Intentional risk management through complex networks analysis 9783319264219, 9783319264233, 3319264230

Citation preview

SPRINGER BRIEFS IN OPTIMIZATION

Victor Chapela Regino Criado Santiago Moral Miguel Romance

Intentional Risk Management through Complex Networks Analysis 123

SpringerBriefs in Optimization Series Editors Mirjam Dür Panos M. Pardalos János D. Pintér Stephen M. Robinson Tamás Terlaky My T. Thai

SpringerBriefs in Optimization showcases algorithmic and theoretical techniques, case studies, and applications within the broad-based field of optimization. Manuscripts related to the ever-growing applications of optimization in applied mathematics, engineering, medicine, economics, and other applied sciences are encouraged. More information about this series at http://www.springer.com/series/8918

Victor Chapela • Regino Criado • Santiago Moral Miguel Romance

Intentional Risk Management through Complex Networks Analysis

123

Victor Chapela Suggestic Inc. Palo Alto, CA, USA Santiago Moral Cybersecurity & Digital Trust BBVA, Ronda de Valdecarrizo 21 Tres Cantos, Madrid, Spain

Regino Criado Department of Applied Mathematics Universidad Rey Juan Carlos Móstoles, Madrid, Spain Miguel Romance Department of Applied Mathematics Universidad Rey Juan Carlos Móstoles, Madrid, Spain

ISSN 2190-8354 ISSN 2191-575X (electronic) ISBN 978-3-319-26421-9 ISBN 978-3-319-26423-3 (eBook) DOI 10.1007/978-3-319-26423-3 Library of Congress Control Number: 2015956176 Mathematics Subject Classification (2010): 05C82, 05C90, 68M11, 68R10, 90B18, 90C35, 91D99 Springer Cham Heidelberg New York Dordrecht London © The Author(s) 2015 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. Printed on acid-free paper Springer International Publishing AG Switzerland is part of Springer Science+Business Media (www. springer.com)

To our families

Preface

Mathematical discoveries, small or great, are never born of spontaneous generation. They always presuppose a soil seeded with preliminary knowledge and well prepared by labour, both conscious and subconscious. Henri Poincaré

There is a fuzzy place where theoretical computer science, computer security, and applied mathematics are mixed. We can say that theoretical computer science is a mathematical discipline that often abstracts its problems from the (hardware and software) technology of “real” computer science. A part of these problems come up from computer security. Many applicable theoretical results appear in numerous guises since the explosive growth of computer science makes it impossible for anyone to stay up to date in all areas of the field. This book has been written in response to our perception of such need in the area of cybersecurity. It is meant to serve as both: a resource for researchers and a text on the subject for graduate students. The modeling of networks requires some mathematical background, but we have made the book as self-contained as possible. We do not presume any knowledge beyond some familiarity with linear algebra (vector and matrices), calculus, and probability and statistics. A chapter devoted to the basic concepts on networks is presented after a specific introduction on intentional risk. This is due to the need to find a conceptual framework where the relationships among individual entities or systems can be described and then measured in a meaningful way. Networks address these requirements very well: a network describes a collection of nodes and links between them. The concept of a network addresses these requirements nicely: a network describes a collection of nodes and the links (edges) between them. The notion of nodes is fairly general: they may be individuals, computers, countries, or even groups of such entities. A link between two nodes signifies a direct relation between them. For instance, in a social context a link could be a friendship tie, while in the context of computer science, a link may be, for example, a physical connection between two computers. vii

viii

Preface

Furthermore, in many practical situations, a real-life dataset can be represented as a network (or graph) because this structure can be easily understood and visualized. Such representation has applications everywhere, from the World Wide Web, where nodes represent web pages and edges correspond to the links between pages, to biology, the Internet, and a huge variety of technological systems. In fact, the last two decades have seen the birth of a movement in science, nowadays very well known under the name of complex networks theory. It involved the interdisciplinary effort of some of our best scientists in the aim of exploiting the current availability of big data in order to extract the ultimate and optimal representation of the underlying complex systems and mechanisms. Specifically, network models also naturally abstract a large variety of computational situations. In addition, numerous specific computational problems, say involving decomposition of problem domains, can fruitfully be formulated as problems of manipulating and/or partitioning networks in various ways, including myriad of problems that employ the well-known divide-and-conquer paradigm. In the model we are presenting, a complex network is used to represent the system where the nodes are the different components of the system, while the edges represent links between them. The attacker surfs on the complex network in order to get the valuable information contained in the system, but each jump from one node to another has its own cost depending on the characteristics of the target node and the corresponding link. Following the paradigm given by Game Theory, the focus is put on the motivating elements for the attacker. We have considered the following: Anonymity (how easily the identity of the attacker is determined), Accessibility (how easily the attack is carried out), and Value (how profitable the attack is). All these elements will be introduced and studied in depth throughout the different chapters of this book. So, Chap. 1 is devoted to give an introduction to Intentional Risk and Cybersecurity. The basic concepts on networks are presented in Chap. 2. Chapter 3 is devoted to random walkers on a network. In this chapter we will review the main subjects related to random walkers we will need to introduce the concept of Accessibility of an element within the network, and Chap. 4 is devoted to the description, computation and applications of this concept in our models of intentional risk. In this sense, two different types of risk are identified related to Intentional Risk: Static Risk, studied and developed in Chap. 5, and Dynamic Risk which is analyzed in Chap. 6. Roughly speaking, Static Risk is the opportunistic risk, for instance, the risk concerning identity theft, while Dynamic Risk is the type of directed intentional risk that attempts to follow unauthorized paths. The paradigm for this type of risk is represented by the use of a vulnerability in the system to gain technical or administrative accesses based on affinities. In other words, Dynamic Risk is directly linked to the use of potentially existing paths (but not authorized) in the network when it is based on the potential affinity access layer. Finally, Chap. 7 is devoted to present a proof of concept software application using real data to model real-world computer networks and different types of known risks. It has to be said that although the table of contents represents a categorization of the chapters by subject, the relationship between the chapters is not entirely linear.

Preface

ix

There is a progression in the book, with some of the more technically demanding chapters coming later, as well as those that draw on concepts from earlier chapters, even though some chapters are cross-referenced. This volume has not been designed to be a thorough reference. We refer the reader interested in additional information to the references at the end of the text. We hope this book will encourage research on the field of cybersecurity. Palo Alto, CA, USA Móstoles, Madrid, Spain Tres Cantos, Madrid, Spain Móstoles, Madrid, Spain May 2015

Victor Chapela Regino Criado Santiago Moral Miguel Romance

Acknowledgments

As with any such undertaking, there are many acknowledgments due, and they do not adequately represent the scope and depth of the help received. We would like to take this opportunity to thank all our colleagues who, in one way or another, have been concerned during the development of this book and everyone at the Research Center for Technology Risk Management (CIGTR) (research center created by the joint initiative of BBVA and University Rey Juan Carlos Foundation), Rey Juan Carlos University (URJC), Innovation for Security (I4S), and Sm4rt Security Services for their generous support of this project. We especially wish to acknowledge Rafael Ortega, Angel Pérez del Pozo, Francisco García Marín, Miguel Angel Cano (Mac), Rosa Quintanar, Ricardo Acuña, Paolo Rizzi, and Jess García. The authors also want to thank the anonymous referee for his comments and suggestions. Finally, we would like to take this opportunity to thank Springer for helping us to finalize this book. This book has been partially supported by the project MTM2014-59906 (Spanish Ministry) and the grant “URJC-Grupo de Excelencia Investigadora” GARECOM (2014).

xi

Contents

1

Intentional Risk and Cyber-Security: A Motivating Introduction . . . . . 1.1 Cyber-Attacks and Cyber-Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1.2 A Mathematical Model for Managing Intentional Cyber-Risk . . . . . . . 1.3 Incorporating Game Theory to Complex Networks . . . . . . . . . . . . . . . . . . . 1.4 Static Risk, Dynamic Risk and New Algorithm Optimizations. . . . . . .

2

Mathematical Foundations: Complex Networks and Graphs (A Review). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 Complex Systems and Complex Networks . . . . . . . . . . . . . . . . . . 2.1.2 Holism vs Reductionism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.3 Complex Networks and Intentional Risk . . . . . . . . . . . . . . . . . . . . . 2.2 Basic Concepts on Graphs and Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.1 The Origins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.2 Graphs vs Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.3 Matrices, Degrees, Link Density and Some Interesting Graph Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.4 Directed and Weighted Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.5 Metric Structure, Connectedness, Geodesics and Some Other Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.6 Characteristic Path Length, Efficiency and Vulnerability of a Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.7 Clustering Coefficient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.8 Finding Out the Critical and the Most Influential Nodes: Eigenvector Centrality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.9 Information Flow Management: Betweenness Centrality . . . 2.2.10 Degree Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3 Some Interesting Complex Networks Models . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.1 Random Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.2 Small-World Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.3 Scale-Free Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1 1 4 6 7 9 9 9 10 11 12 12 14 14 16 18 19 20 21 24 26 27 27 28 29 xiii

xiv

3

4

5

Contents

2.4 New Approaches and Developments of Interest for Our Model . . . . . . 2.4.1 When Edges are More Important than Nodes: Line Graph and Related Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.2 Multilayer Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

31

Random Walkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.1 An Introduction to Random Walkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Different Mathematical Models of Random Walkers . . . . . . . . . . . . . . . . . 3.3 Applications to Intentional Risk Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.1 Accessibility and PageRank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.3.2 Dynamic Risk, Random Walkers and Multiplex Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

37 38 43 48 48

The Role of Accessibility in the Static and Dynamic Risk Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.1 Introduction: Edge’s Accessibility and PageRank . . . . . . . . . . . . . . . . . . . . . 4.2 Mathematical Formulation and Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.3 Edge’s PageRank via Classic PageRank . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.4 Edge’s PageRank Through Line Graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4.5 Classic PageRank vs Line-Graph’s PageRank . . . . . . . . . . . . . . . . . . . . . . . . . Mathematical Model I: Static Intentional Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.1 Intentionality Complex Network for Static Risk . . . . . . . . . . . . . . . . . . . . . . 5.2 Collapsed and Nodes and Edges Assignation Algorithms . . . . . . . . . . . . 5.2.1 0-Collapsed Algorithm and Anonymity Assignation . . . . . . . . 5.2.2 “Max-Path” Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.3 Value Assignment Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.2.4 Accessibility Assignment Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 5.3 Static Risk Networks Construction from the Data. . . . . . . . . . . . . . . . . . . . . 5.3.1 Intentionality Network of Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3.2 Intentionality Network of Administrators . . . . . . . . . . . . . . . . . . . . 5.4 Static Risk Intentionality Network Construction Method: An Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4.1 Construction Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.4.2 Description of the Method and an Example. . . . . . . . . . . . . . . . . . 5.4.3 Assignment of Attributes in the Original Network . . . . . . . . . . 5.5 Final Formula and Summary of Static Risk Model. . . . . . . . . . . . . . . . . . . .

31 35

49 53 53 55 58 61 62 65 65 68 69 72 73 74 75 76 78 78 79 80 95 96

6

Mathematical Model II: Dynamic Intentional Risk . . . . . . . . . . . . . . . . . . . . . . 99 6.1 Comparative Analysis: Static Risk vs Dynamic Risk . . . . . . . . . . . . . . . . . 99 6.1.1 Accessibility in the Context of Dynamic Risk . . . . . . . . . . . . . . . 100 6.2 Dynamic Risk Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

7

Towards the Implementation of the Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 7.1 Modeling Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 7.1.1 IP Source and Destination Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Contents

xv

IP Source (e.g. 192.168.1.105) → Destination Port (e.g. 192.168.1.250:23) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.3 Restricted and Unrestricted Access Levels . . . . . . . . . . . . . . . . . . . 7.1.4 Static and Dynamic Risk Access Levels . . . . . . . . . . . . . . . . . . . . . 7.1.5 Static Risk with Network Protocol Analyzer Sniffers . . . . . . . 7.1.6 Dynamic Risk with Network Vulnerability Scanners. . . . . . . . Modeling Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Determining Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Development of the Proof of Concept Software . . . . . . . . . . . . . . . . . . . . . . . 7.4.1 Software Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Proof of Concept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.5.1 Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.5.2 Collapse/Expand. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.5.3 Anonymity, Accessibility and Value . . . . . . . . . . . . . . . . . . . . . . . . . 7.5.4 Further Work for the PoC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7.1.2

7.2 7.3 7.4 7.5

103 104 106 106 106 108 108 108 109 110 112 112 112 113

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Chapter 1

Intentional Risk and Cyber-Security: A Motivating Introduction

Abstract Protecting digital assets has become increasingly difficult. For cyber-attackers, a successful infiltration will grant them valuable stolen assets or confer them beneficial strategic advantages. The main driver to assess the risk of a cyber-attack is the expected profit or benefit that the attacker will gain out of it. Two theoretical elements configure the pillars for a suitable high-level mathematical cyber-security model. On one hand, Game Theory, based on the stability analysis of the John Nash equilibrium Intentionality management and, on the other hand, Complex Network Theory (structure and dynamics) that provides a physical and logical structure where the game is played. The aim of this book is to present this cyber-risk management methodology and tools together with the scientific, mathematical and theoretical basis to support it. We present this management methodology by introducing the concept of intentionality as the backbone of cyber-risk management. This will allow information security professionals to better decision-making through real-time scenario analysis.

1.1 Cyber-Attacks and Cyber-Security In the last decade the problem related to the information security in all kind of organizations has increased up to a level that renders its management extremely difficult. In a published report by Mcafee [88] dated on June 2014, one can read: “Cyber-crime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the global economy from cyber-crime is more than $400 billion. A conservative estimate would be $375 billion in losses, while the maximum could be as much as $575 billion. Even the smallest of these figures is more than the national income of most countries and governments and companies underestimate how much risk they face from cyber-crime and how quickly this risk can grow.” Protecting digital assets has become increasingly difficult. Over the past three decades cyber-attacks have grown from rare occurrences by lone hackers, into highly specialized teams sponsored by government agencies and criminal organizations. The total value extracted by cyber-crime, cyber-espionage and cyber-attacks worldwide is considered to be in the hundreds of billions.

© The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_1

1

2

1 Intentional Risk and Cyber-Security: A Motivating Introduction

For cyber-attackers, a successful infiltration will grant them valuable stolen assets or confer them beneficial strategic advantages. The more potential value or benefit that can be extracted from an attack, the more resources that will be put into its execution. Stealing trade secrets, military secrets, consumer identities and credit card information are the most common sought digital assets because of their high value to other countries or to organized crime. Similarly, taking down critical infrastructures in the event of a war is an inexpensive way to disrupt the opponent. Therefore, because of the value and benefits that are being extracted by cyberattackers this fact is known by some as “the greatest transfer of wealth in human history”. Additionally, cyber-attackers have other advantages over more traditional types of attack. First, a digital attack attribution is very difficult and some times impossible. This gives potential attackers a high anonymity level. Second, even if there is enough evidence, the attacker can stand anywhere and also may have hopped through servers in different jurisdictions. In these cases, existing laws and international treaties almost always fail to punish those who are guilty. High anonymity with a low probability of punishment greatly reduce the attacker’s risk. Furthermore, cyber-attacks also have a very low execution cost compare to other types of attack. The main cost is normally the time and effort spent in gaining access to the infrastructure or data. It is important to note that in this book, we argue that the main driver to assess the risk of a cyber-attack is the expected profit or benefit that the attacker will gain if successful. This is the main component to evaluate the likelihood of an attack. Nevertheless, up until now most cyber-security methodologies that try to evaluate and mitigate the risk of cyber-attacks, start from a completely different perspective. Two very different types of risks have been faced in Information Technology Risk Management: accidental risks and intentional risks. The first ones are events that happen by chance, without anybody actively trying to provoke them. Examples would be natural disasters or hardware malfunctions. In order to manage this kind of risks, the probability of these events is estimated and an effort is made to prevent their causes by implementing redundancy at several layers within the network. Redundancy multiplies the probability of two independent events actually lowering the possibility that two data centers, two hard drives or two power supplies will fail at the same time. On the other hand, intentional risks are those with active agents behind them, who are trying to achieve some kind of benefit or profit for themselves. It is interesting to note that the main difference between accidental and intentional risks is that when intentional, there is someone with a clear incentive to produce the effect that most probably would not have happened on its own. Which forces us to manage risk the other way around: we have to make the end goal (or effect) unprofitable so that the cause will not happen. Intentional risk management performs the opposite to accidental risk management. In accidental risk there is a cause that leads to an effect and we therefore try to mitigate the cause, reduce the possibility of it happening. In intentional risk, someone provokes the cause to get the benefit of the effect. So within intentional

1.1 Cyber-Attacks and Cyber-Security

3

risk, we have to analyze the end goal of the attackers. To prevent these attacks, we need to reduce the value and increase their cost or increase the risk for the attackers. It is important to have in mind that the goal is not to completely avoid all potential incidents (which would be unpractical or unaffordable), but rather to make these incidents less profitable for the attackers and therefore reduce or eliminate their incentives. Information Security is a fairly new discipline. The first computer systems had no password. Physical access to the computer meant unrestricted access to the data within the system. When computers connected to each other and to the Internet, the security threats increased exponentially. Technical vulnerabilities, some of which had existed since the first version of a software application, would grant unauthorized execution privileges and access to data on remote computers when exploited. Cyber-security arose to understand and try to eliminate this new type of intentionally exploitable bugs. But when cyber-security began, there were few methodologies to assess risk. And all of them were based on an actuarial approach, where they would multiply probability and impact. Probability of an event was measured through past observation of the frequency of that type of event. Impact was measured as the potential losses to the host organization. As a consequence, methodologies that were meant to measure isolated accidental risk (as in the probability that a hard drive would fail) were now used to measure directed intentional risk (the probability of being hacked) for which they were ill prepared. Since almost no data was available about the real (and future potential) cyberattacks, the industry used “experts” to assess the probability and impact for each vulnerability. If there were two identical servers, with the same vulnerabilities, and one was in the DMZ of a large financial institution, and the other one was a personal printing and storage server at home, the expert would assess the large difference in the probability and impact of the same vulnerability being exploited. But this change in risk was not intrinsic to the vulnerability nor to the server, the expert would have to bring his real life experience to try an evaluate risk by incorporating his common sense. Traditional methodologies determine the amount and criticality of vulnerabilities. The idea behind this is that if all vulnerabilities can be found and patched, there will be no residual risk. But there is no such thing as perfect security. Even if it were economically and technically feasible to eliminate all the vulnerabilities in a large network (which is not the case), corrupting or coercing human elements could always generate additional paths to the digital loot if the stakes are high enough. But this cannot be done objectively and at a scale. What is the probability for a specific server, network or organization to be attacked? Or if a network were compromised, which path would they most likely use? And therefore, how do we protect ourselves against directed intentional attacks if we have no tools to consistently measure and model cyber-risk? We argue that the only way to effectively and efficiently reduce the risk of an intentional directed attack is to incorporate the attacker’s incentives into the equation. Instead of calculating impact based on how much a company or

4

1 Intentional Risk and Cyber-Security: A Motivating Introduction

organization expects to lose, we start by defining what is considered by potential attackers to be the most valuable assets. And from these initial nodes, we then calculate what the likelihood is that the attackers may choose one network path over another or one server over the other.

1.2 A Mathematical Model for Managing Intentional Cyber-Risk Intentional cyber-risks are in constant evolution and the methodologies and tools to manage them must also evolve to adapt to this ever-changing environment. This evolution implies the need for a theoretical pillar to support new defense strategies. Theoretical models play an increasingly important role in network security and provide a scientific basis for high level security decision-making related. We understand a cyber-attack as a deliberate breach of computer systems with the intention of stealing digital assets, financial resources or disabling, wiping out or gaining control over them. And therefore an Intentional Cyber-Risk model should be able to assess the likelihood that a digital component, computer system, network or computer-operated infrastructure may be targeted, breached or exploited. A pattern started to emerge while working on ethical-hacking penetration-testing (a discipline that emulates the attacker’s methods and objectives to assess the cybersecurity preparedness of a company or organization), and after having hacked thousands of individual computer systems . If we already gained access to the internal network, we would generally find the next easiest step to gain control of the central databases. This was counter-intuitive since we expected these databases to be well protected. Most times the information contained in these databases was

1.2 A Mathematical Model for Managing Intentional Cyber-Risk

5

considered highly valuable and was defined as one of the main targets to assess by the company that ordered the test. Which is the reason for some of the most critical components of the network to generally be the weakest as well? An interesting possible answer emerged when we realized that the same properties of preferential attachment in scale-free networks that allowed PageRank to be accurate with incomplete information, could probably also allow us to define the level of risk in each node. This means that the more connected a node is (or the more accessibility a computer system has) the greater is the risk for it to be hackable. This first insight led to the idea of using complex networks as a way to capture the relationships between computer nodes and using this network’s properties to assess risk. In parallel we had been working within the framework of Game Theory to try to prioritize which attacks were more likely to occur. We built different scenarios of known risks and possible attacks. And even though it worked well for some cases, it was not something we could apply to assess a large network or multiple digital assets, because it could not be easily calculated at scale or automated. We then realized that by bringing the attributes from Game Theory into the topology of a complex network we could define a new and possibly better cyberrisk model. From our point of view, two theoretical elements configure the pillars for a suitable high-level mathematical cyber-security model. On one hand, Game Theory, based on the stability analysis of the John Nash equilibrium Intentionality management and, on the other hand, Complex Network Theory (structure and dynamics) that provides a (physical and logical) structure where the game is played. Game theory provides mathematical tools and models for investigating multiperson strategic decision-making where the players compete for limited and scarce resources. Since the agents (or Decision Makers) play either the role of the attacker or the defender. While Complex Network Theory let us build a representation of the digital networks where the agents fight. In order for this intentional cyber-risk model to be useful and applicable in analyzing real world computer networks, we established the following criteria: 1. all information required to generate the model should be easily and automatically obtainable by running network scanners and sniffers; 2. the calculated risk values should be intrinsic to the attributes of the network and require no expert estimates; 3. the network should be scale-free and able to collapse and expand from one node into millions of nodes without losing its fundamental properties; 4. the model should allow relative and absolute risk assessments and comparisons; 5. it should be able to model the inclusion of security and risk management controls as well as monitor real-time changes in security levels. The aim of this book is to present this cyber-risk management methodology (and tools) together with the scientific, mathematical and theoretical basis to support it. We present this management methodology by introducing the concept of intentionality as the backbone of cyber-risk management. This will allow security professionals better decision-making through real-time scenario analysis.

6

1 Intentional Risk and Cyber-Security: A Motivating Introduction

1.3 Incorporating Game Theory to Complex Networks To properly incorporate Game Theory, some fundamental concepts had to be extracted from it and then reapplied within a Complex Network model. The main concept to include was the notion of the attacker’s expected profit or benefit. To include this profit, it had to be broken down into three parts: 1. Expected Income (the cash-equivalent value for the attacker), 2. Expense (the estimated cost and effort of undertaking the attack), 3. Risk for the attacker (the risk of being caught and/or the potential consequences). First, Expected Income is expressed within this model as the total value contained in a computer, server, database, element or component within the computer network. The Value is determined by analyzing how much cash-equivalent value could attackers extract if they had unrestricted access to this node. This can be calculated by finding the price of data in black markets or by analyzing cash-equivalent market prices for a specific attacker benefit. This value is then assigned to one or several nodes in the Complex Network model. But even though the value may be stored at a single place (which we have named digital vault), it can be accessed by a collection of different computers, applications and users. Therefore part of the initial value gets distributed throughout the network depending on the number of links to the rest of the nodes, the level of privilege of each connection, and the distance or hops from the stored value. Second, the Expense for the attacker depends on how accessible the data is. Accessibility is our proxy to calculate how difficult and time consuming an attack will be. The less access there is to a node, the more expensive it will be to attack it. By adding the number of different IP Addresses that access a specific application, we can determine how accessible it is. We calculate the accessibility of technical users (developers, system administrators and even vulnerabilities fall into this category) and the accessibility non-technical users (other personnel or customers) separately. In the model, we assume technical user access have the authorization and knowledge to access the systems stored data, as well as to change the configuration or code in the computer systems. Technical user accesses are therefore considered much more higher risk in the model. It is important to remember that external attackers will normally impersonate legitimate users or systems; therefore, any technical connection could also be an attack. Both technical and non-technical accesses are then quantified by adding weights to the links and then using a slight variation of the PageRank algorithm which assigns a quantity to every element of the network (related to its centrality) and allows to sort them in a ranking. Finally, the potential attacker’s personal Risk is evaluated by two separate components. On one hand, the possibility of being identified, measured by Anonymity within the network, and on the other, the Deterrence potential, measured by the legal, economic or social consequences. Anonymity and deterrence are both part of the perceived risk by the potential attacker. This risk perception is then factored into the attacker’s risk/reward mental equation.

1.4 Static Risk, Dynamic Risk and New Algorithm Optimizations

7

Anonymity in the model is measured as the number of users who have access to that same computer application. The more users that access an application, the more anonymous they shall perceive themselves to be. Deterrence is determined by the contractual status, laws, jurisdictions and international treaties at the time and place of an attack. Therefore, it has been assigned a constant that is different for each environment, such as the Internet, wireless networks, contractor offices networks and internal networks. Each origin has a different initial perceived risk for the attacker. If the attacker is initiating his attack from abroad or through the Internet, his perceived anonymity will be very high and the potential of deterrence will be very low. Therefore deterrence perception will be very different for an external foreign hacker who perceives his risk as null, to the perception of an internal employee who has a binding contract, is using his own name to login and knows he is one of few that has access to a specific application.

1.4 Static Risk, Dynamic Risk and New Algorithm Optimizations While building the model and mapping different types of risk into it, a natural division became evident. We have since divided the potential risks into two categories: Static Risk and Dynamic Risk. Static Risk measures the probability for a user who has authorized access to a specific application to choose to abuse his access for personal gain. Therefore static risk measures the potential value that can be obtained from each node, as well as the accessibility and anonymity of authorized users. In Static Risk the main driver for the attacker is how accessible the value is and on the flip side, can be deterred by reducing anonymity. In Dynamic Risk the attacker manipulates and modifies the routes and computer systems to access his target value. It measures the most probable path to value through authorized or unauthorized accesses. It assumes an attacker will try to get to the most valuable node through the least number of hops through the network. It also assumes that the attacker will choose existing busy applications (highly accessible) over unused “easy to detect” connections. And finally, an unauthorized attacker will also prefer using privileged administrative access, exploiting critical remote-execution vulnerabilities and hopping to similar systems, over lowprivilege restricted access. Therefore this type of attack “creates” new links through exploiting vulnerabilities or system similarities. In Dynamic Risk, attackers are not deterred by anonymity since they can effectively erase their tracks or impersonate other users. The main driver for an attacker is the Value stored in the network. It is important to remark that several tools and algorithms presented in this book are based on the optimization of certain algorithms. For example, we specifically introduce a complete description of a new algorithm called max-path which is devoted to assign a specific value to each component of the network

8

1 Intentional Risk and Cyber-Security: A Motivating Introduction

(nodes and edges) by distributing the initial value of information assets (digital vaults), throughout the whole network. Moreover, several algorithms are needed to get accurate and applicable real-world scenarios, for example, to locate and optimize the places where we must put controls in order to manage intentional technological risk. At the present moment, the authors of this paper are working in a model for measuring the risk of suffering an intentional attack in a digital information system. In this model, a complex network is used to represent the system, where the nodes are the different components while the edges represent links between them. The attacker surfs on the complex network in order to get the valuable information contained in the system, but each jump from one node to another has its own cost depending on the characteristics of the target node and the corresponding link. Following the paradigm given by Game Theory, the focus is set on the motivating elements for the attacker. They are called anonymity (how easily the identity of the attacker is determined), accessibility (how easily the attack is carried out) and value (how profitable the potential attack is). A more detailed discussion about these topics may be seen, for example, in [28, 96, 97]. To conclude this introductory chapter, it is important to remark that this book aims to deliver a validated methodology for intentional security incident risks management. Our main proposal is to build a whole mathematical model based on Game Theory and Complex Networks Theory and its tools for a better understanding, management and identification of solutions to prevent and mitigate the risk of suffering intentional cyber-attacks in digital environments. We hope the following chapters to contribute towards this.

Chapter 2

Mathematical Foundations: Complex Networks and Graphs (A Review)

Abstract It is possible that the main approach to capture the global properties of complex systems is to model them as networks (graphs) whose nodes represent the units, and whose links stand for the interactions between them. This chapter is devoted to establish the main needed concepts on Graph Theory and Complex Networks we will use in building of our mathematical model.

