An Approach to Incorporating Uncertainty in Network Security Analysis

Similar documents
An Approach to Incorporating Uncertainty in Network Security Analysis

LAPLACE TRANSFORMS. 1. Basic transforms

Bipartite Matching. Matching. Bipartite Matching. Maxflow Formulation

Optimality of Myopic Policy for a Class of Monotone Affine Restless Multi-Armed Bandit

e t dt e t dt = lim e t dt T (1 e T ) = 1

Positive and negative solutions of a boundary value problem for a

Flow Networks Alon Efrat Slides courtesy of Charles Leiserson with small changes by Carola Wenk. Flow networks. Flow networks CS 445

graph of unit step function t

Contraction Mapping Principle Approach to Differential Equations

4.8 Improper Integrals

Algorithmic Discrete Mathematics 6. Exercise Sheet

Randomized Perfect Bipartite Matching

The solution is often represented as a vector: 2xI + 4X2 + 2X3 + 4X4 + 2X5 = 4 2xI + 4X2 + 3X3 + 3X4 + 3X5 = 4. 3xI + 6X2 + 6X3 + 3X4 + 6X5 = 6.

CSC 373: Algorithm Design and Analysis Lecture 9

Problem Set If all directed edges in a network have distinct capacities, then there is a unique maximum flow.

Section P.1 Notes Page 1 Section P.1 Precalculus and Trigonometry Review

Network Flows: Introduction & Maximum Flow

Motion. Part 2: Constant Acceleration. Acceleration. October Lab Physics. Ms. Levine 1. Acceleration. Acceleration. Units for Acceleration.

5. Network flow. Network flow. Maximum flow problem. Ford-Fulkerson algorithm. Min-cost flow. Network flow 5-1

0 for t < 0 1 for t > 0

IX.1.1 The Laplace Transform Definition 700. IX.1.2 Properties 701. IX.1.3 Examples 702. IX.1.4 Solution of IVP for ODEs 704

IX.1.1 The Laplace Transform Definition 700. IX.1.2 Properties 701. IX.1.3 Examples 702. IX.1.4 Solution of IVP for ODEs 704

GEOMETRIC EFFECTS CONTRIBUTING TO ANTICIPATION OF THE BEVEL EDGE IN SPREADING RESISTANCE PROFILING

CS4445/9544 Analysis of Algorithms II Solution for Assignment 1

Chapter 2: Evaluative Feedback

5.1-The Initial-Value Problems For Ordinary Differential Equations

3. Renewal Limit Theorems

Solutions to assignment 3

PHYSICS 1210 Exam 1 University of Wyoming 14 February points

Transformations. Ordered set of numbers: (1,2,3,4) Example: (x,y,z) coordinates of pt in space. Vectors

Some basic notation and terminology. Deterministic Finite Automata. COMP218: Decision, Computation and Language Note 1

The Residual Graph. 11 Augmenting Path Algorithms. Augmenting Path Algorithm. Augmenting Path Algorithm

Flow networks. Flow Networks. A flow on a network. Flow networks. The maximum-flow problem. Introduction to Algorithms, Lecture 22 December 5, 2001

Admin MAX FLOW APPLICATIONS. Flow graph/networks. Flow constraints 4/30/13. CS lunch today Grading. in-flow = out-flow for every vertex (except s, t)

can be viewed as a generalized product, and one for which the product of f and g. That is, does

Minimum Squared Error

Introduction to Congestion Games

Minimum Squared Error

Research Article The General Solution of Differential Equations with Caputo-Hadamard Fractional Derivatives and Noninstantaneous Impulses

18 Extensions of Maximum Flow

The Residual Graph. 12 Augmenting Path Algorithms. Augmenting Path Algorithm. Augmenting Path Algorithm

An integral having either an infinite limit of integration or an unbounded integrand is called improper. Here are two examples.

EECE 301 Signals & Systems Prof. Mark Fowler

Math Week 12 continue ; also cover parts of , EP 7.6 Mon Nov 14

September 20 Homework Solutions

1 Motivation and Basic Definitions

6.8 Laplace Transform: General Formulas

f t f a f x dx By Lin McMullin f x dx= f b f a. 2

u(t) Figure 1. Open loop control system

Average Case Lower Bounds for Monotone Switching Networks

CHAPTER 7: SECOND-ORDER CIRCUITS

Laplace Transform. Inverse Laplace Transform. e st f(t)dt. (2)

Recent Enhancements to the MULTIFAN-CL Software

Main Reference: Sections in CLRS.

Chapter Introduction. 2. Linear Combinations [4.1]

EXISTENCE AND UNIQUENESS OF SOLUTIONS FOR A SECOND-ORDER ITERATIVE BOUNDARY-VALUE PROBLEM

Sph3u Practice Unit Test: Kinematics (Solutions) LoRusso

2. VECTORS. R Vectors are denoted by bold-face characters such as R, V, etc. The magnitude of a vector, such as R, is denoted as R, R, V

4/12/12. Applications of the Maxflow Problem 7.5 Bipartite Matching. Bipartite Matching. Bipartite Matching. Bipartite matching: the flow network

Price Discrimination

Algorithm Design and Analysis

t s (half of the total time in the air) d?

5.2 GRAPHICAL VELOCITY ANALYSIS Polygon Method

CS3510 Design & Analysis of Algorithms Fall 2017 Section A. Test 3 Solutions. Instructor: Richard Peng In class, Wednesday, Nov 15, 2017

Applications of Prüfer Transformations in the Theory of Ordinary Differential Equations

( ) ( ) ( ) ( ) ( ) ( y )

Linear Response Theory: The connection between QFT and experiments

Graduate Algorithms CS F-18 Flow Networks

A continuous-time approach to constraint satisfaction: Optimization hardness as transient chaos

A new model for limit order book dynamics

Introduction to SLE Lecture Notes

1.0 Electrical Systems

Solving Evacuation Problems Efficiently. Earliest Arrival Flows with Multiple Sources

NECESSARY AND SUFFICIENT CONDITIONS FOR LATENT SEPARABILITY

ENGR 1990 Engineering Mathematics The Integral of a Function as a Function

Sample Final Exam (finals03) Covering Chapters 1-9 of Fundamentals of Signals & Systems

A Kalman filtering simulation

MATH 124 AND 125 FINAL EXAM REVIEW PACKET (Revised spring 2008)

, the. L and the L. x x. max. i n. It is easy to show that these two norms satisfy the following relation: x x n x = (17.3) max

Physics 2A HW #3 Solutions

FUZZY n-inner PRODUCT SPACE

arxiv: v1 [cs.cg] 21 Mar 2013

Reminder: Flow Networks

To become more mathematically correct, Circuit equations are Algebraic Differential equations. from KVL, KCL from the constitutive relationship

Soviet Rail Network, 1955

Notes on cointegration of real interest rates and real exchange rates. ρ (2)

Discussion Session 2 Constant Acceleration/Relative Motion Week 03

Flow Networks. Ma/CS 6a. Class 14: Flow Exercises

Hermite-Hadamard-Fejér type inequalities for convex functions via fractional integrals

Convergence of Singular Integral Operators in Weighted Lebesgue Spaces

1 jordan.mcd Eigenvalue-eigenvector approach to solving first order ODEs. -- Jordan normal (canonical) form. Instructor: Nam Sun Wang

DC Miniature Solenoids KLM Varioline

CSC 364S Notes University of Toronto, Spring, The networks we will consider are directed graphs, where each edge has associated with it

ON NEW INEQUALITIES OF SIMPSON S TYPE FOR FUNCTIONS WHOSE SECOND DERIVATIVES ABSOLUTE VALUES ARE CONVEX

The Concepts and Applications of Fractional Order Differential Calculus in Modelling of Viscoelastic Systems: A primer

Price of Stability and Introduction to Mechanism Design

3D Transformations. Computer Graphics COMP 770 (236) Spring Instructor: Brandon Lloyd 1/26/07 1

Mathematics 805 Final Examination Answers

Matching. Slides designed by Kevin Wayne.

