Annual Computer Security Applications Conference (ACSAC) 2012

Full Program »

M4: Security Metrics and Risk Analysis of Enterprise Networks: Techniques and Challenges

Monday, 3 December 2012
13:30 - 17:00


At present, computer networks constitute the core component of information technology infrastructures in areas such as power grids, financial data systems and emergency communication systems. Protection of these networks from malicious intrusions is critical to the economy and security of our nation. Protection of enterprise networks from malicious intrusions is critical to the economy and security of our nation. To improve the security of these information systems, it is necessary to measure the amount of security provided by different networks configurations. A standard model for security analysis will enable us to answer questions such as "are we more secure than yesterday" or "how does the security of one network configuration compare with another one". Also, having a standard model to measure network security will bring together users, vendors and researchers to evaluate methodologies and products for network security.

The objective of this tutorial is to give an overview of the techniques and challenges for security metrics and risk analysis of enterprise networks. In this tutorial, we will present some basics of security metrics and a methodology for security risk analysis that is based on the model of attack graphs and the Common Vulnerability Scoring System (CVSS).

The area of how to measure security for enterprise systems is a challenging one. In security, business leaders ask the following questions:

These are difficult questions to answer. Security metrics can help an organization for

In this tutorial, we will first present basic concepts about security metrics and then present techniques for security risk analysis of enterprise networks using Attack Graphs.

An essential type of security risk analysis is to determine the level of compromise possible for important hosts in a network from a given starting location. This is a complex task as it depends on the network topology, security policy in the network as determined by the placement of firewalls, routers and switches and on vulnerabilities in hosts and communication protocols. Traditionally, this type of analysis is performed by a red team of computer security professionals who actively test the network by running exploits that compromise the system. Red team exercises are effective, however they are labor intensive and time consuming. There is a need for alternate approaches that can work with host vulnerability scans.

In this tutorial, we will present a methodology for security risk analysis that is based on the model of attack graphs and the Common Vulnerability Scoring System (CVSS). Attack graphs illustrate the cumulative effect of attack steps, showing how individual steps can potentially enable an attacker to gain privileges deep within the network. CVSS is a risk measurement system that gives the likelihood that a single attack step is successfully executed. In this tutorial we present a methodology to measure the overall system risk by combining the attack graph structure with CVSS. Our technique analyzes all attack paths through a network, providing a probabilistic metric of the overall system risk.

Prerequisites. None. The course is intended to be useful to IT Security Professionals in industry and academia, researchers in computer and network security, and graduate students.


  1. Basics of Enterprise Security Metrics
  2. Examples of Technical Security Metrics
  3. Automating Metrics Calculations Using a Data Model
  4. Common Vulnerability Scoring System (CVSS)
  5. Attack Graphs, Bayesian Networks and MulVAL Tool for generating Attack Graphs
  6. Security Risk Analysis of Enterprise Systems using Attack Graphs
  7. Challenges and Future Directions
  8. Conclusions

About the Instructors:

Dr. Anoop Singhal is currently a Senior Computer Scientist in the Computer Security Division at NIST. His research interests are in secure web services and network security, intrusion detection and large scale data mining systems. He has several years of research experience at NIST, George Mason University and AT&T Bell Labs. As a Distinguished Member of Technical Staff at Bell Labs he has led several research projects in the area of Databases and Data Mining Systems, Web Services and Network Management Systems. He is a senior member of IEEE and he has published more than 25 papers in leading conferences and journals. He received his Ph.D. in Computer Science from Ohio State University, Columbus Ohio. He has given several talks and presented papers in conferences such as RSA 2007, IFIP DBSEC 2010, ACM CCS 2010 and ACSAC 2009.

Dr. Xinming Ou is currently an Associate Professor at Kansas State University. He received his PhD from Princeton University in 2005, where he designed the MulVAL network security analyzer as his PhD dissertation work. He was a post-doctoral research associate at Purdue University's CERIAS center from Sept 2005 to May 2006, and joined Kansas State University in Aug 2006. Dr. Ou has also visited Idaho National Laboratory (INL) for the summers of 2006 and 2007 as a research associate, working with INL scientists on applying attack graphs to analyze the security threats facing the nation's critical infrastructures. Dr. Ou's current research activities focus on enterprise network security defense, including security configuration management, intrusion analysis, incident response and forensics, and security metrics. He is a recipient of NSF Faculty Early Career Development (CAREER) Award.



Powered by OpenConf®
Copyright ©2002-2012 Zakon Group LLC