A Suite of Metrics for Network Attack Graph Analytics

Network Security Metrics

Abstract

This chapter describes a suite of metrics for measuring enterprise-wide cybersecurity risk based on a model of multi-step attack vulnerability (attack graphs). The attack graphs are computed through topological vulnerability analysis, which considers the interactions of network topology, firewall effects, and host vulnerabilities. Our metrics are normalized so that metric values can be compared meaningfully across enterprises. To support evaluations at higher levels of abstraction, we define family groups of related metrics, combining individual scores into family scores, and combining family scores into an overall enterprise network score. The Victimization metrics family measures key attributes of inherent risk (existence, exploitability, and impact) over all network vulnerabilities. The Size family is an indication of the relative size of the vulnerability attack graph. The Containment family measures risk in terms of minimizing vulnerability exposure across security protection boundaries. The Topology family measures risk through graph-theoretic properties (connectivity, cycles, and depth) of the attack graph. We display these metrics (at the individual, family, and overall levels) in interactive visualizations, showing multiple metric trends over time.

Acknowledgments

The work of Steven Noel was funded in part by the MITRE Innovation Program (MIP) project CyGraph: Graph-Based Analytics and Visualization for Cybersecurity (project number EPF-14-00341), with George Roelke as MIP Cybersecurity Innovation Area Lead. The work of Sushil Jajodia was supported in part by the Army Research Office under grant numbers W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research under grant number N00014-15-1-2007, and by the National Science Foundation under grant number IIP-1266147.

Author information

Correspondence to Steven Noel.

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Noel, S., Jajodia, S. (2017). A Suite of Metrics for Network Attack Graph Analytics. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_7

  • DOI: https://doi.org/10.1007/978-3-319-66505-4_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66504-7

  • Online ISBN: 978-3-319-66505-4

  • eBook Packages: Computer Science, Computer Science (R0)
