Methodology for forecasting the probability of an insider attack based on the analysis of Bayesian networks
DOI: 10.31673/2409-7292.2023.030404
https://doi.org/10.31673/2409-7292.2023.030404
Abstract
The insider threat poses a significant danger to any enterprise. To predict possible insider attacks, it is necessary to know the structure of the enterprise, the roles of its personnel and the security policies that are applied. Given the stochastic nature of the system, forecasting methods based on Bayesian estimation have become widely used. The article develops an insider threat forecasting model based on a Bayesian network, which includes a description of the various states in the form of a graph of network attacks, as well as a derivation algorithm for calculating the probability of an insider threat risk. The methodology rests on two concepts: an "elementary attack", the minimum set of operations necessary for an attacker to move from one resource to the next, and a "proof of intrusion", a collection of a series of an attacker's actions, recorded on the way from one resource to another, which can be monitored using a log. The extent of an intrusion is measured by the "proof of intrusion confidence", the probability that a proof of intrusion determined over a set of operations covers an elementary attack. To verify the reliability of the proposed method of predicting an insider attack, a Monte Carlo simulation was carried out in which the variables were determined using a random number generator. The simulation results show that as the number of trials and the initial probability of penetration to a resource (an individual node of the network) increase, the total number of penetrations increases, and the total probability of penetration to the node also increases. However, the result is almost independent of the current trial step, and the overall probability remains constant. The network structure of the insider threat, as described by the Bayesian model, can be used to calculate the overall probability of insider attacks.
Keywords: insider, insider attack, Bayesian network, Bayesian estimation, penetration, forecasting.
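
The following sketch is an added example, not code or data from the article: it treats each edge of a small attack graph as an elementary attack, computes the exact probability that the target node is penetrated, and checks it with a Monte Carlo simulation of the kind the abstract describes. The node names, edge probabilities and the independence of elementary attacks are assumptions made for illustration.

```python
import itertools
import random

# Constructed attack graph (assumption, not from the article): each edge is an
# "elementary attack" with an assumed, independent success probability.
EDGES = {
    ("workstation", "file_server"): 0.30,
    ("workstation", "mail_server"): 0.20,
    ("file_server", "database"): 0.50,
    ("mail_server", "database"): 0.40,
}
ENTRY, TARGET = "workstation", "database"


def reachable(successful_edges, entry=ENTRY, target=TARGET):
    """True if target can be reached from entry over the successful edges."""
    seen, stack = {entry}, [entry]
    while stack:
        node = stack.pop()
        for src, dst in successful_edges:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return target in seen


def exact_probability(edges=EDGES):
    """Sum the probability of every edge outcome in which the target falls."""
    items = list(edges.items())
    total = 0.0
    for outcome in itertools.product([True, False], repeat=len(items)):
        weight = 1.0
        for (_, p), ok in zip(items, outcome):
            weight *= p if ok else 1.0 - p
        if reachable([e for (e, _), ok in zip(items, outcome) if ok]):
            total += weight
    return total


def monte_carlo(trials, edges=EDGES, seed=1):
    """Estimate the same probability by sampling each elementary attack."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        ok = [e for e, p in edges.items() if rng.random() < p]
        hits += reachable(ok)
    return hits, hits / trials
```

With these constructed values the number of simulated penetrations grows with the number of trials, while the estimated probability stays close to the exact value of 0.218.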