A Novel Quantitative Approach For Measuring Network Security

Authors: Mohammad Salim Ahmed, Ehad Al-Shaer, and Latifur Khan

Complete Citation

A Novel Quantitative Approach For Measuring Network Security. Ahmed, M. S.; Al-Shaer, E.; Khan, L. INFOCOM 2008, The 27th Conference on Computer Communications, IEEE, 13-18 April 2008, pages 1957-1965. Digital Object Identifier 10.1109/INFOCOM.2007.260

Abstract

Evaluation of network security is an essential step in securing any network. This evaluation can help security professionals in making optimal decisions about how to design security countermeasures, to choose between alternative security architectures, and to systematically modify security configurations in order to improve security. However, the security of a network depends on a number of dynamically changing factors such as emergence of new vulnerabilities and threats, policy structure and network traffic. Identifying, quantifying and validating these factors using security metrics is a major challenge in this area. In this paper, we propose a novel security metric framework that identifies and quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerability of the remotely accessible services, prediction of potential vulnerabilities for any general network service and their estimated severity and finally policy resistance to attack propagation within the network.

We then describe our rigorous validation experiments using real-life vulnerability data of the past 6 years from National Vulnerability Database (NVD) [10] to show the high accuracy and confidence of the proposed metrics. Some previous works have considered vulnerabilities using code analysis. However, as far as we know, this is the first work to study and analyze these metrics for network security evaluation using publicly available vulnerability information and security policy configuration.

Annotations

Framework for network security policy evaluation that can quantitatively measure the security of a network based on two critical risk aspects:
  • the risk of having a successful attack
  • the risk of this attack being propagated within the network

Network Risk Measurement Framework:
  [Figure: Picture_1.png, Network Risk Measurement Framework]

This solution is different from past work in that it tries to predict future vulnerabilities without inside knowledge of the studied software.

All currently existing systems do not represent the total picture, as they predominantly try to find existing risk and do not address how much risk the system will face in the near future, or how policy structure or network traffic would impact security.

Network Service Risk Analysis

Comprised of:
  • Existing Vulnerability Measure (EVM): unpatched services, the time between a vulnerability's existence and the existence of a patch, and a measure of how severe the existing vulnerabilities within the network are.
  • Historical Vulnerability Measure (HVM): measures how vulnerability prone a given service has been in the past. A service with a high frequency of vulnerabilities in the near past has a high HVM. Vulnerabilities for services are binned into high, medium and low risk groups. These are weighted depending on how new they are, since an older problem has a higher probability of being patched.
  • Probabilistic Vulnerability Measure (PVM): combines the probability of a vulnerability being discovered in the next period of time and the expected severity of that vulnerability to give an indication of the risk faced by the network in the near future.
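An added illustration of the HVM idea described above (example code written for this note, not the paper's own formula or code): each past vulnerability of a service is binned by severity, weighted by how recent it is, and summed. The bin weights, the one-year half-life decay and the six-year window are assumptions chosen for the example, and the vulnerability records are constructed, not real NVD entries.

```python
# Added example of a Historical Vulnerability Measure; weights and decay are assumptions.
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vuln:
    service: str
    published: date
    cvss: float  # CVSS v2 base score, as carried by NVD entries

# NVD CVSS v2 severity bands: High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9
def severity_bin(cvss: float) -> str:
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"

BIN_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.2}  # assumed bin weights

def age_weight(published: date, today: date, half_life_days: int = 365) -> float:
    """Older vulnerabilities count less (more likely patched): halve every half_life_days."""
    return 0.5 ** ((today - published).days / half_life_days)

def hvm(vulns, service: str, today: date, window_days: int = 6 * 365) -> float:
    """Sum severity-weighted, age-decayed vulnerabilities of `service` inside the window."""
    total = 0.0
    for v in vulns:
        if v.service != service or (today - v.published).days > window_days:
            continue
        total += BIN_WEIGHT[severity_bin(v.cvss)] * age_weight(v.published, today)
    return total

def rank_services(vulns, today: date):
    """Return (service, hvm) pairs, most vulnerability-prone first."""
    services = sorted({v.service for v in vulns})
    return sorted(((s, hvm(vulns, s, today)) for s in services), key=lambda p: -p[1])

# Constructed sample records (not real NVD entries); "today" is the date of this note
TODAY = date(2008, 5, 29)
SAMPLE = [
    Vuln("httpd", date(2008, 3, 1), 9.3),
    Vuln("httpd", date(2007, 6, 15), 5.0),
    Vuln("sshd", date(2005, 1, 10), 7.5),
    Vuln("ftpd", TODAY, 7.2),
    Vuln("smtpd", date(2001, 1, 1), 10.0),  # older than the 6-year window, ignored
]
```

With this data httpd ranks above ftpd even though ftpd's single vulnerability is brand new, because httpd's two recent findings together outweigh it; sshd's old finding has decayed to a small score.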

Network Policy Risk Analysis

The network policies determine the extent to which a network will be exposed to the outside world. The degree to which a policy allows an attack to spread within the network is given by the Attack Propagation (AP) metric (how difficult it is for an attacker to propagate an attack through the network using service vulnerabilities as well as policy vulnerabilities).

Results

If a service has a high vulnerability prone history, then there is a higher probability that the service will become vulnerable again in the near future. The National Vulnerability Database (NVD) was used, where part of the data was used for training, and the rest was used to validate predictions.

  • Results 1:
    [Figure: Picture_2.png, results 1]

  • Results 2:
    [Figure: Picture_3.png, Results 2]

-- AndrewBlaich - 29 May 2008
