Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs

Network Security Metrics

Abstract

Today’s information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To more accurately assess the security of enterprise systems, one must understand how vulnerabilities can be combined and exploited to stage an attack. Composition of vulnerabilities can be modeled using probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. Attack likelihoods are propagated through the attack graph, yielding a novel way to measure the security risk of enterprise systems. This metric for risk mitigation analysis is used to maximize the security of enterprise systems. This methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.



Author information

Correspondence to Anoop Singhal.

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Singhal, A., Ou, X. (2017). Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_3

  • DOI: https://doi.org/10.1007/978-3-319-66505-4_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66504-7

  • Online ISBN: 978-3-319-66505-4

  • eBook Packages: Computer Science, Computer Science (R0)
