Statistical Analysis of Computer Network Security

Abstract: In this thesis it isshown how to measure the annual loss expectancy of computer networks due to therisk of cyber attacks. With the development of metrics for measuring theexploitation difficulty of identified software vulnerabilities, it is possibleto make a measurement of the annual loss expectancy for computer networks usingBayesian networks. To enable the computations, computer net-work vulnerabilitydata in the form of vulnerability model descriptions, vulnerable dataconnectivity relations and intrusion detection system measurements aretransformed into vector based numerical form. This data is then used to generatea probabilistic attack graph which is a Bayesian network of an attack graph.The probabilistic attack graph forms the basis for computing the annualizedloss expectancy of a computer network. Further, it is shown how to compute anoptimized order of vulnerability patching to mitigate the annual lossexpectancy. An example of computation of the annual loss expectancy is providedfor a small invented example network