Skip to main content
SpringerLink
Log in

Environment Characterization and System Modeling Approach for the Quantitative Evaluation of Security

  • Conference paper
Computer Safety, Reliability, and Security (SAFECOMP 2009)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 5775))

Included in the following conference series:

Abstract

This article aims at proposing a new approach for the quantitative evaluation of information system security. Our approach focuses on system vulnerabilities caused by design and implementation errors and studies how system environment, considering such vulnerabilities, may endanger the system. The two main contributions of this paper are: 1) the identification of the environmental factors which influence the security system state; 2) the development a Stochastic Activity Network model taking into account the system and these environmental factors. Measures resulting from our modeling are aimed at helping the system designers in the assessment of vulnerability exploitation risks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. U.S. Department of Defence Trusted Computer Security Evaluation Criteria (1985)

    Google Scholar 

  2. European Communities, Information Technology Security Evaluation Criteria (1991)

    Google Scholar 

  3. Common Criteria for Information Technology Security Evaluation (1996)

    Google Scholar 

  4. ISO/IEC 27001:2005, Requirements for Information security management systems (2005)

    Google Scholar 

  5. ISO/IEC 27002:2005, Code of practice for information security management (2005)

    Google Scholar 

  6. Jaquith, A.: Security metrics-Replacing fear, uncertainty, and doubt. Addison Wesley Professional, Reading (2007)

    Google Scholar 

  7. Laprie, J., Arlat, J., Blanquart, J., Costes, A., Deswarte, Y., Fabre, J., Guillermain, H., Kaâniche, M., Kanoun, K., Mazet, C., Powell, D., Rabéjac, C., Thévenod, P.: Guide de la Sûreté de Fonctionnement, Cépaduès (1995)

    Google Scholar 

  8. Brocklehurst, S., Littlewood, B., Olovsson, T., Jonsson, E.: On measurement of operational security. Aerospace and Electronic Systems Magazine, IEEE 9, 7–16 (1994)

    Article  Google Scholar 

  9. Dacier, M.: Vers une évaluation quantitative de la sécurité informatique, Thèse de doctorat LAAS-CNRS (1994) (in french)

    Google Scholar 

  10. Dacier, M., Deswarte, Y., Kaâniche, M.: Quantitative assessment of operational security: models and tools. CNRS-LAAS (1996)

    Google Scholar 

  11. Ortalo, R., Deswarte, Y., Kaaniche, M.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25, 633–650 (1999)

    Article  Google Scholar 

  12. Sheyner, O.M.: Scenario Graphs and Attack Graphs, PhD Thesis, Carnegie Mellon University, Pittsburgh, PA (2004)

    Google Scholar 

  13. Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings of 15th IEEE Computer Security Foundations Workshop, 2002, pp. 49–63 (2002)

    Google Scholar 

  14. Swiler, L., Phillips, C., Ellis, D., Chakerian, S.: Computer-attack graph generation tool. In: Proceedings of DARPA Information Survivability Conference & Exposition II, DISCEX 2001, vol. 2, pp. 307–321 (2001)

    Google Scholar 

  15. Balzarotti, D., Monga, M., Sicari, S.: Assessing the risk of using vulnerable component, Quality of Protection, pp. 65–77. Springer, Heidelberg (2006)

    Google Scholar 

  16. McQueen, M.A., Boyer, W.F., Flynn, M.A., Beitel, G.A.: Time-to-Compromise model for cyber risk reduction estimation, Quality of Protection, pp. 49–64. Springer, Heidelberg (2006)

    Google Scholar 

  17. Mell, P., Scarfone, K., Romanovsky, S.: CVSS v2 Complete Documentation. ccvs (June 2007)

    Google Scholar 

  18. Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, Pisa, Italy, pp. 131–138. ACM, New York (2006)

    Chapter  Google Scholar 

  19. Jones, J.R.: Estimating Software Vulnerabilities. IEEE Security and Privacy 5, 28–32 (2007)

    Article  Google Scholar 

  20. CVE - Common Vulnerabilities and Exposures (CVE), http://cve.mitre.org/

  21. SecurityFocus, http://www.securityfocus.org

  22. MAFTIA Consortium, Conceptual Model and Architecture of MAFTIA, MAFTIA (Malicious and Accidental Fault Tolerance for Internet Applications) project deliverable D21, LAAS-CNRS Report 03011 (1993)

    Google Scholar 

  23. Frei, S.: 0-day patch - Exposing vendors (In)security Performance, Amsterdam, NL

    Google Scholar 

  24. Fischbach, N.: Le cycle de vie d’une vulnérabilité (2003) (in french)

    Google Scholar 

  25. Microsoft Security Bulletin MS02-039

    Google Scholar 

  26. Computer Security Research - McAfee Avert Labs Blog

    Google Scholar 

  27. Vache, G.: Towards Information System Security Metrics. In: Proceedings of Seventh European Dependable Computing Conference, Kaunas, Lithuania, pp. 41–44 (2008)

    Google Scholar 

  28. Sanders, W.H., Meyer, J.F.: Stochastic Activity Networks: Formal definitions and concepts. Lectures on Formal Methods and Performance Analysis, pp. 315–343. Springer, Heidelberg (2001)

    MATH  Google Scholar 

  29. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. Security & Privacy 1, 33–39 (2003)

    Article  Google Scholar 

  30. The Spread of the Sapphire/Slammer Worm, http://www.caida.org/publications/papers/2003/sapphire/sapphire.html

  31. The Mobiüs Tool, http://www.mobius.uiuc.edu/

Download references

Author information

Authors and Affiliations

  1. CNRS; LAAS; Université de Toulouse, 7, Avenue du colonel Roche, F-31077, Toulouse, France

    Geraldine Vache

  2. Université de Toulouse ; UPS, INSA, INP ; LAAS , F-31077, Toulouse, France

    Geraldine Vache

Authors
  1. Geraldine Vache
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Informatik, Faculty TI, HAW Hamburg, Hamburg, Germany

    Bettina Buth

  2. Competence Center Digital I&C Systems, SEELAB Software and Engineering Laboratory, TÜV Nord SysTec GmbH & Co. KG, Hamburg, Germany

    Gerd Rabe  & Till Seyfarth  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Vache, G. (2009). Environment Characterization and System Modeling Approach for the Quantitative Evaluation of Security. In: Buth, B., Rabe, G., Seyfarth, T. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2009. Lecture Notes in Computer Science, vol 5775. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04468-7_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-04468-7_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04467-0

  • Online ISBN: 978-3-642-04468-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation