ABSTRACT
Organizational networks have recently become targets of sophisticated multi-hop attacks. The attack graph has been proposed as a useful modeling tool for complex attack scenarios, combining multiple vulnerabilities into causal chains. Analysis of attack scenarios enables security administrators to calculate quantitative security measurements, which justify security investments in the organization. Different attack-graph-based security metrics have been introduced to produce comparable security measurements. Studies show that the difficulty of exploiting the same vulnerability changes with its position in the causal chains of the attack graph. In this paper, a new attack-graph-based security metric, Attack Difficulty, is proposed to include this position factor. Security metrics are classified into two major categories, viz. counting metrics and difficulty-based metrics. The proposed Attack Difficulty metric uses both categories as the basis for its measurement. Case studies are presented to demonstrate the applicability of the proposed metric. A comparison of this new metric with other attack-graph-based security metrics is also included to validate its acceptance in real-life situations.