A novel system for quantifying the danger degree of computer network attacks

摘要

Nowadays, security improvement of computer networks is a serious issue. In order to do minimum cost network hardening, scoring vulnerabilities for finding the most dangerous ones is urgent. Standard efforts like CVSS rank vulnerabilities. But, CVSS has some weaknesses like, lack of suitable diversity for vulnerability scoring. Consequently, by using CVSS, vast number of vulnerabilities are mapped into only a small set of scores. On the other hand, CVSS is not capable of ranking multi-step attacks. So, CVSS is not applicable for discriminating vulnerabilities in real world. By regarding such challenges, in this paper, some attack graph based security metrics have been defined that makes risk assessment of multi-step attacks possible. As each vulnerability is evaluated based on its situation in the network beside its intrinsic features, scores diversity improves considerably. The most important innovation of our approach is its capability to do quantitative risk assessment instead of qualitatively one which has been achieved by defining security metrics as much as independent from CVSS.