- Email: [email protected]
Improving risk assessment model of cyber security using fuzzy logic inference system
Accepted Manuscript Title: Improving risk assessment model of cyber security using fuzzy logic inference system Author: Mansour Alali, Ahmad Almogren, Mohammad Mehedi Hassan, Iehab A.L. Rassan, Md. Zakirul Alam Bhuiyan PII: DOI: Reference:
S0167-4048(17)30200-6 https://doi.org/doi:10.1016/j.cose.2017.09.011 COSE 1207
To appear in:
Computers & Security
Please cite this article as: Mansour Alali, Ahmad Almogren, Mohammad Mehedi Hassan, Iehab A.L. Rassan, Md. Zakirul Alam Bhuiyan, Improving risk assessment model of cyber security using fuzzy logic inference system, Computers & Security (2017), https://doi.org/doi:10.1016/j.cose.2017.09.011. This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
Improving Risk Assessment Model of Cyber Security Using Fuzzy Logic Inference System Mansour Alali, Ahmad Almogren, Mohammad Mehedi Hassan, Iehab AL Rassan and Md. Zakirul Alam Bhuiyan* 1
College of Computer and Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia * Department of Computer and Information Sciences, Fordham University, New York, USA Email: {434910564, ahalmogren, mmhassan, irassan}@ksu.edu.sa, [email protected]
Abstract. This paper describes the impacts of criminal activities based on the nature of the crime, the victim, and the basis (whether short-term or long-range/term) of the impacts of cybercrime on Internet. Recently many countries are facing numerous cyber threats including DoS (and DDoS), malware, website defamation, spam and phishing email attacks. Due to these cybercrimes evolution, identifying and assessing security risk is crucial to access data from new technologies, and also trying to understand how technologies can be abused. Therefore, there is a need to develop a special cyber security risk assessment model to tackle over these cyber threats. In this paper, we propose to utilize Fuzzy Inference Model (FIS) to produce risk assessment result based on the four risk factors which are: vulnerability, threat, likelihood and impact to specify the range of risks that can threaten any entity and try to solve such issues to proposed entities. We have performed various analysis on this factors and finally, our evaluation results show the viability of our proposed approach. Keywords: Cyber security, Cybercrime, Risk assessment model, Fuzzy logic inference, Risk factors evaluation. 1
Introduction
The modern technology is undergoing undisputed evolution and this can cause more challenging cyber vulnerabilities. Nearly 40% of states throughout the globe are expecting cyberattacks, and this makes cyber security a global matter demanding integral efforts at all levels [13]. Cyber security is a global issue that, according to Information Systems Audit and Control Association (ISACA), can only be faced when all join efforts in closing the global skill gap and prepare cyber security experts with the guidance and knowledge they require [3]. The problem seems somewhat exaggerated in the Middle Eastern regions where cybercrime has been on a notable rise over the last two decades. Experts have predicted a continuous increase of cyber insecurities with regional disturbances such as the Arab Spring that target government websites [6]. The argument gains momentum as regional studies have set off to determine cyber vulnerabilities at a state level and suggest counter strategies to support the power of the global movement to attain higher cyber infection [4]. Risk analysis utilizes techniques that help people to manage uncertain events [50-52]. It is a method that is used to assess factors that lead to a loss or that hinder the success of a project of business. Organizations employ it to decide whether to proceed with a particular decision or not. Through the process of risk estimation, support is provided to help in making decisions [53-55]. 1 Page 1 of 26
Various techniques are used in this attempt to assess and estimate risks of an event. The methods employed here are quantitative, qualitative, or semi-quantitative which depend on the information provided about a loss event to help determine the cost of the particular risk. Quantitative methods depend on statistical approach towards the uncertain event. For instance, sensitivity analysis, Monte Carlo simulation and Failure mode, and effects analysis are the strategies employed in this method. In most cases, the assessment supports the cost-benefit analysis of a risk event and the courses of action that can be taken. It quantifies the possible results of the loss occurrence, which helps to assess the probability of achieving the goals set for a project or business. On the other hand, the qualitative method relies on the judgement of an event rather than on the statistical data such as scenario analysis. It gives an informed decision on the uncertainty of an event and an appropriate guidance that should be followed. An examination of what can cause a loss in the workplace should be conducted to help making decisions concerning the ways of avoiding the risks. The likelihood of such events is scaled on a rating to determine the probability of the occurrence of the event. It also helps to evaluate the necessary precautions or measures to take in order to protect the property in the workplace. Consequently, the probable results are conveyed to the decision makers of an organization to help them initiate accurate measures to avoid risks [53]. Similarly, a semi-quantitative method is employed when the exposure to danger is neither high nor low. This assessment uses a set of principles, methods or rules to evaluate the occurrence of an event using scales or numbers that have values but not maintained in other situations. It provides the benefits of using both the qualitative and quantitative methods of risk assessment. Furthermore, some of the methods employed by semi-quantitative assessment are layers of protection or lines of defense and risk matrix techniques. Among these different approaches, the Fuzzy Inference System (FIS) can be applied to analyze risks of an event. The reason for this is that the analysis is subjective to the loss and is related to vague information. The FIS was introduced in 1965 by Lotfy Zadeh to help dealing with the problems that have vague information. Therefore, exact values are used widely to approximate the reasoning in the events. Recently, the fuzzy logic approach has been employed in risk evaluation process in different situations. It is an important tool that is used to analyze the security of a place. For instance, the approach based on the inference engine was employed to identify possible threats to the computer-based systems. The outcome showed its effectiveness in performing threat modeling. Additionally, a fuzzy rule-based expert determines the risk associated with particular software before its installation. Similarly, government agencies have used the fuzzy risk evaluation methods [56, 57]. For instance, it has been applied to the assessment of risk for the network security which helps to identify the potential threats associated with networking in the government agencies. In addition, Multi Fuzzy Inference System (MFIS) is incorporated in a fuzzy risk evaluation system. It is used to determine the rate of risk of an event with the help of various factors that are connected with the particular event. According to Sallam, the FIS is a computer model that involves the collection of membership functions, set of rules as well as their reasoning. The three commonly known inference systems are Sugeno Fuzzy Models, Mamdani, and Tsukamoto Fuzzy models. For this approach, the Mamdani model will be employed to evaluate and estimate risks. It involves the use of various steps to give the results of the evaluation [54]. Our paper will use FIS approach for utilizing Mamdani Fuzzy model that is the best known suitable approach to implement our methodology.
2 Page 2 of 26
2
Background
In background section, we discuss various modern types of attacks. 2.1
Types of Cyber Attacks
In modern attacks, there are two forms of cyber offences including: 1) Crime implemented through new technologies (especially those targeting data and computer systems) and 2) Traditional misdeeds implemented through technological platforms such as fraud or stealing illegal images. Efforts to describe the short-range effects of cybercrime focus on how the activity can impact the daily operation of a business while those focusing on the long-range repercussion emphasize on pronounced effects such as social outcomes and unrests, national security breaches, and loss of intellectual property. Cyber security is mentioned among the topmost security priorities globally [3]. A close evaluation of cyber-criminal activities reveals numerous areas of concern including cyber vandalism (or defacement), hacking, denial of service attacks (DoS), domain name hijackings, and dissemination of viruses. Efforts to detect and prevent online criminal offences have paved the way for the online crime detection framework for e-business applications that sense online hits such as Cross Site Scripting, SOL Injection, weak authentication frameworks, and buffer overflows. The subsequent facet focuses on the most common forms of cyber-attacks, including DoS, website hacking, malicious software (malware), phishing and spam emails [4]. 2.2
Denial of Service (DoS) Attack
Dos and also distributed denial of services (DDoS) delineate hits where cyber crime try to cut off a network or a website by preventing qualified users from using or gaining access of a specific internet service. DoS attacks can target organizations services’ bandwidth function by sending numerous ICMP or UDP packets to jam the target bandwidth. DoS may further be described as protocol attacks that capitalize on innate design in TCP/IP procedure suite including UDP, ICMP, TCT; SNY flood, for instance, an asymmetric resource depletion hit where the attacker uses TCP SYN packets to flood the victim. Meanwhile, DoS attacks may occur as software vulnerability attacks that uses the weaknesses in the network resource such as web servers [2]. Attacks may take the form of Fragile or Smurf attacks, SYN/ACK floods or Ping flood, which consume the bandwidth intended for an organization’s services and thereby crashing or freezing the system in question. DoS are typically directed towards three principle objectives including: a) To alter or destroy configured information. b) To consume scarce, neo-renewable, or limited resources; or c) To physically alter or destroy network elements [3].
