A Suite of Metrics for Network Attack Graph Analytics

  • Steven NoelEmail author
  • Sushil Jajodia


This chapter describes a suite of metrics for measuring enterprise-wide cybersecurity risk based on a model of multi-step attack vulnerability (attack graphs). The attack graphs are computed through topological vulnerability analysis, which considers the interactions of network topology, firewall effects, and host vulnerabilities. Our metrics are normalized so that metric values can be compared meaningfully across enterprises. To support evaluations at higher levels of abstraction, we define family groups of related metrics, combining individual scores into family scores, and combining family scores into an overall enterprise network score. The Victimization metrics family measures key attributes of inherent risk (existence, exploitability, and impact) over all network vulnerabilities. The Size family is an indication of the relative size of the vulnerability attack graph. The Containment family measures risk in terms of minimizing vulnerability exposure across security protection boundaries. The Topology family measures risk through graph theoretic properties (connectivity, cycles, and depth) of the attack graph. We display these metrics (at the individual, family, and overall levels) in interactive visualizations, showing multiple metrics trends over time.



The work of Steven Noel was funded in part by the MITRE Innovation Program (MIP) project CyGraph: Graph-Based Analytics and Visualization for Cybersecurity (project number EPF-14-00341), with George Roelke as MIP Cybersecurity Innovation Area Lead. The work of Sushil Jajodia was supported in part by the Army Research Office under grant numbers W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research under grant number N00014-15-1-2007, and by the National Science Foundation under grant number IIP-1266147.


  1. 1.
    S. Noel, E. Harley, K.H. Tam, M. Limiero, M. Share, CyGraph: graph-based analytics and visualization for cybersecurity, in Cognitive Computing: Theory and Applications, Handbook of Statistics, vol. 35, ed. by V. Raghavan, V. Gudivada, V. Govindaraju, C.R. Rao (Elsevier, New York, 2016)Google Scholar
  2. 2.
    S. Noel, E. Harley, K.H. Tam, G. Gyor, Big-data architecture for cyber attack graphs: representing security relationships in NoSQL Graph Databases, in IEEE Symposium on Technologies for Homeland Security, Boston, Massachusetts, April, 2015Google Scholar
  3. 3.
  4. 4.
    RedSeal Cybersecurity Analytics Platform,
  5. 5.
    M. Artz, NetSPA: A Network Security Planning Architecture, master’s thesis, Massachusetts Institute of Technology (2002)Google Scholar
  6. 6.
    S. Jajodia, S. Noel, P. Kalapa, M. Albanese, J. Williams, Cauldron: mission-centric cyber situational awareness with defense in depth, in 30th Military Communications Conference (MILCOM), November 2011Google Scholar
  7. 7.
    X. Ou, W. Boyer, M. McQueen, A scalable approach to attack graph generation, in 13th ACM Conference on Computer and Communications Security, New York, NY (2006)Google Scholar
  8. 8.
    S. Jajodia, S. Noel, Topological vulnerability analysis, in Cyber Situational Awareness: Issues and Research, Advances in Information Security, vol. 46, ed. by S. Jajodia, P. Liu, V. Swarup, C. Wang (Springer, Heidelberg, 2010)Google Scholar
  9. 9.
    NIST, NVD Common Vulnerability Scoring System (CVSS),
  10. 10.
    P. Manadhata, An Attack Surface Metric, doctoral dissertation, Carnegie Mellon University, CMU-CS-08-152 (2008)Google Scholar
  11. 11.
    A. Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt (Addison-Wesley Professional, Reading, MA, 2007)Google Scholar
  12. 12.
    V. Verendel, Quantified security is a weak hypothesis: a critical survey of results and assumptions, in ACM New Security Paradigms Workshop (2009)Google Scholar
  13. 13.
    M. Pendleton, R. Garcia-Lebron, J.-H. Cho, S. Xu, A survey on systems security metrics. ACM Comput. Surv. 49(4), 62 (2017)Google Scholar
  14. 14.
    D. Bodeau, R. Graubart, Cyber Resilience Metrics: Key Observations, The MITRE Corporation, (2016)
  15. 15.
    S. Musman, S. Agbolosu-Amison, A Measurable Definition of Resiliency Using “Mission Risk” as a Metric, The MITRE Corporation, (2014)
  16. 16.
    D. Bodeau, R. Graubart, L. LaPadula, P. Kertzner, A. Rosenthal, J. Brennan, Cyber Resiliency Metrics, The MITRE Corporation, (2012)
  17. 17.
    S. Noel, W. Heinbockel, An overview of MITRE cyber situational awareness solutions, in NATO Cyber Defence Situational Awareness Solutions Conference, Bucharest, Romania, August, 2015Google Scholar
  18. 18.
    M. Swanson, N. Bartol, J. Sabato, J. Hash, J. Graffo, Security Metrics Guide for Information Technology Systems, NIST Technical Report 800-55, July 2003Google Scholar
  19. 19.
    C. Phillips, L.P. Swiler, A graph-based system for network vulnerability analysis, in ACM Workshop on New Security Paradigms, New York, NY, USA, 1998Google Scholar
  20. 20.
    N. Idika, B. Bhargava, Extending attack graph-based security metrics and aggregating their application. IEEE Trans. Dependable Secure Comput. 9(1), 75–85 (2012)CrossRefGoogle Scholar
  21. 21.
    G. Bopche, B. Mehtre, Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks. Comput. Secur. 64, 16–43 (2017)CrossRefGoogle Scholar
  22. 22.
    R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, R. Cunningham, Validating and restoring defense in depth using attack graphs, in IEEE Conference on Military Communications (MILCOM) (2006)Google Scholar
  23. 23.
    J. Pamula, S. Jajodia, P. Ammann, V. Swarup, A weakest-adversary security metric for network configuration security analysis, in 2nd ACM Workshop on Quality of Protection (2006)Google Scholar
  24. 24.
    S. Noel, S. Jajodia, L. Wang, A. Singhal, Measuring security risk of networks using attack graphs. Int. J. Next-Gener. Comput. 1, 135–147 (2010)Google Scholar
  25. 25.
    Z. Huang, Human-Centric Training and Assessment for Cyber Situation Awareness, doctoral dissertation, University of Delaware, ProQuest 10014764 (2015)Google Scholar
  26. 26.
    L. Wang, S. Jajodia, A. Singhal, P. Cheng, S. Noel, k-Zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secure Comput. 11, 30–44 (2013)CrossRefGoogle Scholar
  27. 27.
    M. Tupper, A.N. Zincir-Heywood, VEA-bility security metric: a network security analysis tool, in 3rd International Conference on Availability, Reliability and Security (2008)Google Scholar
  28. 28.
    S. Noel, E. Robertson, S. Jajodia, Correlating intrusion events and building attack scenarios through attack graph distances, in 20th Annual Computer Security Applications Conference (ACSAC), Tucson, Arizona, December 2004Google Scholar
  29. 29.
    S. Noel, S. Jajodia, Attack graphs for sensor placement, alert prioritization, and attack response, in Cyberspace Research Workshop, Air Force Cyberspace Symposium, Shreveport, Louisiana, November 2007Google Scholar
  30. 30.
    S. Noel, Metrics suite for network attack graphs, in 65th Meeting of IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance, Sorrento, Italy, January 2014Google Scholar
  31. 31.
    S. Noel, S. Jajodia, Metrics suite for network attack graph analytics, in 9th Annual Cyber and Information Security Research Conference, Oak Ridge National Laboratory, Tennessee, April 2014Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.The MITRE CorporationMcLeanUSA
  2. 2.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA

Personalised recommendations