Assessing the risk of using vulnerable components

“…There are thus two different ways for breaking the cycle among which we can only choose one. That is, we can either remove the edge from e 4 …”

“…Referring to the right-hand side of Figure 3, the search will reach c 3 from e 1 (or, reach c 4 from e 2 ) and then stop there, because the predecessor e 3 of c 4 (or, the predecessor e 4 of c 3 ) has not yet been, and will never be, reached. Notice that this is true no matter a cycle is removable (such as in the left-hand side of Figure 3) or not.…”

“…This termination of the procedure is actually desirable, because it signals that one or more cycles have been reached. It also indicates entry points of the cycle, that is, those vertices that have at least one of their predecessors reached, such as c 4 and c 3 in the right-hand side of Figure 3. Upon the termination of the main procedure, a sub-procedure will mark vertices inside the encountered cycle(s), and then calculate their cumulative scores by Definition 3.…”

“…The work by Balzarotti et al [3] focuses on computing the minimum efforts required for executing each exploit. Based the exploitability concept, a qualitative measure of risk is given in [4].…”

“…Based the exploitability concept, a qualitative measure of risk is given in [4]. Another approach measures the relative risk of different configurations using the weakest attacker model, that is the least conditions under which an attack is possible [20].…”

An Attack Graph-Based Probabilistic Security Metric

“…There are thus two different ways for breaking the cycle among which we can only choose one. That is, we can either remove the edge from e 4 …”

“…Referring to the right-hand side of Figure 3, the search will reach c 3 from e 1 (or, reach c 4 from e 2 ) and then stop there, because the predecessor e 3 of c 4 (or, the predecessor e 4 of c 3 ) has not yet been, and will never be, reached. Notice that this is true no matter a cycle is removable (such as in the left-hand side of Figure 3) or not.…”

“…This termination of the procedure is actually desirable, because it signals that one or more cycles have been reached. It also indicates entry points of the cycle, that is, those vertices that have at least one of their predecessors reached, such as c 4 and c 3 in the right-hand side of Figure 3. Upon the termination of the main procedure, a sub-procedure will mark vertices inside the encountered cycle(s), and then calculate their cumulative scores by Definition 3.…”

“…The work by Balzarotti et al [3] focuses on computing the minimum efforts required for executing each exploit. Based the exploitability concept, a qualitative measure of risk is given in [4].…”

“…Based the exploitability concept, a qualitative measure of risk is given in [4]. Another approach measures the relative risk of different configurations using the weakest attacker model, that is the least conditions under which an attack is possible [20].…”

An Attack Graph-Based Probabilistic Security Metric

Quantitative Security Risk Assessment of Enterprise Networks

A Theory of Gray Security Policies