NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

An Empirical Study of a Vulnerability Metric Aggregation Method

Published

Author(s)

Su Zhang, Xinming Ou, Anoop Singhal, John Homer

Abstract

Quantifying security risk is an important and yet difficult task in enterprise network risk management, critical for proactive mission assurance. Even though metrics exist for individual vulnerabilities, there is currently no standard way of aggregating such metrics. We developed a quantitative model that can be used to aggregate vulnerability metrics in an enterprise network, with a sound computation model. Our model produces quantitative metrics that measure the likelihood that breaches can occur within a given network configuration, taking into consideration the effects of all possible interplays between vulnerabilities. In order to validate the effectiveness scalability and accuracy) of this approach to realistic networks, we present the empirical study results of the approach on a number of system configurations. We use a real network as the test bed to demonstrate the utility of the approach, showing that the sound computation model is crucial for interpreting the metric result.
Proceedings Title
Mission Assurance and Critical Infrastructure Protection
Volume
I
Conference Dates
July 18-21, 2011
Conference Location
Las Vegas, NV, US
Conference Title
2011 World Congress in Computer Science
Pub Type
Conferences

Download Paper

Local Download

Keywords

attack detection, attack graphs, computer networks, security risk
Information technology and Cybersecurity and privacy

Citation

Zhang, S. , Ou, X. , Singhal, A. and Homer, J. (2011), An Empirical Study of a Vulnerability Metric Aggregation Method, Mission Assurance and Critical Infrastructure Protection, Las Vegas, NV, US, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=908558 (Accessed October 9, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created August 17, 2011, Updated October 12, 2021
Was this page helpful?