Network Security Metrics: From Known Vulnerabilities to Zero Day Attacks

Abstract

Network Secunetwork security metric enables the direct measurement of the relative effectiveness of different security solutions. The results thus provide quantifiable evidences to assist security practitioners in choosing among those security solutions, which makes network security hardening a science rather than an art. The development of network security metrics has evolved from focusing on known vulnerabilities to considering also unknown zero day attacks. This chapter reviews the challenges and solutions in designing network security metrics for both known and unknown threats. Specifically, we first examine how CVSS scores may be combined based on attack graphs to measure the overall threat of residue vulnerabilites; we then estimate the resilience of networks against unknown vulnerabilities by counting the number of such vulnerabilities along the shortest attack path; finally, we model the effect of diversity on network security with respect to zero day attacks.