Singhal, A.
and Ou, X.
(2011),
Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.7788
(Accessed October 8, 2025)
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs
Published
Author(s)
, Xinming Ou
Abstract
Today's information systems face sophisticated attackers who combine multiple vulnerabilities to penetrate networks with devastating impact. The overall security of an enterprise network cannot be determined by simply counting the number of vulnerabilities. To accurately assess the security of enterprise systems one must understand how vulnerabilities can be combined to stage an attack. We model such composition of vulnerabilities through probabilistic attack graphs, which show all paths of attacks that allow incremental network penetration. We propagate attack likelihoods through the attack graph, yielding a novel way to measure the security risk of enterprise systems. We use this metric for risk mitigation analysis to maximize the security of enterprise systems. We believe that our methodology based on probabilistic attack graphs can be used to evaluate and strengthen the overall security of enterprise networks.Citation
NIST Interagency/Internal Report (NISTIR) - 7788
Report Number
7788
NIST Pub Series
Pub Type
NIST Pubs
Download Paper
Keywords
attack detection, attack graphs, computer networks, security risk
Citation
Issues
If you have any questions about this publication or are having problems accessing it, please contact [email protected].
Created August 1, 2011, Updated November 10, 2018