An iterative learning and inference approach to managing dynamic cyber vulnerabilities of complex systems

https://doi.org/10.1016/j.ress.2019.106664

Highlights

  • Address the dynamic nature of cyber-system vulnerabilities through application of an iterative learning and inference approach.

  • Incorporate hidden time-varying system health characteristics that may not be directly observable to cyber-system administrators or managers.

  • Recognize that multiple types of cyber vulnerabilities need to be assessed to provide a holistic assessment for overall system state of health.

Abstract

As modern infrastructure systems become increasingly reliant on cyber technologies and continue to be integrated with physical systems, managing risks from deliberate and non-deliberate sources is a significant research challenge. Unlike strictly physical systems, cyber-enabled physical systems are influenced by dynamic and evolving technologies, environments, and attack mechanisms. As a result, vulnerabilities are rapidly changing and difficult to detect and manage. While there is recent interest in the dynamic properties of performance through resilience analysis, limited research addresses the dynamic nature of cyber-system vulnerability. This paper presents an iterative data-driven learning approach to evaluate and manage vulnerabilities for such complex systems. These time-varying system health characteristics may not be directly observable, but can be inferred using observable indicators. The approach recognizes that multiple types of vulnerabilities need to be included in a holistic system health assessment. The methods are applied to the Common Vulnerability Scoring System (CVSS) database containing thousands of documented cybersecurity vulnerabilities over nearly two decades. We acknowledge the dynamic properties of cyber vulnerability, while also inferring system health using observable data and hidden operational states. The results will be of interest to managers of large-scale cyber-enabled physical systems who are seeking to prioritize system health investments.

Introduction

Cyber attacks have potential to cause significant disruptions to the performance of cyber-enabled physical infrastructure systems. As the importance of cyber infrastructure health becomes increasingly apparent, numerous efforts are underway globally to secure and protect critical national infrastructure systems. For example, in 2018, the United States launched the Cybersecurity and Infrastructure Security Agency (CISA), promoting cybersecurity assessment for the support of critical infrastructures and operations [15]. Similarly, in 2019, the European Union Cybersecurity Act created a permanent mandate for the European Union Agency for Cybersecurity [22]. Within the agency's scope is the intent to protect the cybersecurity network and improve cyber resilience. With increased attention to cybersecurity at a national level, it is critical for government agencies to understand the state of health of their entire cyber infrastructure system. This is a challenging endeavor, as historically, cyber-system modeling literature has addressed security and vulnerability at an organizational level, largely focusing on various software-specific vulnerabilities.

The U.S. National Science Foundation (NSF) defines cyber-physical systems as “engineered systems that are built from, and depend upon, the seamless integration of computation and physical components” [49]. Consider for example reports of software security flaws in vehicles that allow for remote attacks on physical control of vehicles [45], cyber-attacks that can halt operations in shipping, pharmaceuticals, oil and gas, and other industries [25], [56], or large-scale data breaches [32]. Globally, these cyber-enabled physical systems are critical for the movement of people, goods, and services. When compromised, these systems can have disastrous impacts on the safety, security, and economic well-being of organizations [11], [39]. Since the application domains comprise most critical infrastructure systems (such as transportation, energy, communications [18]) and private sector operations involving severe potential health/safety consequences [34], [57], it is critical for owners of these systems to objectively manage system vulnerability and investments as part of enterprise-level risk management processes.

Managing risk for these cyber-enabled physical systems also poses several preventive, reactive, and proactive cybersecurity challenges. These systems involve technologies that are rapidly changing and adapting, with the notable recent emergence of: 1) cloud computing [44], 2) large-scale data availability [37], 3) Internet of Things (IoT) capabilities [55], 4) blockchain technologies [60], and 5) sophisticated methods such as hacking exercises and real-world programs used to identify system vulnerabilities [65]. These systems are also sensitive to other dynamic conditions, such as cybersecurity policies, security-related legislation, human error, and operational uncertainties. The impact of these changing conditions can be influenced by several factors in the physical and cyber space, such as: remoteness of the attacker, complexity of the attack, and authentication privileges of the attacker, among others [21]. This suggests the need for learning-based vulnerability models that can rapidly adapt to current operational information, emerging conditions, and sudden changes in network characteristics. Additionally, there is a need to reconcile vulnerability analyses with the study of zero-day attacks [8], which exploit vulnerabilities that may not yet have even been reported. This suggests that in many cases, the “true” system health due to a vulnerability may not be known by system owners. Instead, owners may observe known vulnerabilities to make generalizations about the overall health of the system.

Operational security management of cyber-enabled physical systems typically involves reactive processes. When a particular vulnerability is discovered, patches are created to minimize or eliminate the vulnerability through some form of enterprise patch management processes [58]. Because no single entity can control each organization's ability to detect and treat cyber vulnerabilities, a national agency or large-scale organization must consider policy-level investments that can minimize vulnerability or exposure of the overall system without directly managing organizational behavior. In some cases, organizations may also focus efforts on proactive processes, such as investing in cyber insurance [5] and increasing system monitoring.

In this paper, we treat an individual organization as a subsystem, thereby assuming a national cyber security agency or large-scale organization as the system of interest. We assume that these subsystems are interdependent, such that an exploited vulnerability in one subsystem can have cascading effects on other connected systems. For example, consider the case of malicious code spreading across a network [40], possibly causing significant physical damage [13]. Similar to aspects of resilience that do not focus on specific attack scenarios, an overall assessment of vulnerability is not focused on specific vulnerabilities within subsystems. Instead, overall assessment of vulnerability seeks to understand an inherent characteristic, attribute, or property of the overarching system, with limited knowledge of individual subsystem vulnerabilities. To clarify, we introduce two types of characteristics:

Subsystem vulnerability: Vulnerability characteristics of each organization within the studied system. Each organization is referred to as a subsystem, allowing each subsystem to manage its own protocol for identifying and treating known vulnerabilities.

Overall system health: System health that is influenced by vulnerability of the interacting subsystems as a whole.

We introduce the term System Posture (SP) to represent metrics that characterize the overall system health. This SP metric can apply to a single system or a system-of-systems that may be geographically dispersed or autonomously managed. We assume the subsystems interact while the system manager has no knowledge or ability to predict the interaction patterns. Therefore, the interactions are treated as unknown or unstructured. This overall system has limited control over the vulnerability management behavior of subsystems, yet is tasked with supporting the maintenance of overall health of the system through monitoring of the SP metric.

While the use of vulnerability scoring and other real-time assessment metrics has been adopted industry-wide, these types of metrics illustrate only current conditions based on steady-state/equilibrium assumptions. These approaches are helpful for near-term reactions to current vulnerabilities, such as immediate patch management practices. However, there is a need to use this information to inform strategic and tactical planning that is able to respond to trends or changes in conditions, recognizing that various types of vulnerability conditions may require tailored vulnerability management strategies. We address these shortcomings by developing a data-driven learning and stochastic modeling approach to classify system vulnerabilities. The approach consists of modeling dynamic system vulnerabilities using a hidden state-based approach to understand system posture for overall system health, and identifying the system properties that are most important to reinforce through vulnerability management practices.

To the best of our knowledge, this paper is one of the first to study the dynamic characteristics of cyber-system vulnerabilities, recognizing that the system properties can be adaptive and change rapidly. We also introduce vulnerability metrics while considering both observable and hidden states of such cyber-enabled physical systems. This state-based approach includes model learning, such that it can adapt to changing technologies and conditions. Moreover, we model the “hidden” properties of system vulnerability while acknowledging risks that are considered to be unknown knowns, such that the assessors may not know that they lack some knowledge that potential attackers (or system users) may have. This is consistent with similar attacker-related contexts, in which the system managers have limited knowledge of attacker intents and exploits. It also addresses previous shortcomings of vulnerability assessments by acknowledging dynamic system properties that can help address zero-day attacks or persistent system attacks. While this paper represents one of the first efforts to address dynamic properties of system vulnerabilities, the intent is to serve as a springboard for further research that explores other data-driven and statistically well-grounded machine learning/artificial intelligence methods. These methods can be used for optimal determination of model parameters, of the key system vulnerabilities necessary for modeling, and of how system managers should use this information within decision-making processes.

Section 2 provides background on modeling of cyber-system vulnerability, stochastic modeling of hidden system states, and the relevance of the methods to cyber-enabled physical systems. Section 3 presents our iterative learning and inference methodology. Section 4 applies the methodology to a real dataset cataloging all Common Vulnerability Scoring System (CVSS) vulnerabilities over an 18-year period. Section 5 provides concluding remarks and opportunities for future research.

Section snippets

Background

This section provides a background of core issues in the modeling of vulnerability and risk, with particular emphasis on cyber-enabled physical systems. Section 2.1 discusses the modeling of vulnerability. Section 2.2 discusses the role of vulnerability modeling in emerging risk management principles.

Methodology

In light of the challenges and opportunities described above, our proposed methodology is summarized in Fig. 3, noting that each step of the methodology relates directly to a subsection in this paper. The methodological workflow consists of: (1) Modeling system properties and evolution using Markov assumptions for the cyber-enabled physical system, (2) Learning model parameters from historical observable cyber vulnerabilities, (3) Inferring likely system state sequences (referred to as the

Demonstration of methods using CVSS scoring system

This section provides a demonstration of the methods described in Section 3 of this paper. The demonstration of methods uses CVSS scores to provide a foundation for evaluating system vulnerabilities and overall system health. Consider the CVE vulnerability data from the National Vulnerability Database by the National Institute of Standards and Technology. One analysis of historical documented CVSS vulnerabilities [16] that is classified using keyword matching for CVSS Base Scores resulted in
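As an added illustration of the inference step (step 3 of the methodology above) applied to the CVSS base scores this demonstration is built on, and not code from the paper: a two-state hidden Markov model whose hidden posture states are decoded by Viterbi from a constructed, time-ordered sequence of base scores. The state names, the initial/transition/emission probabilities and the score sequence are all assumptions standing in for the paper's learned parameters, which are not on this page; the severity buckets are NVD's CVSS v2 qualitative ranges.

```python
import math

# Constructed example (not from the paper): a two-state HMM in which the
# hidden "system posture" state is inferred from observable CVSS severity.
STATES = ("healthy", "degraded")

# NVD's CVSS v2 qualitative ranges: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.
def severity_bucket(base_score: float) -> str:
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score < 4.0:
        return "low"
    if base_score < 7.0:
        return "medium"
    return "high"

# Hypothetical parameters standing in for the learned ones (step 2 of the
# methodology); the paper's actual values are not on the page.
INITIAL = {"healthy": 0.8, "degraded": 0.2}
TRANSITION = {
    "healthy": {"healthy": 0.85, "degraded": 0.15},
    "degraded": {"healthy": 0.30, "degraded": 0.70},
}
EMISSION = {
    "healthy": {"low": 0.50, "medium": 0.40, "high": 0.10},
    "degraded": {"low": 0.10, "medium": 0.35, "high": 0.55},
}

def viterbi(observations):
    """Return (most likely hidden state path, its log-probability); log-space Viterbi."""
    if not observations:
        return [], 0.0
    # trellis[t][s] = (best log-prob of a path ending in state s at time t, predecessor)
    trellis = [{s: (math.log(INITIAL[s]) + math.log(EMISSION[s][observations[0]]), None)
                for s in STATES}]
    for t in range(1, len(observations)):
        column = {}
        for s in STATES:
            prev, score = max(
                ((p, trellis[t - 1][p][0] + math.log(TRANSITION[p][s])) for p in STATES),
                key=lambda item: item[1],
            )
            column[s] = (score + math.log(EMISSION[s][observations[t]]), prev)
        trellis.append(column)
    last = max(STATES, key=lambda s: trellis[-1][s][0])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):   # backtrack through predecessors
        path.append(trellis[t][path[-1]][1])
    path.reverse()
    return path, trellis[-1][last][0]

def infer_posture(base_scores):
    """Bucket a time-ordered sequence of CVSS base scores and decode the hidden posture."""
    return viterbi([severity_bucket(s) for s in base_scores])
```

With the constructed scores [2.1, 3.5, 5.0, 7.5, 9.3, 8.8, 4.3, 2.6] the decoder places the subsystem in the "degraded" state during the run of high-severity reports and back in "healthy" afterwards, which is the kind of hidden-state trajectory a posture metric would be computed over.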

Conclusions

This paper presented an iterative learning and inference approach to evaluate the dynamic properties of vulnerability for cyber-enabled physical systems. The approach distinguishes between subsystem vulnerability (vulnerability of each firm within a larger system), and overall system health (influenced by vulnerability of interacting sub-systems). We introduced four system posture metrics, consisting of: System Posture Metric #1 (Stability), System Posture Metric #2 (Antifragility), System

References (68)

  • G.E. Apostolakis et al. A screening methodology for the identification and ranking of infrastructure vulnerabilities due to terrorism. Risk Anal Int J (2005)
  • A. Årnes et al. Using hidden Markov models to evaluate the risks of intrusions
  • W.S. Baer et al. Cyberinsurance in IT security management. IEEE Secur Privacy (2007)
  • Leonard E. Baum. A maximization technique occurring in the statistical analysis of probabilistic functions of Markov chains. Ann Math Stat (1970)
  • Beketov, Mikhail A. HMMCont: Hidden Markov Model for Continuous Observations Processes. 1.0, 2014. R-Packages,...
  • L. Bilge et al. Before we knew it: an empirical study of zero-day attacks in the real world
  • Bodeau, D., Graubart, R., LaPadula, L., Kertzner, P., Rosenthal, A., & Brennan, J. (2012). Cyber resiliency metrics,...
  • Bodeau, D., McColumn, C., and Fox, D. (2018). Cyber threat modeling....
  • Jaime C. Cepeda. Pattern recognition-based approach for dynamic vulnerability status prediction. Dynamic vulnerability assessment and intelligent control: for sustainable power systems (2018)
  • T.M. Chen et al. Lessons from Stuxnet. Computer (2011)
  • S. Chikkagoudar et al. Machine learning for cybersecurity
  • CISA. (2018, November 20). Retrieved July 2, 2019, from Department of Homeland Security website:...
  • CVE Details (2018). About www.cvedetails.com. [online] Cvedetails.com. Available at:...
  • Joseph DiRenzo et al. The little-known challenge of maritime cyber security
  • DHS (2018). [online] Dhs.gov. Available at:...
  • Dou, W., Tang, W., Wu, X., Qi, L., Xu, X., Zhang, X. and Hu, C., 2018. An insurance theory based optimal...
  • R.O. Duda et al. Pattern classification (2012)
  • Edgar, T.W., and Manz, D.O. (2017). Research methods for cyber security. Syngress–Elsevier, Cambridge, MA, pp....
  • European Union Agency for Cybersecurity - A new chapter for ENISA [Press Release]. (n.d.). Retrieved July 2, 2019, from...
  • FIRST (2018a). Common Vulnerability Scoring System SIG. [online] FIRST — Forum of Incident Response and Security Teams....
  • FIRST (2018b). Frequently Asked Questions. [online] FIRST — Forum of Incident Response and Security Teams. Available...
  • Henry Foy. Maersk, WPP and FedEx still struggling with cyber attack fallout. Financ Times (2017)
  • M. Frigault et al. Measuring network security using dynamic Bayesian network
  • FTC (2018). Financial institutions and customer information: complying with the safeguards rule. [online] Federal Trade...
Cited by (19)

  • Model-based IDS design for ICSs. 2022, Reliability Engineering and System Safety.

    Citation excerpt: On the other hand, the second model focuses on the quantitative and qualitative evaluation of the effects of system-specific vulnerabilities and the mitigation measures against them on cyber-security. Chatterjee et al. [15] present an iterative learning approach to evaluate the dynamic properties of vulnerabilities of the CPS. Their approach distinguishes between subsystem vulnerability and overall system health.

  • A clustering-based framework for searching vulnerabilities in the operation dynamics of Cyber-Physical Energy Systems. 2022, Reliability Engineering and System Safety.

    Citation excerpt: In this regard, investigation of the system operation dynamics is fundamental. For instance, Ref [9] recognized multiple types of vulnerabilities in time-varying system properties classified by a Hidden Markov Model. Ref [29] proposed a machine learning technique to reveal the time-varying vulnerability features of a CPES and defend them against continuous cyber-attacks.