An Attack Graph-Based Probabilistic Security Metric

To protect critical resources in today's networked environments, it is desirable to quantify the likelihood of potential multi-step attacks that combine multiple vulnerabilities. This has now become feasible thanks to a model of the causal relationships between vulnerabilities, namely the attack graph. This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation. We first define the basic metric and provide an intuitive and meaningful interpretation of it. We then study the definition in more complex attack graphs with cycles and extend the definition accordingly. We show that computing the metric directly from its definition is inefficient in many cases and propose heuristics to improve the efficiency of the computation.
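As an added illustration, not code from the paper, the following Python computes a cumulative attack-graph score of the kind the abstract describes, including the treatment of a cycle. It assumes two composition rules the abstract does not spell out: an exploit's score is its individual probability times the scores of all its preconditions (conjunctive), and a condition's score is one minus the product of the failure probabilities of the exploits implying it (disjunctive), with initially satisfied conditions scored 1; the hosts, exploit names, probabilities and the cycle are constructed.

```python
"""Cumulative attack-graph score on a constructed two-host example."""
from typing import Dict, FrozenSet, List, Tuple

# An exploit is (individual probability p(e), preconditions, postconditions).
Exploit = Tuple[float, List[str], List[str]]

# Constructed sample graph: the attacker starts with a user shell on host 0.
INITIAL: FrozenSet[str] = frozenset({"user(0)"})
EXPLOITS: Dict[str, Exploit] = {
    "ftp_rhosts(0,1)": (0.8, ["user(0)"], ["trust(1,0)"]),
    "rsh(0,1)":        (0.9, ["user(0)", "trust(1,0)"], ["user(1)"]),
    "sshd_bof(0,1)":   (0.1, ["user(0)"], ["user(1)"]),
    "local_bof(1)":    (0.6, ["user(1)"], ["root(1)"]),
    # A cycle between user(1) and user(2): each is reachable from the other,
    # so neither can serve as the first foothold for the other.
    "rsh(1,2)":        (0.9, ["user(1)"], ["user(2)"]),
    "rsh(2,1)":        (0.9, ["user(2)"], ["user(1)"]),
}

def implying(cond: str) -> List[str]:
    """Exploits whose postconditions include cond."""
    return [e for e, (_, _, post) in EXPLOITS.items() if cond in post]

def prob_exploit(e: str, path: FrozenSet[str] = frozenset()) -> float:
    """Conjunctive rule: p(e) times the score of every precondition."""
    p, pre, _ = EXPLOITS[e]
    for c in pre:
        p *= prob_condition(c, path)
    return p

def prob_condition(c: str, path: FrozenSet[str] = frozenset()) -> float:
    """Disjunctive rule: 1 for an initial condition, otherwise the chance that
    at least one implying exploit succeeds (1 - product of failures).
    `path` holds the conditions already required on the current derivation;
    meeting one of them again closes a cycle, and that branch contributes
    nothing, since the attacker cannot rely on c in order to reach c."""
    if c in INITIAL:
        return 1.0
    if c in path:
        return 0.0
    fail = 1.0
    for e in implying(c):
        fail *= 1.0 - prob_exploit(e, path | {c})
    return 1.0 - fail

if __name__ == "__main__":
    for goal in ("trust(1,0)", "user(1)", "root(1)", "user(2)"):
        print(f"P({goal}) = {prob_condition(goal):.4f}")
```

On this graph the cycle edge rsh(2,1) adds nothing to P(user(1)), which stays at 0.748, while user(2) is reached only through user(1).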
