ورود
مقالات فارسیISIکنفرانسهاژورنالها

Dynamic Security Risk Management Considering Systems Structural and Probabilistic Attributes

محل انتشار: مجله مهندسی کامپیوتر و دانش، دوره: 6، شماره: 2
سال انتشار: 1402
نوع سند: مقاله ژورنالی
زبان: انگلیسی
مشاهده: 49

فایل این مقاله در 16 صفحه با فرمت PDF قابل دریافت می باشد

استخراج به نرم افزارهای پژوهشی:

لینک ثابت به این مقاله:
https://civilica.com/doc/1902664

شناسه ملی سند علمی:

JR_CKE-6-2_005

تاریخ نمایه سازی: 16 بهمن 1402

چکیده مقاله:

Today’s cyber-attacks are getting more sophisticated and their volume is consistently growing. Organizations suffer from various attacks in their lifetime each of which exploiting different vulnerabilities, therefore, preventing them all is not affordable nor effective. Hence, selecting the optimal set of security countermeasures to protect IT assets from being compromised is a challenging task which requires various considerations such as vulnerabilities characteristics, countermeasures effectiveness, existing security policies and budget limitations. In this paper, a dynamic security risk management framework is presented which identifies the optimal risk mitigation plans for preventing ongoing cyber-attacks regarding limited budget. Structural and probabilistic analysis of system model are conducted in two parallel and independent aspects in which the most probable system's risk hotspots are identified. Suitability of countermeasures are also calculated based on their ability in covering vulnerabilities and organizational security policies. Moreover, a novel algorithm for dynamically conducting cost-benefit analysis is proposed which identifies optimal security risk mitigation plans. Finally, practical applicability is ensured by using a case study.

کلیدواژه ها:

Security Risk Management ، Attack Graph ، Bayesian Network ، Countermeasure Analysis ، Cost-Benefit Analysis

نویسندگان

Masoud Khosravi-Farmad

Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran

Abbas Ghaemi Bafghi

Data and Communication Security Lab., Computer Engineering Department, Ferdowsi University of Mashhad, Mashhad, Iran

مراجع و منابع این مقاله:

