
2016 2nd IEEE International Conference on Computer and Communications

System Vulnerability Risk Evaluation Using Connectivity Operator

Zhang Heng-wei, Huang Jian-ming


Zhengzhou Institute of Information Science and Technology, Zhengzhou 450001, China
The National Natural Science Foundation of China (61303074, 61309013)
e-mail: zhwllqd@163.com, hjm_ijbb@126.com

Abstract-In order to quantify the risk of security vulnerabilities, a vulnerability risk assessment methodology based on connectivity operators is proposed, and the relationships between vulnerabilities are quantitatively analyzed using the vulnerability attack graph. Two kinds of connectivity operator are proposed to calculate the connectivity between vulnerabilities, achieving a quantitative analysis of a vulnerability's self risk and spread risk. On this basis the risk assessment algorithm VREA-CO is proposed, which assesses the overall risk of the system. The vulnerability assessment results can help managers identify key vulnerabilities and improve the efficiency of security management. Example analysis shows that the method is feasible and effective.

Keywords-vulnerability risk; risk assessment; connectivity operator; vulnerability attack graph; self risk; spread risk

978-1-4673-9026-2/16/$31.00 ©2016 IEEE

I. INTRODUCTION

The risk matrix is a mathematical tool that describes the relationships between the vulnerabilities of a network system on the basis of the adjacency matrix [1]. In [2], the authors proposed a risk adjacency matrix method based on the attack graph, and the rationality and validity of the method were verified by experiment. In [3], the authors constructed an attack-path vulnerability matrix whose rows represent the vulnerabilities of the attacking host and whose columns represent the vulnerabilities of the next attacked host; its elements, however, are only 1 or 0, indicating whether two vulnerabilities are connected without reflecting the rate at which the connection is exploited. In this paper, the rows and columns of the risk matrix correspond to the system vulnerabilities, and each matrix element is the connectivity between two vulnerabilities. Using the risk matrix to represent the exploitation relationships between vulnerabilities is more intuitive and clear, and it makes the follow-up operations easy.

The attack graph is a model-based network vulnerability analysis technique [4]. It correlates network vulnerabilities and analyzes the relationship between the vulnerabilities of the target network and the threats that result from them, so that security managers can intuitively grasp the relationships between network vulnerabilities. For the application of attack graphs to risk analysis, the authors of [5] introduced the basic principle of using the attack graph model to analyze computer network attack behavior, proposed an attack graph generation algorithm and studied a method of using the attack graph to analyze the security risk of a network system. In [6], the authors proposed an automatic generation algorithm for the network attack graph based on the attack cost associated with vulnerabilities; effectively integrating the correlation between vulnerabilities allows a scientific assessment of the cost of an attack. In [7], the authors proposed an extended network attack graph generation method and a network attack strategy generation algorithm based on the extended network attack graph.

In this paper, for the problem of quantitatively assessing information system security vulnerabilities, the connectivity and the value of a vulnerability are defined, and a quantitative analysis method is proposed that uses the vulnerability attack graph together with the effect of, and the interaction between, vulnerability connectivity and value to evaluate system security vulnerabilities. On this basis, we achieve a quantitative calculation of vulnerability connectivity by designing two kinds of connectivity operator, and propose the Vulnerability Risk Evaluation Algorithm based on Connectivity Operator (VREA-CO), which assesses both the self risk and the spread (transmission) risk of information system security vulnerabilities accurately and completely. This makes it possible for security personnel to identify the degree of risk of each vulnerability and provides effective help in carrying out security defense.

II. VULNERABILITY CONNECTIVITY AND VALUE

Vulnerability connectivity represents the possibility that an attacker exploits one vulnerability in order to attack another. This paper refers to the CVSS vulnerability evaluation method shown in Figure 1. CVSS was proposed by the National Infrastructure Advisory Committee (NIAC) to provide an open, generic vulnerability rating framework, and it has six key indicators for the basic vulnerability metric: Access Vector (AV), Authentication (AU), Access Complexity (AC), ConfImpact (CI), IntegImpact (II) and AvailImpact (AI).

Definition 1 Vulnerability connectivity. In a complex network topology the attacker needs to use multiple vulnerability nodes to reach the target; vulnerability connectivity is the possibility that the attacker would exploit a vulnerability to attack another, adjacent node. Vulnerability connectivity is related to the information accessibility between the nodes, the host connectivity and the vulnerability availability, as shown in Fig. 1. Information accessibility is denoted by the Access Vector property (AV) in the NVD database, and the recommended reference CVSS scores are 0.395 (local), 0.646 (adjacent network) and 1.0 (network). Host connectivity is denoted by the Authentication property (AU) in the NVD database, and the


recommended reference CVSS scores are 0.45 (multiple), 0.56 (single) and 0.704 (none). Vulnerability availability is denoted by the Access Complexity property (AC) in the NVD database, and the recommended reference CVSS scores are 0.35 (high), 0.61 (medium) and 0.71 (low). Therefore the connectivity $P_{ij}$ between node $i$ and node $j$ can be expressed as

$$P_{ij} = \frac{AU}{AU + \sqrt{AC \cdot AV}},$$

in which $P_{ij} \in (0,1)$. Host connectivity has a positive correlation with vulnerability connectivity, while information accessibility and vulnerability availability are both negatively correlated with vulnerability connectivity. In general, if the connectivity between two vulnerabilities is stronger, the information is easier to obtain and the vulnerability is less difficult to exploit, then the attacker has a greater probability of choosing to attack the vulnerability and the connectivity between the vulnerabilities is greater. On the other hand, if it is difficult for the attacker to pass the host authentication, to obtain information about the vulnerabilities and to exploit the vulnerability, then the attacker has a smaller probability of choosing to attack the vulnerability and the connectivity between the vulnerabilities is smaller.

[Figure 1. Vulnerability connectivity assessment: node connectivity derived from the Access Vector (AV), Authentication (AU) and Access Complexity (AC) metrics.]

Definition 2 Vulnerability Value. The vulnerability value $V$ represents the impact on the system once a particular vulnerability is exploited, including the confidentiality, integrity and availability impact of the vulnerability, which are described by CI, II and AI in CVSS respectively, as shown in Fig. 2. We can evaluate the value of a vulnerability from the three properties CI, II and AI as

$$V(CI, II, AI) = \frac{1}{3}\,(CI + II + AI).$$

[Figure 2. Vulnerability value assessment: the impact metrics Confidentiality (CI), Integrity (II) and Availability (AI) feeding the vulnerability value.]

III. VULNERABILITY ATTACK GRAPH

There is a complex relationship between system vulnerabilities, and an attacker can use this kind of relationship to attack associated vulnerabilities starting from a vulnerability that has already been compromised, thus forming a chain of attacks until the target is reached; a number of such attack chains form an attack graph.

Definition 3 Vulnerability node. A vulnerability node is defined as $N = (v, r, u)$, where $v$ represents the node name and the corresponding CVE vulnerability number (generally a node corresponds to one particular system vulnerability), $r$ is the host asset or system resource that the attacker hopes to obtain and the defender hopes to protect, and $u$ represents the vulnerability value, that is, the loss or effect on the system once the vulnerability is penetrated.

Definition 4 Vulnerability attack graph. The vulnerability attack graph uses vulnerability nodes $N$ as its graph nodes and attack paths as its directed edges, so it is a directed graph $AG = \{N, L\}$, where $N = (n_1, n_2, \dots, n_v)$ is the node set representing all the vulnerabilities that exist in the network. A node with zero indegree is called an originating node, a node with zero outdegree is called a target node, and otherwise a node with non-zero indegree and outdegree is called a process node. $L$ is the set of directed edges, showing the relationships between the vulnerabilities.

According to the BS7799 standard developed by the British Standards Institution (BSI) for information security management, the risk of an information system is the impact on the system when a threat uses a vulnerability to attack assets. Attackers always try to benefit from exploiting the vulnerability of the asset subject, forming a "Threat - Vulnerability - Asset" risk chain; the node model is shown in Fig. 3.

[Figure 3. Vulnerabilities node model: attacker and defender with their payoffs, the attack strategy, vulnerabilities 1 to 3 and the system asset.]

Definition 5 Adjacency matrix. VAG is a vulnerability attack graph consisting of several vulnerabilities, M is the adjacency matrix of VAG, and each matrix element represents the connectivity of a direct relation between two nodes. VAG and M have the following characteristics:
(1) VAG corresponds to the adjacency matrix M;
(2) in the adjacency matrix M, if a column is all zeros, its corresponding node is a source node or input node; if a row is all zeros, its corresponding node is called an output node;
(3) in the VAG, if node $n_i$ can reach node $n_j$ by $k$ edges, where $k$ is the length of the path between $n_i$ and $n_j$, then the element in row $i$ and column $j$ of the matrix M is $P_{ij}$, and 0 otherwise;
(4) the matrix elements represent the directed exploitation relationship between two vulnerabilities.
The vulnerability adjacency matrix can be expressed as

$$M = \begin{pmatrix} P_{11} & P_{12} & \cdots & P_{1v} \\ P_{21} & P_{22} & \cdots & P_{2v} \\ \vdots & \vdots & \ddots & \vdots \\ P_{v1} & P_{v2} & \cdots & P_{vv} \end{pmatrix},$$

whose diagonal elements are generally zero, where $v$ is the number of vulnerabilities and $P_{ij}$ is the connectivity between vulnerabilities.
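As an added illustration (Python, not the authors' code), the connectivity of Definition 1, the value of Definition 2 and the single-step adjacency matrix of Definition 5, computed from the CVSS property values that Tables I and II of the example in Section VI list for the five vulnerabilities; the reference scores quoted in Section II are included as lookup tables.

```python
import math
from typing import Dict, List, Tuple

# Reference CVSS base-metric scores quoted in Section II (NVD values).
AV = {"local": 0.395, "adjacent": 0.646, "network": 1.0}   # Access Vector
AU = {"multiple": 0.45, "single": 0.56, "none": 0.704}     # Authentication
AC = {"high": 0.35, "medium": 0.61, "low": 0.71}           # Access Complexity


def connectivity(av: float, au: float, ac: float) -> float:
    """Definition 1: P_ij = AU / (AU + sqrt(AC * AV)); always in (0, 1)."""
    return au / (au + math.sqrt(ac * av))


def vulnerability_value(ci: float, ii: float, ai: float) -> float:
    """Definition 2: V(CI, II, AI) = (CI + II + AI) / 3, the Value column of Table I."""
    return (ci + ii + ai) / 3.0


# Table II of the paper: edge (i, j) -> (Access Complexity, Authentication, Access Vector).
TABLE_II: Dict[Tuple[int, int], Tuple[float, float, float]] = {
    (1, 1): (0.71, 0.45, 1.0),
    (1, 2): (0.71, 0.56, 0.646),
    (1, 3): (0.61, 0.56, 0.646),
    (2, 4): (0.35, 0.45, 0.646),
    (3, 4): (0.35, 0.45, 1.0),
    (3, 5): (0.35, 0.45, 1.0),
    (4, 5): (0.35, 0.45, 0.395),
}

# Table I of the paper: node -> (ConfImpact, IntegImpact, AvailImpact).
TABLE_I: Dict[int, Tuple[float, float, float]] = {
    1: (0.275, 0.275, 0.0),    # n1  RedHat Linux Telnet Overflow
    2: (0.275, 0.0, 0.275),    # n2  Windows Server RPC vulnerability
    3: (0.275, 0.275, 0.660),  # n3  Unicode vulnerability
    4: (0.275, 0.660, 0.0),    # n4  Weak Password
    5: (0.660, 0.660, 0.275),  # n5  Oracle 11gR2 vulnerability
}


def single_step_matrix(v: int, edges=TABLE_II) -> List[List[float]]:
    """Definition 5: M[i][j] = P_ij for each directed edge n_i -> n_j, 0 otherwise
    (1-based node numbers in the edge table, 0-based indices in the matrix)."""
    m = [[0.0] * v for _ in range(v)]
    for (i, j), (ac, au, av) in edges.items():
        m[i - 1][j - 1] = connectivity(av, au, ac)
    return m


def value_vector(table=TABLE_I) -> List[float]:
    """Vector U = [mu(1) ... mu(v)] of vulnerability values, in node order."""
    return [vulnerability_value(*table[k]) for k in sorted(table)]


if __name__ == "__main__":
    for row in single_step_matrix(5):
        print("  ".join(f"{x:.2f}" for x in row))
    print([round(x, 3) for x in value_vector()])
```

Recomputed this way, every connectivity in Table II is reproduced to two decimals except P24, for which the formula gives about 0.49 rather than the listed 0.54; all five values of Table I are reproduced to three decimals.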
IV. CONNECTIVITY OPERATOR

A. Comprehensive Connectivity

In [6], the authors proposed a multi-step method for calculating the elements of the adjacency risk matrix, whose result evaluates the maximum possible loss between two nodes. This paper analyzes node connectivity and node loss independently, as two independent factors for assessing vulnerability risk. On the basis of the definition of adjacent-node connectivity we can obtain the comprehensive connectivity between any two nodes of the VAG; the calculation method is described by the example shown in Fig. 4.

[Figure 4. Multi-path node connectivity analysis: nodes 1 to 5 with the paths 1-2-3-5, 1-4-5 and the direct edge 1-5.]

As shown in Fig. 4, there are three paths between node 1 and node 5. By probability calculation, the three-step connectivity of node 1 to node 5 is $p^{(3)}_{15} = P_{12}P_{23}P_{35}$ and the two-step connectivity is $p^{(2)}_{15} = P_{14}P_{45}$. Considering that there is also a one-step connectivity between the two nodes, the comprehensive connectivity between node 1 and node 5 is

$$\beta_{15} = 1 - (1 - P_{15})(1 - p^{(2)}_{15})(1 - p^{(3)}_{15}).$$

B. Connectivity Operator

Based on the above analysis of connectivity, we can define the connectivity operators for risk matrix operations.

Definition 6 Connectivity Operator. On the basis of matrix multiplication, we define the matrix connectivity multiplication operator $\otimes$; the result of $\otimes$ between two matrices is

$$M^{(2)} = M \otimes M = \begin{pmatrix} p^{(2)}_{11} & p^{(2)}_{12} & \cdots & p^{(2)}_{1v} \\ p^{(2)}_{21} & p^{(2)}_{22} & \cdots & p^{(2)}_{2v} \\ \vdots & \vdots & \ddots & \vdots \\ p^{(2)}_{v1} & p^{(2)}_{v2} & \cdots & p^{(2)}_{vv} \end{pmatrix}, \quad \text{where } p^{(2)}_{ij} = 1 - \prod_{k=1}^{v}\bigl(1 - P_{ik} \cdot P_{kj}\bigr).$$

On the basis of matrix addition, the risk matrix connectivity addition operator $\oplus$ is defined; the result of $\oplus$ over several matrices is

$$\begin{pmatrix} \beta_{11} & \beta_{12} & \cdots & \beta_{1v} \\ \vdots & \vdots & \ddots & \vdots \\ \beta_{v1} & \beta_{v2} & \cdots & \beta_{vv} \end{pmatrix}, \quad \text{where } \beta_{ij} = 1 - \prod_{r=1}^{n}\bigl(1 - p^{(r)}_{ij}\bigr).$$

The biggest drawback of the single-step risk matrix is that it can only represent the neighboring connectivity between two nodes; it cannot represent the connectivity between vulnerabilities that require a multi-step attack in the attack graph. If a risk matrix element represents the possibility of several successive penetration attacks along a path in the graph, we call the matrix a multi-step risk matrix.

According to the meaning of the risk matrix elements, $P_{ij}$ represents the connectivity of the directed exploitation relationship between node $n_i$ and node $n_j$. Therefore the two-step risk matrix can be calculated as $M^{(2)} = M \otimes M$, in which $p^{(2)}_{ij}$ represents the two-step connectivity between node $i$ and node $j$. In the two-step risk matrix, the connectivity between two nodes that have multiple paths in the attack graph is

$$p^{(2)}_{ij} = 1 - \prod_{k=1}^{v}\bigl(1 - P_{ik} \cdot P_{kj}\bigr).$$

To sum up, the elements of $M^{(r)}$ are the $r$-step connectivities between any two nodes that are $r$ steps apart. If $n$ is the greatest step length in the VAG, then the elements of $M^{(n)}$ represent the $n$-step connectivity between any two nodes.

V. VULNERABILITY RISK ASSESSMENT BASED ON CONNECTIVITY OPERATOR

A. Self Risk Assessment

Through the definition of the self risk and the spreading risk of vulnerabilities, we can evaluate the global risk of the vulnerabilities.

Definition 7 Vulnerability Risk. The vulnerability risk $R_w$ includes the self risk $R_s$ and the spreading risk $R_o$ of the vulnerability. The vulnerability self risk indicates that threats from other vulnerabilities have an impact on this vulnerability, and its related factors are the connectivity between the vulnerabilities and the vulnerabilities' own values; the vulnerability spreading risk represents the risk that the vulnerability passes on to other vulnerabilities through the directed edges, and its associated factors are the vulnerability connectivity and the effect value of the vulnerabilities. The global risk of a vulnerability is the sum of both: $R_w = R_s + R_o$.

A vulnerability's self risk can be represented by multiplying the possibility that the vulnerability risk event occurs by the system loss after the risk event. An attacker may attack the vulnerability through different paths, so the risk of a vulnerability may come from different risk sources. Let $\beta_{lk}$ be the probability that risk-source node $l$ leads to a risk event at target node $k$, and let the system loss after the risk event be represented by the vulnerability value $\mu(k)$ of node $k$; the risk of the event is

$$R_s(l, k) = \beta_{lk} \times \mu(k).$$

The sum of all risks which may spread to node $k$ is
the node self risk:

$$R_s(k) = \sum_{l} R_s(l, k) = \sum_{l=1}^{v} \bigl(\beta_{lk} \cdot \mu(k)\bigr).$$

Then the self risk vector of the information system vulnerability nodes is $V(R_s) = [R_s(1)\ R_s(2)\ \cdots\ R_s(v)]$.

B. Spread Risk Assessment

Iterating the single-step risk matrix M with the operation $\otimes$, we can obtain the $r$-step risk matrix between vulnerabilities as follows:

$$M^{(r)} = \begin{pmatrix} p^{(r)}_{11} & p^{(r)}_{12} & \cdots & p^{(r)}_{1v} \\ \vdots & \vdots & \ddots & \vdots \\ p^{(r)}_{v1} & p^{(r)}_{v2} & \cdots & p^{(r)}_{vv} \end{pmatrix},$$

where $r$ is the step number of the risk matrix. Let $M_o$ represent the connectivity between any two nodes of the system; applying the operation $\oplus$ to all the risk matrices $M \sim M^{(n)}$, where $n$ denotes the maximum step length, we obtain the comprehensive connectivity risk matrix of the VAG:

$$M_o = \begin{pmatrix} \beta_{11} & \beta_{12} & \cdots & \beta_{1v} \\ \vdots & \vdots & \ddots & \vdots \\ \beta_{v1} & \beta_{v2} & \cdots & \beta_{vv} \end{pmatrix},$$

where the matrix element $\beta_{ij}$ represents the comprehensive connectivity between node $i$ and node $j$.

If the nodes that two paths pass through overlap, the two different paths are still treated as independent and in parallel. An attacker may penetrate by way of the exploitation relationship between vulnerabilities, so the vulnerability spread risk represents the risk that the attacker spreads from the penetrated vulnerability to other vulnerabilities. This paper uses the risk matrix to analyze the risk of transmission. Let the information system vulnerability value vector be $U = [\mu(1)\ \mu(2)\ \cdots\ \mu(v)]$, where $v$ is the number of vulnerabilities and $\mu(k)$ denotes the value of vulnerability $k$; the spread risk vector of the vulnerabilities is

$$V(R_o)^T = M_o \cdot U^T = \begin{pmatrix} \beta_{11} & \beta_{12} & \cdots & \beta_{1v} \\ \beta_{21} & \beta_{22} & \cdots & \beta_{2v} \\ \vdots & \vdots & \ddots & \vdots \\ \beta_{v1} & \beta_{v2} & \cdots & \beta_{vv} \end{pmatrix} \begin{pmatrix} \mu(1) \\ \mu(2) \\ \vdots \\ \mu(v) \end{pmatrix} = \begin{pmatrix} R_o(1) \\ R_o(2) \\ \vdots \\ R_o(v) \end{pmatrix},$$

where the element $R_o(k)$ of the spread risk vector represents the spread risk caused by vulnerability $k$ for the information system:

$$R_o(k) = \sum_{l=1}^{v} \beta_{kl} \times \mu(l).$$

The global risk vector of the system vulnerabilities is

$$V(R_w)^T = V(R_s)^T + V(R_o)^T = \begin{pmatrix} R_s(1) \\ R_s(2) \\ \vdots \\ R_s(v) \end{pmatrix} + \begin{pmatrix} R_o(1) \\ R_o(2) \\ \vdots \\ R_o(v) \end{pmatrix} = \begin{pmatrix} R_w(1) \\ R_w(2) \\ \vdots \\ R_w(v) \end{pmatrix}.$$

C. Vulnerability Risk Evaluation Algorithm (VREA-CO)

Input: single-step risk matrix M, vulnerability value vector U, attack graph maximum step length n, number of vulnerabilities v;
Output: vulnerability global risk vector V(R_w);
Algorithm description:
START
Initialization parameters: M[i][j] = P_ij; M_o[i][j] = 0;
For (i = 1; i <= n; i = i + 1)
    M^(i) = M^(i-1) ⊗ M;
    M_o = M_o ⊕ M^(i);
End For
For (k = 1; k <= v; k = k + 1)
    For (l = 1; l <= v; l = l + 1)
        R_s(l, k) = β_lk × μ(k);
        R_s(k) = R_s(k) + R_s(l, k);
        R_o(k) = R_o(k) + R_o(k, l);    (R_o(k, l) = β_kl × μ(l), from the definition of R_o(k))
    End For
    R_w(k) = R_s(k) + R_o(k);
End For
Output V(R_w) = [R_w(1) R_w(2) ... R_w(v)];
END

VI. EXAMPLE ANALYSIS

To illustrate the application of the vulnerability analysis algorithm in practice, we scan the vulnerabilities of a network. From the scanning results of Nessus we can obtain the host port and vulnerability information. Assuming that there are five major network vulnerabilities, we extract information from the vulnerability databases NVD and Bugtraq to obtain the exploitation mode of each vulnerability. We evaluate the vulnerabilities by referring to the CVSS scoring criteria; the property values of the vulnerabilities and of the directed edges are shown in Table I and Table II below.
TABLE I. VULNERABILITY VALUE DESCRIPTION
(AvailImpact, ConfImpact and IntegImpact are the CVSS impact metrics.)

VID   CVEID   Description                        AvailImpact   ConfImpact   IntegImpact   Value
n1    12918   RedHat Linux Telnet Overflow       0             0.275        0.275         0.183
n2    31874   Windows Server RPC vulnerability   0.275         0.275        0             0.183
n3    4855    Unicode vulnerability              0.660         0.275        0.275         0.403
n4    6439    Weak Password                      0             0.275        0.660         0.312
n5    38115   Oracle 11gR2 vulnerability         0.275         0.660        0.660         0.532

TABLE II. DIRECTED EDGE CONNECTIVITY

EID   Access Complexity   Authentication   Access Vector   Connectivity
P11   0.71                0.45             1.0             0.35
P12   0.71                0.56             0.646           0.45
P13   0.61                0.56             0.646           0.47
P24   0.35                0.45             0.646           0.54
P34   0.35                0.45             1.0             0.43
P35   0.35                0.45             1.0             0.43
P45   0.35                0.45             0.395           0.55

From the vulnerability and directed-edge values we can calculate the connectivity between the vulnerabilities and the vulnerability values, and the NetSPA system developed by MIT generates the VAG shown in Figure 5.

[Figure 5. Vulnerability attack graph: nodes n1 to n5 (for example n3: 4855, 0.403) with edge labels including P13 = 0.47, P34 = 0.43, P35 = 0.43 and P45 = 0.55.]

The corresponding single-step risk matrix M and vulnerability value vector U of the vulnerability attack graph are as follows:

$$M = \begin{pmatrix} 0.35 & 0.45 & 0.47 & 0 & 0 \\ 0 & 0 & 0 & 0.54 & 0 \\ 0 & 0 & 0 & 0.43 & 0.43 \\ 0 & 0 & 0 & 0 & 0.55 \\ 0 & 0 & 0 & 0 & 0 \end{pmatrix}, \qquad U = [0.183\ \ 0.183\ \ 0.403\ \ 0.312\ \ 0.532].$$

The maximum step length in the vulnerability attack graph is $n = 3$ and the total number of vulnerabilities is $v = 5$. Inputting the single-step risk matrix M, the vulnerability value vector U, the maximum step length $n$ and the total number of vulnerabilities $v$ into the vulnerability risk evaluation algorithm VREA-CO, we obtain the global risk vector of the system vulnerabilities:

$$M(R_w) = [9.22\ \ 4.57\ \ 7.46\ \ 8.32\ \ 8.72].$$

The severity order of the vulnerabilities is $n_1 > n_5 > n_4 > n_3 > n_2$. Supposing that the significance threshold of risk is 0.8, we can see that vulnerabilities $n_1$ and $n_5$ are the most significant for the network system. The corresponding assets are the network firewall and the DB server; the former is the database server and the latter is the import and export portal of the network.

VII. CONCLUSION

To assess the risk caused by the security vulnerabilities of a network system, this paper proposes a risk assessment method based on connectivity operators, which includes the VAG, the connectivity operators and the vulnerability risk assessment algorithm. With this method, the risk assessor can make a quantitative analysis of the network system based on the exploitation relationships of the vulnerability attack graph, then calculate the self risk and spread risk of the vulnerabilities by the connectivity operators, and finally obtain the global risk vector of the network system vulnerabilities by using VREA-CO. The method can effectively identify the influence of different security vulnerabilities on the network system and help managers focus on the targets of defense. The proposed method has the following two characteristics and advantages:
(1) The evaluation of VAG node connectivity by CVSS is proposed. We make a quantitative analysis of the information accessibility, host connectivity and vulnerability availability between nodes by referring to the three CVSS properties AV, AU and AC, and propose a calculation method for node connectivity. The quantitative approach given in the paper, being based on CVSS, has authority and credibility, and its application is simpler and more convenient.
(2) The risk matrix connectivity operators and VREA-CO are proposed. The connectivity between any two vulnerabilities can be calculated using the connectivity operators, which lays the foundation for the quantitative assessment of vulnerability risk; VREA-CO integrates the self risk and spread risk of vulnerabilities into a global evaluation of system vulnerability risk, which is more reasonable and credible.
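The operators of Definition 6 and the VREA-CO steps of Section V.C, applied to the single-step matrix M and value vector U of the example in Section VI with n = 3 and v = 5 (an added Python illustration, not the authors' code; it assumes M^(1) = M, so the ⊗ iteration starts from M itself).

```python
from typing import List, Tuple

Matrix = List[List[float]]

# Single-step risk matrix M and value vector U of the example in Section VI (n = 3, v = 5).
M_EXAMPLE: Matrix = [
    [0.35, 0.45, 0.47, 0.00, 0.00],
    [0.00, 0.00, 0.00, 0.54, 0.00],
    [0.00, 0.00, 0.00, 0.43, 0.43],
    [0.00, 0.00, 0.00, 0.00, 0.55],
    [0.00, 0.00, 0.00, 0.00, 0.00],
]
U_EXAMPLE: List[float] = [0.183, 0.183, 0.403, 0.312, 0.532]


def conn_mul(a: Matrix, b: Matrix) -> Matrix:
    """Connectivity multiplication (Definition 6):
    (a ⊗ b)_ij = 1 - prod_k (1 - a_ik * b_kj), i.e. the paths i->k->j taken in parallel."""
    v = len(a)
    out = [[0.0] * v for _ in range(v)]
    for i in range(v):
        for j in range(v):
            miss = 1.0   # probability that none of the paths through some k connects i to j
            for k in range(v):
                miss *= 1.0 - a[i][k] * b[k][j]
            out[i][j] = 1.0 - miss
    return out


def conn_add(a: Matrix, b: Matrix) -> Matrix:
    """Connectivity addition (Definition 6): (a ⊕ b)_ij = 1 - (1 - a_ij)(1 - b_ij);
    folded over M, M^(2), ..., M^(n) it yields beta_ij = 1 - prod_r (1 - p_ij^(r))."""
    return [[1.0 - (1.0 - x) * (1.0 - y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def comprehensive_connectivity(m: Matrix, n: int) -> Matrix:
    """M_o = M ⊕ M^(2) ⊕ ... ⊕ M^(n), with M^(r) = M^(r-1) ⊗ M (assumes M^(1) = M)."""
    m_r, m_o = m, m
    for _ in range(2, n + 1):
        m_r = conn_mul(m_r, m)
        m_o = conn_add(m_o, m_r)
    return m_o


def vrea_co(m: Matrix, u: List[float], n: int) -> Tuple[List[float], List[float], List[float]]:
    """VREA-CO: returns (R_s, R_o, R_w) with R_s(k) = mu(k) * sum_l beta_lk (risk reaching k),
    R_o(k) = sum_l beta_kl * mu(l) (risk spread from k) and R_w = R_s + R_o."""
    m_o = comprehensive_connectivity(m, n)
    v = len(m)
    r_s = [u[k] * sum(m_o[l][k] for l in range(v)) for k in range(v)]
    r_o = [sum(m_o[k][l] * u[l] for l in range(v)) for k in range(v)]
    r_w = [s + o for s, o in zip(r_s, r_o)]
    return r_s, r_o, r_w


def severity_order(r_w: List[float]) -> List[int]:
    """1-based node numbers ordered from highest to lowest global risk."""
    return [i + 1 for i in sorted(range(len(r_w)), key=lambda i: -r_w[i])]


if __name__ == "__main__":
    r_s, r_o, r_w = vrea_co(M_EXAMPLE, U_EXAMPLE, n=3)
    print("R_s", [round(x, 3) for x in r_s])
    print("R_o", [round(x, 3) for x in r_o])
    print("R_w", [round(x, 3) for x in r_w], "order", severity_order(r_w))
```

Applied literally to this M and U, the definitions give a global risk vector whose five entries all lie below 1, with n5 ranked just above n1, so the computation does not reproduce the magnitudes or the exact order of the vector reported in Section VI; the page does not state the scaling behind those figures.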

REFERENCES

[1] Zhang Youchun, Wei Qiang, et al. Architecture of vulnerability discovery technique for information systems [J]. Journal on Communications, 2011, 32(2): 42-47.
[2] Ye Yun, Xu Xishan, et al. Research on the risk adjacency matrix based on attack graphs [J]. Journal on Communications, 2011, 32(5): 112-120.
[3] Pan Xiaozhong, He Jianghu, et al. Visualization of Risk Assessment Using Matrix Based on Attack Graph [J]. Journal of Chinese Computer Systems, 2013, 34(3): 553-556.
[4] Chen Feng, Zhang Yi, et al. Research of Quantitative Vulnerability Assessment Based on Attack Graphs [J]. Computer Engineering and Science, 2010, 30(10): 8-11.
[5] Wang Yongjie, Xian Ming, et al. Study of network security evaluation based on attack graph model [J]. Journal on Communications, 2007, 28(3): 29-34.
[6] He Jianghu, Pan Xiaozhong. Algorithm of attack graph generation based on attack cost of vuln nerability relations [J]. Application Research of Computers, 2012, 29(5): 1907-1909.
[7] Wang Huimei, Xian Ming, et al. A Network Attack Decision-making Algorithm Based on the Extended Attack Graph [J]. Journal of Electronics & Information Technology, 2011, 33(12): 3015.
