A Bottom-Up Approach to Applying Graphical Models in Security Analysis

Abstract

Graphical models have emerged as a widely adopted approach to conducting security analysis for computer and network systems. The power of graphical models lies in two aspects: the graph structure can be used to capture correlations among security events, and the quantitative reasoning over the graph structure can render useful triaging decisions when dealing with the inherent uncertainty in security events. In this work we leverage these powers afforded by graphical model in security analysis. Given that the analyst is the intended user of the model, the most difficult task for research in this area is to understand the real world constraints under which security analysts must operate with. Those constraints dictate what parameters are realistically obtainable to use in the designed graphical models, and what type of reasoning results can be useful to analysts. We present how we use this bottom-up approach to design customized graphical models for enterprise network intrusion analysis. In this work, we had to design specific graph generation algorithms based on the concrete security problems at hands, and customized reasoning algorithms to use the graphical model to yield useful tools for analysts.

This article was based on a previously published work [38].

Appendices

A Semantics of the Overlapping Factors

Since we only have two non-zero bpa subsets: t and \(\theta \), in each hypothesis’s frame of discernment, we use \(w_i\) to denote the fact that we trust \(h_i\) (\(h_i=t\)) and \(\bar{w_i}\) (negation of \(w_i\)) to denote the fact that we do not trust \(h_i\) (\(h_i=\theta \)). One may find it strange that \(w_i\) and \(\bar{w_i}\) appear to be not mutually exclusive, since \(\theta \) includes both t and f. This is exactly the unique way in which DS expresses disbelief in a hypothesis – it differentiates clearly between not believing a hypothesis and believing the negation of that hypothesis. When we trust a hypothesis, we believe its state is t and when we do not trust a hypothesis, we do not know what its state is, hence \(\theta \). Interested readers are referred to Shafer’s discussion on how to handle non-independent evidence using this interpretation [26]. The semantics of overlapping factor can be defined as:

$$\begin{aligned}&r_1 = \frac{Pr[w_2|w_1] - Pr[w_2]}{Pr[\bar{w_{2}}]}, r_2 = \frac{Pr[w_1|w_2] - Pr[w_1]}{Pr[\bar{w_{1}}]} \end{aligned}$$

Let us take \(r_1\) as an example to explain the semantics. If we condition on trusting hypothesis \(h_1\), the probability that we also trust \(h_2\) is greater than or equal to its absolute probability since shared IDS sensors only give us positive correlation. The bigger the difference, the stronger influence trusting \(h_1\) has on trusting \(h_2\). The extreme case is when \(Pr[w_2|w_1] = 1\), which gives \(r_1 = 1\). Both \(r_1\) and \(r_2\) measure the dependence between \(w_1\) and \(w_2\), but from different directions.

Theorem A1

$$\begin{aligned}&r_{2}= \alpha \cdot r_1 , \textit{ where } \alpha =\frac{Pr[w_{1}] \cdot Pr[\bar{w_2}]}{Pr[w_{2}] \cdot Pr[\bar{w_1}]} \end{aligned}$$

(14)

Proof

$$\begin{aligned}&r_1\cdot Pr[\bar{w_2}]\cdot Pr[w_1]=Pr[w_1,w_2]-Pr[w_1]\cdot Pr[w_2]\\&r_2\cdot Pr[\bar{w_1}]\cdot Pr[w_2]=Pr[w_1,w_2]-Pr[w_1]\cdot Pr[w_2] \end{aligned}$$

We then have

$$\begin{aligned}&r_1\cdot Pr[\bar{w_2}]\cdot Pr[w_1]=r_2\cdot Pr[\bar{w_1}]\cdot Pr[w_2] \end{aligned}$$

Theorem A2

$$\begin{aligned} \psi [h_1 , h_2] = Pr[w_1 , w_2] \end{aligned}$$

Proof

Let us substitute \(r_i\)’s into formulas (7)–(10). Let us also substitute the following definitions:

$$\begin{aligned} \begin{array}{ll} m_i(t) = Pr[w_i]&m_i(\theta )= Pr[\bar{w_i}] \end{array} \end{aligned}$$

knowing that:

$$\begin{aligned}&Pr[w_2|w_1]=\frac{Pr[w_1,w_2]}{Pr[w_1]} \end{aligned}$$

then substitute the above into the definition of \(r_1\), we get

$$\begin{aligned}&r_1\cdot Pr[\bar{w_2}]\cdot Pr[w_1]=Pr[w_1,w_2]-Pr[w_1]\cdot Pr[w_2] \end{aligned}$$

knowing that \(Pr[\bar{w_2}]=1-Pr[w_2]\), then:

$$\begin{aligned}&Pr[w_1,w_2]=r_{1} \cdot Pr[w_{1}] +(1-r_{1}) \cdot Pr[w_{1}] \cdot Pr[w_{2}] \\&=\psi [t,t] \end{aligned}$$

The importance of this theorem is that our way of calculating the joint bpa \(\psi [h_1, h_2]\) is sound in that it gives a generalization of the joint probability distribution of the trustworthiness of two (potentially) dependent sources. This also follows Shafer’s general guide on how to handle non-independent evidence sources in DS [26], although Shafer did not provide the specific formulations.

B Belief Calculation Algorithm

The main algorithm is DsCorr (Algorithm 1). This function takes GraphSet which is a set of correlation graph segments. It iterates on each graph, and returns a set of the graph segments sorted by the belief of the sink node (or highest sink node for multiple sinks) in descending order.

Algorithm ComputeNodeBelief (Algorithm 2) takes a node and returns the belief value of it. There are three cases to consider for the node: (1) it is a source node; (2) it has only one parent node, (3) it has multiple parents. In the first case AssignBpaValues is called to compute the basic probability assignment based on the method in Sect. 3.2. This case applies to the alert nodes, e.g., node 1–5 in Fig. 1. In the second case the node has only one parent so the translation function is called. The third case for combination is done by first translating implicitly into the node and then combine.