http://dx.doi.org/10.9708/jksci.2018.23.12.095

Survey on the use of security metrics on attack graph  

Lee, Gyung-Min (Graduate School of Information Security, Korea University)
Kim, Huy-Kang (Graduate School of Information Security, Korea University)
Abstract
As the IT industry has developed, the information held by a company has become a corporate asset. Because this information has value as an asset, the number and scale of cyber attacks targeting enterprises and institutions are increasing day by day. Therefore, research is being carried out to protect these assets from cyber attacks by using attack graphs to identify the possibility and risk of various attacks in advance and to prepare countermeasures against them. In an attack graph, a security metric is used as a measure for determining the importance of each asset or the risk of an attack. It is a key element of the attack graph, serving as the criterion for deciding which assets should be protected first or which attack path should be removed first. In this survey, we review the trends of the various security metrics used in attack graphs and classify the research according to application viewpoint, use of CVSS (Common Vulnerability Scoring System), and detailed metrics. Furthermore, we discuss how to graft the latest security technologies, such as MTD (Moving Target Defense) and SDN (Software Defined Network), onto attack graphs.
Keywords
Attack Graph; CVSS; Security Metric; Moving Target Defense; Survey
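As an added worked example (not code from the paper), the Python script below builds a small constructed attack graph, maps each exploit's CVSS base score to a success probability (an assumed score/10 convention), computes the exact probability that an attacker reaches a target asset, and ranks which vulnerability to patch first by how much its removal lowers that probability. The graph, the scores and the mapping are all assumptions made for illustration.

```python
from itertools import product

# Constructed attack graph (assumption, not from the paper): each exploit needs
# all of its preconditions, grants one postcondition, and carries a CVSS base
# score. The attacker starts with the "internet" condition.
EXPLOITS = {
    "e1": {"pre": ["internet"], "post": "web_shell", "cvss": 9.8},
    "e2": {"pre": ["web_shell"], "post": "db_user", "cvss": 6.5},
    "e3": {"pre": ["internet"], "post": "vpn_user", "cvss": 5.3},
    "e4": {"pre": ["vpn_user"], "post": "db_user", "cvss": 8.1},
    "e5": {"pre": ["db_user"], "post": "db_root", "cvss": 7.8},
}

def exploit_probability(cvss):
    # Assumed metric: CVSS base score normalised to a success probability.
    return cvss / 10.0

def reachable(successful):
    """Conditions the attacker gains when exactly `successful` exploits work."""
    gained, changed = {"internet"}, True
    while changed:
        changed = False
        for name in successful:
            ex = EXPLOITS[name]
            if ex["post"] not in gained and all(c in gained for c in ex["pre"]):
                gained.add(ex["post"])
                changed = True
    return gained

def goal_probability(goal, patched=()):
    """Exact P(attacker reaches goal): enumerate every success/failure outcome
    of the unpatched exploits, treating their outcomes as independent."""
    names = [n for n in EXPLOITS if n not in patched]
    total = 0.0
    for outcome in product([False, True], repeat=len(names)):
        prob, successful = 1.0, []
        for name, ok in zip(names, outcome):
            p = exploit_probability(EXPLOITS[name]["cvss"])
            prob *= p if ok else 1.0 - p
            if ok:
                successful.append(name)
        if goal in reachable(successful):
            total += prob
    return total

def rank_patches(goal):
    """Rank single patches by how much each lowers P(goal); the defender
    removes the top-ranked exploit from the graph first."""
    base = goal_probability(goal)
    gains = {n: base - goal_probability(goal, patched=(n,)) for n in EXPLOITS}
    return sorted(gains.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, gain in rank_patches("db_root"):
        print(f"patch {name}: P(db_root) drops by {gain:.4f}")
```

With the constructed scores, patching e5 (the only path into db_root) wins outright, while the two exploits on the high-CVSS web path outrank the two on the VPN path.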