2.1 Introduction 2.1.1 Complex Systems and Complex Networks Although the concept of a network roots back to Pythagoras (fifth/sixth centuries BC) in his theory of cosmos (κ o` σ μ oς ), the first book in networks appeared in 1936 (D. König: Theory of Finite and Infinite graphs (see [119])). The analysis of networks had one of its most critical and exciting moments in 1999 with the discovery of new types of graphs (small-world networks and scale-free networks) so-called complex networks. From that moment, complex networks have been used for modeling different systems of the real world and have attracted considerable interest due mainly to its study has been found to be very productive in science and technology. Many complex systems of the real world can be modeled using complex networks where nodes represent the different constituents of the system and edges depict the interactions between them. Different systems such as transport networks (underground, airline networks, road networks), communication networks (computer servers, internet), biochemical networks (metabolic, protein and genomic networks), social networks, infrastructure networks (electric power grids, water supply networks) and some others (including the World Wide Web) are known to have common characteristics in their behaviour and structure [6, 7, 16, 22, 54, 62, 77, 102– 104, 118]. The huge complexity of these objects stemming from their size and dynamics, requires new tools beyond classical graph theory, which have crystallized in the scientific area known as complex network analysis, that involves not only mathematical tools (including probability, dynamical system analysis, graph theory, matrix analysis and others), but also techniques coming from other fields (as statistical mechanics or computer sciences, to name a couple of them). So, the investigation on © The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_2

9

10

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

complex networks has attracted an increasing amount of attention from numerous research fields due to its applications to model complex systems within the real world. In the background of the elegant and efficient descriptions of very different complex systems is the general framework of modern graph theory [70, 72] initiated by Erdös [56]. Because of this reason complex systems can be studied using non-linear mathematical models and computer modeling approaches. In fact, complex networks provide a natural alternative for representing, characterizing and modeling the structure and non-linear dynamics of all discrete complex systems. The study of structural properties of the underlying network is very important in the understanding of the functions of a complex system as well as, for example, to quantify the strategic importance of a node (or set of nodes) in order to preserve the best functioning of the network as a whole. The improvements in computers performance in the last decades granted us the ability to analyze huge complex networks. The model introduced throughout joins together all the research on intentional attack risk modelled from complex networks concepts and tools and from previous research based on information accessibility (its value and the anonymity level of the attacker) carried out over the last 3 years. The original aim of this work is to locate and quantify the most susceptible elements (devices, links, accesses) within a digital communication network through the use of complex networks analysis advanced tools. It is therefore necessary to provide here an overview of key definitions and complex networks advanced tools we will use in the following chapters.

2.1.2 Holism vs Reductionism Complex networks are used since they are understood to be the appropriate environment to deal with the complexity of the Intentional Risk model. In this sense, the complexity concept related to interactions is relatively new. Around 35 years ago the main scientific line/thread used to be reductionism, whose approach considers it to be enough a detailed knowledge of every system component and its fundamental laws to be able to globally understand a system. Nevertheless, it is only possible if the system is lineal so that it can be broken down into the pieces it is composed by, analyzed piece by piece and joint back together to see how the set behaves. This is what happens with, for example, a salt crystal. In spite of the fact that it is composed by a massive amount of particles, it is a system susceptible to be studied from a physical approach since all the particles present an average behavior. In any case, most of the systems are non-linear (systems with thresholds that amplify little perturbations). For instance, we can perfectly know the way a neuron works but we are far from understanding how the brain behaves to carry out its tasks related to the memory or the language. Consequently, the complexity in a system does not only lay in the number of degrees of freedom (variables that

2.1 Introduction

11

describe the system) it has, it is also related to the non-linearity present in it and in the interactions among its components interaction structure. Complexity appears at the border between order and disorder, when a new qualitative and different from the elemental components of the system behavior emerges. For example, when a neuron receives a stimulus above a threshold, it can react in a chaotic way or in a periodic/regular way. However, if we connect just a few neurons, the result can be a synchronous electrical activity due to the synaptic interaction amongst them. Another of the features of the complexity in a system is related to the structure in which the elements it is composed by interact. For example, the nature of the structure in an average salt crystal helps to simplify the problem in the interactions among the atoms it is composed by assuming that each atom only interacts with the atoms next to it, leading into a meshed net structure (a tidy structure). A different type of simplification is applied when, for example, a star cluster is considered. In this case, we assume every star interacts with all the rest (fact that also enables a huge mathematical simplification within the interactions model). However, several real complex systems show a different connectivity pattern that does not allow such simplifications. For example, the physical connections among computers (Internet) presents a way more complex structure than the previous ones since the number of computers an average computer of the net is connected to is not uniform. The complex networks theory allows to model this type of systems since it is, in fact, a tool that enables the representation of the interactions within a complex system through a graph where every element of the system is represented by a node (computer) and the interaction between two of its elements corresponds to a link between them which we can easily represent graphically.

2.1.3 Complex Networks and Intentional Risk Differently from the existing security standards, intentionality complex networks aim to understand risk in a (global) holistic way in a net environment, an organization or even in a country. Analyzing the risk as a combined property in every element of the net, a way more efficient selection of effective controls is fomented. Intentionality complex networks are modelled through a graph, in which nodes are IP Addresses or IP:ports, and the edges or “links”. Among these elements appear the connections that ease the accesses. The edges are the basic elements that configure the paths or routes in the net. The main difference between the graph theory (combinatoria) and the complex networks theory lays in both: the size (smaller for the graph and bigger for the net) and in the parameters and tools employed to analyse its structures. The fact that the size is smaller for the graph and bigger for the net makes it compulsory to have extra care with the complexity of the algorithms that will be employed. Finally, it shall be highlighted that complex networks theory is based on the observation of the elements (in this case IPs and IP:port) that integrate a system and on their interactions. Once we have observed their behavior and translated it into entrances able to be registered in a data-base,

12

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

we obtain predictive models that can be applied to both: Technology (where the behavior of the system is the result of the interaction between several elements) and Biology (in the inside of the cell the elements have a defined mission they constantly repeat). In can be applied even to Social Sciences. In this last sentence, it must be highlighted that social networks, or friendship networks have turned into the paradigm of a new net type known as multiplex networks. With the Intentionality complex networks we intend to extrapole this explicative capacity to hundreds of thousands or millions of nodes, aiming to model the intentional access risk to valuable information by potential attackers.

2.2 Basic Concepts on Graphs and Networks 2.2.1 The Origins From a schematic point of view, a complex network (or a graph) is a mathematical object G = (X, E) composed by a set of nodes or vertices X = {1, . . . , n} that are pairwise joined by links or edges belonging to the set E = {1 , . . . , m }. This kind of representation may appear simple but, as we will see, it has an enormous potential, since some problems become simpler and more treatable if they are represented as a graph. Graph theory, the mathematical scaffold behind network science, has its origins in a problem, solved by Euler in 1736, known as the “Königsberg Bridge Problem” (Fig. 2.1). The Königsberg bridge problem asks if the seven bridges of the city of Königsberg over the river Pregel can all be traversed in

Fig. 2.1 “The Königsberg bridge problem”

2.2 Basic Concepts on Graphs and Networks

13

a single trip without doubling back, with the additional requirement that the trip ends in the same place it began. This problem was answered in the negative by Euler, and represented the beginning of graph theory. Euler hit upon the idea of using four nodes to represent each of the four land areas separated by the river as nodes, distinguishing them with letters A, B, C, and D. Next he connected with lines each piece of land that had a bridge between them. In this way he built a graph, whose nodes were the pieces of land and links were the bridges. Once the city was represented as a graph, the Königsberg Bridge Problem can be reformulated as follows: is it possible to find a path between two nodes for which every link appears exactly once? Such path is called an Euler walk in graph theory. Now it is needed to introduce some new concepts and notations: In a graph, two vertices are called adjacent (or neighbors) if they are connected by an edge. The number of neighbors of a node i, denoted by ki , is its node degree. So, the degree of a node is the number of links the node shares with its neighbors and which are available for routing purposes. Euler proved that any graph with n nodes and m links satisfies that ∑ni=1 ki = 2m. Hence, the sum of degrees is even and, consequently, the number of nodes with odd degree is even. Well, having in mind this result, it is not difficult to show that, if w is the number of nodes of G with odd degree, then if w > 2, then no Euler walk exists. On the other hand, if w = 0, there are Euler walks starting from any node. Finally, if w = 2 Euler walks only exist starting from one of the odd nodes. Therefore, since the underlying graph of the Königsberg Bridge Problem had four nodes with odd degree, there was no solution to the problem, that is, no Euler walk exists. So, in this sophisticated and elegant manner, Euler gave the first example of how small changes (i.e., adding or removing one bridge) may have global consequences (in this case, the existence or not of Euler walks) (see Fig. 2.2).

Fig. 2.2 A “solution” for Königsberg’s inhabitants

14

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

2.2.2 Graphs vs Networks As we have said, a complex network (or a graph) is a mathematical object G = (X, E) where X = {1, . . . , n} is the set of nodes of G, and E = {1 , . . . , m } is the set of links (or edges) of G. The term “complex network”, or simply “network”, often refers to real systems while the term “graph” is generally considered as the mathematical representation of a network. Some authors consider that there are some differences between the graph theory and the complex networks theory. These differences lay mainly in the size (smaller for the graph and bigger for the network) and in the parameters and the tools employed to analyze both structures. Following this idea, we will talk for example, about a graph of twelve nodes and about a network of five hundred nodes. Specifically, the fact that the size is smaller for the graphs and bigger for the networks makes it compulsory to have an extra care with the complexity of the algorithms that will be employed. In any case, in the sequel, we will use the terms “graph” and “network” interchangeably. For example, the union of two networks G = (X, E) and G = (X  , E ) is the union of their node and edge sets: G ∪ G = (X ∪ X  , E ∪ E ). When V and V  are disjoint, the union G ∪ G is referred to as the disjoint union. Similarly, the intersection of two networks G = (X, E) and G = (X  , E ) is G ∩ G = (X ∩ X  , E ∩ E ). It may be noted that we will assume implicitly that in any network there are no self-loops or multiple links between its nodes (i.e., more than one link between two specific nodes).

2.2.3 Matrices, Degrees, Link Density and Some Interesting Graph Families The adjacency matrix of a graph G = (X, E) is a way to determine the graph completely. The adjacency matrix A(G) = (aij ) of G = (X, E) is defined by the conditions  1 if {i, j} ∈ E aij = (2.1) 0 if {i, j} ∈ / E. Obviously, ∀i ∈ {1, . . . , n} we get that aii = 0 (since there are not self-loops). On the other hand, the degree of a node i can be now easily calculated by the expression ∑nj=1 aij . A node with a high degree can be considered as being well connected and a node with a relatively low degree can be considered weakly connected. In the sequel, we will denote by δ (G) the minimum node degree of the nodes of G, by Δ (G) the maximum node degree of the nodes of G and by k =

1 n ∑ ki n i=1

(2.2)

2.2 Basic Concepts on Graphs and Networks

15

the average degree calculated over all the nodes of G. Now, it is easy to get that k = 2m n . The degree of an individual node and the minimum, maximum and average degree over all the nodes are standard characterization metrics in graph theory. If all the nodes of G are pairwise adjacent, then G is called complete and a complete network of n nodes is denoted by Kn . Note that a complete network with n nodes has exactly n(n−1) edges. The graph K3 is called a triangle. 2 Given a network G = (X, E) where X = {1, . . . , n} and E = {1 , . . . , m }, it is n(n − 1) obvious that the number of edges of G is at most . The link density of G is 2 defined by the equation

Δ=

2m . n(n − 1)

(2.3)

Obviously, the link density of a network takes values within the interval [0, 1], where Δ 1 means the network is sparse, Δ  1 means the network is dense, and Δ = 1 means the network is the complete network of n nodes. A bipartite network is a network whose nodes can be divided into two disjoint sets U and V, X = U ∪ V such that every link connects a node in U to one in V. If ∀u ∈ U and ∀v ∈ V there is an edge connecting u and v, the bipartite network is called complete, and if U = {1, . . . , r}, and V = {1, . . . , s}, the complete bipartite network G = (X, E) = (U ∪ V, E) is denoted by Kr,s . In Fig. 2.4 some complete bipartite networks are represented. In general, a network G = (X, E) is called q-partite if X admits a partition into q classes such that every edge has its ends in different classes: nodes in the same partition class must not be adjacent. Obviously, if q = 2 we have a bipartite network. A q-partite network in which every two nodes from different partition classes are Fig. 2.3 Some directed networks

16

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

Fig. 2.4 Some examples of complete bipartite networks

adjacent is called complete. A complete bipartite network such that the set U has r elements and the set V has s elements is denoted by Kr,s . A star is a complete bipartite network such that one of the classes has exactly one element. A star of n nodes is denoted by Sn . A regular network is a network whose nodes have exactly the same degree (i.e., the same number of neighbors). A regular network with nodes of degree k is called a k-regular network. The incidence matrix of G is a n×m matrix I(G) = (bij ) defined by the conditions  bij =

1 if 0 if

i ∈ j i∈ / j .

(2.4)

2.2.4 Directed and Weighted Networks So far we have implicitly assumed that the relationship between nodes is symmetric, i.e., if there exists an edge ij between the nodes i and j implicitly we have assumed the existence of the edge ji = ij . But this situation does not apply in the general case. This may be the situation if, for example, a link represents geographical proximity (if a node A is close to another node B, then B is also close to A). However, in many cases the connections between nodes are asymmetric since the edge runs only in one direction. When this happens, we say that the link is directed (Fig. 2.3). Networks composed of directed edges are referred to as directed networks or digraphs. Likewise, those networks without directed edges are called undirected networks. Obviously, the adjacency matrix A(G) = (aij ) of an undirected network G is symmetric, i.e., ∀i, j ∈ {1, . . . , n} aij = aji . Nevertheless, this is not the case

2.2 Basic Concepts on Graphs and Networks

17

of a directed network: In a directed network the adjacency matrix is not necessarily symmetric, i.e., it may happen that there exists a link between two nodes i −→ j such that its “inverse” j −→ i does not exist and, in such a case, aij = 1 whilst aji = 0. Notice that an undirected network can be represented by a directed one having two edges between each pair of connected nodes, one in each direction. Understandably, if the network is directed, the degree of a node is twofold. We have the so called out-degree of the node (i.e., the number of outgoing edges), n

kiout = ∑ aij ,

(2.5)

j=1

and the in-degree of the node (i.e., the number of ingoing edges), n

kiin = ∑ aji .

(2.6)

j=1

Hence, as in the context of directed networks the degree of a node i has two components (kiin , kiout ), the total degree of a node i is defined as ki = kiin + kiout . Edges can also carry weights to measure the capacity or the intensity of the relationship between two nodes. Examples of this situations are the existence of strong and weak ties in social networks or unequal traffic on the Internet. These networks are better described as weighted networks, i.e., networks in which each edge has associated a value measuring the strength of the relationship, and in these cases we consider the so called weights matrix W = (wij ) whose entry wij is the weight of the edge from node i to node j. So, a weighted (directed or undirected) network is a triplet G = (X, E, W) where (X, E) is a (directed or undirected) network and W = (wij ) is the weights matrix of G (Fig. 2.5). Fig. 2.5 Adjacency matrices of a non-directed and a directed network

18

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

2.2.5 Metric Structure, Connectedness, Geodesics and Some Other Concepts Once we have introduced the concept of complex networks as the main object of the complex network analysis, we should give the basic parameters used in the literature in order to analyze these objects. There are plenty of mathematical functions that help to study and classify the behavior of complex network structure (see, for example [22, 61]), including metric parameters, clustering, spectral functions and dynamical parameters among many others. In the rest of this chapter we will put mainly the stress in some metric and spectral functions that we will use to analyze the structure of a complex network. The metric structure of a complex network is related to the topological distance between nodes of the network, written in terms if walks and paths in the graph. A walk (of length k) in G is a non-empty alternating sequence {i1 , 1 , i2 , 2 , . . . , k−1 , ik } of nodes and edges such that r = ir , ir + 1 for all r < k. If i1 = ik , the walk is closed. A path between two nodes is a walk through the network nodes in which each node is visited only once. A cycle is a closed walk that starts and ends at the same node, in which no edge is repeated. A cycle of n nodes is denoted by Cn . C3 is a triangle. To see the difference between paths and walks, consider any two adjacent vertices not part of a cycle. Then there is exact one path between the two vertices i.e. the edge between them, but there exists an infinite number of walks between them. For example, {i1 , 1 , i2 , 2 , i1 , 1 , i2 , 2 , i1 } is a walk from i1 to i2 of length 3. Specifically, paths do not allow repetition of vertices while walks do. In any case, we will say that a node j is reachable from another node i if there exists a walk connecting them. On the other hand, by using the adjacency matrix A(G), we can obtain the number of k-length walks from one node to another. More specifically, it is not difficult to check that the number of walks of length r from i to j, equals the (i, j)th entry of the rth power of the adjacency matrix A(G)r . If it is possible to find a path between any pair of nodes the network is referred to as connected ; otherwise it is called disconnected. A tree is a connected graph in which any two vertices are connected by exactly one path. The length of a path is the number of edges of that path. If i, j ∈ X a geodesic between i and j is a path of the shortest length that connects i and j. The distance dij between i and j is the length of a geodesic between i and j. The maximum distance D(G) between any two vertices in G is called the diameter of G. By nij we will denote the number of different geodesics that join i and j. If v ∈ X is a node and  ∈ E is a link, then nij (v) and nij () will denote the number of geodesics that join i and j passing through v and  respectively. The length of a cycle is, obviously, its number of edges (or nodes). The minimum length of a cycle (contained) in a graph G is the girth g(G) of G. The maximum length of a cycle in G is its circumference. If Y ⊆ X is any set of nodes, then G(Y) denotes the network on Y whose edges are precisely the edges

2.2 Basic Concepts on Graphs and Networks

19

of G with both ends in Y. A network H = (Y, F) is a subnetwork of G = (X, E) if Y ⊆ X, F ⊆ Y and the edges in F connect nodes in X. A connected component is a maximal connected subgraph of G. Two paths connecting the same pair of vertices in a network are said to be vertex-independent if they share none of the same vertices other than their starting and ending vertices. A k-component is a maximal subset of the vertices of a network such that every vertex in the subset is connected to every other by k independent paths. For the special cases k = 2, k = 3, the k-components are called bi-components and three-components of the network. For any given network, the k-components are nested: every three-component is a subset of a bi-component, and so forth. To close this section, we think it is opportune to mention the concept of algebraic connectivity which was introduced in [60]. This measure, which depends on both the number of nodes and their respective configurations, indicates the level of connectivity in the graph [80, 92, 132]. So, the larger the algebraic connectivity is, the more difficult it is to cut the network into disconnected parts.

2.2.6 Characteristic Path Length, Efficiency and Vulnerability of a Network The characteristic path length is defined as L(G) =

n n 1 1 djk = djk . ∑ ∑ n(n − 1) j=1 k=1 n(n − 1) j =∑ k∈X

(2.7)

k =j

This parameter give us a way of measuring the performance of a network (the bigger is L(G) the smaller is its performance), but in order to use it as a measure of performance, it has a problem because of errors and attacks, networks can become disconnected. In fact, if the distance between two nodes is infinite, L(G) becomes infinite. The concept of efficiency, introduced by Latora and Marchiori in [87] is a well defined quantity also for non-connected networks. The efficiency of a network G is defined as E(G) =

1 1 . ∑ n(n − 1) i,j∈X dij

(2.8)

i =j

The concept of network’s vulnerability appears in different contexts. A series of different approaches from several branches of knowledge have been introduced to quantify the vulnerability of a complex network [1, 5, 14, 17, 20, 22, 23, 32, 40, 42, 69, 71, 75, 85, 121, 135]. In fact, what must be understood by the concept of network’s vulnerability depends on the context in which that term is used [34]. For example, it is commonly understood that a structure is vulnerable if any small

20

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

damage produces disproportionately large consequences [2, 3, 12, 75, 98, 99]. In general, the concept of vulnerability in a network aims at quantifying the network security and stability under the effects of all that kind of disfunctions. In classical graph theory, the term vulnerability is related to a lack of resistance of the graph to the deletion of nodes and edges [14], i.e., how the topology of a network is affected by the removal of a finite number of links and/or nodes. This point of view matches up with another approach to the concept of vulnerability, the structural vulnerability which aims to study the way in which the topology of a network is affected by the removal of a finite number of links and/or nodes. In the context of classic graph theory the analysis of vulnerability is carried out by studying different versions of the connectivity of the graph [14, 72, 104]. In any case, it is important to point out that from a strictly complex networks analysis perspective, the concept of vulnerability lies on statistical graph measures and numerical models (simulation) in order to study complex (large) networks and their susceptibility to damage by errors and attacks [5, 17, 20–22, 32, 33, 40–43, 74, 83, 84, 86]. An alternative way to analyze connectivity is by considering the number of nodeindependent paths between two vertices or, in the same way, to the minimum number of other vertices in the network that must fail in order for those two vertices to become disconnected from one another [72, 89, 104]. In this approach, it is considered the impact of nodes and edges destruction in terms of potentially disconnecting the network. Several results related to structural vulnerability (minimal number of edges and/or nodes whose removal disconnects the network) can be found in [52, 53, 60, 65, 89], and a broader and more detailed approach to this concept can be found in [34].

2.2.7 Clustering Coefficient The clustering coefficient of a node indicates how concentrated the neighborhood of that node is. From a sociological point of view, clustering measures the acquaintance property of the network, where two nodes with a common neighbour are likely to connect each other, i.e., they form a triangle [130]. Specifically, Watts and Strogatz define in [131] the local clustering coefficient Ci for a vertex i as the proportion of links between the nodes within its neighbourhood (i.e., between the neighbours of i) divided by the number of links that could possibly exist between them: Ci =

2ti ki (ki − 1)

(2.9)

i.e., the number of triangles in which node i participates normalized by the maximum possible number of such triangles, where ti denotes the number of triangles around i (if the degree of node i is 0 or 1, we which gives us Ci = 00 , we can set Ci = 0). Hence Ci = 0 if none of the neighbours of a node are connected, and Ci = 1 if all of the neighbours are connected. The clustering coefficient C(G) for the whole network G is the average of the local values Ci :

2.2 Basic Concepts on Graphs and Networks

C(G) =

21

1 n ∑ Ci . n i=1

(2.10)

By definition 0 ≤ Ci ≤ 1 and 0 ≤ C ≤ 1. The average of Ci taken over all nodes with a given degree k is the so-called clustering coefficient of a connectivity class k. Alternatives measures of the clustering properties of a network G = (X, E) are the transitivity T [15, 101, 102] whose value is given by the formula: T(G) =

3 × (number of triangles in G) , (number of connected triples of nodes in G)

(2.11)

i.e., the fraction of connected triples of nodes (triads) which also form triangles, and the local efficiency of G [83, 87] defined as: Eloc (G) =

1 n ∑ E(Gi ). n i=1

(2.12)

where E(Gi ) is the efficiency of Gi , the subnetwork formed by the neighbours of the node i. The differences between C(G) and T(G) are illustrated in [83, 102]. The clustering coefficient is one of the most interesting parameters used in complex networks analysis. In [61] a panoramic view of the main existing measurements of complex networks can be found.

2.2.8 Finding Out the Critical and the Most Influential Nodes: Eigenvector Centrality The use of spectral methods in networks and graph theory have a long tradition. Eigenvector centrality is a concept often used in social network analysis and was first proposed by Bonacich [25]. Addressed more precisely, we can say that eigenvectorlike centralities were introduced in sociology to measure the influence of each actor in a social group, taking into account the immediate effects, the mediative effects and the global effects of the social interaction [25], but they are also useful in many other applications such as the web search engines like Google. In this sense, it is remarkable that Google uses a similar centrality ranking technique (called PageRank) to rank the relevance of hyper-linked pages in search results [27]. In order to clarify this concept, as we will see below, the eigenvector centrality of a node is proportional to the sum of the centrality values of all its neighboring nodes, so eigenvector centrality is defined in a circular manner. In the social-network context, an important node (or person) is characterized by its connectivity to other important nodes (or people). A node with a high centrality value is a well-connected node and has a dominant influence on the surrounding network.

22

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

In an overall perspective, spectral graph theory studies the eigenvalues of matrices that embody the graph structure. One of the main objectives in spectral graph theory is to deduce structural characteristics of a graph from such eigenvalue spectra. Among other applications, these methods are used in the study of the measures of vulnerability based on the fall of connectivity. In addition, spectral analysis has a lot of applications too numerous to be collected here. For example, spectral analysis allows characterizing models of real networks [90, 113], determine communities [105], to find the edges which connect different communities and remove them in a iterative form, breaking the network into disconnected groups of nodes [10, 66] and even visualizing networks [115]. To introduce the eigenvalue spectra of a network some additional concepts are needed. The characteristic polynomial det(xI − A(G)) of the adjacency matrix A(G) is called the characteristic polynomial of G. The eigenvalues of A(G) (i.e., the zeros of det(xI − A(G)) are also called the eigenvalues of G. If μ is an eigenvalue of G, then a non-zero vector V ∈ Rn satisfying A(G) · V = μ · V, is called an eigenvector of A(G) for μ ; it is also called a μ -eigenvector. The relation A(G) · V = μ · V can be interpreted in the following way: if V = (v1 , . . . , vn )t , where the superscript t denotes the transpose of V (i.e., the column vector V t ) then for any node i we have that μ · vi = ∑j∼i vj , where the summation is over all neighbours j of i. If μ is an eigenvalue of G, then the set {V ∈ Rn : A(G) · V = μ · V} is a linear subspace of Rn , called the eigenspace of G for μ . On the other hand, since A(G) is a real symmetric matrix, it is important to point out that all the eigenvalues of G are real. Moreover, Rn has a basis {V1 , . . . , Vn } of n normal eigenvectors of 1A(G) (see, for example, [30]). The set of eigenvalues of A(G):

σ (A(G)) = {μ1 (G), μ2 (G), . . . , μn (G)},

(2.13)

μ1 (G) ≤ μ2 (G) ≤ . . . ≤ μn (G)

(2.14)

where

is called the “spectrum” of G. Many authors have studied the algebraic aspects of spectral graph theory (see, for example,[18, 30, 48–50, 64, 67, 68, 79, 80, 92–95, 122]). The eigenvalue spectra of a network provide valuable information about the behaviour of many dynamical processes running within the network, but in this section we only consider the applications of spectral analysis to static networks. For example, in [49] it is shown that diameter D(G) of a network satisfies D(G) ≤ r − 1 where r is the number of distinct eigenvalues. The largest eigenvalue of the adjacency matrix μn (G) is called spectral radius of G. This eigenvalue is usually denoted by ρ (G). It is important to remark that for ρ (G), since A(G) is non-negative, there exists an eigenvector whose all entries are non-negative.

2.2 Basic Concepts on Graphs and Networks

23

This eigenvalue of A(G) has received the most attention in this context, since this quantity refers to the speed of growth of walks in the graph (the number of walks of length k is, approximately, ρ (G)k ) [30]. A nice and useful property is given by the following inequality [49]: 

Δ (G) ≤ μn (G) = ρ (G) ≤ Δ (G),

(2.15)

where Δ (G) is the maximum node degree of G. It is important to highlight that the spectral radius of G plays an important role in modelling virus propagation in computer networks. The smaller the largest eigenvalue, the larger the robustness of a network against the spread of viruses. 1 In fact, the epidemic threshold in spreading viruses is proportional to ρ (G) [128]. Another example that remarks the importance of ρ (G) is given by the Bonacich centrality of G [25, 26, 36] (measure based on the eigenvectors associated to the spectral radius of G) generally known as eigenvector centrality. The eigenvector centrality is calculated by using the adjacency matrix A(G) = (aij ) to find central nodes in the networks. Let V = (v1 , . . . , vn ) be a vector whose ith element vi represents the centrality (normalized) measure of node i. Let N(i) the set of neighbours of node i in the network G. Eigenvector centrality is defined using the following formulas: vi ∝

∑

vj ,

(2.16)

j∈N(i)

which can be rewritten as n

vi ∝= ∑ aji vj ,

(2.17)

j=1

which can be rewritten in the form A(G) · v = μ · v.

(2.18)

Since A(G) is a n × n symmetric matrix, it has n eigenvectors and n (not necessarily distinct) corresponding eigenvalues. The classical way to compute the eigenvalues of A(G) is to find the roots of the characteristic polynomial det(xI − A(G)) of A(G). The principle eigenvector is the eigenvector associated to the spectral radius ρ (G). After the principle eigenvector is found, its entries are sorted from highest to lowest values to determine a ranking of nodes. The most central node has the highest rank and most peripheral node has the lowest rank. So, in any network the connectivity of a node depends on the connectivity of its neighbours, and eigenvector centrality can help capture this property. It is remarkable that the main drawback of this measure is that it can only be calculated in a centralized way. To close this section it is important to remark that some new developments related to eigenvector centrality have been recently introduced in

24

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

the literature (see, for example, [112]). Moreover, there exist many interesting and recent publications related to critical element detection in a graph-theoretic setting (see, for example, [11, 123, 124, 127]). And finally, it is also remarkable that in the last decade there exists a trend towards generalizing centrality classes which may perhaps play a significant role in the context of cyber-security (see, for example, [47, 59, 78, 111, 125]).

