research article using a prediction model to manage cyber

Research ArticleUsing a Prediction Model to Manage Cyber Security Threats

Venkatesh Jaganathan, Priyesh Cherurveettil, and Premapriya Muthu Sivashanmugam

Department of Management Studies, Anna University Regional Centre Coimbatore, Jothipuram Post, Coimbatore,Tamilnadu 641 047, India

Correspondence should be addressed to Priyesh Cherurveettil; [email protected]

Received 12 September 2014; Revised 14 December 2014; Accepted 25 December 2014

Academic Editor: Aneel Rahim

Copyright © 2015 Venkatesh Jaganathan et al. This is an open access article distributed under the Creative Commons AttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properlycited.

Cyber-attacks are an important issue faced by all organizations. Securing information systems is critical. Organizations should beable to understand the ecosystem and predict attacks. Predicting attacks quantitatively should be part of risk management. Thecost impact due to worms, viruses, or other malicious software is significant. This paper proposes a mathematical model to predictthe impact of an attack based on significant factors that influence cyber security. This model also considers the environmentalinformation required. It is generalized and can be customized to the needs of the individual organization.

1. Introduction

The digital assets of an organization are prone to attackany time. With threats gathering new dimensions, organi-zations should be able to objectively evaluate the risks ofexisting and new software applications. Based on this riskevaluation, sufficient resources can be allocated to mitigatecyber security risks. Quantitatively predicting proneness toattack can help organizations counter attack occurrences.TheCommon Vulnerability Scoring System (CVSS) is a standardframework used by many organizations. It communicatesthe characteristics and impacts of IT vulnerabilities. Thisframework has three groups, namely, Base, Temporal, andEnvironmental. The base group highlights the qualities ofvulnerability that are unchanged over time and user.The tem-poral group covers the characteristics of vulnerability overtime and the environmental group highlights the specific userenvironment. The CVSS helps establish a common languagein the IT community. This paper proposes a mathematicalmodel for predicting the impact of an attack based on thesignificant factors that influence cyber security. These factorsare arrived at by considering several historical data points andmathematically verifying their significance to the impact andcharacteristics of attacks.

2. Related WorkSheyner et al., Wang et al., and Kuhl et al. [1–3] highlightedthat security analysis is based on attack graph generation and

simulation. The focus of their work was on attack generationtools. This paper proposes establishing the quantitative rela-tionship between the attack impact and the attack parameters.Tittel [4] explains about Unified Threat Management andwhy it is important to address it in his paper. Wu et al. [5]established a prediction model based on integrating envi-ronmental factors and attack graphs in a Bayesian network.They found that environmental information is importantfor accurate safety evaluations. This paper proposes mathe-matically proving that environmental information influencesthe characteristics and impacts of an attack. Anusha et al.[6] studied various models like unimodel and multimodelfor enhanced security. They discussed about authenticationat the beginning of the exam and the user system checks.Axelrad et al. [7] introduced a Bayesian network modelfor the motivation and psychology of the malicious insider.Khan and Hussain [8] established relationships betweenattack probability and vulnerability. However, the collectiveinfluence of attack environment factors on the attack was notrevealed. Moore et al. [9] described a modeling and simula-tion foundation, based on the system dynamics methodologyto test the efficacy of insider threat detection controls. Thepaper discusses risk management and early detection of risksbased on insider threat.

The three impact metrics in the CVSS measure howvulnerability is assessed and how it impacts on an IT asset.These three metrics are Access Vector, Access Complexity,

Hindawi Publishing Corporatione Scientific World JournalVolume 2015, Article ID 703713, 5 pageshttp://dx.doi.org/10.1155/2015/703713

2 The Scientific World Journal

and Authentication. It is also important to understand howvulnerability affects the integrity, confidentiality, and avail-ability of these parameters. Cyber security metrics can bebroadly classified into two based on the source of measure-ment. Several measurements are possible from the malicioususer/group end. Some measurements are also possible fromthe host/victim end. From the side of a malicious user[10], the Intensity, Stealth and Time of attack are possiblemeasurements. Further, the technical and cyber knowledgeof personnel are relative measurements from the malicioususer/group end. Measurements that are possible from thehost end include the Vulnerabilities present in the tool, whichare detectable through tools such as Nessus and X-Force,the Traffic to a particular application over a period of time,the Power of the protection tools installed at the targetsystem, and the Value of the assets present in the network.From these two classifications, to build a prediction model,the measurement taken from the host end is used, whereasnone of the malicious user/group end measurements isconsidered. With the increasing dimensions of attack nature,it is not possible to accurately calculate these measurements.Moreover, such measurements from the malicious user endare of little use if the attack possibilities need to be controlledby organizations hosting the target applications.

