Quantitative risk assessment under multi-context environments
| dc.contributor.author | Zhang, Su | |
| dc.date.accessioned | 2014-11-04T19:48:36Z | |
| dc.date.available | 2014-11-04T19:48:36Z | |
| dc.date.graduationmonth | December | |
| dc.date.issued | 2014-11-04 | |
| dc.date.published | 2014 | |
| dc.description.abstract | If you cannot measure it, you cannot improve it. Quantifying security with metrics matters not only because we want a scoring system to track our efforts in hardening cyber environments, but also because current labor resources cannot administer exponentially growing networks without a feasible risk prioritization methodology. Unlike height, weight or temperature, the risk posed by vulnerabilities is difficult to assess, and the assessment is heavily context-dependent. Existing vulnerability assessment methodologies (e.g. the CVSS scoring system) mainly evaluate the intrinsic risk of individual vulnerabilities without taking their context into consideration. Network-level vulnerability assessment usually outputs one aggregated metric indicating the security level of each host. However, none of this work captures how the severity of each individual vulnerability changes under different contexts. I have captured a number of such contexts for vulnerability assessment. For example, the correlation among vulnerabilities belonging to the same application should be considered when aggregating their risk scores. At the system level, a vulnerability detected in library code that many other components depend on should be assigned a higher risk metric than a vulnerability in a rarely used client-side application, even when the two have the same intrinsic risk. Similarly, in a cloud environment, vulnerabilities with higher prevalence deserve more attention. Zero-day vulnerabilities are widely exploited by attackers and therefore should not be ignored when assessing risk; historical vulnerability information at the application level can be used to predict such latent risk. To assess vulnerabilities with higher accuracy, feasibility, scalability and efficiency, I developed a systematic vulnerability assessment approach for each of these contexts. | |
| dc.description.advisor | Xinming (Simon) Ou | |
| dc.description.degree | Doctor of Philosophy | |
| dc.description.department | Department of Computing and Information Sciences | |
| dc.description.level | Doctoral | |
| dc.description.sponsorship | Air Force Office of Scientific Research; U.S. National Science Foundation | |
| dc.identifier.uri | http://hdl.handle.net/2097/18634 | |
| dc.language.iso | en_US | |
| dc.publisher | Kansas State University | |
| dc.rights | © the author. This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s). | |
| dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | |
| dc.subject | Vulnerability assessment | |
| dc.subject | Quantitative risk assessment | |
| dc.subject | Cloud computing security | |
| dc.subject | Zero-day vulnerability assessment | |
| dc.subject | Software dependency risk assessment | |
| dc.subject | Network security (attack graph) | |
| dc.subject.umi | Computer Science (0984) | |
| dc.title | Quantitative risk assessment under multi-context environments | |
| dc.type | Dissertation |
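As an added illustration of the abstract's argument, not the dissertation's own model or code, the Python sketch below shows how three of the contexts it names (correlation among flaws in the same application, dependency weighting at the system level, and prevalence across a fleet of hosts) change the ranking of two vulnerabilities that share the same intrinsic score. The weighting formulas, the component names, the `V-n` identifiers and the prevalence figures are all constructed assumptions for this example; a real deployment would calibrate the weights and draw the dependency graph from package metadata or a software bill of materials.

```python
"""Context-adjusted vulnerability scoring: a constructed illustration.

Added example, not the dissertation's model. Weights, component names,
identifiers and prevalence figures are assumptions for the demo only.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Vuln:
    vid: str          # constructed identifier, not a real CVE
    component: str    # component (library / application) containing the flaw
    base: float       # intrinsic, context-free severity on a 0..10 scale


def transitive_dependents(deps: dict[str, set[str]]) -> dict[str, int]:
    """deps[a] is the set of components that a depends on directly.

    Returns, per component, the number of distinct components that depend on
    it directly or transitively: a widely used library scores high, a leaf
    client application scores 0.
    """
    reverse: dict[str, set[str]] = {c: set() for c in deps}
    for a, targets in deps.items():
        for b in targets:
            reverse.setdefault(b, set()).add(a)
    counts: dict[str, int] = {}
    for c, direct in reverse.items():
        seen: set[str] = set()
        stack = list(direct)
        while stack:
            x = stack.pop()
            if x in seen:
                continue
            seen.add(x)
            stack.extend(reverse.get(x, ()))
        counts[c] = len(seen)
    return counts


def adjusted_score(v: Vuln, dependents: dict[str, int], n_components: int) -> float:
    """System-level context: scale the intrinsic score by the share of the
    system that depends on the vulnerable component (assumed linear weight,
    capped at 10)."""
    share = dependents.get(v.component, 0) / max(1, n_components - 1)
    return min(10.0, v.base * (1.0 + share))


def aggregate(scores: list[float], correlated: bool) -> float:
    """Combine several scores into one.

    correlated=True : flaws share a root cause (same application / code path),
                      so the worst one dominates and we take the max.
    correlated=False: independent flaws; treat score/10 as a compromise
                      probability and take the probabilistic OR.
    """
    if not scores:
        return 0.0
    if correlated:
        return max(scores)
    return 10.0 * (1.0 - prod(1.0 - s / 10.0 for s in scores))


def host_risk(vulns: list[Vuln], deps: dict[str, set[str]]) -> float:
    """One host-level number: correlated aggregation inside each component,
    independent aggregation across components."""
    dependents = transitive_dependents(deps)
    per_component: dict[str, list[float]] = {}
    for v in vulns:
        per_component.setdefault(v.component, []).append(
            adjusted_score(v, dependents, len(deps)))
    component_scores = [aggregate(s, correlated=True) for s in per_component.values()]
    return aggregate(component_scores, correlated=False)


def fleet_priority(vulns: list[Vuln], deps: dict[str, set[str]],
                   prevalence: dict[str, float]) -> list[tuple[str, float]]:
    """Cloud/fleet context: weight each adjusted score by the fraction of hosts
    running the component, then rank descending."""
    dependents = transitive_dependents(deps)
    ranked = [(v.vid, adjusted_score(v, dependents, len(deps)) * prevalence.get(v.component, 0.0))
              for v in vulns]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed sample system: two applications depend on one TLS library, a
# client tool stands alone. V-1 and V-2 share the same intrinsic score of 5.0.
DEPS = {"libtls": set(), "app_a": {"libtls"}, "app_b": {"libtls"}, "client_x": set()}
VULNS = [
    Vuln("V-1", "libtls", 5.0),
    Vuln("V-2", "client_x", 5.0),
    Vuln("V-3", "app_a", 7.0),
    Vuln("V-4", "app_a", 4.0),
]
PREVALENCE = {"libtls": 0.9, "app_a": 0.5, "app_b": 0.5, "client_x": 0.1}  # fraction of hosts

if __name__ == "__main__":
    dep = transitive_dependents(DEPS)
    for v in VULNS:
        print(v.vid, v.component, round(adjusted_score(v, dep, len(DEPS)), 2))
    print("host risk:", round(host_risk(VULNS, DEPS), 2))
    print("fleet order:", fleet_priority(VULNS, DEPS, PREVALENCE))
```

With these inputs the library flaw V-1 is lifted from 5.0 to about 8.33 because two of the three other components depend on it, while the client-side flaw V-2 stays at 5.0; inside `app_a` the two correlated flaws aggregate to 7.0 rather than the 8.2 that independent aggregation would give; and the prevalence weighting moves V-1 to the top of the fleet-wide queue and V-2 to the bottom, which is the ordering the abstract argues a context-free score cannot produce.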