3 Page 3 of 26
2.3
Website Attacks
Website attacks target organizations that use their website to offer services, provide information, settle payments, and other important functions. Web-oriented attacks stand to be the highest priority among cyber criminals, especially those organizations that fail to sanitize or check the size of user input, and clear the variable [3]. These activities define weaknesses that cyber criminals use to inject exploits including cross-site scripting, cross-site foreign attacks, and SQL injections. Website defacement and hacking, otherwise termed as cyber vandalism, defines a situation whether the attacker alters the content of a website. Attackers have the tendency of exploiting vulnerabilities such as local file inclusions, SQL injections or cross site scripting before going to defacement [4]. 2.4
Malicious Software (Malware)
Malware is recognized as the highest cyber vulnerability to individuals, businesses, and governments. Cyber criminals initiate malware attacks through distribution channels such as emails, allowing the malware to exploit the host machines by causing malfunctions. The malicious software may also be part of larger botnets that act as zombie which assist the initiator to commit additional crimes such as distributing spam and viruses [6]. To be more direct, malware defines a taxonomy of software that takes the charge of a personal computer to distribute an infection to other social networks or devices. Elements such as works, Trojans, adware, viruses, and spyware all fall under the malware category. Entry points for malware into a network include web browsing, mobile devices, and emails. Current days have seen the development of malware that is capable of immobilizing antivirus solutions and capturing sensitive data. Sophisticated malware prevention strategies include the implementation of network access management solutions to confirm security configurations and system patches before granting access [4]. Nonetheless, outbound traffic, including bulky and unauthorized, must be subjected to thorough inspections while source machines must be identified and isolated from the network. 2.5
Phishing and Spam Emails
Spam defines stray emails sent out of the recipient’s consent. Spammers usually use phishing techniques developed to steal banking details and login credentials using the available individual information in the social media or the internet and social engineering. Phishing is best conceptualized as the criminal act of trying to direct access sensitive details such as credit card information, username, and passwords [2-6]. Two types of phishing attacks exist including malware based phishing and deceptive phishing. Those who initiate malware-enabled phishing spread malware via emails by exploiting security weaknesses of software to the targeted machine (the malware then functions as key logger that stores user input). Meanwhile, attackers who use deceptive phishing uses deceptive emails to direct users into providing sensitive information including passwords, bank accounts, and so forth [2].
4 Page 4 of 26
3
Literature Review
In this section, we will pursue and search between different ideas proposed in literature review with the topic ‘Risk Assessment Management’ including the assessment modeling and we will try to utilize using our risk assessment factors using fuzzy logic. 3.1
Risk Model
Currently, many methods are used to identify and prioritize a risk. Among these methods, threat modeling appears to be the most efficient one. It is a process that identifies, quantifies as well as analyzes the possible risks of a computer-based system. The model identifies the most important assets of a computer application and decomposes it. It also recognizes the threats to each component or asset and respectively ranks them according to their risk probabilities. After rating the risks, strategies that can be used to reduce the chances of risk occurrence are developed and implemented [21]. Risk models describe the risks to be evaluated and the various relationships they have with each other. This helps to classify the risks that tend to be similar in one group. As a result, risk mitigation strategies are employed efficiently with the same type of threats. The risk factors, on the other hand, are the characteristics that are used in the models as input variables. They help to determine the levels of risks during the process of risk assessment. The variables include impact, threat, condition, the probability of occurrence, and vulnerability. They are usually decomposed to more detailed variables, for instance, threats can be decomposed to threat sources or threat events [21]. The common risk factors accommodate likelihood, vulnerability, threat, impact, vulnerability, and utilizing certain conditions as appeared in Fig. 1.
3.1.1
Risk Factors
A threat is the primary risk factor used in the threat model. It refers to any event that has the potential to have adverse effects on the operations in an organization. These circumstances can arise when a certain person gains unauthorized access to an information system which leads to its destruction and denial of network services as well as modification of data. An example of such threats to the information systems are called cyber threats. These are risks whereby individuals have access to a control system without authority of the people in charge of the systems. Mostly, this is done by the trusted users of the system or by unknown people from remote locations that use the same internet protocol. The threats can come from different sources such as terrorists who want to have access to certain information from the government or malicious people. Therefore, it is necessary to have a cyber-barrier that will protect the asset carrying the information. The vulnerability of a system is another variable used in the risk model. It refers to the weak points of a computer-based system, internal control systems, or the procedures employed to maintain security. Most of the systems can be linked to the controlled ones that have been either applied but have weak access or not applied. Three categories of vulnerabilities exist for assets in a company which include weaknesses that are inbuilt in the manufacturing process, weak points resulting from poor installation of the systems, and inadequate protection of the systems due to 5 Page 5 of 26
the poor configuration. Likelihood of an event is a risk factor that is based on the analysis of a probability that a threat will exploit a weak point of a system. It combines the probability of evaluation of an event occurrence with the assessment of the adverse effects it can have when it occurs. Further, an impact is a risk factor that determines the level of effects that a threat has on vulnerability. It determines the magnitude of harm that creates certain manipulations with information, such as unauthorized access to it, can have on the company. These effects can be experienced economically, socially, or physically. Similarly, risk evaluation involves determining how much risk is expected from an individual loss occurrence. Nowadays, attackers break into systems frequently which leads to a huge destruction. Therefore, the system users are now concerned with how much risk is expected to occur because of such event. The risk assessors use a simple approach whereby they multiply the impact of occurrence of a risk [49]. Risk level, on the other hand, is the product of the unsatisfactory consequence of an uncertain event and the impact of the event. Therefore, the two risk factors used to evaluate the levels of risk are “Impact” and “Likelihood." However, this method does not incorporate the capabilities of threats in determining the level of risk. The source of threats depends on the capacity of the systems. For instance, terrorists have different intentions to attack an information system. Additionally, the likelihood of a loss event occurring within a system depends on its weak points. Therefore, the risk level should be evaluated as a function of all vulnerabilities, the likelihood of using them, and the final probability of success. In conclusion, risk analysis helps people to manage uncertain events by identifying the risk factors. These factors include threats, weak access points, impact, and the likelihood of the event occurrence. The analysis can be performed using various methods, such as quantitative method, qualitative or semi-quantitative method. This depends on whether a statistical approach, level of judgement or both are needed to assess the risk. Security risk management is done by the use of SRFT model, which employs the fuzzy set theory to determine the threats and their countermeasures. Risk evaluation assesses how much risk to an information system can occur due to a loss event. It is established by multiplying the overall likelihood of an event, capabilities, and the impact of the loss has on the systems [49]. 3.1.2
Risk Evaluation
Attackers and intruders could possibly penetrate inside systems and cause a considerable measure of decimation, subsequently, clients are currently inspired by expecting the amount of the risk. A simple methodology that is inspected by numerous risk specialists is to add the seriousness (Impact) of results by the probability of their event. The characterization of Risk level results from likelihood of an unsuitable result (Likelihood) and unlucky collecting effects when the result is unacceptable (Impact) [34]. Thus, there are two semantic variables, "Probability" 'and "Impact'', are characterized to compute the general risk level. Be that as it may, this methodology disregards a key part of risk degree. The accomplishment of risk source utilized such system vulnerabilities should rely upon these capabilities. For example, terrorists or extremists as a source of risk have distinctive capabilities, expectation, and the system targeting [29]. Additionally, the targeting probability for a system relied on progress likelihood, vulnerabilities, and probability of abusing these vulnerabilities. The methodology for risk assessment is to assess the risk level as an element of capabilities, impact and likelihood. 6 Page 6 of 26
3.2
Fuzzy concept
In security and safety making decision, due to high level of uncertainty involved in the set of available information, the quantitative information is hard to get and obtain because of various facts, for example, uncommon event of the occasions, human subjectivity and financial contemplations. Regardless of the possibility that the information is accessible, it is regularly erroneous alternately subject to instability. In this way, it is hard to build up sane storage warehouse for wellbeing and security contemplations. The Fuzzy set theory can give a structure in taking care of such uncertainty and instability connected with the information. Bellman and Zadeh [12] introduced a few uses of Fuzzy assumptions and procedures to make a decision for different choices. The FL has been conducted and implemented to tackle some genuine world issues whenever existing of fuzziness. Ability and capability to utilize theory of Fuzzy sets in treating instability and uncertainty for typical sources have been discussed from long time ago. A few researchers and scientist use Fuzzy set theory to handle risk instabilities and make security choices. It is recommended to enhance the utilization of FL theory for testing critical risk and go through risk priority number (RPN) assessment. 4
Proposed Risk Assessment Model
In this section, we will propose a model for risk assessment using Mamdani Fuzzy inference system. From our literature in risk assessment of cybercrime, we show the vulnerability and threats for such a system. The proposal is composed of the following stages: in the first stage, we will present the process of a risk assessment model followed by showing life cycle and proposed risk assessment model. Then we will introduce the different specifications between Mamdani and Sugeno fuzzy methods followed by introducing the matrix of risk assessment aspects and using fuzzy set algorithm to extract the risk assessment based on vulnerability & threat and then end up with simulation of a risk assessment model. 4.1
Risk assessment model
As shown in Fig.1, the model of the risk assessment process was simple, and not fully covered all aspects of cybersecurity and cybercrime's issues. Fig. 2 shows the proposed modified model that starts from sensing the object (data or material) which is vulnerable and then pass it through risk assessment model. Risk assessment model judges the object based on some computation methods, and then delivers it to the next model, which approves it or goes to other directions. If any object is approved, then process ends, which means the object is safe. ÷If any object is not approved, it goes to other models and estimates the vulnerability by calculating the probability based on fuzzy theory; and then pass all information to a reviewer to decide how to mitigate the risk and treat the vulnerability. After that, the object passes through the vulnerability check process again. This process would enhance the existing models that lack human interaction for deciding whether the object goes for risk assessment and tolerates the threat or not. Reviewing process could be one or group of actors and nowadays, many organizations deploy people to monitor security inside their companies, most of the time; they are the part of Security Operation
7 Page 7 of 26
Center(SOC). Fig. 3 shows risk assessment lifecycle in details for risk assessment step showed in Fig. 2
The proposed risk assessment life cycle in Fig. 3 describes exactly what happens when data has been marked as vulnerable to attack. It starts by identifying and inspecting any suspicious activity through HW or SW tools that can exactly determine if such data is vulnerable or not. If data is suspicious, it will move to next part or quit. Suspicious data would move to 1st stage, which is "Review" that consists of 2 parts: identifying the source threat and specifying such probability and occurrence. Fig.4 shows an example of malicious attacks that can be treated using the model shown in fig.3.