3. Prediction Model

Prediction models can be developed to predict differentproject outcomes and interim outcomes by using statisti-cal techniques. A process performance model adopts theconcepts of probability. This can also be explored furtherby building simulations. Output can be studied as a range.Depending on the predictions, midcourse corrections can berecommended. The model can be simulated to predict finaloutcomes based on the corrections suggested. It is thus aproactive model that helps the technical analyst to analyzethe data and predict outcomes. Analysts can change the dataand perform what-if analyses. They can then record theseinstances and decide on the best option. The model helpsanalysts decide which lever to adjust to meet the final projectgoal.

In the current system, the focus of fixing vulnerabilitiesis not based on the potential impact of the vulnerability.Further, more than adequate importance is given to fixingall the vulnerabilities or too little importance due to timeand cost constraints. A proactive risk assessment prior to therelease of the IT application is not available.The impact of anyvulnerability is identified by using the CVSS calculator, onlyafter analyzing how the attack took place.

In the proposedmodel, whichwas also piloted in a sampleproject organization, the potential impact of the vulnerabilityis predicted well before the IT application is released forusage. With this impact information, adequate cost andresources can be allocated to resolving vulnerabilities, therebyreducing the impact.

The multiple regression method is chosen to predict theimpact of attacks in this proposal. Multiple regressions havecertain underlying assumptions such as linearity, the nonex-istence of multicollinearity, homoscedasticity, and normality.

Each of these assumptions is validated for our attempt toestablish the relationship between the impact of attack andthe influencing factors. Based on the research above, factorsthat can influence the impact of an attack were identified,namely, Level of security protection on the target system,Usage or traffic in the identified network, Vulnerabilitiespresent in the target system, and Value of assets present inthe network. Oluwatosin and Samson [11] highlighted thechallenges of existing computer applications that need to beconsidered from a security perspective.

Shar et al. [12] predicted vulnerabilities with featuresrelated to dataflow. Khan and Hussain [8] stated that itis safe to assume that all these factors have individuallinear relationships with the probability of attack. A similarrelationship is seen from the scatterplot of the impact ofan attack and the environmental factors considered. Thissatisfies the first condition for using the multiple regressiontechnique for our prediction model.

Multicollinearity and homoscedasticity are verifiedthrough the variance inflation factor (VIF). Normalityis tested by performing the Anderson–Darling Test. Inaddition, a hypothesis test is run individually for each ofthe attack factors to ensure that the probability that thefactor does not influence the independent factor is keptto a maximum of only 0.05. The coefficient of correlation(𝑅2) and adjusted coefficient of correlation (Adj. 𝑅2) aremaintained close to each other. This is sufficient to provethat among the many factors that can cause an attack, theselected factors predict the impact of an attack with the bestpossible accuracy. That is, the number of factors, beyond acertain point, becomes immaterial.

The operational definition of cyber security metricsconsidered is mentioned below.

(1) 𝑌 is theOverall CVSS Score, the dependent factor.TheCVSS [13, 14] is predicted based on the environmentand system characteristics of the target application.

(2) 𝑋1 is the number of vulnerabilities, namely, the totalnumber of vulnerabilities detected by the static anddynamic vulnerability detection tools for the targetapplication. The tools installed and run against thetarget application can identify several vulnerabilitiesbased on algorithms such as but not limited toimproved tainted algorithms or penetration testing.In a given application, the vulnerabilities reported bythe tools can be broadly classified into 23 categories:API Abuse, Authentication Vulnerability, Authoriza-tion Vulnerability, Availability Vulnerability, CodePermission Vulnerability, Code Quality Vulnerabil-ity [15], Configuration Vulnerability, CryptographicVulnerability, EncodingVulnerability, EnvironmentalVulnerability, Error Handling Vulnerability, GeneralLogic Error Vulnerability, Input Validation Vulnera-bility, Logging and Auditing Vulnerability, PasswordManagement Vulnerability, Path Vulnerability, Pro-tocol Errors, Range and Type Error Vulnerability,Sensitive Data Protection Vulnerability [16], Ses-sionManagement Vulnerability, Synchronization and

The Scientific World Journal 3

Table 1: Project data points.

