Customized and Adaptive approach for Optimal Cybersecurity Investment

最佳网络安全投资的定制和自适应方法

• 批准号: EP/R002983/1
• 负责人: Chris Hankin
• 金额: $ 49.2万
• 依托单位: Imperial College London
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FR002983%2F1
• 关键词: Customized; Adaptive; approach; Optimal; Cybersecurity

The proposed research aims to help organisations to make better cybersecurity investments. For example is it better in a given organization to prioritise a policy of changing passwords over patching software regularly? And how frequently should passwords be changed? Should all employees scan for malware all USB sticks? The answers to these kind of questions largely depends on the type of organization and the specific threats it faces. For example while requiring employees to change passwords often may decrease the threat from some kind of attacks, it also imposes costs on the organization both in terms of help desk workload and employee productivity. Are these costs justified? it depends on the specific organization and the threats it faces.There is no one size fits all solution in cybersecurity, hence a cybersecurity investment plan should start with an appropriate model of the organization and its threat profile. We will build such a model which will capture in a formal way important aspects of the socio-human-technical characters of the organization and its exposure to attacks.This model will inform our decision support engine, which will evolve from our recent research using optimisation and game theory. In this project we will refine our existing decision support engine.One of the planned refinements is about the possible threats faced: is the attacker someone just exploring the web for weak websites or a criminal targeting that specific organization or maybe an employee from a foreign intelligence agency? The mathematical modelling of these different attackers presents challenges. Other refinements are in terms of dealing with different ways security controls can be combined, for example how to measure the effectiveness of changing password and encryption in relation to an attacker who wants to steal data - do they combine additively (i.e. are independent)? or multiplicatively (i.e. are totally correlated)?We also want our engine to be resilient, i.e. we want to give meaningful advice even if the data is not very precise, and we want it to be robust, i.e. it should provide security guarantees even when the data is not very precise. We will enrich our decision support engine with adaptivity so that once deployed it is capable to adapt to changes in the organisation, the threat profile and the general societal environment. For example the investment advice should change if a major new attack has been reported (for example the Heartbleed and Shellshock vulnerabilities in 2014), or if a new more effective security control is available.Our research will both provide theoretical and practical advances to these challenging issues. The practical advance will be in the form of prototype tools. We will measure our achievements via validation of these prototype tools. The validation will start by comparing our calculated investment strategy with expert advice and will evolve to larger case studies involving our partners and careful deployment in the field.

拟议的研究旨在帮助组织进行更好的网络安全投资。例如，在一个给定的组织中，优先考虑更改密码的策略是否比定期修补软件更好？密码应该多久更换一次？所有员工都应该扫描所有U盘中的恶意软件吗？这类问题的答案在很大程度上取决于组织的类型及其面临的具体威胁。例如，虽然要求员工经常更改密码可能会减少某种攻击的威胁，但它也会在帮助台工作量和员工生产力方面给组织带来成本。这些费用是否合理？这取决于具体的组织及其面临的威胁。在网络安全方面没有一个放之四海而皆准的解决方案，因此，网络安全投资计划应从组织的适当模型及其威胁概况开始。我们将建立这样一个模型，它将以正式的方式捕捉组织的社会-人类-技术特征及其暴露于攻击的重要方面。该模型将为我们的决策支持引擎提供信息，该引擎将从我们最近使用优化和博弈论的研究中发展而来。在这个项目中，我们将改进我们现有的决策支持引擎。其中一个计划的改进是关于可能面临的威胁：攻击者是只是在网络上寻找薄弱网站的人，还是针对特定组织的犯罪分子，或者是外国情报机构的雇员？这些不同攻击者的数学建模提出了挑战。其他改进是在处理安全控制可以组合的不同方式方面，例如，如何衡量与想要窃取数据的攻击者相关的更改密码和加密的有效性-它们是否以相加方式（即独立）组合联合收割机？还是乘法（即完全相关）？我们还希望我们的引擎具有弹性，即即使数据不是非常精确，我们也希望提供有意义的建议，我们希望它是健壮的，即即使数据不是非常精确，它也应该提供安全保证。我们将丰富我们的决策支持引擎，使其具有自适应性，以便一旦部署，它就能够适应组织，威胁概况和一般社会环境的变化。例如，如果报告了重大的新攻击（例如2014年的Heartbleed和Shellshock漏洞），或者如果有新的更有效的安全控制，投资建议应该改变。我们的研究将为这些具有挑战性的问题提供理论和实践上的进步。实际进展将以原型工具的形式出现。我们将通过验证这些原型工具来衡量我们的成就。验证将从比较我们计算的投资策略与专家建议开始，并将发展到涉及我们的合作伙伴和在该领域的精心部署的更大的案例研究。

项目成果

Improving ICS Cyber Resilience through Optimal Diversification of Network Resources

通过网络资源的优化多样化提高 ICS 网络弹性

• DOI: 10.48550/arxiv.1811.00142
• 发表时间: 2018
• 期刊: arXiv e-prints
• 作者: Li Tingting

Attack Dynamics: An Automatic Attack Graph Generation Framework Based on System Topology, CAPEC, CWE, and CVE Databases

攻击动力学：基于系统拓扑、CAPEC、CWE和CVE数据库的自动攻击图生成框架

• DOI: 10.1016/j.cose.2022.102938
• 发表时间: 2022
• 期刊: Computers & Security
• 影响因子: 5.6
• 作者: ..zdemir S..nmez F

Scalable Approach to Enhancing ICS Resilience by Network Diversity

通过网络多样性增强 ICS 弹性的可扩展方法

• DOI: 10.1109/dsn48063.2020.00055
• 发表时间: 2020
• 作者: Li T

Optimal security hardening over a probabilistic attack graph: a case study of an industrial control system using the CySecTool tool

概率攻击图的最佳安全强化：使用 CySecTool 工具的工业控制系统案例研究

• DOI: 10.48550/arxiv.2204.11707
• 发表时间: 2022
• 作者: Buczkowski P

Decision support for healthcare cyber security

• DOI: 10.1016/j.cose.2022.102865
• 发表时间: 2022-08
• 期刊: Comput. Secur.
• 作者: Ferda Özdemir Sönmez;Christiana C. Hankin;P. Malacaria