Network Security Risk Assessment Based on Item Response Theory

Because the traditional risk assessment method is one-sided and cannot easily reflect the real network situation, a risk assessment method based on Item Response Theory (IRT) is put forward for network security. First, novel algorithms for calculating the threat of attack and the successful probability of attack are proposed by combining the IRT model with the Service Security Level. Second, the service weight of importance is calculated by the three-demarcation analytic hierarchy process. Finally, the risk situation graphs of the service, host and network logic layers can be generated by the improved method. The simulation results show that this method considers the factors affecting network security more comprehensively and obtains a more realistic network risk situation graph in real time.


INTRODUCTION
Network security situation awareness [7] is a new security technology based on the analysis of historical data and the detection of the current network security status. Network security situation assessment is the important link between obtaining situation elements and predicting trends in network security situation awareness. To solve wireless network risk evaluation problems, a four-layer wireless network risk assessment mechanism was proposed according to the characteristics of different configurations [10]. At the same time, some traditional assessment methods only consider the influence of vulnerabilities found by scanning the network, not the safety measures in place [1,13]. In fact, the threat to the network is the inherent vulnerability threat that remains after safety measures are taken. Moreover, the threat of attack is defined too broadly in most risk assessment methods [9,5].
This paper puts forward a method that combines item response theory with the hierarchical network risk assessment model. It addresses several problems. First, the lack of objectivity in the successful probability of attack is improved by using system information, the Common Vulnerability Scoring System (CVSS) [2,8] and the safety measures. Next, the concept of attack ability is introduced through item response theory, which improves the discrimination of the threat of attack. Then, the accuracy of the service weight of importance is improved by calculating it with the three-demarcation analytic hierarchy process [12]. Finally, the risk situation graphs of the service, host and network logic layers are drawn by analyzing the risk situation of each layer.

NETWORK SECURITY RISK ASSESSMENT BASED ON ITEM RESPONSE THEORY
Item response theory [4,3,11], also called latent trait theory, is widely used in pedagogy and originated with the American psychological statistician Frederic M. Lord. It is a method that estimates the ability of a tester and links it to the probability of the tester's response to each item.

The Real-time Network Security Risk Assessment Framework
In order to evaluate network security scientifically and manage risk incidents effectively, some measures should be taken. The network security risk situation is displayed by a risk situation graph, so that we can focus on protecting the services or hosts with high risk. As the size of real networks expands constantly, the network system (System) is divided, from the bottom up, into the vulnerability logic layer (Vulnerability), service logic layer (Service), host logic layer (Host) and network logic layer (Network), and is given as follows:
where RV = ∪Rv_i is the set of vulnerability logic layer properties, which reflects how difficult it is to attack a service through its existing vulnerabilities, the complexity of the attack and the conditions of the attack;
where RS = ∪Rs_i is the set of service logic layer properties, which reflects the risk situation of an attacked service by service category, quantity and degree of importance in the host;
where RH = ∪Rh_i is the set of host logic layer properties, which reflects the risk situation of a working host by host category, quantity and degree of importance in the network;
where RN is the set of network logic layer properties, which represents the aggregation of the logical layers below it.
The real-time network security risk assessment framework is shown in Figure 1.
Based on the alarm information of the IDS, the target network topology and the vulnerability information, combined with the rule base, the risk situation is evaluated from the service logic layer up to the network logic layer.
The following are four basic definitions used in the assessment process.

Definition 1. Attack alarm (A): the behaviors that trigger IDS alarm information are called attack alarms. An attack alarm can be expressed as A = {ID, Time, Type, SIP, DIP, SP, DP}, where ID is the serial number of the attack event, Time is the time at which it occurred, Type is the type of attack activity, SIP and SP are the IP address and port number of the attack source respectively, and DIP and DP are the IP address and port number of the attack destination respectively.
Definition 2. The service weight of importance (SW): SW reflects the degree of importance of a service in the host, which depends on the average number of visits, the access frequency and the degree of importance in the host. SW_i is the weight of importance of service i and is expressed as follows:
where SI_i is the importance of service i and n is the total number of services running in the host.
Definition 3. Attack Successful Probability (AP): Attack Successful Probability is the probability that an attack which exploits service vulnerabilities and performs dangerous activities succeeds.
Definition 4. Defensive intensity (I): Defensive intensity is the degree to which the security protection measures that have been taken obstruct an attack.

The Threat of Attack Algorithm Based on Item Response Theory
The threat of network attack is mainly divided into two parts: one targets user permissions, including faking the legitimacy of a user identity and illegally elevating permissions to steal or tamper with information on the server; the other is malicious traffic that disrupts the network function, using a large number of service requests to consume service resources so that the server finds it difficult or impossible to handle legitimate user requests. The threat of network attack adopts the algorithms of [9] and [5], which use a threat factor to define the threat of attack on a service, distinguishing port scan attacks, denial of service, privilege elevation and remote user attacks to classify all kinds of attack. The threat factor is then regarded as the major factor in judging the threat of attack.
However, we consider that different attack behaviors within the same type of attack may differ in their threat of attack. In order to improve the discrimination of the traditional threat of attack, the concept of attack ability is proposed on the basis of item response theory and a new threat of attack formula is defined as formula (4).
where θ_i is the ability of attack i, which is determined by parameter estimation from the single-parameter logistic function and the attack response matrix; TF_i is the threat factor of attack i, which is quantized separately as a digit from 1 to 3.

Attack Successful Probability Algorithms Based on Item Response Theory
A successful attack is inseparable from certain conditions, for instance, that special ports are open, that security defects exist in certain positions, that the vulnerabilities can be exploited, and so on. When these conditions are not satisfied or only partially satisfied, the Attack Successful Probability is greatly reduced. Because [13] does not consider the impact of Defensive intensity and attack ability, the Attack Successful Probability is redefined on the basis of item response theory.
Definition 5. Service Security Level (SL): the degree of obstruction that an attack meets is referred to as the Service Security Level. It is constituted by the vulnerability information (C) and the Defensive intensity (I). The vulnerability information is determined by CVSS, as shown in Table 1, and the formula is defined as C = (AC + AV + AU) / 3. Defensive intensity is listed in Table 2.
According to the above analysis, Service Security Level is defined as formula (5), and, combined with the single-parameter logistic model of item response theory, Attack Successful Probability is put forward as formula (6).
where λ1 and λ2 are the proportions that the vulnerability and the security measures respectively account for in service safety; from past experience, λ1 = 0.4 and λ2 = 0.6; θ_i indicates the ability of attack i; D = 1.702 is a constant. As time passes, new attacks will be detected, the original attack response matrix will change and the attack ability will be updated. Thus, the threat of attack and the Attack Successful Probability can be updated in real time.
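The following is an added worked example (not code from the paper) of the Attack Successful Probability machinery described above. It assumes that formula (5) is the linear combination SL = λ1·C + λ2·I, that formula (6) is the standard single-parameter logistic model AP = 1 / (1 + exp(-D(θ - SL))) with SL playing the role of item difficulty, and that the attack ability θ is estimated by maximum likelihood from a constructed attack response matrix; the metric values, defensive intensities and response rows are constructed sample data, not the paper's Tables 1 and 2.

```python
import math

D = 1.702                       # scaling constant given in the paper
LAMBDA_1, LAMBDA_2 = 0.4, 0.6   # proportions of vulnerability and defence (paper's values)


def vulnerability_info(ac, av, au):
    """C = (AC + AV + AU) / 3 from the CVSS-derived metric values (paper's formula)."""
    return (ac + av + au) / 3.0


def service_security_level(c, i):
    """Assumed form of formula (5): weighted sum of vulnerability info and defensive intensity."""
    return LAMBDA_1 * c + LAMBDA_2 * i


def attack_success_probability(theta, sl):
    """Assumed form of formula (6): 1PL logistic model, SL acts as the item difficulty."""
    return 1.0 / (1.0 + math.exp(-D * (theta - sl)))


def estimate_ability(responses, difficulties, iters=50):
    """Maximum-likelihood estimate of theta for one attack from its row of the attack
    response matrix (1 = attack succeeded against that service, 0 = it did not),
    using Newton-Raphson on the 1PL log-likelihood. Rows that are all 1 or all 0
    have no finite MLE, so the estimate is clamped to [-3, 3]."""
    theta = 0.0
    for _ in range(iters):
        ps = [attack_success_probability(theta, b) for b in difficulties]
        grad = D * sum(u - p for u, p in zip(responses, ps))        # d logL / d theta
        hess = -D * D * sum(p * (1.0 - p) for p in ps)              # d2 logL / d theta2
        step = grad / hess
        theta = max(-3.0, min(3.0, theta - step))
        if abs(step) < 1e-9:
            break
    return theta


if __name__ == "__main__":
    # Constructed sample data: four services with quantized (AC, AV, AU) and defensive intensity I.
    services = [((0.2, 0.3, 0.4), 0.3), ((0.5, 0.5, 0.5), 0.5), ((0.6, 0.7, 0.8), 0.7), ((0.9, 0.9, 0.9), 0.9)]
    sl = [service_security_level(vulnerability_info(*c), i) for c, i in services]
    # Constructed attack response matrix: one row per attack observed by the IDS.
    response_matrix = {"attack_1": [1, 1, 1, 0], "attack_2": [1, 0, 0, 0]}
    for name, row in response_matrix.items():
        theta = estimate_ability(row, sl)
        print(name, "theta=%.3f" % theta, ["%.3f" % attack_success_probability(theta, b) for b in sl])
```

When a new attack appears in the response matrix, re-running estimate_ability for its row is the real-time update the text describes.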

The Factor of Risk Weight
According to the factors that affect service performance, the importance of a service is mainly decided by the average number of visits, the access frequency and the degree of importance in the host, and is calculated by the three-demarcation analytic hierarchy process. We establish a process for calculating the weight step by step from the index layer to the target layer.
a) Establish the comparison matrix:
z_ij = 2 when z_i is more important than z_j; z_ij = 1 when z_i is as important as z_j; z_ij = 0 when z_i is less important than z_j (6)
where z_i is an index layer or criterion layer evaluation, z_i ∈ Z (i = 1, 2, ..., n), and z_ij indicates the relative importance of z_i and z_j.
b) Establish the judgment matrix:
where r_i is the sum of the comparison matrix elements in row i, and r_max and r_min are the maximum and minimum values of r_i. The judgment matrix is Q = ∪q_ij (i, j = 1, 2, ..., n), and e_i is a constant that reflects the relative importance under a certain standard; e_i = 9 is often taken in practical applications. Let w_s and w_p be the index layer and criterion layer weights respectively; w_srv is the weight of a service in the target layer and w_host is the weight of a host.
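The three-demarcation procedure above, as an added example that is not part of the paper. The page does not reproduce the judgment-matrix formula, so the block assumes the standard three-scale construction (q_ij = (r_i - r_j)/(r_max - r_min)·(e - 1) + 1 when r_i ≥ r_j, and its reciprocal otherwise, with e = 9), derives layer weights as normalized row geometric means of Q, and synthesizes w_srv as the criterion-weighted sum of the index-layer weights; the service and criterion rankings are constructed sample data.

```python
from math import prod

E = 9  # e_i = 9, the constant the paper takes in practice


def comparison_matrix(ranks):
    """Three-demarcation comparison matrix from a list of ranks (1 = most important).
    z_ij = 2 if z_i outranks z_j, 1 if they tie, 0 if z_j outranks z_i."""
    n = len(ranks)
    return [[2 if ranks[i] < ranks[j] else 1 if ranks[i] == ranks[j] else 0
             for j in range(n)] for i in range(n)]


def judgment_matrix(z):
    """Assumed standard three-scale mapping from row sums r_i to a reciprocal matrix Q.
    If every r_i is equal there is nothing to discriminate and Q is all ones."""
    r = [sum(row) for row in z]
    rmax, rmin = max(r), min(r)
    n = len(z)
    q = [[1.0] * n for _ in range(n)]
    if rmax == rmin:
        return q
    for i in range(n):
        for j in range(n):
            if r[i] >= r[j]:
                q[i][j] = (r[i] - r[j]) / (rmax - rmin) * (E - 1) + 1
            else:
                q[i][j] = 1.0 / ((r[j] - r[i]) / (rmax - rmin) * (E - 1) + 1)
    return q


def weights(q):
    """Layer weights: normalized geometric mean of each row (assumed eigenvector approximation)."""
    n = len(q)
    gm = [prod(row) ** (1.0 / n) for row in q]
    total = sum(gm)
    return [g / total for g in gm]


def service_weights(criterion_ranks, service_ranks_per_criterion):
    """w_srv for each service: sum over criteria p of w_p * w_s(p), the AHP synthesis step."""
    wp = weights(judgment_matrix(comparison_matrix(criterion_ranks)))
    ws = [weights(judgment_matrix(comparison_matrix(r))) for r in service_ranks_per_criterion]
    n = len(service_ranks_per_criterion[0])
    return [sum(wp[p] * ws[p][i] for p in range(len(wp))) for i in range(n)]


if __name__ == "__main__":
    # Constructed ranking: criteria = (importance in host, access frequency, average visits);
    # services = (TELNET, WWW, FTP) ranked under each criterion in that order.
    print(service_weights([1, 2, 3], [[1, 2, 3], [2, 1, 3], [2, 1, 3]]))
```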

The Value of Risk Situation
The risk situation represents the extent of harm caused by attacks on the network; it can be assessed from the threat factor, the attack ability, the Attack Successful Probability, the weight of importance and other factors. As the value of the risk situation increases, the danger to the network also increases.
Definition 6. Risk of service (SR): within the time (t, t + Δt), the number of attacks on service Si (0 …); the threat factor and the attack ability of attack type k are TF_k and θ_k. The risk situation of service Si is defined as formula (13).
Definition 7. Risk of host (HS): within the time (t, t + Δt), u kinds of services run in the host Hg (1 ≤ g ≤ v) and the weight of service is Si (0 ≤ i ≤ u). The risk situation of host Hg is defined as formula (14).

EXPERIMENT RESULTS ANALYSIS AND COMPARISON
In order to verify that the proposed method is scientific and comprehensive, the laboratory simulation platform was used to collect network data over two months, from July 1, 2013 to August 31, 2013, and to analyze the risk of vulnerable hosts dynamically.

The Three-demarcation Analytic Hierarchy Process to Calculate the Weight of Importance
Service information and vulnerability information are used as our experimental data. The target layer expresses the importance of the service; the criterion layer represents the values of the average number of visits, the access frequency and the degree of importance in the host; the index layer signifies the service whose importance is to be calculated. From experience, we respectively define the degree of importance, the access frequency and the average number of visits in the host as [0.6 0. Based on this method, we can calculate the service and host weights of importance as shown in Table 3.
Data analysis shows that the three-demarcation analytic hierarchy process not only reduces the complexity of the nine-demarcation analytic hierarchy process [6], but also avoids the fuzziness of the weights when constructing the judgment matrix.

The Threat of Attack and Attack Successful Probability
Using the above definitions of the threat of attack and the Attack Successful Probability algorithms, we take the service, vulnerability and attack alarm information from July as the basic data. After statistical analysis, there are 7 kinds of service in the network, attacked by 12 kinds of attack. We use the parameter estimation method of item response theory to obtain the attack ability and calculate the Attack Successful Probability as shown in formula (4). The threat of attack obtained by the proposed method and by the conventional method is shown in the curves of Figure 2.
In order to achieve a real-time risk situation, we count the number of attacks for each day of August. If a new attack appears which did not appear last month, it is added to the original attack response matrix. At the same time, the probability matrix and the threat of attack are updated.

Network Risk Assessment in Real Time
With the network data from August 2013, the improved risk assessment algorithm is used to calculate the risk of the whole network every other day. Then we can draw a one-month trend curve of risk and make a decision, as shown in Figure 3. We can see that the TELNET service suffered the most serious attacks in the month, the WWW service the second most, and the FTP service had the lowest attack risk. There are four hosts with vulnerabilities in the network, and their risk situation is exhibited in Figure 4. We see that the risk of host 4 is the largest, and the risk of the remaining three hosts is similar. The risk situation of the whole network is shown in Figure 5. Through the analysis of the above three figures, network attacks occurred for the most part on weekends, so we believe that the attackers are likely to have

The Comparison of Network Risk
The occurrence of network security events involves great contingency and randomness. If only the losses are considered, we can hardly restore the real security situation. Thus, a novel method for assessing the network is proposed. The traditional assessment method of the risk situation is improved by the Attack Successful Probability, the weight of importance, the Service Security Level and the attack ability. The network risk assessment results of the two methods are shown in the curves of Figure 6. It is obvious that the value of the risk situation in method [5] is higher than that of the proposed method. In fact, some attacks do not succeed in harming the network, and the calculation of the threat of attack in [5] is imprecise. For example, on a few days whose security differs greatly, several different decisions on network protection could have been taken, but the gap between the results of the conventional method may not be obvious, leading to the same decision. With the proposed method, we can thus reduce the waste of resources. These issues easily cause the conventional methods to misrepresent the real status of network security, misleading the network security administrator or even leading to wrong decisions. Accordingly, with the risk assessment method in this paper, the quantitative risk situation obtained is not only comprehensive but also directive.

CONCLUSION
In this paper, we have quantitatively analyzed the risk situation in the service, host and network logic layers, and proposed a novel risk assessment method for network security based on item response theory. Compared with traditional methods, its advantages are as follows:
1) In contrast with risk assessment based only on vulnerabilities found by security detection and scanning facilities, we have defined a security parameter that combines CVSS with Defensive intensity, so we obtain more comprehensive and reasonable results.
2) The accuracy of the importance weight is improved by the three-demarcation analytic hierarchy process.
3) Combined with item response theory, we propose a threat of attack algorithm with a higher degree of discrimination and a more realistic Attack Successful Probability algorithm.
4) By updating the Attack Successful Probability and the threat of attack dynamically, we realize real-time assessment of the risk situation.
Because it is affected by the accuracy of the dataset, this method has certain limitations. Future work will be devoted to improving the accuracy of the dataset in large-scale networks. We would like to obtain a more comprehensive and more precise quantitative analysis of the risk situation.

Definition 8. Risk of network (NS): within the time (t, t + Δt), v kinds of hosts are running in the network and the weight of host is Hg (1 ≤ g ≤ v). The risk situation of the network is defined as formula (15).

Figure 2: Comparison of the Threat of Attack with Two Methods

Figure 3: Risk of Services in Real Time
Figure 4: (caption not recovered)

Figure 5: Risk of Network in Real Time

Figure 6: Comparison of Network Risk Assessment with Two Methods