Authors: Ibifubara Iganibo (1); Massimiliano Albanese (1); Marc Mosko (2); Eric Bier (2) and Alejandro E. Brito (2)
Affiliations: (1) Center for Secure Information Systems, George Mason University, Fairfax, U.S.A.; (2) Palo Alto Research Center, Palo Alto, U.S.A.
Keyword(s):
Configuration Security, Vulnerability Analysis, Vulnerability Graphs, Metrics.
Abstract:
Vulnerability analysis has long been used to evaluate the security posture of a system, and vulnerability graphs have become an essential tool for modeling potential multi-step attacks and assessing a system's attack surface. More recently, vulnerability graphs have been adopted as part of a multi-faceted approach to configuration analysis and optimization that aims at leveraging relationships between the components, configuration parameters, and vulnerabilities of a complex system to improve its security while preserving functionality. However, this approach still lacks robust metrics to quantify several important aspects of the system being modeled. To address this limitation, we introduce metrics to enable practical and effective application of graph-based configuration analysis and optimization. Specifically, we define metrics to evaluate (i) the exploitation likelihood of a vulnerability, (ii) probability distributions over the edges of a vulnerability graph, and (iii) exposure factors of system components to vulnerabilities. Our approach builds upon standard vulnerability scoring systems, and we show that the proposed metrics can be easily extended. We evaluate our approach against the Common Weakness Scoring System (CWSS), showing a high degree of correlation between CWE scores and our metrics.