http://dx.doi.org/10.13089/JKIISC.2015.25.5.1281

Which country's end devices are most sharing vulnerabilities in East Asia?  

Kim, Kwangwon (School of Information Security, Korea University)
Won, Yoon Ji (School of Information Security, Korea University)
Abstract
Compared to the past, people can now control end devices via an open channel. Although this open channel provides convenience to users, it frequently turns into a security hole. In this paper, we propose a new human-centered security risk analysis method that puts weight on the relationship between end devices. The measure derives from the concept of entropy rate, which is known as the uncertainty per node in a network. As there are some limitations in using the entropy rate as a measure for comparing networks of different sizes, we divide the entropy rate of a network by the maximum entropy rate of the network. We also show how to avoid violating irreducibility, which is a precondition of the entropy rate of a random walk on a graph.
Keywords
Information security; Security risk analysis method; Quantitative risk analysis; Entropy rate-based risk analysis; Risk model; CVE based risk analysis;