Abstract—Evaluation of network security is an essential step in securing any network. This evaluation can help security professionals in making optimal decisions about how to design security countermeasures, to choose between alternative security architectures, and to systematically modify security configurations in order to improve security. However, the security of a network depends on a number of dynamically changing factors such as emergence of new vulnerabilities and threats, policy structure and network traffic. Identifying, quantifying and validating these factors using security metrics is a major challenge in this area. In this paper, we propose a novel security metric framework that identifies and quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerability of the remotely accessible services, prediction of potential vulnerabilities for any general network service and their estimated severity and finally policy resistance to attack propagation within the network. We then describe our rigorous validation experiments using reallife vulnerability data of the past 6 years from National Vulnerability Database (NVD) [10] to show the high accuracy and confidence of the proposed metrics. Some previous works have considered vulnerabilities using code analysis. However, as far as we know, this is the first work to study and analyze these metrics for network security evaluation using publicly available vulnerability information and security policy configuration. 1 I.

Given the increasing dependence of our societies on networked information systems, the overall security of these systems should be measured and improved. Existing security metrics have generally focused on measuring individual vulnerabilities without considering their combined effects. Our previous work tackle this issue by exploring the causal relationships between vulnerabilities encoded in an attack graph. However, the evolving nature of vulnerabilities and networks has largely been ignored. In this paper, we propose a Dynamic Bayesian Networks (DBNs)-based model to incorporate temporal factors, such as the availability of exploit codes or patches. Starting from the model, we study two concrete cases to demonstrate the potential applications. This novel model provides a theoretical foundation and a practical framework for continuously measuring network security in a dynamic environment. Categories and Subject Descriptors D.4.6 [Security and Protection]: Invasive software (e.g., viruses,

Abstract. The anticipation game framework is an extension of attack graphs based on game theory. It is used to anticipate and analyze intruder and administrator interactions with the network. In this paper we extend this framework with cost and reward in order to analyze and find player strategies. Additionally this extension allows to take into account the financial aspect of network security in the analysis. Intuitively a strategy is the best succession of actions that the administrator or the intruder can perform to achieve his objectives. Player objectives range from patching the network efficiently to compromising the most valuable network assets. We prove that finding the optimal strategy is decidable and only requires a linear memory space. Finally we show that finding strategy can be done in practice by evaluating the performance of our analyzer called NetQi. 1

Mitigation of security risk is an important task in enterprise network security management. However it is presently a skill acquired by individual experience, more an art than a science. The biggest challenge in the problem is a quantitative model that objectively measures the likelihood a breach can be accomplished. This paper presents a sound and practical approach to such a quantitative model. We utilize existing work in attack graphs and individual vulnerability metrics, such as CVSS, and apply probabilistic reasoning to produce a sound risk measurement. The problem requires a careful coordination of attack graph data to account for cyclic and shared dependencies. We recognize that networks commonly have many host interconnections and network privileges could be gained in many ways. This factor leads to cycles in an attack graph, which must be identified and properly treated when measuring risk to prevent distortion of the results. We also recognize that multiple attack paths leading to the same network privilege will often share some dependencies and so a valid assessment cannot simply treat these paths as independent. Our approach is provably sound and ensures that shared dependencies have a proportional effect on the final calculation, and that cycles are handled correctly so that privileges are evaluated without any self-referencing effect. We also present preliminary experimental results on our algorithm and identify directions for future improvement. 1

Abstract—Security of a network depends on a number of dynamically changing factors. These include emergence of new vulnerabilities and threats, policy structure and network traffic. Due to the dynamic nature of these factors, identifying security metrics that measure objectively the quality of security configuration pose a major challenge. Moreover, this evaluation must be done dynamically to handle real time changes in the threat toward the network. In this paper, we extend our security metric framework [2] that identifies and quantifies objectively the most significant security risk factors, which include existing vulnerabilities, historical trend of vulnerabilities of remotely accessible services, prediction of potential vulnerabilities for any general network service and their estimated severity and finally propagation of an attack within the network. We have implemented this framework as a user-friendly tool called Risk based prOactive seCurity cOnfiguration maNAger (ROCONA) and showed how this tool simplifies security configuration management using risk measurement and mitigation. I.

