Network Risk Estimation: A Risk Estimation Paradigm for Cyber Networks

Arda Bayer, David Maluf, Behnaam Aazhang

TL;DR

Network Risk Estimation (NRE) addresses the challenge of estimating per-entity cyber risk in large, dynamic networks using sparse measurements. It builds a functional connectivity graph from connection data, models risk propagation as linear diffusion on this graph, and refines estimates with a Kalman filter, producing a real-time probabilistic risk distribution over all entities. The approach enables risk-aware network management, including simple safe routing, and demonstrates superior network-state inference on CIC-IDS-2017 data compared with risk-measurement baselines, while maintaining scalable real-time performance through partitioning and memory mechanisms. Overall, NRE provides a data-driven, adaptive framework that enhances visibility and security of cyber networks in real time.

Abstract

Cyber networks are fundamental to many organizations' infrastructure, and the size of cyber networks is increasing rapidly. Risk measurement of the entities/endpoints that make up the network via available knowledge about possible threats has been the primary tool in cyber network security. However, the dynamic behavior of the entities and the sparsity of risk-measurable points are limiting factors for risk measurement strategies, which results in poor network visibility given the volatility of cyber networks. This work proposes a new probabilistic risk estimation approach to network security, NRE, which operates on top of existing risk measurements. The proposed method, NRE, extracts relationships among system components from the network connection data, models risk propagation based on the learned relationships and refines the estimates whenever risk measurements are provided. In this work, (i) the risk estimation scheme is proposed, (ii) an application of quantitative risk estimates is devised, (iii) the descriptiveness of the risk estimates is compared to a pure risk measurement alternative and (iv) the low computational complexity of the proposed method is illustrated, showing that it is capable of real-time deployment. The proposed method, NRE, is ultimately a quantitative data-driven risk assessment tool that can be used to add security aspects to existing network functions, such as routing, and it provides a robust description of the network state in the presence of threats, capable of running in real time.
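An added illustration of the NRE loop the abstract describes (example code written for this summary, not the authors' implementation): risk propagates by linear diffusion over a constructed functional connectivity graph F, the sparse risk measurements are fused with a Kalman filter, and the resulting per-entity estimate drives the safe-routing choice sketched in Figure 2. The graph weights, the `keep` mixing factor, the noise levels `q` and `r`, and the measurement values are all assumptions.

```python
# Added example, not the paper's code. Constructed functional connectivity graph F:
# F[i][j] = learned strength of influence of entity i on entity j.
F = [[0.0, 0.6, 0.0, 0.0, 0.0],
     [0.2, 0.0, 0.5, 0.0, 0.0],
     [0.0, 0.3, 0.0, 0.4, 0.0],
     [0.0, 0.0, 0.2, 0.0, 0.5],
     [0.0, 0.0, 0.0, 0.3, 0.0]]
N = len(F)

def diffusion_matrix(F, keep=0.7):
    """Linear diffusion x(t+1) = A x(t): an entity keeps `keep` of its own risk
    and absorbs the rest as a weighted mean of its influencers' risk (rows sum to 1)."""
    A = [[0.0] * N for _ in range(N)]
    for j in range(N):
        total = sum(F[i][j] for i in range(N)) or 1.0
        for i in range(N):
            A[j][i] = (1 - keep) * F[i][j] / total
        A[j][j] += keep
    return A

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def predict(x, P, A, q=0.01):
    """Kalman predict step: x <- A x, P <- A P A^T + Q with Q = q*I (process noise)."""
    x = [sum(a * v for a, v in zip(row, x)) for row in A]
    P = matmul(matmul(A, P), [list(c) for c in zip(*A)])
    for i in range(N):
        P[i][i] += q
    return x, P

def update(x, P, measured, r=0.05):
    """Fuse sparse measurements {entity: risk} one at a time (H = e_i, noise r)."""
    for i, z in measured.items():
        K = [P[k][i] / (P[i][i] + r) for k in range(N)]   # Kalman gain column
        x = [xk + Kk * (z - x[i]) for xk, Kk in zip(x, K)]  # x[i] is the prior here
        P = [[P[k][j] - K[k] * P[i][j] for j in range(N)] for k in range(N)]
    return x, P

def safest_route(x, routes):
    """Safe routing as in Figure 2: prefer the route whose relays carry the least estimated risk."""
    return min(routes, key=lambda route: sum(x[e] for e in route))

def run_nre(steps=3):
    """Only entities 0 and 4 are risk-measurable (constructed values); the filter
    spreads their evidence to the unmeasured entities through the graph."""
    x = [0.1] * N                                           # prior risk per entity
    P = [[1.0 if i == j else 0.0 for j in range(N)] for i in range(N)]
    A = diffusion_matrix(F)
    for _ in range(steps):
        x, P = predict(x, P, A)
        x, P = update(x, P, {0: 0.9, 4: 0.05})
    return x
```

Entities 1 and 3 are never measured, yet after a few steps entity 1 inherits a high estimate from its measured neighbour 0 and entity 3 a low one from entity 4, which is exactly the visibility gain over pure measurement that the abstract claims.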

Paper Structure

This paper contains 22 sections, 15 equations, 14 figures, 1 table.

Figures (14)

  • Figure 1: An enterprise network consisting of users, servers and routers. The interconnection of these entities makes up the network topology, which indicates existing direct communication channels. The network topology of a cyber network is the starting point of Risk Estimation.
  • Figure 2: An application of risk estimation on a cyber network. The graph gives the network topology where each node is an entity, and an edge indicates an allowed communication channel. Red entities are measured to have relatively higher risks, green entities have low measured risks, and blue entities desire to communicate. Two possible routes are depicted via green and red dashed arrows. For safe routing, the green path is chosen over the red one since measured entities in the vicinity have less risk.
  • Figure 3: An illustration of the synchronization process involving two entities. Shaded and unshaded regions denote consecutive synchronization time windows. Flows: Flow history of two arbitrary entities. Each tick corresponds to a flow in connection data. Activation: The connection parameters that lead to a signal that depicts the activities of respective entities. Number of Packets Received (NPR): Another connection parameter that grants a signal indicating the number of packets an entity receives. Ultimately, the obtained signals are defined per entity and are synchronous.
  • Figure 4: A Functional Connectivity Graph $\mathbf{F}$ that manifests the relationships among entities at two different timestamps: (a) $\mathbf{F}^{(t)}$ and (b) $\mathbf{F}^{(t+\tau)}$. For each pair of entities $(i,j)$, the strength of influence $F^{(.)}_{ij}$ is calculated, which results in a weighted directed graph in general. The graph evolves with time as the connections happen.
  • Figure 5: Entity groups detected via spectral partitioning algorithm. Left: The matrix representation of the Functional connectivity graph $\mathbf{F}^{(t)}$ for the whole network where entities are enumerated on both axes. The $(i,j)$th entry, or $F^{(.)}_{ij}$, is the weight quantifying how much entity $i$ influences entity $j$. Right: A sub-network of interest. Risk estimation is solved independently on the detected entity groups.
  • ...and 9 more figures