Security Threat Assessment of an Internet Security System Using Attack Tree and Vague Sets

Security threat assessment of the Internet security system has become a greater concern in recent years because of the progress and diversification of information technology. Traditionally, the failure probabilities of bottom events of an Internet security system are treated as exact values when the failure probability of the entire system is estimated. However, security threat assessment when the malfunction data of the system's elementary event are incomplete—the traditional approach for calculating reliability—is no longer applicable. Moreover, it does not consider the failure probability of the bottom events suffered in the attack, which may bias conclusions. In order to effectively solve the problem above, this paper proposes a novel technique, integrating attack tree and vague sets for security threat assessment. For verification of the proposed approach, a numerical example of an Internet security system security threat assessment is adopted in this paper. The result of the proposed method is compared with the listing approaches of security threat assessment methods.


Introduction
Due to information age's advance, security threat assessment of an Internet security system has become much more important and complicated. To ensure information security, many organizations use firewalls to provide a level of security by controlling access to information systems. A security manager has to make a decision and choose to implement a subset of these policies in order to maximize resource utilization. There has now been extensive research on security threat assessments; for some recent examples, see Tidwell et al. [1], Dhillon and Torkzadeh [2], Satoh et al. [3], Symantec Corporation [4], Opdahl and Sindre [5], Wu and Ye [6], Lee and Chang [7], and Blyth [8]. Helmer et al. [9] proposed the Multi-Agents Intrusion Detection System (MAIDS), which uses mobile agents in a distributed system to obtain audit data, correlate events, and discover intrusions. They used software fault trees to define intrusions and develop the requirement model for intrusion detection systems. Azaiez and Bier [10] used optimal attack strategies by analogy with existing results for the least expected cost failure state diagnosis of reliability systems. In addition, the growing popularity of e-government services on the Internet has also brought with it security threats. Similarly, J. J. Zhao and S. Y. Zhao [11] assessed the security of US state e-government sites to identify opportunities for and threats to the sites and their users. They used a combination of three methodsweb content analysis, information security auditing, and computer network security mapping-for data collection and analysis.
The increasing frequency and complexity of Internet attacks have raised the level of sophistication required by systems administrators to effectively cope with script kiddies and more sophisticated hackers, for example, top causes of data breaches of Symantec Corporation in 2012, as shown in Figure 1. Hackers continue to be responsible for the largest number of data breaches, making up 40 percent of all breaches [4]. A secure computer system provides guarantees regarding the confidentiality, integrity, and availability of its data. However, systems generally contain design and implementation flaws that result in security vulnerabilities [9]. In addition, due to uncertainties and imprecision of data, it may be difficult or even impossible to precisely determine the failure probabilities of components. On the other hand, the incomplete failure data of the bottom events suffered in the attack also increase the difficulty of security threat  Figure 1: Top causes of data breaches [4]. assessment and calculation. It cannot be fully solved by traditional probability reliability. Therefore, this study used a vague set approach to overcome this problem. The concept of vague set was proposed by Gau and Buehrer [12]. A great deal of literature [13][14][15][16][17][18][19] has been carried out in vague set methods.
An attack tree supports design and required decisions. Attack trees are thus a formalized and structured method for analyzing threats. The possible decomposition of an attack tree to divide the goal into subgoals is an interesting alternative to explore. It is also known as a fault tree [20]. In 1999, Schneier was the first to propose attack trees to analyze the security of systems and subsystems [20]. Attacks are represented in a tree structure, with the attacker goal as the root node and the different ways of achieving that goal as leaf nodes. The attack tree includes the "AND" node and the "OR" node. To reach an AND node, all subgoals must be achieved. To reach an OR node, at least one of the subgoals must be achieved. The attack tree is a formal and methodical way of describing the security of the system based on varying attacks.
In reliability assessment, when the malfunction data of the system's elementary event are incomplete, the conventional approach of calculating reliability is no longer applicable [21]. Huang et al. [22] proposed the posbist fault tree analysis method to find a system's reliability by redefining the "AND" and "OR" operators based on the minimal cut of a posbist fault tree. However, their method only selects the maximal failure probability of the bottom event, which can result in biased conclusions. To solve this problem, this paper proposes a novel security threat assessment method that collects experts' knowledge and experience on the problem domain to build the possibility of the failure of leaf nodes through integrating attack tree and vague sets to assess security threats of an Internet security system. A security threat assessment of an Internet security system is presented as a case study to further illustrate the proposed method. It also compares the proposed approaches with several other listed methods in this paper.
The rest of this paper is organized as follows. Section 2 introduces the basic definition and operations of the attack tree. Section 3 introduces the basic definition and operations of the vague sets. Section 4 presents the proposed approach, AND OR Node Node Figure 2: "AND" node and "OR" node.
which integrates the attack tree and the vague sets for safety assessment. A numerical example of an Internet security system is adopted, and some comparisons with the listed approaches are discussed in Section 5. The final section makes conclusions.

