Experimenting with Quantitative Evaluation
Abstract: This paper presents the results of an experiment in security
evaluation. The system is modeled as a privilege graph that exhibits
its security vulnerabilities. Quantitative measures that estimate the
effort an attacker might expend to exploit these vulnerabilities to
defeat the system security objectives are proposed. A set of tools has
been developed to compute such measures and has been used in an
experiment to monitor a large real system for nearly two years. The
experimental results are presented and the validity of the measures is
discussed. Finally, the practical usefulness of such tools for
operational security monitoring is shown and

Keywords: computer security, metrics, quantitative assessment, privilege graphs, attack graphs