Vulnerabilities inherent in a cyber network can be exploited by individuals with malicious intent. Thus, machines on the network are at risk. Formally, security specialists seek to mitigate the risk of intrusion events through network reconfiguration and defense. Comparison between configuration alternatives may be difficult if an event is sufficiently rare; risk estimates may be of questionable quality, making definitive inferences unattainable. Furthermore, that which constitutes a “rare” event can imply different rates of occurrence, depending on network complexity. To measure rare events efficiently without the risk of doing damage to a cyber network, special rare-event simulation techniques can be employed, such as splitting or importance sampling. In particular, importance sampling has shown promise when modeling an attacker moving through a network with intent to steal data. The importance sampling technique amplifies certain aspects of the network in order to cause a rare event to happen more frequently. Output statistics collected under these amplified conditions must then be scaled back to the context of the original network to produce meaningful results. This thesis successfully tailors the importance sampling methodology to scenarios where an attacker must search a network. Said tailoring takes the attacker’s successes and failures as well as the attacker’s targeting choices into account. The methodology is shown to be more computationally efficient and can produce higher quality estimates of risk when compared to standard simulation.
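The amplify-then-rescale step described in the abstract, shown as an added example that is not code from the thesis: attack success rates are inflated during simulation and each run is weighted by its likelihood ratio, so the estimate still refers to the original network. The four-host chain, the 12-attempt budget, the probabilities and all function names are constructed assumptions.

```python
import random

# Constructed toy model (all values assumed): the attacker must compromise
# four hosts in sequence and is evicted after 12 exploit attempts.
P_TRUE = [0.02, 0.01, 0.02, 0.01]   # per-attempt success probability per host
P_AMPLIFIED = [0.3, 0.3, 0.3, 0.3]  # inflated probabilities used for sampling
BUDGET = 12

def exact_risk(p=P_TRUE, budget=BUDGET):
    """Exact P(last host compromised within budget), by dynamic programming."""
    state = [1.0] + [0.0] * len(p)  # state[k] = P(k hosts compromised so far)
    for _ in range(budget):
        nxt = [0.0] * len(state)
        nxt[-1] = state[-1]         # goal reached is absorbing
        for k, pk in enumerate(p):
            nxt[k] += state[k] * (1 - pk)
            nxt[k + 1] += state[k] * pk
        state = nxt
    return state[-1]

def simulate(rng, sample_p, true_p=P_TRUE, budget=BUDGET):
    """One attack run sampled under sample_p. Returns the likelihood ratio
    (true path probability / sampled path probability) on a breach, else 0."""
    host, weight = 0, 1.0
    for _ in range(budget):
        if host == len(true_p):
            break
        p, q = true_p[host], sample_p[host]
        if rng.random() < q:        # success: scale back by p/q, move on
            weight *= p / q
            host += 1
        else:                       # failure: scale back by (1-p)/(1-q)
            weight *= (1 - p) / (1 - q)
    return weight if host == len(true_p) else 0.0

def estimate(sample_p, runs=20000, seed=1):
    """Returns (risk estimate, standard error, number of runs with a breach)."""
    rng = random.Random(seed)
    out = [simulate(rng, sample_p) for _ in range(runs)]
    mean = sum(out) / runs
    var = sum((x - mean) ** 2 for x in out) / (runs - 1)
    return mean, (var / runs) ** 0.5, sum(x > 0 for x in out)

if __name__ == "__main__":
    print("exact     ", exact_risk())
    print("standard  ", estimate(P_TRUE))       # weights are all 1.0
    print("importance", estimate(P_AMPLIFIED))
```

In this toy model the breach probability is on the order of 1e-5, so 20,000 standard runs observe very few breaches, while the amplified runs breach about half the time and the weighted mean stays close to the exact value.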
Industrial and Systems Engineering (MS)
Department, Program, or Center
Industrial and Systems Engineering (KGCOE)
Michael E. Kuhl
Shanchieh J. Yang
Krall, Alexander Leon, "Comparing Cyber Defense Alternatives Using Rare-Event Simulation Techniques to Compute Network Risk" (2018). Thesis. Rochester Institute of Technology. Accessed from
RIT – Main Campus