Information security assessment of wireless sensor networks based on bayesian attack graphs

Abstract

Network security issues have become increasingly prominent, and information security risk assessment is an important part of network security protection. Security risk assessment based on methods such as attack trees, attack graphs, neural networks, and fuzzy logic has problems such as difficulty in data collection during the assessment process, excessive reliance on expert experience, failure to consider the actual network environment, or ineffective joint application. The qualitative and quantitative information security fuzzy comprehensive evaluation method uses the theory of fuzzy mathematics to better solve the above problems, so that the evaluation method is scientific, comprehensive and operable. To improve the accuracy of information security risk assessment in wireless sensor networks, we propose a fuzzy comprehensive evaluation method based on Bayesian attack graphs. This considers the impact of environmental factors of the assessed system on security risk and the spread of the effects on the Bayesian network. Therefore, this model can reflect possible situations due to network attacks in the wireless sensor network system. The results show that this quantitative evaluation method is applicable to assessing risk in wireless sensor network systems, and the results are more objective and accurate.

Keywords

Information security wireless sensor networks fuzzy comprehensive evaluation dynamic security risk assessment bayesian network attack graph

1 Introduction

Wireless Sensor Networks (WSNs) are realized by deploying a certain number of sensor nodes in a target area. These nodes communicate in a radio, multi-hop, and peer-to-peer manner to form a self-organizing network [1]. The sensors in a WSN can communicate wirelessly, hence, the settings can vary more; the location can be moved, and it can be connected to the Internet in wired or wireless mode.

There are two types of information security risk factors faced by wireless networks. One is determined by the design and maintenance of special medium such as radio waves in wireless networks; the second includes data confidentiality, integrity protection, and network access control security. Compared with wired networks, wireless networks are more vulnerable to attacks. Therefore, if risk assessment methods for wired networks are used to evaluate wireless networks there will be relatively large errors, and its practicality is poor. This means that we have to improve wired network risk assessment methods based on the characteristics of the actual environment of wireless networks, and find a risk assessment method that is truly suitable for such networks. For network threat assessment methods, there are methods based on fuzzy logic and graph theory to perform modeling on the risk in the network, so as to effectively assess security risks. There are also security risk assessment methods that effectively combine attack graphs with fuzzy comprehensive analysis methods. However, these methods have certain dependencies and are not comprehensive enough [2].

Due to the uncertainty and difficulty of risk factors, wireless sensor networks risk assessment will be a complicated process. Information security risk assessment methods for wireless sensor networks typically include qualitative and quantitative methods, and also a combination of the two [3, 4]. The main characteristic of qualitative evaluation methods is strong subjectivity. It requires the evaluator to have a high professional knowledge and ability, otherwise the assessment results may be far from reality. Quantitative evaluation methods are more scientific, transparent, defensive, flexible, and consistent, but need to collect a large amount of information. These methods can involve regression, decision trees, factor analysis, and cluster analysis. Its characteristic is that some complex indexes in the wireless sensor networks are quantified, and the resulting calculation is complicated and time-consuming [5]. At present, qualitative and quantitative analysis methods are combined in most cases.

With the increasing awareness of information security risk assessment, a number of risk analysis approaches are also emerging and developing. However, no matter the kind of risk assessment method, it will involve the following aspects: 1) identifying the assets of the assessment object, 2) confirming the threats, vulnerabilities, and existing security measures of the assets, 3) identifying the risk level, 4) improving the security measures, and controlling the acceptable risk.

In order to improve the accuracy of information security risk assessment in wireless sensor networks, this paper tries to establish a model based on Bayesian attack graphs [6]. The research results show that the proposed quantitative assessment method is well-targeted and reliable. It is suitable for the information security risk assessment of complex wireless sensor networks, and the assessment results are more scientific and reasonable.

2 The bayesian attack graph model

This section first introduces the concept of attack graphs, and then proposes the Bayesian attack graph model.