Max Flow, Min Cut COS 521. Kevin Wayne Fall Soviet Rail Network, Cuts. Minimum Cut Problem. Flow network.

Transcription:

An Approch o Incorporing Unceriny in Nework Securiy Anlyi Hong Hi Nguyen hnguye11@illinoi.edu Krik Plni plni2@illinoi.edu Deprmen of Elecricl nd Compuer Engineering Univeriy of Illinoi Urbn-Chmpign Urbn, IL 61801 Dvid M. Nicol dmnicol@illinoi.edu ABSTRACT Ack grph ued in nework ecuriy nlyi re nlyzed o deermine equence of exploi h led o ucceful cquiiion of privilege or d criicl e. An ck grph edge correpond o vulnerbiliy, cily uming connecion exi nd cily uming he vulnerbiliy i known o exi. In hi pper we explore ue of uncerin grph o exend he prdigm o include lck of ceriny in connecion nd/or exience of vulnerbiliy. We exend he ndrd noion of uncerin grph (where he exience of ech edge i probbiliiclly independen) however, ignificn correlion on edge exience probbiliie exi in prcice, owing o common underlying cue for di-conneciviy nd/or preence of vulnerbiliie. Our exenion decribe ech edge probbiliy Boolen expreion of independen indicor rndom vrible. Thi pper (i) how h hi formlim i mximlly decripive in he ene h i cn decribe ny join probbiliy diribuion funcion of edge exience, (ii) how h when hee Boolen expreion re monoone hen we cn eily perform unceriny nlyi of edge probbiliie, nd (iii) ue hee reul o model pril ck grph of he Suxne worm nd mll enerprie nework nd o nwer imporn ecuriy-reled queion in probbiliic mnner. Keyword Nework ecuriy; ck grph; unceriny nlyi 1. INTRODUCTION A compuer become more ubiquiou in criicl infrrucure, evluing he effec of vulnerbiliie become increingly imporn. In order o mke deciion bou defene meure, i i vil o udy he ph h n cker migh ke o inrude ino rge nework nd dirup ervice. The ck grph formlim [16] i repreenion of he poible wy in which n cker cn ge Permiion o mke digil or hrd copie of ll or pr of hi work for peronl or clroom ue i grned wihou fee provided h copie re no mde or diribued for profi or commercil dvnge nd h copie ber hi noice nd he full ciion on he fir pge. Copyrigh for componen of hi work owned by oher hn he uhor() mu be honored. Abrcing wih credi i permied. To copy oherwie, or republih, o po on erver or o rediribue o li, require prior pecific permiion nd/or fee. Reque permiion from permiion@cm.org. HoTSoS, April 04-05, 2017, Hnover, MD, USA c 2017 Copyrigh held by he owner/uhor(). Publicion righ licened o ACM. ISBN 978-1-4503-5274-1/17/04... $15.00 DOI: 10.1145/3055305.3055308 o he deired rge ho by exploiing vulnerbiliie on nework ho while gining he required privilege ech ep. The fir ep in ck grph generion i nlyzing he conneciviy of he nework componen nd i ermed rechbiliy nlyi [11]. Thi informion i ued o deermine if rge ho i rechble by n cker from hi curren ho. Idelly, informion bou he nework opology of he rge nework, pplicion running on nework ho, cce conrol rule for he nework, nd he ru relionhip beween ho i known o he modeler. Accurcy nd exhuivene of nework configurion informion direcly ffec ccurcy of he genered ck grph [14]. Depie being ueful nd well-developed ool, ck grph hve deerminiic emnic nd hence re no cpble of expreing unceriny [18], which i inheren o ny model. To our inere, unceriny rie minly from hree ource: he unceriny bou he cker (e.g. hi kill e, gol, nd knowledge), bou he yem being modeled (e.g. he verion nd configurion deil of nework ervice nd heir ocied vulnerbiliie), nd bou he environmen in which he yem i opered (including he legiime uer nd dminiror). In ech cegory, unceriny my lo come in differen hpe, eiher due o he lck, indequcy, inccurcy, or omeime inconiency of informion. Idelly we hould be ble o boh ue n ck grph o idenify poible phwy of ck, bu lo qunify unceriny bou hoe phwy. Thi pper im o inegre unceriny ino ecuriy modeling nd nlyi of compuer yem. A fir ep, we chooe o focu only on udying unceriny bou he yem. Hence, uncerinie bou he cker nd he environmen (nd heir implicion) will no be conidered. Under hi umpion, we propoe o ue uncerin grph, grph where poenil edge re lbeled wih n exience probbiliy. Uncerin grph hve been uccefully pplied o vriou problem in differen domin [2] [26] [8] [9]. We ue i o nlyze unceriny of he exience of epping one ck encoded in d rucure like ck grph. However, he uul definiion of uncerin grph ume edge exi independenly of ech oher [10] [12] [13], mjor iue when pplying o ecuriy modeling, e.g., one vulnerbiliy my imulneouly enble ck from muliple ho. Furhermore, exiing uncerin grph reerch doe no conider he preciion of conneciviy ubjeced o chnge (or unceriny) in edge exience; in oher conex, unceriny nlyi ell u in wh ce, robu concluion cn be mde in he fce of model inpu unceriny. A mjor porion of hi pper im o ddre hoe wo

