A Quantitative Method for Evaluating Network Security Based on Attack Graph

  • Conference paper
Network and System Security (NSS 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10394)

Abstract

With the rapid development of networks, network security issues have become increasingly important. Evaluating network security is a tough challenge because of the increasing number of vulnerabilities. In this paper, we propose a quantitative method for evaluating network security based on the attack graph. We quantify the importance of nodes and the maximum reachable probability of nodes, and construct a security evaluation function to calculate the security risk score. Our approach focuses on the attacker's view and considers the most important factors that may affect network security. The parameters we use are easy to acquire in any network. Thus, the assessment score obtained through the evaluation function can comprehensively reflect the security level. According to the security risk value, security professionals can take appropriate countermeasures to harden the network. Experimental results prove that this model solves the security evaluation problem efficiently.

Acknowledgments

This paper is partially supported by the Basic Scientific Research Program of Chinese Ministry of Industry and Information Technology (Grant No. JCKY2016602B001) and the National Key R&D Program of China (Grant No. 2016YFB0800700).

Author information

Corresponding author

Correspondence to Kun Lv.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Zheng, Y., Lv, K., Hu, C. (2017). A Quantitative Method for Evaluating Network Security Based on Attack Graph. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds) Network and System Security. NSS 2017. Lecture Notes in Computer Science, vol 10394. Springer, Cham. https://doi.org/10.1007/978-3-319-64701-2_25

  • DOI: https://doi.org/10.1007/978-3-319-64701-2_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64700-5

  • Online ISBN: 978-3-319-64701-2

  • eBook Packages: Computer Science (R0)
