JIS  Vol.7 No.3 , April 2016
Cybersecurity: A Statistical Predictive Model for the Expected Path Length
Abstract: The object of this study is to propose a statistical model for predicting the Expected Path Length (expected number of steps the attacker will take, starting from the initial state to compromise the security goal—EPL) in a cyber-attack. The model we developed is based on utilizing vulnerability information along with having host centric attack graph. Utilizing the developed model, one can identify the interaction among the vulnerabilities and individual variables (risk factors) that drive the Expected Path Length. Gaining a better understanding of the relationship between vulnerabilities and their interactions can provide security administrators a better view and an understanding of their security status. In addition, we have also ranked the attributable variables and their contribution in estimating the subject length. Thus, one can utilize the ranking process to take precautions and actions to minimize Expected Path Length.
Cite this paper: Kaluarachchi, P. , Tsokos, C. and Rajasooriya, S. (2016) Cybersecurity: A Statistical Predictive Model for the Expected Path Length. Journal of Information Security, 7, 112-128. doi: 10.4236/jis.2016.73008.

[1]   Secunia Vulnerability Review 2015: Key Figures and Facts from a Global Information Security Perspective.

[2]   NVD, National Vulnerability Database.

[3]   Kijsanayothin, P. (2010) Network Security Modeling with Intelligent and Complexity Analysis. PhD Dissertation, Texas Tech University.

[4]   Alhazmi, O.H., Malaiya, Y.K. and Ray, I. (2007) Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers and Security Journal, 26, 219-228.

[5]   Noel, S., Jacobs, M., Kalapa, P. and Jajodia, S. (2005) Multiple Coordinated Viewsfor Network Attack Graphs. VIZSEC'05: Proc. of the IEEE Workshops on Visualization for Computer Security, Minneapolis, October 2005, 99-106.

[6]   Mehta, V., Bartzis, C., Zhu, H., Clarke, E.M. and Wing, J.M. (2006) Ranking Attack Graphs. In: Zamboni, D. and Krugel, C., Eds., Recent Advances in Intrusion Detection, Vol. 4219, 127-144.

[7]   Frei, S. (2009) Security Econometrics: The Dynamics of (IN) Security. PhD Dissertation, ETH, Zurich.

[8]   Schiffman, M. Common Vulnerability Scoring System (CVSS).

[9]   Bass, T. (2000) Intrusion Detection System and Multi-Sensor Data Fusion. Communications of the ACM, 43, 99-105.

[10]   Lawler, G.F. (2006) Introduction to Stochastic Processes. 2nd Edition, Chapman and Hall/CRC Taylor and Francis Group, London, New York.

[11]   Jajodia, S. and Noel, S. (2005) Advanced Cyber Attack Modeling, Analysis, and Visualization. 14th USENIX Security Symposium, Technical Report 2010, George Mason University, Fairfax.

[12]   Abraham, S. and Nair, S. (2014) Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9, 899-907.

[13]   Wang, L., Singhal, A. and Jajodia, S. (2007) Measuring Overall Security of Network Configurations Using Attack Graphs. Data and Applications Security XXI, 4602, 98-112.

[14]   Wang, L., Islam, T., Long, T., Singhal, A. and Jajodia, S. (2008) An Attack Graph-Based Probabilistic Security Metric. DAS 2008, LNCS 5094, 283-296.

[15]   R statistics Tool.