AN ESTIMATION OF ATTACK SURFACE TO EVALUATE NETWORK (IN)SECURITY

Andrea Atzeni, Antonio Lioy

Abstract

In spite of their importance, security measurement methods are unusual in practice. Security assessment is left in the hands of personel security experts’ judgment, with poor formal arguments on the security level of the underlying system. Thus, it is difficult to distinguish among security alternatives or justify possible security changes or improvements. In this work we focus on a limited but important set of security indicators, suitable to estimate the attack surface a system exposes, thus introducing a simple and objective metric for a fast evaluation of an important security facet.

References

  1. Albrecht, A. J. and Gaffney, J. E. (1983). Software function, source lines of code, and development effort prediction: A software science validation. IEEE Transactions on Software Engineering, 9(6):639-648.
  2. Atzeni, A. and Lioy, A. (2005). Why to adopt a security metric? A brief survey. In Proc. of QoP2005, First International Workshop on Quality of Protection, Milan (Italy), pages 1-12.
  3. Budiarto, R., Sureswaran, R., Samsudin, A., and Noor, S. (2004). Development of penetration testing model for increasing network security. In Proc. of Information and Communication Technologies: From Theory to Applications, Damascus (Syria), pages 563-564.
  4. CC (2006). Common criteria for information technology security evaluation v3.1. [Online] http://www.commoncriteriaportal.org/public/consumer/index.php?menu=2.
  5. Chidamber, S. R. and Kemerer, C. F. (1994). A metrics suite for object oriented design. IEEE Transactions on Software Engineering, 20(6):476-494.
  6. Disney, A. and Johnson, P. M. (1998). Investigating data quality problems in the PSP. In Proc. of the 6th ACM SIGSOFT international symposium on Foundations of software engineering, Lake Buena Vista (FL, USA), pages 143-152.
  7. FIRST (2005). Common Vulnerability Scoring System (CVSS). [Online] http://www.first.org/cvss/cvssguide.html.
  8. fyodor@Insecure.org (1998). Nmap security scanner. [Online] http://www.insecure.org/nmap/.
  9. Hauser, V. and Revmoon, D. J. (2006). The hacker's choice AMAP application mapper v5.2. [Online] http://thc.org/thc-amap/.
  10. Howard, M., Pincus, J., and Wing, J. (2003). Measuring relative attack surfaces. In Proc. of Workshop on Advanced Developments in Software and Systems Security, Taipei (Taiwan).
  11. Howard, M., Pincus, J., and Wing, J. (2005). Computer Security in the 21st Century, chapter 8, pages 109- 137. Springer.
  12. Martin, B., Sullo, C., and Kouns, J. (2002). OSVDB: Open Source Vulnerability Database. [Online] http://www.osvdb.org/database-info.php.
  13. McCabe, T. (1976). Complexity measure. IEEE Transactions on Software Engineering, 2(4):308-320.
  14. Microsoft (2003). Microsoft security alert severity matrix. [Online] http://www.microsoft.com/technet/ security/alerts/matrix.mspx.
  15. MITRE (2001). Common vulnerabilities and exposures web site. [Online] http://www.cve.mitre.org/.
  16. Nicol, D., Sanders, W., and Trivedi, K. (2004). Modelbased evaluation: from dependability to security. IEEE Transactions on Dependable and Secure Computing, 1(1):48-65.
  17. NIST (2005). National vulnerability database. [Online] http://nvd.nist.gov/.
  18. SANS (2003). Critical vulnerability analysis. [Online] http://www.sans.org/newsletters/cva/.
  19. Schudel, G. and Wood, B. (2000). Adversary work factor as a metric for information assurance. In Proc. of New Security Paradigm Workshop, ACM/SIGSAC, Ballycotton (Ireland), pages 23-30.
Download


Paper Citation


in Harvard Style

Atzeni A. and Lioy A. (2007). AN ESTIMATION OF ATTACK SURFACE TO EVALUATE NETWORK (IN)SECURITY . In Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS, ISBN 978-972-8865-90-0, pages 493-497. DOI: 10.5220/0002377304930497


in Bibtex Style

@conference{iceis07,
author={Andrea Atzeni and Antonio Lioy},
title={AN ESTIMATION OF ATTACK SURFACE TO EVALUATE NETWORK (IN)SECURITY},
booktitle={Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS,},
year={2007},
pages={493-497},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002377304930497},
isbn={978-972-8865-90-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Ninth International Conference on Enterprise Information Systems - Volume 3: ICEIS,
TI - AN ESTIMATION OF ATTACK SURFACE TO EVALUATE NETWORK (IN)SECURITY
SN - 978-972-8865-90-0
AU - Atzeni A.
AU - Lioy A.
PY - 2007
SP - 493
EP - 497
DO - 10.5220/0002377304930497