Network Attack Surface: Lifting the Attack Surface Concept to Network Level for Evaluating the Resilience against Zero-Day Attacks

The concept of attack surface has seen many applications in various domains, e.g., software security, cloud security, mobile device security, Moving Target Defense (MTD), etc. However, in contrast to the original attack surface metric, which is formally and quantitatively defined for a software system, most of the applications at higher abstraction levels (e.g., the network level) are limited to an intuitive and qualitative notion, losing the power of the original concept. In this paper, we lift the attack surface concept to the network level as a security metric for evaluating the resilience of networks against potential zero-day attacks. Specifically, we tackle two main challenges as follows. First, we develop models for addressing the incompatibility between the original attack surface model and the need to average across different resources inside a network. Second, we design heuristic algorithms to significantly reduce the complexity of calculating the network attack surface. Finally, we confirm the effectiveness of the proposed algorithms through simulation results.
