Minimizing Expected Maximum Risk from Cyber-Attacks with Probabilistic Attack Success

Organizations are being hit by small and large multi-stage cyber-attacks every day. One tool for integrating and analyzing many potential multi-stage attacks is the attack graph. Nodes of an attack graph represent attack states, and the arcs represent atomic attacks. The attack graph as a whole represents all the potential attack paths to compromise target nodes beginning from a set of initially vulnerable nodes. Given a limited budget, finding an optimal subset of arcs in the attack graph is an important problem in seeking to optimally deploy security countermeasures to minimize risks associated with potential cyber-attacks. In this research, we develop a stochastic network interdiction model based on a probabilistic attack graph with uncertain attack success probabilities on arcs and formulate it as a two-stage stochastic mixed-integer linear program. We employ the sample average approximation scheme in conjunction with Benders decomposition approach to solve the resulting problem. Our model provides an optimal recommendation for countermeasure deployment in a stochastic environment. Results demonstrate the value of stochastic solutions and the variation of risk with the accuracy of estimates of attack success probabilities.