The Community for Technology Leaders
RSS Icon
Issue No.01 - Jan.-Feb. (2014 vol.11)
pp: 30-44
Lingyu Wang , Concordia University, Montreal
Sushil Jajodia , George Mason University, Fairfax
Anoop Singhal , National Institute of Standards and Technology, Gaithersburg
Pengsu Cheng , Concordia University, Montreal
Steven Noel , George Mason University, Fairfax
By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidences to assist security practitioners in securing computer networks. However, research on security metrics has been hindered by difficulties in handling zero-day attacks exploiting unknown vulnerabilities. In fact, the security risk of unknown vulnerabilities has been considered as something unmeasurable due to the less predictable nature of software flaws. This causes a major difficulty to security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero-day attacks. In this paper, we propose a novel security metric, $(k)$-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, our metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security because the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower. We formally define the metric, analyze the complexity of computing the metric, devise heuristic algorithms for intractable cases, and finally demonstrate through case studies that applying the metric to existing network security practices may generate actionable knowledge.
network hardening, Security metrics, network security, attack graph,
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel, "k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities", IEEE Transactions on Dependable and Secure Computing, vol.11, no. 1, pp. 30-44, Jan.-Feb. 2014, doi:10.1109/TDSC.2013.24
[1] P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, Graph-Based Network Vulnerability Analysis," Proc. Ninth ACM Conf. Computer Comm. Security (CCS '02), pp. 217-224, 2002.
[2] D. Balzarotti, M. Monga, and S. Sicari, "Assessing the Risk of Using Vulnerable Components," Proc. ACM Second Workshop Quality of Protection (QoP '05), pp. 65-78, 2005.
[3] S.M. Bellovin, "On the Brittleness of Software and the Infeasibility of Security Metrics," IEEE Security and Privacy, vol. 4, no. 4, p. 96, July/Aug. 2006.
[4] M. Dacier, "Towards Quantitative Evaluation of Computer Security," PhD thesis, Institut Nat'l Polytechnique de Toulouse, 1994.
[5] E.W. Dijkstra, "A Note on Two Problems in Connection with Graphs," Numerische Mathematik, vol. 1, pp. 269-271, 1959.
[6] J. Doob, Measure Theory. Springer-Verlag, 1994.
[7] C. Dwork, "Differential Privacy," Proc. 33rd Int'l Colloquium Automata, Languages and Programming (ICALP '06), vol. 2, pp. 1-12, 2006.
[8] N. Falliere, L.O. Murchu, and E. Chien, "W32.Stuxnet Dossier," Symantec Security Response, 2011.
[9] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, "Measuring Network Security Using Dynamic Bayesian Network," Proc. Fourth ACM Workshop Quality of Protection (QoP '08), 2008.
[10] A. Greenberg, "Shopping for Zero-Days: A Price List for Hackers' Secret Software Exploits," Forbes, Mar. 2012.
[11] H. Holm, M. Ekstedt, and D. Andersson, "Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks," IEEE Trans. Dependable Secure Computing, vol. 9, no. 6, pp. 825-837, Nov. 2012.
[12] J. Homer, X. Ou, and D. Schmidt, "A Sound And Practical Approach to Quantifying Security Risk in Enterprise Networks," technical report, Kansas State Univ., 2009.
[13] N. Idika and B. Bhargava, "Extending Attack Graph-Based Security Metrics and Aggregating Their Application," IEEE Trans. Dependable and Secure Computing, vol. 9, no. 1, pp. 75-85, Jan./Feb. 2012.
[14] K. Ingols, M. Chu, R. Lippmann, S. Webster, and S. Boyer, "Modeling Modern Network Attacks and Countermeasures Using Attack Graphs," Proc. Ann. Computer Security Applications Conf. (ACSAC '09), pp. 117-126, 2009.
[15] S. Jajodia, S. Noel, and B. O'Berry, "Topological Analysis of Network Attack Vulnerability," Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava, and A. Lazarevic, eds., Kluwer Academic, 2003.
[16] A. Jaquith, Security Merics: Replacing Fear Uncertainity and Doubt. Addison Wesley, 2007.
[17] S. Jha, O. Sheyner, and J. Wing, "Two Formal Analysis of Attack Graph," Proc. 15th Computer Security Foundation Workshop (CSFW' 02), 2002.
[18] D. Leversage and E. Byres, "Estimating a System's Mean Time-to-Compromise," IEEE Security and Privacy, vol. 6, no. 1, pp. 52-60, Jan./Feb. 2008.
[19] W. Li and R.B. Vaughn, "Cluster Security Research Involving the Modeling of Network Exploitations Using Exploitation Graphs," Proc. IEEE Sixth Int'l Symp. Cluster Computing and Grid (CCGRID '06), p. 26, 2006.