Attack Tree
Schneier [20] proposed attack trees to analyze the security of systems and subsystems. It is a catalog of all possible attacks against a system. The purpose of the attack tree is to define and analyze possible attacks on a system in a structured way. The attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. An attack tree is initiated by a root node describing a type of attack, and each path is terminated by a leaf node (no children). Nodes can be decomposed by "AND" and "OR" relations.
If we let be a random variable such that = 1 corresponds to the accomplishments of subtask and = 0 corresponds to the failure of task , then ( 1 , 2 , . . . , ) is the joint probability distribution. In an "AND" node (see Figure 2), it must have ( 1 = 1, 2 = 1, . . . , = 1). The accomplishment for the parent goal requires the success of all children-that is, and = ∏ =1 -which is the product of the probability of accomplishments of all children. In an "OR" node (see Figure 2), this is essentially the negation of the probability that all subtasks fail: 1 − ( 1 = 0, 2 = 0, . . . , = 0). The accomplishment for the parent goal requires the success of any one of the children-that is, or = 1 − ∏ =1 (1 − )-which is the product of the probability of an accomplishment of any one of the children. It assumes that the attacker can try all available subtasks until he finds one that succeeds. This is an unrealistic assumption in attack modeling, because if an attacker needs to try more than one subtask, he has manifested at least one failure. This is a situation that may be untenable in an attack. Therefore, Yager [23] assumed that in an "OR" node, where the attacker needs only to succeed at one subtask, he cannot try all possibilities but must try one. Thus, the probability of success at an "OR" node without any failure is OR

Vague Sets and Their Operations
This section introduces the definitions and properties of vague sets and four arithmetic operations of the triangle vague set. [24]. Zadeh [25] proposed fuzzy sets to describe fuzzy phenomena under The Scientific World Journal a specific attribute. A fuzzy set is a class of objects, along with a grade of membership function. This membership function, ( ), ∈ , assigns a grade membership to each object that ranges between 0 and 1. This single value combines the evidence for ∈ and the evidence against ∈ , without indicating how much there is of each value. The notion of an intuitionistic fuzzy set was introduced for the first time by Atanassov [26] in 1983 as a generalization of an ordinary Zadeh fuzzy set. Let a set be fixed. An intuitionistic fuzzy set in is an object that has the form The concept of the vague set was proposed by Gau and Buehrer [12]. In a vague set , for assigning a membership grade to every phenomenon, this membership grade is an interval of [0, 1]. This interval presents accepted evidence of ∈ and declined evidence at the same time. In membership grade ( ), a vague set uses a truth-membership function and a false-membership function V to represent the lower bound ( ) and upper bound (1 − V ). The interval [ ( ), 1 − ( )] can extend the fuzzy set of the membership function. In 1996, Bustince and Burillo [27] proposed that vague sets are intuitionistic fuzzy sets. The membership grade can explain that belongs to vague set and accepts that the evidence is 0.6 and the declined evidence is 0.1. If is the vote result from 10 people, it implies that six people voted in favor, one person voted against, and three persons abstained. Figure 3 shows a vague set explanation of a real number .

Definitions and Properties of Vague Sets
The uncertainty of can be described as the differential value of (1 − ( )) − ( ). If the differential value is small, it means that the value of is more certain. If the differential value is great, it means that the computation is more uncertain about . When 1 − ( ) = ( ), the vague set regresses to a fuzzy set. Obviously, when 1 − ( ) = ( ) = 1 or 1 − ( ) = ( ) = 0, the vague set regresses to a crisp set. From the above result, crisp sets and fuzzy sets can be viewed as special cases of vague sets. Therefore, vague sets can be used to describe vague objects in our daily life in more detail.

Arithmetic Operations of Triangle Vague Sets. Let and
be two vague sets, as shown in Figure 4. If ̸ = and ̸ = , then the arithmetic operations are defined as (1) When 1 = 1 , 1 = 1 and 2 = 2 , 2 = 2 , the vague sets of its four arithmetic operations will be easier.

The Reason for Using Attack Tree and Vague Sets.
Security threat assessment of the Internet security system has become a greater concern in recent years, due to progress and diversification of information technology. For an Internet security system, due to uncertainties and imprecision of data, it may be difficult or even impossible to precisely determine the failure probabilities of components. Moreover, we must consider the failure probability of the bottom events suffered in the attack when security threat assessment is executed.

4
The Scientific World Journal Therefore, it cannot be fully solved by traditional probability reliability. An attack tree provides a way of modeling goals of an attack and alternative ways to achieve that goal. This helps us to study the system from the attackers' points of view, which may lead us to determine possible ways that the system can be compromised. Therefore, using an attack tree and vague sets approach to solve security threat assessment problems is more suitable. The major advantage of the vague set over the fuzzy set is that the vague set separates the positive (the degree of membership) and negative (the degree of nonmembership) evidence of membership of an element in the set. Fuzzy sets are vague sets, but the converse is not necessarily true. For this reason, it is more suitable to use the vague set, not the fuzzy set, in attack tree diagrams.

