DocumentCode :
1565560
Title :
Boosting Markov Reward Models for Probabilistic Security Evaluation by Characterizing Behaviors of Attacker and Defender
Author :
Zhang, Zonghua ; Naït-Abdesselam, Farid ; Ho, Pin-Han
Author_Institution :
CNRS, Univ. of Sci. & Technol. of Lille, Lille
fYear :
2008
Firstpage :
352
Lastpage :
359
Abstract :
While Markov reward models (MRMs) have been widely used for system dependability evaluation, their application to evaluating security still poses a challenge. It is observed that attacker behavior plays a key role in causing models of security evaluation to be complicated. Another observation is that representing attacker behavior in terms of attack effects instead of the attack itself enables the system security to be indirectly evaluated by identifying families of attacks rather than individual instantiations. Furthermore, an attacker's behavior tends to be affected by defense mechanisms (we say defender) due to their close interactions. These observations motivate us to boost MRMs to the security context by extracting the behaviors of attacker and defender. To do that, we present a general yet simple state-based approach to characterizing and inferring the behaviors of attackers and defenders in typical network attacks. Its contribution is twofold: 1) two objective-oriented models are developed to measure the attacker's and defender's behaviors, respectively; 2) the objectives, actions, and the resultant effects by the attacker and defender, along with the underlying system states, are then integrated and formulated as partially observable Markov decision processes. The developed models and analysis allow the behaviors of attacker and defender to be characterized in a fine-grained way, and specific attack-defense strategies to be inferred approximately via existing model-based algorithms. The system security can thereby be indirectly validated on the basis of the aggregated effects resulting from the interactive behaviors of attacker and defender. A real trace study is conducted to show the feasibility and effectiveness of our proposed approach.
Keywords :
Markov processes; object-oriented methods; security of data; Markov reward models; attacker behaviors; model-based algorithms; objective-oriented models; partially observable Markov decision processes; probabilistic security evaluation; security evaluation; system dependability evaluation; system security; Algorithm design and analysis; Application software; Availability; Boosting; Computer security; Context modeling; Costs; Fault trees; Information security; Information systems; Markov Reward Models; Network security; anomaly detection; security evaluation;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Availability, Reliability and Security, 2008. ARES 08. Third International Conference on
Conference_Location :
Barcelona
Print_ISBN :
978-0-7695-3102-1
Type :
conf
DOI :
10.1109/ARES.2008.75
Filename :
4529357