Risk-averse bi-level stochastic network interdiction model for cyber-security risk management
International Journal of Critical Infrastructure Protection (IF 3.6), Pub Date: 2021-01-06, DOI: 10.1016/j.ijcip.2021.100408
Tanveer Hossain Bhuiyan, Hugh R. Medal, Apurba K. Nandi, Mahantesh Halappanavar

This paper proposes a methodology to enable a risk-averse, resource-constrained cyber network defender to optimally deploy security countermeasures that protect against potential attackers with an uncertain budget. The proposed methodology is based on a risk-averse bi-level stochastic network interdiction model on an attack graph, which maps the potential attack paths of a cyber network. The model minimizes the weighted sum of the expected maximum loss over all attack scenarios and the risk of substantially large losses. The conditional-value-at-risk measure is incorporated into the stochastic programming model to reduce the risk of substantially large losses. An exact algorithm is developed to solve the model, along with several acceleration techniques that improve computational efficiency. Numerical experiments demonstrate that the acceleration techniques enable the solution of relatively large problems within a reasonable amount of time: simultaneously applying all the acceleration techniques reduces the average computation time of the basic algorithm by 71% for 100-node graphs. Using metrics called mean-risk value of stochastic solution and value of risk-aversion, computational results suggest that the stochastic risk-averse model provides substantially better network interdiction decisions than the deterministic (which ignores uncertainty) and risk-neutral models when 1) the distribution of attacker budget is heavy-right-tailed and 2) the defender is highly risk-averse.
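The mean-risk trade-off described in the abstract can be seen on a toy instance. The following is an added example, not the paper's formulation or algorithm: the graph, costs, losses and budget scenarios are constructed, the objective form `E[loss] + lam * CVaR_alpha(loss)` is an assumed weighting, and the defender problem is solved by brute-force enumeration.

```python
from itertools import combinations

# Constructed toy attack graph: arc -> (attacker cost, defender interdiction cost)
ARCS = {
    ("internet", "web"): (1, 3),
    ("web", "db"): (1, 2),
    ("internet", "vpn"): (3, 1),
    ("web", "vpn"): (2, 1),
    ("vpn", "scada"): (3, 2),
}
LOSS = {"web": 1.0, "db": 10.0, "scada": 50.0}  # assumed loss if a node is reached
SCENARIOS = [(2, 0.7), (4, 0.2), (8, 0.1)]      # (attacker budget, probability), right-tailed

def max_loss(blocked, budget, node="internet", seen=()):
    """Inner (attacker) problem: largest loss reachable along one path within budget."""
    best = LOSS.get(node, 0.0)
    for (u, v), (cost, _) in ARCS.items():
        if u == node and (u, v) not in blocked and cost <= budget and v not in seen:
            best = max(best, max_loss(blocked, budget - cost, v, seen + (node,)))
    return best

def cvar(losses_probs, alpha):
    """Rockafellar-Uryasev CVaR for a discrete loss distribution [(loss, prob), ...]."""
    return min(eta + sum(p * max(l - eta, 0.0) for l, p in losses_probs) / (1 - alpha)
               for eta, _ in losses_probs)

def objective(blocked, lam, alpha):
    """Mean-risk value of a defence: expected max loss plus lam times its CVaR."""
    dist = [(max_loss(blocked, b), p) for b, p in SCENARIOS]
    mean = sum(l * p for l, p in dist)
    return mean + lam * cvar(dist, alpha)

def best_defense(def_budget, lam, alpha=0.9):
    """Outer (defender) problem: enumerate affordable arc sets, keep the cheapest-risk one."""
    best = None
    for k in range(len(ARCS) + 1):
        for subset in combinations(sorted(ARCS), k):
            if sum(ARCS[a][1] for a in subset) <= def_budget:
                val = objective(set(subset), lam, alpha)
                if best is None or val < best[0] - 1e-12:
                    best = (val, subset)
    return best

if __name__ == "__main__":
    for lam in (0.0, 1.0):  # risk-neutral vs. risk-averse defender
        print(lam, best_defense(2, lam))
```

With a defender budget of 2, the risk-neutral defender (`lam=0`) protects the frequently reached `db` node, while the risk-averse defender (`lam=1`) instead cuts the rare, high-budget path to `scada`.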




Updated: 2021-01-12