Research on Network Security Quantitative Model Based on Probabilistic Attack Graph

In order to identify threats to computer network security and evaluate its vulnerability comprehensively, the factors related to network security are studied and attack-graph-based methods are improved. Starting from the attribute attack graph, a probabilistic attack graph model is generated by adding the various factors that affect network security. The model uses security-equipment performance data, Common Vulnerability Scoring System (CVSS) data and similar sources to calculate prior probabilities, finally obtains a network security index, and carries out an exploratory analysis. The experimental results show that the model is feasible and effective. Compared with other vulnerability assessment methods, the model offers comprehensive evaluation with concise calculation.


Introduction
Network attacks persist and grow, posing a great threat to the Internet and to business networks of all kinds. To protect a network effectively, its security must be analysed comprehensively, understanding the threat from both the attack and the defence side. To achieve this goal, the model based on the probabilistic attack graph is improved.
There are many studies on security evaluation methods based on attack graphs [1][2][3][4][5][6][7][8][9], but they do not consider some of the uncertainties present in a network. A network attack is complex behaviour, and a quantitative analysis of network security based only on the combination of attacks is not convincing. The main contributions of this paper are: (1) the factors that affect the attack effect are added to the probabilistic attack graph; (2) a new method of converting an attribute attack graph into a probabilistic attack graph is given.
Section 2 of this paper introduces related work; Section 3 gives the definition of the probabilistic attack graph model, then introduces its construction method, the probability calculation formulas and the network security quantification method; Section 4 shows the calculation process and demonstrates the validity of the model by experiment. Finally, the work of this paper is summarised and future research is outlined.

Related work
The related research work starts from research on attack graphs. Sheyner et al. [1] gave a method for the automatic generation of state attack graphs. Wang et al. [3] proposed a network security measurement method based on the attribute attack graph. Chen Sisi [10] proposed a quantitative vulnerability assessment method based on Bayesian network calculation. Chen Feng et al. [5] and Ye Yun et al. [4] used the maximum probability to handle attribute attack graphs that contain loops. Jia Wei et al. [6] quantitatively evaluated the cost to an attacker of exploiting a vulnerability and analysed the minimal-cost attack path. This paper is closest to the work in the literature [8,9]. The loop-avoidance algorithm proposed by Fang Yan et al. [8] removes some of the state nodes, which loses information needed for the security assessment; in addition, the relations between nodes in that graph are mixed, which makes the description of the graph unclear. The Bayesian attribute attack graph model established by Wang Xiujuan et al. [9] does not consider the factors that affect the attack effect in the network, and so has some defects.

Probabilistic Attack Graph Model
Attack graphs fall into two main categories: state attack graphs [1] and attribute attack graphs [3]. In recent years scholars have tended to use attribute attack graphs. An attribute attack graph is a directed graph with two types of nodes, attribute nodes and atomic attack nodes. An atomic attack can occur only when all of its precondition attributes are satisfied; when it succeeds, the resulting attribute represents the new attack condition the attacker has acquired. This paper generates the probabilistic attack graph from the attribute attack graph.

Definition of probabilistic attack graph
The probabilistic attack graph is a directed acyclic graph with causal and probabilistic semantics: the state and occurrence probability of a node depend only on its parent nodes. A probabilistic attack graph is defined as a directed acyclic graph $(N, E, P)$.
$N$ is the set of nodes, $N = S \cup A \cup I \cup C \cup D$, where $S$ is the set of attribute nodes, $A$ the set of atomic attack nodes, $I$ the set of scan (information) nodes, $C$ the set of operation control nodes and $D$ the set of security protection nodes; every node takes the value 1 or 0. $P$ is the probability set. For $s \in S$, $P(s)$ is the probability that the attribute condition is satisfied. For $a \in A$, $P(a)$ is the probability that the atomic attack succeeds. For $i \in I$, $P(i)$ is the probability that the information about the target network obtained by the attacker with a tool such as a probe scan enables the attacker to carry out the corresponding atomic attack successfully. For $c \in C$, $P(c)$ is the probability that the attacker can ensure the success of the atomic attack through control or other tools. For $d \in D$, $P(d)$ is the probability that the atomic attack succeeds in the event that the protection in the target network fails.
$E$ is the set of directed edges representing the causal relations between nodes. In a probabilistic attack graph, the edges pointing to the same node stand in an "AND" or an "OR" relation (see Fig. 1), defined as follows: (1) Edges pointing to an attack node are in the "AND" relation: for all $e_1, e_2 \in E$ with start nodes in $S \cup I \cup C \cup D$ and $\mathrm{end}(e_1) = \mathrm{end}(e_2) = a \in A$, the relation between $e_1$ and $e_2$ is "AND". (2) Edges pointing to an attribute node are in the "OR" relation: for all $e_1, e_2 \in E$ with start nodes in $A$ and $\mathrm{end}(e_1) = \mathrm{end}(e_2) = s \in S$, the relation between $e_1$ and $e_2$ is "OR".

Generation of a probabilistic attack graph
To generate a probabilistic attack graph, the loops in the attribute attack graph must first be eliminated. Loops do occur in real-world network attacks, for example when a virus repeatedly infects a machine, but most attack-graph studies adopt the monotonicity hypothesis [2]: the attacker's gains increase monotonically, so the attacker does not attack the same machine repeatedly. There are many methods of eliminating loops in an attack graph; the literature [4] deletes some nodes of the loop, and the literature [9] deletes the most difficult atomic attack in the loop. This paper holds that (1) the least secure path should be retained, and (2) as far as possible, all states reachable by the attacker should be kept. The algorithms for generating the attribute attack graph and for eliminating loops are not the focus of this paper and are not described in detail here. After the loops are removed, additional nodes are added according to the security assessment requirements. First, identify the uncertain factors related to the attack effect, judge which atomic attacks each may affect from the relation between its deployment location and the attack paths, and add the corresponding protection, information and control nodes to the graph. Second, a number of attacks do not exploit software vulnerabilities, such as password guessing and traffic-based denial-of-service attacks; such attacks are added to the graph as atomic attacks. After this treatment, the basic structure of the probabilistic attack graph is determined.
According to the definition above, there are only two relations between the edges pointing to a node in a probabilistic attack graph, "AND" and "OR". By Bayesian theory, $P(a) = P(a \mid \mathrm{Pa}(a))$ for an atomic attack node $a$ and $P(s) = P(s \mid \mathrm{Pa}(s))$ for an attribute node $s$, where $a$ and $s$ are intermediate or leaf nodes and $\mathrm{Pa}(a)$ and $\mathrm{Pa}(s)$ are their respective parent node sets; $P(a)$ and $P(s)$ are thus defined by the "AND" and "OR" relations respectively. The assignment of the root nodes of a probabilistic attack graph is discussed next. The attribute nodes are divided into initial attribute nodes, intermediate nodes and endpoint states. An initial attribute state is an initial condition already held by the attacker, so for every initial attribute node $s$, $P(s) = 1$.
In this paper, the access vector (AV), authentication (AU) and access complexity (AC) metrics provided by CVSS are used as the basis for calculating $P(c)$. In CVSS (version 2), the exploitability subscore of a vulnerability is defined as $E = 20 \times AV \times AC \times AU$ with $0 \le E \le 10$. The smaller $E$ is, the more difficult the atomic attack and the harder it is for the attacker to gain control. In general, Formula (2) is therefore used to assign the value of $P(c)$. The value of $P(i)$ is assigned from the accuracy index of a popular scanning tool (such as Nmap). The computation of $P(d)$ is somewhat more involved; its probability expresses the influence of the network protection equipment and security mechanisms on the atomic attack.

Network security exploration and analysis
Using the probabilistic attack graph to evaluate security covers two tasks: (1) evaluating network security after some evidence has been obtained, and (2) exploratory analysis of network security. The literature [8,9,11] studies (1); this paper mainly aims at (2). The basis of exploratory analysis is the quantification of network security. The quantified value is called the Network Security Index (NSI) and is defined as the maximum gain an attacker can obtain in the network, that is, the weighted sum over all states the attacker can reach, or alternatively over all atomic attacks. The weights depend on the value of the network assets. The NSI is calculated as this weighted sum over attribute states; the variant over atomic attacks, NSI', is given by Formula (5), in which the weight is the asset value. The basic process of exploratory analysis is: first, generate exploration cases from the threats to the network and the candidate security plans, and determine the impact of the different security schemes on potential attacks; then calculate the NSI (or NSI') of each case and compare them; finally, select the optimal security improvement scheme for actual deployment.

Experimental verification
The experimental environment follows the literature [11] and is used to test the feasibility and effectiveness of the model. The network contains 3 subnets: an Internet zone, an isolated zone and a trusted zone. The isolated zone includes a Web server, a mail server and a DNS server; the trusted zone includes a database server, an FTP server and a gateway server.

Fig. 3. Probabilistic attack graph (legend: S node, C node, I node, A node)
The C-node values are prior probabilities calculated according to Formula (2) (Table 1). An attack on this network typically requires two probes, so there are two I nodes; this paper assumes that each I node has the same effect on its corresponding atomic attacks. The value of an I node depends on the accuracy and completeness of the vulnerability information and related information obtained. Generally $P(I_1) < P(I_2)$, since it is more difficult to obtain information from outside the network than from inside it.
Once the probabilistic attack graph model is established, the security of the network can be evaluated under different circumstances, and also after some evidence has been obtained. This paper quantifies the change in network security before and after detection and scanning countermeasures are taken on each host in the network. Before the measures, it is supposed that $P(I_1) = 0.85$ and $P(I_2) = 0.95$; after a series of protective measures the I-node values drop considerably, to $P(I_1) = 0.45$ and $P(I_2) = 0.90$. Because attackers control their own machines, $P(\mathrm{user}(A)) = 1$. A probabilistic attack graph can thus be used to quantitatively evaluate the probability of the network being attacked, and can be applied to security analysis in various situations. The deployment of security measures and the improvement of attack skills change the values of the I, C and D nodes, and hence the security value of the whole network, so different schemes can be explored and the best security decision found by quantitatively analysing the magnitude of their effects.
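The following Python example is added here and is not code from the paper. It implements the model of Section 3 as a small evaluator (the S/A/I/C/D node types with "AND" edges into attack nodes and "OR" edges into attribute nodes, a C-node prior derived from the CVSS v2 exploitability subscore E = 20·AV·AC·AU, and the NSI as an asset-weighted sum over reachable attribute states) and then repeats the before/after comparison of this experiment with the I-node values 0.85/0.95 and 0.45/0.90 from the text and P(user(A)) = 1. Formulas (1), (2) and (5) are not reproduced on the page, so the product rule for "AND", the rule 1 − ∏(1 − P(a)) for "OR", the E/10 scaling of the C-node prior and the weighted-sum NSI are assumptions; the two-host topology, the CVSS metrics of the two vulnerabilities, the D-node values and the asset weights are constructed for illustration.

```python
# Added example, not code from the paper: probabilistic attack graph evaluation with
# AND edges into A nodes and OR edges into S nodes, C-node priors from CVSS v2
# exploitability, and the NSI.  The AND/OR rules, the E/10 prior and the NSI sum
# stand in for Formulas (1), (2) and (5), which the page does not reproduce; the
# topology, CVSS metrics, D-node values and asset weights are constructed.
import math

# CVSS v2 base-equation weights: exploitability subscore E = 20*AV*AC*AU, 0 <= E <= 10.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}


def exploitability(av, ac, au):
    """CVSS v2 exploitability subscore for one vulnerability."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def control_prior(av, ac, au):
    """C-node prior P(c), assumed stand-in for Formula (2): E scaled into [0, 1]."""
    return exploitability(av, ac, au) / 10


class ProbabilisticAttackGraph:
    """Directed acyclic graph of S/A/I/C/D nodes with the paper's AND/OR semantics."""

    def __init__(self):
        self.kind = {}      # node -> 'S' | 'A' | 'I' | 'C' | 'D'
        self.prior = {}     # probability of a root node (initial S nodes are 1.0)
        self.parents = {}   # node -> list of parent nodes

    def add_node(self, name, kind, prior=1.0):
        if kind not in ("S", "A", "I", "C", "D"):
            raise ValueError(f"unknown node kind {kind!r}")
        self.kind[name], self.prior[name], self.parents[name] = kind, prior, []

    def add_edge(self, src, dst):
        s, d = self.kind[src], self.kind[dst]
        # Only S/I/C/D nodes may feed an attack node; only A nodes may feed an attribute node.
        if not ((d == "A" and s in "SICD") or (d == "S" and s == "A")):
            raise ValueError(f"edge {src}({s}) -> {dst}({d}) breaks the AND/OR structure")
        self.parents[dst].append(src)

    def evaluate(self):
        """P(n) for every node: roots take their prior, an A node is the product of its
        parents (AND), an S node is 1 - prod(1 - P(a)) over its attacks (OR).  A loop
        violates the monotonicity assumption and is reported rather than evaluated."""
        prob, visiting = {}, set()

        def p(n):
            if n in prob:
                return prob[n]
            if n in visiting:
                raise ValueError(f"attack graph contains a loop through {n!r}")
            visiting.add(n)
            ps = self.parents[n]
            if not ps:
                prob[n] = self.prior[n]
            elif self.kind[n] == "A":
                prob[n] = math.prod(p(q) for q in ps)
            else:
                prob[n] = 1.0 - math.prod(1.0 - p(q) for q in ps)
            return prob[n]

        for n in self.kind:
            p(n)
        return prob

    def nsi(self, weights):
        """NSI: asset-weighted sum of the probability that the attacker reaches each state."""
        prob = self.evaluate()
        return sum(w * prob[s] for s, w in weights.items())


def build_scenario(p_i1, p_i2):
    """Constructed two-step path attacker -> Web server (isolated zone) -> DB server
    (trusted zone); only the two I-node values differ between the compared cases."""
    g = ProbabilisticAttackGraph()
    g.add_node("user(A)", "S", 1.0)   # the attacker controls their own machine, so P = 1
    # (precondition, P(i), CVSS AV/AC/AU, P(d) = protection fails, attack, gained state)
    steps = [("user(A)", p_i1, ("N", "L", "N"), 0.9, "a1:exploit(web)", "user(web)"),
             ("user(web)", p_i2, ("N", "M", "N"), 0.8, "a2:exploit(db)", "root(db)")]
    for k, (pre, p_i, cvss, p_d, attack, gained) in enumerate(steps, 1):
        g.add_node(f"I{k}", "I", p_i)
        g.add_node(f"C{k}", "C", control_prior(*cvss))
        g.add_node(f"D{k}", "D", p_d)
        g.add_node(attack, "A")
        g.add_node(gained, "S")
        for src in (pre, f"I{k}", f"C{k}", f"D{k}"):
            g.add_edge(src, attack)
        g.add_edge(attack, gained)
    return g


ASSET_WEIGHTS = {"user(web)": 3.0, "root(db)": 10.0}   # constructed asset values


def compare_cases():
    """NSI before (I1=0.85, I2=0.95) and after (I1=0.45, I2=0.90) the countermeasures."""
    before = build_scenario(0.85, 0.95).nsi(ASSET_WEIGHTS)
    after = build_scenario(0.45, 0.90).nsi(ASSET_WEIGHTS)
    return before, after
```

`compare_cases()` returns the NSI of the two exploration cases (about 7.29 before and 3.72 after with the constructed values), so the effect of lowering the I-node probabilities can be read off directly as the paper's exploratory analysis intends. `add_edge` rejects edges that do not fit the AND/OR structure of the definition, and `evaluate()` raises a ValueError when the graph still contains a loop, mirroring the requirement that loops be eliminated before probabilities are assigned.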

Conclusions
Security evaluation has long been a hot topic in network research, and scholars continue to develop new research on attack graphs as an effective method of analysis. In order to analyse some of the uncertain factors in the process of network security improvement, this paper quantifies the network security