Skip to main content
SpringerLink
Log in

Objective Risk Evaluation for Automated Security Management

  • Published:
Journal of Network and Systems Management Aims and scope Submit manuscript

Abstract

Network security depends on a number of factors. And a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure and traffic. These factors can be divided into two broad categories. Network risk and service risk. As the name implies, the former one corresponds to risk associated with the network policy whereas the later one depends on the services and software running on the system. Therefore, evaluating security from both the service and policy perspective can allow the management system to make decisions regarding how a system should be changed to enhance security as par the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and to systematically modify security configurations to improve security. As there may be real time changes to the network threat, this evaluation must be done dynamically to handle such changes. In this paper, we provide a security metric framework that quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerabilities of the remotely accessible services, prediction of potential vulnerabilities for these services and their estimated severity, unused address space and finally propagation of an attack within the network. These factors cover both the service aspect and the network aspect of risk toward a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management of services and policies in a system using risk measurement and mitigation. We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from National Vulnerability Database (NVD) and show comparison with two existing risk measurement tools.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. We exclude here spurious traffic that might be forwarded only to Honeynets or sandboxes for analysis purpose.

References

  1. Alhazmi, O.H., Malaiya Y.K.: Prediction capabilities of vulnerability discovery models. In: Proceedings of reliability and maintainability symposium, Jan 2006, pp. 86–91

  2. National institute of science and technology (nist), http://nvd.nist.gov

  3. Lee, S.C., Davis, L.B.: Learning from experience: operating system vulnerability trends, IT Professional, 5(1), Jan/Feb 2003

  4. Abedin, M., Nessa, S., Al-Shaer, E., Khan, L.: Vulnerability analysis for evaluating quality of protection of security policies, In: 2nd ACM CCS workshop on quality of protection, Alexandria, Virginia, Oct 2006

  5. Bock, F.: An algorithm to construct a minimum directed spanning tree in a directed network, In: Developments in Operations Research. Gordon and Breach, pp. 29–44 (1971)

  6. Al-Shaer, E., Hamed, H.: Discovery of policy anomalies in distributed firewalls. In: Proceedings of IEEE INFOCOM’04, March 2004

  7. Hamed, H., Al-Shaer, E., Marrero, W.: Modeling and verification of ipsec and vpn security policies. In Proceedings of IEEE ICNP’2005, Nov 2005

  8. Aol software to improve pc security, http://www.timewarner.com/corp/newsroom/pr/0,20812,1201969,00.html

  9. Schiffman, M.: A complete guide to the common vulnerability scoring system (cvss). http://www.first.org/cvss/cvss-guide.html, June 2005

  10. Rogers, R., Fuller, E., Miles, G., Hoagberg, M., Schack, T. Dykstra, T., Cunningham, B.: Network Security Evaluation Using the NSA IEM, 1st ed. Syngress Publishing, Inc., Aug 2005

  11. Swanson, M., Bartol, N., Sabato, J., Hash, J., Graffo, L.: Security Metrics Guide for Information Technology Systems. National Institute of Standards and Technology, Gaithersburg, MD 20899-8933, July 2003

  12. ”10 network security assessment tools you can’t live without” http://www.windowsitpro.com/Article/ArticleID/47648/47648.html?Ad=1

  13. Kamara, S., Fahmy, S., Schultz, E., Kerschbaum, F., Frantzen, M.: Analysis of vulnerabilities in internet firewalls. Comput. Secur. 22(3), 214–232 (2003)

    Article  Google Scholar 

  14. Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: CCS ’02: Proceedings of the 9th ACM conference on computer and communications security, pp. 217–224, ACM Press, New York, NY, USA (2002)

  15. Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: NSPW ’98: Proceedings of the 1998 workshop on new security paradigms, pp. 71–79, ACM Press, New York, NY, USA (1998)

  16. Feng, C., Jin-Shu, S.: A flexible approach to measuring network security using attack graphs. In: International symposium on electronic commerce and security, April 2008

  17. Mehta, C.B.V., Zhu, H., Clarke, E., Wing, J.: Ranking attack graphs. In: Recent Advances in Intrusion Detection 2006, Hamburg, Germany, Sept 2006

  18. Manadhata, P. Wing, J.: An attack surface metric. In: First Workshop on Security Metrics, Vancouver, BC, August 2006

  19. Howard, M., Pincus, J., Wing, J.M.: Measuring relative attack surfaces. In: Workshop on Advanced Developments in Software and Systems Security, Taipei, Dec 2003

  20. Atzeni, A., Lioy, A., Tamburino, L.: A generic overall framework for network security evaluation. In: Congresso Annuale AICA 2005, Oct 2005, pp. 605–615

  21. Atzeni, A., Lioy, A.: Why to adopt a security metric? A little survey. In: QoP-2005: Quality of protection workshop. Sept 2005

  22. Pamula, J., Ammann, P., Jajodia, S., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: ACM 2nd workshop on quality of protection 2006, Alexandria, VA, Oct 2006

  23. Alhazmi, O.H., Malaiya, Y.K.: Modeling the vulnerability discovery process. In: Proceedings of international symposium on software reliability engineering, Nov 2005

  24. Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. In: Computer Communications. Alexandria, VA, Nov 2006

  25. Wang, L., Liu, A., Jajodia, S.: Using attack graphs for correlating, hypothesizing, and predicting intrusion alerts. In: Computer Communications, Sept 2006

  26. Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: 19th annual computer security applications conference, Las Vegas, Nevada, Dec 2003

  27. Sahinoglu, M.: Security meter: a practical decision-tree model to quantify risk. In: IEEE Security and Privacy, June 2005

  28. Sahinoglu, M.: Quantitative risk assessment for dependent vulnerabilities. In: Reliability and maintainability symposium, June 2005

  29. Ahmed, M.S., Al-Shaer, E., Khan, L.: A novel quantitative approach for measuring network security. In: INFOCOM’08, April 2008

Download references

Acknowledgments

The authors would like to thank Muhammad Abedin and Syeda Nessa of The University of Texas at Dallas for their help with the formalization and experiments making this work possible.

Author information

Authors and Affiliations

  1. University of Texas at Dallas, Richardson, TX, 75080, USA

    Mohammad Salim Ahmed & Latifur Khan

  2. University of North Carolina Charlotte, Charlotte, NC, 28223, USA

    Ehab Al-Shaer

  3. DePaul University, Chicago, IL, 60604, USA

    Mohamed Taibah

Authors
  1. Mohammad Salim Ahmed
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ehab Al-Shaer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Mohamed Taibah
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Latifur Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammad Salim Ahmed.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ahmed, M.S., Al-Shaer, E., Taibah, M. et al. Objective Risk Evaluation for Automated Security Management. J Netw Syst Manage 19, 343–366 (2011). https://doi.org/10.1007/s10922-010-9177-6

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10922-010-9177-6

Keywords

Search

Navigation