𝑌 𝑋1 𝑋2

CVSS Score Vulnerability Network Traffic2.1 20 3245.3 53 6231.0 15 2358.0 85 9322.9 28 4383.0 25 4983.8 38 3911.0 18 1321.2 16 1775.9 63 8234.3 39 5792.8 30 4551.1 14 2314.2 35 7255.4 51 7401.9 21 3452.0 25 4324.1 37 4676.2 58 8451.1 15 1112.3 22 1911.2 16 1822.8 30 2926.9 68 9524.8 55 600

Timing Vulnerability, UnsafeMobile Code andUse ofDangerous API [17].

(3) 𝑋2 is the Average Input Network Traffic recorded forthe application during the week of the attack in KBPS.

Table 1 highlights the data points for each metric during allinstances of an attack. In total, 25 such attack history datafrom a project are shown in Table 1. The data points from theCVSS calculator were recorded for every attack encountered.Output from the vulnerability tool was recorded for thetarget application. For the specified week range of the attack,network traffic was also recorded. The data from these threesources were tabulated every time an attack was encountered,as shown in Table 1. We also ensured that respective datapoints were taken from the same sample. The sample defini-tions were defined by the technical analyst. In this regressionmodel, CVSS score (𝑌) was predicted by using the two 𝑋variables, vulnerability and network traffic.

The null hypothesis considered is that𝑋1 and𝑋2 have noinfluence over 𝑌. In other words, vulnerability and networktraffic have no influence over CVSS score. No mirror patterncan be found in the residual plot in Figure 1 and henceno heteroscedasticity is found. The normal probability plotshown in Figure 2 is approximately linear. From the figure,it is clear that the normality assumption for the errors hasnot been violated. With regard to the 𝑃 value, since it is 0.02

−0.6

−0.4

−0.2

0

0.2

0.4

0.6

0.8

0 1 2 3 4 5 6 7 8 9

Resid

ual

Figure 1: Residual plot.

−3

−2

−1

0

1

2

3

−1 −0.5 0 0.5 1

Corr

espo

ndin

g no

rmal

Z

Residual

Figure 2: Normal probability plot.

Table 2: Regression equation.

Intercept Vulnerability Network Traffic−0.2983 0.07174 0.0025

(<0.05), the null hypothesis is not valid, which means thevariables selected have an impact on CVSS score.

As shown in Table 2, vulnerability has a positive influ-ence on CVSS score. As vulnerability increases, CVSS scoreincreases and hence the impact on IT assets is high. Theinfluence of network traffic on CVSS is positive. This meansthat when network traffic is high, the impact of vulnerabilitiesis high and CVSS score is high.Thus, CVSS score is impactedpositively both by vulnerability and by network traffic:

Predicted CVSS Score

= −0.2893 + 0.07174 ∗Number of vulnerabilities

on the IT application reported by tools

+ 0.0025 ∗ Proposed average input network traffic

for the application for a week measured in KBPS.(1)

As shown in Table 3, 𝑏 is the coefficient that gives the leastsquares estimates, while 𝑠(𝑏) gives the standard errors of theleast squares estimates for the 𝑥 variables and 𝑡 gives the com-puted 𝑡-statistic.This is the coefficient divided by the standard

4 The Scientific World Journal

Table 3: Multiple regression results.

Intercept Vulnerability Network Traffic𝑏 −0.296 0.0706 0.002𝑠(𝑏) 0.121 0.007 0.0005𝑡 −2.442 9.359 4.545𝑃 0.0231 0.0000 0.0002

Table 4: ANOVA table.

Source SS Df MS 𝐹 𝑃

Regression. 96.22 2 48.15 597 0.000Error 1.77 22 0.080Total 98 24

error.The𝑃 value gives the𝑃 value for the hypothesis test.TheVIF quantifies the severity of multicollinearity in an ordinaryleast squares regression analysis.The VIF for the given data is6.41.

