Novel security metrics for ranking vulnerabilities in computer networks | IEEE Conference Publication | IEEE Xplore

Novel security metrics for ranking vulnerabilities in computer networks

Abstract:

With the daily appearance of new vulnerabilities and the many ways of intruding into networks, one of the most important fields in network security is network hardening, which is achieved by patching vulnerabilities. Patching all vulnerabilities, however, may impose a high cost on the network, so we should try to eliminate only the most perilous vulnerabilities. CVSS can score vulnerabilities based on the amount of damage they incur in the network, but its main limitation is that it scores individual vulnerabilities without considering their relationships with the other vulnerabilities of the network. To help fill this gap, in this paper we define attack graph and CVSS-based security metrics that help prioritize vulnerabilities in the network by measuring the probability of exploiting them and the amount of damage they impose on the network. The proposed security metrics are defined by considering the interaction between all vulnerabilities of the network, so our method ranks vulnerabilities based on the network they exist in. Results of applying these security metrics to one well-known network example are also shown and demonstrate the effectiveness of our approach.
Date of Conference: 09-11 September 2014
Date Added to IEEE Xplore: 08 January 2015
Conference Location: Tehran, Iran

I. Introduction

These days, computer networks have become an inseparable part of our lives, and various fields, such as banking transactions and education, are fully dependent on them. With the development of various methods of intruding into networks, network immunization has become one of the most serious challenges. One of the most effective ways of opposing attacks is intrusion prevention. To do intrusion prevention, we first need to identify the causes of attacks, that is, the vulnerabilities in the network. A vulnerability is a mistake in software that can be directly used by a hacker to gain access to a system [1]. After identifying vulnerabilities, attempts should be made to remove them. The simplest solution for network hardening is removing all vulnerabilities, but this is practically impossible. First, vulnerabilities emerge rapidly and the rate at which patches are released does not keep up with this emergence. Second, unconfirmed patches may bring the system into instability and introduce more bugs. Third, patching at the OS kernel level often requires a reboot, and some organizations cannot tolerate the effect on availability [1]. These unwanted effects of vulnerability patching on the network are referred to as cost. Sometimes this cost outweighs the danger of the attacks on the network. Since, because of cost, we cannot patch all vulnerabilities in the network, the other way to do intrusion prevention is to limit the number of vulnerabilities that must be patched. To do such limiting, it is effective to find the most dangerous vulnerabilities in the network and pay the patch cost only for them. For measuring the danger of vulnerabilities, the Common Vulnerability Scoring System (CVSS) [17] was introduced; it can score and rank individual vulnerabilities in the network.

Despite its power in scoring vulnerabilities, CVSS alone is not a good choice, because most attacks on a network are multistep attacks in which the attacker exploits more than one vulnerability, in the proper order, to reach his goal. Moreover, CVSS scores vulnerabilities independently of the network they exist in.
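To make the argument concrete, the following added example (my own illustration, not the paper's metrics or code) ranks the same set of vulnerabilities once by CVSS subscores alone and once in the context of a small attack graph. It assumes CVSS v2 exploitability and impact subscores on a 0-10 scale, a DAG whose edge A -> B means "exploiting A satisfies a precondition of B", noisy-OR combination over predecessors, and a damage term that adds the impact a vulnerability unlocks downstream; the sample data is constructed.

```python
"""Illustrative attack-graph ranking (added example, not the paper's formulas)."""
from math import prod

# Constructed sample data: id -> (CVSS exploitability subscore, impact subscore).
VULNS = {"v_ftp": (8.6, 6.4), "v_web": (10.0, 2.9),
         "v_ssh": (8.6, 10.0), "v_db": (8.0, 10.0)}
# Constructed attack graph: vulnerability -> successors it enables (a DAG).
EDGES = {"v_ftp": ["v_ssh", "v_db"], "v_web": ["v_db"], "v_ssh": [], "v_db": []}


def predecessors(graph):
    preds = {n: [] for n in graph}
    for src, dsts in graph.items():
        for dst in dsts:
            preds[dst].append(src)
    return preds


def exploit_probability(vulns, graph):
    """P(v exploited) = local exploitability * P(some predecessor exploited),
    combined with noisy-OR. Entry nodes (no predecessors) are assumed reachable."""
    preds, memo = predecessors(graph), {}

    def p(node):
        if node not in memo:
            local = vulns[node][0] / 10.0
            reach = 1.0 if not preds[node] else 1.0 - prod(1.0 - p(q) for q in preds[node])
            memo[node] = local * reach
        return memo[node]
    return {n: p(n) for n in graph}


def downstream_damage(vulns, graph):
    """Own impact plus each successor's damage, discounted by the successor's
    exploitability (assumed model; the paper's damage metric may differ)."""
    memo = {}

    def d(node):
        if node not in memo:
            memo[node] = vulns[node][1] + sum(vulns[s][0] / 10.0 * d(s) for s in graph[node])
        return memo[node]
    return {n: d(n) for n in graph}


def rank_in_context(vulns, graph):
    """Rank by probability * damage: a low-impact entry point that unlocks
    high-impact hosts can outrank those hosts themselves."""
    p, dmg = exploit_probability(vulns, graph), downstream_damage(vulns, graph)
    return sorted(((n, p[n] * dmg[n]) for n in graph), key=lambda kv: -kv[1])


def rank_standalone(vulns):
    """CVSS-only baseline: exploitability * impact, ignoring the network."""
    return sorted(((n, e * i) for n, (e, i) in vulns.items()), key=lambda kv: -kv[1])
```

With the constructed data, the standalone ranking puts v_ssh and v_db first, while the context-aware ranking moves the FTP entry point to the top because it enables both of them.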
