MODELLING AND MITIGATING MINOR-THREATS IN NETWORK THREAT MANAGEMENT

ABSTRACT

Network Threat Management (NTM) is used to model and mitigate network threats, classified as major-threats and minor-threats, without exceeding Cost of Detection (CD), Time of Detection (TD) and False Positive Rate (FPR) limits. Existing network threat modelling and mitigation frameworks focused on major-threats because, until recently, only major-threats were considered harmful while minor-threats were perceived as non-harmful. Recent studies, however, have shown that some minor-threats are harmful. This study was designed to model and mitigate minor-threats in NTM. The Threat Prediction Model (TPDM) and Threat Prioritisation Model (TPRM) were used for modelling, while the Threat Mitigation Model (TMTM) was used for mitigation. The TPDM was modified to identify minor-threats by incorporating actionable attributes. The accuracy of the modified TPDM was compared with that of the TPDM based on confidence, with a benchmark of 1.0. The TPRM was modified to rate minor-threats using the Dempster-Shafer Method and was compared with the snort-classifier and the Common Vulnerability Scoring System (CVSS) as standards. A rating between 0 and 5 was 'less harmful' while a rating above 5 was 'moderately harmful'. The modified TPDM and TPRM were implemented in Java. The TMTM was modified using Hillson's risk mitigation model. The CD based on number of rules, TD and FPR were used to compare the modified TMTM and TMTM for Snort and Suricata implementations. Real-life minor-threats known as Plymouth University Advanced Persistent Threats (PUAPT) were developed using Metasploit for analysis. Existing Lincoln Lab Denial of Service (LLDOS) minor-threats were also analysed for standardisation. The CD, TD and FPR limits for the PUAPT analysis were set at 5_rules, 60_seconds and 25% respectively, while those for LLDOS were 5_rules, 90_seconds and 25%. Data were analysed using descriptive statistics. In the PUAPT analysis, the modified TPDM was accurate with a confidence of 1.0 compared to 0.0 for the existing TPDM.
The modified TPRM rated harmful minor-threats as moderately harmful and non-harmful ones as less harmful. The snort-classifier rated both harmful and non-harmful minor-threats as less harmful, while CVSS rated none of the minor-threats. With the modified TMTM for the Snort implementation, CD, TD and FPR of 5_rules, 1_second and 2.7% respectively were incurred, compared to 19082_rules, 240_seconds and 99.1% for the existing TMTM. With the modified TMTM for the Suricata implementation, CD, TD and FPR of 5_rules, 1_second and 1.2% respectively were incurred, compared to 18701_rules, 240_seconds and 99.8% for the existing TMTM. The modified TPDM for LLDOS was accurate with a confidence of 1.0 compared to 0.1 for the existing TPDM. The modified TPRM rated harmful minor-threats as moderately harmful and non-harmful ones as less harmful; the snort-classifier rated both harmful and non-harmful minor-threats as less harmful, and CVSS rated only the minor-threats with vulnerabilities. With the modified TMTM for the Snort implementation, CD, TD and FPR of 5_rules, 3_seconds and 21.1% respectively were incurred, compared to 19082_rules, 480_seconds and 99.9% for the existing TMTM. With the modified TMTM for the Suricata implementation, CD, TD and FPR of 5_rules, 75_seconds and 1.3% respectively were incurred, compared to 18701_rules, 480_seconds and 99.0% for the existing TMTM. The modified models accurately modelled and mitigated minor-threats without exceeding the cost of detection, time of detection and false positive rate limits. The modified models are recommended for modelling and mitigating minor-threats in network threat management.
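As an added illustration (not code from the thesis), the Dempster-Shafer combination step on which the modified TPRM's rating rests, with the abstract's thresholds (0 to 5 'less harmful', above 5 'moderately harmful'). The evidence masses, the two-hypothesis frame and the mapping of combined belief to a 0 to 10 rating are assumptions of this example, not the thesis's own parameters.

```python
from itertools import product

# Frame of discernment (assumed): a minor-threat is harmful (H) or not (N).
H, N = "harmful", "non-harmful"
THETA = frozenset({H, N})          # the whole frame: "no opinion" mass goes here

def combine(m1, m2):
    """Dempster's rule of combination for two mass functions.
    Each mass function maps frozenset focal elements to masses summing to 1."""
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:                               # agreeing evidence lands on B∩C
            combined[inter] = combined.get(inter, 0.0) + mb * mc
        else:                                   # contradictory evidence is conflict K
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("total conflict: sources cannot be combined")
    return {a: v / (1.0 - conflict) for a, v in combined.items()}  # renormalise by 1-K

def combine_all(sources):
    m = sources[0]
    for s in sources[1:]:
        m = combine(m, s)
    return m

def rating(m):
    """Assumed mapping (not from the paper): 10 x pignistic probability of H,
    i.e. belief in H plus half of the mass still undecided on the whole frame."""
    bet_p = m.get(frozenset({H}), 0.0) + m.get(THETA, 0.0) / 2.0
    return round(10.0 * bet_p, 2)

def classify(r):
    # Thresholds as stated in the abstract.
    return "moderately harmful" if r > 5 else "less harmful"

def rate_minor_threat(sources):
    r = rating(combine_all(sources))
    return r, classify(r)

if __name__ == "__main__":
    # Constructed evidence: an actionable-attribute check leans 'harmful',
    # a signature classifier leans 'non-harmful', each leaving some mass undecided.
    harmful_case = [{frozenset({H}): 0.6, THETA: 0.4}, {frozenset({N}): 0.5, THETA: 0.5}]
    benign_case = [{frozenset({N}): 0.7, THETA: 0.3}, {frozenset({H}): 0.2, THETA: 0.8}]
    print(rate_minor_threat(harmful_case))   # (5.71, 'moderately harmful')
    print(rate_minor_threat(benign_case))    # (2.09, 'less harmful')
```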