iue. For he fir iue, we exend he uncerin grph formlim nd model he correlion beween edge exience due o common underlying cue. We decribe common cue uing independen indicor rndom vrible nd ue Boolen expreion of hee o expre he edge exience probbiliie. For he econd iue, we how how unceriny nlyi of uncerin grph cn be eily done when he Boolen expreion re monoone [4], i.e. hey do no ue negion of rndom vrible. In ummry, our conribuion re fourfold: 1. To he be of our knowledge, we re he fir o propoe uncerin grph for ecuriy modeling nd nlyi of yem wih unceriny. 2. We exend he rdiionl uncerin grph formlim o model he correlion beween edge exience nd prove heoreicl reul bou he expreivene of uncerin grph. 3. We perform unceriny nlyi of uncerin grph by leverging he monooniciy of rechbiliy. 4. We how how o ue uncerin grph o model yem wih unceriny nd how he grph help nwering differen ecuriy-reled queion bou he modeled yem in probbiliic mnner. The re of he pper i orgnized follow: Secion 2 dicue bckground, Secion 3 exend he uncerin grph formlim nd prove ome heoreicl reul, Secion 4 perform unceriny nlyi of uncerin grph, Secion 5 nd 6 how wo modeling exmple, Secion 7 dicue reled work, nd Secion 8 conclude he pper. 2. BACKGROUND Symbol Definiion V e of verice, verice in V, r nd end poin of ck n ize of V E e of edge m ize of E G deerminiic grph E(G) e of edge in G Γ V e of ll de. grph wih verex e V N ize of Γ V which i 2 n(n 1) p probbiliy ignmen vecor X e of rndom vrible r ize of X,, logic operor AND, OR, NOT q funcion h ign boolen exp. o edge G uncerin grph (bic nd exended) w G,G he probbiliy of G in G f ochic mpping R, rechbiliy of deerminiic grph R, rechbiliy of uncerin grph [0, 1] m uni hypercube of dimenion m H p,ɛ hyperrecngle conining p Tble 1: Summry of noion b p 1 p 2 p 3 G p 4 b p 5...... b G 1 G i G 32 Figure 1: A 4-verex, 5-edge uncerin grph nd hree of i 32 poible world. In ecuriy modeling, denoe he ring poin (e.g. compromied compuer in he nework) nd he ending poin of he ck (e.g. criicl compuer h he cker wn o gin cce o). 2.1 Ack grph nd cenrio grph The operion of yem cn be modeled o be in differen e differen inn of ime. While mo e migh be benign, here exi criicl e h cn led he yem o filure. A filure cenrio i decribed equence of even h viole correcne propery defined for he yem. A cenrio grph [24] i n exhuive nd uccinc repreenion of ll filure cenrio. A pecil ce of he cenrio grph i n ck grph. An ck grph model he poible wy n cker migh ge cce o criicl e by exploiing e of vulnerbiliie on he ervice running on he ho. The verice of he grph repreen he privilege level of he cker on he nework ho nd he edge repreen he vulnerbiliie h he cker could exploi [22]. Trdiionlly, em of exper hve looked he ervice running on ho o deermine vulnerbiliy informion nd hve coupled hi wih nework informion, uch he conneciviy of ho, o build ou hee ck grph. However, hi informion i no lwy redily vilble, which mke i imporn o ccoun for unceriny in he model. 2.2 Overview of uncerin grph Uncerin grph exend he definiion of deerminiic grph by cribing o ech of deerminiic grph edge n exience probbiliy [19] [10] [13]. Formlly, le G = (V, E) denoe deerminiic grph 1 where V = {V 1,..., V n} nd E = {E 1,..., E m} re he e of verice nd edge. The uncerin grph G = (V, E, p), where p = (p 1,..., p m) (0, 1] m, llow ech edge E i E o exi independenly of ech oher nd wih probbiliy p i for i = 1,..., m. We cll p he probbiliy ignmen vecor of E. An uncerin grph my conin boh cerin edge edge h exi wih probbiliy one nd uncerin edge edge h exi wih probbiliy ricly le hn one. When ll edge re cerin edge, he uncerin grph degenere o deerminiic grph. In he lierure, uncerin grph 1 we only conider imple direced grph b

re omeime reed generive model of deerminiic grph [19] [10]. Wih hi view, every deerminiic grph G = (V, E ) where E E i clled poible world (or poible oucome) of G. Slighly buing he noion, we denoe hi G G. G genere n exponenil number of 2 m poible world, ech G = (V, E ) wih probbiliy: w G,G = p i (1 p i) E i E E i E\E where m m i he number of uncerin edge in G. For exmple, he probbiliy of G i in G (Figure 1) i w Gi,G = p 1p 2(1 p 3)(1 p 4)p 5. Obviouly w G,G (0, 1] G G nd he lw of ol probbiliy dice h G G wg,g = 1. An uncerin grph diinguihe ielf from Byein nework [27] [29], which w deigned o model cul effec. While Byein nework re cyclic, cyclic relionhip rie from mny prcicl iuion nd i llowed in uncerin grph. [27] circumvened he problem wih cycle, bu he echnique hd o rely on meric-dependen propery. Uncerin grph lo do no ume he e rniion modeled in rniion yem [3] (e.g. Mrkov deciion procee, probbiliic uom). Such rniion hve uble drwbck in ecuriy modeling of compuer nework ince n cker doe no jump from one plce o he oher. Ined, he gin cce o more nd more plce he ck progree nd i cpble of howing up muliple plce he me ime. 2.3 Properie of uncerin grph For ny given grph propery, e.g., rechbiliy from verex o verex, deerminiic grph h he propery or doe no hve i. Since edge in n uncerin grph re rndom, we will pek of he probbiliy h n uncerin grph h given propery, he um of he probbiliie of grph in i poible world h poe h propery. We re priculrly inereed in rechbiliy. Uing mhemicl ymbol, le funcion R,(G) denoe he rechbiliy of he deerminiic grph G, which evlue o 1 if reche in G nd o 0 oherwie. In Figure 1, R,(G i) = R,(G 32) = 1 nd R,(G 1) = 0. The rechbiliy of he uncerin grph G i defined : R,(G) = G G w G,G R,(G) = G G E i E(G) p i E i E\E(G) (1 p i) R,(G) where E(G) denoe he e of edge in G. Uing Equion 1, he rechbiliy of he uncerin grph in Figure 1 cn be compued follow (fer implificion): R,(G) = p 1p 2 + p 4p 5 + p 1p 3p 5 p 1p 2p 3p 5 p 1p 2p 4p 5 p 1p 3p 4p 5 + p 1p 2p 3p 4p 5 Alhough we only focu on rechbiliy in hi pper, mny oher properie of uncerin grph cn be defined in imilr fhion. 2.4 Meuring uncerin grph properie Mo problem in uncerin grph re #P-complee, including he problem of compuing rechbiliy [25]. For h (1) reon, mpling echnique hve been propoed he lernive o direc compuion in olving problem of lrge uncerin grph [7] [19] [10] [13]. A bic Mone-Crlo mehod for eiming he rechbiliy of n uncerin grph G work follow. Fir, mple i poible world G 1,..., G i from G. Thi cn be chieved by mpling edge in G independenly ccording o heir exience probbiliie. Then, compue he rechbiliy R,(G j) for ech G j, j = 1,..., i. The rechbiliy of he uncerin grph i eimed : ( i ) R,(G) = 1 R,(G j) i j=1 The eimor R,(G) i rndom vrible whoe men i R,(G) (for hi we y he eimor i unbied) nd vrince 1 R,(G)(1 R,(G)) [7] [10]. Advnced mpling i echnique hve been propoed o reduce he eimor vrince while requiring fewer number mple [10] [13]. Thoe echnique recurively compue R,(G) by condiioning on he exience of n edge. 3. EXTENDED UNCERTAIN GRAPHS While promiing ool, he exiing uncerin grph formlim however doe no uppor modeling of he correlion beween edge exience. Such correlion rie nurlly from modeling vriou yem (Secion 5 nd 6). Here i n exmple. Aume in cerin nework, ho 0 nd ho 1 cn freely communice wih ll ervice running on ho 1 nd ho 2, repecively. Furhermore, boh ho 1 nd ho 2 run imilr e of ervice. If n cker from ho 0 cn gin cce o ho 1 by exploiing ome vulnerbiliy of ervice running on ho 1, hen urely he i lo ble o do o from ho 1 o ho 2. A we model he poibiliy of ck in he nework uing n uncerin grph, edge (0, 1) exience gurnee h edge (1, 2) lo exi. In oher word, here i no poible world in which edge (0, 1) exi while edge (1, 2) doe no. Thi behvior cnno be modeled uing he decribed uncerin grph where edge exi independenly of one noher (Secion 3.2). A he reul, n lered nd more powerful formlim i indeed required. The lyou of hi ecion i follow. Fir, we formlly define he correlion beween edge exience nd exend he bic uncerin grph formlim o model uch propery (Secion 3.1). Nex, we how h modeling he correlion expnd he expreivene of bic uncerin grph, in he ene h here exi n exended uncerin grph h h no equivlen bic uncerin grph (Secion 3.2). Lly, we prove h exended uncerin grph cn model n rbirry ochic mpping, mking he wo of hem equivlen in erm of expreivene (Secion 3.3). 3.1 Forml definiion Define G = (V, E, X, p, q) where V = {V 1,..., V n} nd E = {E 1,..., E m} re he e of verice nd edge, X = {X 1,..., X r} he e of independen Boolen rndom vrible, p = (p 1,..., p r) (0, 1] r he probbiliy ignmen vecor of X, i.e. p i = P [X i] i he probbiliy h X i evlue o rue for i = 1,..., r, nd q he funcion h ocie ech edge E i E wih Boolen expreion of he rndom vrible in X for i = 1,..., m. The exience probbiliy of edge E i i he probbiliy h i ocied Boolen expreion evlue o rue, or P [E i exi] =

