Abstract
This article aims at proposing a new approach for the quantitative evaluation of information system security. Our approach focuses on system vulnerabilities caused by design and implementation errors and studies how system environment, considering such vulnerabilities, may endanger the system. The two main contributions of this paper are: 1) the identification of the environmental factors which influence the security system state; 2) the development a Stochastic Activity Network model taking into account the system and these environmental factors. Measures resulting from our modeling are aimed at helping the system designers in the assessment of vulnerability exploitation risks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
U.S. Department of Defence Trusted Computer Security Evaluation Criteria (1985)
European Communities, Information Technology Security Evaluation Criteria (1991)
Common Criteria for Information Technology Security Evaluation (1996)
ISO/IEC 27001:2005, Requirements for Information security management systems (2005)
ISO/IEC 27002:2005, Code of practice for information security management (2005)
Jaquith, A.: Security metrics-Replacing fear, uncertainty, and doubt. Addison Wesley Professional, Reading (2007)
Laprie, J., Arlat, J., Blanquart, J., Costes, A., Deswarte, Y., Fabre, J., Guillermain, H., Kaâniche, M., Kanoun, K., Mazet, C., Powell, D., Rabéjac, C., Thévenod, P.: Guide de la Sûreté de Fonctionnement, Cépaduès (1995)
Brocklehurst, S., Littlewood, B., Olovsson, T., Jonsson, E.: On measurement of operational security. Aerospace and Electronic Systems Magazine, IEEE 9, 7–16 (1994)
Dacier, M.: Vers une évaluation quantitative de la sécurité informatique, Thèse de doctorat LAAS-CNRS (1994) (in french)
Dacier, M., Deswarte, Y., Kaâniche, M.: Quantitative assessment of operational security: models and tools. CNRS-LAAS (1996)
Ortalo, R., Deswarte, Y., Kaaniche, M.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Transactions on Software Engineering 25, 633–650 (1999)
Sheyner, O.M.: Scenario Graphs and Attack Graphs, PhD Thesis, Carnegie Mellon University, Pittsburgh, PA (2004)
Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings of 15th IEEE Computer Security Foundations Workshop, 2002, pp. 49–63 (2002)
Swiler, L., Phillips, C., Ellis, D., Chakerian, S.: Computer-attack graph generation tool. In: Proceedings of DARPA Information Survivability Conference & Exposition II, DISCEX 2001, vol. 2, pp. 307–321 (2001)
Balzarotti, D., Monga, M., Sicari, S.: Assessing the risk of using vulnerable component, Quality of Protection, pp. 65–77. Springer, Heidelberg (2006)
McQueen, M.A., Boyer, W.F., Flynn, M.A., Beitel, G.A.: Time-to-Compromise model for cyber risk reduction estimation, Quality of Protection, pp. 49–64. Springer, Heidelberg (2006)
Mell, P., Scarfone, K., Romanovsky, S.: CVSS v2 Complete Documentation. ccvs (June 2007)
Frei, S., May, M., Fiedler, U., Plattner, B.: Large-scale vulnerability analysis. In: Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, Pisa, Italy, pp. 131–138. ACM, New York (2006)
Jones, J.R.: Estimating Software Vulnerabilities. IEEE Security and Privacy 5, 28–32 (2007)
CVE - Common Vulnerabilities and Exposures (CVE), http://cve.mitre.org/
SecurityFocus, http://www.securityfocus.org
MAFTIA Consortium, Conceptual Model and Architecture of MAFTIA, MAFTIA (Malicious and Accidental Fault Tolerance for Internet Applications) project deliverable D21, LAAS-CNRS Report 03011 (1993)
Frei, S.: 0-day patch - Exposing vendors (In)security Performance, Amsterdam, NL
Fischbach, N.: Le cycle de vie d’une vulnérabilité (2003) (in french)
Microsoft Security Bulletin MS02-039
Computer Security Research - McAfee Avert Labs Blog
Vache, G.: Towards Information System Security Metrics. In: Proceedings of Seventh European Dependable Computing Conference, Kaunas, Lithuania, pp. 41–44 (2008)
Sanders, W.H., Meyer, J.F.: Stochastic Activity Networks: Formal definitions and concepts. Lectures on Formal Methods and Performance Analysis, pp. 315–343. Springer, Heidelberg (2001)
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. Security & Privacy 1, 33–39 (2003)
The Spread of the Sapphire/Slammer Worm, http://www.caida.org/publications/papers/2003/sapphire/sapphire.html
The Mobiüs Tool, http://www.mobius.uiuc.edu/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Vache, G. (2009). Environment Characterization and System Modeling Approach for the Quantitative Evaluation of Security. In: Buth, B., Rabe, G., Seyfarth, T. (eds) Computer Safety, Reliability, and Security. SAFECOMP 2009. Lecture Notes in Computer Science, vol 5775. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04468-7_9
Download citation
DOI: https://doi.org/10.1007/978-3-642-04468-7_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04467-0
Online ISBN: 978-3-642-04468-7
eBook Packages: Computer ScienceComputer Science (R0)