An Attack Graph Based Method for Predictive Risk Evaluation of Zero-Day Attacks

  • Marjan Keramati Faculty member of Semnan University
Keywords: Zero day attack, CVSS, Vulnerability, Risk Assessment, Security Metric, Network Hardening, Intrusion Prevention

Abstract

Risk assessment of computer networks is an inevitable part of network hardening. For efficient attack prevention, risk evaluation must be accurate and quantitative. Such risk assessment requires a thorough understanding of the causes of attacks, that is, vulnerabilities, and their related characteristics. One major problem, however, is that there are vulnerabilities that are known to attackers but about which databases like NVD (National Vulnerability Database) hold no information. Such vulnerabilities are referred to as unknown or zero-day attacks. Existing standards like NVD ignore the effect of unknown attacks in risk assessment of computer networks. In this paper, by defining some attack graph based security metrics, we propose an innovative method for risk evaluation of multi-step zero-day attacks. By predicting the intrinsic features of zero-day attacks, the proposed method makes their risk estimation possible. Considering the effect of the temporal features of vulnerabilities makes our approach a dynamic risk estimator.

Author Biography

Marjan Keramati, Faculty member of Semnan University

Marjan Keramati received both her undergraduate and graduate degrees in Computer System Architecture from Iran University of Science and Technology. Currently, she is a faculty member at Semnan University, Department of Computer Science. She is also an Editorial Board Member of the International Journal of Cases on Information Technology (USA). In addition, she is a member of the National and Technical Commission of Standard Codification and registered one National Standard in the field of network security in 2017. Her other academic activities include publishing papers in international journals and conferences, reviewing papers for various prestigious international journals, and serving on both scientific and executive committees of international conferences. Her research interests include: Risk Evaluation, Security Metrics, Security Modeling, Vulnerability Analysis, Cloud Computing Security, Intrusion Prevention Systems, Intrusion Response Systems.

Published
2018-02-17
How to Cite
Keramati, M. (2018, February 17). An Attack Graph Based Method for Predictive Risk Evaluation of Zero-Day Attacks. International Journal of Information & Communication Technology Research, 9(3), 7-16. Retrieved from http://journal.itrc.ac.ir/index.php/ijictr/article/view/205