Figure 3: Top: ochic mpping f nd hree deerminiic grph wih non-zero probbiliie len bic uncerin grph repreenion. Define he b- equiv- no h grph uncerin exended hi h how ic uncerin grph G = (V, E, p) where V = (,, ), E = f(g1) = 0.5, f(g2) = 0.2, f(g3) = 0.3. Boom: n equivlen exended uncerin grph G of f genered uing he conrucion decribed in Secion 3.3. P[X 1 ]=0.5 G X 1 X 1 f(g 1 )=0.5 f(g 2 )=0.2 f(g 3 )=0.3 G 1 G 2 Figure 2: An exended uncerin grph nd i only wo poible world. Thi grph h no equivlen bic uncerin grph. (X 1 X 2 ) ㄱ X 3 P [q(e i)]. We refer o hi formlim he exended uncerin grph, in conr wih he bic uncerin grph G = (V, E, p) defined in Secion 2.2. An exmple of n exended uncerin grph i hown in Figure 2. When he conex i cler, we ue he erm uncerin grph o refer o boh bic nd exended uncerin grph (lhough heir probbiliy ignmen vecor hve lighly differen mening). Every bic uncerin grph G = (V, E, p) h n equivlen exended uncerin grph repreenion G = (V, E, X, p, q), which ue m rndom vrible nd q(e i) = X i for i = 1,..., m. The definiion of bic uncerin grph properie (Secion 2.3) nd mehod o eime he grph properie (Secion 2.4) pply o exended uncerin grph in imilr fhion. If we conider uncerin grph generive model of deerminiic grph, hen ech uncerin grph define mpping from he e of poible world o he uni inervl (0, 1]. Le Γ V denoe he e of ll deerminiic grph wih verex e V nd N = Γ V = 2 n(n 1) he ize of Γ V (i.e. we conider ll poible direced edge excep loop). Define mpping f : Γ V [0, 1] h ocie wih ech deerminiic grph G Γ V rel number w G,G beween 0 nd 1. If he mpping f ifie he condiion G Γ V f(g) = 1, hen we cll i ochic mpping 2. A ochic mpping i hen join probbiliy diribuion funcion over he pce of deerminiic grph whoe edge re ube of E. We expre { w G,G if G G f(g) = 0 if G Γ V \G (X 1 X 2 ) ㄱ X 3 ㄱ X 1 X 2 X 3 nd cll f he equivlen ochic mpping of G nd denoe h G f. Every uncerin grph h n equivlen ochic mpping nd wo uncerin grph re equivlen if hey hve he me ochic mpping. 3.2 Expreivene of bic uncerin grph In hi ubecion, we prove he following heorem: Theorem 3.1. Exended uncerin grph ricly expnd he expreivene of bic uncerin grph, i.e. here exi n exended uncerin grph h h no equivlen bic uncerin grph. Proof. We prove hi heorem by giving n exmple. Conider he exended uncerin grph G in Figure 2. I h only wo poible world G 1 nd G 2 wih w G1,G = 1 P [X 1] = 0.5 nd w G2,G = P [X 1] = 0.5. We will 2 in ochic vecor

for ny ochic mpping of Γ V, we cn conruc n exended uncerin grph whoe join edge exience probbiliy diribuion i ideniclly h of Γ V ochic mpping. Theorem 3.2. Every ochic mpping h n equivlen exended uncerin grph. Proof. Fix he e of verice V. Le f be ochic mpping defined over Γ V = {G 1,..., G N }. Define f (i) for i = 1,..., N he following mpping: f (i) (G j) = { f(gj ) ik=1 f(g k ) if 1 j i 0 if i < j N Wihou lo of generliy, ume f(g 1) > 0 o h every f (i) i well-defined nd moreover, i i vlid ochic mpping ince N j=1 f (i) (G j) = 1. Epecilly, f (N) f. We will how how o ierively conruc n equivlen exended uncerin grph G (i) of every f (i). The fir ep i o how n equivlen exended uncerin grph G (1) of f (1), ochic mpping h mp G 1 o 1 nd he re in Γ V o 0. Define he exended uncerin grph G (1) = (V, E, X (1), p (1), q (1) ) follow: V he e of verice nd E he e of ll n(n 1) edge, i.e. G = (V, E) i complee direced grph X (1) = {X 1} p (1) = (p 1) where p 1 = 1 (i.e. P [X 1] = p 1 = 1) q (1) work follow: E j E, if E j E(G 1) hen q (1) (E j) = X 1, ele q (1) (E j) = X 1 I cn be eily een h G (1) f (1). Aume we hve conruced G (i) = (V, E, X (i), p (i), q (i) ) where X (i) = {X 1,..., X i} nd p (i) = (p 1,..., p i) uch h G (i) f (i) for ome 1 i < N. If f(g i+1) = 0 hen f (i+1) f (i). Hence G (i+1) = G (i) i he equivlen exended uncerin grph of f (i+1). When f(g i+1) > 0, he equivlen exended uncerin grph G (i+1) = (V, E, X (i+1), p (i+1), q (i+1) ) of f (i+1) cn be conruced follow: V he e of verice nd E he e of ll n(n 1) edge X (i+1) = {X 1,..., X i, X i+1} where X i+1 i he newly inroduced rndom vrible p (i+1) = (p 1,..., p i, p i+1) where p i+1 = ij=1 f(g j ) i+1 j=1 f(g j ) q (i+1) work follow: E j E, if E j E(G i+1) hen q (i+1) (E j) = q (i) (E j) X i+1, ele q (i+1) (E j) = q (i) (E j) X i+1 The full proof of correcne of hi conrucion i no included in hi pper. The conrucion of G (i+1) work by cling down he edge exience probbiliie in G (i) by fcor of p i+1 before dding he new grph G i+1 wih probbiliy 1 p i+1 = 1 ij=1 f(g j ) = f(g i+1) i+1 j=1 f(g j ) i+1 j=1 f(g j ) = f (i+1) (G i+1). The l ep of he conrucion chieve hi by fir performing logic AND operion ( ) beween he Boolen expreion ocied wih every edge of G (i) nd he new rndom vrible X i+1, or formlly q (i+1) (E j) = q (i) (E j) X i+1. Then, for every edge of G (i) h pper in G i+1, we ddiionlly perform logic OR operion ( ) beween i ocied Boolen expreion nd X i+1. The purpoe of doing o i o force G (i+1) o genere G i+1 wih probbiliy 1 p i+1. Combining hee wo operion, he Boolen expreion ocied wih every edge of G (i+1) h pper in G i+1 i: q (i+1) (E j) = (q (i) (E j) X i+1) X i+1 = (q (i) (E j) X i+1) (X i+1 X i+1) = q (i) (E j) X i+1 Thi proce llow u o conruc n equivlen exended uncerin grph G (i) of f (i) for i = 1,..., N. A he reul, G = G (N) will be he equivlen exended uncerin grph of f ince f f (N) G (N). The conrucion oulined here require new rndom vrible for every deerminiic grph h h non-zero probbiliy in f. Therefore, he ol number of rndom vrible ued by he finl exended uncerin grph i r = {G i f(g i) > 0 for i = 1,..., N}. For exmple, he exended uncerin grph in Figure 3 only ue hree rndom vrible o model n equivlen ochic mpping in which only hree deerminiic grph hve non-zero probbiliie G 1, G 2, nd G 3. Afer he fir, econd, nd l ierion of he conrucion, he Boolen expreion ocied wih edge (, ) in G (1), G (2), nd G (3) re X 1, X 1 X 2, nd X 1 X 2 X 3, repecively. We noice h boh edge (, ) nd (, ) in G re ocied wih he me Boolen expreion (X 1 X 2) X 3. Thi i becue (, ) nd (, ) coexi in ll deerminiic grph h hve non-zero probbiliy in f. In generl, bic uncerin grph re no cpble of modeling uch behvior. The min impornce of hi reul i h our priculr mehod for exending uncerin grph, moived by priculr need o decribe correlion mong edge in n ck grph, i cpble of decribing ny join diribuion of edge exience probbiliie. Thi i n imporn foundionl reul in he heory of uncerin grph. 4. UNCERTAINTY ANALYSIS Unceriny nlyi ply n imporn role in undernding how unceriny in model inpu ffec i oupu. While elecion of vecor p give n expreion of unceriny, h expreion ielf i likely inexc. Thi i prly becue in mny ce, p cnno be direcly compued or meured nd hence ome form of eimion i required. When eimion i ued, he reuling eime uully come wih he form of men, which i p, nd i upper nd lower bound. Anlye of he uncerin grph herefore mu be pplied o p well i credible neighborhood o h robu concluion cn be mde [21]. Among he neighborhood of p, we re inereed in wo probbiliy ignmen vecor under which he model oupu, i.e. propery of he uncerin grph, cquire i mximum nd minimum vlue. Thoe exrem ell u how preciely we cn rrive he vlue of he propery in he fce of model inpu unceriny.