First, the proposed approach calculates risk assessment using Mamdani approach, which is the most used one in fuzzy logic set of theory, then it extends the work to include Sugeno approach. The differences between Mamdani and Sugeno approaches are described in Table 6.
The proposed FIS adopts this model to gain the total risk for such system using the following formula F1=Overall Capabilities = (Capabilities, Intent, Targeting) (1) F2=Overall Likelihood = (Vulnerability, Overall Capabilities) (2) F3=Risk = (Overall Likelihood, Impact) (3),
F1= The result obtained from F1 should be the combination of all possibilities of Intent, Targeting and Capabilities for all set of membership n=1 to n=n F2=
The result obtained from F2 should be the combination of all possibilities of Overall Capabilities and Vulnerabilities for all set of membership n=1 to n=n F3=
8 Page 8 of 26
The result obtained from F3 should be the combination of all possibilities of Overall Likelihood and Impact for all set of membership n=1 to n=n
So,
where x
.
Fig. 5 shows how the risk assessment model looks like.
5.
Evaluation
The four risk factors mentioned previously in 3.1.1 will be implemented as input to the proposed FIS, and the process is to obtain the result that will follow the process described in Fig. 2. With the contribution of NIST800-30 standard to describe the level of risk factors where we apply information to our proposed model described above in Fig. 5. In FIS1, we obtained the result of overall capabilities, which contains the following inputs mentioned previously. Fig. 6 shows the parameters and settings used to extract the output.
Fig. 6 describes the three inputs and outputs used in the proposed model and those inputs has multiple variables, memberships and values. The input values ranging from 0-1 and divided into 3 or 5 segments orderly. Fig. 7 has multiple memberships according to variable used. In first variable: Intent, we used three memberships which are (Low , Medium , High). Those memberships have values (0.00-0.33, 0.34-0.66 , 0.67-1.00). The other variable: Targeting, we used three memberships, which are (Low, Medium, High). Those memberships have values (0.00-0.33, 0.34-0.66, 0.671.00). The last variable: Capabilities, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00)
Fig. 8 describes the rules used to extract the result of F1, the combination of all memberships multiply by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.000.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00)
9 Page 9 of 26
The output of FIS1 is shown below in Fig. 9:
Fig. 9 shows the outputs of F1 in 3D consists of the three variables, where we can see clearly that Targeting and Intent has more influence over Capabilities due to major harmful attacks comes from attackers who are smart and have updated tools whereas the limitation of the capabilities limits the attackers power due to updated and strength of victim system.
Fig. 10 shows that there are 45 conditions which satisfy our result. Those conditions varies from Very Low which has 0 value till the max (Very High) which has the full output which are=1. In FIS2, we obtained the overall capabilities as input from previous FIS1 model, then having the vulnerability of five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40 , 0.41-0.60, 0.61-0.8, 0.81-1.00).To produce our FIS2 which is the overall Likelihood, Fig. 11, 12 and 13 respectively shows FIS2 model.
Fig. 11 describes the two inputs and output we used in our model, those inputs has multiple variable, memberships and values. The input values ranging from 0-1 and divided into 5 memberships.
Fig. 12 has multiple memberships according to variable used. In first variable: Overall Capabilities, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) also apply the same for vulnerabilities.
Fig. 13 describes the rules used to extract the result of F2, the combination of all memberships multiplied by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.00-0.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00). The rules uses AND connection which restrict the result whereas OR connection is not recommended for our 10 Page 10 of 26
case. The reason for that is to have accurate result and to plot the snapshot of result in all cases discussed. The output of FIS2 is shown below in Fig. 14:
Fig. 14 shows the outputs of FIS2 in 3D consists of the two variables, where we can clearly see that both Vulnerability and Overall Capabilities have the same influence for producing overall likelihood since Vulnerability plays the major act for making risk over digital systems.
As we have seen in Fig. 15, we have 25 conditions that can satisfy our result. Those conditions varies from Very Low which has 0 value till the max (Very High) which has the full output which are =1.. The last model F3, which will produce the risk assessment values, consists of two parameters: overall Likelihood and Impact. The Likelihood vulnerability is having five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) and Impact is having five memberships which are (Very Low, Low, Medium , High, Very High). Those memberships have values (0.00-0.20, 0.210.40, 0.41-0.60, 0.61-0.8, 0.81-1.00).
Fig. 16 describes the two inputs and outputs we used in our model and those inputs has multiple variables, memberships and values. One of the input values comes as a result from F2, the other is a new one ranging from 0-1 and divided into 5 memberships.
Fig. 17 has multiple memberships according to the variable used. In first variable: Overall Likelihood, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) and the same level: Impact has five memberships which are (Very Low, Low, Medium, High, Very High) and memberships have values like (0.00-0.20 , 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00). Fig. 18 describes the rules used to extract the result of F3, the combination of all memberships multiplied by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.00-0.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00).
11 Page 11 of 26
The result of our Risk Assessment Model is shown in Fig. 19, 20 respectively, which include all the situations of risk estimation starting from Very Low until Very High risk situation.
6.
Discussion and Conclusion
As we have seen in the evaluation, we have 25 conditions to satisfy our output. The overall likelihood played in these potential factors is to determine the result obtained as the consequences of previous models. We have implemented examples depending on the cases for any attack of resources: So the risk assessment result is 53.8% which is Medium and it needs to be treated. We can conclude risk assessment approach for every system relies on the ability of its components to keep actively engaged in the multi-functional communications within the environment and to ensure that the end user's needs to get met. To that effect, every system must have its components working under controlled risk to avoid malfunctioning of the target resources (servers, workstations, VMware devices, cloud storage, etc.) and even the loss of valuable data. The Sugeno-type and Mamdani-type Fuzzy inference system are the based controllers for the risk assessment. Acknowledgement The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no (RGP- 1437-35). References 1.
2. 3. 4.
5. 6. 7. 8. 9.
Almadhoob A & Valverde R, (July 10, 2014), “Cybercrime Prevention in the Kingdom Of Bahrain Via It Security Audit Plans”, Department of Supply Chain and Business Technology Management, Concordia, Montreal, Canada. Vol. 65 No.1. 2014. Jaques, N. ( Jnuary 01, 2015). “Saudi Cybersecurity Threat Landscape: More Intense and Complex Than Ever”, Computer, 67, 8, 45-56 Kshetri, N. (July 01, 2015). “Recent US Cybersecurity Policy Initiatives: Challenges and Implications”, Computer, 48, 7, 64-69. Lewis, J. A., Neuneck, ., United Nations Institute for Disarmament Research,, Center for Strategic and International Studies ( ashington, D.C.),, & Universit t amburg. (2013). The cyber index: International security trends and realities. Minisatry of Information and Commuation Technology. (2009). Developing National Information Security Strategy for the Kingdom of Saudi Arabia. ABC-CLIO. Vagoun, T., & Strawn, G. O. (April 01, 2015). Implementing the Federal Cybersecurity R&D Strategy. Computer, 48, 4, 45-55. Valenzano, A. (January 01, 2014). Industrial cybersecurity: Improving security through access control policy models. Ieee Industrial Electros Magazine, 8, 2, 6-17. Stephens J, & Valverde R, (2013). Security of E-Procurement Transactions in Supply Chain Reengineering. Computer & Information Science, 6(3). UK ome Office, (2012), “Cyber Crime Strategy” Jan 10, 2012.