The Procedure of the Proposed Approach.
According to the definitions in Section 3, this paper proposes six steps in order to implement vague attack tree analysis in security threat assessment of an Internet security system. The six steps are described as follows.
Step 1 (construct the attack tree diagram). Construct the attack tree diagram by the AND node and OR node, tracing back the whole process from the main goal to the physical tasks.
Step 2 (establish a system of reliability block diagram). A reliability block diagram can explain the units' relationships in parallel and in series.
Step 3 (define the vague membership degree of leaf nodes). A unit fault can cause the breakdown of the whole system. Define the vague membership degree of leaf nodes according to an expert's knowledge and experience. Possible failure intervals of bottom events are obtained by aggregating group decision-making opinions of the experts' opinions.
Step 4 (calculate the possible malfunction probability of the main goal). Use the attack tree diagram and vague set arithmetic operations to calculate the possible malfunction probability of the main goal.
Step 5 (calculate the reliability of the main goal). The reliability of the main goal is equal to one minus the possible malfunction probability of the main goal.
Step 6 (analyze the results and provide suggestions). From Step 5, the results can be further analyzed to provide the decision maker with feasible solutions.

An Illustrative Example
In this section, an illustrative example of Internet security system failure during attack is presented in order to demonstrate the procedure that is proposed in this paper. This research also compares the experimental results with the traditional probability reliability and Huang et al. 's [22] methods. First of all, an attack tree is constructed that includes the main goal (the failure of the Internet security system during attack), the sub-goals (IP table, firewall daemon, domain name system (DNS), transport layer security, post office protocol 3 (POP3), secure shell (SSH)), the subtasks (Detection Service Failure), and the physical tasks (IP Table configuration errors, address translation failure, authentication failure, etc. ). An attack tree integrates the main goal, the subgoals, the subtasks, and the physical tasks with "AND" and "OR" nodes ( Figure 5). The descriptions of the physical tasks are listed in Table 1. Because of the incomplete failure data of system physical tasks, this paper proposes speculation by experts' opinions according to the incomplete information condition. The reliability block diagram of the Internet security system failure during attack is shown in Figure 6.

Traditional Probability Reliability.
This research calculated the failure possibility of an "Internet security system" during attack, based on the data of Table 1 ( After the calculation above, it is shown that the failure probability of the "Internet security system" during attack is 0.2359 and the reliability of the "Internet security system" is 0.7641. [22]. When the failure probability of a system is extremely small or when essential statistical data are scarce, the posbist fault-tree analysis proposed by Huang et al. [22] could be applied to predict and diagnose a system's failures and evaluate its reliability and safety. Calculations of   Table)) = max (0.04, 0.18, 0.14, 0.40, 0.05, 0.35) = 0.40.

Huang et al. Method
(4) 6 The Scientific World Journal  After the calculation above, it is shown that the failure probability of the "Internet security system" during attack is 0.40 and the reliability of the "Internet security system" is 0.60.

Proposed Method.
According to (1), the failure range of subgoals (SSH, POP3, Transport Layer Security, DNS, Detection Service Failure, Firewall Daemon, and IP Table) can be calculated as  Table) =

Comparisons and Discussion.
In order to evaluate the proposed method, a numerical verification is performed in Section 5. This study also compares the experimental results with the traditional probability reliability and Huang et al. 's [22] methods. The input data of these methods are shown in Figure 5 and Table 1. In the comparison of the results of the three methods, the differences between the proposed method and the listing methods can be shown clearly in Figure 7. From Figure 7, there are some findings.
(1) The traditional probability reliability and Huang et al. 's [22] methods do not consider the confidence level of domain experts. Therefore, the proposed method can be more flexible to present the confidence level of experts (highest confidence = 0.9).  [22] methods under -level 0.9 are the same.
From the comparison, it is clear that the integrated attack tree and vague set technique outlined in this study provides the following advantages. Firstly, the failure information is being described as vague variables; this results in a more realistic and flexible reflection of the real situation. Secondly, the proposed method has considered the failure probability of the bottom events suffered in the attack. Finally, the proposed approach can indeed help to solve security threat assessments of an Internet security system when the available information is incomplete.

Conclusions
This paper has proposed a novel technique to assess the security threats of an Internet security system while under attack. It is useful when evaluating system reliability using the available information and expert's expertise, which is often uncertain or vague in the Internet security system. In particular, this approach has considered the failure probability of the bottom events of an Internet security system suffered in an attack.
In order to further illustrate the proposed method and compare it with other techniques of traditional reliability methods, the Internet security system example is adopted as a simulation example. This study also compares the simulation results with the traditional probability reliability and Huang et al. 's [22] methods. The results show that the proposed approach could provide a more accurate and reasonable security threat assessment to assist the decision-making process. Furthermore, the presented approach is more realistic and is a flexible reflection of the real situation. Moreover, the proposed methodology can help engineers solve security threat assessment problems under the situation of vague or incomplete information.
The advantages of the proposed approach are summarized as follows.
(1) The proposed method considers the malfunction data of the system elementary event as incomplete. (2) The proposed method provides more accurate and effective information to assist the decision-making process.
(3) The failure information in a system's elementary event is described as vague variables; this result is more realistic and is a flexible reflection of the real situation. (4) From a hacker's point of view, finding the weak links in the system for design is to find out a better design of an Internet security system.