Vulnerability Metrics for Graph-based Configuration Security

“…A "good" attack surface metric should be able to identify and credibly enumerate all attack paths 6 by conducting an in-depth analysis of each path's entry and exit points or target points, implicit and explicit interdependencies, and vulnerabilities. 7 Stuckman and Purtilo highlighted that an attack surface metric quantifies the scale of vulnerabilities of a system. 6 They suggested that, in analyzing a system's security posture, a good metric will demonstrate that software with fewer vulnerabilities is more secure than software with more exposures.…”

“…Therefore, we focus our attention on features of the vulnerabilities themselves and on any information that may be available to potential attackers and that could influence their selection of target exploits. 7,19 We define the exploitation likelihood (or simply likelihood) of a vulnerability as the probability that an attacker will attempt to exploit that vulnerability, if given the opportunity. An attacker has the opportunity to exploit a vulnerability if certain preconditions are met, most notably if they have access to the vulnerable host and have sufficient privileges.…”

“…The susceptibility of a system to attacks is determined by the area of its attack surface. A “good” attack surface metric should be able to identify and credibly enumerate all attack paths 6 by conducting an in‐depth analysis of each path's entry and exit points or target points, implicit and explicit interdependencies, and vulnerabilities 7 …”

“…In this subsection, we review the metrics 7 we have developed to address the need to quantify different dimensions of the vulnerability subgraphs used in SCIBORG's model. For the purpose of this analysis, we consider a static snapshot of the system being studied, so that we can assume that the set of known vulnerabilities is fixed.…”

“…While approaches considering the skills and resources available to different types of attackers have been explored in the literature, 14 such approaches are not useful in practice, as defenders should always operate under worst‐case assumptions, and assume they are facing skilled and well‐equipped attackers. Therefore, we focus our attention on features of the vulnerabilities themselves and on any information that may be available to potential attackers and that could influence their selection of target exploits 7,19 …”

An attack volume metric

“…A "good" attack surface metric should be able to identify and credibly enumerate all attack paths 6 by conducting an in-depth analysis of each path's entry and exit points or target points, implicit and explicit interdependencies, and vulnerabilities. 7 Stuckman and Purtilo highlighted that an attack surface metric quantifies the scale of vulnerabilities of a system. 6 They suggested that, in analyzing a system's security posture, a good metric will demonstrate that software with fewer vulnerabilities is more secure than software with more exposures.…”

“…Therefore, we focus our attention on features of the vulnerabilities themselves and on any information that may be available to potential attackers and that could influence their selection of target exploits. 7,19 We define the exploitation likelihood (or simply likelihood) of a vulnerability as the probability that an attacker will attempt to exploit that vulnerability, if given the opportunity. An attacker has the opportunity to exploit a vulnerability if certain preconditions are met, most notably if they have access to the vulnerable host and have sufficient privileges.…”

“…The susceptibility of a system to attacks is determined by the area of its attack surface. A “good” attack surface metric should be able to identify and credibly enumerate all attack paths 6 by conducting an in‐depth analysis of each path's entry and exit points or target points, implicit and explicit interdependencies, and vulnerabilities 7 …”

“…In this subsection, we review the metrics 7 we have developed to address the need to quantify different dimensions of the vulnerability subgraphs used in SCIBORG's model. For the purpose of this analysis, we consider a static snapshot of the system being studied, so that we can assume that the set of known vulnerabilities is fixed.…”

“…While approaches considering the skills and resources available to different types of attackers have been explored in the literature, 14 such approaches are not useful in practice, as defenders should always operate under worst‐case assumptions, and assume they are facing skilled and well‐equipped attackers. Therefore, we focus our attention on features of the vulnerabilities themselves and on any information that may be available to potential attackers and that could influence their selection of target exploits 7,19 …”

An attack volume metric