12 Page 12 of 26
10. Choo K-K R et all. (2011), The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731. 11. Burden, K., & Palmer, C. (2003). Internet crime:Cyber Crime,A new breed of criminal. Computer Law & Security Review, 19(3), 222-227. 12. Massa D and Valverde R (2014), A fraud detection system based on anomaly intrusion detection for Ecommerce applications, Computer and Information Science, 7 (2). 13. Thomas, R. (2001). Managing the Threat of Denial-of-Service Attacks. CERT Coordination Center. 14. SANS (2011) “Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG), (Apr/27/2012) 15. KPM (2011) “Cyber Crime , A rowing Challenge for overnments” March 10,2012 16. Sophos (2012) “Security Threat Report”, March 10, 2012 17. Loganathan M, & Kirubakaran E,(2011)A Study on Cyber Crimes and protection International Journal of Computer Science, 8 New filtering approaches for phishing email. Journal of computer security, 18(1), 735. 18. National Institute of Standards and Technology (NIST) (2001), Standard reference Database Number 69, July 2001, Gaithersburg, MD 20899. 19. Merhout, J. W., & Havelka, D. (2008). Information technology auditing: A value-added IT governance partnership between IT management and audit. Commutations of the Association for Information Systems, 23(1), 26. 20. National Institute of Standards and Technology NIST (Feb. 2012), Framework for Improving Critical Infrastructure Cyber security, Version 1.0 21. National Institute of Standards and Technology NIST Special Publication 800-39, March 2011, Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View. 22. U.S. Department of Energy, Electricity Subsector Cyber security Risk Management Process, DOE/OE0003, May 2012. 23. M.H. Zirakja, R. Samizadeh, (2011)Risk Analysis in E-commerce via Fuzzy Logic, Int. J. Manag. Bus. Res., 1 (3), 99-112,. 24. Zadeh, L. A. Fuzzy sets. Information and Control, 1965 25. Sodiya, A.S., Longe, H.O.D. and Fasan, O.M., (2007),Software Security Risk Analysis using Fuzzy Expert System, In Journal of INFOCOMP: Journal of Computer Science, Brazil, Vol. 7, No. 3, 70—77, 2007. 26. Rahul Choudhary and Abhishek Raghuvanshi, "Fuzzy Based Evaluation Model of a Systems Security", International Journal of Advanced Research in Computer Science and Software Engineering, 2, 9, 012. 27. Sonia, A. Singhal, H. Banati, "Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD model", IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 4, No. 1, July 2011, Mauritius. 28. National Institute of Standards and Technology NIST Special Publication 800-30 rev. 1 (Sep. 2012), Guide for Conducting Risk Assessments. 29. ISO/IEC 27005: 2011 Information Technology, Security techniques, Information security risk management (second edition). 30. National Institute of Standards and Technology NIST (2006), Guide for Developing Security Plans for Federal Information Systems. 31. Wonderware Invensys Systems, , Securing Industrial Control Systems, A guide forproperly securing Industrial Control Systems operating in a Microsoft Windows environment. Inc Revision 1.4, (2007) 32. Homeland, Report, (2011), Common Cyber security Vulnerabilities in Industrial Control Systems. 33. Ming-Chang Lee, "Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method", International Journal of Computer Science & Information Technology (IJCSIT) Vol 6, No1, pages 29-45, February 2014 34. E.W.T. Ngai, and F.K.T. Wat,"Fuzzy decision support system for risk analysis in e-commerce development", Elsevier, Decision Support Systems 40 (2005) 235–255. 35. R. Nait-Said, F.Zidani, and N.Ouzraoui. “Fuzzy Risk raph Model for Determining Safety Integrity Level” by indawi Publishing Corporation. Volume 2008, Article ID 263895.
13 Page 13 of 26
36. L. POKORÁDI, Új Honvédségi Szemle, Budapest, (1999) p130–136. 37. S. Bajpai, J.P. Gupta, Securing oil and gas infrastructure, J. Pet. Sci. Eng. 55 (2007),p174–186. 38. S. Bajpai, J.P. Gupta, Site security for chemical process industries, J. Loss Prev. Process. Ind. 18 (2005) 301–309. 39. American Petroleum Institute (API), Security Guidelines for the Petroleum Industry, Washington, DC, 2003. 40. P. Baybutt, (2003) , Process security management: set up your plant’s program", Chem.Eng. 110 (1) p48– 56. 41. M. Webster, (1994),"The Merriam-Webster Dictionary", Merriam-Webster, Springfield, MA. 42. D. White, (1995) ,"Application of systems thinking to risk management: a review of the literature, Management Decision" 3,10, 35 – 45. 43. C.A. Ropar,( 1999)," Risk Management for Security Professionals", Butterworth Heinemann, New Delhi, 44. United States of America Department of Justice (USDOJ), (2000),"Assessment of the Increased Risk of Terrorist or Other Criminal Activity Associated with Posting Off-Site Consequence Analysis Information on the Internet",23–24. 45. Synthetic Organic Chemical Manufacturers Association,Chlorine Institute, and American Chemistry Council,( 2001)," Site Security Guidelines for the US Chemical Industry, Washington DC. 46. BASF, orkshop Bieleschweig. “Risk Matrix as a Tool for Risk Assessment”. 15/9.2004 47. Almadhoob & Valverde ,"Cybercrime prevention in the kingdom of Bahrain via it security audit plans". Department of Supply Chain and Business Technology Management, Concordia, Montreal, Canada. 10th July 2014. Vol. 65 No.1 48. Hany Sallam, "Cyber Security Risk Assessment Using Multi Fuzzy Inference System", International Journal of Engineering and Innovative Technology (IJEIT) 4, 8, February 2015 49. F. Martin McNeill and Ellen Thro. “FUZZY LO IC A PRACTICAL APPROAC ” by Academic Press Professional. San Diego, CA, USA, 1994 50. Ab Rahman N H, Cahyani N D W and Choo K-K R (2017). Cloud incident handling and forensic-bydesign: Cloud storage as a case study. Concurrency and Computation: Practice and Experience, 2017, DOI: 10.1002/cpe.3868 51. Ab Rahman N H and Choo K-K R (2015). A survey of information security incident handling in the cloud. Computers & Security 49: 45–69 52. Ab Rahman N H, Glisson W B, Yang Y and Choo K-K R 2016. Forensic-by-design framework for cyberphysical cloud systems. IEEE Cloud Computing 3(1): 50–59 53. Mani D, Choo K-K R and Mubarak S 2014. Information Security in the South Australian Real Estate Industry: A Study of 40 Real Estate Organisations. Information Management & Computer Security 22(1): 24–41 54. Mani D, Heravi A, Choo KKR and Mubarak S 2015. Information Privacy Concerns of Real Estate Customers and Information Security in the Real Estate Industry: an Empirical Analysis. In Proceedings of Australasian Information Security Conference (ACSW-AISC 2015), pp. 53–56, Sydney, New South Wales, Volume 161 of the ACS Conferences in Research and Practice in Information Technology (CRPIT) series, Australian Computer Society, 27 – 30 January. 55. Mani D, Heravi A, Mubarak S and Choo K-K R 2015. Employees’ Intended Information Security Behaviour in Real Estate Organisations: a Protection Motivation Perspective. In Proceedings of 21st Americas Conference on Information Systems (AMCIS 2015), 13–15 August 2015, Association for Information Systems. 56. Borgman B, Mubarak D and Choo K-K R 2015. Cyber Security Readiness in the South Australian Government. Computer Standards & Interfaces 37:1–8 57. Devi, R., Jha, R.K., Gupta, A., Jain, S. and Kumar, P. Implementation of Intrusion Detection System using Adaptive Neuro-Fuzzy Inference System for 5G wireless communication network. AEU-International Journal of Electronics and Communications, Vol. 74, pp.94-106, 2017
14 Page 14 of 26
Fig.1. Risk Assessment Model [49]
15 Page 15 of 26
Fig. 2: Proposed Risk Assessment Process
16 Page 16 of 26
Fig. 3. Proposed Risk Assessment Life Cycle.
Fig. 4. Treating malicious attacks
17 Page 17 of 26
Fig.5. Proposed Risk Assessment Model
Fig. 6. F1 parameters and Settings
18 Page 18 of 26
Fig. 7. F1 Membership Function
Fig. 8. F1 rules
19 Page 19 of 26
Fig. 9. Surface Output of FIS1
Fig. 10. Rule Viewer Output of FIS1
20 Page 20 of 26
Fig. 11. F2 parameters and Settings
Fig. 12. Membership Function of FIS2
21 Page 21 of 26
Fig. 13. F2 rules
Fig. 14. Surface Output of FIS2.
22 Page 22 of 26
Fig. 15. Rule Viewer Output of FIS2
Fig. 16. F3 parameters and Settings
23 Page 23 of 26
Fig. 17. Membership Function of FIS3
Fig. 18. F3 rules
24 Page 24 of 26
Fig. 19. Risk Assessment Simulation Result-Surface Viewer
Fig. 20. Risk Assessment Simulation Result-Rule Viewer
25 Page 25 of 26
Table 6. Differences between Mamdani and Sugeno Fuzzy approaches Mamdani It is axiomatic. It produces fuzzy logic. (linguistic) It is accepted worldwide.
It is human friendly input.
Sugeno It is an efficient method. It operates good with linear methods. It operates good with optimization and adaptive methods. It has definite stability of the output surface. It is good and suitable for scientific analysis.
