Network security depends on a number of factors, and a common characteristic of these factors is that they are dynamic in nature. Such factors include new vulnerabilities and threats, the network policy structure, and traffic. These factors can be divided into two broad categories: network risk and service risk. As the name implies, the former corresponds to the risk associated with the network policy, whereas the latter depends on the services and software running on the system. Therefore, evaluating security from both the service and the policy perspective allows the management system to make decisions about how a system should be changed to enhance security as per the management objective. Such decision making includes choosing between alternative security architectures, designing security countermeasures, and systematically modifying security configurations to improve security. Because the network threat can change in real time, this evaluation must be performed dynamically to handle such changes. In this paper, we provide a security metric framework that objectively quantifies the most significant security risk factors: existing vulnerabilities, the historical trend of vulnerabilities in remotely accessible services, the prediction of potential vulnerabilities for these services and their estimated severity, unused address space, and finally the propagation of an attack within the network. These factors cover both the service aspect and the network aspect of the risk to a system. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and show how this tool simplifies the security configuration management of services and policies in a system using risk measurement and mitigation.
We also combine all the components into one single metric and present validation experiments using real-life vulnerability data from the National Vulnerability Database (NVD), and we show a comparison with two existing risk measurement tools.