2.2.9 Information Flow Management: Betweenness Centrality Another approach to the study of network’s centrality is based on the idea that critical nodes and links stand between others, playing the role of an intermediary in the interactions or in the communications. So, the greater the number of paths in which a node or edge participates, the higher the importance of this node or edge for the network. Thus, assuming that the interactions follow the shortest paths between two vertices, it is possible to quantify the importance of a node or an edge in terms of its betweenness centrality. Node betweenness was first proposed by Freeman [63] in 1977 in the context of social networks. This concept has been considered more recently as an important parameter in the study of networks associated to complex systems [102]. Girvan and Newman [66] generalize this definition to edges and introduce the edge betweenness of an edge as the fraction of shortest paths between pairs of vertices that run along it. Specifically, the betweenness centrality is related to the concentration of the geodesic structure throughout the network. The node betweenness centrality B(G) of a network G [63] is:  B(G) =

 1 ∑ bi , n i∈X

(2.19)

where bi is the betweenness of the node i ∈ X (see, for example [106, 130]) given by bi =

nkj (i) 1 ∑ nkj , n(n − 1) k,j∈Xi =j

(2.20)

where nkj is the number of different geodesics that join k and j, and nkj (i) is the number of geodesics that join k and j passing through i. The maximum betweenness of the network G is Bmax (G) = max{bi : i ∈ X}.

(2.21)

2.2 Basic Concepts on Graphs and Networks

25

The same parameters can be defined for edges exactly in the same way as before, obtaining the edge-betweenness BE (G)  BE (G) =

 1 ∑ b . m ∈E

(2.22)

where, in the same way as before, b is the betweenness of the link  ∈ E given by b =

nij () 1 ∑ nij n(n − 1) i,j∈Xi =j

(2.23)

and the maximum edge betweenness centrality BEmax (G) = max{b :  ∈ E}.

(2.24)

A remarkable relationship between the characteristic path length L(G) and BE (G) as it is shown in [20] is the following:   njk () 1 1 BE = ∑ b = |E| ∑ ∑ njk |E| ∈E ∈E j,k∈X   1 1 = ∑ njk ∑ njk () . |E| j,k∈X ∈E Notice that if Pjk is the set of all geodesics joining j and k then one has njk () =

∑

χg (),

(2.25)

g∈Pjk

where ωg () is 1 if  belongs to the geodesic g and 0 otherwise. Hence if dj,k denotes the distance between j and k in the network then 1 1 BE = ∑ |E| j,k∈X njk 1 1 = ∑ |E| j,k∈X njk 1 1 = ∑ njk |E| j,k∈X





∑ njk ()



∈E



∑ ∑ ωg ()



g∈Pjk ∈E

∑

g∈Pjk

dj,k

 =

n(n − 1) L(G) |E|

and therefore BE (G) measures essentially the same global properties than the characteristic path length L(G).

26

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

2.2.10 Degree Distributions The degree distribution of a network G = (X, E) is a function P(k) which give us the probability of finding a node in G with degree k. In other words, P(k) is referred to the fraction of nodes having degree k. So, P(k) = N(k) n , where N(k) is the number of nodes whose degree is k. Obviously, by using the degree distribution of G, we can get another expression for the average degree of G: k =

1 n 2m . ki = ∑ k · P(k) = ∑ n i=1 n k

(2.26)

It is remarkable that this concept is the simplest and most studied one-node feature that we can find in a network, an it is used as the basis for network topological characterization. Information on how the degree is distributed among the nodes of an undirected network can be obtained either by plotting P(k), or by the calculation of the moments of the distribution. The -moment of P(k) is defined as k = ∑ k · P(k).

(2.27)

k

So, the first moment k1 = k is the average degree of G, the second moment k2 (degree variance) measures the fluctuation of the connectivity distribution of G, the third moment k3 is the degree skewness and the fourth moment k4 is the degree kurtosis. On the other hand, if the network is directed, the degree of a node is twofold. We have the so called out-degree of the node (i.e., the number of outgoing edges), n

kiout = ∑ aij ,

(2.28)

j=1

and the in-degree of the node (i.e., the number of ingoing edges), n

kiin = ∑ aji .

(2.29)

j=1

Consequently, in the directed case, we need two distributions P(kout ) and P(kin ) to describe the network.

2.3 Some Interesting Complex Networks Models

27

2.3 Some Interesting Complex Networks Models 2.3.1 Random Networks Paul Erdös (1913–1996) is indeed the most prolific mathematician in history after Euler. He published around 1500 articles in his lifetime about many branches of science: graph theory, probability theory, set theory, classical analysis, approximation theory and number theory. Standing out, especially, the development of Ramsey theory and the application of the probabilistic method. However, Erdös is famous by his eccentricities: all his life was travelling between scientific conferences and the homes of colleagues all over the world. Erdös and his colleague Alfred Rényi started working on graphs to understand the structure of social networks. In other words, Erdös and Rényi, having in mind the original motivation of analyzing, by means of probabilistic methods, the properties of networks as a function of the increasing number of random connections, were the first to study this kind of mathematical objects. To tackle this issue, they focused on the so-called random graphs [55], in which the existence of an edge between a pair of nodes has probability p. This implies that, given a network with n nodes, the average degree is: k = p · (n − 1) ∝ p · n

(2.30)

and the number of random connections between them is 1 1 L = p · n · (n − 1) = k · n. 2 2

(2.31)

Now, given a random graph with n  1 nodes and average degree k = p · (n − 1) fixed, the probability of a node having degree k is   n k k k P(k) = p (1 − p)n−k  e−k , k k!

(2.32)

where the approximation becomes exact when n → ∞ but k remains fixed. In other words, the degrees of a random graph follow a Poisson distribution [22, 24, 129]. As it is known, a Poisson distribution has a well defined mean value indicating that all nodes have “essentially” the same number of links. Nodes on either sides of the peak may have many more or fewer links than the average node, but these nodes are extremely rare since the distribution rapidly diminishes for values far from the mean. In random graphs, the probability that two neighbours of a node are connected is the probability that two randomly chosen nodes are linked. Then, the clustering coefficient is simply C=p∼ =

k

1, n

(2.33)

28

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

which means that large scale random networks have no clustering in general. On the other hand, if the average degree in a random graph is k , every node has approximately k neighbours. Then, since each neighbour has in turn other k neighbours, every node has (approximately) k 2 second neighbours. Extending this argument, the number of links n needed to reach all nodes in the network can be roughly estimated by the condition: k n ∼ n,

(2.34)

and, in that circumstances, ∼

log(n) , log(k )

(2.35)

which implies that the average distance in a random network is rather small, even for very large networks. It is remarkable that we can carry out this calculation because the clustering is small. In a network with large clustering a node i does not have k 2 second neighbours, since many of those second neighbours are also themselves neighbours of i. As a consequence, the number of second nodes will be (possibly) much smaller.

2.3.2 Small-World Model In the last years, several models of complex networks have been proposed after the pioneering idea of random graph model of Erdös-Rénji [55, 56] such as the smallworld model of Watts and Strogatz [131]. The main reason for this was the discovery that real networks like the Internet graph have characteristics which are not explained by uniformly random connectivity. Specifically, the small-world property indicates that the network diameter is much smaller than the number of nodes or, in other words, most vertices can be reached from the others through a small number of edges, like in social networks. The term small world was introduced by Watts and Strogatz [131] in their study of various real-world networks, such as the network of Hollywood movie actors. In [131] the average distance (or characteristic path length), which measures global distances in a network, and the clustering coefficient, which is a measure of “cliquishness” of neighbourhoods in a network, are introduced. Watts and Strogatz [131] proposed a small-world model based on a rewiring procedure of the edges of a regular network with a probability p. The WattsStrogatz algorithm starts with a regular network with n nodes arranged in a ring. Each edge is randomly rewired with probability p. Varying p from p = 0 to p = 1 the transition between the regular network and randomness can be monitored and, by for example, for a small rewiring probability the network clustering coefficient scarcely differs from its initial value, but the characteristic path length downfalls

2.3 Some Interesting Complex Networks Models

29

rapidly and is of the same order as that of random networks. So, Watts and Strogatz created the first model that conciliated the existence of a large clustering with a small diameter or characteristic path length. In [8] diverse real-world networks are studied, arising three classes of smallworld networks, namely scale-free, broad scale and single scale networks.

2.3.3 Scale-Free Networks In many real world networks the degree distribution does not follow a Poissonlike distribution (for instance the world-wide web, electric power grid, network of world airports), but instead does follow a power law, i.e., P(k) = ak−γ where a is a constant and γ is a positive exponent (this exponent, empirically varies between two and three for the majority of the real world networks). Having a P(k) that has a decaying tail in the power law means that the vast majority of nodes have low degree and that there exist few nodes, the so-called hubs, that have an extremely high connectivity. A network with degree power law distribution is called scale-free. This model was introduced in 1999 by Barabási and collaborators [4, 13] in 1999, after verifying that the degree distribution of some complex systems follows “power laws” instead of being Poisson-like distribution and, additionally, many systems are strongly clustered with a big number of short paths between the nodes, i.e., they obey the small world property. Scale-free networks usually emerge in the context of a growing network in which new nodes prefer to connect to the highly connected nodes in the network. When there are constraints limiting the addition of new edges, like aging of the nodes or cost of adding edges to the nodes or the limited capacity of a node, then the broadscale or single-scale networks appears [8]. One of the most frequently used graphical methods of identifying power-law probability distributions using random samples are log-log plots. This method consists of plotting the logarithm of an estimator of the probability that a particular number of the distribution occurs versus the logarithm of that particular number. Usually, this estimator is the proportion of times that the number occurs in the data set. If the points in the plot tend to “converge” to a straight line for large numbers in the x axis, then the researcher concludes that the distribution has a power-law tail. A power-law function can be expressed as a polynomial p(x) = ax−γ where a and γ are constants and γ is called the power-law exponent. A power law distribution has no peak at its average value and is a relatively slow decreasing function, but the main property of power laws is their scale invariance, i.e., if we substitute the argument x by the same argument multiplied by a scaling factor c we get a proportionate scaling of the function itself, i.e., p(cx) = a(cx)−γ = c−γ p(x) ∝ p(x), which means that they are proportional and therefore it preserves the shape of the function itself. Moreover, by taking logarithms the following linear relation is obtained log p(x) = log a − γ log x (Fig. 2.6).

30

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

−k

P(k) = e

P(k) = k−C

m=c

Fig. 2.6 A visual comparison between random and scale-free networks

The model proposed by Barabási and Albert [13] is based on two observed facts in real networks: networks expand continuously by the addition of new vertices, and new vertices attach preferentially to sites that are already well connected. The model starts with a small number of nodes at step t = 0, and at every time step a new node is connected to a number of nodes of the existing graph. The probability of the new node to be connected to an existing node depends on the degree of that node, in the sense that nodes with higher degree have stronger ability to grab links added to the network. As we have said, a typical value for the degree power-law exponent in the majority of real networks is 2 ≤ γ ≤ 3. The Barabási-Albert model produces a degree power-law distribution with exponent γ = 3, meanwhile the Watts-Strogatz and the Erdös-Rénji follow a Poisson distribution. Related to this, it is important to introduce the concept of network’s assortativity as another fundamental property of networks. This feature measures the degreedegree correlation between nodes. In assortative networks, most edges connect nodes that exhibit similar degrees (nodes aristocracy). On the other hand, disassortative networks are such that high-degree nodes are connected to low-degree nodes. For a survey of all the previous network properties and more we refer the reader to [22].

2.4 New Approaches and Developments of Interest for Our Model

31

2.4 New Approaches and Developments of Interest for Our Model 2.4.1 When Edges are More Important than Nodes: Line Graph and Related Concepts The choice of the proper network representation for a given problem and its associated tools may determine our ability to use network theory successfully. In some cases there is a natural representation of the problem using networks. In other cases, the chosen representation can help us to solve the posed problem. For example, sometimes it seems appropriate to give more importance to the edges of a network than to its nodes in the context of certain networks and graphs. An example of this comes from urbanism where sometimes the streets of a city are represented by the nodes of the graph, and the intersections between them as the links [44–46, 110]. Distribution networks constitute another example of this situation. The appropriate object to support this point of view is the line graph L(G) (also called dual graph) as it has been shown in the context of urbanism above and transport networks [9, 126] or urban traffic [76]. To study this kind of problems the concept of line graph is introduced in a natural way. The line graph associated to G = (V, E) is the network L(G) = (E, L) whose set of nodes is the initial set of edges of the graph G, with the assumption that two such nodes  and  are connected by the edge {,  } if on the initial graph G the edges  and  share some node. So, the line graph of the “claw graph” K1,3 is the triangle C3 , the line graph of the cycle Cn is itself, and the line graph of the star graph Sn is the complete graph Kn−1 . In any case, it is remarkable that line graphs have been studied for more than 80 years, although this concept has been rediscovered several times throughout this period of time, with different names such as the adjoint graph, derived graph or edge-to-vertex dual [73]. The first time this concept appears in the literature was in 1932 [133]. Of course, many properties of a graph G that depend only on adjacency between edges may be translated into equivalent properties in L(G) that depend on adjacency between vertices. For instance, the line graph of a connected graph is connected since if G is connected, it contains a path connecting any two of its edges, which translates into a path in L(G) containing any two of the vertices of L(G). However, a graph G that has some isolated vertices, and is therefore disconnected, may nevertheless have a connected line graph. More relevant is the following property: If a graph G has an Euler cycle, that is, if G is connected and has an even number of edges at each vertex, then the line graph of G is Hamiltonian, i.e., a graph possessing a Hamiltonian cycle (a Hamiltonian cycle in graph G is a cycle that passes through all its nodes exactly once). At this point it is remarkable that there are no known (non-trivial) conditions that would be necessary and sufficient for the existence of a Hamiltonian cycle in a graph.

32

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

On the other hand, line graph has been considered for networks (graphs with many nodes and edges) only in a reduced number of studies an applications. Particularly, networks are commonly used in the analysis of urban and territorial cases, for example, if we are looking for the places or streets inside a city that are more important—or more frequented—than others due to their geographic situation. As it was shown in [110], the study of centrality in complex networks within the context of urban design based on the primal graph representation give us similar results than the corresponding analysis made using its associated line graph. A natural question then arises: given G and L(G) and some certain parameter (such as efficiency, centrality, clustering, betweenness, etc.) can we estimate the value of this parameter on G (respectively, on (L(G)) if we know its value on L(G) (respectively, on G)? As we will see, in some cases the answer is “Yes”. The point is that sometimes it may be easier to work with L(G) instead of G, or conversely. The bipartite network B(G) associated to G is defined by B(G) = (X ∪ E, E(B(G))) whose adjacency matrix is given by  A(B(G)) =

 0 I(G) , I(G)t 0

(2.36)

where I(G) is the incidence matrix of G. It is shown that  A(B(G))2 =

A(G) + gr 0 0 A(G ) + 2Im

 ,

(2.37)

where A(G)+gr = IG IGt denotes the matrix obtained by adding to A(G) the diagonal matrix (bij ) where (bii ) is the degree of the vertex vi , and L(G) denotes the line (or dual) network associated to G [70, p. 26]. Observe that the equality IGt IG = AL(G) + 2Im , where Im is the identity matrix in Rm , trivially holds. On the other hand, as it is shown in [36], if we know the Bonacich centrality c(L(G)), we can recover c(B(G)) and reciprocally. If, in addition, G is regular then each of the three centralities can be recovered from any of the other. On the other hand, it is not difficult to get the relationships between the metrics in G, L(G) and B(G) established in the following propositions (see [70, p. 302] if needed): Proposition 2.1. Let i, j and i , j be two pair of nodes in G = (V, E) joined respectively by the edges  = {i, j}  = {i , j } and such that  =  . Then, the distance in L(G) = (E, L) between the edges  and  is dL(G) (,  ) = 1 + dG ({i, j}, {i , j }), where dG is the Hausdorff distance between the sets {i, j} and {i , j }, i.e. dL(G) (,  ) = 1 + min{dG (i, i ), dG (i, j ), dG (j, i ), dG (j, j )}.

(2.38)

2.4 New Approaches and Developments of Interest for Our Model

33

Proposition 2.2. Let B(G) the bipartite graph associated to G = (V, E). Then for every i, j, k, i , j ∈ V (i) dB(E) (i, j) = 2dG (i, j), (ii) dB(G) (i, {j, k}) = 1 + 2 min{dG (i, j), dG (i, k)}, (iii) dB(E) ({i, j}, {i , j }) = 2dL(G) ({i, j}, {i , j }).

Now, having in mind that the adjacency matrix of a directed network (digraph) → − → − → − G = (V, E), also denoted by A( G ), is the n × n dimensional (0, 1)-matrix A( G ) = (aij ) determined by the conditions:  aij =

1 if (i, j) ∈ E 0 if (i, j) ∈ / E.

(2.39)

and the bipartite network B(G) associated to G is defined by B(G) = (V ∪ E, E(B(G))) whose adjacency matrix is given by  − = AB(→ G)

− 0 H→ G t T→ 0 −

 ,

(2.40)

G

→ − − is the incidence matrix of heads of G defined by where H = H→ G  Hij =

1 if j = (i, −) 0 otherwise,

(2.41)

→ − − is the incidence matrix of tails of G defined by and T = T→ G  Tij =

1 if j = (−, i) 0 otherwise

(2.42)

Definition 2.1. Given a graph, G, the line graph associated to G, denoted by L(G), is the graph whose vertices are the edges of G, while (i , j ) is an edge in L(G) if i and j share a node in G (G is now the primal graph of L(G)). It is easily checked that  (AB(G) ) = 2

0 AG + D 0 AL(G) + 2Im

 ,

(2.43)

34

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

where AG + D denotes the matrix obtained by adding to AG the diagonal matrix D = bij and bii is the degree of the vertex i. Whenever there is no risk of confusion AG will simply be denoted by A. Also   − A→ 0 2 G − ) = (AB(→ (2.44) G) − → − , 0 A→ L (G) → − → − where L ( G ) denotes the directed line network (line digraph) associated to the → − →→ − − → − directed network G , i.e., the digraph L ( G ) whose vertices are the arcs E( G ) of → − → − → − G , while (e, f ) is an arc in L ( G ) if the end of e coincides with the origin of f (Fig. 2.7). − → − )2 is simpler than (AB(G) )2 . Remarkably (AB(→ L ( G )) If now G is an undirected graph, we will denote by D(G) the associated symmetric digraph obtained by replacing each edge of G by an arc pair in which the two arcs are inverse to each other. Observe that AG = AD(G) . Using this idea, there is an alternative definition for the line graph associated with G that has received → − relatively little attention: the directed line graph L (D(G)). In any case the networks we are working on are mainly directed networks and therefore the linegraph we will → − → − refer in the next chapters is L ( G ). A more detailed and in-depth work about this topic may be found in [36, 37]. Fig. 2.7 An example of the line-graph of an undirected network (on the left) and for a directed network (on the right)

2.4 New Approaches and Developments of Interest for Our Model

35

2.4.2 Multilayer Networks In the last few years network scientists have directed their attention to the multiplex character of real-world systems, and explicitly considered the multi-layered nature of networks (see, for example, [19, 38, 81]). In [19] a comprehensive review of both structural and dynamical organization of a network made of diverse relationships (layers) between its constituents may be found. That review covers several relevant issues, from a full redefinition of the basic structural measures, to understanding how the multilayer nature of the network affects processes and dynamics. Complex systems incorporate multiple channels of connectivity and communication. Multilayer networks incorporate explicitly multiple channels of connectivity and constitute the natural environment to describe systems interconnected through different categories of connections in such a way that each channel (relationship, activity, category) will be represented by a layer and the same node or entity may have a different kinds of connections (different set of neighbors in each layer). For instance, in social networks, one can consider several types of different actors’ relationships: friendship, vicinity, membership of the same cultural society, etc. In such a case, the adequate representation is a multilayer network, where nodes interact through multiple layers of links to properly encompass those topological properties of heterogeneous-type systems which couldn’t be captured by the classical single-layer network representation. Following [19], a multilayer network is a pair M = ({G1 , · · · , GL }, {Eij ⊂ Xi × Xj , i, j ∈ {1, · · · , L}, i = j}) where {G1 , · · · , GL } is a family of (directed or undirected, weighted or un-weighted) graphs Gk = (Xk , Ek ) (called layers of M ) and each Eij ⊂ Xi × Xj , i = j is the set of interconnections between nodes of the layers Gi and Gj . Note that if L = 1 the multilayer network M is a classic complex network that we call a monolayer network. If M is a multilayer network, there are two monolayer networks associated to M . The projection network of M is the graph proj(M ) = (X, E) where X=

L  k=1

 Xk ,

E=

L 

k=1

 Ek







 Eij .

(2.45)

1≤i =j≤L

Note that the projection network proj(M ) is the monolayered vision of the multilayer network M . In addition to the projection network, the interconnection network of M is the graph inter(M ) = (Y, F), where Y = {1 , L } and

F = (i , j ); Eij = 0/ .

(2.46)

This monolayer network inter(M ) takes into account the (interlayer) connection between layers in the multiplex network M , since each node of inter(M ) represents each layer of M and two layers are connected in inter(M ) if there are interlayer connection between the corresponding layers of M .

36

2 Mathematical Foundations: Complex Networks and Graphs (A Review)

x1 x4

x2

G3

x3 x1

x2

G2

x3

x4 x1 x4

x2 x3

G1

Fig. 2.8 A multiplex network with three layers

It is important to remark that the concept of multilayer network extends some objects introduced in the literature, specifically, a multiplex network is a special type of multilayer network in where X1 = X2 = · · · = Xk = X and the only possible type of inter-layer connections are ones in which a given node is connected to its counterpart nodes in the other layers, i.e., Eij = {(x, x); x ∈ X} (Fig. 2.8). In [19, 81] we can find a more detailed and in-depth review about these new concepts and their related topics.

Chapter 3

Random Walkers

Abstract There are several papers where the classical description of random walkers on a graph and on a network are given (Tetali, J Theor Probab 4:101–109, 1991; Wilson, Introduction to graph theory, vol 111. Academic, New York, 1972) although applications to networks with complex topology are quite more recent (Noh and Rieger, Phys Rev Lett 92:118701, 2004; Yang, Phys Rev E 71:016107, 2005). In this chapter we will review the main subjects related to random walkers we will need to introduce the concept of Accessibility in order to build our mathematical model in both contexts: Static Risk and Dynamic Risk. Moreover, we provide a review of the random walker basics. We also introduce the Markov chain mathematical model as a tool in order to ease the study of random surfers’. And finally, we present its applications to the computation of Accessibility in the context of Static and Dynamic Risk.

The random walker concept constitutes one of the most useful tools used in Statistical Mechanics in the study of Complex Systems and Networks. Therefore it is not a surprise that this tool can be employed in the computation of some basic magnitudes in Intentional Risk Analysis (Static and Dynamic). Let us remember that the Static Risk estimate is based on the computation of three basic magnitudes (Anonymity, Accessibility and Value) for each element of the network. Each one of these magnitudes is computed by employing different algorithms. In the case of Accessibility we intend to calculate the edge relevance in terms of accessing information resident on the network. In the Static and Dynamic Risk models some specific algorithms have been developed in order to compute the different parameters to achieve our environmental goals as independently and efficiently is possible, in such a way that parameters to be set off from network’s structure and functionality instead of relying entirely on arbitrary decisions. Accordingly, in relation to Accessibility, the relevance of each element in the network has been chosen as the methodology of study to be applied in both Static and Dynamic Risk. In order to achieve this goal, the use of random walkers is one of the most powerful and versatile tools employed in the context of complex networks analysis, showing its usefulness particularly to study Accessibility in the context of this book.

© The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_3

37

38

3 Random Walkers

This chapter is meant to provide a review of the random walker basics as well as to introduce the Markov chain mathematical model as a tool which facilitates to study the random surfers’ and applies it to Static and Dynamic Risks. In the first section of this chapter we will give an intuition about the random walker concept, leaving the rigours of mathematical work to the next sections. In addition, we will present some more general models of random walkers (random walkers on multiplex networks and customization matrices), since these more sophisticated new random walker types could be employed to analyse the Intentional Risk more precisely.

3.1 An Introduction to Random Walkers Roughly speaking, a random walker in a network G = (X, E) is a process which develops as follows: 1. In the initial instant t = 0, a node x0 is randomly-chosen and we will place ourselves on it. 2. If in the previous instant we had chosen a node x, in the next instant we move in a random way to another node of X being an immediate neighbour of x. In other words, if in the instant t we were in the node xt , in the next instant t + 1 we choose a node xt+1 in such a way that the edge xt → xt+1 is an edge of G = (X, E). 3. We repeated the process indefinitely for t = 1, t = 2, . . . In this way, we get a node sequence x0 , x1 , x2 , · · · that could be though as the path would follow a drunken man who moves randomly through the network. The critical key to understanding this process is the meaning of “we randomly move” and depending on the type of random movement we will get a specific random walker or another. In order to fix ideas, now we consider a very specific example to illustrate what a random walker means for us. Let us consider the (non directed) network of 14 nodes given in Fig. 3.1. In order to build a random walker, we follow the previously described process, i.e.: Fig. 3.1 A first random walker example

3.1 An Introduction to Random Walkers

39

1. In the initial instant t = 0, a node x0 is randomly-chosen. For example, we choose x0 = 6 we put ourselves on it. 2. Now, once we have fixed x0 = 6, in the next instant t = 1 one of the neighbours of x0 = 6 has to be chosen. In this case, the neighbours (the directly connected nodes with x0 = 6) are the nodes 1, 2, 3, 4, 8, 9, 10 and 11. But the key point is: How can we choose one of those nodes randomly ? There are several ways to do it: by assuming all of them have the same probability to be chosen, by assuming that the probabilities of even nodes’ are greater than the probabilities of odd nodes’, by choosing in each case the node labelled with the smaller number, etc. Each criterion to randomly choose the next node will give us a different random walker. Intuitively, once we are on the node x0 = 6, we have to choose a dice (possibly loaded, with all its sides equal or otherwise) in order to choose a new node amongst the neighbours of x0 , in such a way that the random walker we are building will depend on the dice we have choose. The simplest and more natural case consists of to choosing the node amongst the neighbours of x0 in such a way that all of them have the same probability of being chosen (uniform probability distribution). This form of picking out just one of the eight neighbours of x0 would correspond to choosing it by using an eight-sided nonloaded dice (because all of them have the same probability to be chosen). The dice must be eight-sided since the node x0 = 6 has eight neighbours, the nodes: t1, 2, 3, 4, 8, 9, 10 and 11. Following this criterion we choose, for example, the node x1 = 2 and we now move from the node x0 = 6 to the node x1 = 2. 3. Once we are on the node x1 = 2, we follow the same criterion and we randomly choose (with a uniform probability distribution) a new neighbour of x1 = 2. The node x1 = 2 only has three neighbours, so the new choice will be done by throwing a three sides dice. We take, for example x2 = 5, and consequently we now move from the node x1 = 2 to the node x2 = 5. 4. We repeat the process with x2 in order to obtain x3 , after x4 and so on . . . As result of this process we obtain, for example, the sequence of nodes 6, 2, 5, 2, 7, 10, 6, 9, 12, · · · . This is an example of a uniform random walker. It is called uniform because when we have chosen a node xt , the next node xt+1 is randomly chosen amongst the neighbours of xt in such a way that every neighbour of xt has the same probability to be chosen. Most of the scientific literature has been centered around this type of random walkers, so that when we read in the literature something about (“random walkers” ) in fact it is referred to uniform random walkers. On the other hand, a biased random walker is in which the choice of the neighbour of xt is done by employing a loaded dice in such a way that some neighbours can be more likely chosen than the rest. It is at this point that we have to remark that, roughly speaking, a random walker on a network G = (X, E) is no more than the trajectory we can draw on the network, by starting in a randomly selected node and following randomly the

40

3 Random Walkers

different edges of the network. As we will see, this simple process gives us a very valuable information about the specific network or complex system we are studying, and it can be studied in detail by using sophisticated mathematical tools. A more general class of random walkers are the so-called random walkers with spectral jump. These type of process, in addition to being able to navigate through the edges of a network, sometimes we can be teleported to new nodes of the network which are not directly connected with the current node by an edge. This kind of process can be described as follows: 1. In the initial instant t = 0, a node x0 is randomly-chosen. 2. In the next instant t = 1 we choose between two options: we can navigate through the edges of the network (as in the previous case already described) or, on the contrary, we select to be teleported to another node of the network. Specifically, at the beginning of each turn we flip a coin to decide if we are going to navigate through the edges of the network or, on the contrary, if we are going to be teleported to other nodes. This coin, in general, includes an associated probability p ∈ [0, 1] to obtain the up-side of the coin (probability corresponding to navigate through the edges ) and a probability 1 − p to obtain the down-side of the coin (probability corresponding to be teleported to other nodes ). 3. One we have made a choice between navigate through the edges (and nodes) of the network or, on the contrary, to be teleported to another node in this turn t + 1, two cases are possible: (a) If we are bound by the result to navigate through the edges, we have to choose a new node amongst the neighbours of xt , according to the explained process (uniform random walkers, biased random walkers, etc.) in order to choose the next node x, t + 1. (b) If we are bound by the result to be teleported in this turn t + 1, we randomly choose a node xt+1 amongst all the nodes of the network. This node will be the destination of our teleportation. This jump from xt to xt+1 , whose associated probability is p is called spectral jump. In order to randomly choose the node xt+1 we would need a dice with as many sides as nodes has the network G. This dice could by a loaded dice or a well balanced dice. From a mathematical point of view, the form to describe this dice is the following: If the network G = (X, E) has n nodes, the n -sided dice which let us permit to choose the destination of each spectral jump is in fact a vector (p1 , p2 , · · · , pn ) ∈ Rn in such a way that pi is the probability to be teleported to node i when we are executing the spectral jump. This vector is called personalization vector of the random walker. By using this dice we are teleported to a node xt+1 . 4. We repeat indefinitely the two previous steps obtaining a sequence of nodes x0 , x1 , x2 , · · · , in such a way that two consecutive nodes may be connected by an edge (if we have chosen the step corresponding to navigate) or not (if we had chosen to be teleported in that turn).

