There are several security metrics developed to protect computer networks. In general, common security metrics focus on qualitative and subjective aspects of networks, lacking formal statistical models. In the present study, we propose a stochastic model to quantify the risk associated with the overall network using a Markovian process in conjunction with the Common Vulnerability Scoring System (CVSS) framework. The model we developed uses a host access graph to represent the network environment. Utilizing the developed model, one can filter the large amount of information available by making a priority list of the vulnerable nodes existing in the network. Once a priority list is prepared, network administrators can make software patch decisions. Gaining an in-depth understanding of the risk and priority level of each host helps individuals to implement decisions such as the deployment of security products and the design of network topologies.