Aggregating Vulnerability Metrics in Enterprise Networks using Attack Graphs
John Homer, Su Zhang, Xinming Ou, David Schmidt, Yanhui Du, S. Raj Rajagopalan, Anoop Singhal
Quantifying security risk is an important and yet difficult task in enterprise network security man- agement. While metrics exist for individual software vulnerabilities, there is currently no standard way of aggregating such metrics. We present a model that can be used to aggregate vulnerability metrics in an enterprise network, producing quantitative metrics that measure the likelihood breaches can oc- cur within a given network configuration. A clear semantic model for this aggregation is an important first step towards a comprehensive network security metric model. We utilize existing work in attack graphs and apply probabilistic reasoning to produce an aggregation that has clear semantics and sound computation. We ensure that shared dependencies between attack paths have a proportional effect on the final calculation. We correctly reason over cycles, ensuring that privileges are evaluated without any self-referencing effect. We introduce additional modeling artifacts in our probabilistic graphical model to capture and account for hidden correlations among exploit steps. The paper shows that a clear seman- tics for aggregation is critical in interpreting the results, calibrating the metric model, and explaining insights gained from empirical evaluation. Our approach has been rigorously evaluated using a number of network models, as well as data from production systems.
, Zhang, S.
, Ou, X.
, Schmidt, D.
, Du, Y.
, Rajagopalan, S.
and Singhal, A.
Aggregating Vulnerability Metrics in Enterprise Networks using Attack Graphs, Journal of Computer Security, [online], https://doi.org/10.3233/JCS-130475, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=926022
(Accessed October 2, 2023)