Abstract
With the rapid development of networks, network security has become increasingly important, and the growing number of vulnerabilities makes network security hard to evaluate. In this paper, we propose a quantitative method for evaluating network security based on attack graphs. We quantify the importance of each node and the maximum reachable probability of each node, and construct a security evaluation function that combines them into a security risk score. Our approach takes the attacker's point of view and considers the most important factors that may affect network security. The parameters we use are easy to acquire in any network, so the assessment score obtained from the evaluation function can comprehensively reflect the security level. Based on the security risk value, security professionals can take appropriate countermeasures to harden the network. Experimental results show that this model solves the security evaluation problem efficiently.
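The following is an added illustration of the two quantities the abstract names and how they feed a risk score; it is not the paper's code, and the concrete definitions are assumptions. It assumes an attack graph whose edges are exploits labelled with a success probability (here a constructed CVSS-style score divided by 10), defines a node's maximum reachable probability as the largest product of edge probabilities along any attack path from the attacker's entry point, takes node importance as a constructed asset weight, and scores the network as the importance-weighted mean of reachable probabilities. It also shows the defender-side use the abstract mentions: re-scoring the graph after removing a single exploit to find the patch that lowers risk most.

```python
"""Attack-graph risk scoring illustration (added example, not the paper's method).

Assumed model:
  - nodes are hosts/privilege levels, edges are exploits;
  - each edge carries an assumed success probability in (0, 1];
  - max reachable probability of a node = max over attack paths from the
    source of the product of edge probabilities on that path;
  - node importance = assumed asset weight;
  - risk score = sum(importance * reachable prob) / sum(importance).
"""
import heapq

# Constructed attack graph: {source: {target: exploit success probability}}.
# Probabilities are made-up CVSS-like base scores divided by 10.
ATTACK_GRAPH = {
    "internet": {"web": 0.75, "vpn": 0.43},
    "web":      {"app": 0.65, "db": 0.20},
    "vpn":      {"app": 0.90},
    "app":      {"db": 0.72, "dc": 0.50},
    "db":       {},
    "dc":       {"db": 0.98},
}

# Constructed asset importance weights (assumed, not from the paper).
IMPORTANCE = {"web": 0.3, "vpn": 0.2, "app": 0.5, "db": 1.0, "dc": 1.0}


def max_reachable_probability(graph, source):
    """Best-first search for the highest-probability attack path to every node.

    Edge probabilities are <= 1, so path probability only decreases along a
    path; a max-heap keyed on path probability therefore settles each node at
    its best value first (same shape as Dijkstra with products instead of sums).
    """
    best = {source: 1.0}
    heap = [(-1.0, source)]
    while heap:
        neg_p, node = heapq.heappop(heap)
        p = -neg_p
        if p < best.get(node, 0.0):
            continue  # stale heap entry
        for nxt, edge_p in graph.get(node, {}).items():
            cand = p * edge_p
            if cand > best.get(nxt, 0.0):
                best[nxt] = cand
                heapq.heappush(heap, (-cand, nxt))
    return best


def risk_score(graph, importance, source="internet"):
    """Importance-weighted mean of maximum reachable probabilities, in [0, 1]."""
    reach = max_reachable_probability(graph, source)
    total_weight = sum(importance.values())
    return sum(w * reach.get(n, 0.0) for n, w in importance.items()) / total_weight


def without_edge(graph, src, dst):
    """Copy of the graph with one exploit removed (models patching/firewalling it)."""
    pruned = {n: dict(edges) for n, edges in graph.items()}
    pruned[src].pop(dst, None)
    return pruned


def best_single_hardening(graph, importance, source="internet"):
    """Return ((src, dst), new_score) for the single exploit whose removal
    lowers the risk score the most."""
    best = None
    for src, edges in graph.items():
        for dst in edges:
            score = risk_score(without_edge(graph, src, dst), importance, source)
            if best is None or score < best[1]:
                best = ((src, dst), score)
    return best


if __name__ == "__main__":
    reach = max_reachable_probability(ATTACK_GRAPH, "internet")
    for node, p in sorted(reach.items()):
        print(f"{node:9s} max reachable probability = {p:.4f}")
    print(f"risk score = {risk_score(ATTACK_GRAPH, IMPORTANCE):.4f}")
    edge, score = best_single_hardening(ATTACK_GRAPH, IMPORTANCE)
    print(f"remove exploit {edge[0]}->{edge[1]}: risk score drops to {score:.4f}")
```

On the constructed graph the database is reached with probability 0.351 via internet, web, app (0.75 × 0.65 × 0.72), not through the direct web-to-db exploit, which is why patching web-to-db alone leaves the score unchanged while removing the perimeter web exploit gives the largest reduction.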
Acknowledgments
This paper is partially supported by the Basic Scientific Research Program of the Chinese Ministry of Industry and Information Technology (Grant No. JCKY2016602B001) and the National Key R&D Program of China (Grant No. 2016YFB0800700).
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Zheng, Y., Lv, K., Hu, C. (2017). A Quantitative Method for Evaluating Network Security Based on Attack Graph. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science(), vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_25
DOI: https://doi.org/10.1007/978-3-319-64701-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64700-5
Online ISBN: 978-3-319-64701-2
eBook Packages: Computer Science, Computer Science (R0)