论文信息 - Towards autonomic risk-aware security configuration

Towards autonomic risk-aware security configuration

Security of a network depends on a number of dynamically changing factors. These include emergence of new vulnerabilities and threats, policy structure and network traffic. Due to the dynamic nature of these factors, identifying security metrics that measure objectively the quality of security configuration pose a major challenge. Moreover, this evaluation must be done dynamically to handle real time changes in the threat toward the network. In this paper, we extend our security metric framework that identifies and quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerabilities of remotely accessible services, prediction of potential vulnerabilities for any general network service and their estimated severity and finally propagation of an attack within the network. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management using risk measurement and mitigation.

Ehab Al-Shaer | Latifur Khan | Muhammad Arshad Ul Abedin | Mohammad Salim Ahmed | Mohamed Mahmoud Taibah

[1] Ehab Al-Shaer,et al. Discovery of policy anomalies in distributed firewalls , 2004, IEEE INFOCOM 2004.

[2] Ehab Al-Shaer,et al. Vulnerability analysis For evaluating quality of protection of security policies , 2006, QoP '06.

[3] Ehab Al-Shaer,et al. A Novel Quantitative Approach For Measuring Network Security , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[4] Mehmet Sahinoglu,et al. Security meter: a practical decision-tree model to quantify risk , 2005, IEEE Security & Privacy Magazine.

[5] Duminda Wijesekera,et al. Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[6] Ehab Al-Shaer,et al. Modeling and verification of IPSec and VPN security policies , 2005, 13TH IEEE International Conference on Network Protocols (ICNP'05).

[7] Sushil Jajodia,et al. A weakest-adversary security metric for network configuration security analysis , 2006, QoP '06.

[8] Cynthia A. Phillips,et al. A graph-based system for network-vulnerability analysis , 1998, NSPW '98.