A Vulnerability-Centric Approach to Network Security Metrics

以漏洞为中心的网络安全指标方法

• 批准号: 341840-2012
• 负责人: Wang, Lingyu
• 金额: $ 1.6万
• 依托单位: Concordia University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2016
• 资助国家: 加拿大
• 起止时间: 2016-01-01 至 2017-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=595494
• 关键词: Vulnerability; Centric; Approach; Network; Security

As today's critical infrastructures and enterprises increasingly rely on networked computer systems, the security of such systems becomes crucial to the economy and society. However, before we can improve the security of a network, it is desirable to be able to measure it, since "you cannot improve what you cannot measure". A network security metric is desirable since it will allow for a direct measurement of how secure a network currently is, and how secure it would be after introducing new security mechanisms or configuration changes. Such a capability will make the effort of network hardening a science rather than an art. Emerging efforts on network security metrics, including the Common Vulnerability Scoring System (CVSS-SIG) standard, typically assign numeric scores to vulnerabilities as their relative exploitability or likelihood. The assignment is usually based on known facts about each vulnerability (e.g., whether it requires an authenticated user account). Such approaches share several limitations. First, by considering vulnerabilities on an individual basis, a network security administrator could be misled in a situation where individual vulnerabilities scores are low but these vulnerabilities can be combined to compromise a critical resource. Second, the methodology is no longer applicable when considering zero day vulnerabilities about which we have no prior knowledge or experience, which in fact leads to a major criticism of existing efforts on security metrics, that is, unknown zero day vulnerabilities are not measurable. Third, the numerical scores assigned to vulnerabilities usually lack a well defined semantic, and are not generally related to other measures that can be easily interpreted by human analysts, such as time or dollars. The proposed research will address these pressing issues by proposing a novel vulnerability-centric approach to quantitatively modeling vulnerability information through security metrics.

随着当今的关键基础设施和企业越来越依赖于联网的计算机系统，这种系统的安全性对于经济和社会变得至关重要。然而，在我们能够提高网络的安全性之前，最好能够对其进行测量，因为“你无法改善你无法测量的东西”。网络安全度量是期望的，因为它将允许直接测量网络当前有多安全，以及在引入新的安全机制或配置改变之后它将有多安全。这种能力将使网络强化成为一门科学，而不是一门艺术。网络安全指标方面的新兴努力，包括通用漏洞评分系统（CVSS-SIG）标准，通常会为漏洞分配数字分数，作为其相对可利用性或可能性。分配通常基于关于每个漏洞的已知事实（例如，是否需要认证的用户帐户）。这种方法有几个局限性。首先，通过在个体基础上考虑漏洞，网络安全管理员可能在个体漏洞分数较低但这些漏洞可以组合以危害关键资源的情况下被误导。其次，当考虑我们没有先验知识或经验的零日漏洞时，该方法不再适用，这实际上导致了对现有安全指标的主要批评，即未知的零日漏洞是不可测量的。第三，分配给漏洞的数值分数通常缺乏定义良好的语义，并且通常与人类分析师可以轻松解释的其他指标（如时间或美元）无关。拟议的研究将解决这些紧迫的问题，提出了一种新的以安全性为中心的方法，通过安全指标定量建模的漏洞信息。