A bottom-up approach to applying graphical models in security analysis

Abstract

Graphicalmodels have emerged as a widely adopted approach to conducting security analysis for computer and network systems. The power of graphical models lies in two aspects: the graph structure can be used to capture correlations among security events, and the quantitative reasoning over the graph structure can render useful triaging decisions when dealing with the inherent uncertainty in security events. In this work we leverage these powers afforded by graphical model in security analysis. Given that the analyst is the intended user of the model, the most difficult task for research in this area is to understand the real world constraints under which security analysts must operate with. Those constraints dictate what parameters are realistically obtainable to use in the designed graphical models, and what type of reasoning results can be useful to analysts. We present how we use this bottom-up approach to design customized graphical models for enterprise network intrusion analysis. In this work, we had to design specific graph generation algorithms based on the concrete security problems at hands, and customized reasoning algorithms to use the graphical model to yield useful tools for analysts.