3.1 An Introduction to Random Walkers

41

To fix ideas, if we work on the network of Fig. 3.1 and we build a random walker with spectral jump, first of all we fix the probability p (the probability corresponding the choice to be teleported at the beginning of the turn). We can take, for example, p = 2/3 (i.e., one of each three turns we choose to be teleported and the other two we will navigate following the edges of the network). Once fixed this value p = 2/3: 1. We randomly choose a node in the instant t = 0. For example, we take x0 = 9 and we move there. 2. At the beginning of the turn t = 1, we must choose between navigating through the edges or to be teleported. So, we flip a coin that tell us navigate (with a probability of 2/3) and be teleported (with a probability of 1/3). Let us suppose that the result is navigate. Therefore we randomly choose (uniform, since in this case the random walker is not biased) one of the neighbours of x0 = 9. We take, for example, x1 = 5 and we move there. 3. At the beginning of the turn t = 2, we must choose between navigating through the edges or to be teleported. We flip a coin that with a probability of 2/3 tell us navigate and with a probability of 1/3 tell us be teleported. In this case the result is be teleported. Hence we randomly choose (uniform in this case, since we take (1/14, · · · , 1/14) ∈ R as personalization vector) any node of the 14 nodes of the network (not necessarily connected with). We take, for example, x2 = 12 and we move there. 4. We repeat the process for the instants t = 3, 4, · · · obtaining the sequence 9, 5, 12, 9, 2, 6, 10, 12, · · · . Once the concept of biased or uniform random walker, with or without spectral jump is understood, it is necessary to take the appropriate next conceptual step. If we have a random walker, the sequence of nodes we are building in each turn will depend on the choice of the nodes we are making in each case. In other words, if we fix a random walker type in a fixed network G = (X, E) (for example, a uniform random walker without spectral jumps) and we repeat the random walker process 100 times (i.e, we obtain 100 different sequences corresponding to 100 random walkers of the same characteristics), obviously we will get 100 different sequences. However, if we compute how often each node of the network appears in each one of that sequences, the frequency of all the nodes will be the same in all the random walkers developed. This remarkable fact recover the “primitive philosophy” of Statistical Mechanics: Although randomness be present in the sequence of nodes obtained in a random walker, if the node i appears twice as often as the node j, every other random walker we develop in G = (X, E) with the same characteristics (uniform or not uniform, with spectral jump or without spectral jump, with the same value of p, etc.), the frequency with which the node i appears will be the double of the frequency with which the node j appears. In other words, whatever chaos and stochastic noise we have in a complex system, we can find the underlying order. In short, in any type of random walker the most important element is the frequency with which each node appears, because this fact is independent from

42

3 Random Walkers

each particular development of the random walker. On the other hand, the frequency with which each node appears give us very valuable information about the nodes of the network, thanks to the principle known as Random Walker Hypothesis. This principle is one of the foundations of PageRank algorithm employed by Google. It can be stated as follows:

Random Walker Hypothesis: If we move on the network in a random way, we will pass more often through the more accessible nodes.

As we have said, this is the idea behind the PageRank algorithm employed by Google, because the strategy it employs is to build a network whose nodes are the web pages and whose edges are the hyperlinks between them, and a random walker is computed (originally, an uniform random walker, but a biased random walker was subsequently used by Google) doted with spectral jump [27, 82, 108]. Other uses of this principle will let us compute the Accessibility in the context of Intentional Risk (for both the static risk and the dynamic risk). In any case it is remarkable that one of the basic problems related to random walkers is the following:

Problem. Given a network G = (X, E) and a random walker on G, how can we compute the exact frequency each node appears in the random walker sequence?

The provision of an appropriate response to this problem is not, a priori, an easy task. The difficulty to compute the frequency of each node lies in the fact we would have to compute infinite steps of the random walker and, moreover, to be completely sure, we would have to compute several sequences of nodes (with different starting points and choosing in each case the infinite sequence xt ). In the following section we will see how we can mathematically solve this problem by using Markov chains. Finally, it is important to remark that exist many other types of random walkers in networks and structures, including the memory usage, continuous-time random walkers and a long etcetera, including nice results about their properties. For example, in [29], where the power law behavior of PageRank scores in scale-free directed random graphs is analyzed, it is studied the distribution of PageRank on a directed configuration model and it is shown that as the size of the graph grows to infinity, the PageRank of a randomly chosen node can be closely approximated by the PageRank of the root node of an appropriately constructed tree. For more details about random walkers see [114] and the references it contains.

3.2 Different Mathematical Models of Random Walkers

43

3.2 Different Mathematical Models of Random Walkers In this section we are going to introduce the mathematical tools used in the random walkers study described in the previous section. Basically the technical tools proceed from the stochastic processes study, from a mathematical point of view a random walker on a network G = (X, E) is a discrete-time Markov chain [100]. We briefly recall the mathematical concepts related to Markov chains and random walkers. For a more in detail review see [100] (see also [82, 91]).

Definition 3.1. A discrete-time Markov chain is a sequence of aleatory variables (Xn )n∈N = (X1 , X2 , · · · ) in such a way that for each n ∈ N, the distribution of Xn+1 only depends on the value of Xn .

Each discrete-time Markov chain has a transition matrix P = (pij ) associated in such a way that n

P(Xn+1 = j) = ∑ pij P(Xn = i).

(3.1)

i= 1

The underlying idea behind this mathematical formalism coincides with the random walker concept we have seen in the previous section, because the transition matrix P = (pij ) can be interpreted as follows: given the nodes i and j, pij is the probability the random walker go from the node i to the node j in a certain instant. Therefore, from a mathematical point of view, the random walkers are Markov chains with different transition matrices. In particular, we can establish the following definitions:

Definition 3.2. Let G = (X, E) be a network with n nodes X = {1, . . . , n} whose adjacency matrix A = (aij ) is given by  aij =

1, if there exists an edge i → j in G, 0, otherwise.

(3.2)

A random walker without spectral jumps in G = (X, E) is a Markov chain whose random variables Xi can have the values 1, 2, · · · , n in such a way that the transition matrix P = (pij ) for each 1 ≤ i, j ≤ n is given by the expression pij = f (i, j)aij ,

(3.3) (continued)

44

3 Random Walkers

Definition 3.2 (continued) where f : X × X −→ [0, +∞) fulfills n

∑ f (i, j) = 1

(3.4)

j=1

for every 1 ≤ i ≤ n. We will say that the random walker is homogeneous if for each 1 ≤ i, j ≤ n we have that f (i, j) =

1 n

∑ aik

,

(3.5)

k=1

whilst we will say that the random walker is biased if Eq. (3.5) is not fulfilled for any 1 ≤ i, j ≤ n.

As in the previous definitions pij is proportional to aij , this implies that when we are on the node i, the random walker can only move to one of the neighbours of i, and therefore in this model the spectral jumps are not included. On the other hand, if we are working with a uniform random walker, the value pij leads in practice to choose the neighbour of i following the uniform case (i.e., all the neighbours have the same probability). For the case of biased random walkers, we can talk about the entropy they generate and this entropy is related to the entropy of the underlying complex network [116].

Definition 3.3. Let G = (X, E) be a network with n nodes, X = {1, . . . , n}, A = (aij ) its adjacency matrix, a value 1 ≤ p ≤ n and a personalization vector v = (v1 , · · · , vn ) ∈ Rn such that: (i) vi ≥ 0 for each 1 ≤ i ≤ n, n

(ii)

∑ vi = 1.

i=1

A random walker with spectral jumps and personalization vector v in G = (X, E) is a Markov chain whose random variables Xi may have the values 1, 2, · · · , n and in such a way that the transition matrix P = (pij ) is given for each 1 ≤ i, j ≤ n by the expression pij = pf (i, j)aij + (1 − p)vj .

(3.6) (continued)

3.2 Different Mathematical Models of Random Walkers

45

Definition 3.3 (continued) The random walker will be a uniform random walker if for every 1 ≤ i, j ≤ n we have additionally that f (i, j) =

1 . ∑k aik

(3.7)

In this case, it is remarkable that the transition matrix can be decomposed as P = pN + (1 − p)T, where N = (nij ) = (f (i, j))ij corresponds to the random walker’s movements in which it is navigating through the edges of the network, whilst ⎛

v1 ⎜ v1 ⎜ T =⎜ . ⎝ ..

v2 v2 .. .

··· ··· .. .

⎞ vn vn ⎟ ⎟ .. ⎟ . ⎠

(3.8)

v1 v2 · · · vn is the corresponding matrix to the movements that consist in be teleported. With this model, widely studied in the literature since that it is the basis of the PageRank algorithm of Google [27, 82, 108], the probability to be teleported to a node j is the same independently of the node i we are on in that instant. An extension of this model considers that the probability to be teleported to a node j will be different depending on the node i in which the random walker is placed in that moment. This makes sense if we consider the interpretation of a spectral jump in the context of the PageRank algorithm. The underlying idea is the Random Walker Hypothesis : The more relevant webpages are those that are more frequently visited by a random walker, moving himself through the network erratically. This random navigation through WWW can be done basically through the hyperlinks we can find in each webpage (modelled by using the matrix N), albeit sometimes, when the navigator gets tired to do the search in one direction, it continuous the navigation by starting from another webpage possibly away from the webpage it is placed at that moment: this change of mind is modelled by the matrix T which give us the probability to jump to each node j. For example, it is reasonable to assume that if the random walker is on a Spanish webpage and then makes a spectral jump to another page, the new webpage be a Spanish webpage, whilst if the random walker is on a Chinese webpage, the new webpage he prefers to jump be a Chinese webpage. Therefore in the spectral jump (as it happens in the navigation through the network structure) the probability of the destination node depends on the node where the random walker is currently. For this reason a more general model must have in account this fact. That is the case of the random walkers with spectral jumps with a personalization matrix ˜ whose transition matrix is P = pN + (1 − p)T, ˜ where T,

46

3 Random Walkers

⎛

v11 ⎜ v21 ⎜ T˜ = ⎜ . ⎝ .. vn1

v12 · · · v22 · · · .. . . . . vn2 · · ·

⎞ v1n v2n ⎟ ⎟ .. ⎟ , . ⎠

(3.9)

vnn

satisfying that for each 1 ≤ i, j ≤ n we have that vij is the probability to be teleported from the node i to the node j, in the case that a spectral jump must be made. Hence, for each 1 ≤ i, j ≤ n the condition 0 ≤ vij ≤ 1 is satisfied, and n

∑ vij = 1

(3.10)

j=1

for every 1 ≤ i ≤ n. This matrix T˜ is called personalization matrix of the random walker. The really remarkable of Markov chains theory is that we can compute exactly the frequency we pass through each node with the following theorem, whose proof can be found in [91, 100]:

Theorem 3.1. Let G = (X, E) be a network and a random walker on G whose transition matrix is P. In this conditions, if wi is the frequency by which the random walker pass through the node i for each 1 ≤ i ≤ n and we consider the vector w = (w1 , w2 , · · · , wn ) ∈ Rn , we have that Pwt = wt , where wt is the transpose vector of w (i.e., the vector w put in a column instead of in a row). Therefore wt is an eigenvector of the matrix P whose associated eigenvalue is λ = 1.

The major advantage given by this theorem consists in reducing the computation of the frequencies of each node to the computation of an eigenvector of the matrix P, and this problem has been solved widely as from a theoretical point of view [91] as from a computational point of view [109]. There exist many other alternative random walkers in complex networks, but we should point out here the random walkers in multiplex networks due to their potential applications to the Intentional Risk Analysis. Although we have introduced this concept in Sect. 2.4.2, let us recall some of the main characteristics of this kind of networks (multiplex networks ). When we are modeling real world systems, one of the recent (and principal) decades achievements has been the usage of complex networks [22]. From communications networks to neural networks (as the brain) passing through biological and social networks, the use of statistical mechanics tools

3.2 Different Mathematical Models of Random Walkers

47

Fig. 3.2 A two-layered multiplex network

have been specially useful. A way to build a more general model is to consider that all the links (connections, edges) are not necessarily of the same type (homogeneous systems), but can be different types of links, each one corresponding to a level or layer. For example, if we want to model our social interactions as a network, each person would be a node and two nodes will be connected by an edge if they have interacted with each other. Using the classical model of complex networks it would be impossible to distinguish between the different kinds of social interactions (relatives, neighbours, coworkers, etc.). In order to overcome this limitation a new potent theory is currently developing around the so-called multiplex networks [19], which consist in networks characterized by its edges are distributed amongst several layers. It can be said, in a more rigorously form, a multiplex network is a set of networks Gi = (X, Ei ) (called network’s layers ) whichhave the same set of nodes X. An example of a two-layer (1 and 2 ) multiplex network can be see in Fig. 3.2. These kind of networks have shown to be very useful to get new and more precise information about real-world networks as social networks, biological networks and communications networks [19], and it is nowadays one of the hot points of Complex Networks Analysis that is currently developing by scientific communities. New types of random walkers have been considered in the context of multiplex networks [51, 112, 117]. All of them are analogous to the processes already described in previous subsections, although in each turn, firstly we have to decide in which layer the random walker is placed, being it possible to change between the several layers either to follow navigating in the current layer. An example of a random walker in a three-layer multiplex network is illustrated in Fig. 3.3. More details about the transition matrices and the specific modellization of this kind of random walkers can be obtained in [19, 51, 112]. This idea on navigation through different layers may be useful to model random navigations through the network by using various navigation modes, in function of (for example) different user profiles, in such a way we can define a generalized PageRank by using multiplex networks [117]. Moreover, as we will see in the next section, this random walker model can be very useful to model Dynamic Risk, i.e., we could consider a two-layered multiplex network where a layer corresponds to the authorized accesses and the other corresponds to the potential vulnerability or affinity accesses.

48

3 Random Walkers

Fig. 3.3 A random walker in a three-layered multiplex network

3.3 Applications to Intentional Risk Analysis The use of random walkers in the Intentional Risk Analysis Model [97] is the key piece in the Accessibility study, in the context of both Static Risk and Dynamic Risk. In this section we will present how it is possible to use the random walkers model by using Markov chains in the context of Intentional Risk.

3.3.1 Accessibility and PageRank In Static Intentional Risk analysis we depart from a licit (lawful) connections network obtained after a sniffing, in such a way that for each connection between two nodes we have the explicit registered frequency between them [97]. Based on this information, the accessibility of each element is calculated as the frequency of a uniform random walker with spectral jump in the weighted networks of licit connections where the weights correspond to the number of connections between elements. At this point, several considerations must be taken: 1. If we apply directly the number of times that the random walker pass through each node, as we have explained in previous paragraphs, we are calculating the accessibility of each node, whilst in our model [97] it is needed to calculate the accessibility of each edge. In order to solve this problem two equivalent solutions are proposed in [31]. In both cases, it is needed to introduce a PageRank algorithm for the directed and weighted Line-Graph joint to its relation to the PageRank of the original weighted network. This solution is perfectly suitable with the model we are presented here and all the results may trivially adapted to the PageRank Algorithm for line-graphs, understanding this algorithm as a random walker in the corresponding line-graph.

3.3 Applications to Intentional Risk Analysis

49

2. The spectral jump and the personalization vector interpretation in the uniform random walker consist in considering each teleportation as the end of a communication and the beginning of another communication started in another point of the network (and not as a jump in the communication). This is the reason we propose the personalization vector to distinguish between two different types of nodes: The connections-generator nodes and the non connections-generator nodes. In this way the connections-generator nodes corresponds to elements in which the connections of the system start (Internet accesses, effective accesses of internal staff, etc.), whilst the non connections-generator nodes correspond to the elements where the communication is processed, but none of them starts any connection. The idea is to use personalization vectors v = (v1 , · · · , vn ) ∈ Rn such that if we take a node i from the network, then vi > 0 if i is a connectionsgenerator node, whilst vi = 0 if i is a non connections-generator node. In this way when a spectral jump is made (identified with the end of a connection and the beginning of a new connection), we will jump to a node that effectively can generate a new connection. In order to obtain more reliable results, the value of vi must always be proportional to the number of connections generated by the node i. 3. A more sophisticated alternative consists of calculating the accessibility in the Static Intentional Risk analysis as the frequency of each node in the list of an uniform random walker with spectral jumps based on a personalization matrix. This would suppose that the end of a specific connection on a point of the network (corresponding to a spectral jump) determine the starting point of the new connection. Following the same philosophy underpinning the previous cases, the personalization matrix T = (vij ) should verify the following properties  vij =

> 0, if j is a connections-generator node, 0, if j is a non connections-generator node.

(3.11)

4. The accessibility could be also modelled as the frequency of each node in the list of an uniform random walker without spectral jumps in a two-layered multiplex network. One of the layers would model all the registered connections by the sniffing and the other would model the connections produced due to a spectral jump. The interpretation of this second layer would be as a layer of ending and starting connections.

3.3.2 Dynamic Risk, Random Walkers and Multiplex Networks In Static Intentional Risk analysis, we consider the accessibility of each connection zero cost because the accesses have been by the structure of the network. In the case of Dynamic Intentional Risk each connection or non-designed access increase will entail a cost for the attacker who is seeking access to the valuable information. For a

50

3 Random Walkers

hacker, each new hop in the network increases the cost (effort) and his own risk. This increase in cost results in the following: If we want to model the accessibility as a random walker, this random walker must take into account the cost and the loss or gain of potential profits of each movement entails before going on to the next step of the random walk. This requires the accessibility to be modelled as a biased random walker with spectral jumps, since the random walker will mainly go to the nodes which have an optimal cost/benefit ratio. But, how can we model the potential cost/benefit of each movement of the attacker? In order to study the cost of each movement, we must distinguish between two types of connections: the licit connections detected by the sniffing in the Static Intentional Risk analysis, and the new potential connections that may be established (due to the existence of vulnerabilities or the existence of affinities between two elements). Therefore the cost of the first type of connections is much lower than the second, since first type of connections are given by the structure of the network, whilst the attacker must explore and establish the second type of connections. Related to the potential benefit of each hop through the network, as the attacker’s target is to access to the information placed in the vaults, we think it is reasonable that the random walker is conditioned to make movements approaching to the vaults, avoiding to make movements drifting away from the attacker’s purpose. In order to draw up the previous ideas, we want to model the accessibility in Dynamic Intentional Risk analysis as the frequency of each node in the list of a uniform biased random walker with spectral jumps whose transition matrix P has the following form P = pN + (1 − p)T,

(3.12)

where N = (nij ) is the matrix (which models the navigation through the edges of the network) given by nij = f (i, j)aij , where 1. A = (aij ) is the adjacency matrix of the network of connections (including the licit and authorized connections and the potential connections due to the existence of vulnerabilities and the affinity between elements of the network). αij 1 2. f (i, j) = , where d(j, B) Ci  α , if i −→ j is an existing connection, (a) αij = β , if i −→ j is a potential connection (β < α ). (b) d(j, B) is the Hausdorff distance from node j to the set B of vaults of the network, i.e., d(j, B) = min {d(j, b); b ∈ B is a vault of B} ,

(3.13)

where the distance d(k, b) between two nodes of the network is the lowest possible number of edges which we must travel to go from node k to node b.

3.3 Applications to Intentional Risk Analysis

51

Fig. 3.4 The Accessibility in Dynamic Intentional Risk as a random walker in a three-layered multiplex network

(c) Ci =

n

αik

∑ aik d(k, B) .

k=1

The matrix T corresponding to the spectral jump is built following the same guidelines established in Sect. 3.3.1 for the selection of the personalization vector or the personalization matrix. An alternative for the construction of the coefficient f (i, j) would have in account that the potential benefit for the attacker would be proportional to the potential value for the attacker (instead of the proximity to the vaults). In that case f (i, j) should be proportional to the value V(j) of the node j. In order to finish this section, it is interesting to consider that the accessibility in Dynamic Intentional Risk may be also modelled by using a biased random walker without spectral jumps in a three-layered multiplex networks. Inspired by the proposal models in [117] and the results obtained in [51, 112], the multiplex network would be composed by three layers, as it is illustrated in Fig. 3.4: 1. One layer G1 corresponding to the spectral jumps. This layer would be interpreted as a layer of ending and starting connections 2. One layer G2 corresponding to the existing connections registered by the sniffing. In this layer would appear the licit connections offered by the system. 3. A third layer G3 corresponding to the potential connections due to the existence of both vulnerabilities or affinities between elements. The cost of moving in this layer would be greater than the cost of moving in the previous two layers.

Chapter 4

The Role of Accessibility in the Static and Dynamic Risk Computation

Abstract This chapter is devoted to the description and computation of the Accessibility in Static and Dynamic Risk. As we will see, this parameter is essential for the computation of both types of intentional risks.

4.1 Introduction: Edge’s Accessibility and PageRank As we have explained, the estimation of Intentional Risk (both Static and Dynamic Risks) is based on the computation of three basic variables for each element of the network: anonymity, accessibility and value. In order to compute these variables we use different algorithms, some of them compute these variables for the nodes of the network and some others are employed to calculate these variables for the edges of the network. For example, the anonymity is computed for each edge of the intentionality network, whilst the value (computed by using the algorithm MaxPath, see [97]) and the accessibility are computed for each node. One of the problems we have tackled consists on to know how to export the obtained values of these variables for the nodes (as the accessibility and the value ) to the corresponding values for the edges of the intentionality network and vice versa. A particular case of this problem is related to the accessibility. According to our mathematical model, this parameter must be computed by using the PageRank algorithm on the complex network of intentionality, in such a way that the accessibility of each node i of that network is the PageRank PR(i) of that node. If we want to export the concept of accessibility from nodes to edges in such a way we can define the accessibility of each edge (i, j), we may consider the accessibility of (i, j) as the accessibility of the destination node, i.e., PR(j). By doing this the accessibility of each edge would be the frequency we pass through the destination node, and not the frequency we pass through that edge. This is not a good option if we consider the network of Fig. 4.1. In this case two edges have node 2 as destination: one of them from node 1 and another from node 4. Let us suppose that the rest of the network (possibly with several hundreds of nodes) is connected with the node 4. If we export the concept of accessibility from nodes to edges as has been previously explained, the edges (1, 2) and (4, 2) would have the same accessibility (corresponding to the accessibility of the node 2), while the edge’s frequency of (4, 2) is much greater than the edge’s frequency of (1, 2). © The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_4

53

54

4 The Role of Accessibility in the Static and Dynamic Risk Computation

Fig. 4.1 The edge (1, 2) is less accessible than the edge (4, 2)

We can consider similar examples showing we can not export the accessibility from nodes to edges when we understand the concept of accessibility of an edge (i, j) as the centrality of the outcome nodej, so it is needed to use a new way to compute the accessibility of each edge. The basic idea consists of introducing a new definition of accessibility for each edge in an appropriate way. The underlying heuristics behind the concept of accessibility of each element of the intentionality network is the frequency with which that element is used, so it is natural to define the accessibility of an edge (i, j) as the frequency we pass through (i, j) when any type of random walker is walking through the network, and this may be understood as the PageRank of (i, j). This bring us to a more interesting and general problem in the context of complex networks theory:

Problem. Given a complex network G = (X, E), how can we define the PageRank of each edge of G?

We have explored two possible solutions for this problem, by using two different points of view: 1. By computing the PageRank of each edge from the PageRank of its nodes. This approach follows the previous philosophy consisting in exporting the values of the parameters from nodes to edges, although it is needed to find a formula to give us for the real access frequency of each edge. 2. By computing the PageRank (as usual) in a new auxiliar network in which each edge of the original network be a node of the new auxiliar network. This idea leads us to the concept of line-graph of a network, in which each edge of the original network is a node in the associated line-graph, and we put an edge between two nodes of the line-graph if the corresponding edges share a node in the original network. The study of line-graph properties and its relation to the original network has been considered by the scientific community throughout these years (see, for example, [36, 37]) and it has several applications to different fields as urbanism [44, 45], and many others (see [22]). The development of this new approach intends to obtain new results in two different directions: On one

4.2 Mathematical Formulation and Notation

55

hand it should introduce the concept of directed and weighted line-graph and, on the other hand, it should analyze the uses of random walkers and Pagerank algorithm in line-graph, being both problems of high interest for the complex network scientific community. In the following sections, after the introduction of the notation we will use and the basic mathematical models (Sect. 4.2), we will see how to compute the PageRank of each edge from the PageRank of its nodes (Sect. 4.3), how to compute it by using the line-graph (Sect. 4.4) and the relationship between these two approaches. Finally, we establish a result that connects both approaches (Sect. 4.5).

4.2 Mathematical Formulation and Notation Through this section, as usual, we consider a directed network G = (X, E) , where X = {1, . . . , n} and E ⊆ X × X is the set of edges, in this case, ordered pairs as (i, j) ∈ E where i, j ∈ X. In the following sections of this chapter, we will consider a directed and weighted network G = (X, E) joint to a function w : E −→ [0, +∞)in such a way that for each edge (i, j) ∈ E, the coefficient w(i, j) is called weight of (i, j) ∈ E. If we have a directed network G = (X, E) and this network does not have an associated weight-function, then we will say that G is a non weighted network. Given a directed and weighted network G = (X, E) such that for each (i, j) ∈ E its weight is given by w(i, j) , the (weighted) adjacency matrix of G is the matrix A(G) = A = (aij ) ∈ Mn×n given by  aij =

w(i, j), if there exists an edge (i, j) ∈ E, 0, otherwise.

(4.1)

If G = (X, E) is a non-weighted directed graph, its adjacency matrix is the matrix A(G) = A = (aij ) ∈ Mn×n given by  aij =

1, if there exists an edge (i, j) ∈ E, 0, otherwise,

(4.2)

i.e., we interpret each directed non-weighted network as a directed weighted network, by considering, for each (i, j) ∈ E, w(i, j) = 1. A more detailed explanation about this notation for directed and non-directed networks (weighted or nonweighted networks) may be found in [22]. One of the main tools in our model is the PageRank algorithm, one of the cornerstones employed by the Google search engine to order the webpages. We wish to note that the algorithm we show here is the so called Theoretical PageRank algorithm. This algorithm was originally employed by Brin and Page [27, 108] to develop Google, although currently this web browser employ subtle modifications of this algorithm in ordering the webpages. In fact, the Google

56

4 The Role of Accessibility in the Static and Dynamic Risk Computation

developers periodically introduce different changes in the employed algorithms, in such a way that the PageRank algorithm (appropriately modified) is currently only a part of the employed tools in order to obtain a satisfying arrangement of a search on the Internet As we have said, the underlying idea behind PageRank algorithm is the following:

Random Walker Hypothesis: If we move on the network in a random way, we will pass more often through the more accessible nodes.

