Difficulty-level metric for cyber security training

Cyber security training systems work as a suitable learning environment for educating cyber analysts on how to detect and defense before real cyber attacks happen. As training is an iterative process, the assessment component not only assesses the knowledge gained by the cyber analysts, but also adjusts the difficulty of training lessons accordingly based on the analysts´ performance. In this paper, we present an attack graph-based probabilistic metric to measure lesson scenarios´ difficulty levels. Based on causal relationships between vulnerabilities in an attack graph, we apply Bayesian Reasoning to aggregate individual vulnerabilities into an probabilistic value representing the attackers success likelihood to achieve the attack goal. However, one major complication of using Bayesian Reasoning is that it does not allow for cycles, which exists in attack graphs. We identify different types of cycles in the attack graphs and propose an efficient algorithm to remove cycles while preserving cyclic influence in the probability calculation.