Philips and Swiler first proposed attack graphs [7]. An attack graph is a graphical method to describe the whole attacker’s attack path from the starting point to the target. After analyzing all the configuration and vulnerability information of the network, it finds out all possible attack paths through global dependency relationships [7 –10]. The formal definition of an attack graph is as follows:

Definition 1. An attack graph is a directed graph AG (C₀ ∪ C ∪ C_g, E, R_r ∪ R_i), where C₀ is a collection of initial condition nodes, C_g is a collection of target condition nodes, C is the collection of all condition nodes, E is the collection of all atomic attack nodes, R_r is the set of edges from the condition nodes to atomic attack nodes, and R_i is the set of edges from the atomic attack nodes to the condition nodes.

This paper performs extensions on this basis. The attack graph is modelled, and a Bayesian attack graph is defined using a Bayesian network.

Definition 2. Bayesian attack graph (BAG). Assume that S is a collection of network attributes, and A is a collection of atomic attacks defined on S. A Bayesian attack graph is a quadruple BAG = (S, τ, ɛ, P), where:

1) S = N_internal ∪ N_external ∪ N_terminal. N_external is a set of attributes S_i. For S_i, ∄a ∈ A|S_i = post (a). N_internal is a set of attributes S_j. For S_j, ∃a₁, a₂ ∈ A| [S_j = pre (a₁) and S_j = post (a₂)]. N_terminal is a set of attributes S_k. For S_k, ∄a ∈ A|S_k = pre (a).

2) τ ⊆ S × S. Assume S_pre → S_post ∈ A, then we have the ordered pair (S_pre, S_post) ∈ τ. In addition, for S_i ∈ S, Pa [S_i] = {S_j ∈ S| (S_j, S_i) ∈ τ} is called the father node set of S_i.

3) ɛ is the set of two tuple elements of the form 〈S_j , d_j〉. The definition is as follows: for all S_j ∈ N_internal ∪ N_terminal, d_j ∈ {AND, OR}. If S_j = 1 ⇒ ∀ S_i ∈ Pa [S_j], S_i = 1, then d_j is AND. If S_j = 1 ⇒ ∃ S_i ∈ Pa [S_j] , S_i = 1, then d_j is OR.

4) P is the collection of local condition probability distributions (LCPDs). Every attribute S_j ∈ N_internal ∪ N_terminal has an LCPD to represent the value of Pr(S_j|Pa [S_j]).

Definition 3. Local condition probability distribution (LCPD). Assume BAG = (S, τ, ɛ, P) is a Bayesian attack graph, S_j ∈ N_internal ∪ N_terminal. For S_i ∈ Pa [S_j], e_i are the conditions related to the attack S_i → S_j. The LCPD of S_j is Pr(S_j|Pa [S_j]), the definition is as follows:

d_j = AND $Pr (S_{j} | Pa [S_{j}]) = {\begin{matrix} 0, \exists S_{i} \in Pa [S_{j}] | S_{i} = 0 \\ Dif (⋂_{S_{i} = 1} e_{i}), otherwise \end{matrix}$ (1)

d_j = OR $Pr (S_{j} | Pa [S_{j}]) = {\begin{matrix} 0, \forall S_{i} \in Pa [S_{j}], S_{i} = 0 \\ Dif (⋃_{S_{i} = 1} e_{i}), otherwise \end{matrix}$ (2)

When multiple conditions are involved, to calculate the local conditional probability, the following processes are carried out. For the case of ‘AND’, each condition is an independent event. The probability of destroying the target depends on the probability of using a single condition successfully. Thus, with the independence rule of an event, we have $Dif (⋂_{S_{i} = 1} e_{i}) = \prod_{S_{i} = 1} Dif (e_{i})$ . For the case of ‘OR’, this relationship is actually a kind of Noisy-OR relationship. In this case, we have $Dif (⋃_{S_{i} = 1} e_{i}) = 1 - \prod_{S_{i} = 1} [1 - Dif (e_{i})]$ .