لیست زیر مراجع و منابع استفاده شده در این مقاله را نمایش می دهد. این مراجع به صورت کاملا ماشینی و بر اساس هوش مصنوعی استخراج شده اند و لذا ممکن است دارای اشکالاتی باشند که به مرور زمان دقت استخراج این محتوا افزایش می یابد. مراجعی که مقالات مربوط به آنها در سیویلیکا نمایه شده و پیدا شده اند، به خود مقاله لینک شده اند :
  • Ross, R., "Guide for conducting risk assessments NIST special publication ...
  • Wheeler, E., Security risk management: Building an information security risk ...
  • Kuzminykh, I., Ghita, B., Sokolov, V., and Bakhshi, T., "Information ...
  • Shameli-Sendi, A., Cheriet, M., and Hamou-Lhadj, A., "Taxonomy of intrusion ...
  • Shameli-Sendi, A., Aghababaei-Barzegar, R., and Cheriet, M., "Taxonomy of information ...
  • Erdogan, G., and Refsdal, A., "A method for developing qualitative ...
  • Dobaj, J., Schmittner, C., Krisper, M., and Macher, G., "Towards ...
  • Khosravi-Farmad, M., Rezaee, R., Harati, A., and Bafghi, A. G., ...
  • Wang, J., Neil, M., and Fenton, N., "A bayesian network ...
  • Hulitt, E., and Vaughn, R. B., "Information system security compliance ...
  • Lo, C.-C., and Chen, W.-J., "A hybrid information security risk ...
  • Figueira, P. T., Bravo, C. L., and López, J. L. ...
  • CVSS, "Common vulnerability scoring system v۳.۰: Specification document" ...
  • FIRST, "Forum of incident response and security teams". https://www.first.org/ ...
  • Khosravi-Farmad, M., Ramaki, A. A., and Bafghi, A. G., "Moving ...
  • Ouassini, A., and Hunter, M., "Advanced Persistent Threats (APTs)", The ...
  • Chen, Z., Liu, J., Shen, Y., Simsek, M., Kantarci, B., ...
  • Hong, J. B., Kim, D. S., Chung, C.-J., and Huang, ...
  • Kaynar, K., "A taxonomy for attack graph generation and usage ...
  • Lallie, H. S., Debattista, K., and Bal, J., "A review ...
  • Shameli-Sendi, A., and Dagenais, M., "Arito: Cyber-attack response system using ...
  • Zahid, M., Inayat, I., Daneva, M., and Mehmood, Z., "A ...
  • Li, S., Tryfonas, T., Russell, G., and Andriotis, P., "Risk ...
  • Shameli-Sendi, A., Louafi, H., He, W., and Cheriet, M., "Dynamic ...
  • Li, S., Zhao, S., Yuan, Y., Sun, Q., and Zhang, ...
  • He, W., Li, H., and Li, J., "Unknown vulnerability risk ...
  • Garg, U., Sikka, G., and Awasthi, L. K., "Empirical analysis ...
  • Hermanowski, D., and Piotrowski, R., "Network risk assessment based on ...
  • Rezaee, R., and Ghaemi Bafghi, A., "A risk estimation framework ...
  • Rezaee, R., Bafghi, A. G., and Khosravi-Farmad, M., "A threat ...
  • Presekal, A., Ştefanov, A., Rajkumar, V. S., and Palensky, P., ...
  • Liu, Y., and Man, H., "Network vulnerability assessment using bayesian ...
  • Frigault, M., and Wang, L., "Measuring network security using bayesian ...
  • Poolsappasit, N., Dewri, R., and Ray, I., "Dynamic security risk ...
  • Feng, N., Wang, H. J., and Li, M., "A security ...
  • Le, A., Chen, Y., Chai, K. K., Vasenev, A., and ...
  • Al-Hadhrami, N., Collinson, M., and Oren, N., "A subjective network ...
  • Ramaki, A. A., Khosravi-Farmad, M., and Bafghi, A. G., "Real ...
  • Chen, Y. Y., Xu, B., and Long, B., "Information security ...
  • Meyur, R., "A bayesian attack tree based approach to assess ...
  • Khosravi-Farmad, M., Ramaki, A. A., and Bafghi, A. G., "Risk-based ...
  • Behbehani, D., Komninos, N., Al-Begain, K., and Rajarajan, M., "Cloud ...
  • Nespoli, P., Papamartzivanos, D., Mármol, F. G., and Kambourakis, G., ...
  • Noel, S., Jajodia, S., O’Berry, B., and Jacobs, M., "Efficient ...
  • Jha, S., Sheyner, O., and Wing, J., "Two formal analyses ...
  • Dewri, R., Poolsappasit, N., Ray, I., and Whitley, D., "Optimal ...
  • Khosravi-Farmad, M., and Ghaemi-Bafghi, A., "Bayesian decision network-based security risk ...
  • Chung, C.-J., Khatkar, P., Xing, T., Lee, J., and Huang, ...
  • Schilling, A., and Werners, B., "Optimal selection of it security ...
  • Kotenko, I., and Doynikova, E., "Selection of countermeasures against network ...
  • Nessus, "Nessus vulnerability scanner", Available on, https://www.tenable.com/products/nessus ...
  • OpenVAS, "Open vulnerability assessment scanner", Available on, http://www.openvas.org/ ...
  • Retina, "Retina network security vulnerability scanner", Available on, https://www.beyondtrust.com/products/retinanetwork- security-scanner/ ...
  • NVD, "NIST US national vulnerability database (NVD)", Available on, https://nvd.nist.gov/ ...
  • CVE, "Common vulnerabilities and exposures (CVE)", Available on, https://cve.mitre.org/ ...
  • Nmap, "Nmap, the network mapper", Available on, https://nmap.org/ ...
  • Ou, X., Govindavajhala, S., Appel, A. W., et al., "Mulval: ...
  • Jajodia, S., and Noel, S., "Topological vulnerability analysis", in Cyber ...
  • Russell, S., and Norvig, P., "Artificial intelligence: A modern approach, ...
  • Khosravi-Farmad, M., Rezaee, R., and Bafghi, A. G., "Considering temporal ...
  • Koller, D., and Friedman, N., Probabilistic graphical models: principles and ...
  • GeNIe, "GeNIe modeler, bayesfusion, llc", Available on, https://www.bayesfusion.com/ ...
    • نمایش کامل مراجع