Survey on the use of security metrics on attack graph

  • Lee, Gyung-Min (Graduate School of Information Security, Korea University)
  • Kim, Huy-Kang (Graduate School of Information Security, Korea University)
  • Received : 2018.08.27
  • Accepted : 2018.11.26
  • Published : 2018.12.31

Abstract

As the IT industry developed, the information held by a company soon became a corporate asset. Because this information has value as an asset, the number and scale of cyber attacks targeting enterprises and institutions are increasing day by day. Research is therefore being carried out to protect these assets from cyber attacks by using attack graphs to identify the possibility and risk of various attacks in advance and to prepare countermeasures against them. In an attack graph, a security metric is used as a measure for determining the importance of each asset or the risk of an attack. It is a key element of the attack graph, used as a criterion for determining which assets should be protected first or which attack path should be removed first. In this survey, we review trends in the various security metrics used in attack graphs and classify the research according to application viewpoint, use of CVSS (Common Vulnerability Scoring System), and detailed metrics. Furthermore, we discuss how to graft the latest security technologies, such as MTD (Moving Target Defense) or SDN (Software Defined Network), onto attack graphs.

Keywords

Fig. 1. CVSS scoring process

Fig. 2. Example of attack graph

Table 1. Metrics classification based on application perspective

Table 2. Metrics classification based on CVSS usage

Table 3. Metrics classification based on detailed metric

Table 4. Evaluation of 5 aspects in security metrics
