A Unified Framework for Measuring a Network's Mean Time-to-Compromise

Measuring the mean time-to-compromise provides important insights for understanding a network's weaknesses and for guiding corresponding defense approaches. Most existing network security metrics deal only with the threats of known vulnerabilities and cannot handle zero-day attacks with consistent semantics. In this paper, we propose a unified framework for measuring a network's mean time-to-compromise by considering both known and zero-day attacks. Specifically, we first devise models of the mean time for discovering and exploiting individual vulnerabilities. Unlike existing approaches, we replace the generic state transition model with a more vulnerability-specific graphical model. We then employ Bayesian networks to derive the overall mean time-to-compromise by aggregating the results of individual vulnerabilities. Finally, we demonstrate the framework's practical application to network hardening through case studies.
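To make the aggregation step concrete, the following is an added example in Python; it is not the paper's code or model. It assumes a constructed attack graph with hypothetical host names and vulnerability ids `v1`..`v4`, assumed per-vulnerability mean exploit times, and exponentially distributed exploit times. Under those assumptions it estimates the expected time until a goal condition is first reached by combining AND chains (precondition, then exploit: times add) and OR alternatives (several ways in: the fastest wins), and then re-evaluates the estimate after each single vulnerability is patched, which is the network-hardening use the abstract describes. The paper's own framework uses vulnerability-specific discovery/exploitation models and Bayesian networks rather than this exponential Monte Carlo simplification.

```python
import random
from typing import Dict, List, Tuple

# Constructed example values (not from the paper): mean time in days an attacker
# needs to exploit each vulnerability once its precondition holds. In the paper's
# framework these would come from the per-vulnerability discovery/exploitation models.
MEAN_TIME_DAYS: Dict[str, float] = {"v1": 2.0, "v2": 5.0, "v3": 10.0, "v4": 3.0}

# Constructed attack graph (hypothetical hosts and vulnerability ids). Each condition
# lists the alternative ways to obtain it (OR); each alternative is
# (precondition, vulnerability): the precondition must already hold AND the
# vulnerability must then be exploited. "attacker" holds at time zero.
# The graph is assumed acyclic, which the recursion below relies on.
ATTACK_GRAPH: Dict[str, List[Tuple[str, str]]] = {
    "user@web": [("attacker", "v1")],
    "user@app": [("attacker", "v2")],
    "root@db": [("user@web", "v3"), ("user@app", "v4")],
}


def serial_mean(means: List[float]) -> float:
    """Expected time of an AND chain: the means add, whatever the distribution."""
    return sum(means)


def parallel_mean_exponential(means: List[float]) -> float:
    """Expected time of an OR over independent exponential alternatives:
    the attacker takes whichever finishes first, so the rates add."""
    return 1.0 / sum(1.0 / m for m in means)


def sample_time_to_compromise(graph, mean_time, goal, rng, start="attacker"):
    """One Monte Carlo draw of the time at which `goal` is first reached.
    Assumption of this example: each exploit attempt takes an exponentially
    distributed time with the given mean, independent of all other attempts."""
    memo = {start: 0.0}

    def reach(cond: str) -> float:
        if cond not in memo:
            # A condition with no remaining way in is unreachable (infinite time).
            memo[cond] = min(
                (reach(pre) + rng.expovariate(1.0 / mean_time[vuln])
                 for pre, vuln in graph.get(cond, [])),
                default=float("inf"),
            )
        return memo[cond]

    return reach(goal)


def mean_time_to_compromise(graph, mean_time, goal, samples=100_000, seed=7):
    """Sample mean of the time-to-compromise; the seed makes the estimate repeatable."""
    rng = random.Random(seed)
    return sum(sample_time_to_compromise(graph, mean_time, goal, rng)
               for _ in range(samples)) / samples


def harden(graph, removed_vuln):
    """Attack graph after patching `removed_vuln`: every edge exploiting it is gone.
    Conditions left with no alternative become unreachable."""
    return {cond: [(pre, v) for pre, v in alts if v != removed_vuln]
            for cond, alts in graph.items()}


if __name__ == "__main__":
    print(f"single chain v1 -> v3: {serial_mean([2.0, 10.0]):.2f} days")
    print(f"OR of v1 | v2 alone:   {parallel_mean_exponential([2.0, 5.0]):.2f} days")
    base = mean_time_to_compromise(ATTACK_GRAPH, MEAN_TIME_DAYS, "root@db")
    print(f"MTTC to root@db:       {base:.2f} days")
    # Rank single patches by how much they raise the mean time-to-compromise.
    for v in MEAN_TIME_DAYS:
        m = mean_time_to_compromise(harden(ATTACK_GRAPH, v), MEAN_TIME_DAYS, "root@db")
        print(f"  after patching {v}: {m:.2f} days")
```

With the constructed values, the two routes to `root@db` have expected lengths of 12 and 8 days, but because the attacker takes whichever succeeds first, the goal's expected time-to-compromise (about 5.6 days) is well below both; patching `v2` or `v4` removes the shorter route and raises it to 12 days, while patching `v1` or `v3` only raises it to 8. That ordering is the kind of hardening guidance the metric is meant to provide.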
