Measuring the overall network security by combining CVSS scores based on attack graphs and Bayesian networks


Abstract

Given the increasing dependence of our societies on networked information systems, the overall security of these systems should be measured and improved. This chapter examines several approaches to combining the CVSS scores of individual vulnerabilities into an overall measure for network security. First, we convert CVSS base scores into probabilities and then propagate such probabilities along attack paths in an attack graph in order to obtain an overall metric, while giving special consideration to cycles in the attack graph. Second, we show that the previous approach implicitly assumes the metric values of individual vulnerabilities to be independent, and we remove such an assumption by representing the attack graph and its assigned probabilities as a Bayesian network and then derive the overall metric value through Bayesian inferences. Finally, to address the evolving nature of vulnerabilities, we extend the previous model to dynamic Bayesian networks such that we can make inferences about the security of dynamically changing networks.

Frigault, M., Wang, L., Jajodia, S., & Singhal, A. (2017). Measuring the overall network security by combining CVSS scores based on attack graphs and Bayesian networks. In Network Security Metrics (pp. 1–23). Springer International Publishing. https://doi.org/10.1007/978-3-319-66505-4_1
