Abstract
To protect critical resources in today’s networked environments, it is desirable to quantify the likelihood of potential multi-step attacks that combine multiple vulnerabilities. This now becomes feasible due to a model of causal relationships between vulnerabilities, namely, attack graph. This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation. We first define the basic metric and provide an intuitive and meaningful interpretation to the metric. We then study the definition in more complex attack graphs with cycles and extend the definition accordingly. We show that computing the metric directly from its definition is not efficient in many cases and propose heuristics to improve the efficiency of such computation.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002) (2002)
A.C.S. Associates. Workshop on Information Security System Scoring and Ranking (2001)
Balzarotti, D., Monga, M., Sicari, S.: Assessing the risk of using vulnerable components. In: Proceedings of the 1st Workshop on Quality of Protection (2005)
Balzarotti, P., Monga, M., Sicari, S.: Assessing the risk of using vulnerable components. In: Proceedings of the 2nd ACM workshop on Quality of protection (2005)
Dacier, M.: Towards quantitative evaluation of computer security. Ph.D. Thesis, Institut National Polytechnique de Toulouse (1994)
Dacier, M., Deswarte, Y., Kaaniche, M.: Quantitative assessment of operational security: Models and tools. Technical Report 96493 (1996)
Farmer, D., Spafford, E.: The COPS security checker system. In: USENIX Summer, pp. 165–170 (1990)
Frigault, M., Wang, L.: Measuring network security using bayesian network-based attack graphs. In: Proceedings of The 3rd IEEE International Workshop on Security, Trust, and Privacy for Software Applications (STPSA 2008) (2008)
Hoo, K.: Metrics of network security. White Paper (2004)
Howard, M., Pincus, J., Wing, J.: Measuring relative attack surfaces. In: Workshop on Advanced Developments in Software and Systems Security (2003)
Jaquith, A.: Security Merics: Replacing Fear Uncertainity and Doubt. Addison Wesley, Reading (2007)
Manadhata, K., Wing, J., Flynn, M., McQueen, M.: Measuring the attack surfaces of two ftp daemons. In: Quality of Protection Workshop (2006)
Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Security & Privacy Magazine 4(6), 85–89 (2006)
National Institute of Standards and Technology. Technology assessment: Methods for measuring the level of computer security. NIST Special Publication 500-133 (1985)
Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003) (2003)
Ortalo, R., Deswarte, Y., Kaaniche, M.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. Software Eng. 25(5), 633–650 (1999)
Manadhata, J.W.P.: Measuring a system’s attack surface. Technical Report CMU-CS-04-102 (2004)
Manadhata, J.W.P.: An attack surface metric. Technical Report CMU-CS-05-155 (2005)
Manadhata, J.W.P.: An attack surface metric. In: First Workshop on Security Metrics (MetriCon) (2006)
Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the 2nd ACM workshop on Quality of protection, pp. 31–38. ACM Press, New York (2006)
Phillips, C., Swiler, L.: A graph-based system for network-vulnerability analysis. In: Proceedings of the New Security Paradigms Workshop (NSPW 1998) (1998)
Reiter, M., Stubblebine, S.: Authentication metric analysis and design. ACM Transactions on Information and System Security 2(2), 138–158 (1999)
Ritchey, R., Ammann, P.: Using model checking to analyze network vulnerabilities. In: Proceedings of the 2000 IEEE Symposium on Research on Security and Privacy (S&P 2000), pp. 156–165 (2000)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P 2002) (2002)
Swanson, M., Bartol, N., Sabato, J., Hash, J., Graffo, L.: Security metrics guide for information technology systems. NIST Special Publication 800-55 (2003)
Swiler, L., Phillips, C., Ellis, D., Chakerian, S.: Computer attack graph generation tool. In: Proceedings of the DARPA Information Survivability Conference & Exposition II (DISCEX 2001) (2001)
Wang, L., Liu, A., Jajodia, S.: An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 247–266. Springer, Heidelberg (2005)
Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. Computer Communications 29(15), 2917–2933 (2006)
Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. Computer Communications 29(18), 3812–3824 (2006)
Wang, L., Singhal, A., Jajodia, S.: Measuring network security using attack graphs. In: Proceedings of the 3rd ACM workshop on Quality of protection (QoP 2007). ACM Press, New York (2007)
Wang, L., Singhal, A., Jajodia, S.: Measuring the overall security of network configurations using attack graphs. In: Proceedings of 21th IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2007) (2007)
Wang, L., Yao, C., Singhal, A., Jajodia, S.: Interactive analysis of attack graphs using relational queries. In: Proceedings of 20th IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2006), pp. 119–132 (2006)
Zerkle, D., Levitt, K.: Netkuang - a multi-host configuration vulnerability checker. In: Proceedings of the 6th USENIX Unix Security Symposium (USENIX 1996) (1996)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S. (2008). An Attack Graph-Based Probabilistic Security Metric. In: Atluri, V. (eds) Data and Applications Security XXII. DBSec 2008. Lecture Notes in Computer Science, vol 5094. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70567-3_22
Download citation
DOI: https://doi.org/10.1007/978-3-540-70567-3_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-70566-6
Online ISBN: 978-3-540-70567-3
eBook Packages: Computer ScienceComputer Science (R0)