k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities

@article{Wang2014kZeroDS,
  title={k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities},
  author={Lingyu Wang and Sushil Jajodia and Anoop Singhal and Pengsu Cheng and Steven Noel},
  journal={IEEE Transactions on Dependable and Secure Computing},
  year={2014},
  volume={11},
  pages={30-44}
}
By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. […] We formally define the metric, analyze the complexity of computing the metric, devise heuristic algorithms for intractable cases, and finally demonstrate through case studies that applying the metric to existing network security practices may generate actionable…
Network Security Metrics: Estimating the Resilience of Networks Against Zero Day Attacks
TLDR
A series of novel network security metrics with a special focus on modeling zero day attacks and study the relationships between software features and vulnerabilities are developed, and a biodiversity-inspired metric based on the effective number of distinct resources is devised.
A Proximity-Based Measure for Quantifying the Risk of Vulnerabilities
TLDR
Experimental results demonstrate that the proposed IRCR metric can be complementary to the current attack graph-based metrics in measuring the influential levels of exploitable vulnerabilities, and compared the efficacy and applicability of the proposed method with the state-of-the-art attack graph-based metrics such as cumulative attack probability, and cumulative attack resistance.
Diversity-aware, Cost-effective Network Security Hardening Using Attack Graph
TLDR
Experimental results show that the proposed diversity-aware, cost-effective network hardening solution is complementary to the existing attack graph-based network hardening solutions.
A novel system for quantifying the danger degree of computer network attacks
  • Marjan Keramati
  • Computer Science
    2017 IEEE 4th International Conference on Knowledge-Based Engineering and Innovation (KBEI)
  • 2017
TLDR
Some attack graph based security metrics have been defined that make risk assessment of multi-step attacks possible, with the capability to do quantitative rather than qualitative risk assessment, which has been achieved by defining security metrics as independent from CVSS as possible.
New Vulnerability Scoring System for dynamic security evaluation
  • Marjan Keramati
  • Computer Science
    2016 8th International Symposium on Telecommunications (IST)
  • 2016
TLDR
A Vulnerability Scoring System has been developed that assesses the risk of each known vulnerability based on its intrinsic and temporal features, and a novel method is proposed for the Impact estimation of vulnerability exploitation that improves the diversity of risk scores considerably.
Vulnerability Assessment for ICS system Based on Zero-day Attack Graph
TLDR
This study created a Zero-day attack graph to guide how to harden the system by measuring attack paths that exploit zero-day vulnerabilities, and identifies the vulnerability assessment method on ICS systems considering Zero-day Vulnerability by zero-day attack graph.
Zero-Day Vulnerability Risk Assessment and Attack Path Analysis Using Security Metric
TLDR
Experimental results show that the proposed method can quantitatively assess risk of single zero-day vulnerability and attack path from multiple dimensionalities.
Data Fusion of Security Logs to Measure Critical Security Controls to Increase Situation Awareness
TLDR
This research seeks to explore how measuring the CIS (formerly SANS) Critical Security Controls, through data fusion of security logs, has the potential to increase situation awareness to strategic decision makers, and systems administrators.
Dynamic Risk Assessment System for the Vulnerability Scoring
TLDR
Performing risk assessment by considering the type of the attacker which endangers the network security most is another novelty of this paper that is proposed for Impact estimation of vulnerability exploitation on security parameters of the network.
Attack Difficulty Metric for Assessment of Network Security
TLDR
A new security metric based on attack graph, namely Attack Difficulty has been proposed to include this position factor and comparison of this new metric with other attack graph based security metrics has been included to validate its acceptance in real life situations.

References

SHOWING 1-10 OF 55 REFERENCES
k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
TLDR
A novel security metric, k-zero day safety, based on the number of unknown zero day vulnerabilities is proposed, which simply counts how many unknown vulnerabilities would be required for compromising a network asset, regardless of what vulnerabilities those might be.
A weakest-adversary security metric for network configuration security analysis
TLDR
A novel quantitative metric for the security of computer networks that is based on an analysis of attack graphs is presented, which measures the security strength of a network in terms of the strength of the weakest adversary who can successfully penetrate the network.
A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks
TLDR
The approach is provably sound and ensures that shared dependencies have a proportional effect on the final calculation, and that cycles are handled correctly so that privileges are evaluated without any self-referencing effect.
Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
TLDR
This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks, and suggests that models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.
Topological analysis of network attack vulnerability
TLDR
It is shown how attack graphs can be used to compute actual sets of hardening measures that guarantee the safety of given critical resources, and offer a promising solution for administrators to monitor and predict the progress of an intrusion, and take appropriate countermeasures in a timely manner.
Extending Attack Graph-Based Security Metrics and Aggregating Their Application
  • N. Idika, B. Bhargava
  • Computer Science, Mathematics
    IEEE Transactions on Dependable and Secure Computing
  • 2012
TLDR
This work proposes a complementary suite of attack graph-based security metrics and specifies an algorithm for combining the usage of these metrics and presents simulated results that suggest that the approach reaches a conclusion about which of two attack graphs corresponds to a network that is most secure in many instances.
An Attack Surface Metric
TLDR
The notion of a system's attack surface is formalized and an attack surface metric is introduced to measure the attack surface in a systematic manner and is useful in multiple phases of the software development lifecycle.
An Attack Graph-Based Probabilistic Security Metric
TLDR
This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation, and defines and proposes heuristics to improve the efficiency of such computation.