Abstract
Network security depends on a number of factors, and a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure and traffic. These factors can be divided into two broad categories: network risk and service risk. As the names imply, the former corresponds to the risk associated with the network policy, whereas the latter depends on the services and software running on the system. Therefore, evaluating security from both the service and the policy perspective allows the management system to make decisions about how a system should be changed to enhance security according to the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and systematically modifying security configurations to improve security. As the network threat may change in real time, this evaluation must be performed dynamically to handle such changes. In this paper, we provide a security metric framework that objectively quantifies the most significant security risk factors: existing vulnerabilities, the historical trend of vulnerabilities of the remotely accessible services, the prediction of potential vulnerabilities for these services and their estimated severity, unused address space, and finally the propagation of an attack within the network. These factors cover both the service aspect and the network aspect of risk toward a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and show how this tool simplifies the security configuration management of services and policies in a system using risk measurement and mitigation.
We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from the National Vulnerability Database (NVD), and we show a comparison with two existing risk measurement tools.
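The abstract names the historical vulnerability trend of a remotely accessible service and the estimated severity of its vulnerabilities as two inputs to the metric. The following is an added illustration, not the paper's own metric or code, of how such per-service inputs can be derived from NVD-style records: vulnerabilities are grouped by service and publication year, recent years are weighted more heavily with an exponential decay, and CVSS base scores supply the severity. The records, the `VulnRecord` type, the decay factor and the function names are all constructed for this example; the CVE identifiers are placeholders, not real NVD entries.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    """One NVD-style vulnerability entry reduced to the fields this example needs."""
    cve_id: str      # placeholder identifier, not a real CVE
    service: str     # remotely accessible service the vulnerability affects
    year: int        # year the vulnerability was published
    cvss: float      # CVSS base score, 0.0 to 10.0


# Constructed sample data (assumption: not taken from the NVD).
SAMPLE_RECORDS = [
    VulnRecord("CVE-XXXX-0001", "ssh", 2008, 7.5),
    VulnRecord("CVE-XXXX-0002", "ssh", 2009, 5.0),
    VulnRecord("CVE-XXXX-0003", "ssh", 2009, 9.3),
    VulnRecord("CVE-XXXX-0004", "http", 2007, 4.3),
]


def vulnerabilities_by_year(records, service):
    """Count published vulnerabilities of one service per year (the raw trend)."""
    counts = defaultdict(int)
    for r in records:
        if r.service == service:
            counts[r.year] += 1
    return dict(counts)


def weighted_trend(records, service, current_year, decay=0.5):
    """Exponentially weighted count: a vulnerability published `age` years ago
    contributes decay**age, so recent history dominates the trend value."""
    score = 0.0
    for r in records:
        if r.service == service:
            age = current_year - r.year
            score += decay ** age
    return score


def severity_weighted_trend(records, service, current_year, decay=0.5):
    """Same decay weighting, but each vulnerability is scaled by its
    normalized CVSS score (cvss / 10), so severe findings weigh more."""
    score = 0.0
    for r in records:
        if r.service == service:
            age = current_year - r.year
            score += (decay ** age) * (r.cvss / 10.0)
    return score


def mean_severity(records, service):
    """Average CVSS base score of a service's known vulnerabilities (0.0 if none)."""
    scores = [r.cvss for r in records if r.service == service]
    return sum(scores) / len(scores) if scores else 0.0


def service_summary(records, service, current_year, decay=0.5):
    """Bundle the per-service inputs a risk metric could consume."""
    return {
        "service": service,
        "by_year": vulnerabilities_by_year(records, service),
        "trend": weighted_trend(records, service, current_year, decay),
        "severity_trend": severity_weighted_trend(records, service, current_year, decay),
        "mean_cvss": mean_severity(records, service),
    }


if __name__ == "__main__":
    for svc in ("ssh", "http"):
        print(service_summary(SAMPLE_RECORDS, svc, current_year=2010))
```

With the constructed data and a decay of 0.5 evaluated in 2010, `ssh` receives a trend value of 1.25 (one vulnerability two years old, two one year old) while `http` receives 0.125 for a single three-year-old entry, which is the ordering a service-risk input should produce. How such inputs are normalized and combined with the network-side factors is the subject of the paper itself and is not reproduced here.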
Notes
We exclude here spurious traffic that might be forwarded only to Honeynets or sandboxes for analysis purpose.
Acknowledgments
The authors would like to thank Muhammad Abedin and Syeda Nessa of The University of Texas at Dallas for their help with the formalization and experiments making this work possible.
Cite this article
Ahmed, M.S., Al-Shaer, E., Taibah, M. et al. Objective Risk Evaluation for Automated Security Management. J Netw Syst Manage 19, 343–366 (2011). https://doi.org/10.1007/s10922-010-9177-6
DOI: https://doi.org/10.1007/s10922-010-9177-6