk techniques to reach a high-risk target. To meet this challenge, this paper proposes a network security risk assessment method based on tactical correlation. In this method, the alerts generated on various network security detection devices while an attacker carries out a multi-step attack are correlated to form an attack chain, and the security risk of the organization's intranet is evaluated by calculating the threat, vulnerability and impact score of each node in the attack chain and the risk score of the whole chain. To verify the effectiveness and robustness of the proposed method, this paper selects a representative example to illustrate the concrete process of applying the method to network security risk assessment in an organizational intranet. The example shows that the tactical-correlation-based framework correctly assesses the harm of a multi-step attack in which correlated low-risk alerts lead to a high-risk target, and is more robust than the traditional single-scenario analysis method, so it can better provide a decision-making basis for organizational decision-makers in network security risk management.
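The abstract describes the method only at the level of "correlate alerts into an attack chain, then score each node and the whole chain". The following Python script is an added illustration of that idea and is not the paper's own code: it links constructed alerts into chains when they are connected by host and progress forward through an ordered subset of MITRE ATT&CK tactics, then scores each node as threat x vulnerability x impact and the chain as a noisy-OR of its per-step threat x vulnerability values times the impact of the asset finally reached. The tactic order, severity-to-threat mapping, asset table, alert list and both scoring formulas are assumptions made for this example, not values from the paper; the point it demonstrates is that a chain of individually low-risk alerts can score far higher than any single one of them.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed: an ordered subset of MITRE ATT&CK enterprise tactics. A plausible
# multi-step attack moves forward (or stays) in this order.
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "credential-access", "lateral-movement", "collection", "exfiltration",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}

# Assumed: per-alert threat score (0..1) derived from detector severity.
THREAT_BY_SEVERITY = {"low": 0.3, "medium": 0.6, "high": 0.9}

# Constructed asset inventory: vulnerability (0..1, e.g. patch state/exposure)
# and impact (0..1, business criticality) for each host.
ASSETS = {
    "ws-01":    {"vulnerability": 0.5, "impact": 0.2},
    "ws-02":    {"vulnerability": 0.5, "impact": 0.2},
    "jump-01":  {"vulnerability": 0.4, "impact": 0.5},
    "scada-db": {"vulnerability": 0.7, "impact": 1.0},
}


@dataclass(frozen=True)
class Alert:
    ts: int        # constructed timestamp (seconds)
    src: str       # host the activity originated from
    dst: str       # host the activity landed on (== src for local activity)
    tactic: str    # ATT&CK tactic the detector mapped the alert to
    severity: str  # detector severity: low / medium / high


@dataclass
class Chain:
    alerts: List[Alert] = field(default_factory=list)

    @property
    def last(self) -> Alert:
        return self.alerts[-1]

    def can_extend(self, a: Alert) -> bool:
        """An alert continues a chain if it is hosted where the chain currently
        is and does not move backwards in tactic order or in time."""
        last = self.last
        connected = a.src in (last.dst, last.src)
        forward = TACTIC_RANK[a.tactic] >= TACTIC_RANK[last.tactic]
        return connected and forward and a.ts >= last.ts


def correlate(alerts: List[Alert]) -> List[Chain]:
    """Greedy tactical correlation: each alert (in time order) is appended to
    the most recent chain it can extend; otherwise it starts a new chain."""
    chains: List[Chain] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for chain in reversed(chains):
            if chain.can_extend(a):
                chain.alerts.append(a)
                break
        else:
            chains.append(Chain([a]))
    return chains


def node_risk(a: Alert) -> float:
    """Assumed node score: threat x vulnerability x impact on a 0..10 scale."""
    asset = ASSETS[a.dst]
    return round(10 * THREAT_BY_SEVERITY[a.severity]
                 * asset["vulnerability"] * asset["impact"], 2)


def chain_risk(chain: Chain) -> float:
    """Assumed chain score: noisy-OR of threat x vulnerability over all steps
    (probability that the attacker gets through), times the impact of the
    asset the chain finally reaches, on a 0..10 scale."""
    p_fail = 1.0
    for a in chain.alerts:
        p_fail *= 1.0 - THREAT_BY_SEVERITY[a.severity] * ASSETS[a.dst]["vulnerability"]
    return round(10 * (1.0 - p_fail) * ASSETS[chain.last.dst]["impact"], 2)


# Constructed alert stream: five low-severity alerts that together walk from a
# workstation to the critical database, plus one unrelated medium alert.
SAMPLE_ALERTS = [
    Alert(100, "ws-01", "ws-01", "initial-access", "low"),
    Alert(160, "ws-01", "ws-01", "execution", "low"),
    Alert(300, "ws-02", "ws-02", "execution", "medium"),
    Alert(400, "ws-01", "jump-01", "lateral-movement", "low"),
    Alert(700, "jump-01", "scada-db", "lateral-movement", "low"),
    Alert(900, "scada-db", "scada-db", "collection", "low"),
]

if __name__ == "__main__":
    for chain in correlate(SAMPLE_ALERTS):
        steps = " -> ".join(f"{a.tactic}@{a.dst}" for a in chain.alerts)
        print(f"chain risk {chain_risk(chain):>5}  "
              f"max node risk {max(node_risk(a) for a in chain.alerts):>4}  {steps}")
```

On the constructed stream the five-step chain scores about 6.0 while its highest-scoring single node scores 2.1, so a single-alert view would rank the unrelated medium alert on ws-02 (0.6) close to every step of the real intrusion. The greedy linking is deliberately simple; a production correlator would also bound the time window between steps and tolerate missed detections.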

Key words: Network security, Advanced persistent threat (APT), Risk assessment, Tactical correlation, Risk management

CLC Number: TP309