
A vulnerability life cycle based security modeling and evaluation approach

Abstract: The objective of this work is the evaluation of information systems security using quantitative measures. These measures aim at forecasting risks and providing information to monitor the security level of the system in operation. In our approach, we take into account some environmental factors that have a significant impact on the security of the system. We have identified three such factors that are related to the vulnerability exploitation process: the vulnerability life cycle, the behaviour of the attackers and the behaviour of the system administrator. We have studied the interdependencies between these factors and how their evolution could impact the system security. From this study, we have defined quantitative security measures taking these environmental factors into account, and we have developed a model based on Stochastic Activity Networks (SANs) describing how the vulnerability exploitation process could lead to the system being compromised. We have distinguished two scenarios according to whether the vulnerability is discovered by a malicious user or not. By analysing a vulnerability database, we have characterised the probability of occurrence of several events of the vulnerability life cycle. This characterisation helped us to quantify the measures by processing the SAN model.
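To make the idea in the abstract concrete, here is an added example (not the authors' SAN model, and not code from the paper) that encodes a deliberately simplified vulnerability life cycle as a continuous-time Markov chain and integrates it numerically. The states follow the abstract's three factors (life-cycle phase, whether an exploit exists for the attacker, whether the administrator has applied the patch), and the `p_malicious` parameter switches between the two scenarios the abstract distinguishes (discovery by a malicious user, or not). All state names, rate names and rate values are assumptions chosen for this illustration; none come from the paper or from the vulnerability database it analysed.

```python
"""
Toy continuous-time Markov chain (CTMC) of a vulnerability life cycle.

Added illustrative example, not the authors' Stochastic Activity Network model.
Every rate below is an assumption chosen for the demonstration; none is taken
from the paper or from a vulnerability database.
"""

# States of the chain (hypothetical names for this example):
#   U  : vulnerability exists but nobody has discovered it
#   A  : discovered by a malicious user; exploit in hand, not publicly disclosed
#   D0 : publicly disclosed, no patch yet, no exploit available
#   D1 : publicly disclosed, no patch yet, exploit available
#   P0 : patch released but not yet applied, no exploit available
#   P1 : patch released but not yet applied, exploit available
#   S  : patch applied by the administrator (absorbing, safe)
#   C  : system compromised (absorbing)
STATES = ("U", "A", "D0", "D1", "P0", "P1", "S", "C")

# Assumed rates, per day (mean delay = 1/rate). Keys are hypothetical names.
DEFAULT_RATES = {
    "discover": 1 / 50,       # someone finds the vulnerability
    "disclose": 1 / 10,       # attacker-only knowledge becomes public
    "exploit": 1 / 20,        # exploit developed after public disclosure
    "patch_release": 1 / 10,  # vendor ships a patch after disclosure
    "apply": 1 / 20,          # administrator applies an available patch
    "attack": 1 / 5,          # successful attack while an exploit exists
}


def transition_rates(rates, p_malicious):
    """Build {(src, dst): rate}. p_malicious is the probability that the
    discoverer is malicious: 1.0 gives the malicious-discovery scenario,
    0.0 the non-malicious (disclosure-first) scenario."""
    q = {}

    def add(src, dst, rate):
        if rate > 0:
            q[(src, dst)] = q.get((src, dst), 0.0) + rate

    add("U", "A", rates["discover"] * p_malicious)
    add("U", "D0", rates["discover"] * (1.0 - p_malicious))
    add("A", "D1", rates["disclose"])       # attacks noticed, vendor informed
    add("D0", "D1", rates["exploit"])       # exploit written from public details
    add("P0", "P1", rates["exploit"])
    add("D0", "P0", rates["patch_release"])
    add("D1", "P1", rates["patch_release"])
    add("P0", "S", rates["apply"])          # administrator closes the window
    add("P1", "S", rates["apply"])
    for src in ("A", "D1", "P1"):           # only states in which an exploit exists
        add(src, "C", rates["attack"])
    return q


def state_distribution(rates, p_malicious, horizon_days, dt=0.01):
    """Integrate the Kolmogorov forward equations dp/dt = p*Q with explicit
    Euler steps, starting from P(U) = 1. Returns {state: probability}.
    Probability mass is moved along each transition, so the total stays 1."""
    q = transition_rates(rates, p_malicious)
    p = {s: 0.0 for s in STATES}
    p["U"] = 1.0
    for _ in range(int(round(horizon_days / dt))):
        flow = {s: 0.0 for s in STATES}
        for (src, dst), rate in q.items():
            moved = p[src] * rate * dt
            flow[src] -= moved
            flow[dst] += moved
        for s in STATES:
            p[s] += flow[s]
    return p


def compromise_probability(rates, p_malicious, horizon_days):
    """Probability that the system has been compromised by horizon_days."""
    return state_distribution(rates, p_malicious, horizon_days)["C"]


if __name__ == "__main__":
    for label, p_mal in (("malicious discovery", 1.0), ("non-malicious discovery", 0.0)):
        print(label)
        for days in (30, 90, 180, 365):
            print(f"  P(compromised by day {days:3d}) = "
                  f"{compromise_probability(DEFAULT_RATES, p_mal, days):.3f}")
```

Running the script prints the probability of compromise at several horizons for both scenarios; with these assumed rates the malicious-discovery scenario is always worse, because attacks begin at discovery instead of only after an exploit is developed from the disclosure. Changing `apply` is the knob for the administrator's behaviour and `attack` for the attackers' behaviour, which is the kind of sensitivity question the abstract's measures are meant to answer; the paper's SAN model captures these dependencies in more detail than this chain does.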
Document type: Journal articles
Cited literature: 54 references

https://hal.laas.fr/hal-01911985
Contributor: Mohamed Kaaniche
Submitted on: Monday, November 5, 2018 - 7:49:41 AM
Last modification on: Saturday, June 19, 2021 - 3:09:01 AM
Long-term archiving on: Wednesday, February 6, 2019 - 2:33:03 PM

File

ComputerJournal-Hal.pdf
Files produced by the author(s)

Citation

Géraldine Vache Marconato, Mohamed Kaâniche, Vincent Nicomette. A vulnerability life cycle based security modeling and evaluation approach. The Computer Journal, Oxford University Press (UK), 2013, 56 (4), pp.422 - 439. ⟨10.1093/comjnl/bxs112⟩. ⟨hal-01911985⟩

Metrics

Record views: 144
File downloads: 229