[20] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, "Validating and Restoring Defense in Depth Using Attack Graphs," Proc. IEEE Conf. Military Comm. (MILCOM' 06), pp. 981-990, 2006.
[21] J. McHugh, "Quality of Protection: Measuring the Unmeasurable?" Proc. ACM Second Workshop Quality Protection (QoP '06), pp. 1-2, 2006.
[22] M. McQueen, T. McQueen, W. Boyer, and M. Chaffin, "Empirical Estimates and Observations of 0Day Vulnerabilities," Proc. Hawaii Int'l Conf. System Sciences, pp. 1-12, 2009.
[23] V. Mehta, C. Bartzis, H. Zhu, E. Clarke, and J. Wing, "Ranking Attack Graphs," Proc. Ninth Int'l Conf. Recent Advances Intrusion Detection, 2006.
[24] P. Mell, K. Scarfone, and S. Romanosky, "Common Vulnerability Scoring System," IEEE Security and Privacy, vol. 4, no. 6, pp. 85-89, Nov./Dec. 2006.
[25] Nat'l Institute of Standards and Tech nology, "National Vulnerability Database Version 2.2," http:/, May 2008.
[26] R. Ortalo, Y. Deswarte, and M. Kaaniche, "Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security," IEEE Trans. Software Eng., vol. 25, no. 5, pp. 633-650, Sept./Oct. 1999.
[27] X. Ou, W. Boyer, and M. McQueen, "A Scalable Approach to Attack Graph Generation," Proc. 13th ACM Conf. Computer Comm. Security (CCS' 06), pp. 336-345, 2006.
[28] J.W.P. Manadhata, "An Attack Surface Metric," Technical Report CMU-CS-05-155, Carnegie Mellon University, 2005.
[29] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, "A Weakest-Adversary Security Metric for Network Configuration Security Analysis," Proc. ACM Second Workshop Quality of Protection (QoP '06), pp. 31-38, 2006.
[30] C. Phillips and L. Swiler, "A Graph-Based System for Network-Vulnerability Analysis," Proc. New Security Paradigms Workshop (NSPW '98), 1998.
[31] N. Poolsappasit, R. Dewri, and I. Ray, "Dynamic Security Risk Management Using Bayesian Attack Graphs," IEEE Trans. Dependable Secure Computing, vol. 9, no. 1, pp. 61-74, Jan. 2012.
[32] P. Samarati, "Protecting Respondents' Identities in Microdata Release," IEEE Trans. Knowledge and Data Eng., vol. 13, no. 6, pp. 1010-1027, Nov./Dec. 2001.
[33] R. Savola, "Towards a Taxonomy for Information Security Metrics," Proc. Third ACM Workshop Quality of Protection (QoP '07), pp. 28-30, 2007.
[34] M. Shahzad, M. Shafiq, and A. Liu, "A Large Scale Exploratory Analysis of Software Vulnerability Life Cycles," Proc. 34th Int'l Conf. Software Eng. (ICSE '12), 2012.
[35] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. Wing, "Automated Generation and Analysis of Attack Graphs," Proc. IEEE Symp. Security and Privacy (S&P '02), 2002.
[36] T. Sommestad, H. Holm, and M. Ekstedt, "Effort Estimates for Vulnerability Discovery Projects," Proc. 45th Hawaii Int'l Conf. System Sciences (HICSS '12), pp. 5564-5573, 2012.
[37] MITRE Corp., "Common Weakness Scoring System (CWSS)," http://cwe.mitre.orgcwss/, 2010.
[38] U.S. Dept. of Homeland Security, "Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies," control_systems/ practicesRecommended_Practices.html, 2009.
[39] V. Verendel, "Quantified Security Is a Weak Hypothesis: A Critical Survey of Results and Assumptions," Proc. Workshop New Security Paradigms Workshop (NSPW '09), pp. 37-50, 2009.
[40] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An Attack Graph-Based Probabilistic Security Metric," Proc. 22nd Ann. IFIP WG 11.3 Working Conf. Data and Applications Security, 2008.
[41] L. Wang, S. Jajodia, A. Singhal, and S. Noel, "k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks," Proc. 15th European Conf. Research Computer Security (ESORICS '10), pp. 573-587, 2010.
[42] L. Wang, S. Noel, and S. Jajodia, "Minimum-Cost Network Hardening Using Attack Graphs," Computer Comm., vol. 29, no. 18, pp. 3812-3824, 2006.
[43] L. Wang, A. Singhal, and S. Jajodia, "Measuring Network Security Using Attack Graphs," Proc. ACM Third Workshop (QoP '07), 2007.
42 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool