Measuring the Overall Security of Network Configurations Using Attack Graphs

Today's computer systems face sophisticated intrusions in which multiple vulnerabilities are combined to reach an attack goal. The overall security of a networked system therefore cannot be determined simply from the number of vulnerabilities. To quantitatively assess the security of networked systems, one must first understand which vulnerabilities can be combined for an attack, and how. Such an understanding has become possible with recent advances in modeling the composition of vulnerabilities as attack graphs. Based on our experience with attack graph analysis, we explore concepts and issues in defining a metric that quantifies potential attacks. To this end, we present an attack resistance metric for assessing and comparing the security of different network configurations. This paper describes the metric at an abstract level as two composition operators, with features for expressing additional constraints. We consider two concrete cases: the first takes the domain of attack resistance to be the real numbers, and the second represents a resistance as a set of initial security conditions. We show that the proposed metric satisfies desired properties and agrees with common sense, and that it generalizes a previously proposed metric that is also based on attack graphs. We believe the proposed metric will lead to novel quantitative approaches to vulnerability analysis, network hardening, and attack response.
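The following is an added example, not code from the paper or its authors, illustrating how a cumulative resistance can be composed over an attack graph with the two operators the abstract mentions, in both domains it names. The graph model (each exploit needs all of its preconditions; a condition holds if any exploit yielding it succeeds, or if it is an initial condition), the concrete operators (for real numbers, conjunction adds resistances like resistors in series and disjunction combines them like resistors in parallel; for the set case, a resistance is the family of minimal sets of initial conditions that enable the attack), the host/condition names and all numeric values are assumptions constructed for this example; the paper's "features for expressing additional constraints" are not modeled. The graph walk is written generically over a `Domain` so the same evaluator serves both cases, and `harden` shows the kind of configuration comparison the metric is meant for.

```python
"""Composing attack resistance over a small attack graph (added example;
the operators and sample data below are assumptions, not the paper's)."""
from __future__ import annotations

from dataclasses import dataclass
from functools import reduce
from math import inf
from typing import Any, Callable, FrozenSet, List, Sequence


@dataclass(frozen=True)
class Exploit:
    name: str
    pre: FrozenSet[str]        # all preconditions are required (conjunction)
    post: FrozenSet[str]       # conditions the exploit establishes
    resistance: float          # individual resistance r(e), assumed > 0


@dataclass(frozen=True)
class AttackGraph:
    exploits: Sequence[Exploit]
    initial: FrozenSet[str]    # initial security conditions the attacker starts with

    def producers(self, cond: str) -> List[Exploit]:
        return [e for e in self.exploits if cond in e.post]

    def harden(self, cond: str) -> "AttackGraph":
        """A new configuration in which initial condition `cond` has been removed."""
        return AttackGraph(self.exploits, self.initial - {cond})


@dataclass(frozen=True)
class Domain:
    """The two composition operators plus the values they need."""
    initial: Callable[[str], Any]            # resistance of an initial condition
    unreachable: Any                          # resistance of an unsatisfiable condition
    conj: Callable[[Sequence[Any]], Any]     # all preconditions are needed
    disj: Callable[[Sequence[Any]], Any]     # any one producing exploit suffices
    exploit: Callable[[Exploit, Any], Any]   # fold the exploit's own resistance in


def cumulative(graph: AttackGraph, cond: str, dom: Domain,
               _path: FrozenSet[str] = frozenset()) -> Any:
    """Cumulative resistance of establishing `cond`, composed over the graph."""
    if cond in graph.initial:
        return dom.initial(cond)
    if cond in _path:                        # cycle: this branch cannot help
        return dom.unreachable
    options = []
    for e in graph.producers(cond):
        pre = [cumulative(graph, p, dom, _path | {cond}) for p in e.pre]
        options.append(dom.exploit(e, dom.conj(pre)))
    return dom.disj(options)


# Case 1 (assumed operators): resistances are real numbers; conjunction adds
# (series), disjunction combines like parallel resistors, so every extra
# alternative for the attacker lowers the overall resistance.
def real_disj(values: Sequence[float]) -> float:
    if any(v == 0 for v in values):
        return 0.0
    total = sum(1.0 / v for v in values)     # 1/inf == 0, so dead branches drop out
    return inf if total == 0 else 1.0 / total


REAL = Domain(initial=lambda c: 0.0, unreachable=inf,
              conj=lambda vs: float(sum(vs)), disj=real_disj,
              exploit=lambda e, pre: e.resistance + pre)

# Case 2 (assumed operators): a resistance is the family of minimal sets of
# initial conditions that together make the attack possible.
Family = FrozenSet[FrozenSet[str]]


def minimize(fam: Family) -> Family:
    """Drop any set that is a proper superset of another set in the family."""
    return frozenset(s for s in fam if not any(t < s for t in fam))


def set_conj(fams: Sequence[Family]) -> Family:
    def both(a: Family, b: Family) -> Family:
        return minimize(frozenset(x | y for x in a for y in b))
    return reduce(both, fams, frozenset({frozenset()}))   # identity: the empty requirement


def set_disj(fams: Sequence[Family]) -> Family:
    return minimize(frozenset().union(*fams))


SETS = Domain(initial=lambda c: frozenset({frozenset({c})}), unreachable=frozenset(),
              conj=set_conj, disj=set_disj, exploit=lambda e, pre: pre)

# Constructed sample graph: attacker on host 0, goal condition root(2).
SAMPLE = AttackGraph(
    exploits=[
        Exploit("exploit_ftp", frozenset({"net(0,1)", "vuln_ftp(1)"}), frozenset({"user(1)"}), 2.0),
        Exploit("exploit_ssh", frozenset({"net(0,1)", "vuln_ssh(1)"}), frozenset({"user(1)"}), 3.0),
        Exploit("escalate_local", frozenset({"user(1)", "vuln_local(1)"}), frozenset({"root(1)"}), 1.0),
        Exploit("hop_via_trust", frozenset({"root(1)", "net(1,2)"}), frozenset({"root(2)"}), 4.0),
        Exploit("exploit_rsh", frozenset({"net(0,2)", "vuln_rsh(2)"}), frozenset({"root(2)"}), 10.0),
    ],
    initial=frozenset({"net(0,1)", "net(0,2)", "net(1,2)", "vuln_ftp(1)",
                       "vuln_ssh(1)", "vuln_local(1)", "vuln_rsh(2)"}),
)

if __name__ == "__main__":
    for graph, label in ((SAMPLE, "as configured"), (SAMPLE.harden("vuln_rsh(2)"), "rsh removed")):
        print(label, cumulative(graph, "root(2)", REAL), cumulative(graph, "root(2)", SETS))
```

In the sample, the two routes to `user(1)` compose in parallel to 1.2, the local escalation adds 1, and the trust hop adds 4, giving 6.2 for that path; the direct route costs 10, so the overall resistance of `root(2)` is 1/(1/6.2 + 1/10). Removing `vuln_rsh(2)` makes the direct route unreachable and the resistance rises to 6.2; in the set domain the same hardening step removes one of the three minimal initial-condition sets, which is exactly the kind of configuration comparison the metric is intended to support.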
