(IJCSIS) International Journal of Computer Science and Information Security, Vol. 8, No. 2, 2010

A New Approach for Security Risk Assessment Caused by Vulnerabilities of System by Considering the Dependencies

Mohammad Taromi
Performance and Dependability Eng. Lab.
School of Computer Engineering, Iran University of Science and Technology
Tehran, Iran
taromi@comp.iust.ac.ir

Mohammad Abdollahi Azgomi (Corresponding Author)
Performance and Dependability Eng. Lab.
School of Computer Engineering, Iran University of Science and Technology
Tehran, Iran
azgomi@iust.ac.ir

Abstract— Risk estimation is a necessary step in risk management: it measures the impact caused by the probability of exploiting the vulnerabilities recognized in a system. At the moment, qualitative metrics are used for this purpose, and these are believed to suffer from subjectivity. The risk caused by a recognized vulnerability is computed using the values of the Common Vulnerability Scoring System (CVSS) attributes. The great challenge in this field, however, is that the dependency between the vulnerabilities recognized in the system is not taken into account. In this paper, a new approach to assessing the risks caused by the vulnerabilities of a system is proposed which considers the dependencies among vulnerabilities. The approach consists of three steps. In the first step, after recognizing the vulnerabilities and the configuration of the system, an attack graph is generated for all the critical resources of the system using the MulVAL framework, and the dependency among vulnerabilities is extracted from these attack graphs. In the second step, a Markov model is generated from the extracted dependencies and from the impact and exploitability of each individual vulnerability, which are defined based on CVSS attributes. In the third step, the Markov model is used to estimate the quantitative security risk as the attacker keeps progressing in the system. The paper introduces the proposed approach, a case study demonstrating the above steps, and the results of the quantitative security risk estimation.

Keywords-Security Risk Assessment; Vulnerability; Attack Graph

I. INTRODUCTION

Although engineering methods are applied in software production, the growing use and complexity of information systems, together with market pressure to reduce time and production costs, mean that significant vulnerabilities remain unresolved in these systems. Furthermore, because intruders have many motivations for obtaining the resources of these systems or disturbing their functionality, the number of methods exploiting these vulnerabilities is also increasing. Even though vulnerabilities are patched, it is impossible to remove all of them: appropriate patches may be lacking, reconfiguring the system may cost it some functionality, or financial limitations may prevent patching specific vulnerabilities. Moreover, despite the use of various countermeasures such as firewalls or anti-viruses, attackers are not easily recognized, or they are likely to disturb the system's ordinary operation. Therefore, due to un-patched vulnerabilities and unrecognized attacks, there is a security risk in the system that should be managed [1, 28]. Thus, the administrator needs to manage the risk caused by these vulnerabilities. Risk estimation is a necessary step in risk management: it measures the impact caused by the probability of exploiting these vulnerabilities. Such estimation can be carried out either quantitatively or qualitatively. Estimating risk quantitatively using security metrics is more useful than using qualitative metrics, which are believed to suffer from subjectivity [2].

The definition of vulnerability depends on the level of abstraction and the stage of system development. A vulnerability is an internal fault that empowers an external fault to damage the system. In other words, the vulnerability is of great importance in causing the error, and probably the resultant failure, produced by the external fault [3]. The vulnerability addressed throughout this paper follows the definition given by [4]: "a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability". At the moment, open source scanners like OVAL [5] can be used to recognize the vulnerabilities of a host. The risk caused by a recognized vulnerability is computed using the values of the Common Vulnerability Scoring System (CVSS) attributes [4]. To do so, the two components of risk assessment, the exploitability of and the impact due to the vulnerabilities, are estimated. The advantage of CVSS is that it employs a common open framework used by experts for scoring, and that it cannot be easily influenced by subjective judgment.

However, when scoring impact and exploitability with CVSS, the dependency between the vulnerabilities recognized in the system is not taken into account [4]. To estimate the risk due to all vulnerabilities, it is necessary to take

338    http://sites.google.com/site/ijcsis/    ISSN 1947-5500
the dependence between all vulnerabilities into consideration. By dependency, we mean that the possibility of exploiting a vulnerability after other vulnerabilities have been exploited is taken into account. This dependency is usually modeled by attack graphs [6]. For this purpose, we have developed a dependency graph based on MulVAL [7] in which the exploitation of any vulnerability requires a certain privilege in the system and, as a result of this exploitation, provides the attacker with another privilege. The attacker attempts to obtain a critical privilege in the system. This graph is easy to understand when analyzing the vulnerabilities and has a lower presentational complexity than the one generated in [8]. The study reported in this paper is an attempt to estimate the dependency between the vulnerabilities that the attacker exploits in obtaining a critical privilege.

The impact of any vulnerability can be estimated with CVSS based on the security properties (confidentiality, availability, integrity), collateral damage potential (CDP) and target distribution (TD). A continuous-time Markov chain (CTMC) model is generated using the impact and exploitability of each vulnerability by itself and the dependency between the vulnerabilities obtained from the attack graph. Each state of this CTMC contains vulnerabilities whose impacts are similar. Vulnerabilities are grouped into one state because the attacker is charged the minimum cost to obtain a privilege, manipulate files or deny services with a similar impact, and because the attacker does not try to exploit a series of vulnerabilities with similar impact. As a result, the dependency between vulnerabilities of this kind is of little importance in risk assessment. The proposed approach assumes that vulnerabilities cannot be repaired dynamically; consequently, it is not possible to transfer from a state with higher impact to one with lower impact. This assumption is reasonable for two reasons. First, the risk assessment is performed for a snapshot of the system. Second, there is a meaningful time interval between the recognition of a vulnerability and the release of a reliable patch by the software developer, or it is not possible to patch the vulnerability because of interference. Having generated the model, the quantitative risk is estimated as the attacker progresses. Based on the results of this risk assessment, one can determine the best time to re-evaluate the system. It is worth mentioning that model generation is possible with a time complexity of O(N^3), where N is the number of system states.

The advantages of the approach proposed in this paper are as follows. (1) It can be used to assess the risk caused by threats to several critical parts of the system, based on the CVSS attributes of every vulnerability and the dependencies between them, while considering the attacker's progress in the system. (2) It makes possible a security evaluation of the system that considers the vulnerability data and real environmental conditions, so that dependability techniques can be used in security measurement. (3) It is possible to use the existing, mature dependability evaluation techniques.

The rest of this paper is organized as follows. Section 2 discusses the related works, their challenges and their differences from this paper. Section 3 describes the existing methods of assessing the risk resulting from an individual vulnerability using the values of CVSS attributes, and offers new definitions for the exploitability and impact of a vulnerability. Section 4 introduces how the dependency matrix is constructed based on the attack graph of the system. Section 5 presents how a Markov model is generated based on the dependency matrix and the impact and exploitability of the vulnerabilities. Section 6 estimates the security risk of the system using the generated Markov model. Finally, section 7 presents some concluding remarks.

II. RELATED WORKS

Besides the distinction between quantitative and qualitative risk assessment, risk assessment methods fall into two groups. The first group (e.g. [9]), to which the method of the present study belongs, takes all the possible exploitation sequences, or the worst possible sequences, as a basis for risk assessment, considering all the vulnerabilities in the system and their exploitability. The second group (e.g. [10]) operates on the successful attacks gathered by an intrusion detection system (IDS). The main advantage of the first category is that it takes into account all the possible sequences of exploitation. The second category, on the other hand, examines the attacker's actual behavior. However, due to the false positives and false negatives observed in the alerts received from an IDS, the state of the system will not be precisely specified. Moreover, more skilled intruders will behave differently because of their familiarity with how the IDS operates. As a result, the estimated risk will have a lower reliability.

In [11] an initial model was offered for the quantitative measurement of security, and the mean time and effort required for security breaches were computed. This was one of the first papers that put forward the idea of using dependability in security. The main challenge in using dependability analysis methods to obtain the security attributes of a system is that dependability analysis assumes that the failures occurring in the system or its components are random or rare events, whereas in security analysis we are faced with failures caused by humans. The probability of such attacks depends on human beings' intelligent behavior and their learning over time [12].

In [13] the idea of using the attack graph to estimate a quantitative metric for networks was offered. This is akin to an often used metric of cryptographic strength, which measures the weakest adversary who can break a cryptographic scheme. In an attack graph, certain conditions are required to exploit a given vulnerability, and these conditions cannot be achieved by the attacker's exploitation itself. Now, if the minimum set of conditions required to carry out an exploitation in one network exceeds that of a similar network with a different configuration, it is clear that the first network fulfills the security conditions better than the second. In fact, this method was offered to compare similar networks with different configurations. Similar procedures are followed in [14] to harden the network by achieving the minimum set of required conditions that close the paths through which the intruder tries to penetrate the system. In that paper, the severity of meeting all conditions was assumed to be the same. However,

the main challenge in such papers is that this problem is NP-hard when the conditions are considered.

The attack graph introduced in [15] has nodes that either describe exploitations which are likely to succeed given that all their conditions are met (hence called AND nodes) or represent pre- or post-conditions of the exploitations, which can be regarded as OR nodes. According to the logic of these nodes, using the intersection and conjunction operators corresponding to them, assuming that the conditions are independent of one another, and finally using the CVSS metric, the probability of reaching the target node can be calculated by examining all the paths available in the graph. The difference between the dependency graph generated in [16] and the one generated in the present paper is that the graph offered in this study contains vulnerability nodes which, if exploited, grant the attacker a privilege. Therefore, in the attack graph introduced in the current paper, both the privilege and the vulnerability nodes follow OR logic.

For the first time in [17], the idea of using a web page ranking algorithm [18] to score the nodes of an attack graph was proposed. In this algorithm the significance of each node, like that of a web page, depends on the number of paths through which the attacker can reach it. In [19], a modified web page ranking algorithm was applied to the attack graph of [8], which contains AND and OR nodes. In this way, the priority of each vulnerability for patching is computed from its CVSS score together with its dependency on other vulnerabilities. The web page ranking algorithm can also be employed on our dependency graph, but with fewer complexities.

In [9], a methodology is presented for assessing the risk of a potential threat modeled as an attack tree. It first computes the dependency between the vulnerabilities, i.e. how the exploitation of one vulnerability facilitates the exploitation of another. The dependency graph, and the rate of facilitation between two vulnerabilities, are determined by an expert. Using this dependency graph and the facilitation rates, an updated exploitability and impact are obtained for each vulnerability, the number of days during which the service is unavailable is defined, the risk resulting from each vulnerability is estimated, and finally the total risk of the threat is estimated using the attack tree. The difference between that method and the one introduced in the present study lies in the definition of dependency. The dependency defined in [9] relies heavily on subjective judgment, whereas the dependency defined in the present paper is systematic and can be easily computed. In addition, in this paper, CVSS is used to estimate the exploitability and impact of the vulnerabilities. The approach taken is able to estimate the risk of several threats.

In [20], the impact and frequency of a vulnerability are estimated by combining its CVSS attributes using Bayesian networks, and the resulting security risk is computed by combining these components. To obtain the total security of a given system, the use of Bayesian algorithms is suggested. In [21], a method is offered to estimate the total security risk of a system. In this method, the vulnerabilities of the system are divided into different groups based on their impact, and the groups are then ordered by the impact of the vulnerabilities. The system starts in a sound state until it encounters a failure. In our study, a different method of risk assessment is proposed which considers the dependencies between vulnerabilities.

TABLE I. CVSS METRIC GROUPS [4]

  Base Metric Group                                    | Temporal Metric Group     | Environmental Metric Group
  -----------------------------------------------------+---------------------------+-----------------------------------------------------------
  Access Vector (AV)  |                                | Exploitability (T_E)      | Confidentiality (E_C), Integrity (E_I), Availability (E_A)
  Complexity (AC)     | Integrity impact (B_I)         | Remediation Level (T_RL)  | Collateral Damage Potential (CDP)
  Authentication (Au) | Availability impact (B_A)      | Report Confidence (T_RC)  | Target Distribution (TD)

III. CALCULATING THE RISK OF ANY VULNERABILITY

CVSS [4] was introduced in 2004, and at present its second version is supported by the Forum of Incident Response and Security Teams. It assigns a number to each vulnerability listed in a vulnerability database such as NVD [22]. In fact, CVSS is an open framework for determining the attributes and impact of a vulnerability, based on predefined and accepted values, in order to estimate the security risk due to that vulnerability. CVSS consists of three metric groups: base, temporal, and environmental.

The base metric group consists of attributes that represent the inherent qualities of a vulnerability. The temporal group contains the attributes that change over time, and the environmental group those attributes that are unique to the user's immediate environment. The attributes of each group are summarized in TABLE I. The metric for each group receives a value ranging from 0 to 10, and the vector records the values assigned to the attributes of the vulnerability that generate this numerical value.

CVSS offers a common set of attributes for vulnerabilities. Each attribute has a predefined set of qualitative values from which the value for a given vulnerability is selected. For example, the access vector attribute of the base metric group represents the way a vulnerability is accessed and exploited. The value L indicates that the intruder must have physical access or a local account to exploit the vulnerability; the value A indicates that the intruder must have access to the local network of the host; finally, the value N indicates that the intruder can exploit the vulnerability remotely, without local or local-network access. To compute the CVSS scores, a quantitative value is assigned to each qualitative value and, using the equations that express the relationships between the attributes, the base group metric (with the values of impact and exploitability computed separately), the temporal group metric, and the environmental group metric (along with the adjusted impact) are estimated. The CVSS calculator in NVD can be used to compute these metrics. Because the attributes of the temporal group, all of which can affect exploitability, are not considered when estimating the base exploitability in CVSS, the exploitability addressed in this paper is defined as follows:

    Exploitability = BaseExploitability(CVSS) * T_E * T_RL * T_RC        (1)

Furthermore, in the CVSS estimation of adjusted impact, two attributes of the environmental group, collateral damage potential and target distribution, are not taken into consideration. For this reason, the impact addressed in this paper is defined as follows (based on the adjusted impact metric and the two attributes just mentioned):

    Impact = 2 * AdjustedImpact(CVSS) * CDP * TD        (2)

The main problem, however, is that the total score or any other metric generated for a vulnerability by CVSS, or the metrics proposed by other methods [20], consider the vulnerability by itself, without reference to its dependency on other vulnerabilities.

Many studies have been conducted on generating the attack graph, which shows all the sequences of vulnerability exploitation in a network that lead to a critical privilege [6]. Recently, the challenge addressed by many studies in this area has been to produce attack graphs with high scalability. However, providing the data needed to generate better attack graphs, making them comprehensible, and using them for network risk management are still hot topics in this field. In [8], an algorithm for generating the attack graph with high scalability is presented using MulVAL [7], a logic-based framework for vulnerability analysis. As a result, the time complexity of attack graph generation has been reduced to quadratic time. The resulting attack graph still has presentational complexities which make it difficult for humans to comprehend. This challenge is discussed in [23], where the exploitations that do not give the attacker a deeper privilege on the network are removed.

MulVAL provides a framework based on a logic-programming approach to analyze multistage, multi-host attack paths due to software vulnerabilities and misconfigurations. Network configurations, vulnerability specifications, exploitation rules, and the set of privileges on the network are specified in the logic-programming language Datalog. A logic program is a sequence of facts and rules. Facts are information about network elements, vulnerabilities, and privileges. Rules express how the attacker uses existing facts to attain new facts about the network. An off-the-shelf logic-programming engine, which can evaluate the logic program efficiently, then checks it against the security policy, expressed as a violation such as "policy violation (Adversary, Access, Resource)", and produces the attack traces that violate the security policy. The attack graph is constructed from these attack traces.

Using the OVAL Interpreter [5], the vulnerabilities and the specific configuration of a host are recognized. One major challenge in this field is the identification of the pre- and post-conditions of exploiting a vulnerability. Recently, in [24] an XML-based format similar to the OVAL language has been proposed to express the pre- and post-conditions required for the exploitation of vulnerabilities, with the purpose of using it in attack graph generation tools. In [25], an approach for extracting these pre- and post-conditions from several vulnerability databases is

[Figure 1. Example of a proposed attack graph]

          v1   v2   v3   v4   v5
     v1    0    0    0    0    0
     v2    0    0    0    0    0
     v3    1    0    0    0    0
     v4    1    0    0    0    0
     v5    0    1    1    1    0

Figure 2. Dependency matrix of attack graph

To simplify the presentation of attack graphs, the attack graph which we generate from the attack-traces output of MulVAL only includes the vulnerabilities and the privileges obtained from exploiting them. Each vulnerability can be exploited by means of one or more privileges, and as a result the attacker obtains a new privilege. Also, using one privilege, the attacker can exploit one or more vulnerabilities. For example, in the attack graph drawn in Figure 1, the attacker with privilege P0 can exploit vulnerabilities V1 and V2. His/her goal is to obtain the privilege P4 on the system. By a dependency between V1 and V2, we mean that exploiting V2 provides a condition that enables exploiting V1. For example, in Figure 1, the vulnerability set {V2, V3, V4}, on which vulnerability V5 depends, provides the privileges P2 and P3 which enable the attacker to exploit V5. The dependency matrix (|V|×|V|) between the vulnerabilities is extracted by applying Breadth First Search (BFS) to the generated attack graph. The dependency matrix of Figure 2 belongs to the attack graph given in Figure 1.

V. THE PROPOSED METHOD

A system faces vulnerabilities at every level of security. The intruder can decrease the level of service provided by the system by exploiting these vulnerabilities. The loss incurred from the drop in service level imposed on the system when the vulnerabilities are exploited depends on the collateral damage potential of the host where the vulnerabilities were observed. In the initial state, the system contains all the vulnerabilities that can be exploited directly. The intruder decreases the level of service provided by the system and aims at a state where he/she can cause a severe security failure. Despite these attacks and the drop in service level, the system can tolerate the attacks and manages to offer its main services correctly. As the exploitation proceeds, it gives the intruder more opportunities to exploit vulnerabilities causing severe security impact. In addition, it makes the system enter a collateral

damage potential whose impact cannot be easily endured by the system, or it is more likely to enter a complete failure state from these states.

A. Generating the Markov Model

Having estimated the vulnerabilities recognized in the system, the impact and exploitability defined in section 2 for each vulnerability are estimated using the CVSS attributes of the vulnerabilities. All the vulnerabilities except for the ones recognized in the initial state are categorized into N groups based on the impact they have on the system and on the system's requirements. A group is a state of the system in which the exploitation of any vulnerability recognized in it has a similar impact. The number of states (N) is equal to the number of mission tasks, or the number of user groups' privileges, or the number of subsystems which can be attacked by the intruder. The justification for such a grouping is that intruders select the easiest and most likely vulnerability to exploit among the vulnerabilities that provide them with similar results. Moreover, because the vulnerabilities of a particular state result in a similar impact, the dependency between them is of little importance and it is not taken into account in risk assessment. In fact, this type of grouping is considered to be better than grouping based on subsystems, privileges, etc. for decreasing the complexity involved in vulnerability analysis, because the analysis is conducted with reference to the component where the vulnerability is observed.

The transition rate between two states is assumed to be the estimated exploitability of the vulnerability which is easiest and most likely to exploit compared to the other vulnerabilities. Furthermore, the transfer between any two states occurs when the attacker can exploit the vulnerabilities of the new state. To obtain the transfer rate between these states, the dependency matrix introduced in section IV is used. The assumption that the intruder exploits the easiest vulnerability to transfer to another state provides the worst realistic estimation of the security risk and does not contradict the unpredictability of the intruder's behavior.

The model-generating algorithm uses the impact due to the exploitation of vulnerabilities, the dependency matrix between them, and the tolerable impact threshold of the system. The vulnerabilities that are exposed to the attacker directly are categorized into the initial state, and the remaining vulnerabilities are categorized into the N states according to the impact due to them. This algorithm consists of the following four steps:

1) In the first step, for any state, the ascendents of each vulnerability that lie in states with lower impact are extracted using the dependency matrix.

2) In the next step, the exploitability of the vulnerabilities found in that state is normalized according to the exploitability of their ascendents and their own exploitability alone, assuming that the exploitations of the ascendents of a vulnerability are independent of each other (for two ascendents, as shown in equation (3)). After estimating the exploitability of all vulnerabilities of a state, its exploitability (ExState) is assumed to be equal to the probability of the conjunction of the exploitabilities of its vulnerabilities. As a result, a higher possibility of success for the attacker (a higher risk for the system) is taken into account in case there are more vulnerabilities in a state.

$$ Ex(v) = \left( Ex(A) + Ex(B) + \frac{Ex(A)\,Ex(B)}{10} \right) \cdot \frac{Ex(v)}{10}, \quad \text{for } |\text{ascendents of } v| = 2 \qquad (3) $$

3) In the third step, the transfers between these states and their rates are determined as follows: the attacker can transfer from Si to Sj only if the exploitability of at least one of the vulnerabilities of Si allows the exploitation of at least one of the vulnerabilities in Sj.

4) Finally, from a state whose impact is above the tolerable threshold, a transfer is made to the failure state. In the process, to make sure that all states are reachable from the initial state and that the failure state is accessible from every state, all the rows and columns of the transition-state matrix are examined. If a state other than the initial state has no incoming transfer, or a state other than the failure state has no outgoing transfer, the corresponding row and column of this state are removed from the transition-state matrix. Afterwards, the transition-state matrix is re-examined to ensure that such conditions are no longer present. In the worst case, the examination and removal of states unreachable from the initial state is repeated N-1 times, and each examination and removal has complexity O(N^2).

The time complexity of the algorithm in proportion to the number of states is therefore O(N^3). The attacker will not transfer from a state with a higher impact to another with a lower impact. This is completely logical, because an attacker that has reached a state with a higher possible impact is not naturally willing to transfer to another state with a lower impact. In addition, as mentioned earlier, we do not consider dynamic repairability. Consequently, the resulting graph is a directed acyclic graph.

VI. RISK ASSESSMENT

As has been mentioned in much of the existing work on risk assessment, risk is the possibility of impact due to the probability of exploiting the vulnerabilities in the system. It is obvious that the intruder should be able to access these vulnerabilities for them to count in the risk assessment. Therefore, vulnerabilities that are not accessible to the intruder do not incur any risk to the system. For example, let us assume that the possibility of exploiting V1 depends on exploiting V2, and the mean time needed to exploit V2 is t1. Therefore, in the time interval t1 while the system keeps its initial conditions, V1 poses no threat to the system. In addition, at time t (t > t1) the risk no longer involves exploiting V2, because in the worst case the failure due to exploiting V2 has already been imposed on the system. As a result, the level of security provided by the system has decreased and there is more possibility that the intruders can exploit the vulnerabilities.

Generally, only a limited number of vulnerabilities are exposed to exploitation at any given time. As time passes, the intruder exploiting these vulnerabilities finds more opportunities to exploit vulnerabilities with severe impacts, so the risk increases for a while. Finally, as the intruder exploits these vulnerabilities on critical hosts, the failure due to these vulnerabilities affects the system until it crashes; from then on no further risk is posed, because there is no possibility of a further failure. Risk variation over time is shown in Figure 3.

Figure 3. General diagram of system risk variation with time

For the estimation of the system's risk, two components should be obtained. First, to consider the risk due to the vulnerabilities of a particular state in the risk assessment, the mean time spent by the intruder to successfully exploit the vulnerabilities in this state should be calculated. Second, the states that become accessible to the intruder after a successful exploitation of a previous state should be obtained, so that the risk due to their vulnerabilities can be examined. To calculate the mean time elapsed in each state, according to [26], and since the Markov model utilized in this paper is an absorbing one whose states are divided into two groups, operational and faulty, the τ vector is calculated as follows (the transition-rate matrix is limited to the operational states):

$$ \tau Q = -\pi(0) \qquad (4) $$

where Q is the transition-rate matrix restricted to the operational states only, π(0) is the initial state vector, and τ_i indicates the mean time the system spends in operational state i before it passes into failure. After computing the mean time spent in each state before reaching the failure state, it can easily be determined from the transition-rate matrix which states the intruder can access as time t_i passes once it has reached state i. In this way, the risk due to new states exposed to the intruder is taken into account. The total risk is estimated by equation (5), with respect to the change in the states reached by the intruder. In this formula, impact_i is the highest impact due to exploiting the vulnerabilities of state i, and ExState_i is the exploitability of state i.

$$ Risk(t) = \sum_{S_i\ \text{accessible and not exploited}} impact_i \cdot ExState_i \qquad (5) $$

VII. CASE STUDY

In this section, it is shown how to estimate the risk by applying the proposed approach to the simple network given in [16]. In this network there are three hosts: a Web server, a File server, and a Database server. For an attacker located on the Internet, only the Web server is directly accessible. The firewall and the network configuration determine the reachability among hosts (TABLE II). The vulnerabilities that exist on each host, the privilege required to exploit them (pre-condition), and the resultant privilege after the exploitation (post-condition) are given in TABLE III. All vulnerabilities on the network are remotely exploitable. For all vulnerabilities, the values of the CVSS attributes of the base and temporal metric groups are gathered from NVD [22] and OSVDB [27]. The environmental security requirements of the network are assumed to be similar to those of a network located in a university. Since availability in this environment is very important, and integrity and confidentiality are the next priorities, the cost of damage done to the Database server is greater than that of the other servers, and the cost of damage done to the File server is greater than that of the Web server. Accordingly, the value of the CDP attribute of CVSS is determined for the vulnerabilities located on each host. Because the attacker can access the network via the Web server, the maximum possible value of the TD attribute of CVSS is selected for the vulnerabilities located on the Web server. The values of the CVSS attributes for each vulnerability are given in TABLE III. In this table, the exploitability and the impact of each vulnerability are also estimated.

Figure 4. Configuration of example network

TABLE II. FIREWALL RULES OF NETWORK

    Source   Dest.   Service   Action
    All      H1      Http      Allow
    All      H1      Ftp       Allow
    All      H2      Ftp       Allow
    H1       H3      Oracle    Allow
    H2       H3      ftp       Allow


TABLE III. VULNERABILITIES OF NETWORK AND ITS VALUES OF ATTRIBUTES OF CVSS

(CVSS attribute order: B_Av/B_Ac/B_Au/B_C/B_I/B_A : T_E/T_RL/T_RC : E_C/E_I/E_A/CDP/TD)

    Vulnerability        Target            Pre-condition   Post-condition   CVSS attribute values          Impact   Exploitability
    V1  CVE-2002-0392    Web Server        Access≥user     Access=root      N/L/N/P/P/P:F/O/C:L/M/H/L/H    1.32     8.26
    V2  CVE-2003-1327    Web Server        Access≥user     Access=root      N/M/N/C/C/C:U/U/C:L/M/H/L/H    2.00     7.31
    V3  CVE-1999-0017    Web Server        Access=user     Access=user      N/L/N/P/P/P:H/N/N:L/M/H/L/H    1.32     10.00
    V4                   File Server       Access=user     Access=user      N/L/N/P/P/P:H/N/N:L/M/H/Mh/M   3.96     10.00
    V5  CVE-1999-0017    Database Server   Access=user     Access=user      N/L/N/P/P/P:H/N/N:L/M/H/H/M    4.95     10.00
    V6  CVE-2001-0499    Database Server   Access≥user     Access=root      N/L/N/P/P/P:H/N/N:L/M/H/H/M    7.50     7.39

A. Step 1: Calculating Dependency Among Vulnerabilities

As mentioned before, the dependencies among vulnerabilities are extracted from the attack graph. To generate an attack graph with the properties noted in section IV, first the reachability and vulnerability specifications are extracted as the input of MulVAL. The attack graph in Figure 7 is generated for the security-policy violation “execCode(dbServer, root)”. In the generation of this attack graph, all non-simple paths, as defined in [23], were removed for easier presentation. Since this network is very simple, it is clear that attack graph generation for other goals does not add extra dependencies to the dependency matrix. As a result, the dependency matrix of the network is presented in Figure 5.

          v1   v2   v3   v4   v5   v6
    v1     0    0    0    0    0    0
    v2     0    0    0    0    0    0
    v3     1    1    0    0    0    0
    v4     1    1    1    0    0    0
    v5     0    0    0    1    0    0
    v6     1    1    1    0    1    0

Figure 5. Dependency matrix extracted from the attack graph of Figure 7

B. Step 2: Creating the Proposed Model

V1 and V2 were categorized into the initial state because they are directly reachable by the attacker. The difference in impact value between the vulnerabilities of one state was taken to be one; as a result, three further states are obtained for the model. The complete failure state occurs when the root privilege of the Database server is obtained by the attacker. The Markov model created by the algorithm for the network is presented in Figure 6. The transition rates among states are given on the graph of the model.

Figure 6. The Markov model generated for the network

TABLE IV. RESIDENCE TIME FOR EACH STATE

    State   Impact   τi (mean residence time)   Exploitability of State
    S0      2.00     0.040                      9.533
    S1      1.32     0.016                      9.533
    S2      4.95     0.050                      9.989
    S3      7.50     0.136                      7.200

C. Step 3: Risk Assessment

Restricting the transition-rate matrix to the states other than the failure state and considering S0 as the initial state, equation (4) gives the mean residence time in each state until the failure state is reached. The values of impact, exploitability and mean residence time (τi) of each state are presented in TABLE IV. Using the values of TABLE IV and the risk defined in equation (5), the risk is estimated as the attacker progresses through the network and is presented in Figure 8. From Figure 8 one can see that after the successful exploitation of vulnerabilities V1 and V2 by the attacker, the risk increases sharply.
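As an added illustration (not code from the paper), the following Python builds the model of section V.A from the case-study values of TABLE III and Figure 5, solves equation (4) by forward substitution and evaluates equation (5) along the attacker's progress. The tolerable impact threshold, the grouping rule (impact bins of width one) and the choice of transition rate (the exploitability of the easiest enabled vulnerability, also for the transfer to failure) are this example's assumptions, so its residence times differ from TABLE IV; the state exploitabilities ExState_i are taken from TABLE IV as given.

```python
from typing import Dict, List, Set, Tuple

# Constructed from TABLE III: vulnerability -> (impact, exploitability).
VULNS: Dict[str, Tuple[float, float]] = {
    "V1": (1.32, 8.26), "V2": (2.00, 7.31), "V3": (1.32, 10.00),
    "V4": (3.96, 10.00), "V5": (4.95, 10.00), "V6": (7.50, 7.39),
}
# Dependency matrix of Figure 5: a 1 in row v, column u means u is an ascendent of v.
ASCENDENTS: Dict[str, Set[str]] = {
    "V1": set(), "V2": set(), "V3": {"V1", "V2"}, "V4": {"V1", "V2", "V3"},
    "V5": {"V4"}, "V6": {"V1", "V2", "V3", "V5"},
}
INITIAL: Set[str] = {"V1", "V2"}          # directly reachable from the Internet
EXSTATE = {0: 9.533, 1: 9.533, 2: 9.989, 3: 7.200}  # ExState_i from TABLE IV, by state index
THRESHOLD = 5.0   # assumption: impact above this is intolerable (root on the DB server, S3)
BIN = 1.0         # case study: vulnerabilities within one unit of impact share a state


def group_states(vulns=VULNS, initial=INITIAL, bin_width=BIN) -> List[List[str]]:
    """S0 holds the directly reachable vulnerabilities; the rest are binned by impact."""
    rest = sorted((v for v in vulns if v not in initial), key=lambda v: vulns[v][0])
    groups: List[List[str]] = []
    for v in rest:
        if groups and vulns[v][0] - vulns[groups[-1][0]][0] <= bin_width:
            groups[-1].append(v)
        else:
            groups.append([v])
    return [sorted(initial)] + groups


def impact(state: List[str], vulns=VULNS) -> float:
    """impact_i of equation (5): the highest impact among the state's vulnerabilities."""
    return max(vulns[v][0] for v in state)


def build_rates(states, vulns=VULNS, asc=ASCENDENTS, threshold=THRESHOLD):
    """Steps 3 and 4: rates[i][j] is the exploitability of the easiest vulnerability of Sj
    that some vulnerability of Si enables; rates[i]['F'] is the transfer to failure."""
    rates: Dict[int, Dict] = {i: {} for i in range(len(states))}
    for i, si in enumerate(states):
        for j in range(i + 1, len(states)):           # never towards a lower-impact state
            enabled = [vulns[v][1] for v in states[j] if asc[v] & set(si)]
            if enabled:
                rates[i][j] = max(enabled)
        if impact(si, vulns) > threshold:
            rates[i]["F"] = max(vulns[v][1] for v in si)  # assumption: rate of the final exploit
    return rates


def prune(rates):
    """Step 4 check: keep only states reachable from S0 that can also reach failure."""
    reach, stack = {0}, [0]
    while stack:
        for j in rates[stack.pop()]:
            if j != "F" and j not in reach:
                reach.add(j)
                stack.append(j)
    to_fail = {i for i in rates if "F" in rates[i]}
    for i in sorted(rates, reverse=True):             # DAG: successors have larger indices
        if any(j in to_fail for j in rates[i] if j != "F"):
            to_fail.add(i)
    keep = reach & to_fail
    return {i: {j: r for j, r in rates[i].items() if j == "F" or j in keep} for i in sorted(keep)}


def residence_times(rates):
    """Equation (4), tau*Q = -pi(0), with pi(0) concentrated on S0. The model is a DAG,
    so Q is upper triangular and forward substitution over the states solves it."""
    tau: Dict[int, float] = {}
    for j in rates:                                    # ordered by prune(); S0 comes first
        inflow = (1.0 if j == 0 else 0.0) + sum(tau[i] * rates[i].get(j, 0.0) for i in tau)
        tau[j] = inflow / sum(rates[j].values())       # -q_jj is the total outgoing rate
    return tau


def risk(states, rates, exploited: Set[int], exstate=EXSTATE, vulns=VULNS) -> float:
    """Equation (5): sum of impact_i * ExState_i over the states the attacker can reach
    next (only S0 before any exploitation) and has not exploited yet."""
    if not exploited:
        accessible = {0}
    else:
        accessible = {j for i in exploited for j in rates.get(i, {}) if j != "F"} - exploited
    return sum(impact(states[i], vulns) * exstate[i] for i in accessible)


def risk_profile(path: List[int]) -> List[float]:
    """Risk before any exploitation and after each successive state on `path` is exploited."""
    states = group_states()
    rates = prune(build_rates(states))
    done: Set[int] = set()
    profile = [risk(states, rates, done)]
    for s in path:
        done.add(s)
        profile.append(risk(states, rates, done))
    return profile
```

Calling risk_profile([0, 1, 2, 3]) reproduces the shape of Figure 8: the risk jumps from about 19 to about 116 once S0 (V1 and V2) has been exploited, then falls as the higher-impact states are consumed and reaches 0 at failure.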


Figure 7. The attack graph of the example network for the DB Server

Figure 8. Risk variation with attacker progress in the network

VIII. CONCLUSIONS AND FUTURE WORKS

In this paper, we presented a new approach for estimating the overall security risk due to system vulnerabilities with regard to the dependencies between them. First, the dependencies between the vulnerabilities are extracted from the attack graphs of the system. Based on these dependencies and the impact of the exploitation of vulnerabilities, a Markov model was presented. In addition, this model provides the possibility of using mature dependability techniques for security measurement, and it can be used for simplifying attack graph presentation by removing “useless” exploitations which do not provide deeper access into the network for the attacker. Since the complexity of the model generation offered is O(N^3), this method is much better than the method presented in MulVAL, which has exponential time. In the method proposed in this paper, all directly reachable vulnerabilities were categorized into the initial state because of the limitation of a simple Markov model. In future work we will extend the model and consider attackers that can start from each state with some probability.

REFERENCES

[1] G. Stoneburner, A. Goguen, and A. Feringa, “Risk management guide for information technology systems,” National Institute of Standards and Technology, Special Publication 800-30, 2002.
[2] M. Sahinoglu, “An input-output measurable design for the security meter model to quantify and manage software security risk,” IEEE Transactions on Instrumentation and Measurement, Vol. 57, June 2008, pp. 1251-1260.
[3] A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr, “Basic concepts and taxonomy of dependable and secure computing,” IEEE Transactions on Dependable and Secure Computing, Vol. 1, No. 1, January-March 2004, pp. 11-33.
[4] Common Vulnerability Scoring System (CVSS), http://www.first.org/cvss/cvss-guide.html (3/1/2010)
[5] Open Vulnerability and Assessment Language (OVAL), http://oval.mitre.org/index.html (3/1/2009)
[6] R. Lippmann et al., “An annotated review of past papers on attack graphs - PR-IA-1”, MIT Lincoln Laboratory Project Report, 31 March 2005.

[7] X. Ou, A logic-programming approach to network security analysis. Ph.D. thesis, Princeton University, 2005.
[8] X. Ou, W. F. Boyer, and M. A. McQueen, “A scalable approach to attack graph generation,” In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA, U.S.A., October 2006, pp. 336-345.
[9] M. Benini, S. Sicari, “Risk assessment in practice: a real case study,” Computer Communications, Vol. 31 (issue 15), September 2008, pp. 3691-3699.
[10] Arnes, K. Sallhammar, K. Haslum, T. Brekne, M. Moe, and S. J. Knapskog, “Real-time risk assessment with network sensors and intrusion detection systems,” In Proceedings of the International Conference on Computational Intelligence and Security (CIS'05), Xian, China, December 2005, LNCS Vol. 3802, pp. 388-397.
[11] Littlewood, S. Brocklehurst, N. Fenton, P. Mellor, S. Page, and D. Wright, “Towards operational measures of computer security,” Journal of Computer Security, 1993, Vol. 2, pp. 211-229.
[12] M. Nicol, W. H. Sanders, and K. S. Trivedi, “Model-based evaluation: from dependability to security,” IEEE Transactions on Dependable and Secure Computing, Vol. 1, Issue 1, Jan 2004, pp. 48-65.
[13] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, “Network security metrics: A weakest adversary security metric for network configuration security analysis,” In Proceedings of the 2nd ACM Workshop on Quality of Protection, Alexandria, VA, USA, October 2006, pp. 31-38.
[14] L. Wang, N. Steven, and S. Jajodia, “Minimum-cost network hardening using attack graphs,” Computer Communications, Vol. 29, Issue 18, 28 November 2006, pp. 3812-3824.
[15] L. Wang, A. Singhal, and S. Jajodia, “An attack graph-based probabilistic security metric,” In Proceedings of the 22nd Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSEC 2008), London, U.K., July 13-16, 2008, LNCS, Vol. 5094, pp. 283-296.
[16] P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based network vulnerability analysis,” In Proceedings of the 9th ACM Conference on Computer and Communications Security, Washington, DC, November 2002, pp. 217-224.
[17] V. Mehta, C. Bartzis, H. Zhu, E. Clarke, and J. Wing, “Ranking attack graphs,” In Proceedings of Recent Advances in Intrusion Detection (RAID), Massachusetts, USA, September 2006, LNCS, Vol. 4219, pp.
[18] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Automated generation and analysis of attack graphs,” In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 2002, pp. 273-284.
[19] R. Sawilla and X. Ou, “Identifying critical attack assets in dependency attack graph,” In Proceedings of the 13th European Symposium on Research in Computer Security (ESORICS), Malaga, Spain, October 2008, LNCS, Vol. 5283, pp. 18-34.
[20] S. H. Houmb, V. Nunes Leal Franqueira, and E. A. Engum, “Quantifying security risk level from CVSS estimates of frequency and impact,” Journal of Systems and Software, ISSN 0164-1212 (in press).
[21] S. H. Houmb, and V. Nunes Leal Franqueira, “Estimating ToE risk level using CVSS,” In Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES 2009 The International

Cyber Security (VizSEC), Cambridge, MA USA, September 15, 2008, LNCS, Vol. 5210, pp. 68-79.
[24] P. Maggi, D. Pozza, and D. Sisto, “Vulnerability modelling for the analysis of network attacks,” In Proceedings of the Third International Conference on Dependability of Computer Systems (DepCoS-RELCOMEX), Washington, DC, USA, 2008, IEEE Computer Society, pp. 15-22.
[25] S. Roschke, F. Cheng, R. Schuppenies, and C. Meinel, “Towards unifying vulnerability information for attack graph construction,” In Proceedings of the 12th International Conference on Information Security, Pisa, Italy, 2009, LNCS, Vol. 5735, pp. 218-233.
[26] K. S. Trivedi, Probability and Statistics with Reliability, Queuing, and Computer Science Applications, John Wiley and Sons, New York, 2001. ISBN 0-471-33341-7.
[27] OSVDB: The Open Source Vulnerability Database, osvdb.org (accessed March 3, 2010)
[28] K. Scarfone, and T. Grance, “A framework for measuring the vulnerability of hosts,” In Proceedings of the 1st International Conference on Information Technology, IEEE Computer Society, pp. 1-4.

AUTHORS PROFILE

Mohammad Taromi is currently an M.Sc. student in computer engineering (software) at the School of Computer Engineering, Iran University of Science and Technology, Tehran, Iran. His research interests include network security, vulnerability analysis, security estimation and evaluation, and modelling and analysis of dependable systems.

Mohammad Abdollahi Azgomi received the B.S., M.S. and Ph.D. degrees in computer engineering (software) (1991, 1996 and 2005, respectively) from Sharif University of Technology, Tehran, Iran. His research interests include performance and dependability modelling with high-level modelling formalisms such as stochastic Petri nets, tools for modelling and evaluation, verification and validation, object-oriented modelling, web services, grid computing and network security. He has published several papers in international journals and

Dr. Abdollahi Azgomi is currently a faculty member at the
       Dependability Conference), 16-19 March 2009, Fukuoka, Japan, IEEE               school of computer engineering, Iran University of Science
       Computer Society, pp. 718-725.                                                  and Technology, Tehran, Iran.
[22]   NIST, National Vulnerability Database, NVD, http://nvd.nist.gov/
       (accessed March 3, 2010)
[23]   J. Homer, A. Varikuti, X. Ou, and M. A. McQueen, “Improving attack
       graphvisualization through data reduction and attack grouping,”
       Proceedings of the 5th International Workshop on Visualization for

                                                                                 346                                     http://sites.google.com/site/ijcsis/
                                                                                                                         ISSN 1947-5500