In order to mathematically model this idea, we must consider a specific type of Markov chains: the random paths in a network. The idea is essentially as follows: 1. We fix a value q ∈ (0, 1). This value is the probability that a random walker does not change its trajectory jumping to other node of the network not connected with the previous one, instead of moving to a node connected directly by an edge with the current node. This value q is usually called damping factor. Characteristically (in the case of Google) q = 0.85. This jump can be interpreted as the current random walker disappears and a new random walker appears in another place (another node) of the network. In the context of PageRank theory this probability represents the case in which an imaginary surfer who is randomly clicking on links will eventually stop clicking. The probability, at any step, that the person will continue is the damping factor (in our case q). 2. In the initial instant t = 0, a node x0 is randomly-chosen and we will place ourselves on it. 3. If in the previous instant we had chosen a node x, in the next instant we move in a random way to another node of X being an immediate neighbour of x. In other words, if in the instant t we were in the node xt , in the next instant t + 1 we choose a node xt+1 in such a way that the edge xt → xt+1 is an edge of G = (X, E). 4. We repeated the process indefinitely for t = 1, t = 2, . . . 5. In the initial instant t = 0, a node is randomly-chosen and we will place ourselves on it. 6. If in the instant t we are on the node j, in the instant t + 1 we move to a neighbour directly connected by an edge with the previous node with a probability q (having in mind that all the neighbours of the current node have the same probability to be chosen), whilst we jump to another node non directly connected with the current node with a probability (1 − q) (considering, also in this case, that all the nodes has the same probability). In other words, for each 1 ≤ i ≤ n, the probability to go from i to j is pij = q

aij 1−q . + a n ∑k ik

(4.3)

4.2 Mathematical Formulation and Notation

57

7. Therefore for each t > 0 we have a vector pt = (pt (1), . . . , pt (n)), in such a way that each pt (i) give us the probability to be in the node i in the instant t. Hence n

pt (i) = ∑ pt−1 (j)pji .

(4.4)

j=1

If we see this in matrix form, the previous expression tell us that if we consider the vector pt = (pt (1), · · · , pt (n)) ∈ Rn , then we have that 1. pt = pt−1Ψ , where Ψ = (ψij ) is the n × n matrix given by

ψij = q

aij 1−q . + n ∑k aik

(4.5)

2. If we navigate through the network in a random way the frequency with which we pass through each node of the network is given by the vector p ∈ Rn , where p = lim pt = lim p0Ψ t . t→∞

t→∞

(4.6)

The existence of this limit is guaranteed by the fact that the matrix Ψ is positive and therefore, by using the Power Method, for each 0 = p0 ∈ Rn such that p0 ≥ 0 this limit exists and has the same value in all the cases (see, for example, [91]). In fact, this limit corresponds to the unique (except normalizations) positive eigenvector of Ψ (corresponding to the eigenvalue 1, since the sum of each column of the matrix B equals 1 and therefore is a row-stochastic matrix ) [91]. In fact, this vector is the one employed in ordering webpages, following the next definition:

Definition 4.1. If G = (X, E) is a (weighted or non weighted) directed network with n nodes, q ∈ (0, 1) and v = (v1 , dots, vn ) ∈ Rn is such that v ≥ 0 and v1 = 1, then we call PageRank vector of G with damping factor q and personalization vector v to the unique vector PR(G, α , v) = PR ∈ Rn such that (i) PR ≥ 0 and PR1 = 1. (ii) PR is an eigenvector (whose associated eigenvalue is 1) of the matrix Ψ = (ψij ) given by

ψij = q

aij + (1 − q)vi , ∑k aik

(4.7)

i.e., PR · Ψ = PR. For each node i ∈ X = {1, · · · n} the PageRank of the node i is the value PR(G, q, v, i) = PR(i) = PR, ei , i.e., the ith coordinate of the vector PR.

58

4 The Role of Accessibility in the Static and Dynamic Risk Computation

Remark 4.1. Each coordinate PR(i) of the PageRank vector is interpreted as the frequency with which a random walker passes through the node i when it is randomly moving through the network, by taking q (at each step) as the probability to follow the network structure through the edges connected to the current node, and by taking the distribution given by the vector v if it jumps unexpectedly to another node of the network. Remark 4.2. The way to order the nodes of a network G = (X, E) according to the PageRank algorithm will be the following: If we have two nodes i, j ∈ X, if PR(i) > PR(j), then the node i is placed before of node j in the arrangement of the nodes. Remark 4.3. The classic PageRank is obtained by taking the vector v = 1n (1, · · · , 1) in the previous definition. Remark 4.4. In general we must consider random walks with positive jumping factor (i.e. q < 1), since in the opposite case the matrix Ψ would be non negative (instead of positive) and for guaranteeing the Power Method operates correctly it is needed to be sure that the adjacency matrix of G is irreducible and primitive. In practice, due to the structure of the hyperlinks between webpages (almost tree-like structures), most of the real networks failure to satisfy this property (Fig. 4.2). A deeper study can be found in the excellent book [82] and also in [109].

4.3 Edge’s PageRank via Classic PageRank In this section we are going to see how to calculate the frequency with which we pass through the edge(i, j) ∈ E when we navigate in a random way carried out with the help of data supplied by the PageRank of each node. Intuitively, if we have a directed network (weighted or not weighted) G = (X, E), the frequency with which we use each edge (i, j) ∈ E is related to the Fig. 4.2 A typical example of network that is not strongly connected, since it has sink node, so we can not study the PageRank algorithm without random jumps (i.e., by taking q = 1)

4.3 Edge’s PageRank via Classic PageRank

59

PageRank of the nodes i and j. In particular, each time we use the edge (i, j) we also pass through the nodes i and j. In fact, to understand in deep the relationship between PR(i), PR(j) and the frequency of use of each edge (i, j), we have to make out the random walker of PageRank as a random walker in a multiplex network but without random jumps (i.e., always following the structure of the network). Specifically, as a random walker in a two-layered network. As we have explained previously, a multiplex network is a network obtained by overlapping several networks (called layers), in such a way that there is a copy of each node of the network in every layer. To simplify, a multiplex network is like the map of a city in which we have the map of the surface and other maps showing the different points of the city in various heights (in the subsoil, in the level of subway, etc.). An example of two-layered multiplex network is shown in Fig. 4.3. With this model, if we have a (classic) network G = (X, E) and we consider the PageRank of this network with damping factor q and personalization vector v, we can understand it as the frequency in which we pass through the nodes of a twolayered multiplex network built as follows: 1. In the top layer we have the original network G. 2. In the lower layer (we can understand it as the “underworld” ) we have a complete network in which all the nodes are connected between them in such a way that the weight of each edge (i, j) is w(i, j) = vj . This layer is used to model the random jumps made by the walker when its movements does not follow the structure of the network.

Fig. 4.3 A PageRank random walker as a walker without random jumps in a two-layered multiplex network

60

4 The Role of Accessibility in the Static and Dynamic Risk Computation

In this multiplex network we consider the following random walker: 1. In each step, we start by choosing the layer where the random walker is going to make the movement. With probability q we will be in the top layer (i.e., the original structure of the layer G) and with probability 1 − q we will be in the lower layer (underworld ). Now, if we fix a node i ∈ X and PR(i) is the PageRank in the network G, then is immediate that   n n aij PR(i) = ∑ qPR(i) (4.8) + ∑ ((1 − q)vj PR(i)) . ∑k aik j=1 j=1 What is really interesting in this expression is that each summand of the first sum computes the frequency with which we pass through the edge (i, j) in the top layer (the layer corresponding to the structure of G), whilst each summand of the second sum show us the frequency with which we pass through the edge (i, j) considered as an edge of the lower (the underworld ). Therefore, if we want to compute the frequency with which the random walker in the original network G pass through the edge (i, j) ∈ E actually is   aij qPR(i) , (4.9) ∑k aik hence by normalizing in order that the sum of all the frequencies equals to 1, by computing all the edges (i, j) ∈ E only in the top layer, we have the following definition:

Definition 4.2. If G = (X, E) is a (weighted or not weighted) directed network, α ∈ [0, 1] and v ∈ Rn such that v ≥ 0 with v1 = 1, for each (i, j) ∈ E we call PageRank of the edge (i, j) with jumping factor q and personalization vector v to the value PR(G, q, v, (i, j)) = PR(i, j) =

aij PR(i). ∑k aik

(4.10)

Remark 4.5. In view of the previous reasoning, for each (i, j) ∈ E, PR(i, j) is the frequency with which we pass through the edge (i, j) when a random walker is walking through the network G, so this result give us a solution for one of the posed problems. In practice in order to compute the accessibility of each edge (i, j) ∈ G, we compute the classical PageRank of each node and we obtain that the accessibility of that edge is PR(i, j) =

aij PR(i). ∑k aik

(4.11)

4.4 Edge’s PageRank Through Line Graph

61

4.4 Edge’s PageRank Through Line Graph In this section we use a different approach to compute the accessibility of each edge in a network G = (X, E). Instead of looking for a relationship between the frequency of access to an edge (i, j) ∈ E and the PageRank of its (income and outcome) nodes (in particular a relationship to the PageRank of i), we define a new auxiliary network in which the nodes are the edges of the original network: The line-graph L(G) of a directed network. This mathematical concept has been widely studied in scientific literature [36, 37] and it is a very useful concept in different contexts (see, for example, [36, 44, 45, 57]). To employ this mathematical tool, we must just carry out one theoretical step that has not yet been developed in depth by the scientific community: The definition of the corresponding line-graph of a directed and weighted network G = (X, E). There are some alternatives in the literature employed for calculating the communities in a network [57, 58], although this approach is not appropriate for the problem we are studying. The option we have chosen in order to extend the line-graph concept to weighted networks is the following: If the weight of each edge is related to the frequency of use of that edge (this idea is inspired by the concept of accessibility in intentional complex networks) and by the fact that each edge of L(G) is identified with a path of length equals 2 in the original network G, then the weight of each edge [(i, j), (j, k)] of L(G) (where (i, j), (j, k) ∈ E) will be related to the frequency of use of the path (i, j) → (j, k), i.e., it will be related to the product of the frequencies of use of the edges (i, j) and (j, k). Following this idea we can give the following definition: Definition 4.3. If G = (X, E) is a directed and weighted network, we call ˜ where directed and weighted line-graph of G to the network L(G) = (E, E), E˜ = {((i, j), (j, k)) ; (i, j), (j, k) ∈ E}

(4.12)

and the weight for each edge ((i, j), (j, k)) ∈ E˜ of L(G) is given by the weighting function w ˜ : E˜ −→ [0, +∞) whose expression is w ˜ ((i, j), (j, k)) = aij ajk .

(4.13)

Remark 4.6. If G = (X, E) is a directed and non-weighted network, the concept of line-graph L(G) as weighted network (with all the weights equal to 1) coincides with the classical concept we can find, for example, in [37], about a directed nonweighted line-graph. Hence the previous definition is an extension of the concept of directed line-graph to the family of weighted networks.

62

4 The Role of Accessibility in the Static and Dynamic Risk Computation

Now we have defined the concept of line-graph L(G) of a directed and weighted network G, the concept of PageRank in L(G) arises in a natural way and makes perfect sense to the frequency with we pass through an edge when we are studying the walk of a random walker on a network, as is shown by the following definition: Definition 4.4. If G = (X, E) is a directed and weighted network with n nodes and m edges, q ∈ (0, 1) and w = (w1 , . . . , wn ) ∈ Rm such that w ≥ 0 y w1 = 1, then we call PageRank vector of the directed and weighted line-graph L(G) with jumping factor (also called damping factor) q and personalization vector w to the unique LPR(G, α , w) = PR ∈ Rw such that (i) LPR ≥ 0 and LPR1 = 1. (ii) PR is an eigenvector (associated to the eigenvalue 1) of the matrix Ψ = (ψij ) given by

ψij = q

bij + (1 − q)wi , ∑k bik

(4.14)

where B = (bij ) is the adjacency matrix of L(G), i.e., LPR · Ψ = LPR. For each node (i, j) ∈ E the PageRank of the edge (i, j) is the value LPR(G, q, w, (i, j)) = LPR(i, j) = LPR, e(i,j) , i.e., it is the (i, j)th coordinate of the vector LPR.

4.5 Classic PageRank vs Line-Graph’s PageRank In this section we show the relationship between the two values obtained for the same edge (i, j) ∈ E in the two previous sections, i.e., we give a solution for the following problem: Problem. If G = (X, E) is a weighted and directed network with n nodes and m edges, q ∈ (0, 1), v ∈ Rn , w ∈ Rm are personalization vectors and we choose (i, j) ∈ E, what is the relationship between PR(G, q, v, (i, j)) and LPR(G, q, w, (i, j))?

4.5 Classic PageRank vs Line-Graph’s PageRank

63

The answer to this problem is given by the following theorem: Theorem 4.1. If G = (X, E) is a weighted and directed network with n nodes and m edges and q ∈ (0, 1), then we have: (i) If v ∈ Rn is a personalization vector, then PR(G, q, v, (i, j)) = LPR(G, q, w, ˜ (i, j)),

(4.15)

where w˜ ∈ Rm is the personalization vector given by w(i, ˜ j) = vi

aij . ∑k aik

(4.16)

(ii) If w ∈ Rm is a personalization vector, then PR(G, q, v, ˜ (i, j)) = LPR(G, qw, (i, j)),

(4.17)

where v˜ ∈ Rn is the personalization vector given by v(i) ˜ = ∑ w(k,i) .

(4.18)

k

Remark 4.7. Last theorem shows that the two approaches studied in the two previous sections are essentially equivalent. Moreover, the point (i) allows to compute the accessibility in L(G) (i.e., the edges’ accessibility) from the accessibility in G (from the nodes’ accessibility) and the point (ii) allows to compute the accessibility in G (i.e., the nodes’ accessibility) from the accessibility in L(G) (i.e., from the edges’ accessibility).

Chapter 5

Mathematical Model I: Static Intentional Risk

Abstract As we have presented in Chap. 1, two different types of risk related to Intentional Risk are identified: The Static Risk and the Dynamic Risk. Roughly speaking, we can summarize their differences as follows: • Static Risk: It is opportunistic risk. Its main feature is that this risk follows authorized paths. A clear example of this type of risk is when employees or contractors take data they have authorized access to and use it for personal gain. • Dynamic Risk: It is the type of directed intentional risk. It can be identified because of its tendency to follow unauthorized paths. The paradigm for this system is represented by the use of a vulnerability in the system to gain technical or administrative accesses. In other words, Dynamic Risk is directly linked to the use of potentially existing paths (but not authorized) in the network. An example of dynamic risk would be an intrusion to a network by external hackers. The difference between the two types of risk is SUBSTANTIAL since in the dynamic risk the attacker is ready to MANIPULATE and MODIFY the system and the paths to ACCESS the intended content/part. On the other hand, the static risk is opportunistic and it only uses the authorized paths. The model introduced in this chapter joins together all the research on intentional attack risk modelled from complex networks concepts and it is based on the information accessibility of each element, on its value and on the anonymity level of the attacker. The proposed model of Static Intentional Risk uses an adapted complex network that allows modeling the risk in complex digital environments such as big corporate networks.

5.1 Intentionality Complex Network for Static Risk In this section, the main definitions related to Static Risk are established and the construction procedure of the collapsed complex network corresponding to Static Risk and the assignation of attributes (anonymity, value, accessibility) to its nodes and edges. Some previous results about these ideas developed by the authors can be found in [96]. In the model we are presenting a complex network is used to represent the system, where the nodes are the different components of the system while the edges represent links between them. The attacker surfs on the complex network in order to © The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_5

65

66

5 Mathematical Model I: Static Intentional Risk

get the valuable information contained in the system, but each jump from one node to another has its own cost depending on the characteristics of the target node and the corresponding link. Following the paradigm given by Game Theory, the focus is put on the motivating elements for the attacker. As we have introduced in Chap. 1, they are called anonymity (how easily the identity of the attacker is determined), accessibility (how easily the attack is carried out) and value (how profitable the attack is). In our model, an initial amount of value is supposed to be located at certain nodes of the network, called vaults. It is also assumed that every link in the network has an associated “resistance” capability, which is quantified as a positive real number less or equal than 1. Depending on the scenario, this “resistance” can be thought as a measure of the difficulty for an attacker to get access from one node to another, or also as a representation of the quantity of information located at the end node of the edge that the attacker is able to access from the starting node. In [96] the max-path algorithm is introduced and through this chapter we will see it as an useful tool to estimate how much value is dispersed from the vaults to the rest of the nodes of the network and, therefore, determine which are the most desirable nodes for the attacker.

Definition 5.1. We will call Intentionality complex network for Static Risk to a tuple (G, V, φ , ψ , α , β ), consists of 1. A directed network G = (V, E), where V is the set of nodes and E ⊆ V × V is the set of directed edges. 2. A subset X ⊆ V. The elements of X are the collapsible nodes (i.e., nodes type IP) whilst the elements of Y = V \ X are the non collapsible nodes (i.e., nodes type IP:port). 3. A map φ : E −→ N, so-called connection rate. 4. A map ψ : E −→ [0, 1] ⊆ R, so-called value reduction map. 5. A map α : E −→ N × [0, 1] × (R+ ∪ {0}), so-called edge attributes defined as α = (Anon, Acc, Val), where a. Anon : E −→ N is the edge anonymity. b. Acc : E −→ [0, 1] ⊆ R is the edge accessibility. c. Val : E −→ R+ ∪ {0} is the edge value. 6. A map β : V −→ N × [0, 1] × R, so-called node attributes defined as β = (Anon, Acc, Val), where a. Anon : V −→ N is the node anonymity. b. Acc : V −→ [0, 1] ⊆ R is the node accessibility. c. Val : V −→ R+ ∪ {0} is the node value.

5.1 Intentionality Complex Network for Static Risk

67

Definition 5.2. Let G = (V, E) be a directed networks and v ∈ V. We call successors set of v to the set NG+ (v) = {w ∈ V : (v, w) ∈ E}. In the sequel this set will be denoted as NG+ (v) or simply N + (v) if there exists no possibility of confusion. In the same way, we call predecessors set of v to the set NG− (v) = {w ∈ V : (w, v) ∈ E}. Analogously to the previous case, this set will be denoted as N − (v) if there exists no possibility of confusion.

Remark 5.1. About the Intentionality complex network for Static Risk: 1. The network in the previous definition (together with all of its associated applications) will be the final product of having built the graph from the obtained connections of the real computer network and of having applied several algorithms to make up the different applications in the way we will develop later on. 2. In 2 from the definition a set of nodes is divided into two subsets X and Y. The first one joins together the nodes known as nodes type IP, which will be the origins in outgoing connections while the second includes the IP:port type nodes, that represent the applications or services these connections are directed to. Every node will be labeled with IP or with an IP:PORT pair, or a concatenation of several IPS (when the algorithm of collapse is executed). 3. In point 3 of the previous definition, the application φ represents the number of connections that have been produced within the information system during the studied period of time. We will work with two graphs, one graph with the connections carried out by “average users” and another graph with “technical users” (or “administrators”). This connection rate is the weight of the edges. 4. In point 4 of the previous definition, the application ψ represents how much the value in the destination node of an edge when it has been accessed from the origin node of the edge falls. In other words, which part of value of the destination node is available from the origin node. So, if for an edge e we have ψ (e) = 1, the whole value of the destination node is available from its origin node, if ψ (e) = 0 the available value is 0, and if ψ (e) = 0.25, through this edge a quarter of the value is available. The map value reduction is an edge’s weight. The map ψ takes always the value 1 if we are on the technical users graph.

68

5 Mathematical Model I: Static Intentional Risk

5. The anonymity of points 5 and 6 in the definition takes positive integer values and represents the size of the group of users that could be getting a connection in a way that it is difficult to distinguish which of the users of the is the one who is getting connection. For example, if the anonymity of an edge is 1000 would indicate that there are 1000 different nodes that could have that connection. The node anonymity will make sense for collapsed nodes, although this concept will be defined later on. 6. The accessibility of points 5 and 6 of the definition takes real values in the interval [0, 1] since, as we will develop, will be assigned to the nodes by using the PageRank algorithm, while the edges will inherit the accessibility of the nodes. 7. Value in points 5 and 6 of the definition takes real positive values since it will come from an estimation of the economic value of the contained information in some nodes.

5.2 Collapsed and Nodes and Edges Assignation Algorithms In order to properly define the anonymity, it is needed to consider some basic concepts: Definition 5.3 (Hamming Distance Between Nodes). Let G = (V, E) be a directed network, V = {v1 , . . . , vn }, and A = (A(i, j)) its adjacency matrix. We consider the Hamming distance between the nodes vi and vj as the Hamming distance between the rows i and j of A, i.e.,   d(vi , vj ) = {k ∈ {1, . . . , n} : A(i, k) = A(j, k)}.

(5.1)

Remark 5.2. If d(vi , vj ) = 0 we have that from vi and vj start edges exactly to the same nodes or, what is the same, N + (vi ) = N + (vj ). Proposition 5.1. Given G = (V, E), X ⊆ V and vi , vj ∈ X we will denote vi ∼ vj if d(vi , vj ) = 0. We have that ∼ is an equivalence relation in X.

Proof. An straightforward exercise. Remark 5.3. Given v ∈ X, and the equivalence relation ∼, we will denote by [v]X the equivalence class of v in X, i.e., [v]X = {v ∈ X : d(v, v ) = 0}.

(5.2)

5.2 Collapsed and Nodes and Edges Assignation Algorithms

69

5.2.1 0-Collapsed Algorithm and Anonymity Assignation Input: A directed network G = (V, E) A set of type IP nodes X ⊆ V A connection rate map φ : E −→ N We assume that all the edges have its origin in a node of X and its end in a node of V \ X or viceversa. Particularly, we assume that do not exist loops (selfconnections). • In fact, by construction, our network will have the features described below.

• • • •

– Every edge has its origin in a node of X and its end in a node of V \ X or viceversa. – From each node of w ∈ Y starts exactly an edge (w, v). If w has the label IPi : pj , then v will have the label IPi . – For each node w ∈ Y we have that the sum of the input frequencies equals the sum of the output frequencies, i.e., 

∑

−

φ ((v , w)) = φ (w, v),

(5.3)

v ∈ N (w) where v is the only successor of w. Output: • • • • •

A directed network G = (V  , E ) A subset X  ⊆ V  A connection rate map φ  : E −→ N An edge anonymity map Anon : E −→ N A node anonymity map Anon : V  −→ N

Step 1

(node collapse in X): We consider as the new set of nodes of IP type X  = {[v]X : v ∈ X},

(5.4)

where [v]X = {v ∈ X : d(v, v ) = 0}. If the nodes of the class [v]X had the labels lb1 , . . . , lbm the new node [v]X will have the label (lb1 , . . . , lbm ). Step 2 (new set Y  ): We keep as the set of IP:port type the same we used to have (the IP:port nodes can not be collapsed). Y  = Y = V \ X. Step 3

(5.5)

(new set V  ): We define as the new whole set of nodes V  = X ∪ Y .

(5.6)

70

5 Mathematical Model I: Static Intentional Risk

Step 4

(Definition of E and φ  ): We start with E = ∅.

1. In the first place, we define the edges whose origin are in X  . For each new node [v]X we consider the set of nodes of G that are successors of v NG+ (v) = {w ∈ V : (v, w) ∈ E} ⊆ Y.

(5.7)

Then, for each w ∈ NG+ (v) we add the edge ([v]X , w) to the set E . Now we define the connection rate for the new edge as the sum of the connection rates of all the edges which outcomes from nodes of [v]X and have its end in w

φ  (([v]X , w)) =



∑

φ ((v , w)).

(5.8)

v ∈ [v]X 2. Now we define the edges which outcome from nodes of Y  . For each node w ∈ Y we consider v ∈ X the only successor of w in G. Then, we add the edge (w, [v]X ) to the set E . At this point we define the connection rate of the new edge as the connection rate of the edge (w, v), i.e.,

φ  ((w, [v]X )) = φ ((w, v)). Step 5

(5.9)

(Anon and Anon definitions):

1. We define, for every edge whose origin belongs to X  (i.e., an edge of ([v]X , w) type), its anonymity as the number of nodes that are collapsed into the equivalence class [v]X , i.e.,     Anon(([v]X , w)) = [v]X  = {v ∈ X : d(v, v ) = 0}.

(5.10)

2. All the edges whose origin belongs to Y  , i.e., the edges of (w, [v]X ) type, have anonymity equals 1: Anon((w, [v]X )) = 1.

(5.11)

3. A node inherits its anonymity from any edge who has that node as origin. In other words, if u ∈ V  , we define Anon(u) = Anon((u, u )),

(5.12)

where (u, u ) is any edge who has the node u as its origin. It is remarkable that the definition is not ambiguous since, by construction, all the edges which have a node belonging to V  have the same value of anonymity. Remark 5.4. With this construction the terminal nodes do not have any value of anonymity. On this basis it is natural to assign them the anonymity 1.

5.2 Collapsed and Nodes and Edges Assignation Algorithms

71

Remark 5.5. About the collapsed algorithm and the anonymity assignment: 1. The name 0-collapsed has been put trying to leave open the possibility of collapsing nodes whose Hamming distance be greater than 0 and so on we can talk about 1-collapsed, 2-collapsed, etc. 2. We have constructed the set of nodes of the collapsed network through the steps 1, 2 and 3. Our idea is to keep the nodes of IP:port as they were from the beginning and collapse them into a single node for all the nodes of IP type whose Hamming distance between them is equal to 0. 3. In step 4 we add edges and connection rates to the collapsed network. So, if several nodes of IP type are collapsed to a single node, from this new collapsed node arise the edges corresponding to all the destinations of the original nodes (have in mind that all these nodes are the same for all the original nodes, since that the Hamming distance between them equals 0). The new connection rate for each edge is the sum of the connection rates of all the edges which outcomes from the original nodes and had the same destination. 4. In step 4.2 we have in mind that each node belonging to Y has only a successor belonging to G. If we wanted to apply the collapsed algorithm to a network which did not fulfill this condition, we would substitute the step 4.2 by the following: We define the edges which outcome from nodes of Y  . For every node w ∈ Y  we consider the set of successors of w in G NG+ (w) = {[v]X ∈ G : (w, v) ∈ E} ⊆ X  .

(5.13)

Then, for each collapsed node [v]X ∈ NG+ (w) we add the edge (w, [v]X ) to the set E . Now we define the connection rate for the new edge as the sum of the connection rates of all the edges which outcomes from w and has a node of [v]X as its destination:

φ  ((w, [v]X )) = v

∑

φ ((w, v )).

(5.14)

∈ [v]X (w, v ) ∈ E 5. In step 5 we define the anonymity of each edge. The anonymity of an edge which comes from a collapsed node is the number of original nodes which “compose” the collapsed node. The anonymity of an edge emerging from a node of IP:port type is equal to 1. The anonymity of each node is the anonymity of every edge which emerges from that node. Definition 5.4 (Value Reduction Matrix ). Let G = (V, E) be a directed network, V = {v1 , . . . , vn }, and a value reduction map ψ : E −→ [0, 1] ⊆ R. We will call value reduction matrix of G to the n × n matrix B defined by (continued)

72

5 Mathematical Model I: Static Intentional Risk

Definition 5.4 (continued) B(i, j) =

 ψ ((vi , vj )) if (vi , vj ) ∈ E /E 0 if (vi , vj ) ∈

(5.15)

Remark 5.6. Intuitively, the map ψ assigns to each edge the proportional reduction of value which is lost when the information traverses that edge. Remark 5.7. If x ∈ Rn we denote by x[j] the jth coordinate of x.

5.2.2 “Max-Path” Algorithm Input: • • • • •

A directed network G = (V, E), where V = {v1 , . . . , vn }. An information loss map ψ : E −→ (0, 1] ⊆ R. An initial node vi ∈ V. An initial information amount M ∈ R+ . A stop condition and/or a maximum number Max of iterations. Output:

• A map Vali : V −→ R of the value of each node vj . Step 1 (initial vectors): We consider an initial vector x0 ∈ Rn with value M only in the position that corresponds to the node vi , that is  x0 [j] =

M if j = i 0 if j = i.

(5.16)

We define as well y0 = x0 . Step 2 (k-iteration): Given the vectors xk−1 , yk−1 ∈ Rn we build the vectors xk , yk as follows: 1. Given the vector yk−1 , we decompose it as a sum of vectors that have a single coordinate different from zero: yk−1 =

∑

yk−1 [] = 0

yk−1 [] · e =

∑

yk−1 [] = 0

()

uk−1 ,

(5.17)

where e is the th vector of the canonical basis. 2. We multiply each of those vectors by the matrix BT : ()

()

uk = BT · uk−1 .

(5.18)

5.2 Collapsed and Nodes and Edges Assignation Algorithms

73

3. We settle yk as the maximum, coordinate by coordinate, of the results: ()

yk [j] = max{uk [j]}, 

(5.19)

for each j = 1, . . . , n. 4. In order to build xk , we take maxima in every coordinate: xk [j] = max{xk−1 [j], yk [j]},

(5.20)

for each j = 1, . . . , n. Step 3 (output building): When the maximum number of iterations Max is reached, or the stop condition is fulfilled, no more iterations will be carried out. We denote by xK the last obtained vector. We set Vali (vj ) = xK [j],

(5.21)

for every j = 1, . . . , n. Remark 5.8 (Stop Condition). A naive stop condition for the “max-path” algorithm is related to the diameter of the network from the sources of value (vaults), since the diffusion process is based on the propagation of the value along paths from the vaults (following the “reverse sense” of the edges) and having in mind that the system is finite and the diffusion process is bounded and cumulative. So, the algorithm finishes in a finite number of steps. A more tighter stop condition proposed for the algorithm, as it is shown in [96], is the following: “when xk−1 = xk , stop the algorithm” We emphasize that the algorithm does not need to explicitly compute all these paths in order to get the desired output.

