IFIP Annual Conference on Data and Applications Security and Privacy

DBSec 2007: Data and Applications Security XXI pp 98-112

Measuring the Overall Security of Network Configurations Using Attack Graphs

  • Lingyu Wang
  • Anoop Singhal
  • Sushil Jajodia
Conference paper

DOI: 10.1007/978-3-540-73538-0_9

Volume 4602 of the book series Lecture Notes in Computer Science (LNCS)

Abstract

Today’s computer systems face sophisticated intrusions during which multiple vulnerabilities can be combined to reach an attack goal. The overall security of a network system cannot simply be determined from the number of vulnerabilities. To quantitatively assess the security of networked systems, one must first understand which vulnerabilities can be combined for an attack, and how. Such an understanding becomes possible with recent advances in modeling the composition of vulnerabilities as attack graphs. Based on our experience with attack graph analysis, we explore different concepts and issues in a metric that quantifies potential attacks. To accomplish this, we present an attack resistance metric for assessing and comparing the security of different network configurations. This paper describes the metric at an abstract level as two composition operators with features for expressing additional constraints. We consider two concrete cases. The first case assumes the domain of attack resistance to be a real number, and the second represents resistances as sets of initial security conditions. We show that the proposed metric satisfies desired properties and that it adheres to common sense. At the same time, it generalizes a previously proposed metric that is also based on attack graphs. It is our belief that the proposed metric will lead to novel quantitative approaches to vulnerability analysis, network hardening, and attack response.
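To make the two cases concrete, the following added Python illustration (not the paper's code) evaluates a small constructed attack graph under both resistance domains and compares the original configuration with a patched one. The concrete real-valued operators (sum for conjunction, a series/parallel-resistor style combination for disjunction), the exploit and condition names, and the individual resistance values are assumptions made for this illustration; the abstract itself only states that the metric is defined by two composition operators.

```python
from functools import reduce
from itertools import product

# Constructed attack graph: exploit -> (preconditions, postcondition, own resistance).
# A condition that no exploit produces is an initial security condition.
GRAPH = {
    "e1": ({"user(h0)", "vuln_ftp(h1)"}, "user(h1)", 2.0),
    "e2": ({"user(h0)", "vuln_ssh(h1)"}, "user(h1)", 3.0),
    "e3": ({"user(h1)", "vuln_rsh(h2)"}, "user(h2)", 1.0),
}

def resistance(graph, cond, ops):
    """Disjunction over the exploits producing `cond`; each exploit is the conjunction
    of its own resistance and its preconditions' resistance (acyclic graphs only)."""
    exploits = [e for e, (_, post, _) in graph.items() if post == cond]
    if not exploits:
        return ops["init"](cond)
    per_exploit = []
    for e in exploits:
        pre, _, own = graph[e]
        per_exploit.append(reduce(ops["conj"], (resistance(graph, c, ops) for c in pre),
                                  ops["own"](own)))
    return reduce(ops["disj"], per_exploit)

# Case 1 (assumed operators): real-valued resistance composed like series/parallel resistors.
REAL_OPS = {
    "conj": lambda a, b: a + b,
    "disj": lambda a, b: 0.0 if a == 0 or b == 0 else a * b / (a + b),
    "init": lambda c: 0.0,  # holding an initial condition costs the attacker nothing
    "own": lambda r: r,
}

# Case 2: resistance as the minimal sets of initial conditions an attacker must hold.
def _minimal(sets):
    return frozenset(s for s in sets if not any(t < s for t in sets))

SET_OPS = {
    "conj": lambda a, b: _minimal({x | y for x, y in product(a, b)}),
    "disj": lambda a, b: _minimal(a | b),
    "init": lambda c: frozenset({frozenset({c})}),
    "own": lambda r: frozenset({frozenset()}),  # the exploit adds no initial condition
}

def real_resistance(graph, goal): return resistance(graph, goal, REAL_OPS)
def set_resistance(graph, goal): return resistance(graph, goal, SET_OPS)

def hardened(graph, *patched):
    """Same configuration with the patched exploits removed, for comparison."""
    return {e: v for e, v in graph.items() if e not in patched}
```

Removing a single exploit (patching the FTP flaw) raises the real-valued resistance of the goal and shrinks the set of initial-condition combinations that reach it, which is the kind of configuration comparison the metric is meant to support.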


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Lingyu Wang (1)
  • Anoop Singhal (2)
  • Sushil Jajodia (3)
  1. Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC H3G 1M8, Canada
  2. Computer Security Division, NIST, Gaithersburg, MD 20899, USA
  3. Center for Secure Information Systems, George Mason University, Fairfax, VA 22030-4444, USA