Difference between revisions of the page "Thesis:Fuzziness as a Measure of Uncertainty in Quantitative Security Metrics"

Source: Kursused
(Deleted the entire page content)
 
Back [[Aleksandr_Lenin_MSc_Thesis_topics|to the list of topics]]
 
  
As with any other model, security models take a set of input parameters, perform some model-specific transformations and calculations, and output a result. Quantitative analysis models require quantitative inputs and produce quantitative results. For simple models with a modest number of input parameters, the parameters may be estimated by domain experts, and the same team of experts interprets the results of the analysis.
 
 
Some input parameters used by security models, e.g. the attack scenario description in the form of an ''attack graph'', contain thousands or even tens of thousands of nodes and are not meant for human processing in any way. We do strive to automate input data gathering by means of data mining, but full automation is not achievable. We may face situations where we get several different estimations from different data sources. We cannot treat them equally, as these data sources have different degrees of ''reliability'', i.e. different ''confidence'' in the precision of the estimations they provide. In certain cases automated data gathering may fail to provide values for some input parameters at all, and then we must fall back to human estimations.
 
 
Humans have proven to have a really hard time estimating parameters in the quantitative domain. Experiments have shown that, as a rule, such results are not reliable and are often meaningless for analysis. Humans by nature think in categories, e.g. Low / Medium / High / Very high, and estimating values on such an ordinal scale is more natural for them. Even if we ask them to estimate a quantitative parameter, such as ''Cost'', their estimations will contain some degree of uncertainty.
 
 
For example:
 
* the cost is approximately (somewhere around) 100.
 
* the cost might be something between 100 and 300.
 
* the cost is somewhere around 100-300.
 
* I am pretty sure the cost will be close to 2000.
 
* most likely the cost will be 50, but anyway it will not exceed the value 70.
 
* the cost most likely will be something between 200 and 250, but in any case it will be not less than 100 and not greater than 300.
 
* the damage will be not less than 50000.
 
* the expected damage may range from 100 thousand up to one million, but it is reasonable to expect damage ranging from 300 to 500 thousand monetary units.
 
* the damage will not exceed 200000.
 
* the damage will be from ''Low'' to ''Medium''.

* I am almost sure the damage will be ''Medium''.
 
* I am absolutely sure it will cost us 6000.
 
* the cost will be usually greater than 5000 but definitely not less than 3800 (lower bound).
 
* it is reasonable to expect costs up to 8000, but definitely not greater than 8500 (upper bound).
 
* etc.
 
 
 
Currently this sort of uncertainty in human-estimated values is not taken into account by the existing implementations of the analysis models, and we need to fix this! The hypothesis of this research is that taking uncertainty in estimations into account will enable us to operate on more precise input values (closer to the real situation, or to the real opinion of the expert), which in turn will allow us to model reality more precisely and eventually lead to more precise results. When we use input parameters containing a degree of uncertainty, the analysis results will also contain a degree of uncertainty; such a result carries more information than a single value and facilitates flexibility in the analysis.
 
 
There are several ways to express uncertainty in our models. One of them is ''intervals''. For instance, we might say ''the cost is between 100 and 500''. Fuzzy sets add one more dimension to such an estimation, called the ''fuzzy quantity'' (aka ''degree of fuzziness'', aka ''degree of confidence''), expressing the degree of certainty that a given value belongs to the considered interval. This adds flexibility to the analysis and allows a more detailed description of the security situation.
 
 
Thus:
 
* Exact values (e.g. parameters) are rare in practice.
 
* Reason: incomplete and imprecise information.
 
* Fuzzy quantities are important in many fields.
 
* Mathematically OK but not always intuitive.
 
* How to model e.g. imprecise system parameters?
 
* How to compute with imprecise parameters?
 
* Fuzzy numbers and fuzzy algebra are the key.
 
 
Consequences:
 
* Analysis, validation and interpretation of imprecise models is more complex.
 
* Overestimation and shape preserving produce non-intuitive results.
 
* Accumulation of fuzziness skews membership functions.
 
* Heuristics and appropriate reasoning are the link.
 
 
The tasks of the thesis are the following:
 
* Write down the list of ''imprecise estimations'' that we may face and learn which types of fuzzy sets can be used to represent these types of estimations. Reason about why this or that type of a fuzzy set is suitable for the considered estimation.
 
* Aggregating a set of evaluations of different kinds into a single joint estimation. Outline what we can use to do such an aggregation.
 
* Performing calculations. Determine the set of algebraic operations required to be performed by the existing security risk analysis tools and outline how to make such calculations.
 
* Interpreting the results of analysis. What kinds of qualitative analysis can exist in this context (if any)? Give some examples. Can we still get a quantitative estimation out of the fuzzy result? Explore the defuzzification methods. Give some examples.

* Conclude. What are the merits and drawbacks of using fuzziness as a measure of uncertainty in quantitative security analysis? Is this approach viable? Did we achieve anything beyond the existing state of the art?
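As an added illustration (not part of the original topic description), the following Python encodes several of the estimations listed above as trapezoidal fuzzy numbers, adds them to obtain the fuzzy total cost of a multi-step attack (the calculation task), and defuzzifies the result by the centroid method (the interpretation task); the step costs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Trapezoid:
    """Trapezoidal fuzzy number (a, b, c, d): membership rises from a to b, is 1 on
    the core [b, c], falls from c to d. Interval: a == b, c == d. Crisp: all equal."""
    a: float
    b: float
    c: float
    d: float

    def membership(self, x):
        """Degree (0..1) to which the value x is compatible with the estimate."""
        if x < self.a or x > self.d:
            return 0.0
        if self.b <= x <= self.c:
            return 1.0
        if x < self.b:
            return (x - self.a) / (self.b - self.a)
        return (self.d - x) / (self.d - self.c)

    def alpha_cut(self, alpha):
        """Interval of values whose membership is at least alpha."""
        return (self.a + alpha * (self.b - self.a),
                self.d - alpha * (self.d - self.c))

    def __add__(self, other):
        """Fuzzy addition by the extension principle: add the corners pairwise."""
        return Trapezoid(self.a + other.a, self.b + other.b,
                         self.c + other.c, self.d + other.d)

    def centroid(self):
        """Centre-of-gravity defuzzification back to a single crisp value."""
        area2 = (self.d + self.c) - (self.a + self.b)  # twice the area under mu
        if area2 == 0:                                  # crisp value: nothing to average
            return float(self.a)
        num = (self.d ** 2 + self.d * self.c + self.c ** 2
               - self.a ** 2 - self.a * self.b - self.b ** 2)
        return num / (3 * area2)

# Constructed sample step costs, encoded from the phrasings listed above.
STEP1 = Trapezoid(100, 200, 250, 300)      # "most likely 200-250, never below 100 or above 300"
STEP2 = Trapezoid(3800, 5000, 8000, 8500)  # "usually > 5000, not < 3800; up to 8000, not > 8500"
STEP3 = Trapezoid(6000, 6000, 6000, 6000)  # "I am absolutely sure it will cost us 6000"

def attack_cost(steps=(STEP1, STEP2, STEP3)):
    """Fuzzy total cost of an attack consisting of sequential steps."""
    return sum(steps, Trapezoid(0, 0, 0, 0))

if __name__ == "__main__":
    total = attack_cost()
    print(total, "alpha=0.5:", total.alpha_cut(0.5), "centroid:", round(total.centroid(), 1))
```

The alpha-cut at 0.5 gives the range of totals the experts consider at least half plausible, while the centroid is the single crisp number an existing tool could consume.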
 

Last edited: 19 February 2020, at 09:28