3 Information security risk assessment of wireless sensor networks

3.1 Security risk assessment

Based on the definitions of the previous section, this section assesses the security risk of wireless sensor networks using the Bayesian attack graph model.

Risk assessment is the foundation and premise of risk management [11]. It is the possibility assessment for the vulnerability, potential impact, faced threats of information assets, and the combined risks of the three. It provides data support for risk management. At present, risk assessment techniques can be divided into two categories, namely static and dynamic risk assessment [12].

Static risk assessment assesses the system risk for a relatively short period of time or at a certain time point. The to-be-assessed system is considered as a stationary object, and the assessment process does not have continuity in time [13]. For a static risk assessment method, according to existing security risk assessment standards, the important elements include threateners, threats, assets, vulnerabilities, risks, etc.

Although the outcomes of static risk assessments are accurate, due to the variability and suddenness of network security incidents, they have a relative lag, the assessment costs are high, and cannot meet the actual demands [12]. Therefore, dynamic risk assessment techniques, which have the obvious advantages of being real-time, predictable, and low-cost, have attracted increasing attention recently.

Dynamic risk assessment considers the change of risk with the change of environmental factors based on the study of risk evolution trends, and, combined with system environment changes, evaluate the system security for a period. The continuous data of the to-be-assessed system is studied to analyze and predict the security status of the system. The assessment results have better real-time performance and are well targeted [14]. More details of the proposed method in this paper are discussed as follows.

3.2 Bayesian attack graph-based dynamic security risk assessment

First, according to the relevant literature, this paper decomposes the wireless sensor networks, establishes a security risk assessment index system, and determines the scope that needs to be assessed, as shown in Fig. 1.

Fig. 1

Risk assessment index system.

(texts in the above figure: information security risk; assets, threats, vulnerability, security measures; integrity, availability, confidentiality; external threats, internal threats; technical vulnerabilities, management vulnerabilities; disaster recovery measures, safety precautions, emergency responses.)

In the life cycle of the system, the probability of every network security factor may change. New security incidents will affect the security assessment results. The proposed Bayesian attack graph can determine the information security risk of wireless sensor networks from these new conditions by computing the posterior probability [15 –18].

Assume S = {S₁, . . . , S_n} is a collection of attributes in a Bayesian attack graph. $E = {S_{1}^{'}, . . ., S_{m}^{'}} \subset S$ is a subset of S. The attributes in this collection represent the existing security incidents, and we call these attributes ‘evidences’; we have $S_{i}^{'} = 1$ for all $S_{i}^{'} \in E$ . Now we have S_j ∈ S - E, and the posterior probability of S_j needs to be determined. According to Bayes’ theorem, we have Pr(S_j|E) = Pr(E|S_j) × Pr(S_j)/Pr(E). Here, Pr(E|S_j) is the conditional probability of the joint occurrence of ${S_{1}^{'}, . . ., S_{m}^{'}}$ when the status of S_j is given. Pr(E) and Pr(S_j) are the corresponding values of priori unconditional probabilities. Because of the independence of the evidences in E, we have $Pr (E | S_{j}) = \prod_{i} Pr (S_{i}^{'} | S_{j})$ and $Pr (E) = \prod_{i} Pr (S_{i}^{'})$ .

To illustrate this, in Fig. 2, the system administrator notices an attack that has occurred at node A (the attacker destroyed the FTP server). Then node C’s posterior probability is calculated in the following way:

Fig. 2

Example of a Bayesian attack graph.

