This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2745505, IEEE Communications Surveys & Tutorials
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. XX, NO. X, XXXXX QUARTER 2017

Model-Based Quantitative Network Security Metrics: A Survey

Alex Ramos, Marcella Lazar, Raimir Holanda Filho, and Joel J. P. C. Rodrigues, Senior Member, IEEE

Manuscript received Month XX, 2016; revised Month XX, 2017.
Alex Ramos, Marcella Lazar, and Raimir Holanda Filho are with University of Fortaleza (UNIFOR), CE, Brazil (e-mail: alex.lacerda@edu.unifor.br; marcellaplazar@edu.unifor.br; raimir@unifor.br).
Joel J. P. C. Rodrigues is with National Institute of Telecommunications (Inatel), MG, Brazil; Instituto de Telecomunicações, Portugal; ITMO University, Russia; and University of Fortaleza (UNIFOR), CE, Brazil (e-mail: joeljr@ieee.org).
1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract—Network security metrics (NSMs) based on models make it possible to quantitatively evaluate the overall resilience of networked systems against attacks. For that reason, such metrics are of great importance to the security-related decision-making process of organizations. Considering that over the past two decades several model-based quantitative NSMs have been proposed, this article presents a deep survey of the state of the art of these proposals. First, to distinguish the security metrics described in this survey from other types of security metrics, an overview of security metrics in general and their classifications is presented. Then, a detailed review of the main existing model-based quantitative NSMs is provided, along with their advantages and disadvantages. Finally, this survey is concluded with an in-depth discussion on relevant characteristics of the surveyed proposals and open research issues of the topic.

Index Terms—Security Metrics, Network Security, Model-Based Metrics, Quantitative Security, Security Level.

I. INTRODUCTION

In today's globalized world, people heavily rely on computer networking technologies, since they are crucial to the operation of the information systems and critical infrastructures that underpin our society. However, computer networks are at constant risk from cyber attacks, which are becoming increasingly severe and sophisticated. Such attacks may enable an adversary to gain access to private information, degrade network performance, and, ultimately, take full control of the target system. Examples of cyber attacks that can take advantage of network vulnerabilities are denial of service, brute force, spoofing, and buffer overflow [1], [2]. Many of those attacks are now being targeted not only at computer applications and enterprise information systems, but also at industrial control systems at gas pipelines and power plants [3], [4]. Therefore, the possible consequences of cyber attacks can be devastating, leading to serious economic and social issues, or even loss of life.

To prevent, or detect and mitigate, cyber attacks, network administrators can take several actions. For instance, they can make changes to network configurations (e.g., connectivity) or deploy security solutions (e.g., intrusion detection systems (IDSs¹), firewalls [5], [6]). However, properly securing networks requires a way to quantify the amount of security provided by these actions, since "you cannot improve what you cannot measure" [7].

¹ See Appendix for the list of abbreviations used in this survey.

Given that computer networks are complex systems, modeling techniques can be used to obtain meaningful security metrics that quantify overall network security. Such techniques make it possible to describe a system in terms of an abstract model that captures only the attributes of interest, based on assumptions about attacker and system behavior.

For example, a state-based stochastic model can be used to represent a system in terms of its possible operational states. These states can indicate when the system is vulnerable, when it is under attack, etc. The transitions among these states should also be included. Then, the resulting model can be parameterized with input data (e.g., the success rate of attacks) and solved to provide the desired security metrics. One example of a security metric that can be derived from such a model is the mean time to compromise the system [8]. A larger value of this metric indicates a more secure system. One application example of this metric is to compute its value before and after a new security mechanism is deployed. This can help determine whether the overall system security has improved.

In general, the compromised states of a network correspond to violations of the underlying security policy. In turn, policy violations occur when attackers gain unauthorized access to one or more critical components (e.g., database servers). Since a policy is defined according to the security goals of each organization, model-based NSMs are used to quantify the security level in a relative context.

Another model commonly used to quantify network security is the attack graph (AG). An AG represents a system as a set of vulnerabilities and their interdependencies. This graph-based model makes it possible to visualize the ways an attacker can exploit interdependent vulnerabilities to violate a security policy. In AGs, a vulnerability exploitation usually results in privilege escalation on hosts (e.g., gaining root access).

As an example, consider the hypothetical enterprise network configuration presented in Fig. 1. It consists of two servers and two firewalls. The database server (D) is located in the internal network, while the IIS web server (W) is located in the demilitarized zone (DMZ) of the enterprise network. Firewall 1 controls external access from the Internet to the DMZ. Firewall 2 mediates access to the internal network. According to the firewall rules, external users are only allowed to access the web server through HTTP (port 80) and the database server through SSH (port 22). Only the web server is allowed to access the database server, through the protocols FTP (ports 20 and 21) and RSH (port 514). Suppose also that the security policy for this network states that external users

should not be able to gain root privilege on the database server.

[Fig. 1. Sample Enterprise Network. Labels recoverable from the figure: Attacker (A) on the Internet (External Network); Firewall 1; IIS Web Server (W) in the DMZ; Firewall 2; Database Server (D) in the Internal Network; allowed flows labelled http, ssh, ftp, and rsh.]

In Fig. 2, a possible attack graph² for the example network (and security policy) is shown. In the graph, plain-text labels refer to access rights on hosts, e.g., user(A) indicates that the attacker has user privilege on host A. Ovals represent vulnerability exploits. For instance, sshd_bof(A,D) indicates the exploitation of an SSH buffer overflow vulnerability (CVE-2002-0640³) executed from host A to host D. The edges of the graph show how the exploits can be chained together in different ways to form attack paths. Notice that attack paths take the network from an initial state to a compromised state. There are three attack paths in the example AG. The longest path starts with the exploitation of an IIS_bof (IIS buffer overflow vulnerability, CVE-2002-0364) from host A to host W. This allows the attacker to gain access to host W and exploit an ftp_rhosts vulnerability (CVE-1999-0527). In turn, this enables the attacker to anonymously upload a list of trusted hosts from host W to host D. Using this new trust relationship, the attacker executes a remote shell login (rsh) from host W to host D, without providing a password. Finally, to gain root access on host D, the attacker exploits a local_bof vulnerability (local buffer overflow, CVE-2001-0886). The other two attack paths of the AG are similar to the one just described, but shorter.

[Fig. 2. Sample Attack Graph. Nodes recoverable from the figure: user(A), IIS_bof(A,W), sshd_bof(A,D), sshd_bof(W,D), ftp_rhosts(W,D), rsh(W,D), local_bof(D,D), root(D).]

² Attack graphs can be automatically generated by tools like the Topological Vulnerability Analysis (TVA) system [9].
³ CVE – Common Vulnerabilities and Exposures; details of the vulnerability identifiers used in this paper can be found at http://cve.mitre.org/.

One attack-graph-based security metric that could be used to express the overall security of the example network is the Shortest Path (SP) metric [10]. This metric corresponds to the length (number of exploits) of the shortest attack path. SP assumes that a network is no more secure than its shortest attack path. Therefore, when comparing two network configurations, the one with the shorter SP value is regarded as less secure. Considering the attack graph in Fig. 2, the shortest path (sshd_bof(A,D) → local_bof(D,D)) has size two. Therefore, to increase the security level of the network, one approach would be to disable the SSH service of the database server. As a result, the size of the shortest path would change to four. This would supposedly increase the difficulty of attacks and, consequently, make the network more secure.

In general, model-based quantitative NSMs can support the security-related decision-making process of organizations by answering various questions, including, but not limited to:
• Which network configuration is the most secure?
• Is the network achieving its required security level?
• How should the network configuration be changed in order to improve security?
• What is the impact of ongoing attacks?

Several quantitative NSMs derived from stochastic models, attack graphs, and other models (e.g., Bayesian networks) have been proposed in the literature. This article presents a deep survey of the state of the art of these proposals.

Many other surveys on security metrics have been published. However, because the security metrics field has an extremely broad scope, most of these works focus on providing general overviews and definitions of the field [11], [12], [13]. Some other works propose taxonomies [14], [15] and classification schemes [16], [17], [18] to categorize the various types of existing security metrics. There are also many other works that focus on specific types of metrics. In [19], [20], [21], [22], the authors specify guidelines for using or creating measurement-based security metrics tailored for a particular organization. The works in [23], [24], [25] focus specifically on software security metrics, while the work in [26] focuses on economic security metrics.

In contrast to these related works, the present survey focuses specifically on model-based quantitative security metrics that aim to quantify overall network resilience against attacks. To the best of our knowledge, this is the first comprehensive survey specifically addressing this type of security metric. This more concentrated approach enables a more profound analysis and a fair comparison of the advantages and disadvantages of the reviewed proposals. In addition, this survey reviews security metrics not covered in the aforementioned papers, including more recent proposals.

The rest of the paper is organized as follows. Section II provides an introduction to security metrics in general. Section III describes the main model-based quantitative NSM proposals that are based on state-based stochastic models. The proposals based on attack graphs are reviewed in Section IV. Section V covers proposals that are based on models other than attack graphs and stochastic models. In Section VI, this paper discusses relevant features of the reviewed proposals and presents open research issues in the topic of model-based quantitative NSMs. Related work is reviewed in Section VII. Finally, Section VIII concludes this study.

II. INTRODUCTION TO SECURITY METRICS

To clarify how model-based quantitative NSMs relate to other types of security metrics, this section provides an overview of the security metrics field. Specifically, we present the desired properties and classifications of security metrics.
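The Shortest Path (SP) metric computed over the Fig. 2 attack graph from the Introduction, including the before/after comparison the text describes (disabling SSH on the database server). This is an added example, not code from the survey or from the TVA tool it cites: the adjacency list is reconstructed from the text's description of the three attack paths, node names follow the figure labels, and the function names are this example's own.

```python
"""Shortest Path (SP) attack-graph metric for the sample attack graph of Fig. 2.

Added example, not code from the survey or from the TVA tool it cites. The edge
structure below is reconstructed from the text's description of the three attack
paths; node names follow the figure labels.
"""
from collections import deque
from typing import Dict, List

AttackGraph = Dict[str, List[str]]

# Constructed adjacency list for the hypothetical network: attacker A on the
# Internet, IIS web server W in the DMZ, database server D in the internal
# network. Condition nodes (access rights) are user(A) and root(D); every other
# node is an exploit.
SAMPLE_AG: AttackGraph = {
    "user(A)": ["IIS_bof(A,W)", "sshd_bof(A,D)"],
    "IIS_bof(A,W)": ["ftp_rhosts(W,D)", "sshd_bof(W,D)"],
    "ftp_rhosts(W,D)": ["rsh(W,D)"],
    "rsh(W,D)": ["local_bof(D,D)"],
    "sshd_bof(A,D)": ["local_bof(D,D)"],
    "sshd_bof(W,D)": ["local_bof(D,D)"],
    "local_bof(D,D)": ["root(D)"],
    "root(D)": [],
}


def is_exploit(node: str) -> bool:
    """Conditions are privilege labels such as user(A) or root(D); the rest are exploits."""
    return not (node.startswith("user(") or node.startswith("root("))


def attack_paths(graph: AttackGraph, start: str = "user(A)", goal: str = "root(D)") -> List[List[str]]:
    """Enumerate every simple path from start to goal, each reported as its exploit sequence."""
    found: List[List[str]] = []

    def walk(node: str, visited: frozenset, trail: List[str]) -> None:
        if node == goal:
            found.append([n for n in trail if is_exploit(n)])
            return
        for nxt in graph.get(node, []):
            if nxt not in visited:  # no exploit is repeated on a path
                walk(nxt, visited | {nxt}, trail + [nxt])

    walk(start, frozenset([start]), [])
    return found


def shortest_path_metric(graph: AttackGraph, start: str = "user(A)", goal: str = "root(D)") -> int:
    """SP metric: number of exploits on the shortest path from start to goal.

    Exploit nodes cost 1 and condition nodes cost 0, so this is a 0-1 BFS.
    Returns -1 when goal is unreachable, i.e. no attack path violates the policy.
    """
    dist: Dict[str, int] = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            cost = 1 if is_exploit(nxt) else 0
            if dist[node] + cost < dist.get(nxt, float("inf")):
                dist[nxt] = dist[node] + cost
                (queue.appendleft if cost == 0 else queue.append)(nxt)
    return dist.get(goal, -1)


def remove_exploits(graph: AttackGraph, name_prefix: str) -> AttackGraph:
    """Copy of graph with every exploit whose name starts with name_prefix removed.

    Removing the sshd_bof exploits models the text's countermeasure of disabling
    the SSH service on the database server D.
    """
    dropped = {n for n in graph if is_exploit(n) and n.startswith(name_prefix)}
    return {n: [m for m in succ if m not in dropped]
            for n, succ in graph.items() if n not in dropped}


if __name__ == "__main__":
    for path in attack_paths(SAMPLE_AG):
        print(len(path), "exploits:", " -> ".join(path))
    print("SP before hardening:", shortest_path_metric(SAMPLE_AG))
    hardened = remove_exploits(SAMPLE_AG, "sshd_bof")
    print("SP after disabling SSH on D:", shortest_path_metric(hardened))
```

Run stand-alone, the script lists the three paths (lengths 4, 3 and 2), reports SP = 2 for the original configuration and SP = 4 once both sshd_bof exploits are removed, matching the text. The unreachable case (-1) is the defender's goal state: no chain of exploits leads to root(D).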


Then, the Common Vulnerability Scoring System (CVSS) [27], a vulnerability impact quantification framework used by several NSMs surveyed in this article, is described. In addition, a comparison between the security metrics field and other related areas is also provided.

In order to understand the meaning of security metrics, it is important to distinguish metrics from measurements. A measurement is an observable value (associated with a given property or attribute) which is collected using any appropriate method that transforms the observation into data [16], [17]. A metric is comprised of a set of measurements along with a series of predefined rules that allow the interpretation of the collected data values [22], [16], [17]. In other words, measurements are raw data, while metrics are generated from the analysis of those data. For example, the number of spam messages detected is a measurement. However, this measurement by itself is not very useful. Only when it is compared to a reference and interpreted to draw conclusions does it become a metric. For instance, the number of spam messages detected this month, when compared to the number detected last month, could indicate whether the effectiveness of content filtering software is improving [7].

In general, security metrics are used to support decision-making regarding security-related characteristics of a process, system, or organization. In particular, security metrics can be applied to compare different security mechanisms, or to indicate the degree to which the security requirements of an organization are being met. In addition, they can also be used to systematically improve the security level of a system, or to predict this security level at a future point in time [14], [15].

Technical personnel (e.g., security engineers or network administrators), management members, end users, and external authorities are the main audience of security metrics [14], [18]. Technical personnel can, for example, use security metrics to decide which configuration change is the most effective to increase network resilience. Management members can, for instance, make decisions regarding financial investment in security, resource allocation, program planning, and other strategic actions. End users, in turn, can use security metrics to decide whether they should trust a specific Web application. Finally, external authorities can use security metrics as part of the certification process of organizations [14], [18], [28].

A. Desired Properties of Security Metrics

When designing a security metric, the following properties should be satisfied [29], [17]:
• Granularity: Metrics should make it possible to distinguish all system states according to the differences among their respective attribute values. This makes metrics more accurate because it avoids systems with different security levels being regarded as having the same security level;
• Availability: It should always be possible to calculate the metric for a particular system, preferably in an easy and efficient way. If a metric is not available when needed, it will not be useful for decision makers;
• Cost effectiveness: The computation process of a metric should be cost effective. This is desirable because the benefits of applying a metric must justify its cost.
• Localization: A metric should have a clearly defined scale. This includes determining the type of scale used, the range of values of the scale, and their respective interpretation. This is necessary for the correct application of the metric.
• Validation: This property states that a metric should be based on a hypothesis that relates the measured or estimated value to the actual value of the security attribute being analyzed. Hence, it is important to validate a metric in order to check whether its calculated values accurately represent the associated security attribute of the target system. This is especially necessary for model-based security metrics, which are derived from system abstractions rather than from actual system behavior. If the validation property is not satisfied, the metric may lead to incorrect decision-making.

More details about the desired properties of security metrics can be found in [29], [17], [7].

B. Classification of Security Metrics

As can be seen in Fig. 3, it is possible to classify security metrics according to the following criteria [14], [16], [17]:

1) Target Type: Security metrics can be categorized according to the target they evaluate. The most common targets assessed (and their respective security metrics) are the following:
• Process: Refers to the process undertaken to develop a given product (e.g., software). Process security metrics quantify the security level of a product by assessing its associated development process. The idea behind this type of metric is that a more secure development process results in a more secure product. Since process security metrics measure security in an indirect manner, it is hard to define the actual impact of a process on the security of a product. One example of a process security metric is the Software Security Engineering Capability Maturity Model (SSE-CMM) ISO/IEC 21827 international standard [30].
• Software: Software security metrics evaluate software security by assessing source code defects, software (mis)configuration, or other vulnerabilities present in software components. More specifically, software security metrics evaluate the security level of individual software, instead of whole networks. However, software security metrics can be used as input to network security metrics, since network security is affected by software vulnerabilities. For example, the VEA-bility metric [31] measures network security by combining CVSS scores of software vulnerabilities present in network hosts. Other examples of software security metrics include the number of defects per line of code [14] and attack surface [32].
• Network: Unlike software security metrics, which are concerned with individual software, NSMs assess the security of entire networks or parts thereof. NSMs take into account vulnerabilities that emerge from the interaction among applications running on distinct hosts. Although this survey focuses mostly on NSMs for traditional networks, the NSMs field also includes metrics for specific


types of networks (e.g., wireless sensor networks [33], [34], [35] and cloud computing environments [36], [37]).
• Organization: This category includes metrics that evaluate physical security and personnel security. Physical security refers to the protection of organizational assets (e.g., hardware, software, information) against physical threats. Personnel security refers to the activities devoted to the training and subsequent monitoring of the organization's staff. Examples of organization security metrics might be the percentage of organizational units (e.g., departments) with contingency planning [18] and the percentage of personnel with proper security training [14].

[Fig. 3. Classification of Security Metrics. Recoverable structure: Security Metrics are classified by Target Type (Process, Software, Network, Organization); Objective Type (Compliance, Economic, Effectiveness); Construction Type (Measurement-based, Model-based); Automation Level (Manual, Automatic, Semi-automatic); Measurement Consistency (Subjective, Objective); Measurement Type (Quantitative, Qualitative); and Measurement Moment (Static, Dynamic).]

2) Objective Type: Depending on its objective type, a security metric can be categorized as [17], [38], [12]⁴:
• Compliance: Compliance metrics attempt to measure how well the security requirements of a target (e.g., process, network) are being met, in accordance with security policies, standards, and best practices. One example is the metric "number of users with passwords in accordance with the password management security policy" [14].
• Economic: Metrics related to the financial aspects of security are classified as economic. Such metrics can evaluate, for example, the expected cost required for performing successful attacks or applying security countermeasures. The financial loss that results from security incidents or the financial benefit from investing resources in security solutions can also be assessed. Examples of such metrics might be the Return on Security Investment [26] and the Annual Loss Expectancy [26].
• Effectiveness: Effectiveness security metrics measure how well the deployed countermeasures are able to protect from, detect, or respond to security violations. Examples of such metrics are the false positive and false negative rates of an intrusion detection system [39].

⁴ The categories of the objective type criteria are not mutually exclusive.

3) Construction Type: Depending on the way security metrics are derived, they can be classified as:
• Measurement-based: These metrics (also referred to as empirical metrics [29]) are generated from observation of the security property they evaluate, i.e., observation of the real behavior of the system. These metrics are only useful for quantifying properties that can be directly measured. Furthermore, unlike model-based metrics, measurement-based metrics are not useful for prediction. Simple counters such as the number of attacks detected by the IDS [7] and the number of packets blocked by a firewall [7] are classical examples of measurement-based metrics.
• Model-based: These metrics (also referred to as analytical metrics [29]) are needed when the relation between the measurements and the security property being measured is not trivial. In this case, the target being evaluated is represented by a formal mathematical model and the metric values result from complex mathematical equations. In other words, this type of metric is generated from the observation of models of the system. As depicted in Fig. 4, once a model of the system is created, it takes several input parameters (including measurement-based security metrics) and produces as output the desired model-based security metrics [40]. Examples of models used to evaluate security metrics are attack graphs, Markov models, attack trees, Bayesian networks, etc. The required input parameters vary, depending on the specification of the model. Examples of such inputs include information about attackers' attributes, network vulnerabilities, attack data collected by monitoring mechanisms, network topology, among others.
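A worked instance of the model-based construction type just described, and of the mean-time-to-compromise metric mentioned in the Introduction: measured rates (the kind of measurement-based input Fig. 4 feeds into the model) go into a small state-based stochastic model, and the metric comes out by solving it. This is an added example, not code from the survey or from [8]; the four-state Markov chain, its transition rates (events per day) and all function names are constructed for illustration and do not describe any real system.

```python
"""Mean time to compromise (MTTC) from a state-based stochastic model.

Added example, not code from the survey or from [8]. A small continuous-time
Markov chain with an absorbing 'compromised' state; the transition rates are
constructed (events per day), not measured on any real system.
"""
from fractions import Fraction
from typing import Dict, List, Set

Rates = Dict[str, Dict[str, Fraction]]  # state -> {successor state: transition rate}


def solve_linear(a: List[List[Fraction]], b: List[Fraction]) -> List[Fraction]:
    """Gauss-Jordan elimination in exact rational arithmetic; ValueError if singular."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: absorption is not reachable from every state")
        m[col], m[pivot] = m[pivot], m[col]
        pv = m[col][col]
        m[col] = [x / pv for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def mean_time_to_absorption(rates: Rates, absorbing: Set[str]) -> Dict[str, Fraction]:
    """Expected time until an absorbing state is entered, from each transient state.

    First-step analysis: for transient state i with total outgoing rate q_i and
    rate q_ij towards state j,  q_i * t_i - sum_j q_ij * t_j = 1, with t_j = 0
    for absorbing j. Solving the linear system gives every t_i at once.
    """
    transient = [s for s in rates if s not in absorbing]
    idx = {s: i for i, s in enumerate(transient)}
    n = len(transient)
    a = [[Fraction(0)] * n for _ in range(n)]
    for s in transient:
        i = idx[s]
        a[i][i] = sum(rates[s].values(), Fraction(0))
        for target, rate in rates[s].items():
            if target in idx:
                a[i][idx[target]] -= rate
    t = solve_linear(a, [Fraction(1)] * n)
    return dict(zip(transient, t))


def sample_model(detection_rate: Fraction) -> Rates:
    """Constructed four-state model: good -> vulnerable -> attacked -> compromised.

    Rates are per day. detection_rate is how fast an ongoing attack is detected
    and blocked (attacked -> vulnerable); raising it models deploying a better
    IDS, the before/after comparison the Introduction describes.
    """
    return {
        "good": {"vulnerable": Fraction(1)},                                  # a vulnerability appears
        "vulnerable": {"good": Fraction(1), "attacked": Fraction(1)},         # patched / attack begins
        "attacked": {"vulnerable": detection_rate, "compromised": Fraction(1)},  # blocked / exploit succeeds
        "compromised": {},                                                    # absorbing state
    }


def mttc(detection_rate: Fraction) -> Fraction:
    """MTTC metric: mean time from the 'good' state until 'compromised' is entered."""
    return mean_time_to_absorption(sample_model(detection_rate), {"compromised"})["good"]


if __name__ == "__main__":
    before, after = mttc(Fraction(1)), mttc(Fraction(3))
    print(f"MTTC before deploying the IDS: {before} days")
    print(f"MTTC after  deploying the IDS: {after} days")
    print("security improved" if after > before else "security not improved")
```

With the constructed rates the metric rises from 6 days to 10 days when the detection rate is tripled, which is exactly the kind of relative, policy-dependent comparison the text says model-based NSMs support; the solver refuses a model in which the compromised state cannot be reached, since the mean time is then infinite rather than a number.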


[Fig. 4. Evaluation Process of Model-Based Security Metrics.]

4) Automation Level: Depending on the level of automation employed to perform the measurements, a security metric can be classified as manual, automatic, or semi-automatic:
• Manual: This type of metric requires total human involvement, i.e., the collection of the metric values is entirely executed in a manual fashion. Manual collection of security measurements may be very time-consuming, especially if the target being evaluated is very large. One example of a manual security metric is the number of employees who have received security training [18].
• Automatic: In automatic security metrics, the measurement process requires (almost) no human intervention, since it can be thoroughly performed by a computerized system. For that reason, automatic security metrics are preferable. One example of an automatic metric might be the number of spam messages detected in e-mail accounts [7].
• Semi-automatic: In this type of metric, some parts of the measurement process are executed in an automatic manner while other parts still require manual intervention. Since it may be hard to develop automatic security metrics, many metrics tend to be semi-automatic. The attack surface metric is one example of a semi-automatic metric [32].

5) Measurement Consistency: According to the consistency of the metric values, security metrics can be classified as:
• Subjective: In subjective metrics, different people applying the same method to evaluate the same property may produce different results, i.e., determining the metric values depends on human judgment. An example of a subjective metric is the number of training hours necessary for an employee to securely operate the system [14].
• Objective: Objective metrics do not depend on human judgment. In this case, different people performing the same measurement will get the same results. One example of an objective metric is the number of hours a system takes to recover from a security failure [41]. Although objective security metrics are preferable, various security metrics tend to be quite subjective, since several human behavioral characteristics are inherent to the security field.

6) Measurement Type: According to the type of measurement, security metrics can be classified as:
• Quantitative: Quantitative security metrics are expressed as percentages or cardinal numbers (i.e., numbers that count something, instead of ordinal numbers, which only denote the position occupied by a given object). For example, the number of application security vulnerabilities [7] is expressed as a cardinal number that counts something. The advantage of quantitative values is that they can be used in algebraic or arithmetic operations in order to derive more insightful and robust metrics.
• Qualitative: Qualitative security metrics are expressed by labels such as high-medium-low values. Ordinal numbers can also be regarded as qualitative values. For instance, the high-medium-low values could be converted into the numbers 1, 2, and 3, respectively. In this case, as opposed to cardinal (quantitative) numbers, the ordinal (qualitative) numbers 1-2-3 do not count anything. Hence, using qualitative values (i.e., labels or ordinal numbers) in algebraic or arithmetic operations would be mathematically incorrect. One example of a qualitative security metric is the Common Criteria ISO/IEC 15408 international standard [42]. This metric provides seven evaluation assurance levels that vary from EAL1 to EAL7. Another example is the password quality metric [43], whose values can be poor, average, good, or excellent.

7) Measurement Moment: Depending on the moment at which security metrics are applied to assess a given target, they can be classified as either static or dynamic:
• Static: Static, or pre-deployment, security metrics are developed to be measured before the assessed target enters operation. Such metrics are usually based on static or architectural security properties that hardly change over time. This type of metric enables security practitioners to perform what-if analysis with the aim of determining which configuration or version of the target should be deployed. One example of a static security metric might be the size of the cryptographic keys of hosts [44].
• Dynamic: Dynamic, or run-time, security metrics are those developed to be constantly measured during the operation of the target being evaluated. This type of metric allows the security of the target to be monitored and improved in real time. One example of a dynamic security metric is the number of reported attack attempts [14]. Since security is an attribute that changes dynamically according to the behavior of the target, dynamic security metrics are desirable.

C. Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) is a public framework that provides a standardized method for assigning quantitative values (scores) to security vulnerabilities according to their severity [27]. A CVSS score is a decimal number in the range [0.0, 10.0]. This score is derived from a set of qualitative values assigned by security experts to predefined attributes (sub-metrics) of a given vulnerability. The qualitative values assigned are then converted into quantitative values and combined using a set of special formulas in order to provide the final score. Each qualitative value of a given attribute has a predefined corresponding quantitative value. The sub-metrics defined by the CVSS are divided into three groups: base, temporal, and environmental. Those groups and their respective sub-metrics are briefly described as follows:
• Base group: Represents the fundamental and intrinsic characteristics of the vulnerability that do not change over time and do not depend on the system environment. This group is comprised of six sub-metrics:


– Access Vector: Describes the means by which the vulnerability can be exploited. Accepted values are Local, Adjacent Network, and Network.
– Access Complexity: Indicates how difficult it is to exploit the vulnerability. The defined values are High, Medium, and Low.
– Authentication: Measures the number of times an attacker needs to authenticate to the system in order to misuse the vulnerability. Options are Multiple, Single, and None.
– Impact sub-metrics: Three sub-metrics that measure the impact on confidentiality, integrity, and availability (respectively) caused by the exploitation of the vulnerability. Options are None, Partial, and Complete.
• Temporal group: Represents the characteristics of the vulnerability that may evolve over time. This group contains the following sub-metrics:
– Exploitability: Indicates the availability of exploitation techniques or code. Score options are Proof-of-concept, Functional, High, and Not Defined.
– Remediation Level: Specifies the availability of fixes or patches for the vulnerability. Available options are Official Fix, Temporary Fix, Workaround, Unavailable, and Not Defined.
– Report Confidence: Measures the level of credibility regarding the existence of the vulnerability and its technical details. Options are Unconfirmed, Uncorroborated, Confirmed, and Not Defined.
• Environmental group: Represents the characteristics of the vulnerability that are specific to the system environment. The five sub-metrics comprising this group are:
– Collateral Damage Potential: Indicates the financial impact on physical assets caused by the exploitation of the vulnerability. Options are None, Low, Low-medium, Medium-high, High, and Not Defined.
– Target Distribution: Measures the fraction of system components affected by the vulnerability. Options are None, Low, Medium, High, and Not Defined.
– Security Requirements: Three sub-metrics that assess the damage that results from the loss of confidentiality, integrity, and availability (respectively) caused by the exploitation of the vulnerability. Possible values are Low, Medium, High, and Not Defined.

Several vulnerability databases, including the US National Vulnerability Database (NVD) [45], use CVSS to quantify the severity of reported vulnerabilities. Currently, CVSS is in its third version [46], launched in 2015. However, the sub-metrics described above belong to the second version of CVSS [47], which is used by most of the existing CVSS-based NSMs. Despite the use of qualitative values for the sub-metrics, CVSS is regarded as a quantitative framework. It is argued that these qualitative values are only used to facilitate the assignment of the actual quantitative values (probabilities) related to each sub-metric. Furthermore, given that CVSS is a well-established and widely adopted framework, it can provide consistent results when used to compare the security of different systems. Readers interested in the quantitative values associated with the qualitative ratings of sub-metrics, the aggregation formulas, or other details about CVSS version 2.0 may refer to [47], [48].

D. Security Metrics and Other Related Areas

The terms dependability metric [49], quality of protection [50], and network security situational awareness [51] are often used interchangeably with the term security metric. Although closely related, these terms differ from security metrics in several ways. Hence, to distinguish these terms, this section provides their definitions, as well as their different, overlapping, and complementary characteristics with respect to security metrics.

Computer system dependability is a well-investigated area in which several model-based approaches have been developed to quantify the effect of failures in computer systems. Unlike security metrics, which are designed to measure the impact of intentional failures caused by attacks, dependability metrics measure the effect of natural or accidental failures [52]. Since those two areas share common attributes (e.g., availability, integrity), some works in the literature have proposed single frameworks to integrate security and dependability measures, e.g., [53], [54]. Such approaches allow measuring the trustworthiness of a system regardless of how failures occur (i.e., intentionally or accidentally). The similarities between those two areas are even more evident with regard to model-based metrics. This is due to the fact that the techniques for model-based evaluation of security have been derived from the techniques applied to the dependability domain. A detailed discussion on the adaptation of model-based metrics from dependability to security is provided in [52]. Details about the differences and similarities between security and dependability are provided in [55].

The term Quality of Protection (QoP) has emerged in the literature, but has not yet been clearly defined. In general, QoP is used as a synonym for security level [56]. From this point of view, it can be said that security metrics are a measure of the quality of protection of systems. The term QoP has also been used in the domain of mobile networks, with regard to frameworks that provide a trade-off between security and performance, according to different user preferences. In such frameworks, QoP refers to the security levels provided by different cryptographic algorithms and key sizes [57], [58], [59]. A similar approach is used in both the Digest Access Authentication protocol (RFC 2617 [60]) and WS-Security [61]. In particular, these protocols provide a QoP field to specify authentication and integrity options. Hence, QoP can be viewed as the level of protection a service provides for transmitted messages. In this context of web services, QoP has also been defined as a set of security guarantees offered by service providers with respect to the services they provide. This allows clients to discover services with the required level of security [50], [62]. In general, the notion of quality of protection in security is comparable to the notion of quality of service (QoS) in networking [63], [64].

Network security situational awareness (NSSA) is a more general term related to everything that can provide any kind


of perception of the security state of a network. NSSA tries to provide answers to questions like: What is going on in the network at this moment? What types of traffic are appearing on the network? NSSA approaches cover mechanisms such as network traffic monitoring, intrusion detection, data fusion, and network security visualization [65], [51], [66]. NSSA tools deal with a large amount of network audit trace data collected from different sources. As the amount of data produced grows exponentially, data fusion and correlation techniques are employed to summarize the data. Visualization tools are used to present the summarized data (e.g., network topology, port activity, routing behavior) in a friendly and interactive manner. All those techniques combined allow analysts to identify relationships, patterns, and anomalies that are implicit in the underlying data [65]. Recent research in NSSA points to the development of algorithms that prioritize situations, and to an integration of NSSA and security metrics [65], [67]. This results in tools that can automatically identify and assess the impact of critical events on network assets.

III. MODEL-BASED QUANTITATIVE NETWORK SECURITY METRICS BASED ON STOCHASTIC MODELS

In the model-based quantitative NSMs domain, state-based stochastic models are used to represent the evolution of systems and attack processes over time [40]. In such models, the system is expressed as a finite state machine. Each state represents a security operational mode of the system, indicating whether it is under attack, whether countermeasures are being executed, whether components of the system are compromised, etc. Depending on the level of abstraction, the system's states are modeled as one or more good states and one or more security failure states. Good states are those in which the system is able to deliver the required services, even in the presence of attacks. On the other hand, in security failure states, the system has been compromised by attacks in a way that its intended services can no longer be delivered.

During its lifetime, a system will continuously alternate between its several possible states. A state transition is triggered by a given event such as the appearance or remediation of a vulnerability, the successful execution of an attack step (elementary attack), the responsive actions performed by security mechanisms, etc. To model the dynamic behavior of the system, each transition is labeled with a random variable. Such a variable can indicate, for example, the probability or the time to complete the event that triggered the associated transition. The uncertainty in the occurrence of events is represented by the distribution functions describing the random variables.

Most state-based security metric proposals model the system as a Continuous-Time Markov Chain (CTMC) with discrete state space. A CTMC is a special type of state-based stochastic process that possesses the Markov property. According to this property, the probability distribution of the next state depends only on the current state and not on the previous states. Moreover, the time spent in each state takes a continuous set of values (i.e., non-negative real values), and follows an exponential distribution. A CTMC can be viewed as a continuous-time version of the Discrete-Time Markov Chain (DTMC).

Modeling a system as a stochastic process allows one to estimate valuable information about its resilience to attacks. The work presented by Littlewood et al. [68] was one of the first attempts in the direction of operational security quantification. In particular, the authors have raised several questions that should be answered to allow the development of security metrics based on stochastic models. They have also concluded that an empirical investigation (e.g., collecting data from real systems in operation) would be required to answer many of these open questions.

Following the suggestion made by Littlewood et al. [68], Jonsson and Olovsson [69] have performed various experiments in a real system to better understand the intrusion process in networks. The results collected during the experiments have indicated that the times between security breaches are exponentially distributed. This implies that stochastic models used in reliability could be applied to quantify system security, as initially suggested in [68].

In the following, the main quantitative NSMs based on stochastic models are reviewed.

A. Time-Based Security Metrics

Time-based security metrics express the amount of time a system takes to be compromised by a successful attack. A larger time value implies more security.

1) Privilege Graph-Based Metrics: In [70], [71], Dacier et al. propose a state-based Markov model to evaluate system security based on the Mean Time to Failure (MTTF) metric. Initially, their model highlights the vulnerabilities of a system by means of a privilege graph. In this type of graph, nodes represent access rights (privileges) at hosts, and arcs represent the execution of actions that enable the transition from one privilege to another. Each arc is labeled with a value ($\lambda$) that represents the success rate of an elementary attack (privilege escalation). Target nodes (e.g., super user privileges) are marked in black. Once the privilege graph is constructed, it is turned into a CTMC containing all possible attack paths to target nodes. The Markov model is based on the assumption that the success probability of an elementary attack before time $t$ is represented by an exponential distribution given by $P(t) = 1 - e^{-\lambda t}$. The mean time of succeeding in an elementary attack is given by $1/\lambda$. The MTTF of the system is computed by aggregating all the mean times necessary for succeeding in elementary attacks that lead to the targets.

In [72], Ortalo et al. extend the model proposed by Dacier et al. [70], [71] to compute the Mean Effort to Failure (METF) metric. The notion of effort in METF is analogous to the notion of time in MTTF. The authors compute METF in three distinct ways, each one based on a different assumption. In the first assumption, regarded as total memory (TM), at each elementary attack, the attacker is able to obtain one out of all privileges reachable from the already visited nodes. This is the same case considered by Dacier et al. In the second assumption, referred to as memoryless (ML), at each stage of the attack process, the adversary can only obtain privileges reachable from the current node. Finally, in the third assumption, named shortest path (SP), the adversary selects


the path that requires the lowest cumulative effort to reach the target. To validate the proposed METF metrics, the authors conduct experiments on a large real system for almost two years. Their results show that METF_TM is more accurate than METF_ML, which, in turn, is more accurate than METF_SP. However, in some cases, it might be impossible to compute METF_TM, due to the huge number of possible attack paths it generates from the privilege graph. This is known as the exponential state explosion problem.

Although MTTF and METF provide useful security level information, they do not take into account partial or interrupted attacks (which may also cause damage to the system).

2) Metrics Based on a Manually Defined State Space: In the model proposed by Almasizadeh and Azgomi [40], [73], [74], countermeasures performed by security mechanisms are also considered. Such countermeasures take the system from partially compromised states back to the secure state. In this model, the network's resilience to attacks is represented by the Mean Time to Security Failure (MTSF) metric. MTSF estimates the amount of time the first attack takes to be successfully performed. To compute MTSF, the security failure state is modeled as an absorbing state. In addition, the state space is derived from manually defined attack types and attack steps. The model needs to take as input probability distributions for the attack steps. The time interval over which these distributions are defined also needs to be provided. After the inputs are provided, the model results in a Semi-Markov Chain (SMC). Then, this SMC is transformed into its corresponding DTMC and the metric is computed. With SMCs, any type of distribution can be used in state transitions, unlike CTMCs, which require probabilities to be exponentially distributed.

In [53], [54], Sallhammar et al. propose a model to estimate the Mean Time to First Failure (MTFF) metric. Their model takes into account both security and dependability in a single framework, instead of treating these two aspects separately. This allows measuring the trustworthiness of a system regardless of how failures occur (i.e., intentionally or accidentally). In this proposal, the system is modeled as a CTMC. The state transition rates can be of three types: accidental failure rates, repair rates, and intentional failure rates. The first two types of rate are dependability-related measures and can be directly gathered from systems in operation and given as input to the model. In contrast, the intentional failure rates are given by multiplying the accumulated intensity of a given attack step by the probability that this attack step is executed. In turn, the accumulated attack intensities can be directly measured from multiple sources (e.g., historical data). Finally, to compute the probabilities of attack step execution, the authors apply game theory techniques based on reward and cost (negative reward) values assigned to the actions of attacker and defender.

One advantage of this proposal is its focus on the impact of intrusions, rather than on specific attacks. This enables the modeling of zero-day attacks in terms of generic state transitions, i.e., any actions that take the system from a good state to a failure state.

3) Metrics Based on the Time to Compromise of System Components: McQueen et al. [8], [75] propose a model to estimate the Mean Time to Compromise (MTTC) metric based on a compromise graph (CG). A CG can be regarded as an extended version of a privilege graph. According to the CG, each component (e.g., host) of the modeled system possesses an associated time to compromise ($T$). The system MTTC is given by the sum of the $T$ values of the components in the shortest attack path of the CG.

In turn, $T$ is modeled as a random process comprised of the following three subprocesses. Process 1 represents the situation in which the component has at least one known vulnerability and the attacker has at least one exploit on hand. Process 2 occurs when there is at least one known vulnerability on the component, but the attacker has no exploits available. Finally, Process 3 corresponds to the discovery phase of zero-day vulnerabilities and exploits.

Each of these three processes is comprised of two parts. The first part corresponds to the probability that the attacker is in the respective process. This probability is computed from information such as total number of existing vulnerabilities, number of vulnerabilities present in the system component, and number of available exploits per attacker skill level (novice, beginner, intermediate, or expert). The second part refers to the estimated amount of time expended in the respective process. The time for Process 1 is defined by the authors as 8 hours. The time for Process 2 depends on the mean time to create an exploit (given below) and the mean number of attempts necessary for successfully completing an attack. This last value is computed based on attacker skill level, number of exploitable vulnerabilities, and number of vulnerabilities on the system component. The time for Process 3 is a function of the fraction of exploitable vulnerabilities for a given attacker skill level, and two constant values derived from applying an exponential distribution to historical data. These constant values are 30.42 (mean time between vulnerabilities) and 5.8 (mean time to create an exploit).

Finally, when the probability values ($w_1$, $w_2$, and $w_3$) and the time values ($t_1$, $t_2$, and $t_3$) respective to the three processes are obtained, the time to compromise a component is given by $T = t_1 \cdot w_1 + t_2 \cdot w_2 + t_3 \cdot w_3$.

An extended version of the model proposed by McQueen et al. [8] is provided by Leversage et al. [76]. The authors use a variable length Markov chain (VLMC) to compute MTTC, instead of using a CG. The VLMC is modeled as an attack path model — a state-space model containing high level attack paths. In this model, MTTC is given by the sum of the mean times spent in each attack path. In addition, the authors introduce a visibility variable ($\alpha$) to account for the influence exerted by firewalls on the value of $T$. The possible values for $\alpha$ are defined by security experts according to the frequency of reviews of firewall rules. The authors also introduce a rating variable ($s$) to represent attacker skill level. With this variable, the authors show how to compute the MTTC for three attacker profiles, namely, beginner (for $s = 0.5$), intermediate (for $s = 0.9$), and expert (for $s = 1.0$). As an extension to this idea, Paulauskas and Garsva [77] propose to use range values to represent $s$, instead of using single values. This results in higher MTTC values for all skill level profiles. The author in [78] improves upon this approach, by estimating $\alpha$ based on 15 years of vulnerability data (CVSS exploitability scores) from


the National Vulnerability Database (NVD).

Despite the modifications introduced by Leversage et al. [76] and the authors in [77], [78], the MTTC model is still based on strong assumptions that have not been validated.

B. Probability-Based Security Metrics

Probability-based security metrics usually express the likelihood of an adversary compromising the system or the probability that the system is secure.

In [40], [73], [74], Almasizadeh and Azgomi propose the steady-state security metric. This metric is derived from the same model used to calculate MTSF (see Sec. III-A). The only difference is that this metric is represented as a transient state rather than an absorbing state. This means that the system can recover from a security failure state. Considering a sufficiently long execution time, the steady-state security will express the probability that the system stays in the security failure state. A larger value for this metric implies less security.

In [79], Jha et al. propose the reliability metric, which represents the probability of an adversary not succeeding in an attack. This metric is obtained from a CTMC generated by assigning transition probabilities to the edges of an attack graph (for a detailed description of attack graphs, refer to Sec. IV). Formally, the reliability of the network is the probability that, in a sufficiently long execution time, the Markov chain will not be in a security failure state. In case not all transition probabilities are available, due to, for example, lack of data about attacks, the authors propose a Decision Markov Process approach to compute the reliability metric.

A CTMC based on attack graphs is also used by Kanoun et al. [80] to estimate a metric called Success Likelihood (SLH) of an attacker. Considering that several security failure states may exist, the attack graph is first decomposed into several subgraphs, one for each failure state. Then, each subgraph is turned into a Markov chain. Considering a failure state as an absorbing state, for each CTMC, SLH is calculated as a logarithmic function of the mean time necessary for an attacker to reach the failure state. The key feature of the proposed model is that it takes into account both observed and unobserved states. This means that the Markov chain is updated whenever an elementary attack is detected by monitoring mechanisms (e.g., IDSs). Another peculiarity of this model is that transition probabilities are derived from the (attacker) skill level required for executing an attack step. Despite the interesting features of this model, the generation of subgraphs may result in exponential state explosion.

In [81], Xiaohu et al. use a renewal stochastic process to estimate the likelihood that an adversary exploits a randomly selected system vulnerability. This likelihood is given by the $q$ metric, which is calculated when the system is in its steady state. A lower $q$ value indicates more security. To compute $q$, the network is modeled as a vulnerability graph, in which a vertex represents a vulnerability, and an edge indicates that the exploitation of a vulnerability may result in the exploitation of the other. At any given moment, each node can either be in a secure state or a compromised state. The behavior of the nodes is described by a series of random variables that represent compromise rates and fix rates. After discussing the practical applications of $q$, the authors perform several simulations to validate the analytical results of their model.

Xu et al. [82] further extend this model by weakening the strong assumptions made in [81] with respect to the independence and exponential distribution of the random variables.

IV. MODEL-BASED QUANTITATIVE NETWORK SECURITY METRICS BASED ON ATTACK GRAPHS

The concept of attack graph (AG) was originally proposed by Phillips and Swiler [83]. An attack graph is a model used to represent all possible ways an attacker may violate a security policy through the exploitation of interdependent vulnerabilities. Besides the security policy, the minimum information necessary to build an attack graph includes host connectivity and vulnerabilities on hosts. There are many tools to automatically build attack graphs for a given network (e.g., the Topological Vulnerability Analysis (TVA) tool [9] and the MulVAL Logic-Based Network Security Analyzer [84]). These tools may take as input vulnerabilities discovered by vulnerability scanners (e.g., Nessus [85]) and host connectivity information provided by tools like NetSTAT [86].

In general, AGs are represented by security-related conditions and exploits. An exploit is a misused vulnerability, i.e., it includes the vulnerability and the hosts involved in the realization of the vulnerability. Conditions are the network attributes necessary for the execution of an exploit (preconditions) or the network attributes that result from the realization of an exploit (postconditions). Network attributes include information such as trust relationships between hosts and access rights (privilege levels) at hosts. Given the interdependence among vulnerabilities, postconditions that result from the execution of an exploit may act as preconditions for subsequent exploits. Generally, multiple preconditions for an exploit have a conjunctive relation (AND-decomposition), while multiple postconditions for an exploit present a disjunctive relation (OR-decomposition).

In general, an AG can be viewed as a directed graph presenting all attack paths that take the network from an initial (secure) state to one or more goal (compromised) states. Depending on how nodes and edges are represented, attack graphs can be classified as condition-oriented, exploit-oriented, or condition-exploit-oriented [87]. Condition-oriented AGs represent nodes as conditions, and edges as exploits. An exploit-oriented AG is the opposite of a condition-oriented AG, i.e., nodes are represented as exploits, and edges as conditions. This type of graph is sometimes referred to as an exploit dependency graph. Some representations of exploit-oriented AGs choose to omit the conditions, i.e., these representations connect nodes (exploits) using unlabeled edges. Finally, the condition-exploit-oriented AG represents both conditions and exploits as nodes. In this case, an edge may connect a condition to an exploit, or an exploit to a condition.

Fig. 5 shows a simplified example of a condition-exploit-oriented AG from [88]. There are two hosts in the network represented by the graph. The security policy of this network states that a user on host 0 should not be able to gain root privileges on host 1, otherwise the network will be in a


user(0) by: SP = min(l(p1 ), l(p2 ), ..., l(pk )), where each pi represents
an attack path and the function l provides the length of an
attack path. The authors defined that l(pi ) is given by the
ftp_rhosts(0,1) sum of the weights of the arcs along attack path pi . They
also defined that the weight of an arc of the graph could
trust(0,1) correspond to input parameters such as success probability of
sshd_bof(0,1)
an exploit, time to succeed on an exploit, or effort required for
rsh(0,1)
executing an exploit. Given that it may be difficult to obtain
user(1) these parameters, Idika and Bhargava [10] later suggested that
the length of an attack path should be given by the number of
exploits found on the attack path. In addition, they have also
local_bof(1,1) proposed to use a condition-exploit-oriented attack graph.
The major advantage of the SP metric is its simplicity,
root(1) which allows it to be computed in a fast and fully automatic
manner. On the other hand, as first pointed out by Ortalo
Fig. 5. Attack Graph Illustration. et al. [72] and further detailed by Idika and Bhargava [10],
this metric has several drawbacks. Among them, the most
notorious shortcoming is that this metric does not account for
compromised state. In this figure, there are two kinds of nodes, the number of different shortest paths that a network may have.
namely, ovals and plaintexts. Ovals contain predicates repre- As a result, a network with a unique shortest path of size 1 will
senting exploits. Plaintexts refer to predicates that represent be regarded as having the same level of security as another
conditions. For instance, user(0) indicates that the attacker network with ten different shortest paths of size 1. However,
has user privilege on host 0 and sshd bo f (0, 1) corresponds the second network is clearly less secure than the first since
to an ssh buffer overflow exploit executed from host 0 to an adversary will have several distinct ways of compromising
host 1. Note that there are two attack paths from the initial the network with a single step.
state user(0) to the goal state root(1). In [72], Ortalo et al. also proposed the Number of Paths
Because AGs enumerate all possible attack paths, they metric (NP), which has been adapted to attack graphs by
may suffer from exponential state explosion. Indeed, the first Idika and Bhargava [10]. This metric represents the number of
techniques proposed to construct AGs (e.g., model checking distinct ways an adversary can compromise a given network
[89], [90]) produced prohibitively large state spaces, even for relatively small networks. To avoid this issue, Ammann et al. [91] proposed a more compact version of attack graphs, based on the monotonicity assumption. This assumption states that there is no need for the adversary to backtrack: a capability gained by the attacker is never lost. With the monotonicity assumption, it is possible to generate manageable AGs for large networks and to compute useful security metrics in a timely manner. Readers interested in detailed information about the various types of AG and their applications may refer to [92], [87], [93]. In addition, a survey of attack graph generation and analysis techniques is provided in [94].

In the following, the main quantitative NSMs based on attack graphs are described.

A. Path Metrics

Security metrics based on the characteristics of attack paths are regarded as path metrics [10]. This type of metric is focused on information such as the number or size of attack paths.

Phillips and Swiler [83], besides proposing attack graphs, also proposed the first security metric based on them, i.e., the shortest path metric (SP), also mentioned in [72]. According to this metric, the network is modeled as a condition-oriented attack graph and its security level corresponds to the length of the shortest attack path that an adversary can take to reach a desired goal state (which represents a critical network asset). The intuition behind this metric is that the whole network is no more secure than its shortest attack path. Therefore, the longer the shortest path is, the more secure the network is. Formally, this metric is given

asset. More specifically, this metric counts the total number of attack paths that exist in the attack graph of a given network [10]. A larger count implies less security, i.e., an attacker has more chances of compromising a network if there are more different ways to do so. In contrast to the SP metric, the NP metric provides more thorough information about the overall security of a network. However, it does not take attack effort into account. This means that two networks with the same number of attack paths will be regarded as having the same level of security, even if one network has attack paths that require considerably more effort than the attack paths of the other network. This drawback has been confirmed in the experiments conducted in [72].

In [10], Idika and Bhargava detail the Mean of Path Lengths metric (MPL), which was first introduced by Li and Vaughn in [95] as the Average Path Length metric. The MPL metric corresponds to the arithmetic average of the lengths of all attack paths that exist within a given attack graph. This metric gives useful information about attacks in general, since not all adversaries are able to find the shortest path (or they may avoid it in order to escape detection). However, given that this metric is based on the arithmetic mean, it may not capture certain changes in the security level of the network. In other words, two networks with different security levels may still be assigned the same Mean of Path Lengths value.

Idika and Bhargava [10] observe that SP, NP, and MPL can be combined to overcome their individual shortcomings. Hence, the authors describe an algorithm to aggregate these metrics along with a complementary suite of metrics they propose.
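As an added illustration of the metrics just described (not code from the survey or from [10]), the following Python enumerates the attack paths of two constructed condition-oriented attack graphs and computes SP, NP and MPL together with the NMPL, SDPL, MoPL and MePL statistics of the suite that Idika and Bhargava add, which the next paragraphs describe. The host names, states and the `more_secure` rule are assumptions of the example; in particular, `more_secure` is a simplified stand-in for the authors' aggregation algorithm, not a reproduction of it.

```python
"""Path metrics on a condition-oriented attack graph.

Added illustration for the path-metric section; not code from the survey or
from Idika and Bhargava.  The two networks below are constructed examples.
"""
from collections import Counter
from statistics import mean, median, pstdev
from typing import Dict, List, Optional

# Condition-oriented attack graph: a node is an attacker state ("privilege@host"),
# an arc is one exploit that moves the attacker to a new state.
Graph = Dict[str, List[str]]
START, GOAL = "attacker@internet", "root@db"

# Network A (constructed): two symmetric four-exploit routes to the database.
NET_A: Graph = {
    "attacker@internet": ["user@web", "user@mail"],
    "user@web": ["root@web"],
    "user@mail": ["root@mail"],
    "root@web": ["user@db"],
    "root@mail": ["user@db"],
    "user@db": ["root@db"],
    "root@db": [],
}

# Network B (constructed): the database is reachable in two exploits through an
# exposed service, plus one long six-exploit route.  Same NP and MPL as A.
NET_B: Graph = {
    "attacker@internet": ["user@db", "user@web"],
    "user@db": ["root@db"],
    "user@web": ["root@web"],
    "root@web": ["user@mail"],
    "user@mail": ["root@mail"],
    "root@mail": ["user@app"],
    "user@app": ["root@db"],
    "root@db": [],
}


def enumerate_attack_paths(graph: Graph, start: str, goal: str) -> List[List[str]]:
    """All simple paths from start to goal.  Skipping states already on the
    path encodes the monotonicity assumption (the attacker never backtracks),
    so the enumeration also terminates on graphs that contain cycles."""
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node == goal:
            paths.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return paths


def path_metrics(graph: Graph, start: str, goal: str) -> Dict[str, float]:
    """SP, NP, MPL and the Idika-Bhargava suite (NMPL, SDPL, MoPL, MePL).
    A path's length is its number of exploits (arcs), not of nodes."""
    lengths = [len(p) - 1 for p in enumerate_attack_paths(graph, start, goal)]
    if not lengths:
        raise ValueError("goal state is unreachable: no attack path")
    count = len(lengths)
    mpl = mean(lengths)
    return {
        "SP": min(lengths),                              # shortest path
        "NP": count,                                     # number of paths
        "MPL": mpl,                                      # mean of path lengths
        "NMPL": mpl / count,                             # normalized MPL
        "SDPL": pstdev(lengths),                         # std. dev. of path lengths
        "MoPL": Counter(lengths).most_common(1)[0][0],   # mode of path lengths
        "MePL": median(lengths),                         # median of path lengths
    }


# Decision metrics and the direction that means "more secure" (+1: larger).
DECISION_METRICS = (("SP", +1), ("NP", -1), ("NMPL", +1))


def more_secure(a: Dict[str, float], b: Dict[str, float]) -> Optional[str]:
    """Simplified stand-in for the aggregation step (an assumption of this
    example, not the authors' algorithm): return "A" or "B" when every
    decision metric that differs points the same way, else None, meaning the
    assistive metrics or the administrator must decide."""
    verdicts = set()
    for name, sign in DECISION_METRICS:
        if a[name] != b[name]:
            verdicts.add("A" if sign * (a[name] - b[name]) > 0 else "B")
    return verdicts.pop() if len(verdicts) == 1 else None


if __name__ == "__main__":
    ma, mb = path_metrics(NET_A, START, GOAL), path_metrics(NET_B, START, GOAL)
    for label, m in (("A", ma), ("B", mb)):
        print(label, {k: round(v, 2) for k, v in m.items()})
    # MPL is 4 for both networks, yet B has a two-exploit route: SP decides.
    print("more secure:", more_secure(ma, mb))
```

The two networks share NP = 2 and MPL = 4, so MPL alone cannot separate them, which is the blind spot noted above; SP (4 versus 2) does, and the larger SDPL of network B is the assistive signal that its path lengths are spread out. Like every metric in this subsection, the script counts exploits without weighing their difficulty.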


The first metric proposed by them, the Normalized Mean of Path Lengths (NMPL), is given by the ratio between MPL and NP. This solves the issue that MPL has of not taking into account the number of paths in a network. The authors also propose the following three metrics: Standard Deviation of Path Lengths (SDPL), Mode of Path Lengths (MoPL), and Median of Path Lengths (MePL). They then divide all these metrics into two groups, namely, decision metrics (SP, NP, and NMPL) and assistive metrics (MPL, SDPL, MoPL, and MePL). The decision metrics make it possible to determine which of two networks is the more secure. The assistive metrics, which should only be used in conjunction with decision metrics, help determine the more secure network when no conclusion can be drawn from the application of decision metrics alone. If this is still not enough to produce a final result, then the decision should be delegated to the network administrator.

The aggregation algorithm proposed by Idika and Bhargava solves several shortcomings of the individual metrics. In addition, it eases the analysis performed by the network administrator by producing useful results, although the algorithm may not arrive at a conclusion in a few cases. One shortcoming of this approach is that it does not include the effort an adversary must expend to perform an attack. In other words, the difficulty level of exploiting a given vulnerability is not considered.

B. Non-path Metrics

As opposed to path metrics, the measurements produced by non-path metrics do not depend on attack paths. Instead, non-path metrics are based on more general information, such as the number of hosts that can be compromised.

In [96], Pamula et al. propose the Weakest Adversary metric, which is based on a condition-exploit-oriented attack graph. This metric expresses the security strength of a network by means of the least amount of effort an attacker needs to compromise a given network asset. The authors consider the minimum effort expended by an attacker to be the strength of the set of initial conditions (of an attack graph) that enables the compromise of a network. Therefore, when comparing two networks, the less secure network will be the one with the weaker set of initial conditions. Given two sets of initial conditions $A$ and $B$, the set $A$ is regarded as weaker than the set $B$ if $A$ is a proper subset of $B$ (an adversary who starts with fewer capabilities still succeeds). However, in the case that neither of the sets is a proper subset of the other, an alternative comparison relation can be defined by the network administrator in order to decide which set is the weaker. For example, if the cardinality of the sets is used to compare them, then the set with the smaller size would be regarded as the weaker one, and its network as the less secure. Another option would be the assignment of a weight to each condition of a set, according to its difficulty level. An issue with this metric is that it provides little insight into the actual effort required for compromising a network, since the internal nodes of the attack graph are disregarded.

Another non-path metric is provided by Lippmann et al. [97]. This metric, called Network Compromise Percentage (NCP), represents the percentage of hosts on which an attacker is able to achieve any given privilege level. NCP is calculated by dividing the number of hosts that can be compromised ($N_c$) by the total number of hosts. $N_c$ can be obtained from a condition-oriented attack graph. Intuitively, a lower NCP value indicates a more secure network.

Most AG-based security metrics measure the network security level focusing on specific hosts (goal states). In contrast, NCP considers that all hosts have the same influence on the network security level. One drawback of NCP is that it does not consider the number of vulnerabilities on hosts. Hence, if new vulnerabilities are discovered on a host that initially had only one vulnerability, the NCP value will not change, even though those new vulnerabilities have made the network less secure.

C. Probabilistic Metrics

Probabilistic AG-based metrics either take probability values as input, or produce probability values as output, or both.

1) PageRank-Based Metric: In [98], Mehta et al. use a condition-oriented AG to compute a metric named State Rank. This metric measures the probability of goal states occurring (i.e., the probability of the network being compromised). Specifically, the authors use the PageRank algorithm to obtain a rank for each state of the AG. The rank of a given state corresponds to the long-run probability of that state occurring. To compute these ranks, the PageRank algorithm needs to receive as input from the network administrator a probability value named the damping factor ($d$). The authors consider that an adversary executes the next exploit (AG arc) at random, with each exploit having the same likelihood of being chosen by an attacker. Hence, $d$ is divided equally among all the outgoing arcs of a given state. The authors also consider that once in a while the attacker may restart the attack process from the initial state (either because the current attack has been detected and prevented, or because the adversary has decided to abort the current attack). This situation is represented by the probability $1 - d$. Once the ranks of all states have been computed, the compromise probability of the network is given by the sum of the ranks of all goal states.

Notice that, in general, attackers are smart and carefully choose their exploits. Hence, the assumption that exploits are executed at random might not hold true.

2) Metrics Based on Independent Attack Paths: Considering that different exploits may have different chances of being executed, Noel et al. [99] use an exploit dependency graph to quantify network security by propagating exploit likelihood scores from initial exploits to the goal exploit. In this approach, each exploit has an individual score as well as a cumulative score. The individual score of each exploit is given as input to the model and represents the conditional probability of the exploit occurring when all its preconditions are already satisfied. In contrast, a cumulative score is a probability value computed by combining the scores of the immediately preceding exploits, according to the type of relationship that exists between them (i.e., conjunctive or disjunctive). When an exploit $B$ is preceded only by a single exploit $A$, the two are said to have a conjunctive relationship, i.e., $B$ can only occur if $A$ also occurs. In that case, the cumulative score of $B$ is given by the product of the individual scores of $A$ and $B$. Then, supposing that $B$ also has a conjunctive


relationship with an exploit $C$ (with $B$ preceding $C$), the cumulative score of $C$ is given by the product of the cumulative score of $B$ and the individual score of $C$.

On the other hand, in the case that an exploit $Z$ can only be realized if either exploit $X$ or exploit $Y$ occurs, then $Z$ is said to have a disjunctive relationship with $X$ and $Y$. In such a case, the cumulative score of $Z$ is given by the product of the individual probability of $Z$ and the probability of $X$ or $Y$ occurring, i.e., $p(Z) \cdot p(X \lor Y) = p(Z) \cdot \big(p(X) + p(Y) - p(X)\,p(Y)\big)$.

Once the cumulative scores of all exploits of the graph have been computed, the security level of the whole network corresponds to the cumulative score of the goal exploit of the attack scenario represented by the attack graph.

One strength of this model is that the cumulative probabilities can be easily calculated, provided that the graph has been populated with all individual probability scores. The authors state that individual scores can be obtained from online vulnerability databases or from empirical data from real networks. One drawback of this model is that the authors do not provide any further details on how to handle cycles in the AG.

An extended version of the cumulative score metric [99] is provided by Wang et al. in [88]. It is called the attack graph probabilistic (AGP) metric. Wang et al. use a condition-exploit-oriented AG to compute AGP. Hence, both conditions and exploits have individual and cumulative scores. This implies that the conjunctive relation holds between an exploit and its preconditions, while a disjunctive relation holds between a postcondition and the exploits that lead to it. The authors assume that the individual score of every condition is 1 and that the individual scores of exploits can be obtained by converting CVSS scores into probability values, although they do not specify how to do this. The major contribution of this work is the procedure the authors propose to handle cycles in the attack graph.

Both AGP [88] and cumulative score [99] are probabilistic instances of the general security metrics framework [100], [101] proposed by the same authors. The framework states that a security metric should be designed to take into account that: (1) some exploits are easier to execute than others, (2) the execution of an exploit may make the execution of another exploit easier, (3) the existence of more attack paths makes the network less secure, and (4) a network is no stronger than its weakest part. The framework also states that exploits should be assigned scores that express their resistance level (i.e., difficulty level) and that these scores should be combined by means of conjunctive and disjunctive operators in order to compute the final cumulative resistance score. Then, based on this framework, the authors show an example Attack Resistance metric in which the individual resistance scores of exploits are represented by real numbers. In this case, the conjunctive operator corresponds to the sum of the individual scores, while the disjunctive operator evaluates to the reciprocal of the sum of the reciprocals of the individual scores. In a second example, the authors show that their proposed framework can also be viewed as a generalization of the weakest adversary metric [96].

The major disadvantage of the three aforementioned probabilistic metrics (i.e., [99], [88], [100]) is that they assume that the multiple attack paths to a critical asset are independent from one another, which is not true in most cases, since they share common exploits.

3) Metric Based on D-separation: Considering that the attack paths that lead to the goal state of an AG are indeed interdependent, Homer et al. [102] propose the enhanced cumulative score metric. This metric is computed based on the concept of d-separation, which is employed to take advantage of conditional independencies between sets of nodes. To understand this proposal, consider the simplified example of a condition-exploit-oriented attack graph from [102] that is depicted in Fig. 6. Condition $c_1$ corresponds to the adversary's initial state, and condition $c_3$ refers to the goal state. The execution of exploit $e_1$ takes the adversary from $c_1$ to $c_2$. From $c_2$, the adversary can achieve the goal state $c_3$ by launching any of the exploits $e_2, \ldots, e_5$. As an example, suppose that the success probability of each exploit is 0.5 (i.e., the conditional probability that the exploit succeeds given that its preconditions have been satisfied). Considering that all attack paths share the dependency on $e_1$, the probability that the adversary successfully reaches $c_3$ can be computed as follows: $P(c_3) = P(c_3 \mid c_2) \cdot P(c_2) = (1 - 0.5^4) \cdot 0.5 \approx 0.47$. On the other hand, if all the attack paths that lead the attacker from $c_1$ to $c_3$ are regarded as independent, as suggested by the probabilistic security metrics previously presented, then each of the four paths succeeds with probability $0.5 \cdot 0.5 = 0.25$ and the cumulative score obtained is $P(c_3) = 1 - 0.75^4 \approx 0.68$. This deviation could be even greater in larger attack graphs with a huge number of attack paths.

Fig. 6. Example of attack graph with exploit probabilities: $c_1 \xrightarrow{e_1\,(0.5)} c_2$, and from $c_2$ each of the four exploits $e_2, e_3, e_4, e_5$ (0.5 each) leads to $c_3$.

In addition to accounting for conditional relationships among attack paths, Homer et al. also address cycles in AGs. Moreover, they suggest that the success probabilities of context-specific exploits should be provided by the network administrator, while the others should be computed from the Access Complexity (AC) score of CVSS. One issue with this approach is that the AC score alone is insufficient for obtaining these probabilities, since there are other factors to be considered, for example, the availability of exploit code, the number of authentications required, etc.

D. Bayesian Network-Based Metrics

A Bayesian Network (BN), also known as a belief network, can be defined as a directed acyclic graph (DAG) with nodes representing variables of a system and edges representing causal relationships among these variables [103]. In a BN,


each node is assigned a Conditional Probability Table (CPT). Hence, an attack graph annotated with values indicating the conditional probabilities of each vulnerability being exploited can be modeled as a BN.

The probabilistic security metrics previously presented can be regarded as special cases of BNs. However, unlike BN-based metrics, they do not allow nodes' probabilities to be updated in the face of evidence that other nodes have been compromised (attack detections). Moreover, other more complex relationships that are encoded in the CPTs of BN models cannot be represented by the aforementioned probabilistic approaches. Thus, the advantage of BNs is that they provide a formal technique to make inferences under conditions of uncertainty, and they are suitable for real-time security evaluation.

1) Metric Based on OR-Decomposition: In [104], Liu and Man generate a BN from a condition-oriented AG. In this BN, each node is a Bernoulli random variable representing the state of a condition, i.e., True (T) or False (F). Each arc (exploit) $e$ is assigned a probability of success $p(e)$. These probabilities are used to compute the CPT of each node (condition), following an OR-decomposition. As an example, assume that a node $C$ has two parent nodes $A$ and $B$. Consider also that node $C$ is connected to $A$ through exploit $e_1$ and to $B$ through exploit $e_2$. Tab. I shows the CPT of node $C$. To compute the conditional probabilities of the last line of the table, Liu and Man use the noisy-OR operator, i.e., $p(e_1 \cup e_2) = 1 - [(1 - p(e_1)) \cdot (1 - p(e_2))]$. Note that, besides the probabilities of exploits, the prior probabilities of all root nodes (initial states) must also be provided. In the given example, prior probabilities should be assigned to nodes $A$ and $B$.

TABLE I
CPT SPECIFICATION FOR NODE C.

  A   B   P(C = T | A, B)   P(C = F | A, B)
  F   F   0                 1
  T   F   p(e1)             1 - p(e1)
  F   T   p(e2)             1 - p(e2)
  T   T   p(e1 ∪ e2)        1 - p(e1 ∪ e2)

Liu and Man define the unconditional probability of the target node (goal state) as the security metric of the network (i.e., the probability that the target node gets compromised). Given the prior probabilities of the root nodes and the CPTs of all non-root nodes, Bayesian inference techniques can be used to compute the unconditional probabilities of all non-root nodes, including the target node. In the example BN given above, the unconditional probability of target node $C$, i.e., $P(C = T)$, would represent the network security level. In addition, it is also possible to calculate the posterior probability (which corresponds to the updated unconditional probability) of node $A$ being compromised given evidence that node $C$ has been compromised, i.e., $P(A = T \mid C = T)$. This backward belief propagation can be useful, for example, to find out the most probable attack path followed by the attacker, given that a monitoring tool has detected a malicious event in the target node. A forward propagation is also possible, i.e., to calculate the posterior probability of the target node being compromised given that a malicious event has been detected in one or more non-target nodes. Another interesting characteristic of this approach is that only the exploit probabilities and prior probabilities need to be given as input to the model (instead of every individual CPT value). However, these probabilities have to be defined by security experts.

2) CVSS-Based Metrics: Frigault and Wang [105] also propose a BN-based security metric. Unlike Liu and Man [104], Frigault and Wang generate the BN from a condition-exploit-oriented AG and assign success probabilities to the nodes rather than to the arcs. Another difference is that the proposed BN model handles not only OR-decompositions but also AND-decompositions. The model can also handle other more complex relationships among nodes, such as the case in which a root node has its prior probabilities influenced by other nodes. The authors also propose to derive the success probabilities of exploits from the CVSS standard. However, they do not specify how this could be done.

In [106], Frigault et al. extend their previous model by using a dynamic Bayesian network (DBN) in order to address the temporal aspects of vulnerabilities, such as the development of new exploit code or the release of patches. The authors also specify that the success probability of an exploit should be generated by dividing the base and temporal CVSS scores by 10. Once these probabilities are computed, they may change as time goes by. In this case, the use of DBNs comes in handy. This is because in the DBN-based model proposed by the authors, the network is represented as a series of BNs, each representing a distinct instant of time. In this DBN, if the temporal CVSS scores are modified, then the success probabilities of exploits can be updated accordingly. In spite of these improvements, the two models proposed by Frigault and colleagues have not been designed to update the CPTs when attacks are detected by monitoring mechanisms.

Another BN-based model is proposed by Poolsappasit et al. [107]. Their model is similar to that of Liu and Man [104]. One difference is that, as in [105], the CPTs of nodes can be computed from both OR-decomposition and AND-decomposition. In addition, the success probabilities of exploits are derived from three CVSS base metrics, namely, access vector, access complexity, and authentication. Another contribution of this work is that it takes into account two additional kinds of uncertainty (in the CPTs). The first uncertainty is related to the existence of an attacker. To express this uncertainty, the authors add (root) nodes that represent the attackers, and their prior probabilities (which are subjectively provided by the network administrator) indicate the probability that the attackers are present in the network. The second uncertainty is related to the possibility that zero-day vulnerabilities exist in the network. This uncertainty can be expressed by assigning non-zero probabilities in the CPT of a node for the case in which all its parents are false.

The work proposed by Xie et al. [108], which is a BN model based on a condition-exploit-oriented AG, considers two additional types of uncertainty (besides the ones considered by Poolsappasit et al.). These uncertainties are: the error rates of the IDS (false positive and false negative rates) and the leaky


parameters. One example of a leaky parameter is the probability that the attacker gains network access to a specific host by circumventing the firewall. A leaky parameter can also be used to represent the chance of zero-day vulnerabilities occurring, similar to what is done in [107]. Thus, the authors suggest that when building the CPTs of nodes, the conditional probabilities should be set up to account for the possible existence of such leaky parameters. The other uncertainty considered by the authors, the IDS error rates, is addressed by the inclusion of two nodes, one representing the existence of an attack and the other representing the IDS alert. If the attack existence node is modeled as the parent of the IDS node, then the CPT of the IDS node coincides with the error rates of the IDS: $P(\text{alert} \mid \text{no attack})$ is the false positive rate and $P(\text{no alert} \mid \text{attack})$ is the false negative rate.

As for the input parameters required by this model, the probabilities of exploits are derived from CVSS, while the other uncertainties (e.g., leaky parameters, attacker existence probability) have to be provided by the network administrator. In addition, some exploit probabilities that cannot be obtained from CVSS scores have to be provided manually by the network administrator as well. The results of the experiments conducted by the authors show that their model has high accuracy in estimating the desired security metric (compromise probabilities), even in the face of the several uncertainties considered. In addition, the experiments have also shown that the compromise probabilities provided by the model are not significantly affected by slight inaccuracies in the CPT values.

3) Metric Based on Subgraphs: A different BN-based approach is provided by Dantu et al. [109], [110], [111]. In their approach, the authors propose to model exploit dependency graphs as BNs to estimate the compromise probability of critical assets, taking into account different attacker profiles. The authors believe that attackers with different characteristics (e.g., skill level, available money) will follow different attack paths. Hence, each attacker profile is manually associated with a specific subgraph. The model takes attack evidence, attacker profiles, and the CPT values of each exploit as input. One major concern is that all CPT values have to be specified manually, based on expert knowledge. Such manual activity may become infeasible in large networks, making it impossible to apply the BN-based model proposed by the authors.

E. Other Security Metrics Based on Attack Graphs

This section presents other types of attack graph-based network security metrics.

1) Metric Based on Attack Difficulty Level: In [112], Ghosh and Bhattacharya use a condition-exploit-oriented AG to measure the network security level in terms of the expected difficulty that a random adversary may encounter while attempting to compromise the network. To compute the expected difficulty metric, the authors assume that the attacker chooses exploits at random and that every security condition of the graph is equally likely to be the postcondition of a given exploit. Based on these assumptions, the authors propose an equation to calculate the expected number of exploits necessary to reach goal states. This number of exploits is then multiplied by the average difficulty level of exploits in order to obtain the desired metric. The authors state that the difficulty level of an exploit should be a real number derived from CVSS scores, rather than a probability, as commonly proposed by other works. However, the authors do not specify how to derive these real values.

2) Desirability-Based Metric: In [31], Tupper and Zincir-Heywood propose the VEA-bility security metric. The VEA-bility score is expressed by a value in the range [0, 10] that represents the desirability of a network configuration. This means that a higher VEA-bility score implies more security. The VEA acronym in the name of this metric stands for Vulnerability, Exploitability, and Attackability, the three sub-metrics that compose the overall VEA-bility metric. Each of these three sub-metrics is first computed for each individual host, then for the whole network. Finally, their values are combined in order to obtain the overall VEA-bility score.

The first sub-metric, the vulnerability score ($V$) of the network, is a value in the range [0, 10] given by $V = \min\big(10, \ln \sum_h e^{v_h}\big)$, where the sum runs over the hosts and $v_h$ is the vulnerability score of host $h$. In turn, $v_h$ corresponds to the exponential average of the severity scores of the vulnerabilities that exist on that host, or a maximum of 10. The severity score of a vulnerability is given by the arithmetic mean of the CVSS impact and temporal scores of this vulnerability.

The second sub-metric, the exploitability score ($E$) of the network, also in the range [0, 10], is given by the sum of the exploitability scores of the network hosts. In turn, the exploitability of a host is given by multiplying the ratio of network services available on that host by the exponential average of the CVSS exploitability scores of all vulnerabilities on that host, or a maximum of 10.

The third sub-metric, the attackability score ($A$) of the network, is given by the sum of the attackability scores of the hosts ($A_h$). In turn, $A_h = 10 \cdot n_a / n_p$, where $n_a$ is the number of attack paths that lead to this host in the underlying condition-oriented AG, and $n_p$ is the total number of existing network paths. Finally, the overall score is given as follows: $\text{VEA-bility} = 10 - (V + E + A)/3$.

The authors provide the results of their experiments on small network scenarios, which show that this metric accurately represents the security level of different network configurations. Nonetheless, this metric may not be suitable for evaluating more complex network configurations, since the VEA-bility score does not take into account the interdependencies among different vulnerabilities when combining the CVSS scores.

3) Metrics for Zero-Day Attacks: In [113], [114], Wang et al. propose a security metric to quantify the resilience of networks against zero-day attacks. To do so, the authors extend a traditional condition-exploit-oriented AG to include zero-day exploits. The proposed metric, k-zero day safety, counts the minimum number of distinct unknown vulnerabilities that are needed for compromising critical network assets. A greater count indicates more security. One limitation of the k-zero day safety metric is that it requires the network administrator to specify an equivalence relation to compare zero-day exploits.

In [115], [116], Zhang et al. propose two security metrics to measure the resistance of networks against zero-day attacks, based on the diversity of network resources (e.g., services, firewalls). To do so, the authors use a modified version of a condition-exploit-oriented AG, named resource graph. This


graph models zero-day attacks rather than known vulnerabilities [117]. The idea behind the proposed metrics is that a higher level of resource diversity makes a network more secure. The first proposed metric, d2-Diversity, measures the minimum effort needed by an adversary to compromise critical network resources. This effort is given by the ratio between the smallest number of different resources on a path and the smallest number of steps on a path. Note that the most diverse minimum path has a ratio equal to 1. To compute this metric, a similarity function that determines the level of similarity between resources needs to be provided by the network administrator. Given that d2-Diversity is focused on the minimum path, it provides only a partial picture of network security.

To provide a thorough picture of network security, the other metric proposed by the authors, d3-Diversity, measures the average effort an attacker needs to make to compromise critical resources. This metric is given by the ratio between the probability that the target asset is compromised and this same probability under the assumption that attackers can reuse exploits to compromise similar resources. To compute this metric, the authors transform the resource graph into a Bayesian network that contains special nodes that directly influence the conditional probabilities of resource instances of the same type. A different special node is included for each shared resource type of the graph. These special nodes represent the adversary's capability of exploiting similar resources of a given type. The input parameters required for computing this metric include a function for determining the similarity between resources, prior probabilities of exploiting each resource type, and conditional probabilities of exploiting resource instances.

The extensive simulations carried out by the authors have shown that the accuracy of the proposed metrics is satisfactory in most cases.

V. OTHER MODEL-BASED NETWORK SECURITY METRICS

This section describes security metrics based on models other than attack graphs and stochastic processes.

A. Biodiversity-Based Metric

In [115], [116], Zhang et al. propose a metric named d1-Diversity. This metric is inspired by biodiversity metrics borrowed from the ecology field. Its objective is to measure the resilience of networks against zero-day attacks. Specifically, this metric assumes that a more diverse network is more resistant to zero-day attacks. It also assumes that all network resources have the same level of importance, instead of focusing on specific critical assets. Hence, the measure provided by d1-Diversity corresponds to the percentage of different existing network resource instances. The computation of this metric takes into account the degree of similarity among different resource instances as well as their irregular distribution among the various resource types. As with d2- and d3-Diversity, this metric also requires the network administrator to provide a resource similarity function. Although d1-Diversity can be used to quantify overall network security, it does not capture the relationship among network resources, given that it is not based on an attack graph.

B. Bayesian Network-Based Metrics

In [118], Zounouz et al. propose an online security analysis framework called Seclius. This framework uses IDS alerts to estimate the probability that critical network assets have been compromised by the detected intrusions. The higher this probability is, the more insecure the network is. In contrast to vulnerability-based metrics, which try to predict security according to the possibility of future vulnerability exploitation, Seclius is regarded as a consequence-centric metric. This means that Seclius analyses security focusing on the damage already caused by intruders. To capture the dependence between network assets, Seclius employs a dependency graph, which is a Bayesian network automatically constructed during an initial training phase. When an IDS alert is received, Seclius computes the probability that the security of the network has been affected by using a belief propagation algorithm to combine the dependency graph with a consequence tree. A consequence tree is a fault tree manually built by network administrators to represent the most critical network assets in the organization. In summary, Seclius calculates overall network security using a logical propagation of the individual probabilities that network assets have been compromised. Seclius also accounts for IDS error rates.

It is important to highlight that the dependency graph used by Seclius is different from attack graphs. While AGs represent the relation among vulnerabilities, the dependency graph is used to represent the information flow among objects (e.g., files and application processes). Furthermore, the dependency graph has the additional feature of being able to automatically compute the conditional compromise probabilities (CPTs) of its nodes, based on the information flow among the represented objects. In [119], a prototype of the proposed solution is implemented and validated in a real testbed system.

In [120], Chatzipoulidis et al. propose a high-level system abstraction model with the aim of measuring the risk of zero-day vulnerabilities in terms of the damage that can be caused to system information and resources. The proposed model is represented as a Bayesian network comprised of five nodes. These nodes respectively correspond to five risk elements, namely, vulnerability (V), threat (T), damage on confidentiality ($D_c$), damage on integrity ($D_i$), and damage on availability ($D_a$). Considering that a higher number of vulnerabilities may increase the effectiveness of threats, the authors propose a method to compute the prior probability that a given number of vulnerabilities will exist, i.e., P(V). This vulnerability prediction is performed by means of a distribution fitting procedure. CVSS scores and historical data about the occurrence and impact of known vulnerabilities are used as input to the prediction model. These data are also used to compute the CPTs of the other nodes of the BN. Once P(V) and the CPTs are obtained, the unconditional probabilities of the damage nodes are computed, i.e., $P(D_c)$, $P(D_i)$, $P(D_a)$. With this information, the network administrator can be aware of the damage risk level of the system. To illustrate the use of this model, the authors show an example of its implementation in the e-banking sector.
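As an added illustration of the d2-Diversity computation described above (this is example code, not code from Zhang et al. or from this survey), the following Python enumerates all simple attack paths in a constructed four-host resource graph, takes the smallest number of different resources on any path and the smallest number of steps on any path, and returns their ratio. The host names, the resource types and the `SAME_FAMILY` table are constructed assumptions; `similarity()` stands in for the similarity function the administrator must supply, and the 0.5 threshold for "similar enough to share an exploit" is likewise assumed.

```python
"""d2-Diversity (least attacking effort) on a constructed resource graph.

Added example; not code from Zhang et al. or this survey. The hosts,
resource types and the SAME_FAMILY table below are constructed; the
similarity function stands in for the one the administrator must supply.
"""
from typing import Callable, Dict, List

Graph = Dict[str, List[str]]    # node -> successors reachable by one exploit
Resources = Dict[str, str]      # node -> resource (software) type it runs

# Resources an attacker is assumed able to hit with one reused exploit.
SAME_FAMILY = {frozenset({"apache", "httpd"})}


def similarity(a: str, b: str) -> float:
    """Assumed administrator-provided similarity in [0, 1]."""
    return 1.0 if a == b or frozenset({a, b}) in SAME_FAMILY else 0.0


def simple_paths(graph: Graph, src: str, dst: str) -> List[List[str]]:
    """All simple paths from src to dst (depth-first, no repeated node)."""
    found: List[List[str]] = []

    def walk(node: str, trail: List[str]) -> None:
        if node == dst:
            found.append(list(trail))
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:
                trail.append(nxt)
                walk(nxt, trail)
                trail.pop()

    walk(src, [src])
    return found


def distinct_resources(types: List[str], sim: Callable[[str, str], float],
                       threshold: float = 0.5) -> int:
    """Number of different resources on a path: two resources the
    similarity function rates >= threshold are counted once."""
    reps: List[str] = []
    for t in types:
        if not any(sim(t, r) >= threshold for r in reps):
            reps.append(t)
    return len(reps)


def d2_diversity(graph: Graph, resources: Resources, src: str, dst: str,
                 sim: Callable[[str, str], float] = similarity) -> float:
    """Ratio of the smallest number of different resources on any attack
    path to the smallest number of steps on any attack path. A step is one
    exploited resource, i.e. each node after the attacker's start node."""
    paths = simple_paths(graph, src, dst)
    if not paths:
        raise ValueError(f"{dst} is not reachable from {src}")
    min_steps = min(len(p) - 1 for p in paths)
    min_distinct = min(distinct_resources([resources[n] for n in p[1:]], sim)
                       for p in paths)
    return min_distinct / min_steps


# Constructed network: two web front ends, one application server, one DB.
GRAPH: Graph = {"attacker": ["web1", "web2"], "web1": ["app"],
                "web2": ["app"], "app": ["db"], "db": []}
MONOCULTURE: Resources = {"web1": "apache", "web2": "httpd",
                          "app": "apache", "db": "mysql"}
DIVERSIFIED: Resources = {"web1": "apache", "web2": "nginx",
                          "app": "tomcat", "db": "mysql"}

if __name__ == "__main__":
    print("monoculture d2 =", round(d2_diversity(GRAPH, MONOCULTURE, "attacker", "db"), 3))
    print("diversified d2 =", d2_diversity(GRAPH, DIVERSIFIED, "attacker", "db"))
```

In the monoculture layout both three-step paths reuse the same web-server family, so the least diverse path carries only two different resources and d2 is 2/3; replacing the middle tier with a different product lifts every path to three different resources and d2 reaches its maximum of 1. Because the minimum is taken over all paths, one poorly diversified path is enough to pull the metric down, which is exactly the "partial picture" the text attributes to d2.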

1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
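The damage-risk model of Chatzipoulidis et al. reviewed above computes the unconditional probabilities of the three damage nodes from P(V) and the CPTs. The Python below is an added example (not code from the cited work or from this survey) that carries that computation through on a five-node Bayesian network by exact enumeration. Assumed: the nodes are binary and wired V -> T -> {Dc, Di, Da}, and the P(V) and CPT entries are constructed constants standing in for the values the paper fits from CVSS scores and historical vulnerability data.

```python
"""Damage-risk Bayesian network in the style of Chatzipoulidis et al.

Added example; not code from the cited work or this survey. Assumed: the
five nodes are binary and wired V -> T -> {Dc, Di, Da}; P(V) and the
CPT entries are constructed constants standing in for the values the
paper fits from CVSS scores and historical vulnerability data.
"""
from itertools import product
from typing import Dict, List, Optional, Tuple

# node -> (parents, CPT); the CPT maps a tuple of parent values to P(node=True)
Network = Dict[str, Tuple[List[str], Dict[Tuple[bool, ...], float]]]

DAMAGE_RISK_BN: Network = {
    "V":  ([],    {(): 0.30}),                       # P(V): many vulnerabilities present
    "T":  (["V"], {(True,): 0.80, (False,): 0.20}),  # threats become effective
    "Dc": (["T"], {(True,): 0.60, (False,): 0.05}),  # damage on confidentiality
    "Di": (["T"], {(True,): 0.40, (False,): 0.02}),  # damage on integrity
    "Da": (["T"], {(True,): 0.50, (False,): 0.10}),  # damage on availability
}


def joint_probability(bn: Network, assignment: Dict[str, bool]) -> float:
    """Chain rule: product over nodes of P(node | parents) for one full assignment."""
    p = 1.0
    for node, (parents, cpt) in bn.items():
        p_true = cpt[tuple(assignment[par] for par in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def marginal(bn: Network, query: str,
             evidence: Optional[Dict[str, bool]] = None) -> float:
    """P(query=True | evidence) by exhaustive enumeration. Exact, but the
    number of assignments doubles with every node added, which is the
    exponential BN cost the discussion section warns about."""
    evidence = evidence or {}
    nodes = list(bn)
    numerator = normaliser = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[k] != v for k, v in evidence.items()):
            continue
        p = joint_probability(bn, assignment)
        normaliser += p
        if assignment[query]:
            numerator += p
    return numerator / normaliser


def damage_risk(bn: Network = DAMAGE_RISK_BN,
                evidence: Optional[Dict[str, bool]] = None) -> Dict[str, float]:
    """Unconditional (or evidence-conditioned) P(Dc), P(Di), P(Da)."""
    return {node: marginal(bn, node, evidence) for node in ("Dc", "Di", "Da")}


if __name__ == "__main__":
    for name, value in damage_risk().items():
        print(f"P({name}) = {value:.4f}")
    # Recompute once the vulnerability count is known to be high.
    print("P(Dc | V) =", round(marginal(DAMAGE_RISK_BN, "Dc", {"V": True}), 4))
```

With these constants P(T) = 0.3·0.8 + 0.7·0.2 = 0.38, so P(Dc) = 0.38·0.6 + 0.62·0.05 = 0.259, and conditioning on V being true raises it to 0.49; the same `marginal()` call is what lets an administrator re-evaluate the damage risk after the vulnerability count has been observed rather than predicted.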

C. Tree-Based Metrics

In [121], the mean privacy metric is proposed by Almasizadeh and Azgomi. This metric quantifies security by estimating the amount of private network information that can be leaked to attackers. Examples of private information of interest to an attacker are system topology, network vulnerabilities, open ports, and available services, among others. Mean privacy values are non-negative and are given in units of bits. A smaller mean privacy value indicates more security. Note that a value of zero indicates a totally secure network. The mean privacy metric is based on an information theoretic model and uses an attack tree labeled with probability mass functions that represent the evolution of the attack process. Accordingly, this metric can be described as a weighted average of the uncertainty of distinct attack paths. More specifically, the metric value is given by the entropy of the attack scenario described by the attack tree. To compute the mean privacy, initially, the entropy is computed for the leaf nodes of the tree (initial attacker actions). Then, a recursive algorithm computes the entropy for all internal nodes (partial attack steps), until reaching the root, which represents the security compromise state. The value computed for the root corresponds to the Mean Privacy. One disadvantage of the proposed model is that attack scenarios have to be manually identified to generate the attack tree.

In [122], [123], Sahinoglu proposes the Security Meter, a decision-tree model to measure network security risk based on risk factors like vulnerabilities, threats, and (lack of) countermeasures. In this model a probabilistic approach is used to compute the final metric value as a probability or percentage indicating how insecure the network is. More specifically, Security Meter organizes the vulnerabilities of the network in a decision tree according to their probability of existence. Possible threats for each vulnerability are also included in the tree. Each threat has a probability of exploiting a specific vulnerability. The third component of the tree refers to the countermeasures used to defend the network against attacks. Each countermeasure has a probability of failing to mitigate each given threat. From the decision tree, it is possible to compute, for each <vulnerability, threat> pair, the residual risk that remains after the application of the respective countermeasure. The residual risk is given by the product of the three aforementioned probabilities, and the final network risk is given by multiplying the criticality factor (importance level) of the network by the sum of all residual risks. The criticality factor is a subjective value that has to be provided by the network administrator. In [123], the authors propose a method to obtain the probabilities of vulnerabilities, threats, and countermeasures from empirical data. However, given the difficulty of obtaining real attack data, the authors conclude that technology still needs to advance so that accurate empirical data can be obtained.

One advantage of Security Meter is its generality, which enables it to measure network security taking into account not only remote but also physical threats. One disadvantage of this model is that the decision tree has to be manually constructed by the network administrator, who has to know the specific vulnerabilities, threats, and countermeasures of the network, as well as their respective probabilities.

D. Metrics Based on Vulnerability Severity Scores

In [124], Abedin et al. introduce the Policy Security Score (PSS) metric. This metric evaluates to a value in the range [0, 10] that indicates the security of a network in terms of the CVSS severity scores of current and past vulnerabilities. To compute PSS, the authors first compute the severity score x of the network as the weighted sum of two vulnerability severity sub-metrics, namely, the existing vulnerability measure (EVM) and the aggregated historical vulnerability measure (AHVM). Accordingly, PSS corresponds to a monotonically decreasing function of x. This means that a severity value of x = 0 corresponds to a PSS score of 10. The control parameter required by the monotonically decreasing function and the weight assigned to each sub-metric have to be subjectively defined by the network administrator.

The EVM sub-metric measures the risk posed by the existing vulnerabilities in the network. To compute this metric, it is necessary to separate the existing vulnerabilities into two groups. The first group, EVU, refers to the vulnerabilities that have no solutions or patches available at the present moment, and the second group, EVS, corresponds to vulnerabilities that already have known solutions available. For each of those groups (EVU and EVS), the exponential average of the severity scores of the vulnerabilities is taken. Then, it is possible to calculate EVM, which is given by the weighted sum of the two exponential averages. The weight of each average considered in the computation of EVM has to be subjectively informed by the network administrator, according to the risk posed by each vulnerability group (EVU and EVS).

AHVM, the other sub-metric that composes the PSS metric, measures how vulnerable the network has been in the past so as to predict new vulnerabilities. Precisely, a network with a higher AHVM is more likely to have unknown vulnerabilities in the present. To compute AHVM, the past vulnerabilities of the network are split into three sets, according to the level of risk they pose (high, medium, and low). Each vulnerability is assigned a weight that is specific to the set in which the vulnerability is included. Then, in order to account for the age of the vulnerabilities, an exponential decay function is applied to their severity scores, such that the vulnerabilities that have been discovered more recently have a higher influence on the value of AHVM. Once the decay function has been applied, the resulting severity scores are combined in order to obtain the AHVM score.

In [125], Ahmed et al. propose the probabilistic vulnerability measure (PVM). This metric estimates the risk that may be faced by a network in the time to come. The PVM metric is given by the exponential average of the expected risk (ER) of each service ($s_i$) of the network. The expected risk of a given service ($ER_{s_i}$) is given by the product of two values, $P_{s_i}$ and $E[X_{s_i}]$. The first value, $P_{s_i}$, denotes the probability that a vulnerability on service $s_i$ will be discovered over a given period of time T. A probability distribution function needs to be defined in order to determine $P_{s_i}$. The second value, $E[X_{s_i}]$, corresponds to the expected severity score that a vulnerability on service $s_i$ will have.
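The PSS procedure (EVM over the patched and unpatched groups, AHVM with per-set weights and age decay, then a decreasing map of the severity x to [0, 10]) and the PVM formula share the same "exponential average" aggregation, so the following Python, an added example that is not code from Abedin et al., Ahmed et al. or this survey, implements both on constructed data. Wherever the text leaves a formula open, the code states an assumption in a comment: the exponential average is taken as ln(Σ e^{s_i}), the decayed AHVM scores are combined with that same average, PSS is 10·e^{-c·x} with an assumed control parameter c, and $P_{s_i}$ follows a Poisson arrival of disclosures, $1 - e^{-\lambda T}$. The vulnerability identifiers are placeholders and all weights are the kind of subjective inputs the text says the administrator must supply.

```python
"""Policy Security Score (EVM, AHVM, PSS) and PVM on constructed data.

Added example; not code from Abedin et al., Ahmed et al. or this survey.
Assumed where the text leaves the formula open (each marked below):
the 'exponential average', the AHVM combination rule, the decreasing
map from severity x to PSS, and the distribution behind P_si.
"""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass
class Vuln:
    ident: str       # placeholder identifier, not a real CVE number
    score: float     # CVSS base score in [0, 10]
    patched: bool    # True -> EV_S group (fix available), False -> EV_U


@dataclass
class PastVuln:
    score: float
    risk: str        # "high" | "medium" | "low" risk set
    age_days: float  # days since disclosure


def exponential_average(scores: Iterable[float]) -> float:
    """Assumed form: ln(sum(exp(s_i))), computed stably. A single score
    maps to itself; the result is dominated by the largest score, so one
    critical finding is not diluted by many low ones. Empty input -> 0."""
    scores = list(scores)
    if not scores:
        return 0.0
    m = max(scores)
    return m + math.log(sum(math.exp(s - m) for s in scores))


def evm(existing: List[Vuln], w_unpatched: float = 0.7, w_patched: float = 0.3) -> float:
    """Existing vulnerability measure: weighted sum of the exponential
    averages of the unpatched (EV_U) and patched (EV_S) groups. The two
    weights are the administrator's subjective choice."""
    ev_u = [v.score for v in existing if not v.patched]
    ev_s = [v.score for v in existing if v.patched]
    return w_unpatched * exponential_average(ev_u) + w_patched * exponential_average(ev_s)


RISK_SET_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}   # constructed set weights


def ahvm(past: List[PastVuln], half_life_days: float = 180.0) -> float:
    """Aggregated historical vulnerability measure: each past score is
    weighted by its risk set, decayed as exp(-ln2 * age / half_life) so
    recent disclosures weigh more, then combined (assumed: with the same
    exponential average used for EVM)."""
    lam = math.log(2.0) / half_life_days
    decayed = [RISK_SET_WEIGHT[p.risk] * p.score * math.exp(-lam * p.age_days) for p in past]
    return exponential_average(decayed)


def pss(x: float, control: float = 0.15) -> float:
    """Monotonically decreasing map of network severity x to [0, 10] with
    pss(0) == 10; the function and its control parameter are assumed."""
    return 10.0 * math.exp(-control * x)


def policy_security_score(existing: List[Vuln], past: List[PastVuln],
                          w_evm: float = 0.6, w_ahvm: float = 0.4) -> Dict[str, float]:
    """x = w_evm * EVM + w_ahvm * AHVM, then PSS = f(x)."""
    e, a = evm(existing), ahvm(past)
    x = w_evm * e + w_ahvm * a
    return {"EVM": e, "AHVM": a, "x": x, "PSS": pss(x)}


def pvm(services: Dict[str, Tuple[float, float]], period_days: float) -> float:
    """Probabilistic vulnerability measure: exponential average over
    services of ER_si = P_si * E[X_si]. services maps name -> (daily
    disclosure rate, expected CVSS score). P_si is assumed to follow a
    Poisson arrival of disclosures: P_si = 1 - exp(-rate * T)."""
    expected_risks = []
    for rate_per_day, expected_score in services.values():
        p_si = 1.0 - math.exp(-rate_per_day * period_days)
        expected_risks.append(p_si * expected_score)
    return exponential_average(expected_risks)


# Constructed sample inventory (identifiers are placeholders).
EXISTING = [Vuln("VULN-PLACEHOLDER-1", 9.0, patched=False),
            Vuln("VULN-PLACEHOLDER-2", 4.0, patched=True)]
PAST = [PastVuln(8.0, "high", age_days=0.0)]
SERVICES = {"ssh": (0.002, 7.0), "http": (0.010, 6.5)}

if __name__ == "__main__":
    print(policy_security_score(EXISTING, PAST))
    print("PVM over 90 days:", round(pvm(SERVICES, 90.0), 3))
```

On the sample inventory EVM is 0.7·9.0 + 0.3·4.0 = 7.5 and AHVM is 8.0 (one fresh high-risk finding, no decay yet), so x = 0.6·7.5 + 0.4·8.0 = 7.7; the same finding aged by one half-life contributes 4.0 instead. Changing the weights or the control parameter moves PSS without any change to the network, which is the practical difficulty with these metrics that the text raises in the following section.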


In [126], Ahmed et al. use the ER, EVM, and AHVM sub-metrics to derive the Attack Propagation (AP) metric. The AP metric is a real number that expresses the effect of the propagation of an attack through the hosts of the network. Considering D as the set of all hosts that can be reached from outside the network, the AP metric is given by the following equation: $AP = \sum_{d \in D} P(d) \cdot SBE_d$. The P(d) term represents the probability that a vulnerability is present at host d, and can be derived from the ER sub-metric. $SBE_d$ refers to the Service Breach Effect, and denotes the effect of an attacker at host d reaching every other accessible host. The authors compute the value of $SBE_d$ by using a Service Connectivity Graph, a directed graph that shows how several services (edges) connect different hosts (nodes), to combine the values of several distinct input parameters. Such parameters include EVM, AHVM, protection level of firewalls, false negative rate of the IDS, and the effect of compromising a host d.

In [126], the authors implement a tool to compute in real time the EVM and AHVM sub-metrics proposed by Abedin et al. [124] and the PVM metric proposed by Ahmed et al. [125]. Despite the availability of an automated tool, it may still be difficult to apply these metrics in a real environment. This is especially because the authors do not give any guidelines on how to define the subjective weights that are necessary for computing the metrics and the control parameters that are required by the aggregation functions used.

E. Metric Based on Attack Execution Graph

In [127], LeMay et al. propose the ADversary VIew Security Evaluation (ADVISE) method to produce security metrics that quantify network resilience against attacks. ADVISE models an intrusion process as a series of attack steps organized into an attack execution graph (AEG). The nodes in an AEG represent five different attributes: attack steps, system access domains, relevant system knowledge items, adversary skills required to attack the system, and attack goals. The arrows in an AEG represent a cause-consequence relationship between the linked nodes. As opposed to an attack graph, an AEG has a higher abstraction level and includes additional information regarding attack steps, such as timing and cost values.

ADVISE enables the specification of different attacker profiles (e.g., insider, criminal organization, terrorist). To assess how a given adversary is likely to attack the system, ADVISE uses an attack execution algorithm that combines attacker profiles with an AEG. More precisely, this algorithm evaluates the attractiveness of each attack step in the AEG to determine the sequence of attack steps chosen by the adversary. The attractiveness of each attack step is defined according to the current model state (i.e., access domains, knowledge items, and attack goals the adversary has achieved) and the attacker preferences defined in the adversary's profile. The attack preferences include the monetary value of each attack goal, the monetary cost and payoff of each attack step, attacker skill level, attacker initial state, and the probability that the attacker is detected.

The ADVISE method described above allows the definition of different types of security metrics. In particular, LeMay et al. use ADVISE to evaluate system resilience against attacks based on the average amount of time the system remains in a secure state. In [128], the authors developed a tool for users who want to use ADVISE.

VI. DISCUSSION AND OPEN ISSUES

This section presents a discussion and comparative analysis of the surveyed model-based quantitative NSMs. Open issues and future research directions in the field are also provided.

A. Discussion and Comparative Analysis

In the following, each of the three great groups of metrics presented in the previous sections is individually discussed. Then, a general discussion on all reviewed metrics is provided.

1) Discussion on the Metrics Based on Stochastic Models: Tab. II summarizes the security metrics described in Sec. III. This table includes metric output, analytical model(s) used, auxiliary state-space model, and input parameters.

While state-based stochastic models have been satisfactorily used in the dependability domain, the adaptation of these

TABLE II
QUANTITATIVE NSMS BASED ON STATE-SPACE STOCHASTIC MODELS.

Proposed Approach | Metric | Metric Output | Analytical Models | State-Space Model | Input Parameters
Dacier et al. [70], [71] | MTTF | time to compromise | CTMC | privilege graph-based | success rate of elementary attacks
Ortalo et al. [72] | METF | effort to compromise | CTMC | privilege graph-based | success rate of elementary attacks
Almasizadeh and Azgomi [40], [73], [74] | MTSF | time to compromise | SMC, DTMC | manually defined attack types and attack steps | probabilities of attack steps, time for attack steps
Sallhammar et al. [53], [54] | MTFF | time to compromise | CTMC, Game Theory | manually defined attack types and attack steps | accidental failure rates, repair rates, accumulated attack step intensities, reward and cost values for attackers/defenders
McQueen et al. [8], [75] | MTTC | time to compromise | Random Process | compromise graph | # of existing vulnerabilities, # of vulnerabilities on component, # of available exploits, attacker skill level, # of exploitable vulnerabilities, fraction of exploitable vulnerabilities, 30.42 (mean time between vulnerabilities), 5.8 (mean time to create an exploit), 8 hours (time for process 1)
Leversage et al. [76] | MTTC | time to compromise | VLMC | attack path model | visibility variable, attacker skill rating, and all parameters used by McQueen et al.
Almasizadeh and Azgomi [40], [73], [74] | Steady-State Security | compromise probability | SMC, DTMC | manually defined attack types and attack steps | probabilities of attack steps, time for attack steps
Jha et al. [79] | Reliability | security probability | CTMC | attack graph-based | transition probabilities
Kanoun et al. [80] | Success Likelihood | compromise probability | CTMC | attack graph-based | skill level required for executing an attack step, IDS alerts
Xiaohu et al. [81] | q | compromise probability | Renewal Process | vulnerability graph | compromise rates, fix rates


techniques to the security field still presents some important challenges. We describe some of these challenges below:
• It may be difficult to correctly model an intrusion process by means of classical stochastic approaches. This is due to the intentional nature of attacks, as opposed to the random nature of accidental failures considered in dependability models.
• Because attacks are intentional, the assumption that the times between attacks are exponentially distributed might not be suitable to describe attacker behavior, as discussed in [129], [52]. Instead, the empirical analysis presented in [129] suggests that a mixture distribution obtained from combining an exponential distribution with a Pareto distribution seems more promising.
• The abstraction level of the network, vulnerabilities, attacks, and defensive controls is determined by the number of states defined by the model. Thus, the number of states must be carefully chosen. In particular, this number must be sufficiently large to represent all relevant elementary attack steps. At the same time, it must be small enough to avoid exponential growth when applied to very large networks (e.g., cloud computing environments [130]).
Given that stochastic processes take into account the time variable, the security metrics presented are very useful for predicting the evolution of the security level of networks during their operation.

As a final note, although the reviewed metrics are focused on traditional networks, there also exist a few stochastic-based metrics proposed specifically for intrusion tolerant systems (e.g., [131], [132]). A system designed to be intrusion tolerant should be able to automatically detect and mitigate attacks such that the critical services provided to users are not interrupted. One example of such a system is SITAR [133], an intrusion tolerant architecture for distributed services. In [131], [132], Madan et al. propose a model to estimate the mean time to security failure (MTTSF) metric for SITAR.

2) Discussion on the Metrics Based on Attack Graphs: The attack graph-based network security metrics reviewed in Sec. IV are summarized in Tab. III. This table includes metric output, additional models and algorithms used, type of AGs used, and input parameters. Notice that the input parameters necessary for creating the attack graphs have been omitted from the table, since they are common to all AG-based metrics. Examples of such parameters include host connectivity, network vulnerabilities, firewall rules, available network services, user privileges, and critical assets, among others.

The following conclusions can be drawn with respect to the

TABLE III
QUANTITATIVE NSMS BASED ON ATTACK GRAPHS.

Proposed Approach | Metric | Metric Output | Additional Models | Type of Attack Graph | Input Parameters
Phillips and Swiler [83], and Idika and Bhargava [10] | Shortest Path | path length | – | condition-oriented, condition-exploit-oriented | –
Ortalo et al. [72], and Idika and Bhargava [10] | Number of Paths | amount of paths | – | condition-exploit-oriented | –
Li and Vaughn [95], and Idika and Bhargava [10] | Mean of Path Lengths | path length | – | condition-exploit-oriented | –
Idika and Bhargava [10] | Normalized mean of path lengths | path length | – | condition-exploit-oriented | –
Idika and Bhargava [10] | Assistive metrics: SDPL, MoPL, MePL | path length | – | condition-exploit-oriented | –
Pamula et al. [96] | Weakest Adversary | strength of initial conditions set | – | condition-exploit-oriented | comparison relation of initial sets
Lippmann et al. [97] | Network Compromise Percentage | compromise percentage | – | condition-oriented | –
Mehta et al. [98] | State Rank | compromise prob. | PageRank | condition-oriented | damping factor
Noel et al. [99] | Cumulative Score | compromise prob. | – | exploit dependency graph | exploit conditional probabilities
Wang et al. [88] | AGP | compromise prob. | CVSS | condition-exploit-oriented | exploit conditional probabilities
Wang et al. [100] | Attack Resistance | resistance level | – | condition-exploit-oriented, exploit dependency graph | exploit difficulty levels
Homer et al. [102] | Enhanced Cumulative Score | compromise prob. | CVSS | condition-exploit-oriented | exploit conditional probabilities
Liu and Man [104] | Liu and Man's metric | compromise prob. | BN | condition-oriented | exploit conditional probabilities, root nodes prior probabilities, IDS alerts
Frigault and Wang [105] | Frigault and Wang's metric | compromise prob. | BN, CVSS | condition-exploit-oriented | exploit conditional probabilities
Frigault et al. [106] | Frigault and colleagues' metric | compromise prob. | DBN, CVSS | condition-exploit-oriented | exploit conditional probabilities
Poolsappasit et al. [107] | Poolsappasit and colleagues' metric | compromise prob. | BN, CVSS | condition-oriented | exploit cond. probs., attacker existence prob., zero-day vulnerabilities prob., IDS alerts
Xie et al. [108] | Xie and colleagues' metric | compromise prob. | BN, CVSS | condition-exploit-oriented | exploit cond. probs., attacker existence prob., IDS error rates, IDS alerts, leaky parameters
Dantu et al. [109], [110], [111] | Dantu and colleagues' metric | compromise prob. | BN | exploit dependency graph | attacker profiles, CPT values for each exploit, IDS alerts
Ghosh and Bhattacharya [112] | Expected difficulty | difficulty level | CVSS | condition-exploit-oriented | exploit difficulty levels
Tupper and Zincir-Heywood [31] | VEA-bility | desirability score | CVSS | condition-oriented | CVSS scores of vulnerabilities
Wang et al. [113], [114] | k-zero day safety | amount of zero-day vulnerabilities | – | condition-exploit-oriented | zero-day exploits equivalence relation
Zhang et al. [115], [116] | d2-Diversity (least attacking effort) | probability of diversity | – | condition-exploit-oriented | resources similarity function
Zhang et al. [115], [116] | d3-Diversity (average attacking effort) | compromise probability | BN, CVSS | condition-exploit-oriented | resources similarity function, prior and conditional compromise probabilities of resources


existing types of attack graph-based network security metrics:
• On one hand, the simplicity of path metrics makes them practical and cheap to apply, given that they do not require additional input parameters. On the other hand, path metrics, when applied alone, provide little insight about the network security level. Interestingly, the suite of metrics and aggregation algorithm provided by Idika and Bhargava [10] is a first step toward solving this issue.
• Non-path metrics suffer from the same issues as path metrics. In particular, the weakest adversary metric [96] has the additional disadvantage of requiring the definition of a comparison relation.
• Probabilistic metrics seem to provide a natural way of capturing the relationship among exploits and measuring their combined effect on network security. They can also be efficiently computed, even for large networks. However, these metrics have not been designed to update the network security level as attacks are detected (in real time) by monitoring mechanisms.
• Bayesian-based security metrics are a powerful extension of probabilistic security approaches. They are not only able to handle IDS inputs in order to update the network security level in real time, but they are also capable of capturing the effects of several uncertainties regarding the intrusion process. Examples of uncertainties are: existence of zero-day vulnerabilities, error rates of the IDS, etc. The challenge, however, is how to accurately obtain information regarding those uncertainties. Moreover, the exponential complexity of BN computations is of great concern, especially in dynamic and large networks.
• Other attack graph-based approaches such as those focusing on zero-day attacks and network diversity are very promising, although they still need further improvements.

3) Discussion on the Metrics Based on Other Models: Tab. IV summarizes the security metrics presented in Sec. V, in terms of the metric outputs, models used, and input parameters. Instead of using attack graphs or state-based stochastic models, these metrics rely on models such as fault trees, Bayesian networks, decision trees, etc. Some of these approaches are able to capture the relationship among the several dynamic aspects that influence the security of a network, such as vulnerabilities, exploits, and network topology. This is the case with Seclius, mean privacy, attack propagation, and ADVISE. On the other hand, the policy security score metric, the probabilistic vulnerability measure, the damage risk metric, and the security meter, although they combine information about multiple vulnerabilities, do not take into account their causal relationships. As a consequence, those approaches are likely to estimate the security level less accurately.

4) Discussion on All Reviewed Metrics: This section provides a discussion and comparative analysis regarding additional aspects of all surveyed security metrics.

Metrics Classification. In Sec. II-B, the surveyed metrics have been classified into the following categories: model-based, quantitative, and network. Those categories respectively refer to the following three criteria: construction type, measurement type, and target type. Tab. V presents a classification of the surveyed metrics with regard to the four remaining classification criteria (i.e., objective type, automation level, measurement consistence, and measurement moment). Details on these criteria are described in the following.

Objective Type Criteria: If a larger value of the metric indicates more security, then the metric has been classified as compliance; otherwise it has been regarded as non-compliance (i.e., a larger metric value indicates less security).

Automation Level Criteria: The metrics classified as semi-automatic are those that require the network administrator to manually provide input parameters that cannot be easily gathered or defined (e.g., comparison relations). In contrast, metrics classified as automatic are those whose parameters can all be automatically obtained (e.g., from online databases), or can be easily provided by administrators (e.g., critical assets).

From Tab. V, it is possible to see that the majority of the analyzed security metrics are semi-automatic. The problem with this type of metric is that it requires the security administrators to have an advanced knowledge of the network infrastructure and the particularities of the metric model. It is important to emphasize that because various aspects of security metrics usually depend on personal preferences, manual intervention is almost always necessary. However, human resources should preferably be expended on the analysis of the metric values instead of on their computation procedure.

TABLE IV
OTHER MODEL-BASED QUANTITATIVE NSMS.

Proposed Approach | Metric | Metric Output | Models Used | Input Parameters
Zhang et al. [115], [116] | d1-Diversity | % of distinct hosts | Biodiversity model | resources similarity function
Zounouz et al. [118] | Seclius | compromise prob. | fault trees, BN | IDS alerts, IDS error rates
Chatzipoulidis et al. [120] | Damage Risk | compromise probability | BN, CVSS | CVSS scores of vulnerabs., vulnerabs. historical data
Almasizadeh and Azgomi [121] | Mean Privacy | number of bits leaked | attack trees, information theory | attack probability mass functions, attack types, attack steps
Sahinoglu [122], [123] | Security Meter | compromise probability | decision-tree | decision-tree components, criticality factor, probabilities of vulnerabilities, threats, and countermeasures
Abedin et al. [124] | Policy Security Score | security score | CVSS | subjective weights, control parameters of functions, CVSS scores
Ahmed et al. [125] | Probabilistic Vulnerability Measure | severity score | CVSS | period of time T, expected severity of vulnerabilities, probability distribution function, CVSS scores of vulnerabs.
Ahmed et al. [126] | Attack Propagation | attack propagation effect | Service Connectivity Graph, CVSS | ER, EVM, and AHVM sub-metrics, protection level of firewalls, false negative rate of the IDS, effect of node compromise, CVSS scores of vulnerabilities
LeMay et al. [127] | ADVISE | time to compromise | Attack Execution Graph | network data for generating AEG and adversary's profile (e.g., attack step cost and payoff, detection probability)


Measurement Moment Criteria: The metrics developed with the primary intention of being used before deployment, to aid system design, have been classified as static. Conversely, the metrics created specifically for quantifying security during network operation have been classified as dynamic. One interesting characteristic of dynamic metrics is that they capture the security-related events that occur during operation and adjust the computed security level accordingly.

Tab. VI presents a list of security-related events and the corresponding dynamic security metrics that provide updated values when these events occur. The events that cause a modification of the graph model of a network (e.g., appearance or removal of vulnerabilities) usually require the graph to be totally regenerated, which may result in serious performance issues. One interesting approach to handling such modifications is the type of AG proposed by Lippmann et al. [97], referred to as predictive AG. In this efficient AG, only the edges and nodes directly affected by the fired events are removed or added. This means that the graph is edited instead of being completely reconstructed. Another interesting characteristic of some of the dynamic security metrics is their capability of handling IDS alerts. This characteristic enables them to provide a more accurate estimation of the network security level, because the metric computation procedure takes into account attacks that are actually occurring, rather than attempting to measure security based on the possibility of future exploitation. In addition, dynamic metrics that handle IDS alerts are more sensitive, since attacks may occur much more frequently than modifications to the graphs. However, metrics that handle IDS alerts but do not update the network graph when other events occur may also provide an inaccurate security level. Therefore, metrics capable of handling both IDS alerts and graph modifications, such as the Success Likelihood metric proposed in [80], are desirable. A final remark about dynamic metrics is that they can also be applied to measure security in a static manner, i.e., they can help find the most secure network configuration to be deployed.

Measurement Consistence Criteria: Metrics based solely on

TABLE V
CLASSIFICATION OF THE REVIEWED MODEL-BASED QUANTITATIVE NSMS.

Security Metric | Objective Type | Automation Level | Measurement Moment | Measurement Consistence
MTTF [70], [71] compliance automatic dynamic objective
METF [72] compliance semi-automatic dynamic subjective
MTSF [40], [73], [74] compliance semi-automatic static subjective
MTFF [53], [54] compliance semi-automatic static subjective
MTTC by McQueen et al. [8], [75] compliance semi-automatic static subjective
MTTC by Leversage et al. [76] compliance semi-automatic static subjective
Steady-State Security [40], [73], [74] non-compliance semi-automatic static subjective
Reliability [79] compliance automatic static objective
Success Likelihood [80] non-compliance semi-automatic dynamic subjective
q [81] non-compliance automatic static objective
Shortest Path [83], [10] compliance automatic dynamic objective
Number of Paths [72], [10] non-compliance automatic dynamic objective
Mean of Path Lengths [95], [10] compliance automatic dynamic objective
Normalized Mean of Path Lengths [10] compliance automatic dynamic objective
Assistive metrics: SDPL, MoPL, MePL [10] compliance automatic dynamic objective
Weakest Adversary [96] compliance semi-automatic static subjective
Network Compromise Percentage [97] non-compliance automatic dynamic objective
State Rank [98] non-compliance semi-automatic static subjective
Cumulative Score [99] non-compliance automatic static objective
AGP [88] non-compliance automatic static subjective
Attack Resistance [100] compliance semi-automatic static subjective
Enhanced Cumulative Score [102] non-compliance semi-automatic static subjective
Liu and Man’s metric [104] non-compliance semi-automatic dynamic subjective
Frigault and Wang’s metric [105] non-compliance automatic static subjective
Frigault and colleagues’ metric [106] non-compliance automatic dynamic subjective
Poolsappasit and colleagues’ metric [107] non-compliance semi-automatic dynamic subjective
Xie and colleagues’ metric [108] non-compliance semi-automatic dynamic subjective
Dantu and colleagues’ metric [109], [110], [111] non-compliance semi-automatic dynamic subjective
Expected Difficulty [112] compliance automatic static subjective
VEA-bility [31] compliance automatic static subjective
k-zero day safety [113], [114] compliance semi-automatic static subjective
d2-Diversity (least attacking effort) [115], [116] compliance semi-automatic static subjective
d3-Diversity (avg. attacking effort) [115], [116] non-compliance semi-automatic static subjective
d1-Diversity (% of distinct resources) [115], [116] compliance semi-automatic static subjective
Seclius [118] non-compliance automatic dynamic objective
Damage risk [120] non-compliance automatic static subjective
Mean Privacy [121] non-compliance semi-automatic static subjective
Security Meter [122], [123] non-compliance semi-automatic static subjective
Policy Security Score [124] compliance semi-automatic dynamic subjective
Probabilistic Vulnerability Measure [125] non-compliance semi-automatic dynamic subjective
Attack Propagation [126] non-compliance semi-automatic dynamic subjective
ADVISE [127] compliance semi-automatic static subjective


TABLE VI
EVENTS THAT CAUSE THE ESTIMATED NETWORK SECURITY LEVEL TO BE UPDATED.

Event | Security Metric
Modification of the privilege graph (e.g., new vulnerability, new user, new attack success rate, etc.) | MTTF [70], [71]; METF [72]
Modification of the attack graph (e.g., new vulnerability, new firewall rule, new compromise probabilities, etc.) | Success Likelihood [80]; Shortest Path [83], [10]; Number of Paths [72], [10]; Mean of Path Lengths [95], [10]; Normalized Mean of Path Lengths [10]; Assistive metrics: SDPL, MoPL, MePL [10]
Modification of the number of (compromised) hosts | Network Compromise Percentage [97]
IDS alerts | Success Likelihood [80]; Liu and Man's metric [104]; Poolsappasit and colleagues' metric [107]; Xie and colleagues' metric [108]; Dantu and colleagues' metric [109], [110], [111]; Seclius [118]
CVSS score updates | Frigault and colleagues' metric [106]; Policy Security Score [124]; Probabilistic Vulnerability Measure [125]; Attack Propagation [126]
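The graph-modification events of Tab. VI and the hardening decisions discussed later in this section can be illustrated with the path metrics of [10]. The following is an added example written for this page; it is not code from [10], [97] or any other surveyed work. It computes Shortest Path, Number of Paths and Mean of Path Lengths on a constructed five-vulnerability attack graph (with SDPL, MoPL and MePL read here as the standard deviation, mode and median of the path lengths, which is this example's reading of [10]), applies fired events as local edits to the graph rather than regenerating it, in the spirit of the predictive AG of Lippmann et al. [97], and ranks "patch vulnerability X" hardening options by the metric values they would produce. The hosts, the vulnerability ids, the treatment of parallel vulnerabilities as distinct paths and the tie-breaking order of the ranking are all assumptions of the example.

```python
"""Path metrics on an attack graph, event-driven local updates and hardening
ranking. Added example for illustration; the graph below is constructed."""
from statistics import mean, median, mode, pstdev

START, GOAL = "internet", "db"

# Attack graph as a dictionary: vulnerability id -> (privilege the attacker
# needs, privilege the exploit grants). Constructed; ids are placeholders.
VULNS = {
    "v1": ("internet", "web"),   # remote exploit of the web server
    "v2": ("internet", "app"),   # exposed application API
    "v3": ("web", "app"),        # pivot from the web tier to the app tier
    "v4": ("app", "db"),         # app tier reaches the database
    "v5": ("web", "db"),         # DB credentials readable from the web tier
}


def attack_paths(vulns, start=START, goal=GOAL):
    """All simple attack paths start -> goal, each as a list of vulnerability
    ids. Parallel vulnerabilities between the same hosts give distinct paths."""
    paths = []

    def walk(node, visited, path):
        if node == goal:
            paths.append(path)
            return
        for vid, (src, dst) in vulns.items():
            if src == node and dst not in visited:
                walk(dst, visited | {dst}, path + [vid])

    walk(start, {start}, [])
    return paths


def path_metrics(vulns):
    """Shortest Path, Number of Paths, Mean of Path Lengths and the assistive
    metrics of [10] (read here as std. dev., mode and median of path lengths)."""
    lengths = [len(p) for p in attack_paths(vulns)]
    if not lengths:                      # goal unreachable: no path exists
        return {"number_of_paths": 0}
    return {
        "shortest_path": min(lengths),
        "number_of_paths": len(lengths),
        "mean_path_length": mean(lengths),
        "sdpl": pstdev(lengths),
        "mopl": mode(lengths),
        "mepl": median(lengths),
    }


def apply_event(vulns, event):
    """Apply one fired event by editing only the affected edge, instead of
    regenerating the whole graph (the predictive-AG idea of [97])."""
    kind, vid, *edge = event
    if kind == "new_vulnerability":
        vulns[vid] = (edge[0], edge[1])
    elif kind == "patched":
        vulns.pop(vid, None)
    else:
        raise ValueError(f"unknown event {kind!r}")
    return vulns


def rank_hardening(vulns):
    """Rank 'patch vulnerability X' options: fewest remaining paths first, then
    the longest shortest path, then the longest mean path length (assumed order)."""
    scored = []
    for vid in vulns:
        after = path_metrics({k: v for k, v in vulns.items() if k != vid})
        unreachable = float("inf")       # no path left is the best outcome
        key = (after["number_of_paths"],
               -after.get("shortest_path", unreachable),
               -after.get("mean_path_length", unreachable))
        scored.append((key, vid))
    return [vid for _, vid in sorted(scored)]


if __name__ == "__main__":
    graph = dict(VULNS)
    print("initial:", path_metrics(graph))
    apply_event(graph, ("new_vulnerability", "v6", "internet", "db"))
    print("after new vulnerability v6:", path_metrics(graph))
    apply_event(graph, ("patched", "v1"))
    print("after patching v1:", path_metrics(graph))
    print("hardening ranking on the original graph:", rank_hardening(VULNS))
```

On the constructed graph the attacker has three paths of lengths 2, 2 and 3; adding a direct vulnerability from the Internet to the database shortens the shortest path to 1 without any regeneration, and the ranking shows that patching v1 or v4 removes two of the three paths while patching any other single vulnerability removes only one.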

objective input parameters have been categorized as objective; otherwise they have been regarded as subjective. Tabs. VII and VIII present, respectively, the subjective and objective input parameters of each metric along with the respective source. The disadvantage of subjective parameters is that it may be difficult to determine appropriate values for them, since this requires deep knowledge of the metric model, attacker behavior, and network infrastructure. The definition of these subjective values will, consequently, demand a huge amount of time and effort from the network administrator. Moreover, the estimated security level will vary a lot depending on who chooses the subjective input values. One solution to these problems would be the use of standardized and widely adopted frameworks such as CVSS. The use of CVSS would also make it possible to consistently compare the security of different systems. Moreover, it is possible to automate the computation of security metrics that are based on CVSS, since several online databases maintain CVSS severity scores for numerous existing vulnerabilities. The authors in [134] conduct attack experiments in a real environment in order to study the correlation between several CVSS-based security metrics and the mean time necessary for compromising a network. Although CVSS has some drawbacks, this study shows that security metrics that use more CVSS data are able to estimate the network security level more accurately. Nevertheless, objective input parameters are still preferable, although they might sometimes not be available.

Metric's Additional Features. Additional features of the analyzed security metrics are presented in Tab. IX. These features are described in the following.

Indication of Absolute Security: This feature indicates if the metric scale (alone) allows one to determine whether a network is totally secure. The fact that a metric possesses a value to indicate absolute security only means that, under the considered assumptions, there is a (hypothetical) situation in which systems can be regarded as completely secure. However, in practice, an absolutely secure system is not attainable. Examples of this type of metric are those whose values are probabilities (e.g., the Success Likelihood metric). Security metrics marked as "no" are those that only allow system security to be evaluated from a relative point of view. This evaluation can be done by either comparing different systems or different versions of the same system. Examples of relative security metrics are those whose values are given in time units (e.g., the MTTC metric).

Handling of Zero-Day Attacks: This feature indicates if the security metric takes zero-day attacks into account when computing the network security level. A zero-day attack corresponds to the exploitation of a zero-day vulnerability (i.e., a vulnerability that has not yet been publicly disclosed) [135]. Quantifying network security based on unknown vulnerabilities is at the same time a challenging and an important task. Challenging because, in general, no information about those vulnerabilities is available before the discovery of an attack. Important because the risk imposed by zero-day attacks is very real and seriously affects network security. For example, attacks exploiting zero-day vulnerabilities may remain undetected for a long time. Thus, security metrics that disregard the possible existence of zero-day attacks may not accurately portray the actual security level of a network. In other words, a network may be regarded as being secure while it is in fact susceptible to zero-day attacks.

Despite that, only a few security metrics consider zero-day vulnerabilities. Considering the details provided in Secs. III, IV, and V, the works that handle zero-day attacks can be organized into three groups. The first group refers to the works that use distribution fitting procedures to make predictions about the existence and impact of unknown vulnerabilities. In general, the predictions are based on currently available data about known vulnerabilities. MTTC, Damage Risk, PSS, PVM, and Attack Propagation are included in this group. The second group includes k-zero day safety, d1-, d2-, and d3-diversity. Those metrics assume that zero-day vulnerabilities are already present in every network service. This can be modeled, for example, by including hypothetical zero-day vulnerabilities in attack graphs. Finally, the third group includes MTFF, q, Poolsappasit and colleagues' metric, and Xie and colleagues' metric. Those metrics assume that probability values describing the existence of zero-day attacks (e.g., the leaky parameters described in [108]) can be computed elsewhere and be given as input to the models.

Handling of Vulnerabilities Dependency: This feature indicates if the metric model is capable of taking into account the interdependencies among vulnerabilities. This capability is important because attacks are rarely performed by the exploitation of isolated vulnerabilities, as the empirical analysis conducted in [134] indicates.

Handling of Defensive Actions: This feature indicates if the security metric model takes into account the defensive actions performed by intrusion detection and response mechanisms. Defensive behavior of the system can be either encoded in data captured off-line, or provided during runtime by the deployed


TABLE VII
SOURCE OF SUBJECTIVE PARAMETERS OF THE REVIEWED MODEL-BASED QUANTITATIVE NSMS.

Security Metric | Subjective Parameters and Respective Source
METF [72] | success rates of elementary attacks from security experts
MTSF [40], [73], [74] | attack types and attack steps from network administrator
MTFF [53], [54] | attack types, attack steps, reward and cost values for attackers/defenders from network administrator
MTTC by McQueen et al. [8], [75] | information about vulnerabilities from online databases; information about exploits from metasploit website; attacker skill provided by the authors; predefined constant values given by the authors
MTTC by Leversage et al. [76] | visibility variable provided by security experts; attacker skill rating provided by the authors; other parameters are the same from the model of McQueen et al.
Steady-State Security [40], [73], [74] | attack types and attack steps from network administrator
Success Likelihood [80] | skill level required for executing an attack step from network administrator
Weakest Adversary [96] | comparison relation of initial sets provided by network administrator
State Rank [98] | damping factor provided by network administrator
AGP [88] | exploit conditional probabilities from CVSS or security experts
Attack Resistance [100] | exploit difficulty levels from security experts
Enhanced Cumulative Score [102] | exploit conditional probabilities from CVSS and network administrator
Liu and Man's metric [104] | exploit conditional probabilities and prior probabilities from security experts and online databases
Frigault and Wang's metric [105] | exploit conditional probabilities from CVSS
Frigault and colleagues' metric [106] | exploit conditional probabilities from CVSS
Poolsappasit and colleagues' metric [107] | exploit conditional probabilities from CVSS; prob. of attacker and zero-day vulnerability existence from network administrator
Xie and colleagues' metric [108] | exploit conditional probabilities from CVSS and network administrator; other uncertainty values from network administrator
Dantu and colleagues' metric [109], [110], [111] | attacker profiles and CPTs for each exploit from security experts
Expected Difficulty [112] | exploit difficulty levels from security experts or CVSS
VEA-bility [31] | vulnerability scores from CVSS
k-zero day safety [113], [114] | zero-day exploits equivalence relation from network administrator
d2-Diversity (least attacking effort) [115], [116] | resources similarity function from network administrator
d3-Diversity (avg. attacking effort) [115], [116] | resources similarity function from network administrator
d1-Diversity (% of distinct resources) [115], [116] | resources similarity function from network administrator
Damage risk [120] | vulnerability scores from CVSS; vulnerabilities historical data from online databases
Mean Privacy [121] | attack probability mass functions, attack types and attack steps from network administrator
Security Meter [122], [123] | criticality factor and decision-tree components from network administrator
Policy Security Score [124] | vulnerability scores from CVSS; weights and control parameters of functions from network administrator
Probabilistic Vulnerability Measure [125] | period of time T and probability distribution function from network administrator; expected severity of vulnerabilities and vulnerability scores from vulnerability databases and CVSS
Attack Propagation [126] | protection level of firewalls and node compromise effect from administrator; vulnerability scores from CVSS
ADVISE [127] | network data and adversary's profile from security experts and network administrator
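To make the parameter sources in Tabs. VII and VIII concrete, the following added example (written for this page, not taken from any of the surveyed works) builds a small Bayesian-network attack graph in the style of the BN-based metrics: exploit nodes take their conditional success probability from a CVSS base score (a subjective parameter in the sense of Tab. VII), an IDS node is parameterized by historical false-negative and false-positive rates (an objective parameter in the sense of Tab. VIII), and the probability that the target is compromised is obtained by exact enumeration over the joint distribution, so that the dependency between exploits is honored. Posting an IDS alert as evidence and taking the difference between the updated and the previous value is the "impact of ongoing attacks" computation discussed later in this section. The score/10 mapping, the three CVSS scores, the IDS error rates, the host names and the OR semantics of the goal node are all assumptions of the example.

```python
"""Bayesian-network attack graph with CVSS-derived CPTs and a noisy IDS node.
Added example for illustration; every number below is constructed."""
from itertools import product

# Constructed CVSS base scores of three hypothetical exploits. The survey says
# the BN metrics take exploit conditional probabilities "from CVSS"; the
# score/10 mapping used here is an assumption of this example.
CVSS = {"web_rce": 7.5, "web_privesc": 6.0, "db_exploit": 5.0}

# Constructed IDS error rates for the sensor on the database segment
# (an objective parameter from historical data, cf. Tab. VIII).
IDS_FALSE_NEGATIVE = 0.20
IDS_FALSE_POSITIVE = 0.05


def p_exploit(name, preconditions_hold):
    """P(exploit succeeds | preconditions): CVSS/10 if reachable, else 0."""
    return CVSS[name] / 10.0 if preconditions_hold else 0.0


# Nodes in topological order: (name, parents, cpt). cpt receives the parents'
# truth values as a tuple and returns P(node = True | parents).
BN = [
    ("web_rce",     (),                            lambda ps: p_exploit("web_rce", True)),
    ("web_privesc", ("web_rce",),                  lambda ps: p_exploit("web_privesc", ps[0])),
    ("db_exploit",  ("web_rce",),                  lambda ps: p_exploit("db_exploit", ps[0])),
    # Goal condition, deterministic OR: either branch gives access to the data.
    ("data_stolen", ("web_privesc", "db_exploit"), lambda ps: 1.0 if any(ps) else 0.0),
    # IDS alert on the DB exploit: detection rate vs. false-alarm rate.
    ("ids_alert",   ("db_exploit",),
     lambda ps: 1.0 - IDS_FALSE_NEGATIVE if ps[0] else IDS_FALSE_POSITIVE),
]
NAMES = [name for name, _, _ in BN]


def joint(assign):
    """Probability of one complete truth assignment under the BN."""
    p = 1.0
    for name, parents, cpt in BN:
        p_true = cpt(tuple(assign[q] for q in parents))
        p *= p_true if assign[name] else 1.0 - p_true
    return p


def probability(query, evidence=None):
    """P(query = True | evidence) by enumerating all 2^n assignments.
    Exact and fine for a handful of nodes; exponential in general."""
    evidence = evidence or {}
    num = den = 0.0
    for values in product((False, True), repeat=len(NAMES)):
        assign = dict(zip(NAMES, values))
        if any(assign[k] != v for k, v in evidence.items()):
            continue                     # inconsistent with the evidence
        p = joint(assign)
        den += p                         # P(evidence)
        if assign[query]:
            num += p                     # P(query, evidence)
    return num / den


def attack_impact(query, evidence):
    """Impact of an ongoing attack: updated metric value minus the previous one."""
    return probability(query, evidence) - probability(query)


if __name__ == "__main__":
    before = probability("data_stolen")
    after = probability("data_stolen", {"ids_alert": True})
    print(f"P(data_stolen)             = {before:.3f}")
    print(f"P(data_stolen | IDS alert) = {after:.3f}")
    print(f"impact of the alert        = {after - before:+.3f}")
```

With the constructed numbers the static estimate is P(data_stolen) = 0.60; a single IDS alert on the database segment raises it to about 0.94, and the difference is the impact of the ongoing attack. Because the scale is a probability, the value 0 marks the hypothetical absolutely secure state (conditioning on the entry exploit being absent yields exactly 0), which is the "indication of absolute security" property of Tab. IX. The enumeration makes the exponential cost of BN inference that the open issues mention visible: every additional node doubles the work.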

TABLE VIII
SOURCE OF OBJECTIVE PARAMETERS OF THE REVIEWED MODEL-BASED QUANTITATIVE NSMS.

Security Metric | Objective Parameters and Respective Source
MTTF [70], [71] | success rate of elementary attacks from statistical attack data provided by IDSs
MTSF [40], [73], [74] | probabilities and times of attack steps from honeypots, intrusion experiments, or real attack data
MTFF [53], [54] | accumulated attack steps intensities from honeypots/intrusion experiments; other rates from real data
Steady-State Security [40], [73], [74] | probabilities of attacks and times for attacks from honeypots, intrusion experiments, or real attack data
Reliability [79] | transitions probabilities from empirical data
q [81] | fix/compromise rates from historical data
Cumulative Score [99] | exploit conditional probabilities from empirical data
Xie and colleagues' metric [108] | IDS error rates from historical data
d3-Diversity (avg. attacking effort) [115], [116] | prior and conditional compromise probabilities of resources from historical data
Seclius [118] | IDS error rates from historical data
Security Meter [122], [123] | vulnerability, threat, and countermeasure probabilities from empirical data
Attack Propagation [126] | false negative rate of the IDS from historical data

security mechanisms.

Focus on Critical Assets: This feature indicates if the metric model represents the security level of an entire network by means of the security level of one or more specific target network resources. Security metrics marked as "no" are those in which all network resources exert the same influence on the security level of the network.

Handling of Insider Attacks: This feature indicates if the metric model accounts for the threats posed by insider attacks (i.e., attacks from legitimate users or employees).

Definition of Attacker Profiles: This feature indicates if the security metric is based on attacker profiles (which are usually defined by the respective authors of each metric).

Metric Validation: This feature indicates if the metric has been validated by its respective authors, either through simulation or experiments in real environments. The validation procedure is important because it analyzes how accurately a metric value portrays the security status of a network.

As can be seen in Tab. IX, validation is one of the biggest issues of current security metric proposals. Attack data from real networks (with real attacks) are usually unavailable (due to privacy policies of organizations). Therefore, commonly available validation procedures include network simulation tools and empirical experiments (performed in real environ-


TABLE IX
ADDITIONAL FEATURES OF THE REVIEWED MODEL-BASED QUANTITATIVE NSMS.

Security Metric | Indication of Absolute Security | Handling of Zero-Day Attacks | Handling of Vulnerabs. Dependency | Handling of Defensive Actions | Focus on Critical Assets | Handling of Insider Attacks | Definition of Attacker Profiles | Metric Validation
MTTF [70], [71] no no yes no yes yes no no
METF [72] no no yes no yes yes no yes
MTSF [40], [73], [74] no no yes yes yes no no no
MTFF [53], [54] no yes yes yes yes yes yes no
MTTC by McQueen et al. [8], [75] no yes no no yes no yes no
MTTC by Leversage et al. [76] no yes no no yes no yes no
Steady-State Security [40], [73], [74] yes no yes yes yes no no no
Reliability [79] yes no yes no yes no no no
Success Likelihood [80] yes no yes yes yes no no no
q [81] yes yes yes yes no no no yes
Shortest Path [83], [10] no no yes no yes no no no
Number of Paths [72], [10] yes no yes no yes no no yes
Mean of Path Lengths [95], [10] no no yes no yes no no no
Normalized Mean of Path Lengths [10] no no yes no yes no no no
Assistive metrics: SDPL, MoPL, MePL [10] no no yes no yes no no no
Weakest Adversary [96] no no yes no yes no no no
Network Compromise Percentage [97] yes no yes no no no no no
State Rank [98] yes no yes yes yes no no no
Cumulative Score [99] yes no yes no yes no no no
AGP [88] yes no yes no yes no no no
Attack Resistance [100] no no yes no yes no no no
Enhanced Cumulative Score [102] yes no yes no yes no no yes
Liu and Man’s metric [104] yes no yes yes yes yes no no
Frigault and Wang’s metric [105] yes no yes no yes no no no
Frigault and colleagues’ metric [106] yes no yes no yes no no no
Poolsappasit and colleagues’ metric [107] yes yes yes yes yes no no no
Xie and colleagues’ metric [108] yes yes yes yes yes no no yes
Dantu and colleagues’ metric [109], [110], [111] yes no yes yes yes yes yes no
Expected Difficulty [112] no no no no yes no no no
VEA-bility [31] yes no yes no no no no yes
k-zero day safety [113], [114] no yes yes no yes yes no no
d2-Diversity (least attacking effort) [115], [116] yes yes yes no yes no no yes
d3-Diversity (avg. attacking effort) [115], [116] yes yes yes no yes no no yes
d1-Diversity (% of distinct resources) [115], [116] yes yes no no no no no yes
Seclius [118] yes no yes yes yes no no yes
Damage risk [120] yes yes no no no no no yes
Mean Privacy [121] yes no yes no yes yes no no
Security Meter [122], [123] yes no no yes no no no no
Policy Security Score [124] yes yes no no no no no no
Probabilistic Vulnerability Measure [125] yes yes no no no no no no
Attack Propagation [126] no yes no yes no no no no
ADVISE [127] no no yes yes yes yes yes no

ments but under controlled conditions). However, most of the works analyzed in this survey do not perform any validation procedure to measure the accuracy of their proposed metrics. Instead, they only provide case studies to show how their security metrics could be used. Only a few of the reviewed proposals attempt to validate their metrics through simulations. However, the attacks and network behavior in a simulation environment may diverge excessively from real environments.

Another very small subset of the currently proposed metrics are validated through empirical experiments. In these experiments, while teams of hackers try to breach the system, detailed information about the attacks is collected so that the metrics being evaluated can be validated. These experiments are usually very effective in determining the validity of security metrics. However, they are usually very expensive activities that take a great deal of effort and time (sometimes years) to be accomplished. Such difficulties may hamper the validation process. In addition, the attacker skills and strategies employed in these experiments may also differ from those in real attack scenarios. For these reasons, apart from the efforts of empirical validation works like [134], [72], most of the current quantitative model-based NSMs proposed in the literature have not yet been validated.

Decision-making support. In Sec. I, we have listed four important questions that can be answered by NSMs. In general, answers to these questions help network administrators increase the network security level. In the following, we discuss how the surveyed model-based NSMs can answer these questions.

Which network configuration is the most secure? Answering this question can be regarded as the main objective of all surveyed metrics. Considering that security metrics assign numeric values to different network configurations, they allow a network administrator to objectively compare these configurations and determine which is the most secure.

How to change network configuration in order to improve security? The act of improving network security by making


configuration changes is referred to as network hardening. Network hardening measures include activities such as disabling unnecessary services, blocking unnecessary connectivity, patching known vulnerabilities, deploying new IDSs, among others. An important task of network administrators is to decide which hardening measures should be applied to increase the network security level. The model-based NSMs surveyed in this article are a powerful tool to support this decision, since they can be used to rank different hardening options according to their relative effectiveness. This enables administrators to discard hardening options that do not increase network security or to apply only the most effective ones. Often, administrators have a subset of available hardening options to select from. If this subset is very large (e.g., in large networks), the selection of suitable options can be formulated as an optimization problem. Works in [117], [136] propose algorithms to generate optimal hardening recommendations with respect to a given network security metric.

Is the network achieving its required security level? Considering that it is not possible to provide absolute security for a network, it may suffice to know that the network is secure for a given threshold. Based on a security metric, administrators can use their experience to define a desired network security level. Once such a level is defined, the selected security metric can be used to check whether the underlying network is achieving the required threshold or not.

What is the impact of ongoing attacks? Unlike the previous three questions, this question can only be answered by security metrics that take IDS alerts as input (see Tab. VI). These metrics automatically update the estimated values when a new attack occurs. Hence, the impact of ongoing attacks can be obtained by calculating the difference between the last and the updated metric values.

Other Relevant Questions: It should be noted that the surveyed metrics attempt to estimate the security level by answering a specific question, according to assumptions about attacker and system behavior. Hence, depending on the specific questions an administrator wants answered, he or she might need to use a different metric. For example, to know how much time a system takes to be compromised, the administrator should apply a metric like MTTC. On the other hand, if he or she wants to know the minimum number of vulnerabilities an attacker needs to exploit to compromise a system, then the shortest path metric should be used.

Guidelines on Which Metrics to Use. In general, the selection of suitable security metrics will depend on the requirements of each organization. As previously discussed, knowing which specific questions need to be answered can help a network administrator choose among different available security metrics. Additionally, the several characteristics of the surveyed security metrics discussed in this section (see Tabs. V, VI, VII, VIII, IX) should also be considered. In particular, we highlight the following suggestions:
• Some metrics need input parameters defined (or computed) by security experts or very experienced network administrators (see Tabs. VII, VIII). Moreover, input parameters obtained from experiments in real environments usually take a long time to be computed. Hence, enterprises that do not have security experts available or that need to measure the security level in a timely fashion should not use these metrics. Instead, Seclius, NCP, CVSS-based metrics, or path metrics should be used;
• If an enterprise is interested in metrics that enable more intervention from network administrators, BN-based metrics are a suitable option. This is mainly because CPTs can be used to encode subjective beliefs from administrators along with objective compromise probabilities;
• Organizations interested in measuring security based only on critical assets should use metrics that allow the specification of such assets (see Tab. IX);
• Enterprises that wish to monitor the network security level during operation should consider dynamic security metrics (see Tab. V);
• Organizations with few security employees might prefer automatic metrics rather than semi-automatic metrics.
It should be noted that only a few of the works reviewed in this survey have implemented tools or prototypes to support the use of their proposed metrics. For example, Seclius [119], ADVISE [128], Probabilistic Vulnerability Measure [126], MTTF [72].

B. Open Issues

In the following, open issues regarding model-based quantitative network security metrics are provided.

Process for Obtaining Objective Input Parameters. All objective security metric proposals described in this survey emphasize the need for input parameters based on attack data collected from honeypots, intrusion experiments, or historical data. However, none of these proposals describes a process for effectively obtaining such input parameters for a specific network. In fact, the development of such a process is very much an open issue.

Metrics Aggregation. Security is an abstract concept that is very hard to define and, consequently, to measure. However, the several factors that influence the security of a system provide a tangible source of information that can be used for estimating the amount of security possessed by a system. Hence, security metrics that handle a larger amount of additional information (e.g., zero-day attacks, vulnerability dependency, insider threats, defensive actions) may be able to provide more accurate results. However, current model-based quantitative NSMs are not able to measure overall network security taking into account all of these relevant factors at once. Hence, an interesting future direction would be the development of a scheme for combining several distinct model-based NSMs. This scheme should consider the possible dependencies and conflicts that may arise from the combination of these metrics. The resulting model will most likely be able to provide a more comprehensive and accurate security level estimation.

Objective Definition of Attacker Profiles. Attacker profiles are another valuable source of input information. Indeed, the attack process is one of the factors that most impact system security. The simple existence of a vulnerability does not necessarily imply that a system is compromised. Security will only be affected if the attacker is able to exploit existing vulnerabilities. For


that reason, the network security level directly depends on the attacker profile, i.e., the attacker's skills, motivation, and strategies. However, a sound procedure for objectively deriving profiles based on attackers' characteristics is still an open problem.

Effectiveness of Security Mechanisms as Input. System vulnerabilities largely affect network security and are an inherent part of all networks, including the simplest ones. For that reason, vulnerabilities are the characteristics most used by current model-based quantitative NSMs. However, the effectiveness of security mechanisms, which is an equally important factor that influences network security, is only addressed by a few security metric models. Security mechanisms are important because the greater their effectiveness, the more difficult it will be for a threat to exploit a given vulnerability. Although a few proposals take into account information provided by IDSs, their effectiveness is usually disregarded, as is the effectiveness of other mechanisms (e.g., key management schemes). The development of model-based quantitative NSMs that take such information into account constitutes an interesting future line of investigation.

Biodiversity-Inspired Security Metrics. Diversity is a strong security mechanism used to defend a network against the actions of adversaries. The work proposed by Zhang et al. [115] presents promising results that have provided insights on how to correctly apply diversity to increase network security. Their paper is basically the first work to provide a formal model based on network diversity to quantify security. The success of their work is mainly due to the fact that the security metrics they propose are inspired by biodiversity metrics from the field of ecology. However, the authors have only used a small part of the available biodiversity concepts. Hence, the development of new diversity-based security metrics that borrow other concepts from the ecology literature would provide even more interesting results for the security evaluation field.

Enhanced Stochastic Models. As discussed in Sec. III, another future research direction is the development of an NSM based on a stochastic model which does not assume that the times between attacks are exponentially distributed. Instead, such a model would have to allow the use of a mixture distribution, obtained by combining an exponential distribution with a Pareto distribution, which seems to be more suitable for describing attacker behavior, as discussed in [129]. It would also be interesting to use a state space derived from an attack graph, which can be automatically generated and seems to be a more natural way of describing the attack steps performed by adversaries. This model should also possess the real-time features of dynamic security metrics, such as the handling of attack graph modifications and of IDS alerts. Finally, this model should provide as output a probability value to express the network security level, instead of a time value. This would allow the security of the network to be estimated in an absolute manner, not only in a relative fashion.

Enhanced Bayesian Network-Based Models. Another promising approach for the development of more accurate model-based quantitative NSMs is the use of Bayesian network-based models. Such models are able to handle IDS inputs in order to update the network security level during runtime. Moreover, they are also able to capture the effects of several uncertainties regarding the intrusion process. These uncertainties include the existence of zero-day vulnerabilities, error rates of the IDS, difficulty level of exploits, etc. Therefore, an interesting future work would be to study which additional uncertainties influence security and how these uncertainties could be encoded in the CPTs of the BN nodes. Moreover, the exponential complexity of BN computations is of great concern, especially in very dynamic and large networking environments.

Inclusion of Additional Attack Classes. Most currently available model-based NSMs measure network resilience taking into account traditional attack classes (e.g., buffer overflow, spoofing, denial of service). Therefore, one additional open issue is the development of a security metric model that takes into account other attack classes such as social engineering, physical attacks, exploits of client-side applications, phishing, and user mistakes.

Trustworthiness of Application Data for End Users. Although most security metrics are designed to be used by security administrators, the development of NSMs to inform users about data trustworthiness is an area of considerable future research. This is especially true for specific architectures such as sensor networks [137], whose main goal is to provide reliable sensor data to end users. In this context, the work proposed by Ramos and Holanda Filho [33] is one of the first efforts towards estimating the security level of data from sensor networks. With this information, end users can make informed decisions about the use of the received sensor data. Security metrics of this type would also be valuable for users of other Internet infrastructures such as cloud computing [130] and, especially, the Internet of Things (IoT) [138], whose security has received increasing attention [139].

VII. RELATED WORK AND SUGGESTED READINGS

Additional information regarding the security metrics field in general, or specific types of security metrics, can be found in the papers listed below. In contrast to our survey, these papers focus mostly on qualitative metrics, measurement-based metrics, or security metrics for targets other than networks (i.e., process, software, organization).

• A brief overview of the security metrics field, along with a few examples, is provided by Stolfo et al. [12]. Several examples of security metrics, especially measurement-based metrics, can also be found in [21], [18], [16].
• In [28], Jansen provides future directions regarding promising research areas that should be explored in order to improve the development of security metrics.
• A more detailed overview of the security metrics field is provided by Bayuk and Mostashari [11]. A classification and review of several qualitative, measurement-based, and process security metrics is also provided.
• Pfleeger and Cunningham [140] analyze the security metrics field and discuss several reasons why measuring security is hard. The authors also present several strategies to overcome those difficulties in the development of security metrics.


• Boyer and McQueen [20] propose seven security ideals that should be used to guide the development of new quantitative security metrics.
• A self-assessment framework that helps users determine the measurement-based security metrics that are most appropriate for a specific system or organization is provided by Heinzle and Furnell [19].
• Taxonomies for security metrics are provided by Vaughn et al. [14] and Savola [15]. Those works focus on process, qualitative, quantitative, and measurement-based metrics.
• In [18], Villarrubia et al. propose a metrics classification scheme based on different metric properties. They then use this scheme to classify several measurement-based security metrics that exist in the literature.
• Verendel [16], and Rudolph and Schwarz [17], also propose classification schemes for existing security metrics in the literature. While Verendel focused on quantitative metrics, Rudolph and Schwarz covered both qualitative and quantitative metrics. Both studies provide a comprehensive discussion of the classified metrics and conclude that most of the quantitative metrics in the literature lack validation. Although both of these works also cover model-based quantitative network security metrics in their classification schemes, they do not provide a description of the classified metrics. In contrast, our survey provides an in-depth description of each surveyed metric. Moreover, Verendel only covers works until 2008 and Rudolph and Schwarz only cover works until 2010, while our survey includes more recent papers.
• In [141], Pendleton et al. provide a comprehensive survey on quantitative system security metrics. Their work basically includes software, network, economic, and effectiveness security metrics. Initially, the authors propose a hierarchical ontology in order to classify the surveyed metrics. Then, each metric is briefly described. It should be noted that the authors also cover model-based quantitative network security metrics. However, due to the broad focus of their work, in contrast to our survey, they do not provide explanations of the technical details of each individual metric. Moreover, unlike our survey, they do not provide a comprehensive discussion and comparative analysis of the reviewed metrics.
• A survey of security management in industrial control systems is provided by Knowles et al. [142]. Their survey focuses on security standards, guidelines, and best practices. In contrast to our survey, the security metrics addressed by Knowles et al. are mostly qualitative or measurement-based.
• In the more specific context of control systems, Cherdantseva et al. [143] present a survey of security metrics and risk assessment methods for Supervisory Control and Data Acquisition (SCADA) systems. The authors review qualitative metrics as well as a few quantitative model-based metrics. However, due to their specific focus on metrics for SCADA systems, our survey reviews model-based quantitative security metrics not covered in their paper, including more recent proposals.
• Mellado et al. [23] present a survey on software security metrics. Jaatun [24] evaluates some approaches for measuring software security and makes recommendations regarding the use of security maturity models. Ouchani and Debbabi [25] review the state-of-the-art regarding the security quantification of software modeled using the Unified Modeling Language (UML).
• Nicol et al. [52] survey the main model-based evaluation techniques used to derive system dependability metrics. The authors also discuss how these models and techniques can be adapted in order to measure system security. Since this work only includes metrics until 2004, our survey includes more recent papers.

VIII. CONCLUSION

Model-based quantitative NSMs are essential for the development and maintenance of secure systems, since these metrics are able to quantify the overall resilience of networks against attacks. In this survey, a deep literature review of the state-of-the-art of model-based quantitative NSMs has been presented. Initially, an overview of the security metrics field has been provided, along with a classification scheme. Then, the CVSS framework, which is used as input by several security metric models, has been described. The differences between the security metrics field and other closely related areas have also been described. Then, more specifically in the realm of model-based quantitative NSMs, a comprehensive and detailed review of the main metric proposals has been presented. The main pros and cons of each reviewed work have also been described. Finally, an in-depth discussion on the main properties of the reviewed security metrics has been presented, along with open issues and suggestions for future research directions. This was followed by a discussion of past related work.

Quantifying the overall security of networked systems is a very difficult problem [144], [140]. Consequently, there is some disbelief about the feasibility of security metrics [145], [146]. According to what has been presented in this survey, it is possible to conclude that the field of model-based quantitative NSMs is still in development and much more progress still needs to be made. Although none of the current approaches is totally satisfactory, the value of model-based quantitative NSMs lies in supporting decision-making, rather than in perfectly representing the security level of networks. For that reason, the security metrics that have been proposed over the last few years are of immense practical value. Moreover, the advances that have already been achieved so far show that this area is in constant evolution and that the development of feasible security metrics is indeed possible.

ACKNOWLEDGMENTS

This work has been supported by the Coordination for the Improvement of Higher Education Personnel (CAPES), by National Funding from the FCT - Fundação para a Ciência e a Tecnologia through the UID/EEA/500008/2013 Project, by the Government of the Russian Federation, Grant 074-U01, and by Finep, with resources from Funttel, grant no. 01.14.0231.00, under the Radiocommunication Reference Center (Centro de


Referência em Radiocomunicações, CRR) project of the National Institute of Telecommunications (Instituto Nacional de Telecomunicações, Inatel), Brazil.

APPENDIX

Tab. X lists the abbreviations used throughout this survey.

TABLE X
LIST OF ABBREVIATIONS.

AC      access complexity (CVSS sub-metric)
ADVISE  ADversary VIew Security Evaluation
AEG     attack execution graph
AG      attack graph
AGP     attack graph probabilistic metric
AHVM    aggregated historical vulnerability measure
AP      attack propagation
BN      Bayesian network
CG      compromise graph
CPT     conditional probability table
CTMC    continuous-time Markov chain
CVE     common vulnerabilities and exposures
CVSS    common vulnerability scoring system
DAG     directed acyclic graph
DBN     dynamic Bayesian network
DMZ     demilitarized zone
DTMC    discrete-time Markov chain
ER      expected risk
EVM     existing vulnerability measure
IDS     intrusion detection system
MePL    median of path lengths
METF    mean effort to failure
MoPL    mode of path lengths
MPL     mean of path lengths
MTFF    mean time to first failure
MTSF    mean time to security failure
MTTC    mean time to compromise
MTTF    mean time to failure
NCP     network compromise percentage
NMPL    normalized mean of path lengths
NP      number of paths
NSM     network security metric
NSSA    network security situational awareness
PSS     policy security score
PVM     probabilistic vulnerability measure
SDPL    standard deviation of path length
SLH     success likelihood
SMC     semi-Markov chain
SP      shortest path
VLMC    variable length Markov chain

REFERENCES

[1] S. Hansman and R. Hunt, “A taxonomy of network and computer attacks,” Computers & Security, vol. 24, no. 1, pp. 31–43, Feb 2005.
[2] U. Lindqvist and E. Jonsson, “How to systematically classify computer security intrusions,” in Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on, May 1997, pp. 154–163.
[3] S. Zonouz and P. Haghani, “Cyber-physical security metric inference in smart grid critical infrastructures based on system administrators’ responsive behavior,” Computers & Security, vol. 39, no. PART B, pp. 190–200, Nov 2013.
[4] U. Premaratne, J. Samarabandu, T. Sidhu, R. Beresh, and J. C. Tan, “Security analysis and auditing of iec61850-based automated substations,” IEEE Transactions on Power Delivery, vol. 25, no. 4, pp. 2346–2355, Oct 2010.
[5] M. Bishop, “What is computer security?” IEEE Security & Privacy Magazine, vol. 1, no. 1, pp. 67–69, Jan 2003.
[6] T. F. Lunt, “A survey of intrusion detection techniques,” Computers & Security, vol. 12, no. 4, pp. 405–418, Jun 1993.
[7] A. Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley Professional, 2007.
[8] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel, “Time-to-Compromise Model for Cyber Risk Reduction Estimation,” in Quality of Protection Workshop at ESORICS 2005, the flagship European Symposium on Research in Computer Security. Boston, MA: Springer US, 2005, pp. 49–64.
[9] S. Jajodia, “Topological analysis of network attack vulnerability,” in Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, ser. ASIACCS ’07. New York, NY, USA: ACM, 2007, pp. 2–2.
[10] N. Idika and B. Bhargava, “Extending attack graph-based security metrics and aggregating their application,” IEEE Transactions on Dependable and Secure Computing, vol. 9, no. 1, pp. 75–85, 2012.
[11] J. L. Bayuk, “Security as a theoretical attribute construct,” Computers & Security, vol. 37, pp. 155–175, Sep 2013.
[12] S. Stolfo, S. M. Bellovin, and D. Evans, “Measuring security,” IEEE Security Privacy, vol. 9, no. 3, pp. 60–65, May 2011.
[13] A. Hecker, “On system security metrics and the definition approaches,” in 2008 Second International Conference on Emerging Security Information, Systems and Technologies, Aug 2008, pp. 412–419.
[14] R. B. Vaughn, R. Henning, and A. Siraj, “Information assurance measures and metrics - state of practice and proposed taxonomy,” in System Sciences, 2003. Proceedings of the 36th Annual Hawaii International Conference on, Jan 2003, p. 10 pp.
[15] R. Savola, “Towards a security metrics taxonomy for the information and communication technology industry,” in Proceedings of the International Conference on Software Engineering Advances, ser. ICSEA ’07. Washington, DC, USA: IEEE Computer Society, 2007, pp. 60–66.
[16] V. Verendel, “Quantified security is a weak hypothesis: A critical survey of results and assumptions,” in Proceedings of the 2009 Workshop on New Security Paradigms Workshop, ser. NSPW ’09. New York, NY, USA: ACM, 2009, pp. 37–50.
[17] M. Rudolph and R. Schwarz, “A critical survey of security indicator approaches,” in Availability, Reliability and Security (ARES), 2012 Seventh International Conference on, Aug 2012, pp. 291–300.
[18] C. Villarrubia, E. Fernández-Medina, and P. Mario, “Towards a Classification of Security Metrics,” in Proceedings of the 2nd international workshop on security in information systems (WOSIS 2004). In conjunction with ICEIS, Porto, Portugal, 2004, pp. 342–350.
[19] B. Heinzle and S. Furnell, “Assessing the Feasibility of Security Metrics,” in Proceedings of the 10th International Conference on Trust, Privacy, and Security in Digital Business (TRUSTBUS’13), 2013.
[20] W. Boyer and M. McQueen, “Ideal Based Cyber Security Technical Metrics for Control Systems,” in Proceedings of the 9th International Conference on Critical Information Infrastructures Security (CRITIS’07), 2007.
[21] E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown, and W. Robinson, “Security Metrics Guide for Information Technology Systems, NIST Special Publication 800-55 Revision 1,” National Institute of Standards and Technology (NIST), Tech. Rep., 2008.
[22] S. C. Payne, “A Guide to Security Metrics,” SANS Institute, Tech. Rep., 2006.
[23] D. Mellado, E. Fernández-Medina, and M. Piattini, “A comparison of software design security metrics,” in Proceedings of the Fourth European Conference on Software Architecture: Companion Volume, ser. ECSA ’10. New York, NY, USA: ACM, 2010, pp. 236–242.
[24] M. G. Jaatun, “Hunting for Aardvarks: Can Software Security Be Measured?” in IFIP WG 8.4, 8.9/TC 5 International Cross-Domain Conference and Workshop on Availability, Reliability, and Security, CD-ARES 2012, 2012.
[25] S. Ouchani and M. Debbabi, “Specification, verification, and quantification of security in model-based systems,” Computing, vol. 97, no. 7, pp. 691–711, Jul 2015.
[26] R. Böhme and T. Nowey, “Economic Security Metrics,” in Dependability Metrics, I. Eusgeld, F. C. Freiling, and R. Reussner, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 176–187.
[27] P. Mell, K. Scarfone, and S. Romanosky, “Common vulnerability scoring system,” IEEE Security Privacy, vol. 4, no. 6, pp. 85–89, Nov 2006.
[28] W. Jansen, “Directions in Security Metrics Research, NISTIR 7564,” U.S. National Institute of Standards and Technology, Tech. Rep., 2009.
[29] R. Böhme and F. C. Freiling, “On Metrics and Measurements,” in Dependability Metrics, I. Eusgeld, F. C. Freiling, and R. Reussner, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 7–13.


[30] ISO/IEC, “Information technology - systems security engineering - capability maturity model (SSE-CMM), ISO/IEC 21827,” Geneva, Switzerland, p. 132, 2002.
[31] M. Tupper and A. N. Zincir-Heywood, “VEA-bility Security Metric: A Network Security Analysis Tool,” 2008 Third International Conference on Availability, Reliability and Security, pp. 950–957, Mar 2008.
[32] P. K. Manadhata and J. M. Wing, “An Attack Surface Metric,” IEEE Transactions on Software Engineering, vol. 37, no. 3, pp. 371–386, May 2011.
[33] A. Ramos and R. Filho, “Sensor Data Security Level Estimation Scheme for Wireless Sensor Networks,” Sensors, vol. 15, no. 1, pp. 2104–2136, Jan 2015.
[34] A. Ramos, M. Lazar, R. Holanda Filho, and J. J. P. C. Rodrigues, “A Security Metric for the Evaluation of Collaborative Intrusion Detection Systems in Wireless Sensor Networks,” in IEEE International Conference on Communications (Accepted for publication), 2017.
[35] A. Ramos, B. Aquino, R. Holanda Filho, and J. J. P. C. Rodrigues, “Quantifying Node Security in Wireless Sensor Networks under Worm Attacks,” in Brazilian Symposium of Computer Networks (Accepted for publication), 2017.
[36] M. Whaiduzzaman and A. Gani, “Measuring security for cloud service provider: A third party approach,” in Electrical Information and Communication Technology (EICT), 2013 International Conference on, Feb 2014, pp. 1–6.
[37] Q. Duan, Y. Wang, F. Mohsen, and E. Al-Shaer, “Private and anonymous data storage and distribution in cloud,” in Services Computing (SCC), 2013 IEEE International Conference on, June 2013, pp. 264–271.
[38] D. S. Herrmann, Complete Guide to Security and Privacy Metrics: Measuring Regulatory Compliance, Operational Resilience, and ROI. Auerbach Publication, 2007.
[39] G. Gu, P. Fogla, D. Dagon, W. Lee, and B. Skorić, “Measuring intrusion detection capability: An information-theoretic approach,” in Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ser. ASIACCS ’06. New York, NY, USA: ACM, 2006, pp. 90–101.
[40] J. Almasizadeh and M. A. Azgomi, “A stochastic model of attack process for the evaluation of security metrics,” Computer Networks, vol. 57, no. 10, pp. 2159–2180, Jul 2013.
[41] A. Xie, W. Wen, L. Zhang, J. Hu, and Z. Chen, “Applying Attack Graphs to Network Security Metric,” in 2009 International Conference on Multimedia Information Networking and Security, vol. 1. IEEE, 2009, pp. 427–431.
[42] M. S. Merkow and J. Breithaupt, Computer security assurance, using the common criteria. Clifton Park, NY: Thomson Delmar Learning, 2005.
[43] K. Solic, H. Ocevcic, and M. Golub, “The information systems’ security level assessment model based on an ontology and evidential reasoning approach,” Computers & Security, vol. 55, pp. 100–112, Nov 2015.
[44] Z. Benenson, U. Kühn, and S. Lucks, “Cryptographic Attack Metrics,” in Dependability Metrics, I. Eusgeld, F. C. Freiling, and R. Reussner, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2008, pp. 133–156.
[45] NIST (National Institute of Standards and Technology), “National Vulnerability Database.” [Online]. Available: https://nvd.nist.gov/
[46] FIRST, “Common Vulnerability Scoring System v3.0: Specification Document,” 2015.
[47] P. Mell, K. Scarfone, and S. Romanosky, “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” 2007.
[48] K. Scarfone and P. Mell, “An analysis of cvss version 2 vulnerability scoring,” in 2009 3rd International Symposium on Empirical Software Engineering and Measurement, Oct 2009, pp. 516–525.
[49] A. Avizienis, J.-C. Laprie, and B. Randell, “Fundamental concepts of dependability,” LAAS-CNRS N01145, Tech. Rep., 2001.
[50] Y. Bo, Y. Lin, and M. L. Ru, “Quality of protection in web service: An overview,” in Instrumentation, Measurement, Computer, Communication and Control, 2011 First International Conference on, Oct 2011, pp. 495–498.
[51] L. Jibao, W. Huiqiang, and Z. Liang, “Study of network security situation awareness model based on simple additive weight and grey theory,” in 2006 International Conference on Computational Intelligence and Security, vol. 2, Nov 2006, pp. 1545–1548.
[52] D. Nicol, W. Sanders, and K. Trivedi, “Model-based evaluation: from dependability to security,” IEEE Transactions on Dependable and Secure Computing, vol. 1, no. 1, pp. 48–65, Jan 2004.
[53] K. Sallhammar, B. E. Helvik, and S. J. Knapskog, “On Stochastic Modeling for Integrated Security and Dependability Evaluation,” Journal of Networks, vol. 1, no. 5, Oct 2006.
[54] ——, “Towards a stochastic model for integrated security and dependability evaluation,” in First International Conference on Availability, Reliability and Security (ARES’06), April 2006, p. 8 pp.
[55] M. Al-Kuwaiti, N. Kyriakopoulos, and S. Hussein, “A comparative analysis of network dependability, fault-tolerance, reliability, security, and survivability,” IEEE Communications Surveys Tutorials, vol. 11, no. 2, pp. 106–124, 2009.
[56] S. N. Foley, S. Bistarelli, B. O’Sullivan, J. Herbert, and G. Swart, “Multilevel security and quality of protection,” in Quality of Protection Workshop at ESORICS 2005, the flagship European Symposium on Research in Computer Security. Boston, MA: Springer US, 2005, pp. 93–105.
[57] C. S. Ong, K. Nahrstedt, and W. Yuan, “Quality of protection for mobile multimedia applications,” in Multimedia and Expo, 2003. ICME ’03. Proceedings. 2003 International Conference on, vol. 2, July 2003, pp. II–137–40 vol.2.
[58] B. Ksiezopolski, “QoP-ML: Quality of protection modelling language for cryptographic protocols,” Computers & Security, vol. 31, no. 4, pp. 569–596, Jun 2012.
[59] H. Zhu, K. H. Liu, W. He, and K. Ota, “Quality of experience and quality of protection provisions in emerging mobile networks [guest editorial],” IEEE Wireless Communications, vol. 22, no. 4, pp. 8–9, August 2015.
[60] J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, and L. Stewart, “HTTP Authentication: Basic and Digest Access Authentication.” Internet RFC 2617, 1999.
[61] T. Moses, “Web Services Security Quality of Protection,” 2002. [Online]. Available: http://xml.coverpages.org/ni2002-09-21-a.html
[62] G. Karjoth, B. Pfitzmann, M. Schunter, and M. Waidner, “Service-oriented Assurance Comprehensive Security by Explicit Assurances,” in Quality of Protection, D. Gollmann, F. Massacci, and A. Yautsiukhin, Eds. Boston, MA: Springer US, 2006, pp. 13–24.
[63] O. Gerstel and G. H. Sasaki, “Quality of protection (QoP): a quantitative unifying paradigm to protection service grades,” in Proc. SPIE 4599, OptiComm 2001: Optical Networking and Communications, Aug 2001, p. 12.
[64] “First Workshop on Quality of Protection,” 2005. [Online]. Available: http://disi.unitn.it/ qop/QoP2008/index.htm
[65] H. Shiravi, A. Shiravi, and A. A. Ghorbani, “A survey of visualization systems for network security,” IEEE Transactions on Visualization and Computer Graphics, vol. 18, no. 8, pp. 1313–1329, Aug 2012.
[66] X. Yin, W. Yurcik, Y. Li, K. Lakkaraju, and C. Abad, “Visflowconnect: providing security situational awareness by visualizing network traffic flows,” in Performance, Computing, and Communications, 2004 IEEE International Conference on, 2004, pp. 601–607.
[67] F. Lan, W. Chunlei, and M. Guoqing, “A framework for network security situation awareness based on knowledge discovery,” in 2010 2nd International Conference on Computer Engineering and Technology, vol. 1, April 2010, pp. V1–226–V1–231.
[68] O. Littlewood and J. Dobson, “Towards Operational Measures of Computer Security,” Journal of Computer Security, vol. 2, no. 3, pp. 211–229, 1993.
[69] E. Jonsson and T. Olovsson, “A quantitative model of the security intrusion process based on attacker behavior,” IEEE Transactions on Software Engineering, vol. 23, no. 4, pp. 1–11, 1997.
[70] M. Dacier, Y. Deswarte, and M. Kaâniche, Information Systems Security: Facing the information society of the 21st century. Boston, MA: Springer US, 1996, ch. Models and tools for quantitative assessment of operational security, pp. 177–186.
[71] M. Dacier, Y. Deswarte, and M. Kaâniche, “Quantitative Assessment of Operational Security: Models and Tools,” LAAS 96493, Tech. Rep., 1996.
[72] R. Ortalo, Y. Deswarte, and M. Kaaniche, “Experimenting with Quantitative Evaluation Tools for Operational Security,” IEEE Transactions on Software Engineering, vol. 25, no. 5, pp. 633–650, 1999.
[73] J. Almasizadeh and M. A. Azgomi, “A Method for Estimation of the Success Probability of an Intrusion Process by Considering the Temporal Aspects of the Attacker Behavior,” in Transactions on Computational Science IV, 2009, pp. 200–214.
[74] ——, “Intrusion Process Modeling for Security Quantification,” in 2009 International Conference on Availability, Reliability and Security. IEEE, 2009, pp. 114–121.
[75] M. A. McQueen, W. F. Boyer, M. A. Flynn, and G. A. Beitel, “Quantitative cyber risk reduction estimation methodology for a small


scada control system,” in Proceedings of the 39th Annual Hawaii International Conference on System Sciences - Volume 09, ser. HICSS ’06. Washington, DC, USA: IEEE Computer Society, 2006, pp. 226–.
[76] D. J. Leversage and E. J. Byres, “Estimating a System’s Mean Time-to-Compromise,” IEEE Security & Privacy Magazine, vol. 6, no. 1, pp. 52–60, 2008.
[77] N. Paulauskas and E. Garsva, “Attacker skill level distribution estimation in the system mean time-to-compromise,” in Information Technology, 2008. IT 2008. 1st International Conference on, May 2008, pp. 1–4.
[78] S. M. Abraham, “Estimating mean time to compromise using non-homogenous continuous-time markov models,” in 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), vol. 2, June 2016, pp. 467–472.
[79] S. Jha, O. Sheyner, and J. Wing, “Two formal analyses of attack graphs,” in Proceedings of the 15th IEEE Workshop on Computer Security Foundations, ser. CSFW ’02. Washington, DC, USA: IEEE Computer Society, 2002, pp. 49–.
[80] W. Kanoun, S. Dubus, S. Papillon, N. Cuppens-Boulahia, and F. Cuppens, “Towards Dynamic Risk Management: Success Likelihood of

in Proceedings of the 2nd ACM workshop on Quality of protection - QoP ’06. ACM Press, 2006, p. 31.
[97] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, “Validating and restoring defense in depth using attack graphs,” in Military Communications Conference, 2006. MILCOM 2006. IEEE, Oct 2006, pp. 1–10.
[98] V. Mehta, C. Bartzis, H. Zhu, E. Clarke, and J. Wing, “Ranking attack graphs,” in Proceedings of the 9th International Conference on Recent Advances in Intrusion Detection, ser. RAID’06. Berlin, Heidelberg: Springer-Verlag, 2006, pp. 127–144.
[99] S. Noel, S. Jajodia, L. Wang, and A. Singhal, “Measuring Security Risk of Networks Using Attack Graphs,” International Journal of Next Generation Computing, vol. 1, no. 1, pp. 135–147, 2010.
[100] L. Wang, A. Singhal, and S. Jajodia, “Measuring the overall security of network configurations using attack graphs,” in Proceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security. Springer-Verlag, Jul 2007, pp. 98–112.
[101] ——, “Toward measuring network security using attack graphs,” in Proceedings of the 2007 ACM Workshop on Quality of Protection, ser. QoP ’07. New York, NY, USA: ACM, 2007, pp. 49–54.
Ongoing Attacks,” Bell Labs Technical Journal, vol. 17, no. 3, pp. [102] J. Homer, S. Zhang, X. Ou, D. Schmidt, Y. Du, S. R. Rajagopalan, and
61–78, dec 2012. A. Singhal, “Aggregating vulnerability metrics in enterprise networks
[81] X. Li, P. Parker, and S. Xu, “A Stochastic Model for Quantitative using attack graphs,” Journal of Computer Security, vol. 21, no. 4, pp.
Security Analyses of Networked Systems,” IEEE Transactions on 561–597, jul 2013.
Dependable and Secure Computing, vol. 8, no. 1, pp. 28–43, jan 2011. [103] V. Mihajlovic and M. Petkovic, “Dynamic bayesian networks: A state
[82] M. Xu and S. Xu, “An Extended Stochastic Model for Quantitative Se- of the art, TR-CTI,” University of Twente, Centre for Telematics and
curity Analysis of Networked Systems,” Internet Mathematics, vol. 8, Information Technology, Tech. Rep., 2001.
no. 3, pp. 288–320, aug 2012. [104] Y. Liu and H. Man, “Network vulnerability assessment using bayesian
[83] C. Phillips and L. P. Swiler, “A graph-based system for network- networks,” in Data Mining, Intrusion Detection, Information Assur-
vulnerability analysis,” in Proceedings of the 1998 Workshop on New ance, and Data Networks Security 2005, ser. Proc. SPIE, vol. 5812,
Security Paradigms, ser. NSPW ’98. New York, NY, USA: ACM, Mar 2005, pp. 61–71.
1998, pp. 71–79. [105] M. Frigault and L. Wang, “Measuring network security using bayesian
[84] X. Ou, S. Govindavajhala, and A. W. Appel, “Mulval: A logic-based network-based attack graphs,” in Computer Software and Applications,
network security analyzer,” in Proceedings of the 14th Conference on 2008. COMPSAC ’08. 32nd Annual IEEE International, July 2008, pp.
USENIX Security Symposium - Volume 14, ser. SSYM’05. Berkeley, 698–703.
CA, USA: USENIX Association, 2005, pp. 8–8. [106] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, “Measuring network
security using dynamic bayesian network,” in Proceedings of the 4th
[85] Nessus, “The Nessus Security Scanner.” [Online]. Available:
ACM Workshop on Quality of Protection, ser. QoP ’08. New York,
http://www.nessus.org
NY, USA: ACM, 2008, pp. 23–30.
[86] G. Vigna and R. A. Kemmerer, “Netstat: A network-based intrusion
[107] N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic Security Risk
detection system,” J. Comput. Secur., vol. 7, no. 1, pp. 37–71, Jan.
Management Using Bayesian Attack Graphs,” IEEE Transactions on
1999.
Dependable and Secure Computing, vol. 9, no. 1, pp. 61–74, jan 2012.
[87] S. Noel and S. Jajodia, “Managing attack graph complexity through [108] P. Xie, J. H. Li, X. Ou, P. Liu, and R. Levy, “Using bayesian networks
visual hierarchical aggregation,” in Proceedings of the 2004 ACM for cyber security analysis,” in Dependable Systems and Networks
Workshop on Visualization and Data Mining for Computer Security, (DSN), 2010 IEEE/IFIP International Conference on, June 2010, pp.
ser. VizSEC/DMSEC ’04. New York, NY, USA: ACM, 2004, pp. 211–220.
109–118. [109] R. Dantu, P. Kolan, and J. Cangussu, “Network risk management
[88] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, “An attack using attacker profiling,” Security and Communication Networks, vol. 2,
graph-based probabilistic security metric,” in Proceeedings of the 22Nd no. 1, pp. 83–96, jan 2009.
Annual IFIP WG 11.3 Working Conference on Data and Applications [110] R. Dantu and P. Kolan, Risk Management Using Behavior Based
Security. Berlin, Heidelberg: Springer-Verlag, 2008, pp. 283–296. Bayesian Networks. Berlin, Heidelberg: Springer Berlin Heidelberg,
[89] O. Sheyner, J. Haines, S. Jha, R. Lippmann, and J. M. Wing, “Au- 2005, pp. 115–126.
tomated generation and analysis of attack graphs,” in Security and [111] R. Dantu, K. Loper, and P. Kolan, “Risk management using behavior
Privacy, 2002. Proceedings. 2002 IEEE Symposium on, 2002, pp. 273– based attack graphs,” in Information Technology: Coding and Com-
284. puting, 2004. Proceedings. ITCC 2004. International Conference on,
[90] R. W. Ritchey and P. Ammann, “Using model checking to analyze vol. 1, April 2004, pp. 445–449.
network vulnerabilities,” in Security and Privacy, 2000. S P 2000. [112] S. Ghosh and P. Bhattacharya, “Analytical framework for measuring
Proceedings. 2000 IEEE Symposium on, 2000, pp. 156–165. network security using exploit dependency graph,” IET Information
[91] P. Ammann, D. Wijesekera, and S. Kaushik, “Scalable, graph-based Security, vol. 6, no. 4, pp. 264–270, dec 2012.
network vulnerability analysis,” in Proceedings of the 9th ACM Confer- [113] L. Wang, S. Jajodia, A. Singhal, P. Cheng, and S. Noel, “k-Zero
ence on Computer and Communications Security, ser. CCS ’02. New Day Safety: A Network Security Metric for Measuring the Risk of
York, NY, USA: ACM, 2002, pp. 217–224. Unknown Vulnerabilities,” IEEE Transactions on Dependable and
[92] R. P. Lippmann and K. W. Ingols, “An annotated review of past Secure Computing, vol. 11, no. 1, pp. 30–44, jan 2014.
papers on attack graphs, ESC-TR-2005-054.” MIT Lincoln laboratory, [114] L. Wang, S. Jajodia, A. Singhal, and S. Noel, “K-zero day safety:
Lexington, MA, Tech. Rep., 2005. Measuring the security risk of networks against unknown attacks,”
[93] V. Shandilya, C. B. Simmons, and S. Shiva, “Use of Attack Graphs in Proceedings of the 15th European Conference on Research in
in Security Systems,” Journal of Computer Networks and Communi- Computer Security, ser. ESORICS’10. Berlin, Heidelberg: Springer-
cations, vol. 2014, pp. 1–13, 2014. Verlag, 2010, pp. 573–587.
[94] M. Barik, A. Sengupta, and C. Mazumdar, “Attack graph generation [115] M. Zhang, L. Wang, S. Jajodia, A. Singhal, and A. Massimiliano,
and analysis techniques,” Defence Science Journal, vol. 66, no. 6, pp. “Network Diversity: A Security Metric for Evaluating the Resilience
559–567, 2016. of Networks against Zero-Day Attacks,” IEEE Transactions on Infor-
[95] W. Li and R. Vaughn, “Cluster security research involving the mod- mation Forensics and Security, vol. PP, no. 99, pp. 1–1, 2016.
eling of network exploitations using exploitation graphs,” in Cluster [116] L. Wang, M. Zhang, S. Jajodia, A. Singhal, and M. Albanese, “Mod-
Computing and the Grid, 2006. CCGRID 06. Sixth IEEE International eling Network Diversity for Evaluating the Robustness of Networks
Symposium on, vol. 2, May 2006, pp. 26–26. against Zero-Day Attacks,” in Proceedings of the 19th European
[96] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, “A weakest- Symposium on Research in Computer Security. Wroclaw, Poland:
adversary security metric for network configuration security analysis,” Springer International Publishing, 2014, pp. 494–511.

1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2017.2745505, IEEE
Communications Surveys & Tutorials
IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. XX, NO. X, , XXXXX QUARTER 2017 30

[117] D. Borbor, L. Wang, S. Jajodia, and A. Singhal, “Diversifying Net- [137] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A
work Services Under Cost Constraints for Better Resilience Against survey on sensor networks,” IEEE Communications Magazine, vol. 40,
Unknown Attacks,” in 30th Annual IFIP WG 11.3 Conference, DBSec. no. 8, pp. 102–114, Aug 2002.
Trento: Springer International Publishing, 2016, pp. 295–312. [138] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, and
[118] S. A. Zonouz, R. Berthier, H. Khurana, W. H. Sanders, and T. Yardley, M. Ayyash, “Internet of things: A survey on enabling technologies,
“Seclius: An Information Flow-Based, Consequence-Centric Security protocols, and applications,” IEEE Communications Surveys Tutorials,
Metric,” IEEE Transactions on Parallel and Distributed Systems, vol. 17, no. 4, pp. 2347–2376, Fourthquarter 2015.
vol. 26, no. 2, pp. 562–573, feb 2015. [139] J. Granjal, E. Monteiro, and J. S. Silva, “Security for the internet
[119] C. Vellaithurai, A. Srivastava, S. Zonouz, and R. Berthier, “Cpin- of things: A survey of existing protocols and open research issues,”
dex: Cyber-physical vulnerability assessment for power-grid infrastruc- IEEE Communications Surveys Tutorials, vol. 17, no. 3, pp. 1294–
tures,” IEEE Transactions on Smart Grid, vol. 6, no. 2, pp. 566–575, 1312, 2015.
March 2015. [140] S. Pfleeger and R. Cunningham, “Why measuring security is hard,”
[120] A. Chatzipoulidis, D. Michalopoulos, and I. Mavridis, “Information IEEE Security Privacy, vol. 8, no. 4, pp. 46–54, July 2010.
infrastructure risk prediction through platform vulnerability analysis,” [141] M. Pendleton, R. Garcia-Lebron, J.-H. Cho, and S. Xu, “A survey
Journal of Systems and Software, vol. 106, no. C, pp. 28–41, aug 2015. on systems security metrics,” ACM Comput. Surv., vol. 49, no. 4, pp.
[121] J. Almasizadeh and M. Abdollahi Azgomi, “Mean privacy: A metric 62:1–62:35, Dec. 2016.
for security of computer systems,” Computer Communications, vol. 52, [142] W. Knowles, D. Prince, D. Hutchison, J. F. P. Disso, and K. Jones, “A
pp. 47–59, oct 2013. survey of cyber security management in industrial control systems,”
[122] M. Sahinoglu, “Security meter: A practical decision-tree model to International Journal of Critical Infrastructure Protection, vol. 9,
quantify risk,” IEEE Security and Privacy, vol. 3, no. 3, pp. 18–24, no. C, pp. 52–80, jun 2015.
2005. [143] Y. Cherdantseva, P. Burnap, A. Blyth, P. Eden, K. Jones, H. Soulsby,
[123] ——, “An input-output measurable design for the security meter model and K. Stoddart, “A review of cyber security risk assessment methods
to quantify and manage software security risk,” IEEE Transactions on for SCADA systems,” Computers & Security, vol. 56, pp. 1–27, 2016.
Instrumentation and Measurement, vol. 57, no. 6, pp. 1251–1260, 2008. [144] Computing Research Association (CRA), “Four Grand Challenges
[124] M. Abedin, S. Nessa, E. Al-Shaer, and L. Khan, “Vulnerability analysis in Trustworthy Computing,” Tech. Rep., 2003. [Online]. Available:
for evaluating quality of protection of security policies,” in Proceedings http://archive.cra.org/reports/trustworthy.computing.pdf
of the 2Nd ACM Workshop on Quality of Protection, ser. QoP ’06. New [145] J. McHugh, “Quality of protection: Measuring the unmeasurable?” in
York, NY, USA: ACM, 2006, pp. 49–52. Proceedings of the 2Nd ACM Workshop on Quality of Protection, ser.
[125] M. S. Ahmed, E. Al-Shaer, and L. Khan, “A novel quantitative QoP ’06. New York, NY, USA: ACM, 2006, pp. 1–2.
approach for measuring network security,” in INFOCOM 2008. The [146] S. M. Bellovin, “On the brittleness of software and the infeasibility of
27th Conference on Computer Communications. IEEE, April 2008, pp. security metrics,” IEEE Security Privacy, vol. 4, no. 4, pp. 96–96, July
1957–1965. 2006.
[126] M. S. Ahmed, E. Al-Shaer, M. Taibah, and L. Khan, “Objective Risk
Evaluation for Automated Security Management,” Journal of Network
and Systems Management, vol. 19, no. 3, pp. 343–366, sep 2011.
[127] E. LeMay, M. D. Ford, K. Keefe, W. H. Sanders, and C. Muehrcke,
“Model-based Security Metrics Using ADversary VIew Security Eval-
uation (ADVISE),” in 2011 Eighth International Conference on Quan-
titative Evaluation of SysTems. IEEE, sep 2011, pp. 191–200.
[128] M. D. Ford, K. Keefe, E. LeMay, W. H. Sanders, and C. Muehrcke,
“Implementing the advise security modeling formalism in mobius,” in
2013 43rd Annual IEEE/IFIP International Conference on Dependable
Systems and Networks (DSN), June 2013, pp. 1–8.
[129] M. Kaaniche, E. Alata, V. Nicomette, Y. Deswarte, and M. Dacier,
“Empirical analysis and statistical modeling of attack processes based
on honeypots,” in IEEE/IFIP International Conference on Dependable
Systems and Networks (DSN-2006), 2006, pp. 119–124.
[130] B. P. Rimal, E. Choi, and I. Lumb, “A taxonomy and survey of cloud
computing systems,” in INC, IMS and IDC, 2009. NCM ’09. Fifth
International Joint Conference on, Aug 2009, pp. 44–51.
[131] B. B. Madan, K. Gogeva-Popstojanova, K. Vaidyanathan, and K. S.
Trivedi, “Modeling and quantification of security attributes of software
systems,” in Dependable Systems and Networks, 2002. DSN 2002.
Proceedings. International Conference on, 2002, pp. 505–514.
[132] B. B. Madan, K. Goševa-Popstojanova, K. Vaidyanathan, and K. S.
Trivedi, “A method for modeling and quantifying the security attributes
of intrusion tolerant systems,” Perform. Eval., vol. 56, no. 1-4, pp. 167–
186, Mar. 2004.
[133] F. Wang, F. Jou, F. Gong, C. Sargor, K. Goseva-Popstojanova, and
K. Trivedi, “Sitar: a scalable intrusion-tolerant architecture for dis-
tributed services,” in Foundations of Intrusion Tolerant Systems, 2003
[Organically Assured and Survivable Information Systems], 2003, pp.
359–367.
[134] H. Holm, M. Ekstedt, and D. Andersson, “Empirical Analysis of
System-Level Vulnerability Metrics through Actual Attacks,” IEEE
Transactions on Dependable and Secure Computing, vol. 9, no. 6, pp.
825–837, nov 2012.
[135] L. Bilge and T. Dumitras, “Before we knew it: An empirical study of
zero-day attacks in the real world,” in Proceedings of the 2012 ACM
Conference on Computer and Communications Security, ser. CCS ’12.
ACM, 2012, pp. 833–844.
[136] N. C. Idika, B. H. Marshall, and B. K. Bhargava, “Maximizing network
security given a limited budget,” in The Fifth Richard Tapia Celebration
of Diversity in Computing Conference: Intellect, Initiatives, Insight, and
Innovations, ser. TAPIA ’09. New York, NY, USA: ACM, 2009, pp.
12–17.

1553-877X (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

You might also like