
Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))


Abstract

We have presented an approach to aggregating vulnerability metrics in an enterprise network through attack graphs. Our approach is sound in that, given component metrics which characterize the likelihood that individual vulnerabilities can be successfully exploited, the model computes a numeric value representing the cumulative likelihood for an attacker to succeed in gaining a specific privilege or carrying out an attack in the network. This method can be used to help system administrators decide between risk mitigation options.
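The abstract describes the computation in one sentence: per-vulnerability exploit likelihoods (component metrics) are combined over an attack graph into the cumulative likelihood that an attacker reaches a given privilege, and that number is then used to rank mitigation options. The following Python is an added illustration written for this page, not the book's own algorithm or code. It models a small MulVAL-style logical attack graph (derivation rules as AND nodes, derived facts as OR nodes), computes the cumulative likelihood exactly by enumerating the success/failure outcome of every exploit step under the assumption that steps succeed independently, and shows why a naive recursive noisy-OR overstates risk when two paths share a step. The graph, host names, vulnerability labels and probabilities are constructed and carry no relation to real systems or identifiers.

```python
"""Added example: cumulative attacker-success likelihood over a small logical
attack graph, plus ranking of mitigation options.  Graph and numbers are
constructed for illustration; this is not the book's aggregation method."""
from itertools import product

# Primitive facts (configuration and attacker location) hold with probability 1.
# They are what an administrator can change: a patch removes a vulExists fact,
# a firewall rule removes a hacl (host access) fact.
PRIMITIVE = frozenset({
    "attackerLocated(internet)",
    "hacl(internet, webServer, 80)",
    "hacl(webServer, dbServer, 3306)",
    "vulExists(webServer, vWeb)",
    "vulExists(dbServer, vDb)",
    "dbCredentialsIn(webServer)",
    "vulExists(dbServer, vLocal)",
})

# Derivation rules are AND nodes: all preconditions must hold and the exploit
# step itself must succeed with probability p (the component metric).
# rule_id: (preconditions, derived fact, p)
RULES = {
    "r1_remote_exploit_web": (
        ["attackerLocated(internet)", "hacl(internet, webServer, 80)",
         "vulExists(webServer, vWeb)"], "execCode(webServer, apache)", 0.8),
    "r2_remote_exploit_db": (
        ["execCode(webServer, apache)", "hacl(webServer, dbServer, 3306)",
         "vulExists(dbServer, vDb)"], "execCode(dbServer, mysql)", 0.6),
    "r3_stolen_db_credentials": (
        ["execCode(webServer, apache)", "hacl(webServer, dbServer, 3306)",
         "dbCredentialsIn(webServer)"], "execCode(dbServer, mysql)", 0.5),
    "r4_local_privesc_db": (
        ["execCode(dbServer, mysql)", "vulExists(dbServer, vLocal)"],
        "execCode(dbServer, root)", 0.7),
}


def reachable(primitives, fired, rules=RULES):
    """Facts derivable when only the rules in `fired` succeed (forward chaining)."""
    known = set(primitives)
    changed = True
    while changed:
        changed = False
        for rid in fired:
            pre, post, _ = rules[rid]
            if post not in known and all(f in known for f in pre):
                known.add(post)
                changed = True
    return known


def cumulative_likelihood(target, primitives=PRIMITIVE, rules=RULES):
    """Exact P(target derivable) when each exploit step is an independent
    Bernoulli trial with its metric p.  Enumerates all 2^|rules| outcomes, so it
    is only usable on toy graphs, but it correctly handles paths that share a
    step (r2 and r3 both depend on r1)."""
    ids = list(rules)
    total = 0.0
    for outcome in product([False, True], repeat=len(ids)):
        prob, fired = 1.0, []
        for rid, ok in zip(ids, outcome):
            p = rules[rid][2]
            prob *= p if ok else 1.0 - p
            if ok:
                fired.append(rid)
        if target in reachable(primitives, fired, rules):
            total += prob
    return total


def naive_likelihood(target, primitives=PRIMITIVE, rules=RULES):
    """Recursive noisy-OR (AND nodes multiply, OR nodes use 1 - prod(1 - p)).
    Treats the two routes into execCode(dbServer, mysql) as independent even
    though both require r1, so it overstates the risk.  Assumes an acyclic graph."""
    def fact_prob(f):
        if f in primitives:
            return 1.0
        fail = 1.0
        for pre, post, p in rules.values():
            if post == f:
                p_rule = p
                for q in pre:
                    p_rule *= fact_prob(q)
                fail *= 1.0 - p_rule
        return 1.0 - fail
    return fact_prob(target)


def compare_mitigations(target, options):
    """Rank mitigations by residual cumulative likelihood; `options` maps a
    name to the primitive facts the change removes."""
    baseline = cumulative_likelihood(target)
    ranked = sorted(
        ((name, cumulative_likelihood(target, PRIMITIVE - removed))
         for name, removed in options.items()),
        key=lambda nr: nr[1])
    return baseline, ranked


MITIGATIONS = {  # constructed options
    "patch vDb on dbServer": {"vulExists(dbServer, vDb)"},
    "remove stored DB credentials from webServer": {"dbCredentialsIn(webServer)"},
    "patch vWeb on webServer": {"vulExists(webServer, vWeb)"},
}

if __name__ == "__main__":
    target = "execCode(dbServer, root)"
    print("exact cumulative likelihood:", round(cumulative_likelihood(target), 4))
    print("naive noisy-OR estimate:   ", round(naive_likelihood(target), 4))
    base, ranked = compare_mitigations(target, MITIGATIONS)
    for name, residual in ranked:
        print(f"{name:45s} residual = {residual:.4f}  (baseline {base:.4f})")
```

Two points the example is meant to surface. First, the exact figure for the constructed graph is 0.8 x (1 - 0.4 x 0.5) x 0.7 = 0.448, whereas the recursive noisy-OR gives 0.4816 because it counts the shared web-server compromise twice; a sound aggregation has to account for such shared dependencies (and, in real graphs, cycles), which is exactly the problem the book's approach addresses and which the exponential enumeration here does not scale to. Second, the ranking step is where the metric earns its keep: patching the web server removes the only entry point and drives the likelihood to zero, while the two database-side options leave 0.28 and 0.336 respectively, so the administrator can compare options on one scale rather than on per-host severity scores.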



Author information

Corresponding author: Xinming Ou


Copyright information

© 2012 The Author(s)

About this chapter

Cite this chapter

Ou, X., Singhal, A. (2012). Conclusion. In: Quantitative Security Risk Assessment of Enterprise Networks. SpringerBriefs in Computer Science. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1860-3_5

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-1860-3_5

  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-1859-7

  • Online ISBN: 978-1-4614-1860-3

  • eBook Packages: Computer Science (R0)
