Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Aggregating Vulnerability Metrics in Enterprise Networks using Attack Graphs



John Homer, Su Zhang, Xinming Ou, David Schmidt, Yanhui Du, S. Raj Rajagopalan, Anoop Singhal


Quantifying security risk is an important and yet difficult task in enterprise network security man- agement. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metrics in an enterprise network, producing quantitative metrics that measure the likelihood breaches can oc- cur within a given network configuration. A clear semantic model for this aggregation is an important first step towards a comprehensive network security metric model. We utilize existing work in attack graphs and apply probabilistic reasoning to produce an aggregation that has clear semantics and sound computation. We ensure that shared dependencies between attack paths have a proportional effect on the final calculation. We correctly reason over cycles, ensuring that privileges are evaluated without any self-referencing effect. We introduce additional modeling artifacts in our probabilistic graphical model to capture and account for hidden correlations among exploit steps. The paper shows that a clear seman- tics for aggregation is critical in interpreting the results, calibrating the metric model, and explaining insights gained from empirical evaluation. Our approach has been rigorously evaluated using a number of network models, as well as data from production systems.
Journal of Computer Security


risk assessment, vulnerability metrics, attack graphs, enterprise network security management


Homer, J. , Zhang, S. , Ou, X. , Schmidt, D. , Du, Y. , Rajagopalan, S. and Singhal, A. (2013), Aggregating Vulnerability Metrics in Enterprise Networks using Attack Graphs, Journal of Computer Security, [online],, (Accessed June 21, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created September 19, 2013, Updated October 12, 2021