(IJCSIS) International Journal of Computer Science and Information Security,
Vol. 8, No. 2, 2010
A New Approach for Security Risk Assessment Caused by Vulnerabilities of System by Considering the Dependencies

Mohammad Taromi
Performance and Dependability Eng. Lab.
School of Computer Engineering, Iran University of Science and Technology
Tehran, Iran
taromi@comp.iust.ac.ir

Mohammad Abdollahi Azgomi (Corresponding Author)
Performance and Dependability Eng. Lab.
School of Computer Engineering, Iran University of Science and Technology
Tehran, Iran
azgomi@iust.ac.ir
Abstract— Risk estimation is a necessary step in risk management: it measures the impact caused by the probability of exploiting the vulnerabilities recognized in a system. At present, qualitative metrics are mostly used for this purpose, and they are believed to suffer from subjectivity. The risk caused by a recognized vulnerability is computed from the values of the Common Vulnerability Scoring System (CVSS) attributes. The great challenge in this field, however, is that the dependency between the vulnerabilities recognized in the system is not taken into account. In this paper, a new approach to assessing the risk caused by the vulnerabilities of a system is proposed which considers the dependencies among the vulnerabilities. The approach consists of three steps. In the first step, after the vulnerabilities and the configuration of the system have been recognized, an attack graph is generated for all the critical resources of the system using the MulVAL framework; from these attack graphs the dependency among the vulnerabilities is extracted. In the second step, a Markov model is generated from the extracted dependencies and from the impact and exploitability of each individual vulnerability, which are defined on the basis of CVSS attributes. In the third step, the Markov model is used to estimate the quantitative security risk as the attacker progresses through the system. We introduce the proposed approach, a case study demonstrating the above steps, and the results of the quantitative security risk estimation.

Keywords-Security Risk Assessment; Vulnerability; Attack Graph

I. INTRODUCTION

Although engineering methods are applied in software production, the extending use and increasing complexity of information systems, together with the market's pressure to reduce production time and cost, leave remarkable vulnerabilities unresolved in these systems. Furthermore, because intruders have many motivations for obtaining the resources of these systems or disturbing their functionality, the number of methods for exploiting these vulnerabilities is also increasing.

Despite the patching of vulnerabilities, it is impossible to remove all of them: appropriate patches may be lacking, the system may lose functionality after reconfiguration, or financial limitations may prevent patches from being provided for specific vulnerabilities. Moreover, despite the use of various countermeasures such as firewalls or anti-virus software, attackers are not easily recognized, or these countermeasures are likely to disturb the system's ordinary operation. Therefore, because of un-patched vulnerabilities and unrecognized attacks, there may be a security risk in the system that should be managed [1, 28]. Thus, the administrator needs to manage the risk caused by these vulnerabilities. Risk estimation is a necessary step in risk management: it measures the impact caused by the probability of exploiting these vulnerabilities. Such an estimation can be carried out either quantitatively or qualitatively. Estimating the risk quantitatively with security metrics is more useful than using qualitative metrics, which are believed to suffer from subjectivity [2].

The definition of vulnerability depends on the level of abstraction and the stage of system development. A vulnerability is an internal fault that enables an external fault to damage the system; in other words, the vulnerability is what allows the external fault to cause an error and, probably, the resulting failure [3]. The vulnerability addressed throughout this paper follows the definition given by [4]: "a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability". At present, open-source scanners such as OVAL [5] can be used to recognize the vulnerabilities of a host. The risk caused by a recognized vulnerability is computed from the values of the Common Vulnerability Scoring System (CVSS) attributes [4]. To do so, the two components of risk assessment, the exploitability and the impact of the vulnerability, are estimated. The advantage of CVSS is that it is a common open framework used by experts for scoring, and that it cannot be easily influenced by subjective judgment.

However, when the impact and exploitability scores are evaluated in CVSS, the dependency between the vulnerabilities recognized in the system is not taken into account [4]. To estimate the risk due to all vulnerabilities, it is necessary to take
http://sites.google.com/site/ijcsis/ ISSN 1947-5500
the dependence between all vulnerabilities into consideration. By dependency we mean that the possibility of exploiting a vulnerability after other vulnerabilities have been exploited is taken into account. This dependency is usually modeled by attack graphs [6]. For this purpose we have developed a dependency graph based on MulVAL [7] in which any vulnerability can be exploited with a certain privilege in the system, and the exploitation provides the attacker with another privilege. The attacker attempts to obtain a critical privilege in the system. This graph is easy to understand when analyzing the vulnerabilities and has a lower presentational complexity than the graph generated in [8]. The study reported in this paper is an attempt to estimate the dependency between vulnerabilities as the attacker works toward obtaining a critical privilege.

The impact of any vulnerability can be estimated by CVSS on the basis of the security properties (confidentiality, integrity, availability), the collateral damage potential (CDP) and the target distribution (TD). A continuous-time Markov chain (CTMC) model is generated from the impact and exploitability of each vulnerability by itself and from the dependency between the vulnerabilities obtained from the attack graph. Each state of this CTMC contains vulnerabilities whose impacts are similar. Grouping the vulnerabilities of a particular state in this way reflects the fact that the attacker pays the minimum cost to obtain a privilege, manipulate files or deny services with a similar impact; the attacker does not try to exploit a series of vulnerabilities that all have a similar impact. As a result, the dependency between vulnerabilities of this kind is of little importance in risk assessment. The proposed approach assumes that these vulnerabilities cannot be repaired dynamically; consequently, it is not possible to move from a state with higher impact to one with lower impact. This assumption is reasonable for the following reasons. First, the risk assessment is performed for a snapshot of the system. Second, there is a meaningful interval between the time a vulnerability is recognized and the time a reliable patch is offered by the software developer, or the vulnerability cannot be patched at all because of interference with the system. Once the model has been generated, the quantitative risk is estimated as the attacker progresses. Based on the results of this risk assessment, one can determine the best time to re-evaluate the system. It is worth mentioning that the model is generated with a time complexity of O(N^3), where N is the number of system states.

The advantages of the approach proposed in this paper are as follows. (1) It can be used to assess the risk caused by threats to several critical parts of the system, based on the CVSS attributes of each vulnerability and the dependency between them, while considering the progress of the attacker through the system. (2) It makes it possible to evaluate the security of the system by considering the vulnerability data and the real environmental conditions, and thereby to use dependability techniques in security measurement. (3) The existing, mature dependability evaluation techniques can be used.

The rest of this paper is organized as follows. Section II discusses the related works, their challenges, and their differences from this paper. Section III describes the existing methods for assessing the risk resulting from a single vulnerability using the values of the CVSS attributes, and offers new definitions of the exploitability and impact of a vulnerability. Section IV introduces how the dependency matrix is constructed from the attack graph of the system. Section V presents how a Markov model is generated from the dependency matrix and the impact and exploitability of the vulnerabilities. Section VI estimates the security risk of the system using the generated Markov model. Finally, Section VII gives some concluding remarks.

II. RELATED WORKS

Besides the distinction between quantitative and qualitative risk assessment, risk assessment methods fall into two groups. The first group (e.g. [9]), to which the method presented in this study belongs, takes all possible sequences, or the worst possible sequences, of exploitation as the basis for risk assessment, considering all the vulnerabilities in the system and their exploitability. The second group (e.g. [10]) works from the successful attacks gathered by an intrusion detection system (IDS). The main advantage of the first category is that it takes all possible sequences of exploitation into account; the second category, on the other hand, examines the attacker's actual behavior. However, because of the false positives and false negatives in the alerts received from the IDS, the state of the system will not be precisely specified. Moreover, more skilled intruders behave differently because they are familiar with how the IDS operates. As a result, the estimated risk is less reliable.

In [11] an initial model was offered for the quantitative measurement of security, and the mean time and effort required for a security breach were computed. This was one of the first papers to put forward the idea of using dependability in security. The main challenge in using dependability analysis methods to obtain the security attributes of a system is that dependability analysis assumes that failures of the system or its components are random or rare events, whereas in security analysis we face failures caused by humans; the probability of such attacks depends on the intelligent behavior of human beings and on their learning over time [12].

In [13] the idea of using the attack graph to estimate a quantitative metric for networks was offered. This is akin to a commonly used metric of cryptographic strength, which measures the weakest adversary who can break a cryptographic scheme. Exploiting a given vulnerability in an attack graph requires certain initial conditions that the attacker cannot obtain by exploitation; if the minimum set of conditions required to conduct an exploitation in one network exceeds that of a similar network with a different configuration, the first network clearly fulfills the security requirements better than the second. In fact, this method was offered to compare similar networks with different configurations. A similar procedure is followed in [14] to harden the network by finding the minimum set of required conditions that closes the paths through which the intruder tries to penetrate the system. In that paper the severity of meeting all conditions was assumed to be the same. However,
the main challenge in such papers is that the problem of finding these conditions is NP-hard.

The attack graph introduced in [15] has nodes that either describe exploitations, which succeed only when all of their conditions are met (hence they are called AND nodes), or represent the pre- or post-conditions of the exploitations, which can be regarded as OR nodes. According to the logic of these nodes, using the conjunction and disjunction operators corresponding to them, assuming that the conditions are independent of one another, and finally using the CVSS metric, the probability of reaching the target node can be calculated by examining all the paths available in the graph. The difference between the dependency graph generated in [16] and the one generated in the present paper is that the graph offered here contains a vulnerability node that, if exploited, grants the attacker a privilege. Therefore, in the attack graph introduced in the current paper both the privilege and the vulnerability nodes follow the OR logic.

In [17], for the first time, the idea of using a web page ranking algorithm [18] to score the nodes of an attack graph was proposed. In this algorithm the significance of each node, like that of a web page, depends on the number of paths by which the attacker can reach it. In [19], a modified web page ranking algorithm was applied to the attack graph of [8], which contains AND and OR nodes. In this way the priority of each vulnerability for patching, along with its CVSS score, is computed considering its dependency on other vulnerabilities. In our dependency graph the web page ranking algorithm can be employed with fewer complexities.

In [9], the methodology for assessing the risk of a potential threat modeled with an attack tree first computes the dependency between the vulnerabilities, i.e. how exploiting one vulnerability facilitates exploiting another. A dependency graph is generated, and the rate of facilitation between two vulnerabilities is determined by an expert. Using this dependency graph and the facilitation rates, an updated exploitability and impact are computed for each vulnerability, the number of days the service is unavailable is defined, the risk resulting from each vulnerability is estimated, and finally the total risk of the threat is estimated using the attack tree. The difference between that method and the one introduced in the present study lies in the definition of dependency: the dependency defined in [9] relies heavily on subjective judgment, whereas the dependency defined in the present paper is systematic and can be easily computed. In addition, in this paper CVSS is used to estimate the exploitability and impact of the vulnerabilities, and the approach is able to estimate the risk of several threats.

In [20], the CVSS attributes of a vulnerability are combined using Bayesian networks to estimate its impact and frequency, and these components are combined to compute the resulting security risk; Bayesian algorithms are suggested for obtaining the total security of a system. In [21], a method is offered to estimate the total security risk of a system: the vulnerabilities of the system are divided into different groups based on their impact, and the groups are ordered by impact. The system starts in a sound state and continues until it encounters a failure. In our study, a different method of risk assessment is proposed which considers the dependencies between vulnerabilities.

TABLE I. CVSS METRIC GROUPS [4]

Base Metric Group             | Temporal Metric Group     | Environmental Metric Group
------------------------------|---------------------------|-----------------------------------
Access Vector (AV)            | Exploitability (T_E)      | Confidentiality (E_C), Integrity (E_I), Availability (E_A)
Access Complexity (AC)        | Remediation Level (T_RL)  | Collateral Damage Potential (CDP)
Authentication (Au)           | Report Confidence (T_RC)  | Target Distribution (TD)
Confidentiality impact (B_C)  |                           |
Integrity impact (B_I)        |                           |
Availability impact (B_A)     |                           |

III. CALCULATING THE RISK OF ANY VULNERABILITY

CVSS [4] was introduced in 2004, and its second version is currently maintained by the Forum of Incident Response and Security Teams (FIRST). It assigns a number to each vulnerability in a vulnerability database such as NVD [22]. In fact, CVSS is an open framework for determining the attributes and impact of a vulnerability on the basis of predefined, accepted values, in order to estimate the security risk due to that vulnerability. CVSS consists of three groups of metrics: base, temporal and environmental.

The base metric group consists of attributes that represent the inherent qualities of a vulnerability. The temporal group contains the attributes that change over time, and the environmental group contains the attributes that are unique to the user's immediate environment. The attributes of each group are summarized in TABLE I. The metric of each group receives a value ranging from 0 to 10, and the vector string contains the values assigned to the attributes of the vulnerability from which this numerical value is generated.

CVSS offers a common set of attributes for vulnerabilities. Each attribute has a predefined set of qualitative values from which the value for a given vulnerability is selected. For example, the access vector attribute of the base metric group, which represents how a vulnerability is accessed and exploited, may receive the value L, indicating that the intruder needs physical access or a local account to exploit the vulnerability; the value A, indicating that the intruder must have access to the local network of the host; or the value N, indicating that the intruder can exploit the vulnerability remotely, without any local access. To compute the CVSS scores, a quantitative value is assigned to each qualitative value and, using the equations that express the relationships between these attributes, the base metric (with the impact and exploitability sub-scores computed separately), the temporal metric, and the environmental metric (along with the adjusted impact) are estimated. The CVSS calculator in NVD can be used to compute these metrics. Because the attributes of the temporal group, all of which can affect exploitability, are not considered when the base exploitability is estimated in CVSS, the exploitability addressed in this paper is defined as in equation (1).
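The CVSS v2 scoring described in Section III, together with the two redefinitions this paper makes in equations (1) and (2), as an added worked example. The code is written for this page and is not the paper's implementation; the coefficient tables are the published CVSS v2 values, and the vector strings are constructed for illustration, not NVD records.

```python
# Added example: CVSS v2 sub-scores from a vector string, then the paper's
# equations (1) and (2). Coefficient tables are the published CVSS v2 values.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}                            # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}                             # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}                            # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}                           # C / I / A impact
T_E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}      # Exploitability (temporal)
T_RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}    # Remediation Level
T_RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}               # Report Confidence
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage Potential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}         # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                   # CR / IR / AR

DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND", "CDP": "ND", "TD": "ND",
            "CR": "ND", "IR": "ND", "AR": "ND"}


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:F/RL:OF/...]' -> dict. Temporal and
    environmental metrics absent from the string default to ND (not defined)."""
    metrics = dict(DEFAULTS)
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError("base metrics missing from vector: %s" % sorted(missing))
    return metrics


def base_exploitability(m):
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def base_impact(m):
    return 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))


def adjusted_impact(m):
    """Environmental AdjustedImpact: the C/I/A impacts weighted by the
    security requirements CR/IR/AR, capped at 10."""
    c = CIA[m["C"]] * REQ[m["CR"]]
    i = CIA[m["I"]] * REQ[m["IR"]]
    a = CIA[m["A"]] * REQ[m["AR"]]
    return min(10.0, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))


def exploitability(m):
    """Equation (1): base exploitability scaled by the three temporal metrics."""
    return base_exploitability(m) * T_E[m["E"]] * T_RL[m["RL"]] * T_RC[m["RC"]]


def impact(m):
    """Equation (2): adjusted impact scaled by CDP and TD. CDP:ND carries the
    value 0 in CVSS v2, so a vector without an explicit CDP yields zero impact
    under this definition; the environmental metrics must be filled in."""
    return 2 * adjusted_impact(m) * CDP[m["CDP"]] * TD[m["TD"]]


def score(vector):
    m = parse_vector(vector)
    return {"base_exploitability": base_exploitability(m), "base_impact": base_impact(m),
            "adjusted_impact": adjusted_impact(m),
            "exploitability": exploitability(m), "impact": impact(m)}


if __name__ == "__main__":
    # Constructed vector (not an NVD record): remote, low complexity, no
    # authentication, partial C/I/A, functional exploit, official fix, confirmed.
    for k, v in score("AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:H").items():
        print("%-20s %.3f" % (k, v))
```

Two points the paper's definitions make worth checking on real data: a base-only vector leaves every temporal multiplier at 1.0, so equation (1) returns the plain base exploitability, and because CDP defaults to 0 when not defined, equation (2) gives an impact of zero until the environmental attributes have been set for the host.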
$\mathrm{Exploitability} = \mathrm{BaseExploitability(CVSS)} \times T_E \times T_{RL} \times T_{RC}$ (1)

Furthermore, when CVSS estimates the adjusted impact, two attributes of the environmental group, the collateral damage potential and the target distribution, are not taken into consideration. For this reason, the impact addressed in this paper is defined as follows, on the basis of the adjusted impact metric and the two attributes just mentioned:

$\mathrm{Impact} = 2 \times \mathrm{AdjustedImpact(CVSS)} \times CDP \times TD$ (2)

The main problem, however, is that the total score and all the other metrics that CVSS generates for a vulnerability, as well as the metrics proposed by other methods [20], consider the vulnerability by itself, without reference to its dependency on other vulnerabilities.

IV. DEPENDENCY EXTRACTION AMONG VULNERABILITIES

Many studies have addressed the generation of attack graphs, which show all the sequences of vulnerability exploitations in a network that lead to a critical privilege [6]. Recently, the challenge in many of these studies has been to produce attack graphs that scale well. Providing the data needed to generate attack graphs well, making them comprehensible, and using them for risk management in networks are still hot topics in this field. In [8], an algorithm that generates highly scalable attack graphs using MulVAL [7], a logic-based framework for vulnerability analysis, is presented; as a result, the time complexity of attack graph generation has been reduced to quadratic time. The resulting attack graph still has presentational complexities that make it difficult for humans to comprehend. This challenge is discussed in [23], where the exploitations that do not provide the attacker with a deeper privilege on the network are removed.

MulVAL provides a logic-programming framework for analyzing multistage, multi-host attack paths due to software vulnerabilities and misconfigurations. Network configurations, vulnerability specifications, exploitation rules, and a set of privileges on the network are specified in the logic-programming language Datalog. A logic program is a sequence of facts and rules: facts are information about network elements, vulnerabilities and privileges, and rules express how the attacker uses existing facts to attain new facts about the network. An off-the-shelf logic-programming engine, which can evaluate the logic program efficiently, is then run against a security-policy violation expressed as "policy violation (Adversary, Access, Resource)" and produces the attack traces that violate the security policy. The attack graph is constructed from these attack traces.

Vulnerabilities and the specific configuration are recognized using the OVAL Interpreter [5]. One major challenge in this field is the identification of the pre- and post-conditions of exploiting a vulnerability. Recently, in [24] an XML-based format similar to the OVAL language has been proposed to express the pre- and post-conditions required for exploiting vulnerabilities, for use in attack graph generation tools. In [25], an approach for extracting these pre- and post-conditions from several vulnerability databases is presented.

[Figure 1. Example of a proposed attack graph]

      v1  v2  v3  v4  v5
v1     0   0   0   0   0
v2     0   0   0   0   0
v3     1   0   0   0   0
v4     1   0   0   0   0
v5     0   1   1   1   0

Figure 2. Dependency matrix of the attack graph of Figure 1

To reduce the presentational complexity of attack graphs, the attack graph we generate from the attack-traces output of MulVAL includes only the vulnerabilities and the privileges obtained by exploiting them. Each vulnerability can be exploited from one or more privileges, and as a result the attacker obtains a new privilege; likewise, with one privilege the attacker can exploit one or more vulnerabilities. For example, in the attack graph of Figure 1 the attacker with privilege P0 can exploit vulnerabilities V1 and V2, and his/her goal is to obtain privilege P4 on the system. By a dependency between V1 and V2 we mean that exploiting V2 provides a condition that enables exploiting V1. For example, in Figure 1 the set of vulnerabilities {V2, V3, V4}, on which V5 depends, provides the privileges P2 and P3 that enable the attacker to exploit V5. The dependency matrix (|V| × |V|) between the vulnerabilities is extracted by applying Breadth First Search (BFS) to the generated attack graph; an entry of 1 in row Vi and column Vj means that exploiting Vj enables exploiting Vi. Figure 2 shows the dependency matrix of the attack graph of Figure 1.

V. THE PROPOSED METHOD

A system is often faced with vulnerabilities at every level of security. The intruder can decrease the level of service provided by the system by exploiting these vulnerabilities. The loss incurred by the drop in service level when a vulnerability is exploited depends on the collateral damage potential of the host where the vulnerability has been observed. In the initial state the system includes all the vulnerabilities that can be exploited directly. The intruder decreases the level of service provided by the system and aims at a state where a large security failure can be caused. Despite these attacks and the drop in service level, the system can tolerate the attacks and manages to offer its main services correctly. As the exploitation proceeds, the intruder gets more opportunities to exploit vulnerabilities with severe security impact. In addition, the system enters a collateral
damage potential whose impact cannot be easily endured by the system, or from these states it is more likely to enter a complete failure state.

A. Generating the Markov Model

Having recognized the vulnerabilities of the system, the impact and exploitability defined in Section III are estimated for each vulnerability from its CVSS attributes. All the vulnerabilities except those in the initial state are categorized into N groups based on the impact they have on the system and on the system's requirements. A group is a state of the system in which the exploitation of any of its vulnerabilities has a similar impact. The number of states (N) equals the number of mission tasks, or the number of user-group privileges, or the number of subsystems that can be attacked by the intruder. The justification for this grouping is that intruders select the easiest and most likely vulnerability among those that provide them with similar results. Moreover, because the vulnerabilities of a particular state have a similar impact, the dependency between them is of little importance and is not taken into account in the risk assessment. In fact, this type of grouping is considered better than grouping by subsystem, privilege, etc. for decreasing the complexity of the vulnerability analysis, because the analysis is conducted with reference to the component where the vulnerability is observed.

The transition rate between two states is taken to be the estimated exploitability of the vulnerability that is easiest and most likely to be exploited compared with the other vulnerabilities. A transition between two states occurs when the attacker can exploit the vulnerabilities of the new state; the dependency matrix introduced in Section IV is used to obtain the transition rate. The assumption that the intruder exploits the easiest vulnerability to move to another state gives the worst realistic estimate of the security risk and does not contradict the unpredictability of the intruder's behavior.

The model-generating algorithm uses the impact of exploiting the vulnerabilities, the dependency matrix between them, and the threshold of tolerable impact for the system. The vulnerabilities that are directly exposed to the attacker are placed in the initial state, and the remaining vulnerabilities are placed in the N states according to their impact. The algorithm consists of the following four steps:

1) In the first step, for every state, the ascendants of each of its vulnerabilities that lie in states with lower impact are extracted using the dependency matrix.

2) In the next step, the exploitability of each vulnerability in that state is normalized according to the exploitability of its ascendants and its own exploitability, assuming that the exploitations of the ascendants are independent of each other (equation (3) shows the case of two ascendants). After the exploitability of all the vulnerabilities of a state has been estimated, the exploitability of the state (ExState) is taken to be the probability that at least one of its vulnerabilities is exploited, i.e. the disjunction of their exploitabilities. As a result, a higher chance of success for the attacker (a higher risk for the system) is accounted for when a state contains more vulnerabilities.

$Ex(v) = \left( Ex(A) + Ex(B) + \frac{Ex(A)\,Ex(B)}{10} \right) \times \frac{Ex(v)}{10}, \quad \text{for } |\text{ascendants of } v| = 2$ (3)

3) In the third step, the transitions between these states and their rates are determined. The attacker can move from Si to Sj only if the exploitation of at least one of the vulnerabilities of Si enables the exploitation of at least one of the vulnerabilities of Sj.

4) Finally, from any state whose impact is above the tolerable threshold a transition is made to the failure state. In this process, to make sure that every state is reachable from the initial state and that the failure state is reachable from every state, all the rows and columns of the state-transition matrix are examined. A state that has no incoming transition (other than the initial state, which needs none) or no outgoing transition (other than the failure state) has its row and column removed from the state-transition matrix. The matrix is then re-examined to ensure that no such state remains. In the worst case, this examination and removal of states unreachable from the initial state is repeated N-1 times, and each pass has complexity O(N^2).

The time complexity of the algorithm with respect to the number of states is therefore O(N^3). The attacker does not move from a state with higher impact to one with lower impact. This is reasonable because an attacker is naturally unwilling to move from a state where a higher impact is possible to one where only a lower impact is possible. In addition, as mentioned earlier, we do not consider dynamic repair. Consequently, the resulting graph is a directed acyclic graph (DAG).

VI. RISK ASSESSMENT

As many existing works on risk assessment state, risk is the possible impact weighted by the probability of exploiting the vulnerabilities of the system. Obviously, the intruder must be able to reach these vulnerabilities for them to count in the risk assessment; vulnerabilities that are not accessible to the intruder pose no risk to the system. For example, suppose that exploiting V1 depends on exploiting V2 and that the mean time needed to exploit V2 is t1. Then during the interval t1, while the system keeps its initial conditions, V1 poses no threat to the system. Conversely, at a time t (t > t1) the risk no longer involves exploiting V2, because in the worst case the failure due to exploiting V2 has already been imposed on the system; the level of security provided by the system has decreased, and the intruder is more likely to exploit further vulnerabilities.
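The dependency matrix of Section IV and the four-step model generation of Section V.A, as an added worked example (code written for this page, not the paper's implementation). The attack graph is reconstructed from the text's description of Figure 1 and the per-vulnerability scores are constructed, so both are assumptions; the dependency matrix the code derives is the one shown in Figure 2. Equation (3) is applied in its inclusion-exclusion form, the union probability of independent ascendants on the 0..10 scale (the printed equation adds the product term; with the subtraction the result stays within the scale), and this form extends to any number of ascendants. The text gives no rate for the edge into the failure state, so the over-threshold state's own exploitability is used, which is also an assumption.

```python
from collections import defaultdict, deque

# Attack graph reconstructed from the paper's description of Figure 1 (the
# figure itself is not in the text, so this edge set is an assumption). Each
# entry is (privilege required, vulnerability exploited, privilege gained).
EXPLOITS = [
    ("P0", "v1", "P1"), ("P0", "v2", "P2"), ("P1", "v3", "P2"),
    ("P1", "v4", "P3"), ("P2", "v5", "P4"), ("P3", "v5", "P4"),
]
VULNS = ["v1", "v2", "v3", "v4", "v5"]
# Constructed per-vulnerability scores on the 0..10 scale, of the kind
# equations (1) and (2) produce; illustrative, not taken from NVD.
EX = {"v1": 8.0, "v2": 6.0, "v3": 7.0, "v4": 5.0, "v5": 9.0}
IMPACT = {"v1": 4.0, "v2": 4.0, "v3": 6.0, "v4": 6.0, "v5": 9.0}


def dependency_matrix(exploits, vulns, start="P0"):
    """BFS from the attacker's initial privilege over the privilege/vulnerability
    graph. M[i][j] = 1 iff exploiting vulns[j] grants a privilege that is a
    pre-condition of vulns[i] (row = dependent vulnerability, as in Figure 2)."""
    pre, post = defaultdict(set), defaultdict(set)
    for need, v, gain in exploits:
        pre[v].add(need)
        post[v].add(gain)
    visited, queue = {start}, deque([start])
    while queue:
        priv = queue.popleft()
        for need, v, gain in exploits:
            if need == priv:
                visited.add(v)
                if gain not in visited:
                    visited.add(gain)
                    queue.append(gain)
    return [[int(vi in visited and vj in visited and bool(pre[vi] & post[vj]))
             for vj in vulns] for vi in vulns]


def union_score(scores):
    """0..10 score that at least one of several independent events happens:
    10 * (1 - prod(1 - s/10)). For two events this is s1 + s2 - s1*s2/10, the
    inclusion-exclusion form of equation (3); the printed equation has '+'
    before the product term, which can exceed the scale (assumption here)."""
    p_none = 1.0
    for s in scores:
        p_none *= 1.0 - s / 10.0
    return 10.0 * (1.0 - p_none)


def prune(states, rates):
    """Step 4: drop states (other than the initial state 0 and the failure
    state 'F') with no incoming or no outgoing transition, until none remain."""
    alive = set(range(len(states)))
    while True:
        incoming = {dst for (_, dst) in rates if dst != "F"}
        outgoing = {src for (src, _) in rates}
        dead = {s for s in alive if s != 0 and (s not in incoming or s not in outgoing)}
        if not dead:
            return rates
        alive -= dead
        rates = {k: r for k, r in rates.items() if k[0] not in dead and k[1] not in dead}


def build_model(vulns, m, ex, impact, threshold, exploits=EXPLOITS, start="P0"):
    """Steps 1-4 of Section V.A. Returns the states (lists of vulnerabilities;
    state 0 holds the directly exploitable ones, the rest are ordered by
    impact), the normalised exploitabilities and the transition rates."""
    idx = {v: i for i, v in enumerate(vulns)}
    initial = [v for need, v, _ in exploits if need == start]
    states = [initial]
    for v in sorted((v for v in vulns if v not in initial), key=lambda v: impact[v]):
        if len(states) > 1 and impact[states[-1][0]] == impact[v]:
            states[-1].append(v)          # similar impact -> same state
        else:
            states.append([v])
    state_of = {v: s for s, grp in enumerate(states) for v in grp}
    ex_norm, rates = dict(ex), {}
    for s in range(1, len(states)):
        for v in states[s]:
            # step 1: ascendants that sit in lower-impact states
            asc = [a for a in vulns if m[idx[v]][idx[a]] and state_of[a] < s]
            # step 2: equation (3), generalised to any number of ascendants
            ex_norm[v] = union_score(ex_norm[a] for a in asc) * ex[v] / 10.0
            # step 3: S_i -> S_s exists when an ascendant lies in S_i; the rate is
            # the easiest (highest) exploitability among the enabled vulnerabilities
            for a in asc:
                key = (state_of[a], s)
                rates[key] = max(rates.get(key, 0.0), ex_norm[v])
        # step 4: states above the tolerable impact lead to failure; the text
        # gives no rate for this edge, so the state's exploitability is assumed
        if impact[states[s][0]] > threshold:
            rates[(s, "F")] = union_score(ex_norm[v] for v in states[s])
    # transitions only go from lower to higher impact, so the graph is a DAG
    return states, ex_norm, prune(states, rates)


if __name__ == "__main__":
    M = dependency_matrix(EXPLOITS, VULNS)
    for v, row in zip(VULNS, M):
        print(v, row)
    states, ex_norm, rates = build_model(VULNS, M, EX, IMPACT, threshold=7.0)
    print("states:", states)
    print("normalised exploitability:", {v: round(x, 4) for v, x in ex_norm.items()})
    print("rates:", {k: round(r, 4) for k, r in rates.items()})
```

With these inputs the initial state is {v1, v2}, v3 and v4 share a state because their impacts are equal, and v5 forms the only state above the threshold of 7; v5 is normalised by all three of its ascendants, one of which sits in the initial state, so the model gets a direct edge from the initial state to the highest-impact state as well as the path through {v3, v4}.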
Generally, only a limited number of vulnerabilities are exposed to exploitation at any given second. As time passes, the intruder exploiting these vulnerabilities finds more opportunities to exploit vulnerabilities with severe impacts, so the risk increases for a while. Finally, as the intruder exploits these vulnerabilities on critical hosts, the failure due to these vulnerabilities affects the system until it crashes; from then on the risk no longer poses a threat, because there is no possibility of a further failure. Risk variation along time is shown in Figure 3.

Figure 3. General diagram of system risk variation with time

For the estimation of the system's risk, two components should be obtained. First, to account for the risk due to the vulnerabilities of a particular state, the mean time spent by the intruder to successfully exploit the vulnerabilities in that state should be calculated. Second, the states that become accessible to the intruder after the successful exploitation of a previous state should be obtained, so that the risk due to their vulnerabilities is examined. To calculate the mean time elapsed in each state, according to [26], and since the Markov model utilized in this paper is an absorbing one whose states are divided into the two groups of operational and faulty states, the τ vector is calculated as follows (the transition-rate matrix is restricted to the operational states):

$\tau Q = -\pi(0)$   (4)

where Q is the transition-rate matrix restricted to the operational states only, π(0) is the initial state vector and τ_i is the mean time the system spends in operational state i before passing into the failure state. After computing the mean time spent in each state before reaching the failure state, the transition-rate matrix easily shows which states become accessible to the intruder as time t_i passes once the intruder has reached state i. In this way, the risk due to new states exposed to the intruder is taken into account. The total risk is estimated by equation (5), taking into account the change in the states reached by the intruder. In this formula impact_i is the highest impact due to exploiting the vulnerabilities of state i, and ExState_i is the exploitability of state i.

$Risk(t) = \sum_{S_i\ \text{accessible and not exploited}} impact_i \cdot ExState_i$   (5)

VII. CASE STUDY
In this section, it is shown how to estimate the risk by applying the proposed approach to the simple network given in [16]. In this network there are three hosts: a Web server, a File server, and a Database server. For an attacker located on the Internet, only the Web server is directly accessible. The firewall and network configuration determine the reachability among hosts (TABLE II). The vulnerabilities that exist on each host, the privilege required to exploit them (pre-condition), and the resultant privilege after exploitation (post-condition) are given in TABLE III. All vulnerabilities on the network are remotely exploitable. For all vulnerabilities, the values of the CVSS attributes of the base and temporal metric groups are gathered from NVD [22] and OSVDB [27]. The environmental security requirements of the network are assumed to be similar to those of a network located in a university. Since availability is very important in this environment, and integrity and confidentiality are the next priorities, the cost of damage done to the Database server is greater than that of the other servers, and the cost of damage done to the File server is greater than that of the Web server. Accordingly, the value of the CDP attribute of CVSS for the vulnerabilities located on each host is determined. Because the attacker can access the network via the Web server, the maximum possible value is selected for the TD attribute of CVSS for the vulnerabilities located on the Web server. The values of the CVSS attributes for each vulnerability are given in TABLE III. In this table, the exploitability and the impact of each vulnerability are also estimated.

Figure 4. Configuration of example network

TABLE II. FIREWALL RULES OF NETWORK
Source | Dest. | Service | Action
All    | H1    | Http    | Allow
All    | H1    | Ftp     | Allow
All    | H2    | Ftp     | Allow
H1     | H3    | Oracle  | Allow
H2     | H3    | ftp     | Allow
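The two computations just described, as an added worked example in Python that is not part of the paper: equation (4) is solved for the τ vector of a small absorbing model, and equation (5) is evaluated as the intruder progresses through the states. The generator Q, its transition rates and the resulting reachability among states are constructed assumptions (Figure 6 is not reproduced in the text); the per-state impact and exploitability values are those of TABLE IV.

```python
"""Worked example of equations (4) and (5): mean residence times of an absorbing
Markov model and the risk summed over accessible, unexploited states.  Q below is
a CONSTRUCTED generator (Figure 6 is not reproduced in the text); the per-state
impact and exploitability values are those of TABLE IV."""
from typing import Dict, List, Set

STATES = ["S0", "S1", "S2", "S3"]          # operational states only
# Constructed generator restricted to operational states; each diagonal entry is
# minus the total outgoing rate, including the rate into the failure state.
Q = [[-0.50, 0.20, 0.30, 0.00],
     [0.00, -0.50, 0.00, 0.50],
     [0.00, 0.00, -0.25, 0.25],
     [0.00, 0.00, 0.00, -0.10]]            # S3 -> failure at rate 0.10
PI0 = [1.0, 0.0, 0.0, 0.0]                 # the intruder starts in S0
IMPACT = {"S0": 2.00, "S1": 1.32, "S2": 4.95, "S3": 7.50}      # TABLE IV
EXSTATE = {"S0": 0.040, "S1": 0.016, "S2": 0.050, "S3": 0.136}  # TABLE IV

def solve_linear(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]   # augmented matrix
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]

def residence_times(q: List[List[float]], pi0: List[float]) -> List[float]:
    """Equation (4): solve tau Q = -pi(0), i.e. Q^T tau^T = -pi(0)^T."""
    n = len(q)
    qt = [[q[r][c] for r in range(n)] for c in range(n)]   # transpose of Q
    return solve_linear(qt, [-p for p in pi0])

def successors(q: List[List[float]], states: List[str]) -> Dict[str, Set[str]]:
    """States directly reachable from each state (positive off-diagonal rate)."""
    return {s: {states[j] for j, rate in enumerate(q[i]) if j != i and rate > 0}
            for i, s in enumerate(states)}

def risk(accessible: Set[str], exploited: Set[str]) -> float:
    """Equation (5): sum of impact_i * ExState_i over accessible, unexploited S_i."""
    return sum(IMPACT[s] * EXSTATE[s] for s in accessible - exploited)

def risk_along_path(path: List[str], start: str = "S0") -> List[float]:
    """Risk before the first exploit and after each state in path is exploited."""
    succ = successors(Q, STATES)
    accessible, exploited = {start}, set()
    out = [risk(accessible, exploited)]
    for s in path:          # exploiting s exposes its successor states
        exploited.add(s)
        accessible |= succ[s]
        out.append(risk(accessible, exploited))
    return out
```

For the constructed Q the solver returns τ = [2.0, 0.8, 2.4, 10.0], and the risk along the path S0, S1, S3 rises from 0.08 to 1.2675 before falling once only S2 remains unexploited, the shape Figure 3 describes.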
TABLE III. VULNERABILITIES OF THE NETWORK AND THE VALUES OF THEIR CVSS ATTRIBUTES
(CVSS attribute vector format: B_Av/B_Ac/B_Au/B_C/B_I/B_A : T_E/T_RL/T_RC : E_C/E_I/E_A/CDP/TD)

Vulnerability | CVE           | Target Host     | Pre-condition | Post-condition | CVSS Attribute Values          | Impact | Exploitability
V1            | CVE-2002-0392 | Web Server      | Access≥user   | Access=root    | N/L/N/P/P/P:F/O/C:L/M/H/L/H    | 1.32   | 8.26
V2            | CVE-2003-1327 | Web Server      | Access≥user   | Access=root    | N/M/N/C/C/C:U/U/C:L/M/H/L/H    | 2.00   | 7.31
V3            | CVE-1999-0017 | Web Server      | Access=user   | Access=user    | N/L/N/P/P/P:H/N/N:L/M/H/L/H    | 1.32   | 10.00
V4            | CVE-1999-0017 | File Server     | Access=user   | Access=user    | N/L/N/P/P/P:H/N/N:L/M/H/Mh/M   | 3.96   | 10.00
V5            | CVE-1999-0017 | Database Server | Access=user   | Access=user    | N/L/N/P/P/P:H/N/N:L/M/H/H/M    | 4.95   | 10.00
V6            | CVE-2001-0499 | Database Server | Access≥user   | Access=root    | N/L/N/P/P/P:H/N/N:L/M/H/H/M    | 7.50   | 7.39
A. Step 1: Calculating Dependency Among Vulnerabilities
As mentioned before, the dependencies among vulnerabilities are extracted from the attack graph. To generate an attack graph with the properties noted in section IV, the reachability and vulnerability specifications are first extracted as the input of MulVAL. The attack graph in Figure 7 is generated for the security policy violation “execCode(dbServer, root)”. In generating this attack graph, all non-simple paths, in the sense of [23], are omitted for easier presentation. Since this network is very simple, it is clear that attack graph generation for other goals does not add extra dependencies to the dependency matrix. As a result, the dependency matrix of the network is as presented in Figure 5.

     v1 v2 v3 v4 v5 v6
v1    0  0  0  0  0  0
v2    0  0  0  0  0  0
v3    1  1  0  0  0  0
v4    1  1  1  0  0  0
v5    0  0  0  1  0  0
v6    1  1  1  0  1  0

Figure 5. Dependency matrix extracted from the attack graph of Figure 7

B. Step 2: Creating the Proposed Model
Vulnerabilities V1 and V2 are grouped into the initial state because they are directly reachable by the attacker. The impact-value difference used to separate vulnerabilities into distinct states is taken to be one; as a result, three states are obtained for the model. The complete failure state occurs when the attacker obtains root privilege on the Database server. The Markov model created by the algorithm for this network is presented in Figure 6; the transition rates among the states are given on the graph.

Figure 6. The Markov model generated for the network

TABLE IV. RESIDENCE TIME FOR EACH STATE
State | Impact | Exploitability of State | τ
S0    | 2.00   | 0.040                   | 9.533
S1    | 1.32   | 0.016                   | 9.533
S2    | 4.95   | 0.050                   | 9.989
S3    | 7.50   | 0.136                   | 7.200

C. Step 3: Risk Assessment
Restricting the transition-rate matrix to the states other than the failure state and taking S0 as the initial state, equation (4) gives the mean residence time in each state until the failure state is reached. The impact, exploitability and mean residence time (τ_i) of each state are presented in TABLE IV. Using the values of TABLE IV and the risk defined in equation (5), the risk is estimated as the attacker progresses through the network and is presented in Figure 8. From Figure 8 one can see that once the attacker successfully exploits vulnerabilities V1 and V2, the risk increases sharply.
Figure 7. The attack graph of the example network for the DB Server

Figure 8. Risk variation with attacker progress in the network

VIII. CONCLUSIONS AND FUTURE WORKS
In this paper, we presented a new approach for estimating the overall security risk due to system vulnerabilities with regard to the dependencies between them. First, the dependencies between the vulnerabilities are extracted from attack graphs of the system. Based on these dependencies and the impact of exploiting the vulnerabilities, a Markov model was presented. In addition, this model provides the possibility of using mature dependability techniques for security measurement that can be used for simplifying attack graph presentation by removing “useless” exploitations which do not provide deeper access in the network for the attacker. Since the complexity of the offered model generation is O(N^3), this method is much better than the method presented in MulVAL, which takes exponential time. In the method proposed in this paper, all directly reachable vulnerabilities were categorized into the initial state because of the limitation of the simple Markov model. In future work we will extend the model and consider attackers that can start from each state with some probability.

REFERENCES
[1] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide for information technology systems,” National Institute of Standards and Technology, Special Publication 800-30, 2002.
[2] M. Sahinoglu, “An input–output measurable design for the security meter model to quantify and manage software security risk,” IEEE Transactions on Instrumentation and Measurement, Vol. 57, June 2008, pp. 1251-1260.
[3] A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr, “Basic concepts and taxonomy of dependable and secure computing,” IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March 2004, pp. 11-33.
[4] Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss/cvss-guide.html (accessed 3/1/2010).
[5] Open Vulnerability and Assessment Language (OVAL), http://oval.mitre.org/index.html (accessed 3/1/2009).
[6] R. Lippmann et al., “An annotated review of past papers on attack graphs - PR-IA-1,” MIT Lincoln Laboratory Project Report, 31 March 2005.
[7] X. Ou, A logic-programming approach to network security analysis, Ph.D. thesis, Princeton University, 2005.
[8] X. Ou, W. F. Boyer, and M. A. McQueen, “A scalable approach to attack graph generation,” In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006, pp. 336-345.
[9] M. Benini and S. Sicari, “Risk assessment in practice: a real case study,” Computer Communications, Vol. 31, Issue 15, September 2008, pp. 3691-3699.
[10] Arnes, K. Sallhammar, K. Haslum, T. Brekne, M. Moe, and S. J. Knapskog, “Real-time risk assessment with network sensors and intrusion detection systems,” In Proceedings of the International Conference on Computational Intelligence and Security (CIS’05), Xian, China, December 2005, LNCS, Vol. 3802, pp. 388-397.
[11] Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, and D. Wright, “Towards operational measures of computer security,” Journal of Computer Security, Vol. 2, 1993, pp. 211-229.
[12] M. Nicol, W. H. Sanders, and K. S. Trivedi, “Model-based evaluation: from dependability to security,” IEEE Transactions on Dependable and Secure Computing, Vol. 1, Issue 1, January 2004, pp. 48-65.
[13] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, “Network security metrics: A weakest adversary security metric for network configuration security analysis,” In Proceedings of the 2nd ACM Workshop on Quality of Protection, Alexandria, VA, USA, October 2006, pp. 31-38.
[14] L. Wang, N. Steven, and S. Jajodia, “Minimum-cost network hardening using attack graphs,” Computer Communications, Vol. 29, Issue 18, 28 November 2006, pp. 3812-3824.
[15] L. Wang, A. Singhal, and S. Jajodia, “An attack graph-based probabilistic security metric,” In Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSEC 2008), London, U.K., July 13-16, 2008, LNCS, Vol. 5094, pp. 283-296.
[16] P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis,” In Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, November 2002, pp. 217-224.
[17] V. Mehta, C. Bartzis, H. Zhu, E. Clarke, and J. Wing, “Ranking attack graphs,” In Proceedings of Recent Advances in Intrusion Detection (RAID), Massachusetts, USA, September 2006, LNCS, Vol. 4219, pp. 127-144.
[18] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002, pp. 273-284.
[19] R. Sawilla and X. Ou, “Identifying critical attack assets in dependency attack graphs,” In Proceedings of the 13th European Symposium on Research in Computer Security (ESORICS), Malaga, Spain, October 2008, LNCS, Vol. 5283, pp. 18-34.
[20] S. H. Houmb, V. Nunes Leal Franqueira, and E. A. Engum, “Quantifying security risk level from CVSS estimates of frequency and impact,” Journal of Systems and Software, ISSN 0164-1212 (in press).
[21] S. H. Houmb and V. Nunes Leal Franqueira, “Estimating ToE risk level using CVSS,” In Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009, The International Dependability Conference), 16-19 March 2009, Fukuoka, Japan, IEEE Computer Society, pp. 718-725.
[22] NIST, National Vulnerability Database (NVD), http://nvd.nist.gov/ (accessed March 3, 2010).
[23] J. Homer, A. Varikuti, X. Ou, and M. A. McQueen, “Improving attack graph visualization through data reduction and attack grouping,” In Proceedings of the 5th International Workshop on Visualization for Cyber Security (VizSEC), Cambridge, MA, USA, September 15, 2008, LNCS, Vol. 5210, pp. 68-79.
[24] P. Maggi, D. Pozza, and D. Sisto, “Vulnerability modelling for the analysis of network attacks,” In Proceedings of the Third International Conference on Dependability of Computer Systems (DepCoS-RELCOMEX), Washington, DC, USA, 2008, IEEE Computer Society, pp. 15-22.
[25] S. Roschke, F. Cheng, R. Schuppenies, and C. Meinel, “Towards unifying vulnerability information for attack graph construction,” In Proceedings of the 12th International Conference on Information Security, Pisa, Italy, 2009, LNCS, Vol. 5735, pp. 218-233.
[26] K. S. Trivedi, Probability and Statistics with Reliability, Queuing, and Computer Science Applications, John Wiley and Sons, New York, 2001, ISBN 0-471-33341-7.
[27] OSVDB: The Open Source Vulnerability Database, osvdb.org (accessed March 3, 2010).
[28] K. Scarfone and T. Grance, “A framework for measuring the vulnerability of hosts,” In Proceedings of the 1st International Conference on Information Technology, IEEE Computer Society, pp. 1-4.

AUTHORS PROFILE

Mohammad Taromi is currently an M.Sc. student in computer engineering (software) at the school of computer engineering, Iran University of Science and Technology, Tehran, Iran. His research interests include network security, vulnerability analysis, security estimation and evaluation, and modelling and analysis of dependable systems.

Mohammad Abdollahi Azgomi received the B.S., M.S. and Ph.D. degrees in computer engineering (software) (1991, 1996 and 2005, respectively) from Sharif University of Technology, Tehran, Iran. His research interests include performance and dependability modelling with high-level modelling formalisms such as stochastic Petri nets, tools for modelling and evaluation, verification and validation, object-oriented modelling, web services, grid computing and network security. He has published several papers in international journals and conferences. Dr. Abdollahi Azgomi is currently a faculty member at the school of computer engineering, Iran University of Science and Technology, Tehran, Iran.