26 Page 26 of 26
S0167-4048(17)30200-6 https://doi.org/doi:10.1016/j.cose.2017.09.011 COSE 1207
To appear in:
Computers & Security
Please cite this article as: Mansour Alali, Ahmad Almogren, Mohammad Mehedi Hassan, Iehab A.L. Rassan, Md. Zakirul Alam Bhuiyan, Improving risk assessment model of cyber security using fuzzy logic inference system, Computers & Security (2017), https://doi.org/doi:10.1016/j.cose.2017.09.011. This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
Improving Risk Assessment Model of Cyber Security Using Fuzzy Logic Inference System Mansour Alali, Ahmad Almogren, Mohammad Mehedi Hassan, Iehab AL Rassan and Md. Zakirul Alam Bhuiyan* 1
College of Computer and Information Sciences, King Saud University, Riyadh 11543, Saudi Arabia * Department of Computer and Information Sciences, Fordham University, New York, USA Email: {434910564, ahalmogren, mmhassan, irassan}@ksu.edu.sa, [email protected]
Abstract. This paper describes the impacts of criminal activities based on the nature of the crime, the victim, and the basis (whether short-term or long-range/term) of the impacts of cybercrime on Internet. Recently many countries are facing numerous cyber threats including DoS (and DDoS), malware, website defamation, spam and phishing email attacks. Due to these cybercrimes evolution, identifying and assessing security risk is crucial to access data from new technologies, and also trying to understand how technologies can be abused. Therefore, there is a need to develop a special cyber security risk assessment model to tackle over these cyber threats. In this paper, we propose to utilize Fuzzy Inference Model (FIS) to produce risk assessment result based on the four risk factors which are: vulnerability, threat, likelihood and impact to specify the range of risks that can threaten any entity and try to solve such issues to proposed entities. We have performed various analysis on this factors and finally, our evaluation results show the viability of our proposed approach. Keywords: Cyber security, Cybercrime, Risk assessment model, Fuzzy logic inference, Risk factors evaluation. 1
Introduction
The modern technology is undergoing undisputed evolution and this can cause more challenging cyber vulnerabilities. Nearly 40% of states throughout the globe are expecting cyberattacks, and this makes cyber security a global matter demanding integral efforts at all levels [13]. Cyber security is a global issue that, according to Information Systems Audit and Control Association (ISACA), can only be faced when all join efforts in closing the global skill gap and prepare cyber security experts with the guidance and knowledge they require [3]. The problem seems somewhat exaggerated in the Middle Eastern regions where cybercrime has been on a notable rise over the last two decades. Experts have predicted a continuous increase of cyber insecurities with regional disturbances such as the Arab Spring that target government websites [6]. The argument gains momentum as regional studies have set off to determine cyber vulnerabilities at a state level and suggest counter strategies to support the power of the global movement to attain higher cyber infection [4]. Risk analysis utilizes techniques that help people to manage uncertain events [50-52]. It is a method that is used to assess factors that lead to a loss or that hinder the success of a project of business. Organizations employ it to decide whether to proceed with a particular decision or not. Through the process of risk estimation, support is provided to help in making decisions [53-55]. 1 Page 1 of 26
Various techniques are used in this attempt to assess and estimate risks of an event. The methods employed here are quantitative, qualitative, or semi-quantitative which depend on the information provided about a loss event to help determine the cost of the particular risk. Quantitative methods depend on statistical approach towards the uncertain event. For instance, sensitivity analysis, Monte Carlo simulation and Failure mode, and effects analysis are the strategies employed in this method. In most cases, the assessment supports the cost-benefit analysis of a risk event and the courses of action that can be taken. It quantifies the possible results of the loss occurrence, which helps to assess the probability of achieving the goals set for a project or business. On the other hand, the qualitative method relies on the judgement of an event rather than on the statistical data such as scenario analysis. It gives an informed decision on the uncertainty of an event and an appropriate guidance that should be followed. An examination of what can cause a loss in the workplace should be conducted to help making decisions concerning the ways of avoiding the risks. The likelihood of such events is scaled on a rating to determine the probability of the occurrence of the event. It also helps to evaluate the necessary precautions or measures to take in order to protect the property in the workplace. Consequently, the probable results are conveyed to the decision makers of an organization to help them initiate accurate measures to avoid risks [53]. Similarly, a semi-quantitative method is employed when the exposure to danger is neither high nor low. This assessment uses a set of principles, methods or rules to evaluate the occurrence of an event using scales or numbers that have values but not maintained in other situations. It provides the benefits of using both the qualitative and quantitative methods of risk assessment. Furthermore, some of the methods employed by semi-quantitative assessment are layers of protection or lines of defense and risk matrix techniques. Among these different approaches, the Fuzzy Inference System (FIS) can be applied to analyze risks of an event. The reason for this is that the analysis is subjective to the loss and is related to vague information. The FIS was introduced in 1965 by Lotfy Zadeh to help dealing with the problems that have vague information. Therefore, exact values are used widely to approximate the reasoning in the events. Recently, the fuzzy logic approach has been employed in risk evaluation process in different situations. It is an important tool that is used to analyze the security of a place. For instance, the approach based on the inference engine was employed to identify possible threats to the computer-based systems. The outcome showed its effectiveness in performing threat modeling. Additionally, a fuzzy rule-based expert determines the risk associated with particular software before its installation. Similarly, government agencies have used the fuzzy risk evaluation methods [56, 57]. For instance, it has been applied to the assessment of risk for the network security which helps to identify the potential threats associated with networking in the government agencies. In addition, Multi Fuzzy Inference System (MFIS) is incorporated in a fuzzy risk evaluation system. It is used to determine the rate of risk of an event with the help of various factors that are connected with the particular event. According to Sallam, the FIS is a computer model that involves the collection of membership functions, set of rules as well as their reasoning. The three commonly known inference systems are Sugeno Fuzzy Models, Mamdani, and Tsukamoto Fuzzy models. For this approach, the Mamdani model will be employed to evaluate and estimate risks. It involves the use of various steps to give the results of the evaluation [54]. Our paper will use FIS approach for utilizing Mamdani Fuzzy model that is the best known suitable approach to implement our methodology.
2 Page 2 of 26
2
Background
In background section, we discuss various modern types of attacks. 2.1
Types of Cyber Attacks
In modern attacks, there are two forms of cyber offences including: 1) Crime implemented through new technologies (especially those targeting data and computer systems) and 2) Traditional misdeeds implemented through technological platforms such as fraud or stealing illegal images. Efforts to describe the short-range effects of cybercrime focus on how the activity can impact the daily operation of a business while those focusing on the long-range repercussion emphasize on pronounced effects such as social outcomes and unrests, national security breaches, and loss of intellectual property. Cyber security is mentioned among the topmost security priorities globally [3]. A close evaluation of cyber-criminal activities reveals numerous areas of concern including cyber vandalism (or defacement), hacking, denial of service attacks (DoS), domain name hijackings, and dissemination of viruses. Efforts to detect and prevent online criminal offences have paved the way for the online crime detection framework for e-business applications that sense online hits such as Cross Site Scripting, SOL Injection, weak authentication frameworks, and buffer overflows. The subsequent facet focuses on the most common forms of cyber-attacks, including DoS, website hacking, malicious software (malware), phishing and spam emails [4]. 2.2
Denial of Service (DoS) Attack
Dos and also distributed denial of services (DDoS) delineate hits where cyber crime try to cut off a network or a website by preventing qualified users from using or gaining access of a specific internet service. DoS attacks can target organizations services’ bandwidth function by sending numerous ICMP or UDP packets to jam the target bandwidth. DoS may further be described as protocol attacks that capitalize on innate design in TCP/IP procedure suite including UDP, ICMP, TCT; SNY flood, for instance, an asymmetric resource depletion hit where the attacker uses TCP SYN packets to flood the victim. Meanwhile, DoS attacks may occur as software vulnerability attacks that uses the weaknesses in the network resource such as web servers [2]. Attacks may take the form of Fragile or Smurf attacks, SYN/ACK floods or Ping flood, which consume the bandwidth intended for an organization’s services and thereby crashing or freezing the system in question. DoS are typically directed towards three principle objectives including: a) To alter or destroy configured information. b) To consume scarce, neo-renewable, or limited resources; or c) To physically alter or destroy network elements [3].