Pr(C|A) = Pr(A|C) Pr(C)/Pr(A) =0.81, where

$\begin{matrix} Pr (A | C) = \sum_{B \in {T, F}} [Pr (A | B, C = T) Pr (B)] \\ = (1 . 0 \times 0 {. 6)}_{T} + (1.0 \times 0.4)_{F} \\ = 1 . 0 \end{matrix}$

Pr(A) =0.61, Pr(C) =0.49

In a similar way, the posterior probability of node B can also be calculated. It is worth noting that, initially, the unconditional probability of node C is 0.49. After considering the incidents for node A, the posterior probability of node C becomes 0.81, which has an obvious increase. By considering the environmental information in the system, the security situation of a wireless sensor network system can be assessed more accurately and effectively [19 –22].

4 Results and analysis

The network in the above figure is used as a to-be-assessed network in this section for experimental analysis. This is to verify the rationality and effectiveness of the proposed Bayesian multi-step attack graph model in evaluating wireless sensor networks.

The network system shown in Fig. 3 includes three subnetworks: the demilitarized zone, the trusted zone, and the internal user zone. The three zones are divided by a firewall, and the whole network accesses the Internet through the gateway. The main services and the corresponding programs on each server/host are shown in Table 1.

Fig. 3

Experimental network topology.

Table 1

Services on each server/host

Server/host	Function	Software/service
Web Server	Web service	Apache
Email Server	Email service	SMTPD
FTP Server	Provides document service for the Web Server	FTPD, SSHD
Database Server 1	Provides database service for the Web Server	SQL Server
Database Server 2	Provides database service for the Email Server	SQL Server
PC1	Can access the FTP Server	The remote desktop function is open
PC2	Can access the FTP Server	none

Potential network attackers mainly include external attackers accessing from the Internet and internal attackers accessing through the internal user zone. The constructed Bayesian attack graph, using the definition in this paper, is shown in the diagram below (Fig. 4).

Fig. 4

Bayesian attack graph used in the experiments.

The semantics of all nodes in the above diagram are shown in Table 2.

Table 2

Node semantics

Node	Semantics
C1	Attackers can access the networks in the demilitarized zone
C2	Web Server provides HTTP(80) access services to the public
C3	Web Server has a vulnerable point CVE-2010-0425
C4	The attackers get permission to execute any code on the Web Server
C5	Web Server can access the FTP(21) service of the FTP Server
C6	FTP Server has a vulnerable point CVE-2011-4130
C7	The attackers get permission to execute any code on the FTP Server
C8	The kernel version of the system is 2.6.x
C9	FTP Server has a vulnerable point CVE-2012-0056
C10	Attackers have root authority on the FTP Server

In order to determine the utility of the proposed dynamic risk assessment method based on the Bayesian attack graph model, with the topological structure, accessibility, and network vulnerability of the above to-be-assessed network remaining unchanged, we simulated two application scenarios for experimental analysis.

Scenario 1: In this network, the Web Server is only an ordinary web server that publishes commonsense and introductory information. Web Server 1 stores data, documents, and the information needed for the Web Server, but no important or valuable data is stored. Both PC1 and PC2 do not store important or valuable information.

Scenario 2: In this network, the Web Server undertakes the main services of the network. Crashes or intrusion on this server will have a great impact on the enterprise. Important data, documents, and information needed for the Web Server are stored in the FTP Server and Database Server 1. The Email Server is an auxiliary mail server with a small number of users. The Database Server 2 stores mail information without any important data and information.

The node risk probabilities of the two scenarios were calculated using the proposed attack graph assessment method. The method proposed in [8] was also used to calculate the node attack probabilities of the two scenarios. All the obtained attack probabilities of the non-initial condition nodes and original attack nodes are shown in Table 3.