In hi pper, we focu on he rechbiliy propery of uncerin grph (fir inroduced in Secion 2.3). Rechbiliy h n inuiive inerpreion in he conex of ecuriy nd form he bi o he nwering of numerou ecuriyreled queion (Secion 5.2). Henceforh, when we lk bou unceriny nlyi we will implicily refer o he rechbiliy propery of uncerin grph. In he remining pr of hi ecion, we fir formlly define unceriny nlyi he problem of finding he exrem of he model oupu (Secion 4.1). Then, we how how o quickly idenify he exrem uing he monooniciy of rechbiliy of he cl of monoone uncerin grph (Secion 4.2). Remrk 1. I i imporn o noe h for he upplied edge exience probbiliy, we never ruly know he underlying probbiliy (if one exi) nd do no conider uch vlue in our model. Ined, he edge exience probbiliy i he numericl repreenion of our belief (nd he bound our confidence in he number), given he informion we hve colleced nd ubjeced o he umpion we hve mde. 4.1 Forml definiion Le G = (V, E, p) denoe bic uncerin grph nd R,(G) he probbiliy h reche in G. Define ɛ = (ɛ 1,..., ɛ m) [0, 1] m he perurbion vecor nd H p,ɛ he hyperrecngle 3 obined by perurbing ech enry p i in p by n moun of mo ɛ i, or formlly: H p,ɛ = {p [0, 1] m p i p i ɛ i i = 1,..., m} The men nd confidence inervl of eime decribed erlier cn be modeled uing he probbiliy ignmen nd perurbion vecor. Unceriny nlyi of uncerin grph (wih repec o he rechbiliy propery) im o find wo probbiliy ignmen vecor p min, p mx in he hyperrecngle H p,ɛ uch h he rechbiliy of he uncerin grph G reche i exrem, i.e: p min = rgmin R,(V, E, p ) (2) p H p,ɛ p mx = rgmx R,(V, E, p ) (3) p H p,ɛ Here we ue he noion R,(V, E, p ) o denoe R,(G) where G = (V, E, p ). Unceriny nlyi of exended uncerin grph i defined in imilr fhion. Serching for p min nd p mx in he hyperrecngle H p,ɛ prove o be nonrivil k. Pr of i come from he difficuly of eiming he rechbiliy of lrge uncerin grph. Forunely, he monooniciy propery of rechbiliy llow u o find p min nd p mx immediely wihou hving o formule Equion 2 nd 3 opimizion problem. The monooniciy of rechbiliy in he conex of deerminiic grph men (i) dding one or more edge o deerminiic grph doe no chnge i rechbiliy u (wih repec o ome ource nd deinion verex) from 1 o 0 nd vice verc, (ii) removing one or more from he grph doe no chnge i rechbiliy u from 0 o 1. The nex ubecion exend hi propery o he cl of monoone uncerin grph uncerin grph whoe edge re ocied wih monoone Boolen expreion nd he implicion regrding how o find p min nd p mx. 3 recngle generlized for higher dimenion X 1 X 1 X 2 X 2 b X 1 X 2 X 1 X 2 Figure 4: Two monoone uncerin grph nd heir equivlen ingle uncerin grph. 4.2 Unceriny nlyi of monoone uncerin grph An exended uncerin grph G = (V, E, X, p, q) where ech uncerin edge i ocied wih only one rndom vrible, i.e. q(e i) X for every uncerin edge E i E, i clled ingle uncerin grph. We fir r wih n obervion bou monoone nd ingle uncerin grph. Lemm 4.1. Every monoone uncerin grph h n equivlen ingle uncerin grph repreenion. Deil of he proof re omied o conerve pce. An exmple of monoone uncerin grph nd heir equivlen imple uncerin grph repreenion i given in Figure 4. Lemm 4.1 llow u o prove he following heorem bou he monooniciy of rechbiliy wih repec o monoone uncerin grph. Theorem 4.2. Le G = (V, E, X, p, q) nd G = (V, E, X, p, q) be wo monoone uncerin grph. Furhermore, le p i p i for i = 1,..., r. For ll, V, he following inequliy hold: R,(G) R,(G ). Proof. Wihou lo of generliy, ume G nd G re imple uncerin grph, i.e. q(e i) X for every uncerin edge E i E (oherwie, we cn ue lemm 4.1 o rnform hem ino imple uncerin grph). We fir prove pecil ce of heorem 4.2 in which G = (V, E, X, p, q) where p = (p 1, p 2,..., p r). Define E 1 E he e of ll edge ocied wih he rndom vrible X 1 nd ume E 1 (oherwie, redefine G nd G wihou X 1). Furhermore, define wo following uncerin grph: G 0 = (V, E\E 1, X, (p 2, p 3..., p r), q) G 1 = (V, E, X, (1, p 2,..., p r), q) In plin ex, ll poible world in G 1 conin ll edge in E 1 while none in G 0 conin ny. The rechbiliy of G nd G wih repec o ny, V cn be compued by condiioning on he rndom vrible X 1 follow: Hence: R,(G) = p 1R,(G 1 ) + (1 p 1)R,(G 0 ) R,(G ) = p 1R,(G 1 ) + (1 p 1)R,(G 0 ) R,(G) R,(G ) = (p 1 p 1) ( R,(G 1 ) R,(G 0 ) ) Since p 1 p 1, we only need o prove h R,(G 1 ) R,(G 0 ). For every poible world G 1 G 1, he four following properie hold: (i) G 1 conin ll edge in E 1, (ii) G 0, he reul of removing ll edge in E 1 from G 1, i poible world in G 0, (iii) moreover w G 1,G 1 = w G 0,G0, nd lly (iv) R,(G 1 ) R,(G 0 ) ccording o he monoonic-

