DOI: 10.1145/1179494.1179502

A weakest-adversary security metric for network configuration security analysis

Published: 30 October 2006

Abstract

A security metric measures or assesses the extent to which a system meets its security objectives. Since meaningful quantitative security metrics are largely unavailable, the security community primarily uses qualitative metrics for security. In this paper, we present a novel quantitative metric for the security of computer networks that is based on an analysis of attack graphs. The metric measures the security strength of a network in terms of the strength of the weakest adversary who can successfully penetrate the network. We present an algorithm that computes the minimal sets of initial attributes the weakest adversary must possess in order to successfully compromise a network, given a specific network configuration, a set of known exploits, a specific goal state, and an attacker class (represented by the set of all initial attacker attributes). We also demonstrate, by example, that diverse network configurations are not always beneficial for network security in terms of penetrability.
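The computation the abstract describes, as an added illustration that is not the paper's own code or algorithm: a constructed toy attack model of four exploits, each with precondition and postcondition attributes, a hypothetical attacker class, and a brute-force search over subsets of that class for the minimal sets of initial attributes from which the goal state becomes reachable. The exploit names, attribute strings, attacker class and goal are all made up for this example; the paper's actual algorithm and network examples are not reproduced here.

```python
from itertools import combinations

# Constructed toy attack model (not from the paper): each exploit has a set of
# precondition attributes the attacker must already hold and a set of
# postcondition attributes it grants. All attribute strings are hypothetical.
EXPLOITS = {
    # Overwrite the web host's .rhosts via a vulnerable ftp daemon to gain trust
    "ftp_rhost_overwrite": ({"net_access:web", "vuln:ftp_rhost"},
                            {"trust:web->attacker"}),
    # Use that trust relationship to log in without a password
    "rsh_login": ({"trust:web->attacker", "net_access:web"}, {"user:web"}),
    # Alternative path to a user shell: a reused ssh key
    "ssh_key_reuse": ({"cred:ssh_key", "net_access:web"}, {"user:web"}),
    # Local privilege escalation once a user shell exists
    "local_bof": ({"user:web", "vuln:local_bof"}, {"root:web"}),
}

# Attacker class: every initial attribute an adversary of this class may hold.
# "skill:kernel_dev" is deliberately useless here, to show it never appears in
# a minimal set.
ATTACKER_CLASS = {"net_access:web", "vuln:ftp_rhost", "vuln:local_bof",
                  "cred:ssh_key", "skill:kernel_dev"}
GOAL = "root:web"


def reachable(initial, exploits):
    """Attributes obtainable from `initial` by applying exploits to a fixpoint.
    Assumes monotonic attacks: an attribute, once gained, is never lost."""
    state = set(initial)
    changed = True
    while changed:
        changed = False
        for pre, post in exploits.values():
            if pre <= state and not post <= state:
                state |= post
                changed = True
    return state


def weakest_adversaries(attacker_class, goal, exploits):
    """Minimal subsets of `attacker_class` from which `goal` is reachable.
    Subsets are enumerated by increasing size and supersets of a set already
    known to suffice are skipped, so every set kept is minimal. Brute force,
    exponential in |attacker_class|, which is fine for a toy model."""
    attrs = sorted(attacker_class)
    minimal = []
    for k in range(len(attrs) + 1):
        for combo in combinations(attrs, k):
            s = frozenset(combo)
            if any(m <= s for m in minimal):
                continue
            if goal in reachable(s, exploits):
                minimal.append(s)
    return minimal


def weakest_adversary_strength(attacker_class, goal, exploits):
    """The metric: size of the smallest sufficient initial attribute set, or
    None if no adversary of this class can reach the goal at all."""
    sets = weakest_adversaries(attacker_class, goal, exploits)
    return min(len(s) for s in sets) if sets else None


if __name__ == "__main__":
    for s in weakest_adversaries(ATTACKER_CLASS, GOAL, EXPLOITS):
        print(sorted(s))
    print("weakest adversary needs",
          weakest_adversary_strength(ATTACKER_CLASS, GOAL, EXPLOITS),
          "initial attributes")
```

On the toy model two minimal sets of size three come out (one through the ftp/rsh trust path, one through the reused ssh key), so the metric value is 3. Removing the ftp exploit from the model leaves only the ssh path and the metric unchanged, which is the kind of observation the metric is meant to make visible: a hardening step only raises the weakest-adversary strength if it removes every minimal set of that size.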



Published In

QoP '06: Proceedings of the 2nd ACM workshop on Quality of protection
October 2006
70 pages
ISBN:1595935533
DOI:10.1145/1179494
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 30 October 2006

Author Tags

  1. attack graphs
  2. exploit
  3. network security
  4. quantitative measure
  5. security metric
  6. vulnerability

Qualifiers

  • Article

Conference

CCS06

Article Metrics

  • Downloads (last 12 months): 27
  • Downloads (last 6 weeks): 3
Reflects downloads up to 16 Feb 2025

Cited By

  • (2024) Threat modelling in Internet of Things (IoT) environments using dynamic attack graphs. Frontiers in the Internet of Things, 3. DOI 10.3389/friot.2024.1306465. Online publication date: 30 May 2024.
  • (2024) Attack graph-based security metrics: Concept, taxonomy, challenges and open issues. BIO Web of Conferences, 97 (00085). DOI 10.1051/bioconf/20249700085. Online publication date: 5 April 2024.
  • (2023) GRAPH4: A Security Monitoring Architecture Based on Data Plane Anomaly Detection Metrics Calculated over Attack Graphs. Future Internet, 15:11 (368). DOI 10.3390/fi15110368. Online publication date: 15 November 2023.
  • (2023) Boolean Similarity Measure for Assessing Temporal Variation in the Network Attack Surface. 2023 15th International Conference on COMmunication Systems & NETworkS (COMSNETS), pages 31-36. DOI 10.1109/COMSNETS56262.2023.10041303. Online publication date: 3 January 2023.
  • (2023) Attack graph analysis. Computers and Security, 126:C. DOI 10.1016/j.cose.2022.103081. Online publication date: 1 March 2023.
  • (2023) Detection and Hardening Strategies to Secure an Enterprise Network. Information Systems Security, pages 91-108. DOI 10.1007/978-3-031-49099-6_6. Online publication date: 9 December 2023.
  • (2022) Consider the Consequences. Security and Communication Networks, 2022. DOI 10.1155/2022/3455647. Online publication date: 1 January 2022.
  • (2022) Predicting the severity and exploitability of vulnerability reports using convolutional neural nets. Proceedings of the 3rd International Workshop on Engineering and Cybersecurity of Critical Systems, pages 1-8. DOI 10.1145/3524489.3527298. Online publication date: 16 May 2022.
  • (2022) Security Countermeasures Selection Using the Meta Attack Language and Probabilistic Attack Graphs. IEEE Access, 10, pages 89645-89662. DOI 10.1109/ACCESS.2022.3200601. Online publication date: 2022.
  • (2022) A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus and Recommendations. IEEE Access, 10, pages 85701-85719. DOI 10.1109/ACCESS.2022.3197899. Online publication date: 2022.