Table 3

The calculated results of the node attack probabilities

Node	Host	Reference method	Scenario one	Scenario two
C4	Web Server	0.7218	0.478	0.8519
C7	FTP Server	0.7646	0.3958	0.9457
C10	FTP Server	0.2465	0.0704	0.4836
C13	Database Server 1	0.518	0.2562	0.7227
C16	Email Server	0.7218	0.7694	0.6248
C19	Database Server 2	0.518	0.6527	0.3349
C23	PC1	0.6201	0.3187	0.82
e1	Web Server	0.7598	0.6294	0.8605
e2	FTP Server	0.574	0.315	0.7194
e3	FTP Server	0.2594	0.0785	0.4951
e4	Database Server 1	0.5453	0.2859	0.74
e5	Email Server	0.7598	0.7793	0.7437
e6	Database Server 2	0.5453	0.6683	0.3737
e7	PC1	0.6528	0.3772	0.8355
e8	FTP Server	0.506	0.2256	0.701

The above table shows the results of the node risk probability calculations for two application scenarios with the proposed method and the reference method. Since the results of the reference method in the two application scenarios are the same, only one set of results are shown in this paper.

From Table 3, it is obvious that the method proposed in Ref. [8] does not model the impact of environmental threat information and other factors on the attack probabilities. Thus, the calculated risk probabilities of each node in the two scenarios are the same. The proposed Bayesian attack graph retains the original characteristics of the previous attack graph, and further extends its semantics. The Bayesian attack graph can cover the impacts of the environmental threat information and other factors on the attack probabilities, so that the node attack probabilities can have corresponding changes according to these factors.

For example, the Web Server is only an ordinary web server that publishes commonsense and introductory information in Scenario 1. It does not contain valuable or important data. A crash or an intrusion for this Web Server will not have a significant impact on the enterprise. Meanwhile, the Web Server undertakes the main services of the network in Scenario 2. It is the main business asset of the enterprise, and a crash or invasion will result in a significant impact on the enterprise. Therefore, the probability of an attack on the Web Server in Scenario 2 is greater than that in Scenario 1 in the calculated results of the proposed method.

Another example is as follows. In scenario 1, the attack difficulty of database server2 and database Server1 is similar. However, because the information value and importance of Database Server 2 are greater than that of Database Server 1, Database Server 2 is more attractive to attackers. Therefore, the probability of attack for Database Server 2 is higher than for Database Server 1 in the calculated results of the proposed method.

According to the above analysis, it can be concluded that the proposed attack graph can consider the impact of environmental threat information, asset information, and other factors on security risk assessment. This makes it more suitable for the real situation of wireless sensor networks attacks, and the objectivity and accuracy of the assessment results are further improved.

5 Conclusions

In order to improve the accuracy of information security risk assessment for wireless sensor networks, this paper proposed an assessment approach using a Bayesian attack graph model. Compared with a traditional network risk assessment method, the proposed method can analyze the potential risks from every segment of the network through the analysis of the network configuration and vulnerabilities, so as to evaluate most of the risks present in the system. The results from the experimentation indicate that the proposed quantitative assessment method is more suitable for the assessment of the risk of wireless sensor network systems. The results are more objective and accurate.

Footnotes

Acknowledgments

This work is supported by the 2019 science and technology project of Guangxi Province, China (No. 2019AC20168) and the Special Funds of Applied Science and Technology Research and Development of Guangdong Province, China (Grant No. 2015B010128015).

References

Gawade

D.R.

and Nalbalwar

S.L.

, A centralized energy efficient distance based routing protocol for wireless sensor networks, Journal of Sensors21(4) (2016), 212–216.

Luo

Y.L.

and Chang

X.L.

, Network threat assessment based on attack graph and fuzzy comprehensive evaluation, Cyberspace Security11(7) (2020), 113–119.

Sun

W.H.

and He

D.Q.

, Fuzzy comprehensive assessment of information security from qualitative to quantitative, Systems Engineering Theory and Practice26(12) (2006), 93–98.

, Business Security Assessment, Information Security and Communication Security (8) (2012), 113–115. DOI:10.3969/j.issn.1009-8054.2012.08.046

Wang

B.D.

, Research on Network Security Risk Assessment, New Course (Teaching and Research Edition) (6) (2010), 329–330.