iy of rechbiliy of deerminiic grph. Conequenly: w G 1,G 1R,(G1 ) w G 0,G 0R,(G0 ) w G 1,G 1R,(G1 ) w G 0,G 0R,(G0 ) G 1 G 1 G 0 G 0 R,(G 1 ) R,(G 0 ) Therefore, R,(G) R,(G ) for pecific ce in which G = (V, E, X, p, q) where p = (p 1, p 2,..., p r). Define G (i) = (V, E, X, p (i), q) where p (i) = (p 1,..., p i, p i+1,..., p r) for i = 1,..., r. Noe h G (0) = G nd G (r) = G. By chining he inequliie in he following fhion where ech hold pecific ce, R,(G) = R,(G (0) ) R,(G (1) )... R,(G (r 1) ) R,(G (r) ) = R,(G ), he heorem i proven. The nex reul immediely follow heorem 4.2: Corollry 4.2.1. Le G = (V, E, X, p, q) be monoone uncerin grph, ɛ [0, 1] r perurbion vecor uch h p i ɛ i 0 nd p i + ɛ i 1 for i = 1,..., r. We hve: p min = p ɛ nd p mx = p + ɛ. A he min reul of hi ecion, corollry 4.2.1 how u how o perform unceriny nlyi of monoone uncerin grph. The e of ll monoone uncerin grph conin ll bic uncerin grph bu ricly ubume he e of ll exended uncerin grph, one migh expec. If we ke he exended uncerin grph in Figure 2 nd chnge he boolen expreion ocied wih edge (, ) from X 1 o X 1, hen we obin grph h doe no hve n equivlen monoone uncerin grph repreenion. We believe h unceriny nlyi for exended uncerin grph in he generl ce cn be reduced o he Boolen ifibiliy problem, o i i NP-hrd wih repec o he number of rndom vrible X i uch h boh X i nd i negion X i pper in q. No urpriingly, hi i uully he price we hve o py for exending he expreivene of modeling formlim. However, ince he NOT logic operor i no required in he modeling exmple in Secion 5 nd 6, unceriny nlyi cn be performed efficienly in boh ce. Remrk 2. Incorporing unceriny ino he model inpu i one righ ep owrd producing more ruworhy nlye. However, lrge moun of unceriny in he model inpu will likely produce lrge moun of unceriny in he model oupu. Alhough unceriny nlyi help u qunify hi relion, i doe no ell excly wh pr of he inpu unceriny ribue he mo o he oupu. Thi informion i crucil o modeler who deire o drw more robu concluion bou he yem nd who wn o know he be plce o pend on reducing unceriny (by collecing more informion, dding more deil ino he model, ec.) When hi i he ce, differen bu cloely reled form of nlyi clled eniiviy nlyi hould be conidered. 5. CASE 1: STUXNET PARTIAL ATTACK GRAPH In he fir modeling exmple, we how how o ue n uncerin grph o model pril ck grph of he Suxne worm (Figure 5), he cyberwepon h boged he Irnin nucler progrm in 2009. Figure 5: Suxne pril ck grph (figure doped from [5]) 5.1 Modeling pproch Convering he Suxne pril ck grph (denoed G Sux) o n uncerin grph (denoed G Sux) i relively righforwrd. G Sux ue he me e of verice of G Sux. Ech rndom vrible of G Sux repreen unique edge lbel of G Sux. Muliple edge of G Sux h hre he me ring nd ending verex rnle ino ingle edge of G Sux. Ech edge of G Sux (e.g. (Conrcor, Lpop)) i ocied wih dijuncion of rndom vrible (e.g. X S7 X USB) where ech vrible repreen n edge lbel of G Sux (i.e. X S7 denoe he rik ocied wih S7 Projec File nd X USB Infeced USB Drive ). The remining k i o come up wih numericl vlue for he probbiliy ignmen vecor of G Sux. Thoe number, which my include boh he men nd heir bound, cn be obined fer performing full ecuriy udiing of he yem.

5.2 Securiy nlyi The reuling uncerin grph G Sux nd he nlye in previou ecion llow n nly o nwer he following ecuriy-reled queion: 1. Wh i he probbiliy R,(G Sux) h here exi ph from he ouide of he yem o rgeed induril proce? 2. To wh exend hould I ru he compued probbiliy R,(G Sux), or in oher word how precie i i ubjeced o perurbion of model inpu? 3. If ome form of nework hrdening i pplied o he yem nd he probbiliy ignmen vecor re-eimed, will R,(G Sux) be reduced nd if o, by how much? 4. Ined of performing nework hrdening, I wn o deploy n inruion deecion yem (IDS) o deec ongoing ck. Aume I chooe o monior pecific e of ho, wh i he chnce h I mi n ck? 5. Wh hould I do if he oucome of he nlyi i no precie enough o drw concluion? Queion 1 nd 3 k bou he rechbiliy of he uncerin grph which i eimed by men of mpling hown in Secion 2.4. If he ize of he grph i relively mll, hen rechbiliy cn be direcly compued uing Equion 1. Unceriny nlyi in Secion 4 nwer Queion 2 ince G Sux i monoone. Queion 4 cn be rephred ino he problem of eiming rechbiliy of uncerin grph: if I remove he e of verice h correpond o he e of moniored ho (ogeher wih ll edge h connec o nd from hoe verice), wh i he probbiliy h remin rechble from? Queion 5 i likely o rie in prcice nd uully indice h he given moun of informion i no ufficien o reon bou he ecuriy poure of he yem (refer o Remrk 2 he end of Secion 4). 6. CASE 2: NETWORK SECURITY WITH SERVICE UNCERTAINTY In he econd modeling exmple, we how how o ue uncerin grph o model compuer nework wih incomplee informion bou he nework ervice, or ervice unceriny. We fir inroduce he udied nework nd ome bic neworking concep (Secion 6.1). Then we define he hre model (Secion 6.2) nd propoe n pproch o model ervice unceriny uing uncerin grph (Secion 6.3). We conclude he ecion wih noe on how he probbiliy ignmen vecor cn be eimed uing vilble informion obined from he common vulnerbiliy dbe. 6.1 Nework model Figure 6 how imple enerprie nework coniing of 3 firewll nd 8 ho. The firewll rule regule he communicion rffic in he nework nd define which ho cn direcly lk o he oher. For exmple, he 5-uple rule <6,0,1,*,80> of firewll 1 llow ll TCP rffic (proocol ype 6) from ny por on ho 0 o por 80 on ho 1. The deny-by-deful policy i pplied o ll firewll. A reul, firewll 1 block ll TCP rffic from ny por on ho 0 o por 25 on ho 1.The given enerprie nework nd he Ho 0 Firewll 1 <6,0,1,*,80> <6,0,2,*,21> Ho 3 Ho 1 Firewll 2 <6,7,6,*,21> <6,3,7,*,25> Ho 4 Ho 7 Ho 2 Firewll 3 <6,4,5,*,22> <6,7,6,*,21> Ho 5 Ho 6 Figure 6: An enerprie nework wih 3 firewll nd 8 ho (exmple doped from [28], lighly modified for illurion purpoe.) 0 <80> <21> 1 2 4 <25> 3 7 <22> 5 <21> Figure 7: Flow grph repreenion of he enerprie nework in Figure 6. Lbel <80> on flow from verex 0 o verex 1 i hor for <6:0-65535:80-80>. Flow wihou lbel llow ny rffic. firewll rulee effecively define flow grph of logiclly conneced ho (Figure 7). The flow grph i direced grph where ech verex repreen ho in he enerprie nework nd ech direced edge flow, i.e. logicl connecion. For exmple, he direced edge from verex 0 o verex 1 wih he lbel <80> in Figure 7 repreen 3-uple flow <6:0-65535:80-80> (i.e. he proocol, he ource nd deinion por). There cn be more hn one flow from one ho o noher nd in h ce, he flow grph i direced muligrph. The flow grph i generl decripion of he ype of rffic llowed beween ho in he nework. Knowing h flow <6:0-65535:80-80> from ho 0 o ho 1 exi, we cn mke n educed gue h ho 1 run ome form of n hp ervice. For he purpoe of ecuriy modeling nd nlyi, we re lo inereed in knowing he verion nd configurion deil of he ervice. Wihou uch informion, he exience of flow doe no necerily imply h n cker cn uilize i link in hi epping-one ck equence (in fc, he flow migh exi while i correponding ervice i no running ll). Securiy modeling nd nlyi under unqunified inpu unceriny will no produce ny ignificn reul ince ny oucome i eqully likely. However, if we re llowed o mke furher umpion, which re vlid one, hen he ervice unceriny in flow grph cn be grely reduced nd reonbly eimed uing ugmened informion from he public domin. 6.2 Thre model 6

