Sage Journals: Discover world-class research

Abstract

This paper describes an approach for improving cyber resilience through the synthesis of optimal microsegmentation policy for a network. By leveraging microsegmentation security architecture, we can reason about fine-grained policy rules that enforce access for given combinations of source address, destination address, destination port, and protocol. Our approach determines microsegmentation policy rules that limit adversarial movement within a network according to assumed attack scenarios and mission availability needs. For this problem, we formulate a novel optimization objective function that balances cyberattack risks against accessibility to critical network resources. Given the application of a particular set of policy rules as a candidate optimal solution, this objective function estimates the adversary effort for carrying out a particular attack scenario, which it balances against the extent to which the solution restricts access to mission-critical services. We then apply artificial intelligence techniques (evolutionary programming) to learn microsegmentation policy rules that optimize this objective function.

Keywords

Security policy optimization attack graphs genetic algorithms

Get full access to this article

View all access options for this article.

References

United States Army Training and Doctrine Command (TRADOC). The US Army in multi-domain operations, 2028. Pamphlet 525-3-1, 6 December 2018. Fort Eustis, VA: TRADOC.

Bodeau

Graubart

. Cyber resiliency engineering framework. Technical report MTR110237, September 2011. McLean, VA: The MITRE Corporation.

Linkov

Eisenberg

Plourde

, et al. Resilience metrics for cyber systems. Environ Syst Decis 2013; 33: 471–476.

Ross

Pillitteri

Graubart

, et al. Developing cyber resilient systems: a systems security engineering approach, vol. 2 (Special publication no. 800-160). Gaithersburg, MD: National Institute of Standards and Technology (NIST), 2019.

Klein

Micro-segmentation: securing complex cloud environments. Netw Secur 2019; 2019: 6–10.

Program Executive Office Command Control Communications-Tactical (PEO C3T). Command post computing environment, https://peoc3t.army.mil/mc/cpce.php (accessed 20 November 2020).

Noel

A review of graph approaches to network security analytics. In: Samarati

Ray

(eds) From database to cyber security (Lecture notes in computer science). Cham: Springer, 2018, pp. 300–323.

Albanese

Jajodia

Noel

(inventors). Methods and systems for determining hardening strategies. Patent 9,203,861, USA, 1 December 2015.

Million

The Hadamard product, 2007, http://buzzard.ups.Edu/courses/2007spring/projects/million-paper.pdf (accessed 28 November 2018).

10.

Noel

Jajodia

Understanding complex network attack graphs through clustered adjacency matrices. In: Proceedings of the 21st annual computer security applications conference (ACSAC), Tucson, AZ, 5–9 December 2005.

11.

Kepner

Gilbert

Graph algorithms in the language of linear algebra. Philadelphia, PA: Society for Industrial and Applied Mathematics (SIAM), 2011.

12.

Weisstein

EW.

Matrix multiplication, http://mathworld.wolfram.com/MatrixMultiplication.html (accessed 30 November 2018).

13.

Valiant

LG.

The complexity of enumeration and reliability problems. SIAM J Comput 1979; 8: 410–421.

14.

Roberts

Kroese

DP.

Estimating the number of s–t paths in a graph. J Graph Algorithm Appl 2007; 11: 195–214.

15.

Eppstein

Finding the k shortest paths. SIAM J Comput 1998; 28: 652–673.

16.

Aljazzar

Leue

K^∗: a heuristic search algorithm for finding the k shortest paths. Artif Intell 2011; 175: 2129–2154.

17.

Miettinen

Nonlinear multiobjective optimization. New York: Springer Science+Business Media, 1998.

18.

Rebovich

Cormier

Norman

, et al. Systems engineering guide. McLean, VA: The MITRE Corporation, 2014.

19.

Musman

Tanner

Temin

, et al. A systems engineering approach for crown jewels estimation and mission assurance decision making. In: Proceedings of the IEEE symposium on computational intelligence in cyber security, Paris, 11–15 April 2011, pp. 210–216. New York: IEEE.

20.

Heinbockel

Noel

Curbo

. Mission dependency modeling for cyber situational awareness. In: Proceedings of the NATO IST-148 symposium on cyber defence situation awareness, Sofia, 3–4 October 2016, pp. 5.1–5.14. North Atlantic Treaty Organization Science and Technology Organization.

21.

Schulz

O’Gwynn

Kepner

, et al. Dynamically correlating network terrain to organizational missions. In: Proceedings of the NATO IST-153/RWS-21 workshop on cyber resilience, Munich, 23–25 October 2017, pp. 1–5. CEUR Workshop Proceedings.

22.

Fortin

De Rainville

Gardner

, et al. DEAP: evolutionary algorithms made easy. J Mach Learn Res 2012; 13: 2171–2175.

23.

Amazon Web Services (AWS). Elastic compute cloud, 2020, https://aws.amazon.Com/ec2/ (accessed 17 November 2020).

Optimizing network microsegmentation policy for cyber resilience

Abstract

Keywords

Get full access to this article

References