5.2.3 Value Assignment Algorithm Input: • • • • •

A directed network G = (V, E), where V = {v1 , . . . , vn }. A reduction value map ψ : E −→ [0, 1] ⊆ R. A subset of initial value nodes (vaults) {vi1 , . . . , vil }. A set of values associated with that nodes {Mi1 , . . . , Mil } A stop condition and/or a maximum number Max of iterations for the algorithm in Sect. 5.2.2 (“max-path”).

74

5 Mathematical Model I: Static Intentional Risk

Output: • An edges value map Val : E −→ R • A nodes value map Val : V −→ R Step 1 (Value dispersion from each vault): For each pair (vij , Mij ), we execute the algorithm in Sect. 5.2.2 (“max-path”) with the corresponding inputs, thus obtaining the dispersed value map Valvij from the node vij . Step 2 (definition of Val): For each v ∈ V we define l

Val(v) = ∑ Valvij (v),

(5.22)

j=1

i.e., we add the dispersed values associated to each one of the vaults. Step 3 (definition of Val): For each edge (v, w) ∈ E, we define Val((v, w)) = Val(w) · ψ ((v, w)),

(5.23)

i.e., the value of the destination node multiplied by the value reduction of the corresponding edge.

5.2.4 Accessibility Assignment Algorithm Input: • A directed network G = (V, E). • A connection rate map φ : E −→ N. • A damping factor d for the PageRank algorithm. Output: • An accessibility of edges map Acc : E −→ [0, 1] • An accessibility of nodes map Acc : V −→ [0, 1] Step 1 (Construction of the weight of edges matrix W): We define a matrix W in which its entries (edges weights) are given by the connection frequencies, i.e.,  φ ((vi , vj )) si (vi , vj ) ∈ E W(i, j) = /E 0 si (vi , vj ) ∈

(5.24)

Step 2 (definition of Acc): We execute the PageRank algorithm in the weighted network G, where each edge has the weight given by the matrix W, and with damping factor d. For each node v ∈ V we define Acc(v) as the value given by the PageRank algorithm to the node v.

5.3 Static Risk Networks Construction from the Data

75

Step 3 (definition of Acc): For each edge (vi , vj ) ∈ E, following the definition of edge’s accessibility given by Eq. (4.11) in Sect. 4.3, we define Acc((vi , vj )) =

aij Acc(vi ), ∑k aik

(5.25)

where Acc(vi ) = PR(i), i.e., the PageRank of the outcome node. As an alternative definition for Acc((vi , vj )) we can use the expression Acc((vi , vj )) = LPR(G, q, w, (vi , vj )) = LPR(vi , vj ),

(5.26)

(i.e., the (i, j)th coordinate of the vector LPR) given in Definition 4.4 within Sect. 4.4 since, as it has been proven in Theorem 4.1 within Sect. 4.5, both approaches are essentially equivalent.

5.3 Static Risk Networks Construction from the Data Remark 5.9 (Network Construction and Its Connection Rates). Input: • A list of connections with the following format: (IPi1 , IPj1 : pk1 , f1 ) (IPi2 , IPj2 : pk1 , f2 ) ... (IPiN , IPjN : pkN , fN )

(5.27)

where the first component is the Source IP, the second is the pair IP:port (destination port) and the third is the number of connections between them during the established period of time fixed for the data capture. We suppose that there is no duplicated information, i.e., that a connection in the list of connections do not appear more than once from one origin towards the a destination but, if so, they are aggregate. Output: • A directed network G = (V, E). • A set of collapsable nodes X ⊆ V. • A connection rates map φ : E −→ N. Step 1 (Definition of X): We start with X = ∅. For each different origin IPi we have in the list of data, we add a node to X with the label IPi . Additionally, for each destination IPj : pk we have in the list of data, we add a node with the label IPj to X (if you haven’t already done so).

76

5 Mathematical Model I: Static Intentional Risk

Step 2 (Definition of Y): We start with Y = ∅. For each different destination IPj : pk we find in the data list, we add a node with the label IPj : pk to Y. Step 3 (Definition of V): The set of nodes of the network is V = X ∪ Y. Step 4 (Definition of the “real” edges and its connection rates): Firstly we consider the set E1 = ∅. For each list of three elements of the connections list (IPi , IPj : pk , f ), we add an edge e = (v, w) to E1 where v ∈ X is the node labelled with IPi and w ∈ Y is the node labelled with IPj : pk . We define the new edge connection rate as φ (e) = f . Step 5 (Definition of the “synthetic” edges and its connection rates): Initially we consider the set E2 = ∅. For each node w ∈ Y, labelled with IPj : pk , we choose the node v ∈ X with the label IPj . We add the edge e = (w, v) to E2 and we define its connection rate as

φ (e) =

∑

v ∈Ng− (w)

φ ((v , w)).

(5.28)

Step 6 (Definition of E): We consider the set of edges as the union of the two previous sets of edges (“real” and “synthetic’): E = E1 ∪ E2 . Remark 5.10. This division in several steps is a conceptual framework. Possibly the more efficient way to implement be scrolling the connection lists, by adding the new nodes, add the corresponding edge to the “real” connection with its corresponding frequency f and finally add the associated “synthetic” edge with the same frequency if that edge not been added previously; if, on the contrary, we had already added that edge previously to the network, we would add the frequency f to the current frequency of that edge. Now we will describe the construction of two intentionality complex networks for Static Risk, the users intentionality network and the administrators intentionality network. Both constructions follow the scheme given in Fig. 5.1.

5.3.1 Intentionality Network of Users Input: • A list of user connections in the same format as in the construction in Remark 5.9: (IPi1 , IPj1 : pk1 , f1 ) (IPi2 , IPj2 : pk2 , f2 ) ... (IPiN , IPjN : pkN , fN )

(5.29)

5.3 Static Risk Networks Construction from the Data

77

Fig. 5.1 Static Risk Network construction

• A list of initial value nodes (vaults) with its corresponding initial values: (IPl1 , M1 ) (IPl2 , M2 ) ... (IPlL , ML ) (IPm1 : pn1 , ML+1 ) (IPm2 : pn2 , ML+2 ) ... (IPmL : pnL , ML+L )

(5.30)

Output: • An intentionality network for Static Risk of users (G1 , X1 , φ1 , ψ1 , α1 , β1 ). Step 1 (network construction and frequencies): By using the list of connections as input, we consider the construction in Remark 5.9 in order to get a network G = (V, E), a collapsable set of nodes X ⊆ V and a connection rate map φ : E −→ N. Step 2 (Collapsed and anonymity): By using as input G, X and φ , we execute the algorithm in Sect. 5.2.1 (0-collapsed and anonymity assignment) in order to obtain a network G1 = (V1 , E1 ), a set of collapsible nodes X1 , a connection rate map φ1 : E1 −→ N and two anonymity maps Anon : E1 −→ N and Anon : V1 −→ N.

78

Step 3

5 Mathematical Model I: Static Intentional Risk

(value reduction): We define the reduction map ψ1 : E1 −→ [0, 1] as  −1 ψ1 (e) = Anon(e) .

(5.31)

Step 4 (valor): By taking as input the list of vaults together with its initial values, we build a list of vaults {vh1 , . . . , vhN } in V1 together with its corresponding initial values {Mh1 , . . . , MhN }. Then, by using as input this last two list, the network G1 , the map ψ1 and a stop condition for the (“max-path”) algorithm in Sect. 5.2.2, we execute the value assignment algorithm in Sect. 5.2.3 in order to get the value maps Val : E1 −→ R and Val : V1 −→ R. Step 5 (accessibility): By taking as input the network G1 and the damping factor d = 0.15, we execute the algorithm in Sect. 5.2.4 (accessibility assignment) in order to obtain the accessibility maps Acc : E1 −→ [0, 1] y Acc : V1 −→ [0, 1]. Step 6 (Edge’s and node’s attributes): We define the maps α1 and β1 as

α1 = (Anon, Acc, Val)

(5.32)

β1 = (Anon, Acc, Val)

(5.33)

5.3.2 Intentionality Network of Administrators It is completely analogous to the construction in Sect. 5.3.1 on the following understandings: • The list of administrators connection frequencies is used instead of the corresponding list of users. • As all the mathematical objects that compose the administrators network may be different to the corresponding objects that compose the users networks, we denote the output as (G2 , X2 , φ2 , ψ2 , α2 , β2 ) • In the Step 3 we define the value reduction as ψ2 (e) = 1 for every edge e ∈ E2 . • In the Step 5 we use the damping factor d = 0.25.

5.4 Static Risk Intentionality Network Construction Method: An Example In the following example, carefully selected in such a way it contains all the possible singularities we have in mind, we informally describe the construction method of the collapsed intentionality network corresponding to Static Risk and the assignment of attributes (anonymity, value, accessibility) to its edges and nodes. Additionally a small size example (with 18 nodes) is developed to illustrate the construction. In the example we have included a connection (the last one which appears in the table of connection catches) in such a way there exists a cycle in the

5.4 Static Risk Intentionality Network Construction Method: An Example

79

network. This has been done to illustrate the different situations which may arise. In any case, it could be that the real networks do not present any cycle within its topological structure, but the handling of them would be analogous, the cycles do not complicate the model. In the example we will suppose that all the connections are user connections. In all the points concerned with the administrator network which have a different treatment, it is outlined what is that difference in treatment.

5.4.1 Construction Scheme Step 1:

Network construction from the table of connection catches.

• Input: – Table of connection catches together with its frequencies. • Output: – Description of the Static Risk network by means of: · The adjacency matrix A. · The weighted matrix of connections frequencies W. Step 2:

Collapsed and anonymity assignment (for the collapsed network).

• Input: – The network description which appears as output in the step 1. • Output: – Description of the collapsed network by means of: · The adjacency matrix A . · The weighted matrix of connections frequencies W  . – Collapsed network node’s anonymity. – Collapsed network edge’s anonymity. Step 3:

Value assignment (in the collapsed network).

• Input: – The collapsed network description which appears as output in the step 2. – A list of nodes of IP:port type with initial value (the vaults) together with a numerical estimation of their values. • Output: – Nodes’ value of the collapsed network. – Edges’ value of the collapsed network.

80

5 Mathematical Model I: Static Intentional Risk

Step 4:

Accessibility assignment (for the collapsed network).

• Input: – The collapsed network description which appears as output in the step 2. – The damping factor we will use for the PageRank algorithm. • Output: – Node’s accessibility of the collapsed network. – Edge’s accessibility of the collapsed network.

5.4.2 Description of the Method and an Example Step 1:

Network construction from the table of connection catches.

• From the table of connection catches we build the set of network’s nodes, its adjacency matrix A and its weighted matrix of connections frequencies W. The table of connection catches will not have repetitions, i.e., there will not appear a pair (Source IP, IP:port—destination) which appears twice in different rows. We illustrate this situation with an example. Let’s suppose we have the following table of connection catches: • We build the set X of collapsable nodes by adding a node for each Source IP from the first column. We build the set Y of non-collapsable nodes of vertices by adding a node for each IP:port (destination) from the second column. The node’s set of the network is the union of both sets, V = X ∪ Y. • We build the adjacency matrix A and the weighted matrix of connections frequencies. These matrices have the information about the specific edges of the network and the connection frequency of each edge. In order to do that we initialize: – We put 0 in all the entries of W. – We check the table of connection catches row by row. When we find the entry (IPi , IPj : pk , f ) we modify the matrix W as follows: · We link the node IPi to the node IPj : pk through an edge with weight f in the matrix W, i.e., W[IPi , IPj : pk ] = f .

(5.34)

· Hereafter we check if the node IPj belongs to the set X. Then: · If the answer is “no”, we do not have anything to do. · f the answer is “yes”, we add a “synthetic” edge with weight f from the node IPj : pk to the node IPj . If that edge already exists, we add the weight f to its current weight, i.e.,

5.4 Static Risk Intentionality Network Construction Method: An Example

X x1 IP1

x2 IP2

Y y1 IP5:p1

Source IP IP1 IP1 IP1 IP2 IP2 IP2 IP3 IP3 IP4 IP4 IP5 IP5 IP6 IP6 IP8 IP8 IP9 IP9 IP10 IP10 IP11 IP13

IP:port (destination) IP5:p1 IP5:p2 IP6:p3 IP5:p1 IP5:p2 IP6:p3 IP6:p3 IP8:p5 IP7:p4 IP8:p5 IP7:p4 IP8:p5 IP7:p4 IP8:p5 IP12:p6 IP13:p7 IP12:p6 IP13:p7 IP12:p6 IP13:p7 IP13:p7 IP6:p3

x3 IP3

x5 IP5

x4 IP4

y2 IP5:p2

y3 IP6:p3

x6 IP6

y4 IP7:p4

x7 IP8

x8 IP9

y5 IP8:p5

81

Frequency 5 3 4 8 11 4 7 2 7 3 2 10 9 5 3 6 2 8 4 10 5 6

x9 IP10

y6 IP12:p6

x10 IP11

x11 IP13

y7 IP13:p7

W[IPj : pk , IPj ] := W[IPj : pk , IPj ] + f .

(5.35)

– Once built the matrix W we “binarize” it to obtain the matrix A, i.e., A[i, j] =

 1 si W[i, j] > 0 0 si W[i, j] = 0

In our example, the matrices A and W have the following form:

(5.36)

82

5 Mathematical Model I: Static Intentional Risk

1234 5 0000 0 0000 0 0000 0 0000 0 0000 0 0000 0 0000 0 0000 0 W= 0000 0 0000 0 0000 0 0 0 0 0 13 0 0 0 0 14 0000 0 0000 0 0000 0 0000 0 0000 0

X 6 7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 21 0 0 0 0 20 0 0 0 0

89 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

10 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14

X 1 2 3 4 5 6 7 8 9 10 000000000 0 000000000 0 000000000 0 000000000 0 000000000 0 000000000 0 000000000 0 000000000 0 A= 000000000 0 000000000 0 000000000 0 000010000 0 000010000 0 000001000 0 000000000 0 000000100 0 000000000 0 000000000 0

1 5 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Y 2 34 5 3 40 0 11 4 0 0 0 70 2 0 07 3 0 0 2 10 0 09 5 0 00 0 0 00 0 0 00 0 0 00 0 0 60 0 0 00 0 0 00 0 0 00 0 0 00 0 0 00 0 0 00 0 0 00 0

11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1

6 0 0 0 0 0 0 6 8 10 0 0 0 0 0 0 0 0 0

7 0 0 0 0 0 0 3 2 4 5 0 0 0 0 0 0 0 0

Y 1234567 1110000 1110000 0010100 0001100 0001100 0001100 0000011 0000011 0000011 0000001 0010000 0000000 0000000 0000000 0000000 0000000 0000000 0000000

(5.37)

(5.38)

5.4 Static Risk Intentionality Network Construction Method: An Example

83

Fig. 5.2 Graphic representation of the network together its edge’s weights

Hereafter we include a graphic representation of the network together its edge’s weights (Fig. 5.2): Step 2:

Collapsed network and anonymity assignment (in the collapsed network).

• The non-collapsable nodes, i.e., the nodes belonging to the set Y, will remain the same. Their anonymity will be 1. • In order to build the type IP collapsed set of nodes Z, we check the set Y; for each node of Y we add a collapsed node to Z composed by all the predecessors of Y. If that predecessors had the labels IPi1 , IPi2 , . . . , IPin , the new collapsed node will have as label the concatenation of them, in short IPi1,i2,...,in . The new collapsed group will have as much anonymity as nodes as units belongs to that group. • For example, in the network of our example we are using to illustrate the procedure, the node IP6 : p3 has the nodes IP1 , IP2 , IP3 , IP13 as predecessors. We add a new labelled node IP1,2,3,13 to the set Z. The anonymity of this node would be 4. • We add an edge from each new collapsed node to the corresponding type IP:port node. The connection frequency of the new edge will be the addition of the connection frequencies of all the nodes we have collapsed. The anonymity of this new edge will be the anonymity of its starting node.

84

5 Mathematical Model I: Static Intentional Risk

• In our example we add an edge from the node IP1,2,3,13 to the node IP6 : p3 with connection frequency 21 (the addition of the incoming frequencies 4, 4, 7, 6) and anonymity equals 4 (the anonymity of its starting node). • Finally we add edges from IP:port type nodes to the collapsed nodes. If the node has the label IPi : pj we add an edge towards each collapsed node which the node IPi is a part. The connection frequency of that edge will be the connection frequency of the previous edge which has the IP:port node as starting node, and its anonymity will be 1. • In our example, the IP6 node is a part of two different collapsed nodes, the node IP4,5,6 and the node IP3,4,5,6 . Therefore we add edges from the node IP6 : p3 towards these two nodes. The connection frequency of these two edges will be 21 (the same connection frequency of the edge whose starting node was IP6 : p3 and whose ending node was IP6 ) and its anonymity will be 1. • Note: The anonymity of an edge always coincides with the anonymity of its starting node. • Note: The connection frequencies of the incoming edges to a type IP:port node coincide with the connection frequencies of the outcoming edges. • Note: The Hamming distance is not already used in the collapsed algorithm. Now we include a graphic representation of the collapsed network together with the connection frequencies of its edges (Fig. 5.3):

Fig. 5.3 Graphic representation of the collapsed network together with the connection frequencies of its edges

5.4 Static Risk Intentionality Network Construction Method: An Example

85

Fig. 5.4 Graphic representation of the collapsed network together with the value of each edge’s anonymity (next to the arrows) and the values of each node’s anonymity

And a representation of the collapsed network together with the value of each edge’s anonymity (next to the arrows) and the values of each node’s anonymity (in parenthesis, next to the corresponding node) (Fig. 5.4) • This is the collapsed nodes list, each one with its anonymity: Name z1 z2 Z z3 z4 z5 z6

Label Anon. IP1,2 2 IP1,2,3,13 4 IP4,5,6 3 IP3,4,5,6 4 IP8,9,10 3 IP8,9,10,11 4

(5.39)

• Connection rate matrix W  and adjacency matrix A of the collapsed network:

86

5 Mathematical Model I: Static Intentional Risk

1 2 0 0 0 0 0 0 0 0 0 0 W = 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 14

3 0 0 0 0 0 0 13 14 21 0 0 0 0

Z 4 5 0 0 0 0 0 0 0 0 0 0 0 0 13 0 14 0 21 0 0 0 0 20 0 0 0 0

6 0 0 0 0 0 0 0 0 0 0 20 0 0

1 13 0 0 0 0 0 0 0 0 0 0 0 0

2 14 0 0 0 0 0 0 0 0 0 0 0 0

Z 123456 000000 000000 000000 000000 000000 A = 0 0 0 0 0 0 001100 001100 001100 000000 000011 000000 010000 Step 3:

3 0 21 0 0 0 0 0 0 0 0 0 0 0

Y 4 0 0 18 0 0 0 0 0 0 0 0 0 0

5 0 0 0 20 0 0 0 0 0 0 0 0 0

6 0 0 0 0 24 0 0 0 0 0 0 0 0

Y 1234567 1100000 0010000 0001000 0000100 0000010 0000001 0000000 0000000 0000000 0000000 0000000 0000000 0000000

7 0 0 0 0 0 14 0 0 0 0 0 0 0

(5.40)

(5.41)

Value assignment (in the collapsed network).

• As inputs we have: – The collapsed network together with the anonymity of each edge. – A type IP:port nodes list with initial values (the vaults) together with a numerical estimation of each one of that values. • Note: As the type IP:port nodes do not collapse, it is the same to consider the initial value is located in the nodes of the original network or in the nodes of the collapsed network.

5.4 Static Risk Intentionality Network Construction Method: An Example

87

• In first place we build the value reduction matrix B. In order to do that, in the users network we substitute each entry equals 1 of the adjacency matrix by the inverse value of the anonymity value of the corresponding edge. In the administrators network we simply use the adjacency matrix because there is no a value reduction. • In the example we are working on, the matrix B would be:

1 0 0 0 0 0 B= 0 0 0 0 0 0 0 0

2 0 0 0 0 0 0 0 0 0 0 0 0 1

Z 34 00 00 00 00 00 00 11 11 11 00 00 00 00

5 0 0 0 0 0 0 0 0 0 0 1 0 0

6 0 0 0 0 0 0 0 0 0 0 1 0 0

1 1/2 0 0 0 0 0 0 0 0 0 0 0 0

2 1/2 0 0 0 0 0 0 0 0 0 0 0 0

3 0 1/4 0 0 0 0 0 0 0 0 0 0 0

Y 4 0 0 1/3 0 0 0 0 0 0 0 0 0 0

5 0 0 0 1/4 0 0 0 0 0 0 0 0 0

1 0 0 0 0 0 ≈ 0 0 0 0 0 0 0 0

2 0 0 0 0 0 0 0 0 0 0 0 0 1

Z 34 00 00 00 00 00 00 11 11 11 00 00 00 00

5 0 0 0 0 0 0 0 0 0 0 1 0 0

6 0 0 0 0 0 0 0 0 0 0 1 0 0

1 0.5 0 0 0 0 0 0 0 0 0 0 0 0

2 0.5 0 0 0 0 0 0 0 0 0 0 0 0

3 0 0.25 0 0 0 0 0 0 0 0 0 0 0

Y 4 0 0 0.33 0 0 0 0 0 0 0 0 0 0

5 0 0 0 0.25 0 0 0 0 0 0 0 0 0

6 0 0 0 0 1/3 0 0 0 0 0 0 0 0

7 0 0 0 0 0 1/4 0 0 0 0 0 0 0

6 0 0 0 0 0.33 0 0 0 0 0 0 0 0

7 0 0 0 0 0 0.25 0 0 0 0 0 0 0

(5.42)

(5.43)

• Then, we distribute the value of each vault throughout the whole set of nodes of the network by using the “max-path” algorithm. In the following paragraph we describe this algorithm:

88

5 Mathematical Model I: Static Intentional Risk

– Let us suppose we are distributing a value M. We build an initial vector v0 which has all its coordinates equals 0 except the corresponding place to the vault in which the value M appears. Also we put w0 := v0 . – In the vector wk we will keep the value that has been flowing through the network during the iterative step k, whilst in the vector vk we will keep the cumulative total value of each node after the iterative step k. – In the iterative step k, given the vector wk−1 , we will decompose it as a sum of vectors each one of them with only a coordinate different from 0: wk−1 =

(j)

∑

wk−1 [j] = 0

uk−1 .

(5.44)

– Then we multiply each one of that vectors by the reduction matrix B: (j)

(j)

uk = B · uk−1 .

(5.45)

(j)

– Implementation note: The vector uk calculation can be done by multiplying the number wk−1 [j] by the j-column of the matrix B. Thus, it is not necessary to do the decomposition explicitly, it is enough to build as many vectors uk as coordinates different from zero has the vector wk−1 . – Now we build wk as the maximum, coordinate by coordinate, of the results: wk = max_cow

k−1 [j] =

0 (uk (j)).

(5.46)

– And also we build vk as the maximum, coordinate by coordinate, j of vk−1 and wk , i.e., vk = max_co(wk , vk−1 ).

(5.47)

– Stop condition: when vk−1 = vk we halt the algorithm. The vector vk coordinates give us the distributed value from the vault to each one of the nodes. • Finally, in each node, we add its corresponding distributed values from all the vaults. • The procedure is illustrated by using our example. Let us suppose we have an initial value in three nodes: Name Label Initial value y1 IP5 : p1 2 y4 IP7 : p4 5 y6 IP12 : p6 10

(5.48)

5.4 Static Risk Intentionality Network Construction Method: An Example

89

• We deal more in detail the dispersion procedure from the node y6 . The operations are carried out using the free software Maxima, with an internal precision calculated with 15 decimals but showing only 2. We build the initial vector v0 and the first two iterations: ⎞ ⎞ ⎛ ⎞ ⎛ ⎛ 0 0 0 ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜3.33⎟ ⎜3.33⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎟ ⎟ ⎟ w1 = B·w0 = ⎜ v1 = max_co(v0 , w1 ) = ⎜ v0 = w0 = ⎜ ⎜ 0 ⎟; ⎜ 0 ⎟; ⎜ 0 ⎟ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎜0⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ ⎝10⎠ ⎝ 0 ⎠ ⎝ 10 ⎠ 0 0 0 (5.49)

⎞ 0 ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ w2 = B · w1 = ⎜ ⎜ 0 ⎟; ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎝ 0 ⎠ 0 ⎛

⎞ 0 ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ v2 = max_co(v1 , w2 ) = ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎝ 10 ⎠ 0 ⎛

(5.50)

• It is remarkable that in steps 1 and 2 it is not necessary to decompose the vector wk because it has only a coordinate different from zero. So we are going to include, as an example, the step 5, since in this case it is necessary to do the decomposition:

90

5 Mathematical Model I: Static Intentional Risk

⎞ 0 ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜0.83⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ v4 = ⎜ ⎜0.83⎟ ⎜0.83⎟ ⎟ ⎜ ⎟ ⎜ ⎜0.83⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎝ 10 ⎠ 0 ⎛

(5.51)

⎞ ⎛ ⎞ ⎛ ⎞ ⎞ ⎛ 0 0 0 0 ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ (7) (8) (9) ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ w4 = ⎜ ⎜0.83⎟ = ⎜0.83⎟ + ⎜ 0 ⎟ + ⎜ 0 ⎟ = u4 + u4 + u4 ⎜0.83⎟ ⎜ 0 ⎟ ⎜0.83⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜0.83⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜0.83⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎟ ⎟ ⎜ ⎜ ⎝ 0 ⎠ ⎝ 0 ⎠ ⎝ 0 ⎠ ⎝ 0 ⎠ 0 0 0 0 ⎛

⎞ ⎛ 0.41 ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ (7) (7) ⎟ u5 = B · u4 = ⎜ ⎜ 0 ⎟; ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎝ 0 ⎠ 0

⎞ 0.41 ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ (8) (8) ⎟ u5 = B · u4 = ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎝ 0 ⎠ 0

(5.52)

⎛

(5.53)

5.4 Static Risk Intentionality Network Construction Method: An Example

91

⎞ 0 ⎜0.2⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ (9) (0) ⎟ u5 = B · u4 = ⎜ ⎜0⎟ ⎜0⎟ ⎜ ⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎜0⎟ ⎜ ⎟ ⎝0⎠ 0

(5.54)

⎞ ⎛ 0.41 ⎜ 0.2 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ (7) (8) (9) ⎟ w5 = max_co(u5 , u5 , u5 ) = ⎜ ⎜ 0 ⎟ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎝ 0 ⎠ 0

(5.55)

⎞ 0.41 ⎜ 0.2 ⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜0.83⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎟ v5 = max_co(v4 , w5 ) = ⎜ ⎜0.83⎟ ⎜0.83⎟ ⎟ ⎜ ⎟ ⎜ ⎜0.83⎟ ⎟ ⎜ ⎜ 0 ⎟ ⎟ ⎜ ⎜3.33⎟ ⎟ ⎜ ⎝ 10 ⎠ 0

(5.56)

⎛

⎛

92

5 Mathematical Model I: Static Intentional Risk

• The algorithm is stabilised after the 8-iteration. Below is a matrix with the value vectors corresponding to each iteration. Each node’s value is given by the last column:

z1 z2 z3 z4 z5 z6 y1 y2 y3 y4 y5 y6 y7

v0 0 0 0 0 0 0 0 0 0 0 0 10 0

v1 0 0 0 0 3.33 0 0 0 0 0 0 10 0

v2 0 0 0 0 3.33 0 0 0 0 0 3.33 10 0

v3 0 0 0 0.83 3.33 0 0 0 0 0 3.33 10 0

v4 0 0 0 0.83 3.33 0 0.83 0.83 0.83 0 3.33 10 0

v5 0.41 0.2 0 0.83 3.33 0 0.83 0.83 0.83 0 3.33 10 0

• The table of the transmitted value from node y1 :

z1 z2 z3 z4 z5 z6 y1 y2 y3 y4 y5 y6 y7

v0 0 0 0 0 0 0 2 0 0 0 0 0 0

v1 1 0 0 0 0 0 2 0 0 0 0 0 0

v2 1 0 0 0 0 0 2 0 0 0 0 0 0

• From node y4 : • And the final corresponding value to each node is:

v6 0.41 0.2 0 0.83 3.33 0 0.83 0.83 0.83 0 3.33 10 0.2

v7 0.41 0.2 0 0.83 3.33 0.05 0.83 0.83 0.83 0 3.33 10 0.2

v8 0.41 0.2 0 0.83 3.33 0.05 0.83 0.83 0.83 0 3.33 10 0.2

5.4 Static Risk Intentionality Network Construction Method: An Example

z1 z2 z3 z4 z5 z6 y1 y2 y3 y4 y5 y6 y7

v0 0 0 0 0 0 0 0 0 0 5 0 0 0

Node z1 z2 z3 z4 z5 z6 y1 y2 y3 y4 y5 y6 y7

v1 0 0 1.66 0 0 0 0 0 0 5 0 0 0

v2 0 0 1.66 0 0 0 1.66 1.66 1.66 5 0 0 0

Val. from y1 1 0 0 0 0 0 2 0 0 0 0 0 0

v3 0.83 0.41 1.66 0 0 0 1.66 1.66 1.66 5 0 0 0

v4 0.83 0.41 1.66 0 0 0 1.66 1.66 1.66 5 0 0 0.41

Val. from y4 0.83 0.41 1.66 0.02 0 0.1 1.66 1.66 1.66 5 0.1 0 0.41

v5 0.83 0.41 1.66 0 0 0.1 1.66 1.66 1.66 5 0 0 0.41

v6 0.83 0.41 1.66 0 0 0.1 1.66 1.66 1.66 5 0.1 0 0.41

Val. from y6 0.41 0.2 0 0.83 3.33 0.05 0.83 0.83 0.83 0 3.33 10 0.2

v7 0.83 0.41 1.66 0.02 0 0.1 1.66 1.66 1.66 5 0.1 0 0.41

93 v8 0.83 0.41 1.66 0.02 0 0.1 1.66 1.66 1.66 5 0.1 0 0.41

Total value 2.25 0.62 1.66 0.85 3.33 0.15 4.5 2.5 2.5 5 3.43 10 0.62

• Finally we have to assign the value corresponding to each edge. Each edge will have as much value as its outcome node multiplied by the value reduction of that edge (i.e., the inverse of the anonymity value of that edge, since we are working on the users network; for the administrators network the value would be 1). We can condense all this information in a matrix C, obtained by multiplying each column of the reduction matrix B by the total value of the node corresponding to that column. In our example we have:

94

5 Mathematical Model I: Static Intentional Risk

1 2 0 0 0 0 0 0 0 0 0 0 C= 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0.62

3 0 0 0 0 0 0 1.66 1.66 1.66 0 0 0 0

Z 4 0 0 0 0 0 0 0.85 0.85 0.85 0 0 0 0

5 0 0 0 0 0 0 0 0 0 0 3.33 0 0

6 0 0 0 0 0 0 0 0 0 0 0.15 0 0

1 2.25 0 0 0 0 0 0 0 0 0 0 0 0

2 1.25 0 0 0 0 0 0 0 0 0 0 0 0

3 0 0.62 0 0 0 0 0 0 0 0 0 0 0

Y 4 0 0 1.66 0 0 0 0 0 0 0 0 0 0

5 0 0 0 0.85 0 0 0 0 0 0 0 0 0

6 0 0 0 0 3.33 0 0 0 0 0 0 0 0

7 0 0 0 0 0 0.15 0 0 0 0 0 0 0

(5.57)

Graphic representation of the collapsed network together the corresponding values as in the edges as in the nodes. The initial value of the vaults is also included (Fig. 5.5). Step 4:

Accessibility assignment (in the collapsed network).

