Journal Title : International Journal of Modern Trends in Engineering and Science


Author’s Name : Sundaresan K | Dineshkumar T | Pugazhenthi Aunnamed

Volume 04 Issue 03 2017

ISSN no:  2348-3121

Page no: 18-23

Abstract – One of the main difficulties in securing computer networks is the lack of means for directly measuring the relative effectiveness of different security solutions in a given network through false positive and false negative measures. This issue can be addressed by a novel network security metric, k-zero day safety. Roughly speaking, instead of attempting to measure which unknown vulnerabilities are more likely to exist, it starts with the worst-case assumption that this is not measurable. The metric then simply counts how many zero-day vulnerabilities are required to compromise a network asset. A larger count indicates a relatively more secure network, because the likelihood of having more unknown vulnerabilities all available at the same time, applicable to the same network, and exploitable by the same attacker, will be lower. The paper formally defines the k-zero day safety metric based on an abstract model of networks and zero-day attacks. It then considers computing the metric and designs heuristic algorithms for addressing the complexity of that computation in special cases. It demonstrates the usefulness of the metric by applying it to the evaluation of existing practices in network hardening through a series of case studies.

Keywords – Security Metrics, Network Security, Attack Graph, Network Hardening
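The counting idea in the abstract, as an added example that is not code from the paper: it computes k for a constructed two-host network before and after a hardening change. The exploit model (preconditions and postconditions, with exploits of the same service counted as one zero-day vulnerability) and all names are assumptions made for illustration; the search is exhaustive, so it only suits small models.

```python
from itertools import combinations

# Constructed toy network (not from the paper): attacker host 0, hosts 1 and 2.
# Each exploit is (zero-day vulnerability, preconditions, postconditions).
# Assumption: exploits of the same service share one unknown vulnerability.
EXPLOITS = [
    ("http", {"reach_0_1_http"}, {"user_1"}),
    ("ssh", {"reach_0_1_ssh"}, {"user_1"}),
    ("ssh", {"user_1", "reach_1_2_ssh"}, {"root_2"}),
]
BASELINE = {"reach_0_1_http", "reach_0_1_ssh", "reach_1_2_ssh"}
HARDENED = BASELINE - {"reach_0_1_ssh"}  # firewall now blocks ssh from host 0


def reachable(exploits, initial, allowed):
    """Forward-chain exploits whose vulnerability is in `allowed`.

    Conditions are monotonic: once satisfied they stay satisfied.
    """
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for vuln, pre, post in exploits:
            if vuln in allowed and pre <= known and not post <= known:
                known |= post
                changed = True
    return known


def k_zero_day(exploits, initial, asset):
    """Return (k, witness): the smallest number of distinct zero-day
    vulnerabilities that lets the attacker reach `asset`, and one such set.
    Returns (None, ()) if the asset is unreachable in the model."""
    vulns = sorted({v for v, _, _ in exploits})
    for k in range(len(vulns) + 1):
        for subset in combinations(vulns, k):
            if asset in reachable(exploits, initial, set(subset)):
                return k, subset
    return None, ()


if __name__ == "__main__":
    print("baseline:", k_zero_day(EXPLOITS, BASELINE, "root_2"))
    print("hardened:", k_zero_day(EXPLOITS, HARDENED, "root_2"))
```
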

