Ibifubara Iganibo, Massimiliano Albanese, M. Mosko, Eric Bier, Alejandro E. Brito
{"title":"An attack volume metric","authors":"Ibifubara Iganibo, Massimiliano Albanese, M. Mosko, Eric Bier, Alejandro E. Brito","doi":"10.1002/spy2.298","DOIUrl":null,"url":null,"abstract":"For more than a decade, the notion of attack surface has been used to define the set of vulnerable assets that an adversary may exploit to penetrate a system, and various metrics have been developed to quantify the extent of a system's attack surface. However, most approaches to tackle this problem have failed to consider the complex interdependencies that exist between the many components of a distributed system, its vulnerabilities, and its configuration parameters. In our work, building upon previous research on vulnerability metrics and on graphical models to capture such interdependencies, we propose a novel approach to evaluate the potential risk associated with exposed vulnerabilities by studying how the effect of each vulnerability exploit propagates through chains of dependencies. Our analysis goes beyond the scope of traditional attack surface metrics, and considers the depth and implications of potential attacks, leading to the definition of a new family of metrics, which we refer to as attack volume metrics. We present experimental results illustrating how the proposed metric scales for graphs of realistic sizes, and illustrate its application to real‐world testbeds.","PeriodicalId":29939,"journal":{"name":"Security and Privacy","volume":" ","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2023-01-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1002/spy2.298","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 1
Abstract
For more than a decade, the notion of attack surface has been used to define the set of vulnerable assets that an adversary may exploit to penetrate a system, and various metrics have been developed to quantify the extent of a system's attack surface. However, most approaches to tackle this problem have failed to consider the complex interdependencies that exist between the many components of a distributed system, its vulnerabilities, and its configuration parameters. In our work, building upon previous research on vulnerability metrics and on graphical models to capture such interdependencies, we propose a novel approach to evaluate the potential risk associated with exposed vulnerabilities by studying how the effect of each vulnerability exploit propagates through chains of dependencies. Our analysis goes beyond the scope of traditional attack surface metrics, and considers the depth and implications of potential attacks, leading to the definition of a new family of metrics, which we refer to as attack volume metrics. We present experimental results illustrating how the proposed metric scales for graphs of realistic sizes, and illustrate its application to real‐world testbeds.