A Threat Computation Model using a Markov Chain and Common Vulnerability Scoring System and its Application to Cloud Security

Main Article Content

Ngoc Thuy Le
Doan B. Hoang


Security threats, quantitative security metrics, cloud threats, Markov Chain, Common Vulnerability Scoring System


Securing cyber infrastructures has become critical because they are increasingly exposed to attackers while accommodating a huge number of IoT devices and supporting numerous sophisticated emerging applications. Security metrics are essential for assessing the security risks and making effective decisions concerning system security. Many security metrics rely on mathematical models, but are mainly based on empirical data, qualitative methods, or compliance checking, and this renders the outcome far from satisfactory. Computing the probability of an attack, or more precisely a threat that materialises into an attack, forms an essential basis for a quantitative security metric. This paper proposes a novel approach to compute the probability distribution of cloud security threats based on a Markov chain and Common Vulnerability Scoring System. Moreover, the paper introduces the method to estimate the probability of security attacks. The use of the new security threat model and its computation is demonstrated through their application to estimating the probabilities of cloud threats and types of attacks.


Download data is not yet available.


Metrics Loading ...
Abstract 351 | 181-PDF-pp37-56 Downloads 26


Aissa, A. B., Abercrombie, R. K., Sheldon, F. T., & Mili, A. (2012). Defining and computing a value based cyber-security measure. Information Systems and e-Business Management, 10(4), 433-453.

Almasizadeh, J., & Azgomi, M. A. (2013). A stochastic model of attack process for the evaluation of security metrics. Computer Networks, 57(10), 2159-2180.

Anderson, B., Quist, D., Neil, J., Storlie, C., & Lane, T. (2011). Graph-based malware detection using dynamic analysis. Journal in Computer Virology, 7(4), 247-258.

Aroms, E. (2012). Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30.

Bar, A., Shapira, B., Rokach, L., & Unger, M. (2016). Identifying Attack Propagation Patterns in Honeypots Using Markov Chains Modeling and Complex Networks Analysis. Paper presented at the 2016 IEEE International Conference on Software Science, Technology and Engineering (SWSTE).

CIS [Center for Internet Security]. (2010). The CIS security metrics. Available at http://www.itsecure.hu/library/image/CIS_Security_Metrics-Quick_Start_Guide_v1.0.0.pdf

Cloud Security Alliance. (2016). The Treacherous Twelve - Cloud Computing Top Threats in 2016. From https://downloads.cloudsecurityalliance.org/assets/research/top-threats/Treacherous-12_Cloud-Computing_Top-Threats.pdf

Ghayvat, H., Mukhopadhyay, S., Liu, J., Babu, A., Alahi, M. E. E., & Gui, X. (2015). Internet of things for smart homes and buildings. Australian Journal of Telecommunications and the Digital Economy, 3(4).

Hashizume, K., Rosado, D. G., Fernández-Medina, E., & Fernandez, E. B. (2013). An analysis of security issues for cloud computing. Journal of Internet Services and Applications, 4(1), 5.

Hoang, D. (2015). Software Defined Networking? Shaping up for the next disruptive step? Australian Journal of Telecommunications and the Digital Economy, 3(4).

Hoang, D. B., & Farahmandian, S. (2017). Security of Software-Defined Infrastructures with SDN, NFV, and Cloud Computing Technologies. In S. Y. Zhu, S. Scott-Hayward, L. Jacquin, & R. Hill (Eds.), Guide to Security in SDN and NFV: Challenges, Opportunities, and Applications (pp. 3-32). Cham: Springer International Publishing.

Hu, Q., Asghar, M. R., & Brownlee, N. (2017). Evaluating network intrusion detection systems for high-speed networks. Paper presented at the 2017 27th International Telecommunication Networks and Applications Conference (ITNAC).

Huang, K., Zhou, C., Tian, Y.-C., Tu, W., & Peng, Y. (2017). Application of Bayesian network to data-driven cyber-security risk assessment in SCADA networks. Paper presented at the 2017 27th International Telecommunication Networks and Applications Conference (ITNAC).

Jha, S., Sheyner, O., & Wing, J. (2002). Two formal analyses of attack graphs. Proceedings. 15th IEEE Computer Security Foundations Workshop, 2002.

Jouini, M., & Rabai, L. B. A. (2015). Mean Failure Cost Extension Model towards Security Threats Assessment: A Cloud Computing Case Study. Journal of Computers, 10(3), 184-194.

Le, N. T., & Hoang, D. B. (2017). Cloud Maturity Model and metrics framework for cyber cloud security. Scalable Computing: Practice and Experience, 4, 277-290.

Li, X., Parker, P., & Xu, S. (2011). A stochastic model for quantitative security analyses of networked systems. IEEE Transactions on Dependable and Secure Computing, 8(1), 28-43.

Madan, B. B., Goševa-Popstojanova, K., Vaidyanathan, K., & Trivedi, K. S. (2004). A method for modeling and quantifying the security attributes of intrusion tolerant systems. Performance Evaluation, 56(1), 167-186.

NIST. (2018). National Vulnerability Database. Available at https://nvd.nist.gov/

Patcha, A., & Park, J.-M. (2007). An overview of anomaly detection techniques: Existing solutions and latest technological trends. Computer Networks, 51(12), 3448-3470. doi: https://doi.org/10.1016/j.comnet.2007.02.001

Patel, S., & Zaveri, J. (2010). A risk-assessment model for cyber attacks on information systems. Journal of Computers, 5(3), 352-359.

Ramos, A., Lazar, M., Holanda Filho, R., & Rodrigues, J. J. (2017). Model-Based Quantitative Network Security Metrics: A Survey. IEEE Communications Surveys & Tutorials, 19(4), 2704-2734.

Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds. Proceedings of the 16th ACM conference on Computer and communications security.

Ross, S. M. (2014). Introduction to probability models. Academic press.

Singh, A., & Shrivastava, D. M. (2012). Overview of attacks on cloud computing. International Journal of Engineering and Innovative Technology (IJEIT), 1(4).

Taylor, C. (2019). Probability of the Union of Three or More Sets. Retrieved March 5, 2019, from https://www.thoughtco.com/probability-union-of-three-sets-more-3126263

Thomson, W. (1889). Lord Kelvin: Electrical units of measurement. Popular lectures and addresses. Macmillan, London.