Evaluating Security of Computer Networks based on Attack Graphs and Qualitative Security Metrics

Approach to computer network security analysis for using both at design and operation stages is suggested. This approach is based on generating common attack graph and using qualitative security metrics. The graph represents possible scenarios of distributed attacks taking into account network configuration, security policy, malefactor’s location, knowledge level and strategy. The general architecture of the security analysis system proposed, the main concepts of common attack graph, used security metrics taxonomies, metrics calculation rules and general security level evaluation procedure are considered. The suggested security metrics allow to evaluate computer network security level with different detailing level and taking into account different aspects. The implemented software prototype is described, and examples of using the prototype for express-analysis of computer network security level are considered.