The concept of attack surface has seen many applications in various domains, e.g., software security, cloud security, mobile device security and Moving Target Defense (MTD). However, in contrast to the original attack surface metric, which is formally and quantitatively defined for a single software system, most of the applications at higher abstraction levels, such as the network level, are limited to an intuitive and qualitative notion, losing the modeling power of the original concept. In this paper, we lift the attack surface concept to the network level as a formal security metric for evaluating the resilience of networks against zero-day attacks. Specifically, we first develop novel models for aggregating the attack surfaces of different network resources. We then design heuristic algorithms to estimate the network attack surface while reducing the effort spent on calculating the attack surface of individual resources. Finally, the proposed methods are evaluated through experiments.
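The abstract contrasts the original, quantitative per-software attack surface metric with the intuitive network-level notion. The following Python is an added example, not code from the paper or from NIST: it computes the per-resource measurement in the style of Manadhata and Wing (a damage-potential/effort ratio summed along the method, channel and data dimensions) for a few constructed services, then aggregates only the resources an attacker can reach over a small host-connectivity graph. The ordinal scales, the host graph, the service names and the aggregation rule (a plain sum over reachable resources) are all assumptions for illustration; the paper's own aggregation models and heuristics are not reproduced here.

```python
from collections import deque
from dataclasses import dataclass

# Ordinal damage-potential and effort scales. The numeric values are
# assumptions for illustration; Manadhata and Wing rank privilege, protocol
# and data type per system rather than fixing universal numbers.
DAMAGE = {
    # privilege a method runs with / protocol of a channel / type of a data item
    "unauthenticated": 1, "authenticated": 2, "root": 3,
    "udp": 1, "tcp": 2, "tls": 3,
    "log": 1, "config": 2, "database": 3,
}
# access rights an attacker needs before touching the entry/exit point
EFFORT = {"unauthenticated": 1, "authenticated": 2, "root": 3}


@dataclass(frozen=True)
class Point:
    """One entry/exit point of a resource: a method, channel or data item."""
    name: str
    kind: str          # "method", "channel" or "data"
    damage: str        # key into DAMAGE
    access: str        # key into EFFORT

    def der(self) -> float:
        # damage potential / effort ratio: the per-point contribution
        return DAMAGE[self.damage] / EFFORT[self.access]


@dataclass(frozen=True)
class Resource:
    host: str
    service: str
    points: tuple


def attack_surface(res: Resource):
    """Per-resource measurement: summed ratios along (methods, channels, data)."""
    totals = {"method": 0.0, "channel": 0.0, "data": 0.0}
    for p in res.points:
        totals[p.kind] += p.der()
    return totals["method"], totals["channel"], totals["data"]


def reachable_hosts(edges, start):
    """Hosts an attacker positioned at `start` can reach over the graph (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        h = queue.popleft()
        for nxt in edges.get(h, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def network_attack_surface(resources, edges, start):
    """Naive aggregation (an assumption, not the paper's model): sum the triples
    of every resource on a host reachable from `start`, computing the
    per-resource metric only for those. Returns (triple, resources_measured)."""
    hosts = reachable_hosts(edges, start)
    acc = [0.0, 0.0, 0.0]
    measured = 0
    for r in resources:
        if r.host not in hosts:
            continue            # unreachable: skip the per-resource calculation
        m, c, d = attack_surface(r)
        acc[0] += m
        acc[1] += c
        acc[2] += d
        measured += 1
    return tuple(acc), measured


# Constructed sample network: attacker -> web -> db; "backup" is not reachable.
SAMPLE_EDGES = {"attacker": ["web"], "web": ["db"], "backup": ["db"]}
SAMPLE_RESOURCES = (
    Resource("web", "httpd", (
        Point("GET /", "method", "unauthenticated", "unauthenticated"),   # 1/1
        Point("admin upload", "method", "root", "authenticated"),         # 3/2
        Point("tcp/80", "channel", "tcp", "unauthenticated"),             # 2/1
        Point("httpd.conf", "data", "config", "root"),                    # 2/3
    )),
    Resource("db", "postgres", (
        Point("SQL query", "method", "authenticated", "authenticated"),   # 2/2
        Point("tcp/5432", "channel", "tcp", "authenticated"),             # 2/2
        Point("customer table", "data", "database", "authenticated"),     # 3/2
    )),
    Resource("backup", "rsyncd", (
        Point("pull", "method", "root", "root"),                          # 3/3
        Point("tcp/873", "channel", "tcp", "root"),                       # 2/3
    )),
)


def demo():
    return network_attack_surface(SAMPLE_RESOURCES, SAMPLE_EDGES, "attacker")


if __name__ == "__main__":
    (m, c, d), n = demo()
    print(f"network attack surface = ({m:.2f}, {c:.2f}, {d:.2f}); "
          f"{n} of {len(SAMPLE_RESOURCES)} resources measured")
```

The point of the reachability filter is the one the abstract makes about effort: the per-resource metric is the expensive part (each entry and exit point has to be enumerated and rated), so only resources the attacker can actually reach are measured, and the unreachable backup host contributes nothing.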
IEEE Transactions on Dependable and Secure Computing
Wang, L., Jajodia, S. and Singhal, A.
Citation: Wang, L., Jajodia, S. and Singhal, A., Network Attack Surface: Lifting the Attack Surface Concept to Network Level for Evaluating the Resilience against Zero-Day Attacks, IEEE Transactions on Dependable and Secure Computing, [online], https://doi.org/10.1109/TDSC.2018.2889086, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=921183 (Accessed March 2, 2024)