An Empirical Study of a Vulnerability Metric Aggregation Method

Abstract

Quantifying security risk is an important and yet difficult task in enterprise network risk management, critical for proactive mission assurance. Even though metrics exist for individual vulnerabilities, there is currently no standard way of aggregating such metrics. We developed a quantitative model that can be used to aggregate vulnerability metrics in an enterprise network, with a sound computation model. Our model produces quantitative metrics that measure the likelihood that breaches can occur within a given network configuration, taking into consideration the effects of all possible interplays between vulnerabilities. In order to validate the effectiveness (scalability and accuracy) of this approach to realistic networks, we present the empirical study results of the approach on a number of system configurations. We use a real network as the test bed to demonstrate the utility of the approach, show that the sound computation model is crucial for interpreting the metric result.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jul 01, 2011
Accession Number
ADA557504

Entities

People

  • Anoop Singhal
  • John Homer
  • Su Zhang
  • Xinming Ou

Organizations

  • Kansas State University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Algorithms
  • Artifacts
  • Business Administration
  • Databases
  • Generators
  • Internet
  • Language
  • Network Topology
  • Networks
  • Operating Systems
  • Probability
  • Risk
  • Risk Analysis
  • Security
  • Standards
  • Vulnerability
  • Web Browsers

Fields of Study

  • Computer science

Readers

  • Computational Modeling and Simulation
  • Cybersecurity.