Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks

Chapter in: Network Security Metrics

Abstract

Given the increasing dependence of our societies on networked information systems, the overall security of these systems should be measured and improved. This chapter examines several approaches to combining the CVSS scores of individual vulnerabilities into an overall measure of network security. First, we convert CVSS base scores into probabilities and then propagate those probabilities along attack paths in an attack graph to obtain an overall metric, giving special consideration to cycles in the attack graph. Second, we show that this first approach implicitly assumes the metric values of individual vulnerabilities to be independent; we remove that assumption by representing the attack graph and its assigned probabilities as a Bayesian network and deriving the overall metric value through Bayesian inference. Finally, to address the evolving nature of vulnerabilities, we extend this model to dynamic Bayesian networks so that we can make inferences about the security of dynamically changing networks.

Acknowledgements

Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by Office of Naval Research grant N00014-15-1-2007, by National Institute of Standards and Technology grant 60NANB16D287, and by National Science Foundation grant IIP-1266147.

Author information

Corresponding author: Lingyu Wang

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Frigault, M., Wang, L., Jajodia, S., Singhal, A. (2017). Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_1

  • DOI: https://doi.org/10.1007/978-3-319-66505-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66504-7

  • Online ISBN: 978-3-319-66505-4

  • eBook Packages: Computer Science (R0)