To protect critical resources in today's networked environments, it is desirable to quantify the likelihood of potential multi-step attacks that combine multiple vulnerabilities. This now becomes feasible due to a model of causal relationships between vulnerabilities, namely, the attack graph. This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation. We first define the basic metric and provide an intuitive and meaningful interpretation of the metric. We then study the definition in more complex attack graphs with cycles and extend the definition accordingly. We show that computing the metric directly from its definition is not efficient in many cases and propose heuristics to improve the efficiency of such computation.
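As an added illustration (not the paper's code) of what such a metric measures and why computing it directly is costly: a constructed six-exploit attack graph, the exact probability that the attacker reaches a goal condition (summing over all 2^|E| exploit outcomes, with the individual success probabilities p(e) assumed independent), and a cheap noisy-OR propagation that overestimates when alternative attack paths share an exploit. The hosts, exploit names and probabilities are all constructed assumptions.

```python
import math
from itertools import product

# Constructed sample attack graph over hypothetical hosts 0, 1 and 2. Each exploit
# lists the conditions it needs (all of them), the ones it grants, and p(e).
EXPLOITS = {
    "ftp_rhosts(0,1)": ({"user(0)"},    {"trust(1,0)"}, 0.6),
    "rsh(0,1)":        ({"trust(1,0)"}, {"user(1)"},    0.8),
    "sshd_bof(1,2)":   ({"user(1)"},    {"user(2)"},    0.3),
    "ftp_rhosts(1,2)": ({"user(1)"},    {"trust(2,1)"}, 0.6),
    "rsh(1,2)":        ({"trust(2,1)"}, {"user(2)"},    0.8),
    "local_bof(2)":    ({"user(2)"},    {"root(2)"},    0.5),
}
INITIAL = {"user(0)"}  # the attacker's starting privilege

def reachable(initial, working, exploits=EXPLOITS):
    """Conditions attainable with only the exploits in `working` (fixed point, so cycles are fine)."""
    have, changed = set(initial), True
    while changed:
        changed = False
        for name in working:
            pre, post, _ = exploits[name]
            if pre <= have and not post <= have:
                have |= post
                changed = True
    return have

def exact_metric(goal, exploits=EXPLOITS, initial=INITIAL):
    """P(goal attainable) summed over every success/failure outcome of the exploits:
    exact for independent p(e), but 2^|E| work, which is why heuristics are needed."""
    names, total = list(exploits), 0.0
    for outcome in product((False, True), repeat=len(names)):
        prob = math.prod(exploits[n][2] if ok else 1 - exploits[n][2] for n, ok in zip(names, outcome))
        working = [n for n, ok in zip(names, outcome) if ok]
        if goal in reachable(initial, working, exploits):
            total += prob
    return total

def propagated_metric(goal, exploits=EXPLOITS, initial=INITIAL):
    """Cheap estimate: AND over preconditions, noisy-OR over granting exploits. Treats
    alternative branches as independent, so it overestimates when they share an ancestor."""
    p, pe = {c: 1.0 for c in initial}, {}
    for _ in range(len(exploits)):  # enough sweeps for any acyclic graph
        for name, (pre, post, base) in exploits.items():
            if pre.issubset(p):
                pe[name] = base * math.prod(p[c] for c in pre)
                for c in post - initial:
                    p[c] = 1 - math.prod(1 - pe[n] for n in pe if c in exploits[n][1])
    return p.get(goal, 0.0)
```

Here the two routes to user(2) both pass through rsh(0,1), so the propagated value (about 0.171) exceeds the exact one (about 0.153).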
Proceedings Title: Data and Applications Security XXII (Lecture Notes in Computer Science)
Conference Dates: July 13-16, 2008
Conference Location: London
Conference Title: 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security
Pub Type: Conferences
Keywords: graphs, network security, security metrics, vulnerability assessment