3 Page 3 of 26
2.3
Website Attacks
Website attacks target organizations that use their website to offer services, provide information, settle payments, and other important functions. Web-oriented attacks stand to be the highest priority among cyber criminals, especially those organizations that fail to sanitize or check the size of user input, and clear the variable [3]. These activities define weaknesses that cyber criminals use to inject exploits including cross-site scripting, cross-site foreign attacks, and SQL injections. Website defacement and hacking, otherwise termed as cyber vandalism, defines a situation whether the attacker alters the content of a website. Attackers have the tendency of exploiting vulnerabilities such as local file inclusions, SQL injections or cross site scripting before going to defacement [4]. 2.4
Malicious Software (Malware)
Malware is recognized as the highest cyber vulnerability to individuals, businesses, and governments. Cyber criminals initiate malware attacks through distribution channels such as emails, allowing the malware to exploit the host machines by causing malfunctions. The malicious software may also be part of larger botnets that act as zombie which assist the initiator to commit additional crimes such as distributing spam and viruses [6]. To be more direct, malware defines a taxonomy of software that takes the charge of a personal computer to distribute an infection to other social networks or devices. Elements such as works, Trojans, adware, viruses, and spyware all fall under the malware category. Entry points for malware into a network include web browsing, mobile devices, and emails. Current days have seen the development of malware that is capable of immobilizing antivirus solutions and capturing sensitive data. Sophisticated malware prevention strategies include the implementation of network access management solutions to confirm security configurations and system patches before granting access [4]. Nonetheless, outbound traffic, including bulky and unauthorized, must be subjected to thorough inspections while source machines must be identified and isolated from the network. 2.5
Phishing and Spam Emails
Spam defines stray emails sent out of the recipient’s consent. Spammers usually use phishing techniques developed to steal banking details and login credentials using the available individual information in the social media or the internet and social engineering. Phishing is best conceptualized as the criminal act of trying to direct access sensitive details such as credit card information, username, and passwords [2-6]. Two types of phishing attacks exist including malware based phishing and deceptive phishing. Those who initiate malware-enabled phishing spread malware via emails by exploiting security weaknesses of software to the targeted machine (the malware then functions as key logger that stores user input). Meanwhile, attackers who use deceptive phishing uses deceptive emails to direct users into providing sensitive information including passwords, bank accounts, and so forth [2].
4 Page 4 of 26
3
Literature Review
In this section, we will pursue and search between different ideas proposed in literature review with the topic ‘Risk Assessment Management’ including the assessment modeling and we will try to utilize using our risk assessment factors using fuzzy logic. 3.1
Risk Model
Currently, many methods are used to identify and prioritize a risk. Among these methods, threat modeling appears to be the most efficient one. It is a process that identifies, quantifies as well as analyzes the possible risks of a computer-based system. The model identifies the most important assets of a computer application and decomposes it. It also recognizes the threats to each component or asset and respectively ranks them according to their risk probabilities. After rating the risks, strategies that can be used to reduce the chances of risk occurrence are developed and implemented [21]. Risk models describe the risks to be evaluated and the various relationships they have with each other. This helps to classify the risks that tend to be similar in one group. As a result, risk mitigation strategies are employed efficiently with the same type of threats. The risk factors, on the other hand, are the characteristics that are used in the models as input variables. They help to determine the levels of risks during the process of risk assessment. The variables include impact, threat, condition, the probability of occurrence, and vulnerability. They are usually decomposed to more detailed variables, for instance, threats can be decomposed to threat sources or threat events [21]. The common risk factors accommodate likelihood, vulnerability, threat, impact, vulnerability, and utilizing certain conditions as appeared in Fig. 1.
3.1.1
Risk Factors
A threat is the primary risk factor used in the threat model. It refers to any event that has the potential to have adverse effects on the operations in an organization. These circumstances can arise when a certain person gains unauthorized access to an information system which leads to its destruction and denial of network services as well as modification of data. An example of such threats to the information systems are called cyber threats. These are risks whereby individuals have access to a control system without authority of the people in charge of the systems. Mostly, this is done by the trusted users of the system or by unknown people from remote locations that use the same internet protocol. The threats can come from different sources such as terrorists who want to have access to certain information from the government or malicious people. Therefore, it is necessary to have a cyber-barrier that will protect the asset carrying the information. The vulnerability of a system is another variable used in the risk model. It refers to the weak points of a computer-based system, internal control systems, or the procedures employed to maintain security. Most of the systems can be linked to the controlled ones that have been either applied but have weak access or not applied. Three categories of vulnerabilities exist for assets in a company which include weaknesses that are inbuilt in the manufacturing process, weak points resulting from poor installation of the systems, and inadequate protection of the systems due to 5 Page 5 of 26
the poor configuration. Likelihood of an event is a risk factor that is based on the analysis of a probability that a threat will exploit a weak point of a system. It combines the probability of evaluation of an event occurrence with the assessment of the adverse effects it can have when it occurs. Further, an impact is a risk factor that determines the level of effects that a threat has on vulnerability. It determines the magnitude of harm that creates certain manipulations with information, such as unauthorized access to it, can have on the company. These effects can be experienced economically, socially, or physically. Similarly, risk evaluation involves determining how much risk is expected from an individual loss occurrence. Nowadays, attackers break into systems frequently which leads to a huge destruction. Therefore, the system users are now concerned with how much risk is expected to occur because of such event. The risk assessors use a simple approach whereby they multiply the impact of occurrence of a risk [49]. Risk level, on the other hand, is the product of the unsatisfactory consequence of an uncertain event and the impact of the event. Therefore, the two risk factors used to evaluate the levels of risk are “Impact” and “Likelihood." However, this method does not incorporate the capabilities of threats in determining the level of risk. The source of threats depends on the capacity of the systems. For instance, terrorists have different intentions to attack an information system. Additionally, the likelihood of a loss event occurring within a system depends on its weak points. Therefore, the risk level should be evaluated as a function of all vulnerabilities, the likelihood of using them, and the final probability of success. In conclusion, risk analysis helps people to manage uncertain events by identifying the risk factors. These factors include threats, weak access points, impact, and the likelihood of the event occurrence. The analysis can be performed using various methods, such as quantitative method, qualitative or semi-quantitative method. This depends on whether a statistical approach, level of judgement or both are needed to assess the risk. Security risk management is done by the use of SRFT model, which employs the fuzzy set theory to determine the threats and their countermeasures. Risk evaluation assesses how much risk to an information system can occur due to a loss event. It is established by multiplying the overall likelihood of an event, capabilities, and the impact of the loss has on the systems [49]. 3.1.2
Risk Evaluation
Attackers and intruders could possibly penetrate inside systems and cause a considerable measure of decimation, subsequently, clients are currently inspired by expecting the amount of the risk. A simple methodology that is inspected by numerous risk specialists is to add the seriousness (Impact) of results by the probability of their event. The characterization of Risk level results from likelihood of an unsuitable result (Likelihood) and unlucky collecting effects when the result is unacceptable (Impact) [34]. Thus, there are two semantic variables, "Probability" 'and "Impact'', are characterized to compute the general risk level. Be that as it may, this methodology disregards a key part of risk degree. The accomplishment of risk source utilized such system vulnerabilities should rely upon these capabilities. For example, terrorists or extremists as a source of risk have distinctive capabilities, expectation, and the system targeting [29]. Additionally, the targeting probability for a system relied on progress likelihood, vulnerabilities, and probability of abusing these vulnerabilities. The methodology for risk assessment is to assess the risk level as an element of capabilities, impact and likelihood. 6 Page 6 of 26
3.2
Fuzzy concept
In security and safety making decision, due to high level of uncertainty involved in the set of available information, the quantitative information is hard to get and obtain because of various facts, for example, uncommon event of the occasions, human subjectivity and financial contemplations. Regardless of the possibility that the information is accessible, it is regularly erroneous alternately subject to instability. In this way, it is hard to build up sane storage warehouse for wellbeing and security contemplations. The Fuzzy set theory can give a structure in taking care of such uncertainty and instability connected with the information. Bellman and Zadeh [12] introduced a few uses of Fuzzy assumptions and procedures to make a decision for different choices. The FL has been conducted and implemented to tackle some genuine world issues whenever existing of fuzziness. Ability and capability to utilize theory of Fuzzy sets in treating instability and uncertainty for typical sources have been discussed from long time ago. A few researchers and scientist use Fuzzy set theory to handle risk instabilities and make security choices. It is recommended to enhance the utilization of FL theory for testing critical risk and go through risk priority number (RPN) assessment. 4
Proposed Risk Assessment Model
In this section, we will propose a model for risk assessment using Mamdani Fuzzy inference system. From our literature in risk assessment of cybercrime, we show the vulnerability and threats for such a system. The proposal is composed of the following stages: in the first stage, we will present the process of a risk assessment model followed by showing life cycle and proposed risk assessment model. Then we will introduce the different specifications between Mamdani and Sugeno fuzzy methods followed by introducing the matrix of risk assessment aspects and using fuzzy set algorithm to extract the risk assessment based on vulnerability & threat and then end up with simulation of a risk assessment model. 4.1
Risk assessment model
As shown in Fig.1, the model of the risk assessment process was simple, and not fully covered all aspects of cybersecurity and cybercrime's issues. Fig. 2 shows the proposed modified model that starts from sensing the object (data or material) which is vulnerable and then pass it through risk assessment model. Risk assessment model judges the object based on some computation methods, and then delivers it to the next model, which approves it or goes to other directions. If any object is approved, then process ends, which means the object is safe. ÷If any object is not approved, it goes to other models and estimates the vulnerability by calculating the probability based on fuzzy theory; and then pass all information to a reviewer to decide how to mitigate the risk and treat the vulnerability. After that, the object passes through the vulnerability check process again. This process would enhance the existing models that lack human interaction for deciding whether the object goes for risk assessment and tolerates the threat or not. Reviewing process could be one or group of actors and nowadays, many organizations deploy people to monitor security inside their companies, most of the time; they are the part of Security Operation
7 Page 7 of 26
Center(SOC). Fig. 3 shows risk assessment lifecycle in details for risk assessment step showed in Fig. 2
The proposed risk assessment life cycle in Fig. 3 describes exactly what happens when data has been marked as vulnerable to attack. It starts by identifying and inspecting any suspicious activity through HW or SW tools that can exactly determine if such data is vulnerable or not. If data is suspicious, it will move to next part or quit. Suspicious data would move to 1st stage, which is "Review" that consists of 2 parts: identifying the source threat and specifying such probability and occurrence. Fig.4 shows an example of malicious attacks that can be treated using the model shown in fig.3.
