Extending Attack Graph-Based Security Metrics and Aggregating Their Application

Nwokedi Idika; Bharat Bhargava

doi:10.1109/TDSC.2010.61

Publication
2012
Issue No. 1 - January/February
Abstract - Extending Attack Graph-Based Security Metrics and Aggregating Their Application

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Nwokedi Idika Articles by Bharat Bhargava

Extending Attack Graph-Based Security Metrics and Aggregating Their Application

January/February 2012 (vol. 9 no. 1)

pp. 75-85

	ASCII Text	x
	Nwokedi Idika, Bharat Bhargava, "Extending Attack Graph-Based Security Metrics and Aggregating Their Application," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 75-85, January/February, 2012.

	BibTex	x
	@article{ 10.1109/TDSC.2010.61, author = {Nwokedi Idika and Bharat Bhargava}, title = {Extending Attack Graph-Based Security Metrics and Aggregating Their Application}, journal ={IEEE Transactions on Dependable and Secure Computing}, volume = {9}, number = {1}, issn = {1545-5971}, year = {2012}, pages = {75-85}, doi = {http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.61}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Dependable and Secure Computing TI - Extending Attack Graph-Based Security Metrics and Aggregating Their Application IS - 1 SN - 1545-5971 SP75 EP85 EPD - 75-85 A1 - Nwokedi Idika, A1 - Bharat Bhargava, PY - 2012 KW - Network-level security and protection KW - measurement KW - measurement techniques. VL - 9 JA - IEEE Transactions on Dependable and Secure Computing ER -

Nwokedi Idika, Purdue University, West Lafayette

Bharat Bhargava, Purdue University, West Lafayette

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.61

The attack graph is an abstraction that reveals the ways an attacker can leverage vulnerabilities in a network to violate a security policy. When used with attack graph-based security metrics, the attack graph may be used to quantitatively assess security-relevant aspects of a network. The Shortest Path metric, the Number of Paths metric, and the Mean of Path Lengths metric are three attack graph-based security metrics that can extract security-relevant information. However, one's usage of these metrics can lead to misleading results. The Shortest Path metric and the Mean of Path Lengths metric fail to adequately account for the number of ways an attacker may violate a security policy. The Number of Paths metric fails to adequately account for the attack effort associated with the attack paths. To overcome these shortcomings, we propose a complimentary suite of attack graph-based security metrics and specify an algorithm for combining the usage of these metrics. We present simulated results that suggest that our approach reaches a conclusion about which of two attack graphs correspond to a network that is most secure in many instances.

[1] SSE-CMM, http://www.sse-cmm.org/metricmetric.asp, 2010.
[2] http:/www.cve.mitre.org, MITRE CVE, July 2010.
[3] G. Vigna and R. Kemmerer, "Netstat: A Network-Based Intrusion Detection System," J. Computer Security, vol. 7, 1999.
[4] S. Noel and S. Jajodia, "Managing Attack Graph Complexity through Visual Hierarchical Aggregation," Proc. ACM Workshop Visualization and Data Mining for Computer Security, pp. 109-118, 2004.
[5] C. Weissman, "System Security Analysis/Certication Methodology and Results," Technical Report SDC SP-3728, 1973.
[6] N. Idika, B. Marshall, and B. Bhargava, "Maximizing Security given a Limited Budget," Proc. TAPIA '09: Richard Tapia Celebration of Diversity in Computing, Apr. 2009.
[7] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, "Validating and Restoring Defense in Depth Using Attack Graphs," Proc. Military Communications Conf., Oct. 2006.
[8] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, "A Weakest-Adversary Security Metric for Network Configuration Security Analysis," Proc. Second ACM Workshop Quality of Protection, pp. 31-38, 2006.
[9] S. Jha, O. Sheyner, and J. Wing, "Two Formal Analyses of Attack Graphs," Proc. 15th IEEE Computer Security Foundations Workshop, June 2002.
[10] R. Dantu and P. Kolan, "Risk Management Using Behavior Based Bayesian Networks," Intelligence and Security Informatics, pp. 115-126, 2005.
[11] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An Attack Graph-Based Probabilistic Security Metric," Proc. Data and Applications Security (DAS '08), pp. 283-296, 2008.
[12] L. Wang, A. Singhal, and S. Jajodia, "Measuring Overall Security of Network Configurations Using Attack Graphs," Data and Applications Security XXI, vol. 4602, pp. 98-112, Aug. 2007.
[13] P. Mell, K. Scarfone, and S. Romanosky, "Common Vulnerability Scoring System," IEEE Security and Privacy, vol. 4, pp. 85-89, Nov./Dec. 2006.
[14] C. Phillips and L.P. Swiler, "A Graph-Based System for Network-Vulnerability Analysis," NSPW '98: Proc. Workshop New Security Paradigms. pp. 71-79, 1998.
[15] R. Ortalo, Y. Deswarte, and M. Kaaniche, "Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security," IEEE Trans. Software Eng., vol. 25, pp. 633-650, Sept. 1999.
[16] E. Jonsson and T. Olovsson, "A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior," IEEE Trans. Software Eng., Apr. 1997.
[17] G. Schudel and B. Wood, "Adversary Work Factor as a Metric for Information Assurance," Proc. 2000 Workshop New Security Paradigms, pp. 23-30, 2001.
[18] K. Ingols, R. Lippmann, and K. Piwowarski, "Practical Attack Graph Generation for Network Defense," Proc. Computer Security Applications Conf., pp. 121-130, Dec. 2006.
[19] W. Li and R. Vaughn, "Cluster Security Research Involving the Modeling of Network Exploitations Using Exploitation Graphs," Proc. Sixth IEEE Int'l Symp. Cluster Computing and Grid Workshops, May 2006.
[20] S. Noel, M. Jacobs, P. Kalapa, and S. Jajodia, "Multiple Coordinated Views for Network Attack Graphs," Proc. IEEE Workshop Visualization for Computer Security, pp. 99-106, 2005.
[21] P. Dupount, "Laplace and the Indifference Principle in the 'Essai Philosophique Des Probabilits'," Rend. Sem. Mat. Univ. Politec. Torino, vol. 36, pp. 125-137, 1977/78.

Index Terms:

Network-level security and protection, measurement, measurement techniques.

Citation:

Nwokedi Idika, Bharat Bhargava, "Extending Attack Graph-Based Security Metrics and Aggregating Their Application," IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 75-85, Jan.-Feb. 2012, doi:10.1109/TDSC.2010.61

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.