论文信息 - A Novel Quantitative Approach For Measuring Network Security

A Novel Quantitative Approach For Measuring Network Security

Evaluation of network security is an essential step in securing any network. This evaluation can help security professionals in making optimal decisions about how to design security countermeasures, to choose between alternative security architectures, and to systematically modify security configurations in order to improve security. However, the security of a network depends on a number of dynamically changing factors such as emergence of new vulnerabilities and threats, policy structure and network traffic. Identifying, quantifying and validating these factors using security metrics is a major challenge in this area. In this paper, we propose a novel security metric framework that identifies and quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerability of the remotely accessible services, prediction of potential vulnerabilities for any general network service and their estimated severity and finally policy resistance to attack propagation within the network. We then describe our rigorous validation experiments using real- life vulnerability data of the past 6 years from National Vulnerability Database (NVD) [10] to show the high accuracy and confidence of the proposed metrics. Some previous works have considered vulnerabilities using code analysis. However, as far as we know, this is the first work to study and analyze these metrics for network security evaluation using publicly available vulnerability information and security policy configuration.

Ehab Al-Shaer | Latifur Khan | Mohammad Salim Ahmed

[1] Sonia Fahmy,et al. Analysis of vulnerabilities in Internet firewalls , 2003, Comput. Secur..

[2] Sushil Jajodia,et al. A weakest-adversary security metric for network configuration security analysis , 2006, QoP '06.

[3] Y.K. Malaiya,et al. Prediction capabilities of vulnerability discovery models , 2006, RAMS '06. Annual Reliability and Maintainability Symposium, 2006..

[4] S. Radack. The Common Vulnerability Scoring System (CVSS) , 2007 .

[5] Ehab Al-Shaer,et al. Conflict classification and analysis of distributed firewall policies , 2005, IEEE Journal on Selected Areas in Communications.

[6] Mehmet Sahinoglu,et al. Security meter: a practical decision-tree model to quantify risk , 2005, IEEE Security & Privacy Magazine.

[7] Duminda Wijesekera,et al. Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[8] Bryan Cunningham,et al. Network Security Evaluation Using the NSA IEM , 2005 .

[9] Ehab Al-Shaer,et al. Modeling and verification of IPSec and VPN security policies , 2005, 13TH IEEE International Conference on Network Protocols (ICNP'05).

[10] Ehab Al-Shaer,et al. Vulnerability analysis For evaluating quality of protection of security policies , 2006, QoP '06.

[11] Antonio Lioy,et al. Why to adopt a security metric? A brief survey , 2006, Quality of Protection.

[12] Ehab Al-Shaer,et al. Discovery of policy anomalies in distributed firewalls , 2004, IEEE INFOCOM 2004.