Vulnerability analysis For evaluating quality of protection of security policies

Muhammad Abedin; Syeda Nessa; Ehab Al-Shaer; Latifur Khan

doi:10.1145/1179494.1179505

Vulnerability analysis For evaluating quality of protection of security policies

Muhammad Abedin^*, Syeda Nessa, Ehab Al-Shaer, Latifur Khan

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

50 Scopus citations

Abstract

Evaluation of security policies, specifically access control policies, plays an important part in securing the network by ensuring that policies are correct and consistent. Quality of protection (QoP) of a policy depends on a number of factors. Thus it is desirable to have one unified score based on these factors to judge the quality of the policy and to compare policies. In this context, we present our method of calculating a metric based on a number of factors like the vulnerabilities present in the system, vulnerability history of the services and their exposure to the network, and traffic patterns. We measure the existing vulnerability by combining the severity scores of the vulnerabilities present in the system. We mine the National Vulnerability Database, NVD, provided by NIST, to find the vulnerability history of the services running on the system, and from the frequency and severity of the past vulnerabilities, we measure the historical vulnerability of the policy using a decay factor. In both cases, we take into account the exposure of the service to the network and the traffic volume handled by the service. Finally, we combine these scores into one unified score - the Policy Security Score.

Original language	English
Title of host publication	Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Pages	49-52
Number of pages	4
DOIs	https://doi.org/10.1145/1179494.1179505
State	Published - 2006
Externally published	Yes
Event	2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 - Alexandria, VA, United States Duration: 30 Oct 2006 → 30 Oct 2006

Publication series

Name	Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Conference

Conference	2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Country/Territory	United States
City	Alexandria, VA
Period	30/10/06 → 30/10/06

Keywords

Evaluation
Metric
Policy
Security

ASJC Scopus subject areas

Computer Networks and Communications
Software

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1145/1179494.1179505

Cite this

Abedin, M., Nessa, S., Al-Shaer, E., & Khan, L. (2006). Vulnerability analysis For evaluating quality of protection of security policies. In Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 (pp. 49-52). (Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06). https://doi.org/10.1145/1179494.1179505

Abedin, Muhammad ; Nessa, Syeda ; Al-Shaer, Ehab et al. / Vulnerability analysis For evaluating quality of protection of security policies. Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. pp. 49-52 (Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06).

@inproceedings{c7a12dc4802044e081711c4d9c3a6790,

title = "Vulnerability analysis For evaluating quality of protection of security policies",

abstract = "Evaluation of security policies, specifically access control policies, plays an important part in securing the network by ensuring that policies are correct and consistent. Quality of protection (QoP) of a policy depends on a number of factors. Thus it is desirable to have one unified score based on these factors to judge the quality of the policy and to compare policies. In this context, we present our method of calculating a metric based on a number of factors like the vulnerabilities present in the system, vulnerability history of the services and their exposure to the network, and traffic patterns. We measure the existing vulnerability by combining the severity scores of the vulnerabilities present in the system. We mine the National Vulnerability Database, NVD, provided by NIST, to find the vulnerability history of the services running on the system, and from the frequency and severity of the past vulnerabilities, we measure the historical vulnerability of the policy using a decay factor. In both cases, we take into account the exposure of the service to the network and the traffic volume handled by the service. Finally, we combine these scores into one unified score - the Policy Security Score.",

keywords = "Evaluation, Metric, Policy, Security",

author = "Muhammad Abedin and Syeda Nessa and Ehab Al-Shaer and Latifur Khan",

year = "2006",

doi = "10.1145/1179494.1179505",

language = "English",

isbn = "1595935533",

series = "Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06",

pages = "49--52",

booktitle = "Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06",

note = "2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 ; Conference date: 30-10-2006 Through 30-10-2006",

}

Abedin, M, Nessa, S, Al-Shaer, E & Khan, L 2006, Vulnerability analysis For evaluating quality of protection of security policies. in Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06, pp. 49-52, 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06, Alexandria, VA, United States, 30/10/06. https://doi.org/10.1145/1179494.1179505

Vulnerability analysis For evaluating quality of protection of security policies. / Abedin, Muhammad; Nessa, Syeda; Al-Shaer, Ehab et al.
Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. p. 49-52 (Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Vulnerability analysis For evaluating quality of protection of security policies

AU - Abedin, Muhammad

AU - Nessa, Syeda

AU - Al-Shaer, Ehab

AU - Khan, Latifur

PY - 2006

Y1 - 2006

N2 - Evaluation of security policies, specifically access control policies, plays an important part in securing the network by ensuring that policies are correct and consistent. Quality of protection (QoP) of a policy depends on a number of factors. Thus it is desirable to have one unified score based on these factors to judge the quality of the policy and to compare policies. In this context, we present our method of calculating a metric based on a number of factors like the vulnerabilities present in the system, vulnerability history of the services and their exposure to the network, and traffic patterns. We measure the existing vulnerability by combining the severity scores of the vulnerabilities present in the system. We mine the National Vulnerability Database, NVD, provided by NIST, to find the vulnerability history of the services running on the system, and from the frequency and severity of the past vulnerabilities, we measure the historical vulnerability of the policy using a decay factor. In both cases, we take into account the exposure of the service to the network and the traffic volume handled by the service. Finally, we combine these scores into one unified score - the Policy Security Score.

AB - Evaluation of security policies, specifically access control policies, plays an important part in securing the network by ensuring that policies are correct and consistent. Quality of protection (QoP) of a policy depends on a number of factors. Thus it is desirable to have one unified score based on these factors to judge the quality of the policy and to compare policies. In this context, we present our method of calculating a metric based on a number of factors like the vulnerabilities present in the system, vulnerability history of the services and their exposure to the network, and traffic patterns. We measure the existing vulnerability by combining the severity scores of the vulnerabilities present in the system. We mine the National Vulnerability Database, NVD, provided by NIST, to find the vulnerability history of the services running on the system, and from the frequency and severity of the past vulnerabilities, we measure the historical vulnerability of the policy using a decay factor. In both cases, we take into account the exposure of the service to the network and the traffic volume handled by the service. Finally, we combine these scores into one unified score - the Policy Security Score.

KW - Evaluation

KW - Metric

KW - Policy

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=34547401211&partnerID=8YFLogxK

U2 - 10.1145/1179494.1179505

DO - 10.1145/1179494.1179505

M3 - Conference contribution

AN - SCOPUS:34547401211

SN - 1595935533

SN - 9781595935533

T3 - Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

SP - 49

EP - 52

BT - Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

T2 - 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Y2 - 30 October 2006 through 30 October 2006

ER -

Abedin M, Nessa S, Al-Shaer E, Khan L. Vulnerability analysis For evaluating quality of protection of security policies. In Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. p. 49-52. (Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06). doi: 10.1145/1179494.1179505

Vulnerability analysis For evaluating quality of protection of security policies

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

UN SDGs

Access to Document

Fingerprint

Cite this