Fig. 5.5 Graphic representation of the collapsed network together with the corresponding values in the edges and in the nodes

5.4 Static Risk Intentionality Network Construction Method: An Example

95

• We execute the PageRank algorithm in the collapsed graph, taking into account the edges’ weights given by its connection rates, and with damping factor 0.15 for the users network. For the administrators network the damping factor is 0.25. • The accessibility value assigned for the nodes of the collapsed network is obtained by executing the PageRank algorithm in the collapsed network. In our case (calculated by using Gephi) is the following: Node z1 z2 z3 z4 z5 z6 y1 y2 y3 y4 y5 y6 y7

PageRank 0.024 0.094 0.097 0.097 0.069 0.069 0.034 0.034 0.104 0.106 0.106 0.083 0.083

Position 13 6 4 4 9 9 11 11 3 1 1 7 7

• The accessibility of each edge in Fig. 5.6 has been obtained from the accessibility of its income node by using the formula (4.11). Graphic representation of the collapsed network together the corresponding accessibility values as in the edges as in the nodes. We have also represented the position of each node ordered by its accessibility value.

5.4.3 Assignment of Attributes in the Original Network It seems clear that we want to assign the attributes anonymity, value and accessibility to the nodes and edges of the original network. In this respect the following points are particularly interesting: • The edge’s anonymity assignment is direct from the anonymity values of the collapsed network (The anonymity of an edge coincides with the node’s degree of its outcome node). • The node anonymity is not an immediate problem since a node can have different anonymity values depending on the different collapsed groups it belongs to. A solution could be the anonymity of a node to be a vector with as many components as collapsed groups the node belongs to after having applied the

96

5 Mathematical Model I: Static Intentional Risk

Fig. 5.6 Graphic representation of the collapsed network together the corresponding accessibility values in the edges and in the nodes

collapsed algorithm. In any case, this is not a great concern since the anonymity we will use only the anonymity corresponding to the edges. • In order to execute the algorithm of value assignment and the algorithm of accessibility assignment in the original network we only need the edges’ anonymity. On the other hand we have value and accessibility value as in the nodes as in the edges.

5.5 Final Formula and Summary of Static Risk Model As we have explained, in the context of Static Risk, we consider two different networks: the users network and the administrators network. The development procedure to assign the three attributes (Accessibility, Anonymity and Value) to each one of the elements of these networks is the following: • A “sniffing” is executed in order to obtain the connections between the nodes IP and the nodes IP:port. • On the basis of this information we build the users network and the administrators network by considering the port and applications they have been connecting to. Based on the sniffing we get the number of users who use each one of the edges. We put the inverse of that integer number as the label of each edge and, on this labelled network, we execute the max-path algorithm to distribute the Value from the vaults to all the nodes of the network, by putting the inverse of the number of

5.5 Final Formula and Summary of Static Risk Model

97

users in each edge as a reduction value factor. So, the more the number of users who access a node, the more value reduction the potential attackers will have that node but the more Anonymity. The increase of Anonymity does not compensate the value reduction in the case of the users network, but it may be compensate the value reduction in the case of the administrators network, since in the latter case the value is not divided. We can interpret this situation in the sense that the final users access to a proportional part of the Value, and the administrators access the total Value when they are connected. For calculating each node accessibility we label (by putting a weight on) each edge with the frequency (number of accesses, independently of the number of users, i.e., if an user has used that edge 500 times, the label would be 500 instead of counting it as a unique user). On this new weighted network we calculate the PageRank for each edge. The value obtained will be the Accessibility of that edge. In other words, when we compute the Accessibility we are evaluating the probability for the risk to materialize from the access frequency in different elements of the network. So, the more is the access frequency (by one, or several or many users or administrators), the more is the probability that someone (administrator or simple user) will choose to misuse the information. At this point Static Risk define as the Profitability associated to the Attacker Risk (PAR-attacker), although should be stressed the following: • The greater the PAR-attacker of an element of the Static Risk Network is, the greater the motivation for the attacker. • Attacker-income (Value): Is the calculated Value for each element of the network. • Attack probability: Within the context of Static Risk, is directly proportional to the Accessibility. • Risk for the attacker: Is directly proportional to the inverse number of the corresponding value of Anonymity. In short, we have gone from the traditional formula Risk = Impact · Probability

(5.58)

to a new formula in which will we identify the following elements: Impact

=

Value,

(5.59)

Probability

=

Accessibility,

(5.60)

1 = Deterrent risk for the attacker. Anonymity

(5.61)

Static Risk is mainly related to employees, suppliers and customers. In general with that people who has (temporary or not) authorization to access information contained in the network.

98

5 Mathematical Model I: Static Intentional Risk

In the following formula to compute the risk of each element e of the network, we consider as an element a pair NODE −→ EDGE. The Value of each element e resides in the NODE and the Anonymity of each element resides in the EDGE. The Static Risk of each element is calculated by using the following formula: PARe = Valuee · (Acce ) · ( =

Valuee · (Acce ) k Anone

Anone ) k

,

(5.62) (5.63)

where PARe = PARelement ,

(5.64)

Acce = Accessibilityelement ,

(5.65)

Valuee = Valueelement ,

(5.66)

Anone = Anonymityelement ,

(5.67)

and where k is a standard constant which depends on the homogeneous group of legal consequences for the potential attacker (it depends on the country where the network is placed, the employees, the subcontracted companies and the customers that have access to the information contained in the network) and it represents the potential punishment probability for the attacker. The Network Static Risk of a network G = (X, E) is defined as the maximum of all the element risk values (i.e., the profitability for the attacker) which configure the network, i.e., Static − RiskG = max({PARe |e ∈ X × E}).

(5.68)

It is remarkable that the main parameter in the framework of Static Risk is the Value. The Accessibility of an edge is the PageRank of that edge calculated on the linegraph network, as it has been explained in Chap. 3, and it is directly proportional to the frequency of use of that edge, in such a way that the sum of the accessibilities equals 1. However, the Accessibility plays a minor role in the context of lowprivilege users network, since the accessed value is always a comparatively small value. In the case of administrators network the Static Risk may be meaningfully increased due to the Accessibility of the corresponding element, and it may therefore be representative in the computation risk.

Chapter 6

Mathematical Model II: Dynamic Intentional Risk

Abstract In this chapter we establish the main definitions related to Dynamical Risk. We build the Dynamic Risk Model by assigning the corresponding attribute (Anonymity, Value, Accessibility) to each element of the new network. In this chapter we also compare both models, Static Risk Model and Dynamic Risk Model, pointing out the differences between them. It is important to highlight here that zero-day attacks are not integrated into the model.

6.1 Comparative Analysis: Static Risk vs Dynamic Risk Within the framework of Static Risk the value is the most important single attribute. However, in the case of Dynamic Risk the most important single attribute is the accessibility. In static risk an attacker uses his authorized access without manipulating or exploiting the technology. Therefore the quantity of value he has access to determines most of his risk equation. Similarly, because he will normally have authorized access, he is also bound to some type of contract and therefore has a higher level of personal risk perception. Therefore, his lack of anonymity will be a deterrent. In the context of Static Risk the greater is the number of users, the greater his perceived Anonymity. But a sophisticated technical attacker can impersonate other users or processes, or can even hop through different networks and jurisdictions. Therefore Anonymity is not a deterrent in Dynamic Risk. This changes the profit mental calculation for the two types of attackers in Static and Dynamic Risk. In the environment of Static Risk the value depends on the percentage of value accessible by the user. In the environment of Dynamic Risk the hacker tries to take access the entire value. Within the framework of Dynamic Risk, since for most external attackers there is no risk at all, and internal technical attackers continue to be legally bound and can be slightly deterred, the anonymity is related to the hacker’s physical location and his perception of the risk. We will consider only three values for anonymity in the context of Dynamic Risk: 1. INTERNET: Anonymity = 1 2. Internal WIFI (802;1X), providers: Anonymity = 0.5 3. Intranet: Anonymity = 0. © The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_6

99

100

6 Mathematical Model II: Dynamic Intentional Risk

6.1.1 Accessibility in the Context of Dynamic Risk Within the framework of Static Risk the accessibility has no cost (cost = 0) since we assume the access has been previously authorized and granted. Within the framework of Dynamic Risk each jump (or non authorized access) from one element to another increases the cost for the attacker. It is difficult, for a hacker, to get access through a new non authorized access (hop) because it also increases his personal the risk in addition to the cost (effort). The more distance to the value, the more difficult and costly the attack is. Therefore, for the Dynamic Risk construction, we start by doing a vulnerability scanning of the network to get all the non authorized paths (by detecting the unused but open ports, by fingerprinting the different applications, underlying operative system as well as by finding any known vulnerabilities). This vulnerability scan allows us to create two new types of potential connections between the nodes: vulnerabilities and affinities. If two nodes have the same operating system and the same open ports a new connection is established between them due to their affinity. Because of our experience in ethical hacking, we found that almost always we could also hack into computers with the same or similar configurations. This is a consequence of them many times sharing some of the administrative or technical user accesses or by having similar configuration errors. So we assume that an attacker, once he has administrative privileges to server, he may easily hop to a similar server depending on its level of affinity. Additionally, any critical vulnerability that is found is also assumed to be a valid connection, allowing attackers to connect to that port through that known vulnerability. For the accessibility computation we will use a biased version of the PageRank algorithm which includes all the non authorized paths, and a combination of the damping factor and the customization vector in such a way that: • Wherever a random jump is executed the destination is one of the external nodes (by using the personalization vector, dangling nodes). • We must take into account (in order to compute the accessibility computation) the distance (number of jumps or hops) from the external nodes to the vaults, and the possible critical access through vulnerabilities and affinities. • Finally, we must take into account if the connection is one that already exists, is authorized and in use (Static Risk). How can we model it? A possible way to deal with this from a mathematical point of view is by considering a stochastic process (Markov Chain) defined by the following transition matrix P = (pij ): if you are in the node i, the probability of a jumping from the node i to the node j is given by the following expression:

6.2 Dynamic Risk Model

101

f (i, j) d(j, B) , pij = p(i −→ j) = f (i, k) ∑k∈N aik d(k, B) aij

(6.1)

where • A = (aij ) the adjacency matrix of the network with all the connections, • f (i, j) = α if i −→ j is an existing connection, and f (i, j) = β if i −→ j is a potential connection, 0 < β < α , • β is inversely proportional to the effort that the hacker must make to create the new link (connection), • d(j, B) is the Haussdorff distance (distance between a node and a set) from node j to the vaults set B. The inequality 0 < β < α can be explained intuitively by the fact that it is more easy for a hacker to use an existing edge than a “potential edge” (new connection by affinity or the existence of a vulnerability), and therefore it is more likely that an existing edge be used by a hacker Instead him having to create a new edge (in any case, it depends on the effort that must be made by the hacker to create it and the risk of the attack being identified that these new connections generate). So, for example, the easier for the hacker is to attack by affinity, the greater the value of β and, also, a hacker is more likely to use an edge if it allows the attacker get closer to a vault than in the case that the edge moves the hacker further away from the vaults.

6.2 Dynamic Risk Model In order to build the Dynamic Risk model we depart from the network obtained as the union (see Sect. 2.2.2) of the user network and the administrators network. As we will see, we will add new edges to this network related to the affinities and vulnerabilities existence, ultimately obtaining the Dynamic Risk Network. This will be an implementable formulation of the Dynamic Risk concept where, as we have said before, the anonymity does not play any role in Dynamic Risk, but the accessibility is the main parameter to consider for the computation of this kind of Risk, at global level as well as locally. In order to build the Dynamic Risk network we depart from a port and vulnerability scan with the aim of identifying the unused open ports and the network vulnerabilities (port scanning is sometimes also performed by hackers and crackers to find out if a network can be compromised). Every open IP:port which have affinities with other open IP:port will be connected with the IP:origin of every device with the same open IP:port and reciprocally. For each affinity we add the corresponding edges in both directions. Similarly, all the IPs (origin) will be directly connected with each one of the network vulnerabilities (by adding the corresponding edges).

102

6 Mathematical Model II: Dynamic Intentional Risk

The result of this construction is a new network (in fact, a weighted network) called the Dynamic Risk Network. Each edge of this network has an associated weight bearing in mind that an application can have incorporated several vulnerabilities (high risk vulnerability), since if a connection between two nodes was incorporated after we have done the union of the users and administrators network, the weight of that edge would be doubled if there exists an affinity between the income node and the outcome node, and that weight would triple if there exists a vulnerability in the outcome node, and so on if there are more than one vulnerability. Therefore Dynamic Risk Network is a network with a specific weight into each of its edges. With which we can approximate a complete Dynamic Risk definition: The Dynamic Risk of an element of the network is the potential profit for the attacker (hacker) obtained after reaching that element. It is important to point out that the hacker’s main target is to get one hundred per cent of the Value. So, the risk will depend mostly on the time and effort employed by the attacker to gain access to the information. Therefore, the basic and main parameter to consider in the framework of Dynamic Risk is Accessibility. In particular, the Anonymity is irrelevant in the context of Dynamic Risk, since the existence of vulnerabilities within the system involves a value maximum of Anonymity. And, since the anonymity is not relevant in the context of Dynamic Risk, it is not necessary to collapse its associated network. The nodes’ value in the context of Dynamic Risk is different from the node’s value obtained in the context of Static Risk, so it is necessary to recalculate it. In order to do that, we will use the algorithm max − path again but using a new concept of Accessibility in the context of Dynamic Risk. The Accessibility of an element of the Dynamic Risk Network is the value we get for the relative frequency of a biased random walker through that element in the sense we have introduced in Chap. 3. The Dynamic Risk of an element “e” of the network is defined as (Dynamic − Risk)e = Valuee · Accessibilitye .

(6.2)

The Dynamic Risk of the network G = (X, E) is defined as the maximum of the Dynamic Risk of its elements, i.e., (Dynamic − Risk)G = max({(Dynamic − Risk)e |e ∈ (X ∪ E)}).

(6.3)

In some cases it may be useful to consider the “Dynamic Risk Average” of the network given by the expression: (Dynamic − Risk − Average)G = Value · (Accessibility − Average)G ,

(6.4)

where Value is the total value (the sum of the values we can find in the vaults of G) and (Accessibility − Average)G is an average (the root mean square) of all the accessibilities associated to elements of G in the context of Dynamic Risk, In order to offset the sites and areas which have high levels of accessibility with other which have low level of accessibility.

Chapter 7

Towards the Implementation of the Model

Abstract As part of our research, we built a Proof of Concept (PoC) software application using real data to model real world computer networks and different types of known risks. Implementing a model most times involves a new set of detailed definitions and procedures that were not required for the high level mathematical model. Our goal was to be able to automate as much as possible the data collection and model generation. We wanted our results to have the least amount possible of human interpretation in the generation of the risk scores. We also wanted to use as inputs of our PoC application existing Open Source network vulnerability scanners and sniffers so that a complete solution could be deployed afterwards in real world scenarios. In this chapter we will go through the new detailed definitions we tested and used in our software as part of the process of building and testing our PoC.

7.1 Modeling Access 7.1.1 IP Source and Destination Port One of the fundamental pieces of our risk model was to be able to determine which users or processes had access to each node. For this purpose the first distinction we had to make was between the source and destination of the different accesses. For this purpose we defined two types of nodes: IP Source and Destination Port.

7.1.2 IP Source (e.g. 192.168.1.105) → Destination Port (e.g. 192.168.1.250:23) In this example, we are mapping an access from a source host with the IP address 192.168.1.105 to the destination Telnet application on host 192.168.1.250. A default Telnet application will listen on port 23. So we assume that host 105 in that subnet can access or has accessed Telnet on port 23 of host 250.

© The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3_7

103

104

7 Towards the Implementation of the Model

The rationale behind this definition was that the port number would only give valuable information when used as a destination since source ports are almost always generated randomly. On the other hand, open destination ports, are almost always bound to a specific type of application. Therefore, the initial destination ports will almost always provide accurate information to which application is listening on that host, whereas source ports do not add any information. Therefore this definition allowed us to map access as relation between which host or hosts are connecting or could connect to a specific application. The complex network is therefore divided into two types of elements, Hosts and Applications. But since Applications will almost always be hosted in an operating system, our model assumes that all destination ports will be hosted at that same IP which in turn becomes a source for new connections. IP Source → Destinat. Port → IP Source → Destinat. Port → IP Source 192.168.1.105→ 192.168.1.250:22→192.168.1.250 → 10.1.1.1:22→10.1.1.1 In this example host 105 accesses through SSH host 250 that then accesses via SSH host 10.1.1.1. From an attacker’s perspective, this also means that once unrestricted access to an application has been secured, he can most times achieve unrestricted access to the underlying operating system.

7.1.3 Restricted and Unrestricted Access Levels The second definition we had to make in relation to access was based on the level of privileges of each access (end user vs. administrator level). Privileges in each type of access are very important in determining risk since the potential attacker is bound to the privileges he has or can obtain at each destination port. The higher the level of privilege, the more information and functionality an attacker can access. In all operating systems and applications there are many levels of access. From an almost risk-free calendar application access, to a very high-risk administrator access to the central database. And there are many levels in between that could be analyzed separately, but that would have not been feasible for our model data collection and would have added a large level of complexity for our models. From the start, our design goal was to simplify as much as possible both the data collection requirements, as well as the mathematical model itself so that it would be useful in generating a probabilistic value for nodes and routes. If we were to add all the granularity of access privileges it would have been useless in real world scenarios. Therefore we decided to differentiate only between two types of access levels:

7.1 Modeling Access

105

• Restricted End User Access: Any type of access that is bound by the application itself and that does not allow the user to abuse his privileges for personal gain. We assume this type of access is always authorized explicitly or implicitly by the organization. These accesses are considered low risk since they only allow the user to access a restricted amount of data of functionality. • Unrestricted Technical Access: Any type of access that can potentially allow a technical user or an external hacker to have unrestricted access to functionality, code, configuration or data. This access can either be authorized by the organization or gained through an exploit. In either case, it is equally high risk since a user that has or gains administrative access to an application can in most cases escalate privileges to gain control over the server and network. Sophisticated attackers will always try to obtain this type of access. At first we tried to determine access levels by querying each individual server but when we tried that in real world computer networks, it turned out to be very difficult since most organizations do not have a centralized capability to query or download types of connections and connections privileges for each of their hosts. We realized we could infer the privilege level from the scanner and sniffer data. To do so, we classified different destination ports based on the default use and access privileges they would grant. Therefore all administrative access ports to operating systems and applications were classified as unrestricted and we get: • Restricted End User Access: Ports generally used to browse the Internet or internal web based applications, as well as email, name resolution, internal end user services or internal applications. Example ports: 80 http, 443 https, 53 dns, 25 smtp, 547 dhcp server, 110 pop3, etc. • Unrestricted Technical Access: Ports generally used to configure, administrate or execute applications. Example ports: 22 ssh, 23 telnet, 1433 sql server, 5900 vnc, 3389 ms terminal services, 513 rlogin, etc. As can be deduced by these few examples, there is some overlap between unrestricted and restricted uses of some of the ports. For example, an administrator could manage a firewall through a Web based interface listening in port 443 https. Or end users could be using Microsoft’s terminal server to access to a very restricted virtualized environment. Another potential problem would be applications that were purposely obfuscated and changed to a different port to avoid been easily found by hackers. We were aware of these imprecisions in the model, some of which could be easily handled if the port was additionally fingerprinted by the network vulnerability scanner. And yet some others would maybe require a manual correction. It was determined that for this initial proof of concept we wanted to verify how resilient our model was to incomplete or inaccurate information. And deemed that the missing or incorrect labeling of some ports should not significantly change the main inferred risks. In any case, adding host awareness (instead of only port and application) to the classification of access levels would prevent most of these inaccuracies.

106

7 Towards the Implementation of the Model

7.1.4 Static and Dynamic Risk Access Levels Static and dynamic risks are fundamentally different in relation the type of access privileges that are being modeled. As mentioned before, static risk is modeling the probability that an authorized user will decide to steal data or abuse functionality for personal gain. In static risk, we are trying to model the authorized access that each user already has, including technical users and administrators. On the other hand, dynamic risk tries to model the access that potential attacker may have if he decides to change configurations, code, escalate privileges and exploit vulnerabilities. The main difference is that in static risk we model employees, external contractors and even customers that have existing authorized access. In dynamic risk, we are modeling a sophisticated hacker that will—in addition to whatever access he may initially have—jump from the application to the operating system and from that node to the next, in trying to get closer and obtain access to the high value data or functionality. These dissimilarities required us to use to different data sources to calculate each type of model.

7.1.5 Static Risk with Network Protocol Analyzer Sniffers For static risk we needed to find which accesses were already authorized and normal. We decided for this purpose to use network sniffers to monitor one or several network segments and with that extract the anomalous connections that would happen in a specific period of time. These connections (a.k.a. sockets) would give us a long list of all the originating IP sources, as well all the destination ports that were being accessed in that network segment. The frequency of connections for each socket would also give us information of which were the busiest routes and how many different hosts were accessing a specific application. Again, this can never be a complete representation of all authorized accesses but we were aiming to have a statistically accurate enough model of which hosts or groups of hosts connected to which applications and with which frequency. Network sniffers generate a log of all the connections that traversed the network at a given point. They will generally be setup to record the network traffic in mirror ports at the hub or switch level. As our Open Source network sniffer we used Wireshark protocol analyzer.

7.1.6 Dynamic Risk with Network Vulnerability Scanners For dynamic risk, in addition to mapping the frequently used sockets, we wanted to also model the potential routes that a hacker might find and exploit. For an attacker, sockets that are used normally are desirable since they are more anonymous

7.1 Modeling Access

107

and attract less attention but most times they have restricted access to data or functionality. Therefore, an attacker will try to find the best route by pondering different alternatives. Attackers will choose routes where he can obtain the most privileges, with the least effort and while getting the closest to their end goal. To do so, they consider stealing password to impersonate legitimate users (preferably administrators), exploiting software to escalate privileges or impersonate processes, as well as using exploring configuration similarities to find password or software vulnerabilities in similar hosts. We wanted to emulate the way a sophisticated hacker thinks and to do so we needed more information from our sources. We determined that the best and easiest way to gather this information was through vulnerability scanners, sometimes used by attackers themselves to find and assess their next hop through the network. A vulnerability port scanner tests each host for open ports and then tries to determine the specific name and version for each application that is listening. If it successfully fingerprints the version it can then link that version to known vulnerabilities. For our tests we were using the open source vulnerability scanner Nessus. To build the dynamic risk network we use the static network and overlap it with what the Vulnerability Scanner has identified. Some ports are in use and had already been identified; some ports may be new and had not been accessed before in our data. Additionally, some ports that were classified as end user applications may have vulnerabilities that would allow an attacker to remotely connect as an unrestricted administrator. Therefore the vulnerability scanner’s log is used to populate new application nodes and new potential accesses. The new potential accesses are generated on top of the static and dynamic nodes. We assume that each critical or remote execution vulnerability can be accessed from any other host. And therefore we generate all the new high-risk sockets and include them as links. Similarly, those hosts that have the same ports open with the same application versions are also linked among each other to account for the relative easiness of hopping to a server that is configured in the same way. Most times two very similar servers will have the same vulnerabilities and will share some of the same passwords. High privilege access to one of them can most times easily be escalated to access another similar host. This process generates many new potential access routes that may have never being used before. These new links allow the model to evaluate potential routes that could exist based on host similarities or known vulnerabilities. One limitation of this approach is that it does not currently account for unknown vulnerabilities, also called zero day vulnerabilities. But again, this model intends to generate a probabilistic approach to risk and not a deterministic model. Based on our tests, it manages to find the most significant known risks in hosts and routes. Unknown risks are not within the scope of our model.

108

7 Towards the Implementation of the Model

7.2 Modeling Anonymity Modeling anonymity is particularly important in determining Static Risk. Employees, external contractors and customers generally are legally bound and have serious personal risks if caught. This becomes an important deterrent unless they feel anonymous. Therefore anonymity in static risk is an important part of the incentives against stealing data or using functionality for personal gain. Whereas in dynamic risk, sophisticated hackers (most commonly external and legally unbound persons or entities) are capable of anonymizing their access; and even if they were identified, they can be accessing from anywhere in the Internet. By potentially being abroad or hopping through untraceable servers, sophisticated hackers can completely mitigate their personal risk. Because of this, anonymity is not an effective deterrent in dynamic risk networks. To calculate the anonymity perception of potential attackers, we need to determine how anonymous they feel. To do so, we assume that the more users that are authorized to access the same application, the more anonymous they perceive themselves to be. And in contrast, if they are the only ones connecting to a specific port and application, they perceive themselves to be fully identifiable and with a very low anonymity. So to calculate anonymity within the static risk network we need to collapse all the IP Sources that connect to the same Port Destination. Anonymity for each of the collapsed IP Sources accessing an individual port is then calculated as the inverse of the sum of the IP sources collapsed.

7.3 Determining Value Value represents how much the data or functionality is worth for the attacker within any given node. As explained before, value is dispersed within the network from the initial vault nodes based on accessibility. But to create the initial network model, it is necessary to have an initial value set for those vault nodes. We tried to use a network property to calculate these vault values but did not find any that would accurately or even remotely reflect the real world monetary value. Since the value for an attacker that accesses information or functionality is not intrinsic to the network nor to the nodes, value has to be placed manually into those vault nodes that store it.

