2 articles found
Dependence-Induced Risk: Security Metrics and Their Measurement Framework (cited by: 2)
1
Authors: Liqiang Zhang, Fei Yan, Bo Zhao, Shouhuai Xu. China Communications (SCIE, CSCD), 2016, Issue 11, pp. 119-128 (10 pages)
Despite the tremendous effort made by industry and academia, we are still searching for metrics that can characterize Cyberspace and system security risks. In this paper, we study the class of security risks that are inherent to the dependence structure in software with vulnerabilities and exhibit a "cascading" effect. We present a measurement framework for evaluating these metrics, and report a preliminary case study on evaluating the dependence-induced security risks in the Apache HTTP Server. The experiment results show that our framework can not only clearly analyze the root cause of the security risks but also quantitatively evaluate the attack consequence of the risks.
Keywords: Cyberspace security; security metrics; exploitability surface; attack consequence; risk assessment
A Quantitative Security Metric Model for Security Controls: Secure Virtual Machine Migration Protocol as Target of Assessment (cited by: 1)
2
Authors: Tayyaba Zeb, Muhammad Yousaf, Humaira Afzal, Muhammad Rafiq Mufti. China Communications (SCIE, CSCD), 2018, Issue 8, pp. 126-140 (15 pages)
Quantitative security metrics are desirable for measuring the performance of information security controls. Security metrics help to make functional and business decisions for improving the performance and cost of the security controls. However, defining enterprise-level security metrics has already been listed as one of the hard problems in the InfoSec Research Council's hard problems list. Almost all the efforts in defining absolute security metrics for the enterprise security have not been proved fruitful. At the same time, with the maturity of the security industry, there has been a continuous emphasis from the regulatory bodies on establishing measurable security metrics. This paper addresses this need and proposes a relative security metric model that derives three quantitative security metrics named Attack Resiliency Measure (ARM), Performance Improvement Factor (PIF), and Cost/Benefit Measure (CBM) for measuring the performance of the security controls. For the effectiveness evaluation of the proposed security metrics, we took the secure virtual machine (VM) migration protocol as the target of assessment. The virtualization technologies are rapidly changing the landscape of the computing world. Devising security metrics for virtualized environment is even more challenging. As secure virtual machine migration is an evolving area and no standard protocol is available specifically for secure VM migration. This paper took the secure virtual machine migration protocol as the target of assessment and applied the proposed relative security metric model for measuring the Attack Resiliency Measure, Performance Improvement Factor, and Cost/Benefit Measure of the secure VM migration protocol.
Keywords: attack resiliency measure; cost-benefit measure; performance improvement factor; security assessment; formal verification; security controls; security metrics; virtual machine migration protocol