0 1 2 X 1,80 X 2,21 1 X 1,!80 2 1 b X 2,!21 2 b 3 4 X 7,25 X 3 X 4 3 4 7 X 5,22 6 5 X 6,21 6 X 6,!21 5 X 5,!22 5b Figure 8: Bic uncerin grph repreenion of he flow grph in Figure 7. We ume he cker h lredy gined cce o ho 0. Hi ulime gol i o gin cce o ho 6, which i criicl e in he yem. To implify he dicuion, we mke ome furher umpion: The cker only exploi vulnerbiliy of nework ervice running on he receiving ho of flow. A reul, if no flow from ho 0 o ho 1 i llowed or ho 1 doe no run ny vulnerble ervice, hen he cker cnno lunch direc ck from ho 0 o ho 1. The flow grph remin unchnged hroughou he ck period, mening he cker doe no emp o ck he firewll nd modify he rulee o enble new flow. Locl ck like privilege eclion re no modeled; we ume he cker cquire he highe cce level fer compromiing mchine. 6.3 Modeling pproch Define X 1,80 nd X 1,!80 he rndom vrible h denoe if ho 1 run vulnerble ervice on por 80 nd on ome oher por h i no 80. The flow grph in Figure 7 indice he correlion beween exploibiliy of flow in he following ene. If ho 1 run vulnerble hp ervice on por 80, or X 1,80 = rue, hen n cker on eiher ho 0 or 2 cn ue he exiing flow o ck ho 1. In conr, if ho 1 doe no run ny vulnerble hp ervice on por 80, or X 1,80 = fle, he cker cnno ck ho 1 from ho 0. However, he migh be ble o do o from ho 2, given h ho 1 run vulnerble ervice on ome oher por, i.e. X 1,!80 = rue. If we conver he flow grph o n exended uncerin grph wih he me e of verice nd edge, hen uch propery cn be modeled by ociing edge (0, 1) wih X 1,80 nd edge (2, 1) wih X 1,80 X 1,!80. Repeing hi proce o oher edge nd verice, we cn build n exended uncerin grph h fihfully model he ervice unceriny nd he correlion beween edge exience of he flow grph in Figure 7. In hi modeling exmple, uch n exended uncerin grph cn be furher reduced o n equivlen bic uncerin grph (Figure 8) uing imple grph rnformion rick, which conin rnformion rifc like cerin edge, or edge h exi wih probbiliy one (olid rrow), nd exr verice (bold circle). In he l pr he ecion, we briefly dicu how o eime he probbiliy ignmen vecor for he conruced bic uncerin grph. The ecuriy nly my ume (or he my lern o from he yem dminiror) h wih no excepion, ll nework ervice run on ndrd nework por, i.e. hp ervice on por 80, fp ervice on por 21, mp ervice on por 25, nd o on. The problem of ervice unceriny ill peri bu he unceriny i now grely reduced. Th i becue he nly know h, e.g, n cker cn go direcly from ho 0 o ho 1 only if ho 1 run vulnerble hp ervice. For ech hp implemenion h, he nly erche in ll common vulnerbiliy dbe (e.g. he Nionl Vulnerbiliy Dbe 4 ) for ome vulnerbiliy of h h llow n cker o compromie he hoing mchine. Denoe v(h) = 1 if he nly find ome vulnerbiliy of h nd v(h) = 0 oherwie. The probbiliy igned o X 1,80 i: ( ) P [X 1,80] = w h v(h) / w h (4) h h where w h i he relive weigh igned o implemenion h (if no furher informion i given, ll implemenion crry he me weigh). The nly migh ume ll ho hre he deful probbiliy p def of running ome vulnerble nework ervice (gin, if no furher informion i given). The probbiliy igned o X 1,80 nd X 1,!80 nd p def re reled ccording o he following equion: p def = 1 (1 P [X 1,80])(1 P [X 1,!80 ]) Therefore P [X 1,!80 ] cn lo be eimed. Thi proce pplie o he remining rndom vrible in imilr fhion. Numericl reul of he nlye re no repored in hi pper nd will be ignificn opic in follow-up work, in which we udy lrger nd more reliic yem. 7. RELATED WORK 7.1 Uncerin grph Uncerin grph, lo known probbiliic grph, hve been pplied o modeling of problem from vriou domin like inercion beween proein uing noiy nd error-prone experimenl d [2], eniy reoluion for inexc mchine lerned model [26], opiml rechbiliy in inermienly conneced nework wih known rouing lgorihm [8], ph querie on rod nework wih unexpeced rffic jm [9], nd mny oher. The power of uncerin grph come from i cpbiliy of modeling yem wih unceriny, wheher due o lck of knowledge bou cerin pr of he yem [8] [9] or o noiy model d [2], [26]. Reoning wih uncerin grph i chllenging ince mo problem in uncerin grph re compuionlly hrd. For exmple, couning he number of poible world of n uncerin grph in which verex reche verex i #P-complee (ST-CONNECTEDNESS [25]). [19] derived mpling-bed pproximion lgorihm for he k-nere neighbor problem of uncerin grph. [10] formuled he dince-conrin rechbiliy (DCR) problem nd inroduced efficien recurive mpling cheme o eime DCR of lrge uncerin grph. [12] udied relibiliy erch problem of uncerin grph, i.e. finding ll verice rechble from ome query 4 hp://nvd.ni.gov/