Solomon

, Ketikidis

and Choudhary

, A knowledge based approach for handling supply chain riskmanagement, In Proceedings of the Fifth Balkan Conference in Informatics (BCI ’12). ACM, New York, NY, USA, (2012), 70–75.

Nath

H.V.

, Gangadharan

and Sethumadhavan

, Reconciliation engine and metric for network vulnerability assessment, In Proceedings of the First International Conference on Security of Internet of Things (SecurIT ’12). ACM, New York, NY, USA, (2012), 9–21.

Nayot

, Rinku

and Indrajit

, Dynamic security risk management using Bayesian attack graphs, IEEE Trans on Dependable and Secure Computing9(1) (2012), 61–74.

Agarwal

P.K.

, Kaplan

and Sharir

, Union of random minkowski sums and network vulnerability analysis, In Proceedings of the twenty-ninth annual symposium on Computational geometry (SoCG’13). ACM, NewYork, NY, USA, (2013), 177–186.

10.

Bleikertz

M.S.

, Probst

C.W.

, Pendarakis

and Eriksson

, Security audits of multi-tier virtual infrastructures in public infrastructure clouds, In Proceedings of the 2010 ACM workshop on Cloud computing security workshop (CCSW ’10). ACM, New York, NY, USA, (2010), 93–102.

11.

Zhang

, Ren

J.D.

and Wang

, Network security risk assessment method: a review, Journal of Yanshan University44(3) (2020), 290–305.

12.

Liu

C.-H.

and Zhang

X.-F.

, A dynamic risk assessment method based on hidden Markov model, Journal of Xi’ an University of Posts and Telecommunications17(2) (2012), 31–36.

13.

Zhang

B.Y.

, Chen

Z.G.

, Yan

X.A.

, Wang

S.L.

and Fan

, Network security situation assessment based on hidden semi-markov model, In Proceedings of the 7th international conference on Advanced Intelligent Computing (ICIC’11), De-Shuang Huang, Yong Gan, Vitoantonio Bevilacqua, and Juan Carlos Figueroa (Eds.). Springer-Verlag, Berlin, Heidelberg, (2011), 509–516.

14.

Mengshoel

O.J.

, Constraint handling using tournament selection: Abductive inference in partly deterministic bayesian networks, Evol Comput17(1) (2009), 55–88.

15.

Wang

Z.G.

, Lu

and Li

J.D.

, Network security risk assessment method based on Bayesian attack graph, Journal of Academy of Armored Force Engineering32(3) (2018), 81–86.

16.

Zhou

Y.Y.

, Cheng

and Guo

C.S.

, Risk assessment method for network attack surface based on Bayesian attack graph, Chinese Journal of Network and Information Security4(6) (2018), 11–22.

17.

Sen

and Madria

, Risk Assessment in a Sensor Cloud Framework Using Attack Graphs, IEEE Transactions on Services Computing (99) (2017), 1–1.

18.

Wang

, Fan

, Mo

, et al., A Method for Information Security Risk Assessment Based on the Dynamic Bayesian Network, International Conference on Networking & Network Applications (2016), 279–283.

19.

Z.W.

, Guo

Y.B.

, Wang

C.D.

, et al., Survey on application of attack graph technology, Journal on Commuications38(11) (2017), 121–132.

20.

Nguyen

T.H.

, Wright

, Wellman

M.P.

, et al., Multi-stage attack graph secunity games: heuristic strategies, with empirical game-theoretic analysis, ACM Workshop on Moving Target Defense (2017), 87–97.

21.

, Wang

and Cao

, Searching Forward Complete Attack Graph Generation Algorithm Based on Hypergraph Partitioning, Procedia Computer Science107 (2017), 27–38.

22.

Gao

, Gao

, He

Y.Y.

, et al., Optimal security hardening measures selection model based on Bayesian attack graph, Computer Engineering and Applications52(11) (2016), 125–130.