Probabilistic reasoning in intelligent systems: networks of plausible inference
Probabilistic reasoning in intelligent systems: networks of plausible inference
Models and tools for quantitative assessment of operational security
Information systems security
A graph-based system for network-vulnerability analysis
Proceedings of the 1998 workshop on New security paradigms
Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security
IEEE Transactions on Software Engineering
Scalable, graph-based network vulnerability analysis
Proceedings of the 9th ACM conference on Computer and communications security
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Why the Future Belongs to the Quants
IEEE Security and Privacy
A Systematic Approach to Multi-Stage Network Attack Analysis
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Scenario graphs and attack graphs
Scenario graphs and attack graphs
A logic-programming approach to network security analysis
A logic-programming approach to network security analysis
On the Brittleness of Software and the Infeasibility of Security Metrics
IEEE Security and Privacy
Quality of protection: measuring the unmeasurable?
Proceedings of the 2nd ACM workshop on Quality of protection
Measuring the attack surfaces of two FTP daemons
Proceedings of the 2nd ACM workshop on Quality of protection
A weakest-adversary security metric for network configuration security analysis
Proceedings of the 2nd ACM workshop on Quality of protection
A scalable approach to attack graph generation
Proceedings of the 13th ACM conference on Computer and communications security
Practical Attack Graph Generation for Network Defense
ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Minimum-cost network hardening using attack graphs
Computer Communications
MulVAL: a logic-based network security analyzer
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Toward measuring network security using attack graphs
Proceedings of the 2007 ACM workshop on Quality of protection
Optimal security hardening using multi-objective optimization on attack tree models of networks
Proceedings of the 14th ACM conference on Computer and communications security
A comprehensive objective network security metric framework for proactive security configuration
Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead
An Attack Graph-Based Probabilistic Security Metric
Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Measuring Network Security Using Bayesian Network-Based Attack Graphs
COMPSAC '08 Proceedings of the 2008 32nd Annual IEEE International Computer Software and Applications Conference
Extending logical attack graphs for efficient vulnerability analysis
Proceedings of the 15th ACM conference on Computer and communications security
Measuring network security using dynamic bayesian network
Proceedings of the 4th ACM workshop on Quality of protection
Identifying Critical Attack Assets in Dependency Attack Graphs
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Bayesian Networks and Decision Graphs
Bayesian Networks and Decision Graphs
Sat-solving approaches to context-aware enterprise network security management
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Modeling Modern Network Attacks and Countermeasures Using Attack Graphs
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Measuring the overall security of network configurations using attack graphs
Proceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security
IEEE Transactions on Software Engineering
Extending Attack Graph-Based Security Metrics and Aggregating Their Application
IEEE Transactions on Dependable and Secure Computing
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
Quantifying security risk is an important and yet difficult task in enterprise network security management. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metrics in an enterprise network, producing quantitative metrics that measure the likelihood breaches can occur within a given network configuration. A clear semantic model for this aggregation is an important first step toward a comprehensive network security metric model. We utilize existing work in attack graphs and apply probabilistic reasoning to produce an aggregation that has clear semantics and sound computation. We ensure that shared dependencies between attack paths have a proportional effect on the final calculation. We correctly reason over cycles, ensuring that privileges are evaluated without any self-referencing effect. We introduce additional modeling artifacts in our probabilistic graphical model to capture and account for hidden correlations among exploit steps. The paper shows that a clear semantic model for aggregation is critical in interpreting the results, calibrating the metric model, and explaining insights gained from empirical evaluation. Our approach has been rigorously evaluated using a number of network models, as well as data from production systems.