Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks
Given the increasing dependence of our societies on networked information systems, the overall security of these systems should be measured and improved. This chapter examines several approaches to combining the CVSS scores of individual vulnerabilities into an overall measure for network security. First, we convert CVSS base scores into probabilities and then propagate such probabilities along attack paths in an attack graph in order to obtain an overall metric, while giving special considerations to cycles in the attack graph. Second, we show that the previous approach implicitly assumes the metric values of individual vulnerabilities to be independent, and we remove such an assumption by representing the attack graph and its assigned probabilities as a Bayesian network and then derive the overall metric value through Bayesian inferences. Finally, to address the evolving nature of vulnerabilities, we extend the previous model to dynamic Bayesian networks such that we can make inferences about the security of dynamically changing networks.
Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by the by Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research grant N00014-15-1-2007, National Institutes of Standard and Technology grant 60NANB16D287, and by the National Science Foundation grant IIP-1266147.
- 1.P. Ammann, D. Wijesekera, S. Kaushik, Scalable, graph-based network vulnerability analysis, in Proceedings of ACM CCS’02 (2002)Google Scholar
- 2.S. Jajodia, S. Noel, B. O’Berry, Topological analysis of network attack vulnerability, in Managing Cyber Threats: Issues, Approaches and Challenges, ed. by V. Kumar, J. Srivastava, A. Lazarevic (Kluwer Academic Publisher, Dordrecht, 2003)Google Scholar
- 4.National Institute of Standards and Technology, Technology assessment: Methods for measuring the level of computer security. NIST Special Publication 500-133 (1985)Google Scholar
- 5.National vulnerability database. Available at: http://www.nvd.org, May 9, 2008
- 7.O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated generation and analysis of attack graphs, in Proceedings of the 2002 IEEE Symposium on Security and Privacy (2002)Google Scholar
- 8.M. Swanson, N. Bartol, J. Sabato, J. Hash, L. Graffo, Security metrics guide for information technology systems. NIST Special Publication 800-55 (2003)Google Scholar