As shown in Table 4, SS is the sum of squares due tothe regression. This measure of total variation in 𝑌 can beexplained by the regression with the 𝑋 variable. Df is thedegrees of freedom. MS is the mean square, which is a mea-sure of the sum of squares divided by the degrees of freedom.Mean square regression (MSR) andmean square error (MSE)are the two variables that define 𝐹: 𝐹 = MSR/MSE. The 𝐹-statistic is used to test whether the 𝑌 and 𝑋 variables arerelated.

For the given data, MSR is 48 and MSE is 0.08. The 𝐹-statistic determines that the 𝑃 value is zero. This confirmsthe existence of a linear relationship between CVSS andthe two variables, network traffic and vulnerabilities. 𝑅2provides information about the goodness of fit of a model. Inthe regression equation, the 𝑅2 coefficient of determinationdetermines howwell the regression line approximates the realdata points. Adjusted𝑅2 is a modified version that adjusts thenumber of predictors in the model. For the given data, 𝑅2 is0.9819 and adjusted 𝑅2 is 0.9803.

The data prove that overall CVSS score is influencedby vulnerabilities in the network and network traffic. Theinfrastructure team in the organization shares the baselinedata for these variables on a regular basis with the qualityteam. For each network process, based on the network typeand applications hosted, a logical grouping can be consideredand organization values can be baselined. Technical analystscan then refer to these baseline organizational data when theystart the network design process. As part of the process, theycan also use these reference values to determine the upperand lower specification limits. These values will be availablefor each of the subprocess parameters. The technical analystcan then determine and analyze which vulnerabilities need tobe controlled and select threshold values based on that.

Based on the selected threshold values, what-if analysisis performed. Going by the different scenarios, vulnerabilityandnetwork traffic values are assumed andprovided as inputsto the model. The predicted outcome is then compared withthe thresholds. It is important to note that while changing

the parameters, technical analysts should understand thepractical implications of the project. It is not only aboutthe mathematical model, but about how it can be put intopractice. For example, if CVSS score is high, how can it bereduced? How can vulnerabilities be reduced during design?Cost implications need to be considered. Then, the technicalanalyst has to look at the environmental constraints. Asthe prediction model considers the key influencing factorsto predict the CVSS, the influencing factor values mightaffect the project schedule and project cost, which needto be analyzed as well. These forecasts serve as alertsthat it should take action to mitigate the threat of cyber-attacks.

Predicting CVSS scores helps prioritize vulnerabilitiesand remediate those with high risks. CVSS scores are sharedby software application vendors with their customers. Thishelps customers understand the severity of vulnerabilitiesand allows them to effectively manage their risks. Vulnerabil-ity bulletins are shared by few organizations. These bulletinsshare the date of attack, systems affected, and patches per-formed.Thus, the CVSS prediction model is vital and shouldbe used extensively. Technical analysts should be comfortableusing the prediction model extensively. For every scenario,the analyst should document the assumptions and associatedrisks. A detailed attack prevention plan should be in place.At every step, the attack, its type, cause, and preventiveaction should be documented. Different root-cause analysistechniques such as 5-why can be used to pinpoint the rootcause. After identifying the root cause, the next steps interms of corrective and preventive actions should also bethought through. Technical experts should review these plansso that they can bring in their experience and highlight anyimprovements.

Prediction models should not be a one-time activity.Technical analysts should use the model on an ongoingbasis and also suggest shortcomings. Based on the scores,decisions need to be taken considering impact on cost andsecurity. Prediction models are statistical and simulative innature. These models should help simulating scenarios aswell as determining outcomes. They can also model differentvariation factors and help the analyst with the predicted rangeor the variation of its outcomes.

4. Conclusion

Cyber-attack is an attempt to exploit computer systems andnetworks. Cyber-attacks use malicious codes to alter algo-rithms, logic, or data. Securing information systems is thuscritical.Multiple countermeasures need to be built.TheCVSSis an industry framework that helps quantify the vulnerabilityimpact. This paper demonstrated a mathematical model topredict the impact of an attack based on significant factorsthat influence cyber security. Vulnerability and networktrafficwere selected as the influencing factors to predict CVSSscore. Based on the score, the technical analyst can analyzethe impact and take necessary preventive actions.This modelalso considers the environmental information required. It isthus generalized and can be customized to the needs of theindividual organization.

The Scientific World Journal 5

Conflict of Interests

The authors declare that there is no conflict of interestsregarding the publication of this paper.