First, the proposed approach calculates risk assessment using Mamdani approach, which is the most used one in fuzzy logic set of theory, then it extends the work to include Sugeno approach. The differences between Mamdani and Sugeno approaches are described in Table 6.
The proposed FIS adopts this model to gain the total risk for such system using the following formula F1=Overall Capabilities = (Capabilities, Intent, Targeting) (1) F2=Overall Likelihood = (Vulnerability, Overall Capabilities) (2) F3=Risk = (Overall Likelihood, Impact) (3),
F1= The result obtained from F1 should be the combination of all possibilities of Intent, Targeting and Capabilities for all set of membership n=1 to n=n F2=
The result obtained from F2 should be the combination of all possibilities of Overall Capabilities and Vulnerabilities for all set of membership n=1 to n=n F3=
8 Page 8 of 26
The result obtained from F3 should be the combination of all possibilities of Overall Likelihood and Impact for all set of membership n=1 to n=n
So,
where x
.
Fig. 5 shows how the risk assessment model looks like.
5.
Evaluation
The four risk factors mentioned previously in 3.1.1 will be implemented as input to the proposed FIS, and the process is to obtain the result that will follow the process described in Fig. 2. With the contribution of NIST800-30 standard to describe the level of risk factors where we apply information to our proposed model described above in Fig. 5. In FIS1, we obtained the result of overall capabilities, which contains the following inputs mentioned previously. Fig. 6 shows the parameters and settings used to extract the output.
Fig. 6 describes the three inputs and outputs used in the proposed model and those inputs has multiple variables, memberships and values. The input values ranging from 0-1 and divided into 3 or 5 segments orderly. Fig. 7 has multiple memberships according to variable used. In first variable: Intent, we used three memberships which are (Low , Medium , High). Those memberships have values (0.00-0.33, 0.34-0.66 , 0.67-1.00). The other variable: Targeting, we used three memberships, which are (Low, Medium, High). Those memberships have values (0.00-0.33, 0.34-0.66, 0.671.00). The last variable: Capabilities, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00)
Fig. 8 describes the rules used to extract the result of F1, the combination of all memberships multiply by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.000.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00)
9 Page 9 of 26
The output of FIS1 is shown below in Fig. 9:
Fig. 9 shows the outputs of F1 in 3D consists of the three variables, where we can see clearly that Targeting and Intent has more influence over Capabilities due to major harmful attacks comes from attackers who are smart and have updated tools whereas the limitation of the capabilities limits the attackers power due to updated and strength of victim system.
Fig. 10 shows that there are 45 conditions which satisfy our result. Those conditions varies from Very Low which has 0 value till the max (Very High) which has the full output which are=1. In FIS2, we obtained the overall capabilities as input from previous FIS1 model, then having the vulnerability of five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40 , 0.41-0.60, 0.61-0.8, 0.81-1.00).To produce our FIS2 which is the overall Likelihood, Fig. 11, 12 and 13 respectively shows FIS2 model.
Fig. 11 describes the two inputs and output we used in our model, those inputs has multiple variable, memberships and values. The input values ranging from 0-1 and divided into 5 memberships.
Fig. 12 has multiple memberships according to variable used. In first variable: Overall Capabilities, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) also apply the same for vulnerabilities.
Fig. 13 describes the rules used to extract the result of F2, the combination of all memberships multiplied by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.00-0.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00). The rules uses AND connection which restrict the result whereas OR connection is not recommended for our 10 Page 10 of 26
case. The reason for that is to have accurate result and to plot the snapshot of result in all cases discussed. The output of FIS2 is shown below in Fig. 14:
Fig. 14 shows the outputs of FIS2 in 3D consists of the two variables, where we can clearly see that both Vulnerability and Overall Capabilities have the same influence for producing overall likelihood since Vulnerability plays the major act for making risk over digital systems.
As we have seen in Fig. 15, we have 25 conditions that can satisfy our result. Those conditions varies from Very Low which has 0 value till the max (Very High) which has the full output which are =1.. The last model F3, which will produce the risk assessment values, consists of two parameters: overall Likelihood and Impact. The Likelihood vulnerability is having five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) and Impact is having five memberships which are (Very Low, Low, Medium , High, Very High). Those memberships have values (0.00-0.20, 0.210.40, 0.41-0.60, 0.61-0.8, 0.81-1.00).
Fig. 16 describes the two inputs and outputs we used in our model and those inputs has multiple variables, memberships and values. One of the input values comes as a result from F2, the other is a new one ranging from 0-1 and divided into 5 memberships.
Fig. 17 has multiple memberships according to the variable used. In first variable: Overall Likelihood, we used five memberships which are (Very Low, Low, Medium, High, Very High). Those memberships have values (0.00-0.20, 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00) and the same level: Impact has five memberships which are (Very Low, Low, Medium, High, Very High) and memberships have values like (0.00-0.20 , 0.21-0.40, 0.41-0.60, 0.61-0.8, 0.81-1.00). Fig. 18 describes the rules used to extract the result of F3, the combination of all memberships multiplied by each other to find all possibilities of data received. The rules described how to match the inputs with outputs where they can divide Very Low value between (0.00-0.20), Low (0.21-0.40), Medium (0.41-0.60), High (0.61-0.80) and Very High (0.81-1.00).
11 Page 11 of 26
The result of our Risk Assessment Model is shown in Fig. 19, 20 respectively, which include all the situations of risk estimation starting from Very Low until Very High risk situation.
6.
Discussion and Conclusion
As we have seen in the evaluation, we have 25 conditions to satisfy our output. The overall likelihood played in these potential factors is to determine the result obtained as the consequences of previous models. We have implemented examples depending on the cases for any attack of resources: So the risk assessment result is 53.8% which is Medium and it needs to be treated. We can conclude risk assessment approach for every system relies on the ability of its components to keep actively engaged in the multi-functional communications within the environment and to ensure that the end user's needs to get met. To that effect, every system must have its components working under controlled risk to avoid malfunctioning of the target resources (servers, workstations, VMware devices, cloud storage, etc.) and even the loss of valuable data. The Sugeno-type and Mamdani-type Fuzzy inference system are the based controllers for the risk assessment. Acknowledgement The authors extend their appreciation to the Deanship of Scientific Research at King Saud University for funding this work through research group no (RGP- 1437-35). References 1.
2. 3. 4.
5. 6. 7. 8. 9.
Almadhoob A & Valverde R, (July 10, 2014), “Cybercrime Prevention in the Kingdom Of Bahrain Via It Security Audit Plans”, Department of Supply Chain and Business Technology Management, Concordia, Montreal, Canada. Vol. 65 No.1. 2014. Jaques, N. ( Jnuary 01, 2015). “Saudi Cybersecurity Threat Landscape: More Intense and Complex Than Ever”, Computer, 67, 8, 45-56 Kshetri, N. (July 01, 2015). “Recent US Cybersecurity Policy Initiatives: Challenges and Implications”, Computer, 48, 7, 64-69. Lewis, J. A., Neuneck, ., United Nations Institute for Disarmament Research,, Center for Strategic and International Studies ( ashington, D.C.),, & Universit t amburg. (2013). The cyber index: International security trends and realities. Minisatry of Information and Commuation Technology. (2009). Developing National Information Security Strategy for the Kingdom of Saudi Arabia. ABC-CLIO. Vagoun, T., & Strawn, G. O. (April 01, 2015). Implementing the Federal Cybersecurity R&D Strategy. Computer, 48, 4, 45-55. Valenzano, A. (January 01, 2014). Industrial cybersecurity: Improving security through access control policy models. Ieee Industrial Electros Magazine, 8, 2, 6-17. Stephens J, & Valverde R, (2013). Security of E-Procurement Transactions in Supply Chain Reengineering. Computer & Information Science, 6(3). UK ome Office, (2012), “Cyber Crime Strategy” Jan 10, 2012.
