Probabilistic modeling and analysis of sequential cyber‐attacks

Security is one of the major challenges for the development of the computer industry. Existing models for assessing security have mostly assumed that the different hazards causing a security breach are independent of each other. Dependencies, however, can exist among different hazardous actions, and they may greatly affect the security attributes of a system. This paper advances the state of the art in quantitative security risk assessment by modeling one such dependency, where multiple sequence‐dependent hazardous actions are performed to launch a successful cyber‐attack. Continuous‐time Markov chain (CTMC) and semi‐Markov process–based methods are proposed to estimate the occurrence probability of a security risk for systems undergoing sequential cyber‐attacks. While the CTMC method is limited to exponential state transition times, the proposed semi‐Markov process–based approach is applicable to analyzing attacks with arbitrary transition time distributions. Both methods are illustrated using case studies in which Trojan attacks on a banking application are modeled and analyzed.


INTRODUCTION
Diverse types of cyber-attacks have caused increasing security threats to contemporary computing and networking systems. 1 These threats pose huge potential security risks to individuals, societies, and enterprises. 2,3 For instance, massive hack attacks on Sony Pictures caused the theft and online exposure of about 40 gigabytes of sensitive data (including scripts of unreleased films, private information of Sony employees, etc). 4 For another instance, in one of the largest security breaches in computer network history, one billion Yahoo email accounts were breached through attacks utilizing fake Internet cookies. 5 Therefore, it is crucial to assess security risks in a quantitative manner, providing effective guidance on the secure design and operation of critical systems and networks.
In general, risk refers to the potential for damage, loss, or destruction of an asset due to some threat exploiting system vulnerabilities. 6 Vulnerabilities associated with computer-based systems are the main threats to network security. 7,8 With a proper quantitative analysis of security, the system survivability may be effectively enhanced, thereby improving the response to unexpected security attacks on complex networks and systems.
The soaring development of information technology in the last few decades has produced over 200 risk assessment methods. 9 These risk assessment methods can be categorized into three types, ie, qualitative assessment, quantitative assessment, and hybrid (semiquantitative) assessment methods. 6,10,11 Different methods not only have different aims, advantages, and weaknesses, 12 but also differ in severity level, complexity of use, and applicability to organization models of different sizes. 13,14 Qualitative assessment methods involve identifying, characterizing, and ranking unwanted events primarily based on the assessor's experience, knowledge, strategies, and exceptional cases on information systems. 6,15 A qualitative assessment requires specific expectations rather than exact data. It can reach more general and sound conclusions compared to other assessment tools. However, a qualitative assessment usually takes more time (making it unsuitable for dynamic risk assessments that require efficient assessment and decision) and is harder to make objective. 11 According to the studies of Shameli-Sendi et al 16 and Bolczak et al, 17 the typical qualitative assessment methods include factor analysis, game theory, 18 fuzzy set theory, 19 historical comparison, and the Delphi method. 20 Quantitative assessment approaches use mathematical calculations, probability theory, and statistics to analyze the level of risk of an organization and produce numerical indicators. 21,22 They typically use monetary values, probabilities, or percentages 23 to present assessment results in a scientific and formal manner. More specifically, a quantitative assessment approach involves evaluating the risk probability and the hazard level, characterized by the expected losses of assets and potential impacts on the organization.
For example, as the traditional risk assessment method, information technology security risk assessment is based on the likelihood of occurrence of a hazardous event and the potential consequence caused by the event. 6,24 Contemporary approaches often focus on the requirements of confidentiality, integrity, and availability (CIA) and are mostly model- or system-based. [25][26][27] The typical quantitative assessment methods include Markov analysis, statistical parameter analysis, Bayesian network models, 11,28 and clustering methods. 29 Quantitative methods aim to estimate the loss of assets, vulnerabilities of organization systems, frequency of threats, and cost of the risk. 10,24 The disadvantages of the quantitative methods are that the detailed data needed for assessments can be costly to obtain and the calculations can be time-consuming. 11,30 A typical example of quantitative risk assessment methods is CORAS (a model-based approach for conducting security risk analysis). 25 This model is mainly based on the multiplication operation without any formal support. 25,31 The risk assessment methodology in CORAS integrates classic analysis methods 32 such as failure mode and effect analysis, 6 Markov analysis, 7 fault tree analysis, 33 and HAZOP analysis. 34 The method can deal with all types of potential threats with different CIA properties and accountability.
In summary, most research on risk assessment is qualitative analysis with a subjectivity that limits the model to only specific systems. On the other hand, quantitative risk assessment methods are typically based on certain risk assessment standards. 24,25,[35][36][37] The accuracy of those standard-based methods, however, depends on large amounts of historical data with long investment cycles. In addition, the existing quantitative risk assessment methods have mostly focused on the amount or frequency of different and independent system vulnerabilities or hazardous events. In practice, however, different hazardous events may take place in a dependent manner, ie, the occurrence of one hazardous event impacts the occurrence of another hazardous event happening to the same system. 38 Dependencies or interactions between different attack events or outcomes have received considerable research attention from the cybersecurity community in the past several years (see, eg, other works 28,[39][40][41][42]). Cyber-attacks have become a major threat to many modern systems and networks. For example, industrial control systems have been targeted by cyber-attacks based on vulnerabilities in these systems and their environments 43,44 or based on equipment degradation. 3 It is a challenging task to address dependence in cybersecurity models. 39 In this work, we focus on security risks from cyber-attacks subject to sequence dependence, where the occurrence order of hazardous events matters to the system status. 45 Specifically, we address the problem of modeling and assessing the occurrence probability of a security risk from cyber-attacks launched through multiple sequence-dependent hazardous actions. The sequential attack behavior is modeled using an attack tree. The probability of a successful attack (ie, the occurrence probability of the security risk) is evaluated using Markov-based methods.
Specifically, a continuous-time Markov chain (CTMC) is applied to determine the time-dependent solution, and a semi-Markov process (SMP) is utilized to find the steady-state solution for systems undergoing the sequential cyber-attack. Trojan attacks launched against a banking application are modeled and analyzed to demonstrate the type of attacks considered in this work and the proposed approaches. Effects of different attack model parameters on the system security are also demonstrated through examples.
Note that there exists research on sequential attacks in the literature. However, the existing models are mostly limited to physical sequential attacks in areas such as physics, 46 military, 47 and smart grids. 48,49 Despite the growing literature on addressing dependencies in cyber-attacks (as briefed above), little work has focused on sequence dependence. In particular, a security threat consisting of a sequence of small attacks on applications of reinforcement learning in deep neural networks was investigated using simulations in the OpenAI Gym. 50 To the best of the authors' knowledge, the work presented in this paper is the first that models and evaluates security risks from sequential cyber-attacks using analytical modeling methods (CTMC and SMP).
The remainder of this paper is arranged as follows. Section 2 describes the sequential threat model considered in this work, and the attack tree modeling. Section 3 focuses on the CTMC-based time-dependent solution. Section 4 focuses on the SMP-based steady-state solution. Section 5 concludes this work and points out directions of future research.

THREAT MODEL AND ATTACK TREE
This work focuses on one type of security risk from Trojan attacks designed to commit bank fraud (stealing the identity of bank customers and then their money through mobile devices like smartphones). 51,52 As illustrated in Figure 1, a hacker sends a message to a mobile banking user that contains a link carrying a Trojan virus. If the user does not open the link, the malware stays on the mobile device without causing any harm. However, if the user clicks the link, the Trojan virus is triggered, downloaded, and installed on the device. At this point, the device is in the infection state. In the infection state, the Trojan malware is able to simulate the victim's online-banking operations and transmit data to the hacker. Figure 2 presents an attack tree model, which describes the cause of a successful banking Trojan attack (denoted by the top event of the tree) and the dependence relationship among the basic events A (Trojan virus link received), B (virus installed and device infected), and C (online-banking activity). The gates connecting the basic events in Figure 2 are priority-AND (PAND) gates from dynamic fault tree analysis. 33 Each PAND gate is logically equivalent to a logic AND gate with the extra condition that the left input event must take place before the right input event for the gate to fire. The two cascading PAND gates in Figure 2 model a successful Trojan attack (ie, the top event occurring), which is caused by A happening before B, which in turn happens before C. In other words, any violation of this occurrence sequence of events A, B, and C fails the attack.
Based on the attack tree model in Figure 2, the Markov-based methods are developed in Sections 3 and 4 to quantify the occurrence probability of a security risk in systems subject to the sequential cyber-attack. In general, the Markov models are constructed based on system states, and transitions between the states (caused by the occurrence of a particular event). 53 For systems undergoing the sequential Trojan attack, four states are defined, ie, 0 (clean), 1 (acquisition), 2 (infection), and 3 (fraud complete). Two scenarios of transitions are considered, ie, no recovery transition is possible from the fraud complete state (Section 3) and a recovery is possible from the fraud complete state (Section 4).

CONTINUOUS-TIME MARKOV CHAIN-BASED TIME-DEPENDENT SOLUTION AND ANALYSIS
This section presents the CTMC-based time-dependent solution to the sequential cyber-attack. Effects of different model parameters on the attack success probability are also examined. Figure 3 illustrates the state transition diagram of the CTMC-based solution. In the initial clean state 0, the security attribute of the system (eg, confidentiality) can be guaranteed. Because of event A (ie, the user receiving the virus link), the system transits to the acquisition state 1, where the malicious content exists but the system still functions. The system can go back to the clean state 0 from the acquisition state 1 by deleting the suspicious, hazardous files. However, if the user clicks the malicious link (ie, event B takes place), the Trojan virus is triggered and the system transits from the acquisition state 1 to the infection state 2. In state 2, once the user conducts any online banking operation, eg, making an online payment (ie, event C takes place), the hacker can steal personal banking information and accomplish the banking fraud. That is, due to the occurrence of event C, the system transits to the final fraud complete state 3. In the infection state 2, the system can also be restored to the acquisition state 1 if the user takes a timely and appropriate quarantine action, or even to the clean state 0 through virus clean-up operations. All the transitions are characterized by constant rates. The transition rates A , B , and C are, respectively, the occurrence rates of events A, B, and C. The transition rates d , q , and c denote, respectively, the deletion, quarantine, and clean-up rates. Based on the state transition diagram in Figure 3, the state equations in matrix form are given in (1), where the left-most matrix is the transition rate matrix of the CTMC, P j (t) represents the probability of the system being in state j ( j = 0,1,2,3), and Ṗ j (t) represents the time derivative of the state j probability.
Equation (1) can also be written out as the differential equations (2) to (5).
Applying the Laplace transform-based method to solve (2)-(5) (using the initial state probability P 0 (0) = 1), 54 the Laplace transform of those state probabilities is obtained as P * 1 (s) = Applying the inverse Laplace transform of P * (s), the system state probabilities in the time domain P j (t) ( j = 0,1,2,3) can be derived, which is carried out in MATLAB in this work. Table 1 lists five sets of parameters designed based on statistics and data from other works. [55][56][57][58] The CTMC in Figure 3 is analyzed using these parameter sets to study the effects of different model parameters on the attack success probability. In particular, parameter B reflects a user's awareness and responsibility in protecting the system or device; the effects of this parameter on the system security are investigated through parameter sets a, b, and c in Table 1. The system security risk also depends on the user's capability of handling infected devices, or the user's experience and knowledge about the device. For instance, a computer expert would know how to restore the device and keep the system functioning in the case of attacks happening or the device already being infected. The three recovery rates d , q , and c model the system recovery capability; their effects are investigated through parameter sets d, b, and e in Table 1.
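As an added illustration of the CTMC solution (example code, not the paper's MATLAB implementation), the following Python builds the transition rate matrix of Figure 3 and evaluates the state probabilities P j (t) numerically by uniformization instead of the Laplace transform; the rate values in the script are constructed and are not those of Table 1.

```python
import math

# State indices of the CTMC in Figure 3 (Section 3 model: state 3 is absorbing).
STATE_NAMES = ("clean", "acquisition", "infection", "fraud complete")


def generator_matrix(lam_a, lam_b, lam_c, mu_d, mu_q, mu_c):
    """Transition-rate matrix Q of the 4-state CTMC.

    Rows are 'from' states, columns 'to' states; each diagonal entry is minus
    the row's total outgoing rate, so dP/dt = P(t) Q (the paper's equation (1)).
    """
    n = 4
    q = [[0.0] * n for _ in range(n)]
    q[0][1] = lam_a   # event A: user receives the Trojan link  (0 -> 1)
    q[1][0] = mu_d    # deletion of suspicious files            (1 -> 0)
    q[1][2] = lam_b   # event B: link clicked, Trojan installed (1 -> 2)
    q[2][1] = mu_q    # quarantine action                       (2 -> 1)
    q[2][0] = mu_c    # virus clean-up                          (2 -> 0)
    q[2][3] = lam_c   # event C: online-banking activity        (2 -> 3)
    for i in range(n):
        q[i][i] = -sum(q[i][j] for j in range(n) if j != i)
    return q


def state_probabilities(q, t, p0=(1.0, 0.0, 0.0, 0.0), tol=1e-10):
    """P(t) = P(0) exp(Qt) by uniformization (a pure-Python stand-in for the
    Laplace-transform solution used by the paper).

    With L = max outgoing rate and U = I + Q/L (a stochastic matrix),
    P(t) = sum_k Poisson(k; L t) * P(0) U^k. Every term is non-negative, so the
    series is numerically stable, unlike a naive matrix-exponential expansion.
    """
    n = len(q)
    rate = max(-q[i][i] for i in range(n))
    lt = rate * t
    if lt == 0.0:
        return list(p0)
    u = [[(1.0 if i == j else 0.0) + q[i][j] / rate for j in range(n)]
         for i in range(n)]
    vec = list(p0)          # holds P(0) U^k
    result = [0.0] * n
    cumulative, k = 0.0, 0
    k_max = int(lt + 20 * math.sqrt(lt) + 50)   # Poisson mass beyond this is negligible
    while cumulative < 1.0 - tol and k <= k_max:
        # Poisson weight in log space so that a large L*t does not underflow to zero
        w = math.exp(-lt + k * math.log(lt) - math.lgamma(k + 1))
        result = [r + w * x for r, x in zip(result, vec)]
        cumulative += w
        vec = [sum(vec[i] * u[i][j] for i in range(n)) for j in range(n)]
        k += 1
    return result


def attack_success_probability(rates, t):
    """Occurrence probability of the security risk, P3(t), for a rate tuple
    (lam_a, lam_b, lam_c, mu_d, mu_q, mu_c) and mission time t."""
    return state_probabilities(generator_matrix(*rates), t)[3]


if __name__ == "__main__":
    # Constructed rates per hour (NOT the paper's Table 1 values): a cautious user
    # with moderate recovery capability.
    rates = (1e-3, 2e-4, 5e-3, 1e-3, 5e-4, 2e-4)
    for hours in (1000, 2000, 5000, 10000, 20000):
        p = state_probabilities(generator_matrix(*rates), hours)
        print(f"t={hours:6d} h  " + "  ".join(f"{n}={x:.4f}" for n, x in zip(STATE_NAMES, p)))
```

With all recovery rates set to zero the chain reduces to a pure 0→1→2→3 sequence, so P3(t) must equal the Erlang-3 CDF, which is a convenient correctness check.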

Effects of user parameter B
Among the three sets a, b, and c in Table 1, B in set a corresponds to a cautious user (who would seldom open suspicious files containing a virus), B in set c corresponds to a relatively careless user (who is more likely to click malicious links or files that infect the device), and B in set b corresponds to an intermediate case between the former two. Moreover, set a corresponds to a case where the recovery capability dominates ( B << q ), while set c corresponds to a case where the occurrence rate of the malicious event dominates ( B > q ). Tables 2 to 4 summarize the four system state probabilities under parameter sets a, b, and c for several example mission times. Note that k denotes units of 1000.
In Figures 4 to 7, we illustrate each system state probability under parameter sets a, b, and c graphically. Figure 4 supports the intuition that the clean state probability decreases with time. The clean state probability under set a is the best (largest) among the three cases compared and it declines slowly as time proceeds due to the lowest transition rate B (a cautious user), while this probability under set c is the worst and declines more quickly with time as compared to the other two cases due to the largest transition rate B used (a careless user).
As observed from Figure 5, the acquisition state probabilities under the three parameter sets, P 1-a , P 1-b , and P 1-c , ascend quickly at the beginning due to the occurrence of event A, reach a peak value, and then fall gradually due to the interacting effects of the attack and recovery events. Again, the acquisition state probability under set a is the best among the three cases. In particular, P 1-a stays the highest all the time, with its zenith of 0.2156 at 2 k hours; P 1-c remains the lowest over the considered mission time, reaching its bottom around 0 after t = 12 k hours.
As observed from Figure 6, the infection state probability reaches a peak quickly at the beginning and then declines gradually, at a different pace under each parameter set. The infection state probability under set c declines (Figure 7). Figure 7 shows an upward trend of the fraud complete state probability as time proceeds. In particular, P 3-a , with the low transition rate B , stays below 0.6 during the entire considered mission time with a steady ascending pace. In contrast, P 3-b and P 3-c increase more substantially over time; especially in the case of the careless user, P 3-c rises at the fastest pace and keeps rising until it reaches 1 around 16 k hours. This supports the intuition that the fraud complete state probability is the lowest under set a (having the smallest B ) and the largest under set c (having the highest B ).

Effects of recovery rates d , q , and c
Effects of the recovery rates d , q , and c on the system security are investigated through parameter sets d, b, and e in Table 1. These three sets share the same transition rates A , B , and C but have different values of d , q , and c . Specifically, set d models a strong recovery capability (a system used by an experienced user who protects the device with adequate antivirus/antiattack measures), set e models a weak recovery capability (a system used by an amateur user), and set b models a case in between the former two. The state probabilities under set b are presented in Table 3. Tables 5 and 6 show the system state probabilities under sets d and e, respectively. In Figures 8 to 11, we illustrate each system state probability under parameter sets (d, b, e) graphically. As shown in Figure 8, under set d, having the largest recovery rates (ie, strong/effective antihacking measures), the clean state probability is the best (largest) among the three cases compared and declines the slowest over time; under set e, having the smallest recovery rates (ie, weak antihacking measures), the clean state probability is the smallest all the time and declines the most quickly. As observed from Figure 9, the acquisition state probability ascends quickly at the beginning due to the occurrence of event A, reaches a peak value, and then descends due to the interacting effects of the attack and recovery events. In particular, P 1-b first ascends to its highest point at 0.14, then drops quickly, and becomes less than P 1-d at around 10 k hours; P 1-d (with the strongest recovery capability among the three cases) falls steadily from 0.058 to 0.044 after the initial ascent to its peak; P 1-e falls suddenly and stays around a very low value for the rest of the time after the initial ascent to its peak. In the long run, the acquisition state probability is the best (largest) under set d and the lowest under set e.
As observed from Figure 10, the infection state probability reaches a peak quickly at the beginning and then declines gradually; this probability under set e is the highest at the beginning due to the lowest recovery rates (among the three parameter sets compared), then drops more quickly, and becomes the lowest due to an increase in the corresponding fraud complete state probability (Figure 11). Figure 11 demonstrates the growing probabilities of the fraud complete state under different levels of antiattack measures. This figure illustrates the intuitive result that the fraud complete state probability under set d (having the largest recovery rates) is the lowest due to the effective recovery actions, and is the largest under set e (having the smallest recovery rates). In particular, P 3-d rises slowly to 0.273 at the end of the considered mission time; P 3-e soars up to 0.8 by t = 2 k hours, and then rises to 1 around 6 k hours.

SEMI-MARKOV PROCESS-BASED STEADY-STATE SOLUTION AND ANALYSIS
The CTMC-based time-dependent solution in Section 3 is limited to exponentially distributed transition time between different system states (ie, all the transition rates in Figure 3 are constant). However, in many applications, the Weibull distribution is a more desirable choice due to its additional shape parameter signifying the trend in the transition rate. In this section, we present the SMP-based 59-62 steady-state solution to systems subject to the sequential cyber-attack, which relaxes the limitation of the exponential transition time. Effects of different model parameters on the attack success probability are also investigated.

SEMI-MARKOV PROCESS-BASED SOLUTION
To illustrate the SMP-based steady-state solution, we consider a scenario where a banking fraud protection service is available to cancel any suspicious payments. Specifically, in the case of suspicious payments, eg, purchases of overpriced items, or credit card payments happening in a totally different area, the bank concerned would send the customer a message (via phone or email) to confirm the activity; the payment would be canceled if no positive confirmation is received. This fraud protection service can possibly bring the system back to the infection state from the fraud complete state, as shown in Figure 12. All the other transitions are similar to those in Figure 3. Different from the model in Figure 3, which has constant transition rates, the SMP model presented in Figure 12 is capable of handling nonexponential distributions such as the Weibull distribution or the Gamma distribution, represented using the cumulative distribution function (CDF) F ij (i, j = 0, 1, 2, 3). In particular, F ij denotes the CDF of the transition time from state i to state j. We choose the Weibull distribution with scale and shape parameters ( ij , ij ) in the following study due to its flexibility in modeling different failure rate behaviors and its wide application in system dependability. 53,63 The CDF of the Weibull distribution is F ij . The exponential distribution appears as a special case of the Weibull distribution when the shape parameter ij = 1. The Rayleigh distribution is also a special case of the Weibull distribution when the shape parameter ij = 2.
According to other works, 61,62,64 the hierarchical analytical approach for the steady-state analysis of an SMP contains two stages. Stage 1 evaluates the one-step transition probability matrix of the embedded Markov chain (EMC) of the SMP using equations (A1) to (A3) in the appendix of the work of Kumar et al. 62 Stage 2 evaluates the sojourn time in each system state. The steady-state probability P i of each state is then obtained using (6), where v i is the steady-state probability of state i ∈ {0,1,2,3} in the EMC, and T i is the sojourn time in state i ∈ {0,1,2,3} of the SMP.

FIGURE 12 Semi-Markov process model of the Trojan attack

Specifically, in stage 1, the SMP model is described by its kernel matrix K(t), whose elements k ij (t) are the probabilities that, given the SMP has just entered state i, the next transition occurs within time t and the next state is state j. 62 The matrix K(t) for the SMP model in Figure 12 is given in (7).
Assuming Weibull state transition times, the nonzero elements of K(t) are given in (8) to (14). 62 Wolfram Mathematica and MATLAB are used to calculate the complex integrals involved. For the SMP steady-state analysis, 64 the one-step transition probability matrix of the EMC is evaluated as K(∞) (t approaching infinity), as shown in (15), with the condition that the sum of the elements in each row of K(∞) is always 1. Thus, k 01 (∞) and k 32 (∞) should be equal to 1, as they are the only nonzero elements in row 1 and row 4, respectively. Solving the EMC steady-state equations v = v · K(∞) and v · e T = 1, where the row vectors are v = [v 1 v 2 v 3 v 4 ] and e = [1 1 1 1], we obtain the steady-state probabilities of the EMC for the SMP. This set of equations is solved with Wolfram Mathematica in this work to find the values of v i used in (6).
In stage 2, the sojourn time T i used in (6) is evaluated using (16) to (19) according to the work of Kumar et al. 62 Finally, according to (6), the steady-state probabilities P i (i = 0, 1, 2, 3) of the SMP model in Figure 12 are determined. The attack success probability is given by P 3 , and the system security equals 1-P 3 = P 0 + P 1 + P 2 . Table 7 shows the baseline values of the model parameters for the example system, based on statistics and data of other works. 62,[65][66][67] While in Section 3 the system security performance was investigated from the perspective of the user's protection awareness and recovery capability, in this section we study the effects of different transition time distribution parameters on the system security. In particular, we choose to vary one Weibull distribution parameter (scale or shape) of a single attack transition F 12 (case 1), of a single recovery transition F 10 (case 2), of all attack transitions (F 01 , F 12 , F 23 ) (case 3), or of all recovery transitions (F 10 , F 20 , F 21 , F 32 ) (case 4) to illustrate their effects on the system security performance.
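As an added illustration of the two-stage SMP analysis (example code, not the authors' Mathematica/MATLAB calculations), the following Python computes K(∞) and the sojourn times by numerical integration of the Weibull competing-transition integrals, solves the EMC equations v = v · K(∞), v · e T = 1, and combines them as P i = v i T i / Σ j v j T j , which is assumed here to be the content of equation (6). The parameter values in the script are constructed, and the midpoint integration rule is accurate for shape values of roughly 0.5 and above; the extreme shape 0.1 would need an adaptive rule.

```python
import math

# Transitions of the Figure 12 SMP model: the fraud-complete state 3 can now
# return to the infection state 2 through the bank's fraud-protection service.
TRANSITIONS = [(0, 1), (1, 0), (1, 2), (2, 0), (2, 1), (2, 3), (3, 2)]


def weibull_cdf(t, scale, shape):
    """F_ij(t) = 1 - exp(-(t/scale)^shape); shape 1 is exponential, 2 is Rayleigh."""
    return 1.0 - math.exp(-((t / scale) ** shape)) if t > 0.0 else 0.0


def weibull_pdf(t, scale, shape):
    if t <= 0.0:
        return 0.0
    z = (t / scale) ** shape
    return shape / t * z * math.exp(-z)


def integrate_0_inf(g, t_max, n=10000):
    """Midpoint rule for int_0^t_max g(t) dt with t = t_max * s^4, s in [0, 1].
    The substitution clusters nodes near t = 0 (where Weibull densities with
    shape < 1 are singular) and the open rule never evaluates g at t = 0."""
    h = 1.0 / n
    total = 0.0
    for k in range(n):
        s = (k + 0.5) * h
        total += g(t_max * s ** 4) * 4.0 * t_max * s ** 3
    return total * h


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting (small dense systems)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def emc_steady_state(k_inf):
    """Solve v = v K(inf), v e^T = 1 for the embedded Markov chain (EMC)."""
    n = len(k_inf)
    # (I - K)^T v = 0 has linearly dependent rows; replace the last one by sum(v) = 1.
    a = [[(1.0 if i == j else 0.0) - k_inf[j][i] for j in range(n)] for i in range(n)]
    a[-1] = [1.0] * n
    return solve_linear(a, [0.0] * (n - 1) + [1.0])


def smp_steady_state(params):
    """Two-stage SMP steady-state analysis.
    params maps (i, j) -> (scale, shape) of the Weibull transition time F_ij.
    Returns (P, v, T): SMP steady-state probabilities, EMC probabilities and mean
    sojourn times, combined as P_i = v_i T_i / sum_j v_j T_j (assumed to be (6))."""
    n = 1 + max(max(i, j) for i, j in params)
    k_inf = [[0.0] * n for _ in range(n)]   # stage 1: K(infinity)
    sojourn = [0.0] * n                      # stage 2: T_i
    for i in range(n):
        outs = [(j, params[(i, j)]) for j in range(n) if (i, j) in params]
        # Beyond t_max the fastest-decaying survival function is below e^-40.
        t_max = min(sc * 40.0 ** (1.0 / sh) for _, (sc, sh) in outs)

        def survival(t, outs=outs):   # P(no transition out of i before t)
            return math.prod(1.0 - weibull_cdf(t, sc, sh) for _, (sc, sh) in outs)

        sojourn[i] = integrate_0_inf(survival, t_max)
        for j, (sc, sh) in outs:
            rivals = [(s2, h2) for j2, (s2, h2) in outs if j2 != j]

            def wins(t, sc=sc, sh=sh, rivals=rivals):
                # density of the i->j time times the chance every rival is still pending
                return weibull_pdf(t, sc, sh) * math.prod(
                    1.0 - weibull_cdf(t, s2, h2) for s2, h2 in rivals)

            k_inf[i][j] = integrate_0_inf(wins, t_max)   # k_ij(infinity)
    v = emc_steady_state(k_inf)
    weights = [v[i] * sojourn[i] for i in range(n)]
    total = sum(weights)
    return [w / total for w in weights], v, sojourn


if __name__ == "__main__":
    # Constructed parameters in hours (NOT the paper's Table 7 values).
    base = {(0, 1): (200.0, 1.0), (1, 0): (100.0, 1.0), (1, 2): (500.0, 1.0),
            (2, 0): (300.0, 1.0), (2, 1): (150.0, 1.0), (2, 3): (50.0, 1.0),
            (3, 2): (24.0, 1.0)}
    for shape in (0.5, 1.0, 2.0, 5.0):       # case 1: sweep the shape of F_12
        params = {**base, (1, 2): (500.0, shape)}
        p, _, _ = smp_steady_state(params)
        print(f"shape_12={shape:<4} P3={p[3]:.4f}  security={1 - p[3]:.4f}")
```

With every shape set to 1 the SMP collapses to a CTMC, so the result can be checked against the CTMC steady state; with identical Weibull times on all transitions the EMC is unchanged but the sojourn times scale as n^(-1/shape), which gives a second closed-form check.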

Effects of scale parameter
We vary the value of the scale parameter from 1 second to 1 month and collect the system state probabilities and the final security (evaluated as P 0 + P 1 + P 2 ) in Tables 8 to 11 under four cases: changing the scale parameter of F 12 (mean time to infection), changing that of F 10 (mean time to delete malicious files or links), changing those of (F 01 , F 12 , F 23 ) (mean time from a better state to a worse state), and changing those of (F 10 , F 20 , F 21 , F 32 ) (mean time from a worse state to a better state), respectively. All other parameters remain the same as those in Table 7. Figures 13 to 16 show the results graphically.
Specifically, Figure 13 illustrates the graphical results when the scale parameter of F 12 (mean time to infection) varies from 1 second to 1 month. As it increases, the attack success probability (P 3 ) reduces, or equivalently the system security (P 0 + P 1 + P 2 = 1-P 3 ) increases. In particular, the steady-state probability of the clean state P 0 decreases quickly, but that of the acquisition state, P 1 , grows fast; their combined effect produces the increasing trend of the overall system security (last row of Table 8). Figure 14 illustrates the graphical results when the scale parameter of F 10 (mean time to delete hazardous files) varies from 1 second to 1 month. As it increases, the system stays longer in the acquisition state, making infection more likely. Thus, the attack success probability increases, or the system security decreases. Figure 15 illustrates the graphical results when the scale parameters of F 01 , F 12 , and F 23 vary simultaneously from 1 second to 1 month. A similar but more prominent decreasing trend than that in Figure 13 can be observed for the attack success probability. Figure 16 illustrates the graphical results when the scale parameters of F 10 , F 20 , F 21 , and F 32 vary simultaneously from 1 second to 1 month. A similar but more prominent increasing trend than that in Figure 14 can be observed for the attack success probability. It is notable that the system security (1-P 3 ) spans a much wider range (0.16 to 0.999) when the transition time parameters change together than when only one transition time parameter varies (0.91 to 0.99). All these results support the intuition that, as the time toward the fraud complete state takes longer (increasing the scale parameters of F 01 , F 12 , F 23 ), the attack success probability P 3 becomes lower (ie, the system security increases); as the recovery time toward the clean state takes longer (increasing the scale parameters of F 10 , F 20 , F 21 , F 32 ), the attack success probability P 3 becomes higher (ie, the system security decreases).
These studies clearly show that the steady-state probabilities and the system security are highly dependent on the scale parameters of the Weibull distributions modeling the transition time between different states.

Effects of shape parameter
In reliability engineering, the value of the shape parameter has a distinct effect on the failure rate. 53,63 Specifically, a shape parameter below 1 corresponds to a failure rate that decreases with time, a shape parameter equal to 1 corresponds to a constant failure rate (ie, the exponential distribution), and a shape parameter above 1 corresponds to a failure rate that increases with time. According to these characteristics, we choose shape values covering all three categories, specifically, (0.1, 0.5, 1, 1.5, 2, 5). Figure 17 illustrates the CDFs of the Weibull distribution with the chosen shape values and a scale parameter of 2. All the CDFs share a common point at t equal to the scale parameter, 2. Their relative order differs before and after this common turning point (eg, the CDF for shape 5 is the lowest among the six values before the point, but becomes the highest after it).

FIGURE 18 Steady-state probabilities and security with a changing shape parameter of F 12

While we vary the shape parameter, all other parameters remain the same as those in Table 7. Tables 12 to 15 summarize the system state probabilities and the final security under the four cases. Figures 18 to 21 show the results graphically.
Specifically, Figure 18 illustrates the steady-state probabilities and security when the shape parameter of F 12 varies. The attack success probability P 3 first increases, reaches its maximum around a shape value of 2, and then drops due to the interacting effects of the scale and shape parameters. This trend can be observed more clearly in the zoomed graph of the system security (right figure), which declines at the beginning, reaches its bottom around 2, and then ascends slowly. When the shape parameters of F 01 , F 12 , and F 23 vary simultaneously, the nonmonotonic change in the attack success probability or the system security becomes more apparent, as demonstrated in Figure 19. The curve for the system security declines quickly at the beginning, reaches its bottom around a common shape value of 0.4, then starts to increase, and eventually reaches the peak value 1. Figure 20 illustrates the monotonic decreasing trend of the system security as the shape parameter of F 10 increases within the set of considered values. It shows that the shape parameter affects the system security in a way that differs from the scale parameter ( Figure 14 versus Figure 20). The nonmonotonic change in the attack success probability or the system security appears again when the shape parameters of F 10 , F 20 , F 21 , and F 32 vary simultaneously, in Figure 21. Specifically, the system security ranges from 0.0008 to 0.9; it reaches its peak quickly at the beginning and then decreases gradually once the common shape value exceeds 1. It is also observed that, for the case with changing shape parameters of F 01 , F 12 , and F 23 , the system security plot is concave, while for the case with changing shape parameters of F 10 , F 20 , F 21 , and F 32 , the system security is a convex curve.
The analysis based on the numerical results in this section shows that the system steady-state probabilities and particularly, the system security, are highly dependent on values of the transition time distribution parameters. For the Weibull distribution studied, the scale parameter and the shape parameter affect the system security differently (the former's impact is more intuitive, while the latter's impact is more complicated appearing nonmonotonic).

CONCLUSION AND FUTURE WORK
Most of the existing works on security risk assessment have assumed independence among the different hazardous events leading to a successful malicious attack. In this paper, we have contributed by addressing sequence-dependent cyber-attacks in the modeling and analysis of the attack success probability (ie, the security risk occurrence probability). The solution methodology encompasses a CTMC-based method to assess the security risk occurrence probability for any mission time and an SMP-based method to assess the steady-state probabilities for systems subject to sequential cyber-attacks. While the CTMC-based method is limited to exponential state transition times, the SMP-based method is flexible in modeling diverse types of transition time distributions. Effects of different model parameters reflecting users' protection awareness and recovery capabilities are demonstrated via detailed analyses of Trojan attacks launched against the banking application.
There exist other types of sequential cyber-attacks such as the denial-of-service attack 68,69 and the buffer overflow attack. 70 The proposed model will be applied to these cases where different Markov models should be generated to represent their sequential attack behaviors and then analyzed to obtain the occurrence probabilities of security risks from those attacks. We are also interested in extending the SMP-based method for time-dependent analysis of systems under sequential cyber-attacks. Another direction is to study other types of dependencies (eg, function dependencies and competitions 33,71 ) in system security modeling and analysis. In addition, we are interested in exploring models and algorithms for addressing both reliability and security of complex systems in a unified manner.