Measuring the Overall Security of Network Configurations Using Attack Graphs

  • Lingyu Wang
  • Anoop Singhal
  • Sushil Jajodia
Conference paper

DOI: 10.1007/978-3-540-73538-0_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4602)
Cite this paper as:
Wang L., Singhal A., Jajodia S. (2007) Measuring the Overall Security of Network Configurations Using Attack Graphs. In: Barker S., Ahn GJ. (eds) Data and Applications Security XXI. DBSec 2007. Lecture Notes in Computer Science, vol 4602. Springer, Berlin, Heidelberg

Abstract

Today’s computer systems face sophisticated intrusions in which multiple vulnerabilities are combined to reach an attack goal. The overall security of a network system therefore cannot be determined simply from the number of vulnerabilities. To quantitatively assess the security of networked systems, one must first understand which vulnerabilities can be combined for an attack, and how. Such an understanding becomes possible with recent advances in modeling the composition of vulnerabilities as attack graphs. Based on our experience with attack graph analysis, we explore the concepts and issues involved in a metric that quantifies potential attacks. To accomplish this, we present an attack resistance metric for assessing and comparing the security of different network configurations. This paper describes the metric at an abstract level as two composition operators, with features for expressing additional constraints. We consider two concrete cases: the first takes the domain of attack resistance to be the real numbers, and the second represents a resistance as a set of initial security conditions. We show that the proposed metric satisfies desired properties and adheres to common sense. At the same time, it generalizes a previously proposed metric that is also based on attack graphs. It is our belief that the proposed metric will lead to novel quantitative approaches to vulnerability analysis, network hardening, and attack response.
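As an added illustration (not code from the paper), the following Python evaluates both concrete cases of the metric on a small constructed AND/OR attack graph: exploits need all of their preconditions (conjunctive composition) and a condition is reached through any one exploit that yields it (disjunctive composition). The concrete operators used here (sum and the parallel-resistance formula for real numbers; pairwise union plus minimisation for condition sets), the exploit names and the resistance values are assumptions made for this example, and the graph is assumed to be acyclic.

```python
"""Attack resistance over a toy AND/OR attack graph (added example, not the paper's code)."""
from functools import reduce
from itertools import product

# Constructed toy graph: exploit -> (preconditions, postcondition).
# Conditions that no exploit produces are initial conditions.
EXPLOITS = {
    "ftp_rhosts(0,1)": (["ftp(0,1)", "user(0)"], "trust(1,0)"),
    "rsh(0,1)": (["trust(1,0)", "user(0)"], "user(1)"),
    "sshd_bof(0,1)": (["sshd(0,1)", "user(0)"], "user(1)"),
    "local_bof(1)": (["user(1)"], "root(1)"),
}
# Individual resistance assigned to each exploit (constructed numbers).
RESISTANCE = {"ftp_rhosts(0,1)": 2.0, "rsh(0,1)": 1.0,
              "sshd_bof(0,1)": 5.0, "local_bof(1)": 3.0}

class RealDomain:
    """Case 1: resistances are real numbers. Assumed operators: conjunction adds
    (like resistors in series), disjunction combines like resistors in parallel."""
    def base(self, e): return RESISTANCE[e]
    def initial(self, c): return 0.0          # an initial condition costs nothing
    def conj(self, a, b): return a + b
    def disj(self, a, b): return a * b / (a + b) if a + b else 0.0

class ConditionSetDomain:
    """Case 2: a resistance is the family of minimal sets of initial conditions
    an attacker must hold; conjunction unions pairwise, disjunction pools choices."""
    def base(self, e): return [frozenset()]
    def initial(self, c): return [frozenset([c])]
    def conj(self, a, b): return minimize([x | y for x, y in product(a, b)])
    def disj(self, a, b): return minimize(a + b)

def minimize(fam):
    """Drop any condition set that is a strict superset of another (keep minimal ones)."""
    fam = set(fam)
    return sorted((s for s in fam if not any(t < s for t in fam)), key=sorted)

def resistance(goal, dom):
    """Resistance of reaching condition `goal`, composed recursively over the graph."""
    producers = [e for e, (_, post) in EXPLOITS.items() if post == goal]
    if not producers:                          # nothing yields it: initial condition
        return dom.initial(goal)
    per_exploit = []
    for e in producers:                        # each exploit: base AND all preconditions
        parts = [dom.base(e)] + [resistance(p, dom) for p in EXPLOITS[e][0]]
        per_exploit.append(reduce(dom.conj, parts))
    return reduce(dom.disj, per_exploit)       # any producing exploit suffices

if __name__ == "__main__":
    print(resistance("root(1)", RealDomain()))
    print(resistance("root(1)", ConditionSetDomain()))
```

Lowering sshd_bof's resistance or adding a third route to user(1) lowers the real-valued result while the condition-set result gains another minimal set, which is the kind of configuration comparison the metric is meant to support.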

Copyright information

© IFIP International Federation for Information Processing 2007

Authors and Affiliations

  • Lingyu Wang (1)
  • Anoop Singhal (2)
  • Sushil Jajodia (3)
  1. Concordia Institute for Information Systems Engineering, Concordia University, Montreal, QC H3G 1M8, Canada
  2. Computer Security Division, NIST, Gaithersburg, MD 20899, USA
  3. Center for Secure Information Systems, George Mason University, Fairfax, VA 22030-4444, USA