By enabling a direct comparison of different
security solutions with respect to their relative effectiveness, a network
security metric may provide quantifiable evidences to assist security
practitioners in securing computer networks. However, research on security
metrics has been hindered by difficulties in handling zero-day attacks exploiting
unknown vulnerabilities. In fact, the security risk of unknown vulnerabilities
has been considered as something unmeasurable due to the less predictable
nature of software flaws. This causes a major difficulty to security metrics,
because a more secure configuration would be of little value if it were equally
susceptible to zero-day attacks. In this paper, we propose a novel security
metric, k-zero day safety, to address this issue. Instead of attempting to rank
unknown vulnerabilities, our metric counts how many such vulnerabilities would
be required for compromising network assets; a larger count implies more
security because the likelihood of having more unknown vulnerabilities
available, applicable, and exploitable all at the same time will be
significantly lower. We formally define the metric, analyze the complexity of
computing the metric, devise heuristic algorithms for intractable cases, and
finally demonstrate through case studies that applying the metric to existing
network security practices may generate actionable knowledge.
No comments:
Post a Comment