7.4 Development of the Proof of Concept Software The objectives set for developing the proof of concept (PoC) software were to: • use real Sniffer protocol analyzer data to generate a static network model, • use real Vulnerability Scanner data to generate a dynamic network model, • collapse nodes and links to calculate anonymity,

7.4 Development of the Proof of Concept Software

109

• calculate node, link and network values for source anonymity, distributed value and accessibility, • allow for basic “what if” simulation scenarios introducing changes in the networks, • use open source libraries and software. The scope of the PoC development was to implement the algorithms using test data obtained from a real corporate network. It was designed to visually display the relation of the nodes and the result of the risk algorithms through complex networks graphics, tables and matrices. We identified the required modules and designed an overall system architecture to support them: • Upload Import Module: Uploaded and imported the sniffer’s network traffic dump files and the vulnerability scanner logs in different formats: text, pcap, zip, xml, gefx (Gephi). Incorporated data structures and internal databases for storage and processing. Also included export capabilities of the processed data, matrixes and graphs as xml, text or gefx files. • Graph Generator Module: Generated the graph and the associated data structures for both static and dynamic risk. It included the assembly of the graph for static risk, the adjacency matrixes, the matrix for connection frequency, the collapsed graph, as well as, the dynamic risk graph and the dynamic risk matrixes. • Calculation Module: Calculated each step of the static and dynamic risk models, including the collapsed graph, anonymity, accessibility and value, as well as the dynamic risk determined by the vulnerabilities and affinities between nodes. It also included functionality to save settings and to make “what if” analysis by varying parameters of the graph or controls within the network. • Visualization Module: Displayed of the graphical representation of the network and its risk variables: anonymity, accessibility and value of information. The visualization shows the graph identifying with colors, icons, arrows and text labels the key attributes of the model. Allowed the manipulation and relocation of nodes within the graph area. It also included graphical representation of the security controls in the network, as well as a representation of the collapsed nodes.

7.4.1 Software Architecture The software was built as a web application to run from a web browser. The initial version of the application was only compatible with the Firefox browser. The software was built under the GNU General Public GPL V3 that allows users to share and change the code.

110

7 Towards the Implementation of the Model

User

Sniffing log .csv.zip

Upload file

Complex Networks Application

Upload manager Visual render UI/UX Assign user type to destination ports Edge frequency Server Side Controllers

Javascript libreries

Pagerank Edge weight Graph generator Matrix generator

Export

JSON Data

MySQL Database

Fig. 7.1 Software architecture

The application was mounted on Amazon EC2 Ubuntu operating systems. The server technology was LAMP (Linux, Apache, MySQL, PHP). It used the GMP extension for mathematical calculations. On the client side JavaScript v1.5 was used. The server side application consists of a series of modules in PHP that implement the various features and that resides in an APACHE server. The data generated by the application for processing and storage of information is stored in three types of structures. JSON files were used to store graph representations that could be easily manipulated by the JavaScript and Ajax libraries. The network sniffer and scanner files were stored in text files and data tables within MySQL. This prototype had a simple architecture for only one user and did not support concurrency (Fig. 7.1).

7.5 Proof of Concept The starting point for the analysis of the PoC was to upload the output files from the sniffer or vulnerability scanner. The input source for the application were both a packet capture file obtained via a packet analyzer tool (Wireshark), as well as a network vulnerability scanner (Nessus). To keep the file size to a minimum, sniffing should be filtered to not store the payload within the IP packets. The easiest way was to create a .csv file

7.5 Proof of Concept

111

Fig. 7.2 Upload/load data module of the software

(Comma Separated Values) from Wireshark with the following headers: timestamp, ipOri, ipDest, portDest. The file could be then compressed for upload using a .zip format (Fig. 7.2). Uploading a file would trigger the following processes: 1. LOAD DATA. The ZIP file uploaded to the application is decompressed. The structure of the file is validated and the contents loaded into a MySQL table. 2. ASSIGN USER TYPE. The application marks each destination port as either: (a) a restricted end user port or (b) an unrestricted technical user port, based on the IP protocol and port number. 3. LINK FREQUENCY. Frequency is calculated for each of the links 4. ACCESSIBILITY. Accessibility is calculated for each of the nodes for both types of accesses (end user restricted and unrestricted technical). 5. WEIGHT EDGE. The weight of each link is calculated. 6. GRAPH GENERATOR. The graph representing the network is generated internally. JSON data structure for graph is generated. 7. MATRIX GENERATOR. The adjacency matrix and frequency matrix of the graph are generated. A JSON data structure is generated the matrix.

112

7 Towards the Implementation of the Model

Fig. 7.3 Report of the results obtained by the calculation module of the software

7.5.1 Visualization The Graph tab displays the directional graph data loaded into the application, showing all nodes that represent devices with IP addresses or ports. The links are then drawn (Figs. 7.3, 7.4, and 7.5).

7.5.2 Collapse/Expand The collapse algorithm collapses the Source IPs that connect to the same Destination port. A new icon representing multiple hosts is included. Both End User and Tech User graphs are calculated separately and are shown in separate views (Fig. 7.6).

7.5.3 Anonymity, Accessibility and Value To calculate Value distribution initial values had to be set. This was done manually by selecting the Vault Nodes and setting the initial monetary value (Fig. 7.7).

7.5 Proof of Concept

113

Fig. 7.4 Representation of the nodes in de visualization module of the software

Having collapsed the Source IP nodes to calculate Anonymity and once Vault Node monetary values were entered, the PoC would calculate and propagate the full network values. The whole process was fast (few seconds at most) even for the largest networks we tested. The values shown on each the directional link were connection frequency with the letter f, Anonymity with the letter n and Accessibility with the letter c. The value of the node is displayed with the label “value” (Figs. 7.8 and 7.9). For visualization purposes different algorithms were tested to make larger networks easier to read and analyze (Figs. 7.10 and 7.11). Direct access to all the data was also enabled through the data laboratory tab (Figs. 7.12 and 7.13).

7.5.4 Further Work for the PoC A couple of things that we would like to develop in the future would be: • Arbitrary collapse and expand of the nodes to show the network and its risk values at different levels of detail. For example, to collapse into subnetworks and determine the risk level for each or expand into individual ports and figure out which application represents the highest external threat.

114

7 Towards the Implementation of the Model

Fig. 7.5 Representation of the links in de visualization module of the software

• Implement the capability to insert and remove different Security Controls and Policies to enable modeling of the best protection strategy within the each computer network.

7.5 Proof of Concept

Fig. 7.6 A visualization of the collapse of a graph

Fig. 7.7 Setting of the vaults nodes and their value

115

116

7 Towards the Implementation of the Model

Fig. 7.8 An expanded view of all the attributes of a sample network

7.5 Proof of Concept

Fig. 7.9 A collapsed view of all the attributes of a sample network

117

118

7 Towards the Implementation of the Model

Fig. 7.10 View of a sample network after a star graph visualization algorithm

7.5 Proof of Concept

Fig. 7.11 View of a sample network after a Zone Grid visualization algorithm

Fig. 7.12 Visualization of the (logs) data in the data laboratory section

119

120

7 Towards the Implementation of the Model

Fig. 7.13 Visualization in the data laboratory section of the network metrics obtained in de computation module

References

1. Agarwal, J., Blockley, D.I. and Woodman, N.J.: Vulnerability of systems. Civil Eng. and Env. Syst. 18, 14165 (2001) 2. Agarwal, J., Blockley, D.I. and Woodman, N.J.: Vulnerability of structural systems. Structural Safety 25, 263286 (2003) 3. Albert, R., Albert, I., Nakarado, G.L.: Structural vulnerability of the North American power grid. Phys. Rev. E 69, 025103 (2004) 4. Albert, R., Jeong, H. and Barabási, A.L.: Diameter of the world-wide web. Nature 401, 130–131 (1999) 5. Albert, R., Jeong, H. and Barabási, A.L.: Error and attack tolerance of complex networks. Nature 406, 378(2000) 6. Albert, R. and Barabási, A.L.: Statistical mechanics of complex networks. Rev. Mod. Phys. 74, 47–97 (2002). 7. Amaral, L. A. N. and Ottino, J. M.: Complex networks. European Physical Journal B, 38, 147–162 (2004). 8. Amaral, L. A. N. , Scala, A., Barthelemy, M. and Stanley, H.E. : Classes of small-world networks. PNAS 97, 11149–11152 (2000). 9. Anez,J., De La Barra, T. and Perez, B.: Dual graph representation of transport networks, Trans. Res. B 30, 209–216,(1996). 10. Arenas, A., Danon, L., Díaz-Guilera, A., Gleiser, P.M. and Guimerá, R.: Community analysis in social networks. Eur. Phys. Journal B, 38 373–380 (2004) 11. Arulselvan, A., Commander, C.W., Elefteriadou, L. and Pardalos, P.M.: Detecting critical nodes in sparse graphs. Computers and Operations Research 36, (7), 2193–2200 (2009). 12. Bao, Z.J., Cao, Y.J., Ding, L.J. and Wang, G.Z.: Comparison of cascading failures in smallworld and scale-free networks subject to vertex and edge attacks. Physica A, 388, 4491–4498 (2009) 13. Barabási, A. L. and Albert, R.: Emergence of scaling in random networks, Science 286, 509–512 (1999) 14. Barefoot, C. A., Entringer, R. and Swart, H.: Vulnerability in graphs a comparative survey. J.Comb.Math.and Comb.Comput. 1, 13–22 (1987) 15. Barrat, A. and Weigt, M.: On the properties of small-world network models, Eur. Phys. J. B., vol. 13, 547–560 (2000). 16. Bar-Yam, Y.: Dynamics of Complex Systems. Addison-Wesley, 1997. 17. Berdica, K.: An introduction to road vulnerability: what has been done, is done and should be done. Transport Policy 9 (2), 117–127 (2002). 18. Biggs, N.: Algebraic Graph Theory, 2nd Edition. Cambridge University Press, 1993.

© The Author(s) 2015 V. Chapela et al., Intentional Risk Management through Complex Networks Analysis, SpringerBriefs in Optimization, DOI 10.1007/978-3-319-26423-3

121

122

References

19. Boccaletti, S., Bianconi, G., Criado, R., Y., Del Genio, C.I., Gómez-Gardeñes, J. , Romance, M., Sendiña-Nadal, I. Wang, Z., Zanin, M.: The Structure and Dynamics of Multilayer Networks. Phys. Rep, 544, 1, (2014). 20. Boccaletti, S., Buldú, J., Criado, R., Flores, J., Latora, V., Pello, J., Romance, M.: Multi-scale Vulnerability of Complex Networks. Chaos 17, 043110 (2007) 21. Boccaletti, S., Criado, R., Pello, J., Romance, M., Vela-Pérez, M.: Vulnerability and fall of efficiency in complex networks: A new approach with computational advantages. Int. J. Bifurcat. Chaos 19 (2),727–735(2009). 22. Boccaletti, S., Latora, V., Moreno, Y., Chavez, M., Hwang, D. U. : Complex Networks: Structure and Dynamics. Phys. Rep, 424, 175 (2006). 23. Boguña, M., Serrano, M.: Generalized percolation in random directed networks. Phys. Rev. E 72, 016106 (2005). 24. Bollobás, B.: Random graphs, 2nd edn. Cambridge University Press, Cambridge, 2001. 25. Bonacich, P.: Factoring and weighing approaches to status scores and clique information. J. Math. Soc. 2, 113 (1972) 26. Bonacich, P., Lloyd, P.: Eigenvectors-like measures of centrality for asymmetric relations. Soc. Netw. 23, 191 (2001) 27. Brin, S., Page, L.: The anatomy of a large-scale hypertextual Web search engine. Comput. Netw. 30, 107 (1998). 28. Chapela,V.: Tips for Managing Intentional Risk, ISACA, 11 (2011), available on-line at http:// www.isaca.org/About-ISACA/-ISACA-Newsletter/ 29. Chen, N., Litvak, N. and Olvera-Cravioto, M.: “PageRank in Scale-Free Random Graphs”. LNCS 8882, pp 120–131, Springer (2014). 30. Chung, F.R.K.: Spectral Graph Theory. Conference Board of the Mathematical Sciences, AMS, Providence, RI, 92 (1997) 31. CIGTR, URJC: PageRank de aristas y su aplicación al cálculo de la accesibilidad, ITechnical Report (2014). 32. Cohen, R., Erez, K., ben-Avraham, D., Havril, S.: Resilience of the internet to random breakdowns. Phys. Rev. Lett. 85 (21), 4626 (2000) 33. Cohen, R., Erez, K., ben-Avraham, D., Havril, S.: Breakdown of the internet under intentional attacks. Phys. Rev. Lett. 86 (16), 3682 (2001) 34. Criado, R., Romance, M.: “Structural Vulnerability and Robustness in Complex Networks: Different Approaches and Relationships Between them”. Handbook of Optimization in Complex Networks, pp. 3–36, Springer, 2012. 35. Criado, R., Flores, J., González-Vasco, M.I., Pello, J.: Locating a leader node on a complex network. J. Comput. Appl. Math. 204, 10 (2007) 36. Criado, R., Flores, J., García del Amo, A., Romance, M.: Analytical relationships between metric and centrality measures of a network and its dual. J. Comput. Appl. Math. 235, 1775–1780 (2011) 37. Criado, R., Flores, J., García del Amo, A., Romance, M.: Structural properties of the linegraphs associated to directed networks. Netw. and Heterog. Media 7, 3, 373–384 (2012). 38. Criado, R., Flores, J., García del Amo, A., Gómez-Gardeñes, J., Romance, M.: A mathematical model for networks with structures in the mesoscale. Int. J. of Computer Math. 89, 3, 291–309 (2012). 39. Criado, R., García del Amo, A., Hernández-Bermejo, B., Romance, M.: New results on computable efficiency and its stability for complex networks. J. Comput. Appl. Math. 192, 59 (2006). 40. Criado, R., Flores, J., Hernández-Bermejo, B., Pello, J., Romance, M.: Effective measurement of network vulnerability under random and intentional attacks. J. Math. Model. Alg. 4, 307–316 (2005) 41. Criado, R., Pello, J., Romance, M., Vela-Pérez, M.: A node-based multiscale vulnerability of complex networks. Int. J. Bifurcat. Chaos 19 (2),703–710 (2009). 42. Crucitti, P., Latora, V., Marchiori, M., Rapisarda, A.: Efficiency of Scale-Free Networks: Error and Attack Tolerance. Physica A, 320, 622 (2003)

References

123

43. Crucitti, P., Latora V., Marchiori, M.: Error and attack tolerance of complex networks. Physica A 340 388–394 (2004) 44. Crucitti, P., Latora, V., Porta, S., “Centrality in networks of urban streets”, Chaos 16, 015113, (2006). 45. Crucitti, P., Latora, V., Porta, S., “Centrality Measures in Spatial Networks of Urban Streets”, Phys. Rev. E 73, 036125, (2006). 46. Crucitti, P., Latora, V., Porta, S.,“Network analysis of urban streets”, Physica A 369, 0411241, (2006). 47. Csató, L.: Distance-based accessibility indices. ArXiv 1507.01465 (2015). 48. Cvetkovic, D., Doob, M., Gutman, I., Torgasev, A.: Recent Results in the Theory of Graph Spectra, North-Holland, Amsterdam, 1988. 49. Cvetkovic, D.M., Doob, M., Sachs, H.: Spectra of Graphs, Theory and Applications, 3rd edn. Johann Ambrosius Barth, Heidelberg, 1995 50. Cvetkovic, D., Rowlinson, P. S. K. Simic: Eigenspaces of Graphs. Cambridge University Press, Cambridge, 1997. 51. De Domenico, M., Solé, A., Gómez, S. and Arenas, A. : Random Walks on Multiplex Networks, ArXiv 1306.0519 (2013). 52. Dekker, A.H., Colbert, B.D.: Network Robustness and Graph Topology. Proc. ACSC04, the 27th Australasian Computer Science Conference (18–22 January 2004), Dunedin, New Zealand (2004) 53. Diestel, R.: Graph Theory. Springer-Verlag (2005) 54. Dorogovtsev, S.N., Mendes J.F.F.: Evolution of networks. Adv. Phys. 51, 10791187 (2002) 55. Erdös, P. and Rénji, A.: “On random graphs”, Publicationes Mathematicae Debrecen 6, 290–297 (1959). 56. Erdös, P. and Rénji, A.: “On the evolution of random graphs”, Publications of the Mathematical Institute of the Hungarian Academy of Sciences 5, 17–61 (1960). 57. Evans, T.S., Lambiotte, R.: Line graphs, link partitions, and overlapping communities, Phys.Rev. E 80 (2009), 016105. 58. Evans, T.S., Lambiotte, R.: Line graphs of weighted networks for overlapping communities, Eur. Phys. J. B 77 (2010), 265–272. 59. Everett, M.G. and Borgatti, S.P.: The centrality of groups and classes. The Journal of Mathematical Sociology 23, 3, 181–201 (1999) . 60. Fiedler, M.: Algebraic Connectivity of Graphs. Czech. Math. J. 23, 298 (1973) 61. Fontoura Costa, L. et al: Characterization of Complex Networks: A Survey of measurements. Advances in Physics, 56, 167–242 (2007) 62. Fontoura Costa, L. et al: Analyzing and Modeling Real-World Phenomena with Complex Networks: A Survey of Applications. arXiv:0711.3199v3 [physics.soc-ph] (2008) 63. Freeman, L.C.: A set of measures of centrality based on betweenness. Sociometry 40, 35–41, 1977. 64. Gago, S.: Spectral Techniques in Complex Networks. Selectec Topics on Applications of Graph Spectra, Matematicki Institut SANU, Beograd, 14 (22), 63–84, 2011. 65. Gibbons, A.: Algorithmic Graph Theory. Cambridge University Press (1985) 66. Girvan, M., Newman, M.E.J.: Community structure in social and biological networks. Proc. Natl. Acad. Sci. USA 99, 7821–7826 (2002) 67. Godsil, C.D. and Royle, G.: Algebraic Graph Theory. Springer, 2001. 68. Goh, K.-I. Kahng, B. and Kim, D.: Spectra and eigenvectors of scale-free networks. Physical Review E, 64:051903 (2001) 69. Goldshtein, V., Koganov, G.A and Surdutovich, G.I.: Vulnerability and hierarchy of complex networks. cond-mat/0409298 (2004) 70. Gross, CJ. L., Yellen, J. (eds.): Handbook of graph theory. CRC Press, New Jersey (2004). 71. Guellner, C. and Costa, C.H.: A Framework for Vulnerability Management in Complex Networks. IEEE Ultra Modern Telecommunications, ICUMT.09, 1–8 (2009). 72. Harary, F.: Graph Theory. Perseus, Cambridge, MA. (1995).

124

References

73. Hemminger, R. L. and Beinek, L. W., “Line graphs and line digraphs, Selected Topics in Graph Theory (W. B. Lowell and R. J. Wilson, eds.,” Academic Press, New York,, (1978) pp. 271–305. 74. Holme, P., Beom Jun Kim, Chang No Yoon, Seung Kee Han: Attack vulnerability of complex networks. Phys. Rev. E 65, 056109 (2002) 75. Holmgren, J.: Using graph models to analyze the vulnerability of electric power networks. Risk Anal. 26 (4), (2006) 76. Hua, M-B., Jianga, R., Wang,R., Wu, Q-S. “Urban traffic simulated from the dual representation: Flow, crisis and congestion” Physics Letters A 3732007–2011, (2009). 77. Husdal, J.: Reliability and vulnerability versus cost and benefits. Proc. 2nd Int. Symp. Transportation Network Reliability (INSTR). Christchurch, New Zealand,180–186 (2004). 78. Ishakian, V., Erdös, D., Terzi, E. and Bestavros, A.: A framework for the evaluation and management of network centrality. Proc. of the 2012 SIAM International Conference of Data Mining, 427–438 (2012). 79. Jamakovic, A., Van Mieghem, P.: On the robustness of complex networks by using the algebraic connectivity. NETWORKING 2008, LCNS 4892, 183–194, 2008. 80. Jamakovic, A., Uhlig, S.: On the relationship between the algebraic connectivity and graphs robustness to node and link failures, Proc. 3rd EURO-NGI Conf. Next Generation Internet Network, Trondheim, Norway, 96–102 (2007). 81. Kivela, M., Arenas, A., Bathelemy, M., Gleeson, J.P., Moreno, Y., Porter, M.A.: Multilayer networks. J. of Complex Net. 2 203–271, (2014). 82. Langville, A.N. and Meyer C.D.: Google’s PageRank and Beyond: The Science of Search Engine Ranks, Princeton Univ. Press, Princeton (2006). 83. Latora, V., Marchiori, M.: Efficient Behavior of Small-World Networks. Phys. Rev. Lett. 87, 198701 (2001). 84. Latora, V., Marchiori, M.: How the science of complex networks can help developing strategies against terrorism. Chaos Solitons Fract. 20, 69 (2004) 85. Latora, V., Marchiori, M.: Vulnerability and protection of critical infrastructures. Phys Rev E 71,015103 (2004) 86. Latora, V., Marchiori, M.: A measure of centrality based on the network efficiency. New J. Phys. 9, 188 (2007) 87. Latora, V., Marchiori, M.: Economic small-world behavior in weighted networks. The European Physical Journal B 32, 249–263 (2003). 88. Mcafee (Report): Net Losses: Estimating the Global Cost of Cybercrime. Economic impact of cybercrime II, Center for Strategic and International Studies, June 2014. 89. Menger, K.: Zur allgemeinen Kurventheorie. Fund. Math. 10, 96–115, (1927). 90. Mehta, M. L.: Random Matrices. Academic Press, 1991. 91. Meyer, C.D.: Matrix Analysis and Applied Linear Algebra, SIAM, Philadelphia, 2000. 92. Mohar, B.: The Laplacian spectrum of graphs. Graph Theory, Combinatorics and Applications 2, 871–898 (1991) 93. Mohar, B.: Eigenvalues, diameter and mean distance in graphs. Graphs Combin. 7, 53–64 (1991) 94. Mohar, B.: Laplace eigenvalues of graphs: a survey. Discrete Mathematics 109, 198, 171–183 (1992) 95. Mohar, B., Hahn, G., Sabidussi, G.: Some applications of Laplace eigenvalues of graphs. Graph Symmetry: Algebraic Methods and Applications, NATO ASI Ser. C 497, 225–275 (1997) 96. Moral, S., Chapela, V., Criado, R., Pérez, A., Romance, M.: Efficient algorithms for estimating loss of information in a complex network: Applications to intentional risk analysis, Networks and Heterogeneous Media (AIMS) 10, 1, 195–208, (2015), doi:10.3934/nhm.2015.10.195 97. Moral, S., Chapela, V., Criado, R., Pérez, A., Romance, M.: Towards a Complex Networks’ based Model for Intentional Technological Risk Analysis, Int.J.Comp.Syst.Sci. 3(1) (2013), 45–54.

References

125

98. Motter, A.E., Lai, Y-C.: Cascade-based attacks on complex networks. Phys. Rev. E 66, 065102(R)(2002) 99. Motter, A.E.: Cascade control and defense in complex networks. Phys. Rev. Lett. 93,098701 (R)(2004) 100. Norris, J.R.: Markov Chains, Cambridge University Press, New York, 1997. 101. Newman, M.E.J.: Scientific collaboration networks I. Network construction and fundamental results. Phys. Rev. E 64, 016131 (2001). 102. Newman, M.E.J.: The structure and function of complex networks. SIAM Review 45, 167–256 (2003) 103. Newman, M.E.J.: Networks: An Introduction. Oxford Univ. Press, Oxford, 2010 104. Newman, M.E.J., Barabási, A.L., Watts, D.J.: The Structure and Dynamics of Networks. Princeton Univ. Press, Princeton, New Jersey (2006) 105. Newman, M.E.J.: Finding community structure in networks using the eigenvectors of matrices. Phys. Rev. E 74, 036104 (2006) 106. Newman, M.E.J., Girvan, M.: Finding and evaluating community structure in networks. Phys. Rev. E 69, 026113 (2004) 107. Noh, J. D., Rieger, H. : Random walks on complex networks. Phys. Rev. Lett. 92, 118701 (2004). 108. Page, L., Brin, S., Motwani, R. ,Winograd, T.: The PageRank citation ranking: Bringing order to the web, Technical Report, Standford InfoLab, 1999. 109. Pedroche, F.: Métodos de cálculo del vector PageRank, Bol. Soc. Esp. Mat. Apl. 39 (2007), 7–30. 110. Porta, S., Crucitti, P., Latora, V.: The network analysis of urban streets: a primal approach, Environment and Planning B: Planning and Design 33(5),(2006),705–725. 111. Praprotnik, S., Batagelj, V.: Spectral centrality measures in temporal networks. Ars Mathematica Contemporanea 11, 11–33, (2016) (available at http://amc-journal.eu) . 112. Romance, M., Solá, L., Flores, J., García, E., García del Amo, A. and Criado, R.: A PerronFrobenius theory for block matrices and tensor calculus of multiplex networks, Chaos, Solitons and Fractals 72 (2015) 77–89. 113. Rosato, V. and Tiriticco,F.: Growth mechanisms of the AS-level internet network. Europhysics Letters, 66(4):471–477 (2004) 114. Rudnick, J., and Gaspari, G.: Elements of the Random Walk, Cambridge University Press, Cambridge, 2004. 115. Seary, A. J. and Richards, W.D.: Spectral methods for analyzing and visualizing networks: an introduction. In Dynamic Social Network Modeling and Analysis, pages 209–228. National Academy Press, 2003. 116. Sinatra, R., Gómez-Gardeñes, J., Lambiotte, R., Nicosia, V. and Latora, V.: Maximal-Entropy Random Walks in Complex Networks with Limited Information, PRE 83 (2011), 030103(R). 117. Solá L. and Romance, M.: Multiplex PageRank on monoplex and multiplex network, Preprint (2015), 1–12. 118. Strogatz, S.H.: Exploring complex networks. Nature 410, 268–276 (2001) 119. Thay M. T. and Pardalos P.M. (Eds): Handbook of Optimization in Complex Networks. Springer Optimization and Its Applications 58, Springer, 2010. 120. Tetali, P.: Random walks and the effective resistance of networks. J. Theor. Probab. 4, 101–109 (1991). 121. Trpevski, D., Smilkov, D., Mishkovski, I. and Kocarev, L.: Vulnerability of labeled networks. Physica A 389, 23, 5538–5549(2010) 122. Van Mieghem, P.: Performance Analysis of Communications Networks and Systems. Cambridge University Press, Cambridge, 2006. 123. Veremyev, A., Prokopyev, O.A., Pasiliao, E.L.: An integer programming framework for critical elements detection in graphs. Journal of Combinatorial Optimization 28, 1, 233–273 (2014). 124. Veremyev, A., Prokopyev, O.A., Pasiliao, E.L.: Critical Nodes for Distance-Based Connectivity and Related Problems in Graphs. Networks (2015), DOI: 10.1002/net.21622.

126

References

125. Vogiatzis, C., Veremyev, A., Pasiliao, E.L., Pardalos, P.M.: An integer programming approach for finding the most and the least central cliques. Optimization Letters 9 (4), 615–633 (2014). 126. Volchenkov, D., and Lanchard, Ph., Transport networks revisited: Why dual graphs?, arXiv0710.5494. 127. Walteros, J.L. and Pardalos, P.M.: “Selected topics in critical element detection”. Springer Optimization and Its Applications 71, pp. 9–36, 2012. 128. Wang,Y., Chakrabarti, D., Wang, C., Faloutsos,C.: Epidemic spreading in real networks: An eigenvalue viewpoint. 22nd Symp. Reliable Distributed Computing, Florence, Italy, Oct. 68, 2003. 129. Wang, X.F. and Chen, G.: Complex networks: small-world, scale-free and beyond. Circuits and Systems Magazine, IEEE, vol 3, 1, 6–20 (2003). 130. Wasserman, S., Faust, K.: Social Networks Analysis. Cambridge Univ. Press (1994). 131. Watts, D.J., Strogatz, S.H.: Collective dynamics of small-world networks. Nature 393, 440–442 (1998). 132. Wehmuth, K. et al: On the joint dynamics of network diameter and spectral gap under node removal. Latin-American Workshop on Dynamic Networks, Buenos Aires (2010) 133. Whitney,S. H. , “Congruent graphs and the connectivity of graphs”, American Journal of Mathematics 54 (1), 150–168 (1932), doi:10.2307/2371086, JSTOR 2371086. 134. Wilson, R. J.: Introduction to graph theory, vol. 111. Academic Press New York, 1972. 135. Wu, J., Deng, H. Z., Tan, Y. J. and Zhu, D. Z.: Vulnerability of complex networks under intentional attack with incomplete information. Journal of Physics A: Mathematical and Theoretical, 40, 11, 2665–2671 (2007). 136. Yang, S.-J.: Exploring complex networks by walking on them. Phys. Rev. E 71, 016107 (2005).