A prediction model of urban counterterrorism based on stochastic strategy

The attacker is the main body of the attack behaviour, and the model of attacker directly affects the performance of the security system. When the attackers launch the factitious attacks, they have to consider many factors, such as the attackers’ experience, knowledge, attack intention and so on. We expect to get the security performance index of the security system in the attack and security damage, which can reflect the overall security performance in a certain period of time. To describe the behaviours of attacker should be based on statistical law and probability analysis. In addition, before and during the attack, the attacker may face a variety of decisions; usually select a plan with high success rate of attack and greatest damage to security [6,7]. Therefore, the decision model of the attacker is also an important aspect of attack modelling.

In the multi-stage attack model, the duration of some security events in each stage can be assumed to be an exponential distribution, and it is easy to adopt the state-based stochastic modelling method, and the security index can be obtained. Exponential distribution is the simplest and most effective assumption. For the attackers, the process of attack behaviour and its quantitative statistical law are analysed, and the behaviour of attackers is divided into three stages: learning stage, basic attack stage and innovation stage. At the learning stage, attackers collect and learn relevant knowledge to prepare for attacks. As attackers improve their skills, the time they spend in the learning phase will gradually decrease. In the basic attack stage, the attacker looks for security vulnerabilities and tries various feasible attacks means to carry out the attack. When the basic attack is tried, the attacker will enter a more complex stage of innovation. They will look for new attack methods and security vulnerabilities, and the success rate of attacks will continue to improve. Attackers with different experiences have different usage times in the three attack stages [8,9] The basic attack stage is the main body of the attacker’s behaviour, and the duration of the attack event is assumed to be exponentially distributed, which makes it easy to refer to the classical trusted physical analysis technology, especially based on Markov process.

This paper divides the attack behaviour into several state stages from the influence of attack, and makes the behaviour of the defender and its interaction with the attacker abstractive. The attack potential is the potential ability of the attacker to successfully carry out a specific security penetration or attack. The attack potential is related to the initial authority, knowledge and experience of the attacker. Selecting appropriate state transfer rate for specific environment and evaluation target can obtain necessary safety index of course, abstract acquisition of model parameters is an important issue. Decision model is also an important branch of attack model. The decision of the attacker has an important influence in the attack model. The attacker tries to explore the vulnerabilities of the security system so as to maximise the impact. As mentioned above, the Markov decision process is introduced into the model to quantify and analyse the attacker’s intrusion path. At the same time, the defender implements the security strategy to ensure that the key target can be protected, and the game relationship between the attacker and the defender is formed [10].

Attack tree and attack graph are the most commonly used methods to describe attacks at present. Attack tree and attack graph models mainly focus on the problem of security damage to the target, and describe the set of events that can lead to the destruction of the security system. Therefore, it is possible simulate all the attacks that a security system may suffer. Using attack tree and attack graph model to analyse the security of the system, it is mainly divided into three stages: generating attack tree and attack graph for specific security system and attack type, giving a specific value to each node in the graph, so as to calculate out the qualitative or quantitative security index. In the attack tree and attack graph model, we use a tree or graph structure to describe the attack on the security system. the root nodes show the attack targets, the leaf nodes shows the different methods used to reach the targets, and the non-leaf nodes represent the sub-target of the attack, including two types of “and” and “or”, respectively, representing the logical relationship between the sub-targets to be satisfied to achieve the attack target [11, 12]. For example, if the attackers would like to achieve the “and” node, they have to meet all corresponding sub-targets, while they only need to meet a sub-target to achieve “or” node. The nodes of the attack tree and the attack graph can be given all kinds of parameter values according to their needs, such as the Boolean value, the success rate, the cost and the possibility of the attack. Through the derivation and calculation of node values, the performance index of security system can be obtained. For “or” node, the calculation rule is to take the maximum value of all child nodes. On the contrary, it shall take the minimum value for “and” node. For example, give the success rate of node attack in the middle of attack tree, the probability of each sub-node and root node being attacked can be deduced according to the above calculation rules.

An attack tree model is shown in Figure 1, where each non-leaf node is a sub-target of the attack, and the node is assigned according to the probability and difficulty of the target success. Finally the probability of attack success can be estimated by the recurrence method from the bottom to top.

Fig. 1

The state-based stochastic model method can describe the security system in detail and clarify the state distribution and the transfer relationship between the states of various security resources after threatened by attacks. By using the state-based stochastic model, we can build the attack model from the influence of the attack on the security system, which not only ignores some unknown behaviour details, but also does not affect the calculation of security evaluation. In addition, unknown attacks can be described and prevented from attack impact. In fact, unknown attacks have become the biggest threat to the current security field. At present, some people have tried to use the state-based stochastic model method to analyse the security of the network system, and to establish the running state set of the system and its transfer relationship under the condition of attack. It is usually assumed that the state residence time is exponentially distributed, so that the corresponding state-based stochastic model has the property of Markov [13, 14]. Based on the state model of Markov process, the Markov income model can be obtained as long as the different income values assigned to each state and other security indexes of the security system can be obtained. Markov chain and Markov income model have been widely used in the evaluation of system reliability.

However, the attacker has purposiveness actions in real scenes, and there may be a specific interrelationships between security events, so that the assumption of exponential distribution is not necessarily reasonable at some time. In this case, we can do two things. One is to select the parameters reasonably, in order to approximate the exponential distribution. For example, to reasonably divide the attack into multiple phases, the time at each stage are assumed to have exponential distribution. The other thing is to select appropriate stochastic variables to characterise the attack behaviour. For example, broaden the residence time in some states to a PH distribution or general distribution; using a semi-Markov process model to build model for security system, and figure out the steady state probability, and calculate the related safety index. Using a semi-Markov process to describe a random model, that is, the residence time of the state is distributed randomly, and the state transfer point is memoryless [15, 16]. Model parameters include the average stay time of the state, showing h=(hg,htr,hA,hF) and the transfer rate matrix between states, showing Pij. Among the formulae, i j ∈ {G,T R,A,F}. First, solve the embedded chain, the steady-state probability distribution of discrete time of Markov chains is showed that v=(vG,vTR,vA,vF). As a result, the steady-state probability of the semi-Markov process model can be expressed as: πi=vihi∑jvihi,i,j∈{G,TR,A,F} {\pi _i} = {{{v_i}{h_i}} \over {\sum\nolimits_j {v_i}{h_i}}},i,j \in \{ G,TR,A,F\}

And the, the steady-state availability of the security system can be calculated as As1-F. From the orifice, “G” means the normal state in a complete attack, “TR” is the attack state, “F” is the attack success and “A” is the alarm information.

In the attack behaviour of real scene, the attack events are often not independent, and there may be interdependence or cooperative relationship between them. Therefore, it may encounter state space explosion issue to take use of thee state-based stochastic model method to analyse large-scale security problems. To solve the state space explosion issue, two methods are always used [17]. One is to reduce the scale of the model by using the state explosion avoidance technology so as to avoid the emergence of the state space coal explosion problem, including the model level and the state level and so on. The second method is to put forward feasible processing techniques for inevitable state explosion to reduce the demand of state space in calculation by using special data structure, including higher level stochastic model method.