verice wih probbiliy no le hn given hrehold, uing RQ-ree. Recenly, [13] propoed recurive rified mpling-bed eimor o reduce he vrince of ndrd Mone-Crlo pproch in eiming uncerin grph properie. 7.2 Ack grph Trdiionlly, red em hve conruced ck grph o repreen ph h n cker my ue o compromie he ecuriy of yem [22]. Due o he mnul nure of he conrucion of uch ck grph, hey re prone o error nd ofen no exhuive. Auomed ck grph generion uing model checking w inroduced by Richey nd Ammnn [20]. The model check, however, provided ju ingle ck cenrio. Sheyner e l [23] ue model checking on heerogeneou nework o provide n exhuive li of ck cenrio. A more clble oluion for lrger nework h been propoed in [17]. Anoher opimizion uing he monooniciy propery h been propoed by Ammnn e l [1]. Anoher reled pec i he proce of rechbliy nlyi. Rechbiliy nlyi of nework inveige he condiion under which rge ho cn be reched by n cking ho. Nework cnner [15] nd vulnerbiliy dicovery ool [6] cn be leverged o derive he configurion of he rge nework. Work in [27] nd [29] ue Byein nework o cpure he unceriny of informion in ck grph. However we believe h he cyclic nure of Byein nework limi i biliy o model he poible cyclic relionhip h rie in mny prcicl iuion. 8. CONCLUSION In hi pper, we how how o ue uncerin grph for he ecuriy modeling nd nlyi of compuer yem wih unceriny. In doing o, we hve exended he rdiionl uncerin grph formlim o model he correlion beween edge exience nd prove heoreicl reul bou he expreivene of bic nd exended uncerin grph. We lo how how o perform unceriny nlyi of monoone uncerin grph. Modeling-wie, he developed exmple erve ring poin for king on lrger nd more complex yem. In uch yem, unceriny rie from modeling differen lyer of brcion nd from he preence of humn-in-he-loop. Regrding he ler one, uncerin grph cn ue exiing humn-reled model o plug hole in he overll ck grph nd model he probbiliy h phihing cmpign ucceed or he probbiliy h power grid operor plug in he USB ick he received he conference. Anlyi-wie, we re lo inereed in formuling nd olving opimizion problem o find he be defene cion, which minimize he probbiliy of ucceful ck, given limied budge. Thoe pec will be explored in ubequen udie. Acknowledgemen Thi meril i bed upon work uppored by he Deprmen of Energy under Awrd Number DE-OE0000780 nd by he Mrylnd Procuremen Office under Conrc No. H98230-14-C-0141. The view nd opinion of uhor expreed herein do no necerily e or reflec hoe of he Unied Se Governmen or ny gency hereof. 9. REFERENCES [1] Ammnn, P., Wijeeker, D., nd Kuhik, S. Sclble, grph-bed nework vulnerbiliy nlyi. In Proceeding of he 9h ACM Conference on Compuer nd Communicion Securiy (2002), ACM, pp. 217 224. [2] Ahn, S., King, O. D., Gibbon, F. D., nd Roh, F. P. Predicing proein complex memberhip uing probbiliic nework relibiliy. Genome Re. (2004). [3] Bier, C., nd Koen, J.-P. Principle of Model Checking (Repreenion nd Mind Serie). The MIT Pre, 2008. [4] Blum, A., Burch, C., nd Lngford, J. On lerning monoone Boolen funcion. In Proceeding 39h Annul Sympoium on Foundion of Compuer Science (Nov 1998), pp. 408 415. [5] Byre, E. Suxne Repor V: Securiy Culure Need Work. hp://www.iource.com/ uxne-repor-v-ecuriy-culure-need-work/, 2011. [6] Developer, O. The Open Vulnerbiliy Aemen Syem (OpenVAS), 2012. [7] Fihmn, G. S. A Comprion of Four Mone Crlo Mehod for Eiming he Probbiliy of - Connecedne. IEEE Trncion on Relibiliy 35, 2 (June 1986), 145 155. [8] Ghoh, J., Ngo, H. Q., Yoon, S., nd Qio, C. On Rouing Problem Wihin Probbiliic Grph nd i Applicion o Inermienly Conneced Nework. In IEEE INFOCOM 2007-26h IEEE Inernionl Conference on Compuer Communicion (My 2007), pp. 1721 1729. [9] Hu, M., nd Pei, J. Probbiliic Ph Querie in Rod Nework: Trffic Unceriny Awre Ph Selecion. In Proceeding of he 13h Inernionl Conference on Exending Dbe Technology (New York, NY, USA, 2010), EDBT 10, ACM, pp. 347 358. [10] Jin, R., Liu, L., Ding, B., nd Wng, H. Dince-conrin Rechbiliy Compuion in Uncerin Grph. Proc. VLDB Endow. 4, 9 (June 2011), 551 562. [11] Kynr, K. A xonomy for ck grph generion nd uge in nework ecuriy. Journl of Informion Securiy nd Applicion (2016). [12] Khn, A., Bonchi, F., Gioni, A., nd Gullo, F. F Relibiliy Serch in Uncerin Grph. In Proceeding of he 17h Inernionl Conference on Exending Dbe Technology, EDBT 2014, Ahen, Greece, Mrch 24-28, 2014. (2014), pp. 535 546. [13] Li, R.-H., Yu, J. X., Mo, R., nd Jin, T. Recurive Srified Smpling: A New Frmework for Query Evluion on Uncerin Grph. IEEE Trn. on Knowl. nd D Eng. 28, 2 (Feb. 2016), 468 482. [14] Lippmnn, R. P., nd Ingol, K. W. An nnoed review of p pper on ck grph. Tech. rep., DTIC Documen, 2005. [15] Lyon, G. F. Nmp nework cnning: The officil Nmp projec guide o nework dicovery nd ecuriy cnning. Inecure, 2009. [16] McDermo, J. P. Ack ne penerion eing. In Proceeding of he 2000 workhop on New ecuriy prdigm (2001), ACM, pp. 15 21.

[17] Ou, X., Boyer, W. F., nd McQueen, M. A. A clble pproch o ck grph generion. In Proceeding of he 13h ACM conference on Compuer nd communicion ecuriy (2006), ACM, pp. 336 345. [18] Ou, X., nd Singhl, A. Quniive Securiy Rik Aemen of Enerprie Nework. SpringerBrief in Compuer Science. Springer-Verlg New York, 2012. [19] Pomi, M., Bonchi, F., Gioni, A., nd Kollio, G. K-nere Neighbor in Uncerin Grph. Proc. VLDB Endow. 3, 1-2 (Sep. 2010). [20] Richey, R. W., nd Ammnn, P. Uing Model Checking o Anlyze Nework Vulnerbiliie. In Proceeding of he 2000 IEEE Sympoium on Securiy nd Privcy (2000), SP 00, IEEE Compuer Sociey. [21] Slelli, A., Ro, M., Trnol, S., nd Cmpolongo, F. Seniiviy nlyi prcice: Sregie for model-bed inference. Relibiliy Engineering & Syem Sfey 91, 10-11 (2006), 1109 1125. [22] Schneier, B. Ack ree. Dr. Dobb journl 24, 12 (1999), 21 29. [23] Sheyner, O., Hine, J., Jh, S., Lippmnn, R., nd Wing, J. M. Auomed generion nd nlyi of ck grph. In Securiy nd privcy, 2002. Proceeding. 2002 IEEE Sympoium on (2002). [24] Sheyner, O. M. Scenrio grph nd ck grph. PhD hei, US Air Force Reerch Lborory, 2004. [25] Vlin, L. G. The Complexiy of Enumerion nd Relibiliy Problem. SIAM Journl on Compuing 8, 3 (1979), 410 421. [26] Vedpun, N., Bellre, K., nd Dlvi, N. Crowdourcing Algorihm for Eniy Reoluion. Proc. VLDB Endow. 7, 12 (Aug. 2014), 1071 1082. [27] Wng, L., Ilm, T., Long, T., Singhl, A., nd Jjodi, S. An Ack Grph-Bed Probbiliic Securiy Meric. In Proceeeding of he 22Nd Annul IFIP WG 11.3 Working Conference on D nd Applicion Securiy (Berlin, Heidelberg, 2008), Springer-Verlg, pp. 283 296. [28] Wng, L., Jjodi, S., Singhl, A., Cheng, P., nd Noel, S. k-zero Dy Sfey: A Nework Securiy Meric for Meuring he Rik of Unknown Vulnerbiliie. IEEE Trncion on Dependble nd Secure Compuing 11, 1 (Jn 2014), 30 44. [29] Xie, P., Li, J. H., Ou, X., Liu, P., nd Levy, R. Uing Byein nework for cyber ecuriy nlyi. In 2010 IEEE/IFIP Inernionl Conference on Dependble Syem Nework (DSN) (June 2010), pp. 211 220.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback