Measuring the Overall Network Security by Combining CVSS Scores Based on Attack Graphs and Bayesian Networks

  • Marcel Frigault
  • Lingyu WangEmail author
  • Sushil Jajodia
  • Anoop Singhal


Given the increasing dependence of our societies on networked information systems, the overall security of these systems should be measured and improved. This chapter examines several approaches to combining the CVSS scores of individual vulnerabilities into an overall measure for network security. First, we convert CVSS base scores into probabilities and then propagate such probabilities along attack paths in an attack graph in order to obtain an overall metric, while giving special considerations to cycles in the attack graph. Second, we show that the previous approach implicitly assumes the metric values of individual vulnerabilities to be independent, and we remove such an assumption by representing the attack graph and its assigned probabilities as a Bayesian network and then derive the overall metric value through Bayesian inferences. Finally, to address the evolving nature of vulnerabilities, we extend the previous model to dynamic Bayesian networks such that we can make inferences about the security of dynamically changing networks.



Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by the by Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research grant N00014-15-1-2007, National Institutes of Standard and Technology grant 60NANB16D287, and by the National Science Foundation grant IIP-1266147.


  1. 1.
    P. Ammann, D. Wijesekera, S. Kaushik, Scalable, graph-based network vulnerability analysis, in Proceedings of ACM CCS’02 (2002)Google Scholar
  2. 2.
    S. Jajodia, S. Noel, B. O’Berry, Topological analysis of network attack vulnerability, in Managing Cyber Threats: Issues, Approaches and Challenges, ed. by V. Kumar, J. Srivastava, A. Lazarevic (Kluwer Academic Publisher, Dordrecht, 2003)Google Scholar
  3. 3.
    P. Mell, K. Scarfone, S. Romanosky, Common vulnerability scoring system. IEEE Secur. Priv. 4(6), 85–89 (2006)CrossRefGoogle Scholar
  4. 4.
    National Institute of Standards and Technology, Technology assessment: Methods for measuring the level of computer security. NIST Special Publication 500-133 (1985)Google Scholar
  5. 5.
    National vulnerability database. Available at:, May 9, 2008
  6. 6.
    M.K. Reiter, S.G. Stubblebine, Authentication metric analysis and design. ACM Trans. Inf. Syst. Secur. 2(2), 138–158 (1999)CrossRefGoogle Scholar
  7. 7.
    O. Sheyner, J. Haines, S. Jha, R. Lippmann, J.M. Wing, Automated generation and analysis of attack graphs, in Proceedings of the 2002 IEEE Symposium on Security and Privacy (2002)Google Scholar
  8. 8.
    M. Swanson, N. Bartol, J. Sabato, J. Hash, L. Graffo, Security metrics guide for information technology systems. NIST Special Publication 800-55 (2003)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Marcel Frigault
    • 1
  • Lingyu Wang
    • 1
    Email author
  • Sushil Jajodia
    • 2
  • Anoop Singhal
    • 3
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityMontrealCanada
  2. 2.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA
  3. 3.Computer Security DivisionNISTGaithersburgUSA

Personalised recommendations