Abstract. The anticipation game framework is an extension of attack graphs based on game theory. It is used to anticipate and analyze intruder and administrator concurrent interactions with the network. Like attack-graph-based model checking, the goal of an anticipation game is to prove that a safety property holds. However using this kind of goal is tedious and error prone on large networks because it assumes that the analyst has prior and complete knowledge of critical network services. In this paper we address this issue by introducing a new kind of goal called “strategy objectives”. Strategy objectives mixes logical constraints and numerical ones. In order to achieve these strategy objectives, we have extended the anticipation games framework with cost and reward. Additionally this extension allows us to take into account the financial dimension of attacks during the analysis. We prove that finding the optimal strategy is decidable and only requires linear space. Finally we show that anticipation games with strategy objectives can be used in practice even on large networks by evaluating the performance of our prototype. 1

Abstract. The security risk of a network against unknown zero day attacks has been considered as something unmeasurable since software flaws are less predictable than hardware faults and the process of finding such flaws and developing exploits seems to be chaotic. In this paper, we propose a novel security metric, k-zero day safety, based on the number of unknown zero day vulnerabilities. That is, the metric simply counts how many unknown vulnerabilities would be required for compromising a network asset, regardless of what vulnerabilities those might be. We formally define the metric based on an abstract model of networks and attacks. We then devise algorithms for computing the metric. Finally, we show the metric can quantify many existing practices in hardening a network. 1

Abstract — Security is increasingly becoming an important issue in the design of real-time parallel applications, which are widely used in industry and academic organizations. However, existing resource allocation schemes for real-time parallel jobs on clusters generally do not factor in security requirements when making allocation and scheduling decisions. In this paper, we develop two resource allocation schemes, called TAPADS (Task Allocation for Parallel Applications with Deadline and Security constraints) and SHARP (Security- and Heterogeneity-Aware Resource allocation for Parallel jobs), by taking into account applications ’ timing and security requirements in addition to precedence constraints. We consider two types of computing platforms: homogeneous clusters and heterogeneous clusters. To facilitate the presentation of the new schemes, we build mathematical models to describe a system framework, security overhead, and parallel applications with deadline and security constraints. The proposed schemes are applied to heuristically find resource allocations that maximize the quality of security and the probability of meeting deadlines for parallel applications running on clusters. Extensive experiments using real world applications and traces as well as synthetic benchmarks demonstrate the effectiveness and practicality of the proposed schemes. Index Terms — Security constraints, real-time scheduling, security overhead model, parallel jobs, clusters.

Information technology (IT) is a crucial resource and enabler in almost every part of our society. However, there are severe risks associated with IT that may substantially decrease the potential benefits. To handle these risks, it is essential to be able to judge the security posture of systems. This requires the ability to perform security assessments. However, since security is an abstract, subjective, and non-tangible property, proper security assessment of non-trivial systems is hard. Currently, there is a lack of methods for efficient, reliable, and valid security assessments. In this paper, problems relating to the structural assessment of system security are addressed. In structural security assessments, the security of systems is quantified based on the security qualities of and interrelations between sub-systems. 1

Abstract—Security is increasingly becoming an important issue in the design of real-time parallel applications, which are widely used in the industry and academic organizations. However, existing resource allocation schemes for real-time parallel jobs on clusters generally do not factor in security requirements when making allocation and scheduling decisions. In this paper, we develop two resource allocation schemes, called Task Allocation for Parallel Applications with Deadline and Security constraints (TAPADS) and Security-Aware and Heterogeneity-Aware Resource allocation for Parallel jobs (SHARP), by taking into account applications ’ timing and security requirements in addition to precedence constraints. We consider two types of computing platforms: homogeneous clusters and heterogeneous clusters. To facilitate the presentation of the new schemes, we build mathematical models to describe a system framework, security overhead, and parallel applications with deadline and security constraints. The proposed schemes are applied to heuristically find resource allocations that maximize the quality of security and the probability of meeting deadlines for parallel applications running on clusters. Extensive experiments using real-world applications and traces, as well as synthetic benchmarks, demonstrate the effectiveness and practicality of the proposed schemes. Index Terms—Security constraints, real-time scheduling, security overhead model, parallel jobs, clusters. Ç