12 Page 12 of 26
10. Choo K-K R et all. (2011), The cyber threat landscape: Challenges and future research directions. Computers & Security, 30(8), 719-731. 11. Burden, K., & Palmer, C. (2003). Internet crime:Cyber Crime,A new breed of criminal. Computer Law & Security Review, 19(3), 222-227. 12. Massa D and Valverde R (2014), A fraud detection system based on anomaly intrusion detection for Ecommerce applications, Computer and Information Science, 7 (2). 13. Thomas, R. (2001). Managing the Threat of Denial-of-Service Attacks. CERT Coordination Center. 14. SANS (2011) “Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines (CAG), (Apr/27/2012) 15. KPM (2011) “Cyber Crime , A rowing Challenge for overnments” March 10,2012 16. Sophos (2012) “Security Threat Report”, March 10, 2012 17. Loganathan M, & Kirubakaran E,(2011)A Study on Cyber Crimes and protection International Journal of Computer Science, 8 New filtering approaches for phishing email. Journal of computer security, 18(1), 735. 18. National Institute of Standards and Technology (NIST) (2001), Standard reference Database Number 69, July 2001, Gaithersburg, MD 20899. 19. Merhout, J. W., & Havelka, D. (2008). Information technology auditing: A value-added IT governance partnership between IT management and audit. Commutations of the Association for Information Systems, 23(1), 26. 20. National Institute of Standards and Technology NIST (Feb. 2012), Framework for Improving Critical Infrastructure Cyber security, Version 1.0 21. National Institute of Standards and Technology NIST Special Publication 800-39, March 2011, Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View. 22. U.S. Department of Energy, Electricity Subsector Cyber security Risk Management Process, DOE/OE0003, May 2012. 23. M.H. Zirakja, R. Samizadeh, (2011)Risk Analysis in E-commerce via Fuzzy Logic, Int. J. Manag. Bus. Res., 1 (3), 99-112,. 24. Zadeh, L. A. Fuzzy sets. Information and Control, 1965 25. Sodiya, A.S., Longe, H.O.D. and Fasan, O.M., (2007),Software Security Risk Analysis using Fuzzy Expert System, In Journal of INFOCOMP: Journal of Computer Science, Brazil, Vol. 7, No. 3, 70—77, 2007. 26. Rahul Choudhary and Abhishek Raghuvanshi, "Fuzzy Based Evaluation Model of a Systems Security", International Journal of Advanced Research in Computer Science and Software Engineering, 2, 9, 012. 27. Sonia, A. Singhal, H. Banati, "Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD model", IJCSI International Journal of Computer Science Issues, Vol. 8, Issue 4, No. 1, July 2011, Mauritius. 28. National Institute of Standards and Technology NIST Special Publication 800-30 rev. 1 (Sep. 2012), Guide for Conducting Risk Assessments. 29. ISO/IEC 27005: 2011 Information Technology, Security techniques, Information security risk management (second edition). 30. National Institute of Standards and Technology NIST (2006), Guide for Developing Security Plans for Federal Information Systems. 31. Wonderware Invensys Systems, , Securing Industrial Control Systems, A guide forproperly securing Industrial Control Systems operating in a Microsoft Windows environment. Inc Revision 1.4, (2007) 32. Homeland, Report, (2011), Common Cyber security Vulnerabilities in Industrial Control Systems. 33. Ming-Chang Lee, "Information Security Risk Analysis Methods and Research Trends: AHP and Fuzzy Comprehensive Method", International Journal of Computer Science & Information Technology (IJCSIT) Vol 6, No1, pages 29-45, February 2014 34. E.W.T. Ngai, and F.K.T. Wat,"Fuzzy decision support system for risk analysis in e-commerce development", Elsevier, Decision Support Systems 40 (2005) 235–255. 35. R. Nait-Said, F.Zidani, and N.Ouzraoui. “Fuzzy Risk raph Model for Determining Safety Integrity Level” by indawi Publishing Corporation. Volume 2008, Article ID 263895.
13 Page 13 of 26
36. L. POKORÁDI, Új Honvédségi Szemle, Budapest, (1999) p130–136. 37. S. Bajpai, J.P. Gupta, Securing oil and gas infrastructure, J. Pet. Sci. Eng. 55 (2007),p174–186. 38. S. Bajpai, J.P. Gupta, Site security for chemical process industries, J. Loss Prev. Process. Ind. 18 (2005) 301–309. 39. American Petroleum Institute (API), Security Guidelines for the Petroleum Industry, Washington, DC, 2003. 40. P. Baybutt, (2003) , Process security management: set up your plant’s program", Chem.Eng. 110 (1) p48– 56. 41. M. Webster, (1994),"The Merriam-Webster Dictionary", Merriam-Webster, Springfield, MA. 42. D. White, (1995) ,"Application of systems thinking to risk management: a review of the literature, Management Decision" 3,10, 35 – 45. 43. C.A. Ropar,( 1999)," Risk Management for Security Professionals", Butterworth Heinemann, New Delhi, 44. United States of America Department of Justice (USDOJ), (2000),"Assessment of the Increased Risk of Terrorist or Other Criminal Activity Associated with Posting Off-Site Consequence Analysis Information on the Internet",23–24. 45. Synthetic Organic Chemical Manufacturers Association,Chlorine Institute, and American Chemistry Council,( 2001)," Site Security Guidelines for the US Chemical Industry, Washington DC. 46. BASF, orkshop Bieleschweig. “Risk Matrix as a Tool for Risk Assessment”. 15/9.2004 47. Almadhoob & Valverde ,"Cybercrime prevention in the kingdom of Bahrain via it security audit plans". Department of Supply Chain and Business Technology Management, Concordia, Montreal, Canada. 10th July 2014. Vol. 65 No.1 48. Hany Sallam, "Cyber Security Risk Assessment Using Multi Fuzzy Inference System", International Journal of Engineering and Innovative Technology (IJEIT) 4, 8, February 2015 49. F. Martin McNeill and Ellen Thro. “FUZZY LO IC A PRACTICAL APPROAC ” by Academic Press Professional. San Diego, CA, USA, 1994 50. Ab Rahman N H, Cahyani N D W and Choo K-K R (2017). Cloud incident handling and forensic-bydesign: Cloud storage as a case study. Concurrency and Computation: Practice and Experience, 2017, DOI: 10.1002/cpe.3868 51. Ab Rahman N H and Choo K-K R (2015). A survey of information security incident handling in the cloud. Computers & Security 49: 45–69 52. Ab Rahman N H, Glisson W B, Yang Y and Choo K-K R 2016. Forensic-by-design framework for cyberphysical cloud systems. IEEE Cloud Computing 3(1): 50–59 53. Mani D, Choo K-K R and Mubarak S 2014. Information Security in the South Australian Real Estate Industry: A Study of 40 Real Estate Organisations. Information Management & Computer Security 22(1): 24–41 54. Mani D, Heravi A, Choo KKR and Mubarak S 2015. Information Privacy Concerns of Real Estate Customers and Information Security in the Real Estate Industry: an Empirical Analysis. In Proceedings of Australasian Information Security Conference (ACSW-AISC 2015), pp. 53–56, Sydney, New South Wales, Volume 161 of the ACS Conferences in Research and Practice in Information Technology (CRPIT) series, Australian Computer Society, 27 – 30 January. 55. Mani D, Heravi A, Mubarak S and Choo K-K R 2015. Employees’ Intended Information Security Behaviour in Real Estate Organisations: a Protection Motivation Perspective. In Proceedings of 21st Americas Conference on Information Systems (AMCIS 2015), 13–15 August 2015, Association for Information Systems. 56. Borgman B, Mubarak D and Choo K-K R 2015. Cyber Security Readiness in the South Australian Government. Computer Standards & Interfaces 37:1–8 57. Devi, R., Jha, R.K., Gupta, A., Jain, S. and Kumar, P. Implementation of Intrusion Detection System using Adaptive Neuro-Fuzzy Inference System for 5G wireless communication network. AEU-International Journal of Electronics and Communications, Vol. 74, pp.94-106, 2017
14 Page 14 of 26
Fig.1. Risk Assessment Model [49]
15 Page 15 of 26
Fig. 2: Proposed Risk Assessment Process
16 Page 16 of 26
Fig. 3. Proposed Risk Assessment Life Cycle.
Fig. 4. Treating malicious attacks
17 Page 17 of 26
Fig.5. Proposed Risk Assessment Model
Fig. 6. F1 parameters and Settings
18 Page 18 of 26
Fig. 7. F1 Membership Function
Fig. 8. F1 rules
19 Page 19 of 26
Fig. 9. Surface Output of FIS1
Fig. 10. Rule Viewer Output of FIS1
20 Page 20 of 26
Fig. 11. F2 parameters and Settings
Fig. 12. Membership Function of FIS2
21 Page 21 of 26
Fig. 13. F2 rules
Fig. 14. Surface Output of FIS2.
22 Page 22 of 26
Fig. 15. Rule Viewer Output of FIS2
Fig. 16. F3 parameters and Settings
23 Page 23 of 26
Fig. 17. Membership Function of FIS3
Fig. 18. F3 rules
24 Page 24 of 26
Fig. 19. Risk Assessment Simulation Result-Surface Viewer
Fig. 20. Risk Assessment Simulation Result-Rule Viewer
25 Page 25 of 26
Table 6. Differences between Mamdani and Sugeno Fuzzy approaches Mamdani It is axiomatic. It produces fuzzy logic. (linguistic) It is accepted worldwide.
It is human friendly input.
Sugeno It is an efficient method. It operates good with linear methods. It operates good with optimization and adaptive methods. It has definite stability of the output surface. It is good and suitable for scientific analysis.
26 Page 26 of 26