Inter-path Diversity Metrics for Increasing Networks Robustness Against Zero-Day Attacks

  • Ghanshyam S. BopcheEmail author
  • Gopal N. Rai
  • B. M. Mehtre
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 969)


Availability of alternate attack paths to an adversary challenges the administrator’s decision of focusing on the single attack path for network hardening. Such single path-based hardening solutions do not stop or deter an adversary from incrementally compromising the network. It is because today’s adversaries are capable of taking alternate attack paths during real-time network intrusion. To evaluate the robustness of a network against the zero-day attacks, researchers have proposed diversity-based metrics. However, there is no way to find out how much portion (in terms of the number of vulnerabilities) an attack path shares with the other available alternate path(s). To what extent they do overlap? To what degree they are unique? In this paper, we propose inter-path diversity metrics namely uniqueness and overlap, to address the said issue. Our objective is to evaluate the quality of each attack path in terms of the resistance posed by each of them during network intrusion. Uniqueness measures the quality of being the novel attack path. Such a novel attack path(s) poses more resistance to the adversary. On the contrary, the overlap measures the degree of overlap in terms of shared resources, attack tools, and techniques, etc., of an attack path with the other paths. Attack paths with highest overlap score act as the focal point for network hardening. We have presented a small case study to demonstrate the applicability of the proposed metrics. The usage of the proposed inter-path diversity metrics generates actionable knowledge that can be utilized for making enterprise network more robust against the zero-day attacks.


Network security and protection Set difference Set intersection Exploit diversity Attack graph Security metrics 


  1. 1.
    Wang, L., Zhang, M., Jajodia, S., Singhal, A., Albanese, M.: Modeling network diversity for evaluating the robustness of networks against zero-day attacks. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 494–511. Springer, Cham (2014). Scholar
  2. 2.
    Shandilya, V., Simmons, C.B., Shiva, S.: Use of attack graphs in security systems. J. Comput. Netw. Commun. 2014, Article no. 818957, 13 pages (2014)Google Scholar
  3. 3.
    Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inf. Secur. Appl. 29, 27–56 (2016)Google Scholar
  4. 4.
    Pendleton, M., Garcia-Lebron, R., Cho, J.H., Xu, S.: A survey on systems security metrics. ACM Comput. Surv. 49, 62:1–62:35 (2016)CrossRefGoogle Scholar
  5. 5.
    Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secur. Comput. 11, 30–44 (2014)CrossRefGoogle Scholar
  6. 6.
    Wang, L., Jajodia, S., Singhal, A., Noel, S.: k-zero day safety: measuring the security risk of networks against unknown attacks. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 573–587. Springer, Heidelberg (2010). Scholar
  7. 7.
    Zhang, M., Wang, L., Jajodia, S., Singhal, A., Albanese, M.: Network diversity: a security metric for evaluating the resilience of networks against zero-day attacks. IEEE Trans. Inf. Forensics Secur. 11, 1071–1086 (2016)CrossRefGoogle Scholar
  8. 8.
    Bopche, G.S., Mehtre, B.M.: Exploiting curse of diversity for improved network security. In: Proceedings of 4th International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 1975–1981. IEEE (2015)Google Scholar
  9. 9.
    Manadhata, P.K., Wing, J.M.: An attack surface metric. IEEE Trans. Softw. Eng. 37, 371–386 (2011)CrossRefGoogle Scholar
  10. 10.
    Jha, S., Sheyner, O., Wing, J.: Two formal analysis of attack graphs. In: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, CSFW 2002, Washington, DC, USA, pp. 49–63. IEEE Computer Society (2002)Google Scholar
  11. 11.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284 (2002)Google Scholar
  12. 12.
    Ou, X., Boyer, W.F.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), pp. 336–345. ACM Press (2006)Google Scholar
  13. 13.
    Jajodia, S., Noel, S.: Topological vulnerability analysis: a powerful new approach for network attack prevention, detection, and response. In: Algorithms, Architectures, and Information System Security, pp. 285–305. World Scientific (2009)Google Scholar
  14. 14.
    Ghosh, N., Ghosh, S.: A planner-based approach to generate and analyze minimal attack graph. Appl. Intell. 36, 369–390 (2012)CrossRefGoogle Scholar
  15. 15.
    Garcia, M., Bessani, A., Gashi, I., Neves, N., Obelheiro, R.: OS diversity for intrusion tolerance: myth or reality? In: Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks, DSN 2011, Washington, DC, USA, pp. 383–394. IEEE Computer Society (2011)Google Scholar
  16. 16.
    Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, Berkeley, CA, USA, vol. 14, pp. 8–16. USENIX Association (2005)Google Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Ghanshyam S. Bopche
    • 1
    • 2
    Email author
  • Gopal N. Rai
    • 2
  • B. M. Mehtre
    • 1
  1. 1.Centre of Excellence in Cyber SecurityIDRBTHyderabadIndia
  2. 2.School of Computer and Information Sciences (SCIS)University of Hyderabad (UOH)HyderabadIndia

Personalised recommendations