An Empirical Study of a Vulnerability Metric Aggregation Method

Zhang, Su; Ou, Xinming; Singhal, Anoop; Homer, John

An Empirical Study of a Vulnerability Metric Aggregation Method

Active / Technical Report | Accession Number: ADA557504 |

Open PDF

Abstract:

Quantifying security risk is an important and yet difficult task in enterprise network risk management, critical for proactive mission assurance. Even though metrics exist for individual vulnerabilities, there is currently no standard way of aggregating such metrics. We developed a quantitative model that can be used to aggregate vulnerability metrics in an enterprise network, with a sound computation model. Our model produces quantitative metrics that measure the likelihood that breaches can occur within a given network configuration, taking into consideration the effects of all possible interplays between vulnerabilities. In order to validate the effectiveness scalability and accuracy of this approach to realistic networks, we present the empirical study results of the approach on a number of system configurations. We use a real network as the test bed to demonstrate the utility of the approach, show that the sound computation model is crucial for interpreting the metric result.

Author(s):

Zhang, Su ; Ou, Xinming ; Singhal, Anoop ; Homer, John

Author Organization(s):

KANSAS STATE UNIV MANHATTAN

Descriptive Note:

Conference paper

Supplementary Note:

In The 2011 International Conference on Security and Management (SAM'11), special track on Mission Assurance and Critical Infrastructure Protection (STMACIP'11), Las Vegas, CA, July 2011. U.S. Government or Federal Rights License

Pagination:

0008

Security Markings

DOCUMENT & CONTEXTUAL SUMMARY

Distribution:

Approved For Public Release

Distribution Statement:

Approved For Public Release; Distribution Is Unlimited.

RECORD

Collection: TR

Identifying Numbers

Contract/Grant Number(s):

FA9550-09-1-0138

Monitor Series:

AFOSR

Subject Terms

Joint Capability Areas:

JCA_6_Net Centric; JCA_6.4.1_Secure Information Exchange; JCA_6.1_Information Transport; JCA_6.4_Information Assurance; JCA_1.2.7_Experimentation; JCA_1.2_Force Preparation; JCA_1_Force Support; JCA_3.2_Engagement; JCA_3_Force Application; JCA_5_Command and Control; JCA_1.2.3_Educating; JCA_3.2.2_Non-Kinetic Means; JCA_8_Building Partnerships

Modernization Areas:

Cyber

Communities of Interest:

Cyber

Descriptor(s):

*DATA TRANSMISSION SECURITY, GRAPHS, METRICS, RISK MANAGEMENT, SYMPOSIA, VULNERABILITY

Field(s)/Group(s):

Computer Systems Management and Standards

Keyword(s):

ENTERPRISE NETWORK SECURITY, ATTACK GRAPH, VULNERABILITY METRICS, QUANTITATIVE RISK ASSESSMENT

Report Date:

2011 Jul 01

Creation Date:

2012 Apr 23