References

[1] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing,“Automated generation and analysis of attack graphs,” in Pro-ceedings of the IEEE Symposium on Security and Privacy, pp.273–284, May 2002.

[2] L.Wang,A. Singhal, and S. Jajodia, “Towardmeasuring networksecurity using attack graphs,” in Proceedings of the ACMWork-shop on Quality of Protection, pp. 49–54, October 2007.

[3] M. E. Kuhl, J. Kistner, K. Costantini, and M. Sudit, “Cyberattack modeling and simulation for network security analysis,”in Proceedings of the Winter Simulation Conference (WSC ’07),pp. 1180–1188, Washington, DC, USA, December 2007.

[4] E. Tittel, Preventing and Avoiding Network Security Threats andVulnerabilities, 2013, http://www.tomsitpro.com/articles/threatmanagement-it security-firewall-it certification-network se-curity,2-477.html.

[5] J. Wu, L. Yin, and Y. Guo, “Cyber attacks prediction modelbased on Bayesian network,” in Proceedings of the 18th IEEEInternational Conference on Parallel and Distributed Systems(ICPADS ’12), pp. 730–731, Singapore, December 2012.

[6] N. S. Anusha, T. S. Soujanya, and D. S. Vasavi, “Study ontechniques for providing enhanced security during onlineexams,” International Journal of Engineering Inventions, vol. 1,no. 1, pp. 32–37, 2012.

[7] E. T. Axelrad, P. J. Sticha, O. Brdiczka, and J. Shen, “A Bayesiannetwork model for predicting insider threats,” in Proceedings ofthe 2nd IEEE Security and PrivacyWorkshops (SPW ’13), pp. 82–89, May 2013.

[8] M. A. Khan and M. Hussain, “Cyber security quantificationmodel,” Bahria University Journal of Information and Commu-nication Technology, vol. 3, no. 1, pp. 23–27, 2010.

[9] A. P.Moore, D. A.Mundie, andM. L. Collins, “A systemdynam-ics model for investigating early detection of insider threatrisk,” Tech. Rep. DM-0000143, Program Software EngineeringInstitute, Carnegie Mellon University, 2013.

[10] M. Mateski, C. M. Trevino, C. K. Veitch et al., “Cyber threatmetrics,” Sandia Report SAND2012-2427, 2012.

[11] O. T. Oluwatosin and D. D. Samson, “Computer-based testsecurity and result integrity,” International Journal of Computerand Information Technology, vol. 2, no. 2, pp. 324–329, 2013.

[12] L. K. Shar, H. Beng Kuan Tan, and L. C. Briand, “Mining SQLinjection and cross site scripting vulnerabilities using hybridprogram analysis,” in Proceedings of the 35th InternationalConference on Software Engineering (ICSE ’13), pp. 642–651,IEEE Press, May 2013.

[13] P. Mell, K. Scarfone, and S. Romanosky, A Complete Guide tothe Common Vulnerability Scoring System Version 2.0, NationalInstitute of Standards and Technology, Carnegie Mellon Uni-versity, 2007.

[14] P.Mell, K. Scarfone, and S. Romanosky,AComplete Guide to theCommon Vulnerability Scoring System, Version 2.0, 2007.

[15] Redhat, Bash Code Injection Vulnerability via Specially CraftedEnvironment Variables (CVE-2014-6271, CVE-2014-7169), Red-hat, 2014, https://access.redhat.com/articles/1200223.

[16] Sensitive Data Protection Vulnerability, OWASP, https://www.owasp.org/index.php/Category:Sensitive Data ProtectionVulnerability.

[17] https://www.owasp.org/index.php/Category:Vulnerability.

Submit your manuscripts athttp://www.hindawi.com

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttp://www.hindawi.com

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation http://www.hindawi.com Volume 2014


Applied Computational Intelligence and Soft Computing

Advances in

Artificial Intelligence


Advances inSoftware EngineeringHindawi Publishing Corporationhttp://www.hindawi.com Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

http://www.hindawi.com Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling & Simulation in EngineeringHindawi Publishing Corporation http://www.hindawi.com Volume 2014

The Scientific World JournalHindawi Publishing Corporation http://www.hindawi.com Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in


research article using a prediction model to manage cyber

Documents