Using Bayesian Networks for Enterprise Network Security Analysis

Restricted (Penn State Only)
Sun, Xiaoyan
Graduate Program: Information Sciences and Technology
Doctor of Philosophy
Document Type:
Date of Defense: May 05, 2016
Committee Members:
  • Peng Liu, Dissertation Advisor
  • Peng Liu, Committee Chair
  • John Yen, Committee Member
  • Dinghao Wu, Committee Member
  • George Kesidis, Outside Member
Keywords:
  • Cloud Security
  • Bayesian Network
  • Situation Awareness
  • System Call
  • Zero-day Attack
  • Enterprise network security
Achieving complete and accurate cyber situation awareness (SA) is crucial for security analysts to make the right decisions. A large number of algorithms and tools have been developed to aid cyber security analysis, such as vulnerability analysis, intrusion detection, network and system monitoring and recovery, and so on. Although these algorithms and tools have eased the security analysts' work to some extent, their knowledge bases are usually isolated from each other. It is a very challenging task for security analysts to combine these knowledge bases and generate a holistic understanding of the enterprise network's real situation. To address the above problem, this paper takes the following approach. 1) Based on existing theories of situation awareness, a Situation Knowledge Reference Model (SKRM) is constructed to integrate data, information, algorithms/tools, and human knowledge into a whole stack. SKRM serves as an umbrella model that enables effective analysis of complex cyber-security problems. 2) The Bayesian Network is employed to incorporate and fuse information from different knowledge bases. Due to the overwhelming number of alerts and the high false-alarm rates, digging out real facts is difficult. In addition, security analysis is usually bound up with a number of uncertainties. Hence, Bayesian Networks are an effective approach to leverage the collected evidence and eliminate uncertainties. With SKRM as the guidance, two independent security problems are identified: the stealthy bridge problem in the cloud and the zero-day attack path problem. This paper demonstrates how these problems can be analyzed and addressed by constructing proper Bayesian Networks on top of different layers of SKRM.

First, the stealthy bridge problem. Enterprise network islands in the cloud are expected to be absolutely isolated from each other except for some public services. However, current virtualization mechanisms cannot ensure such perfect isolation. Some "stealthy bridges" may be created that break the isolation, due to virtual machine image sharing and virtual machine co-residency. This paper proposes to build a cloud-level attack graph to capture the potential attacks enabled by stealthy bridges and reveal possible hidden attack paths that are missed by individual enterprise network attack graphs. Based on the cloud-level attack graph, a cross-layer Bayesian network is constructed to infer the existence of stealthy bridges given supporting evidence from other intrusion steps.

Second, the zero-day attack path problem. A zero-day attack path is a multi-step attack path that includes one or more zero-day exploits. This paper proposes a probabilistic approach to identify zero-day attack paths. An object instance graph is first established to capture the intrusion propagation. A Bayesian network is then built to compute the probabilities of object instances being infected. Connected through dependency relations, the instances with high infection probabilities form a path, which is viewed as the zero-day attack path.
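As an added illustration of the zero-day attack path approach sketched in the abstract (example code written for this page, not the dissertation's own code or data): a small constructed object instance graph, a Bayesian network over it with assumed noisy-OR conditional probabilities and assumed sensor likelihoods, exact inference of each instance's infection probability from two alerts, and extraction of the high-probability chain as the candidate zero-day attack path. The instance names, edges, and all probability values are assumptions chosen for the example.

```python
from itertools import product

# Constructed object instance graph (illustrative, not the dissertation's data):
# edge (src, dst) means an intrusion on src can propagate to dst through a
# system-call dependency (process spawn, file read or write). Assumed acyclic.
NODES = ["sshd", "bash", "tmp_bin", "python", "secrets_db", "cron", "syslog"]
EDGES = [("sshd", "bash"), ("bash", "tmp_bin"), ("tmp_bin", "python"),
         ("python", "secrets_db"), ("cron", "syslog")]
PRIOR, PROPAGATE, LEAK = 0.05, 0.9, 0.01   # assumed CPT parameters
SENSOR = {True: 0.9, False: 0.05}          # assumed P(alert | infected/clean)

def parents(node):
    return [s for s, d in EDGES if d == node]

def p_infected(node, state):
    """CPT: noisy-OR over infected parents; PRIOR for entry-point instances."""
    ps = parents(node)
    if not ps:
        return PRIOR
    clean = (1 - LEAK) * (1 - PROPAGATE) ** sum(state[p] for p in ps)
    return 1 - clean

def posteriors(alerts):
    """Exact inference by enumerating all 2^n infection states: returns
    P(instance infected | alerts); alerts maps instance -> alert raised?"""
    total, mass = 0.0, {n: 0.0 for n in NODES}
    for values in product([False, True], repeat=len(NODES)):
        state = dict(zip(NODES, values))
        joint = 1.0
        for n in NODES:
            p = p_infected(n, state)
            joint *= p if state[n] else 1 - p
            if n in alerts:  # sensor likelihood for instances with a reading
                joint *= SENSOR[state[n]] if alerts[n] else 1 - SENSOR[state[n]]
        total += joint
        for n in NODES:
            if state[n]:
                mass[n] += joint
    return {n: mass[n] / total for n in NODES}

def zero_day_path(post, threshold=0.5):
    """Longest chain of above-threshold instances along dependency edges."""
    hot = {n for n, p in post.items() if p >= threshold}
    def longest(n):
        tails = [longest(d) for s, d in EDGES if s == n and d in hot]
        return [n] + max(tails, key=len, default=[])
    return max((longest(n) for n in hot), key=len, default=[])
```

With alerts on `tmp_bin` and `python`, the posteriors of `sshd`, `bash`, and `secrets_db` rise well above the prior even though no sensor fired on them, and the chain through all five is reported as the candidate path, while the unrelated `cron` branch stays at its prior.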