Quantitative risk analysis of computer networks

Posted on: 2004-12-19
Degree: Ph.D.
Type: Dissertation
University: Dartmouth College
Candidate: Bilar, Daniel
Full Text: PDF
GTID: 1469390011458756
Subject: Computer Science
Abstract/Summary:
Quantitative Risk Analysis of Computer Networks (QSRA) addresses the problem of risk opacity of software in networks. It allows risk managers to get a detailed and comprehensive snapshot of the constitutive software on the network, assess its risk with the assistance of a vulnerability database, and manage that risk by rank-ordering the measures that should be taken to reduce it, subject to cost, functionality and risk constraints. A theoretical methodology is proposed and a prototype implementation has been developed. Six out-of-the-box popular operating systems were studied using the methodology and the prototype.

We find that around 75% of discovered vulnerabilities are patchable within two weeks, and around 90% within 40 days after initial discovery. We find a statistically significant difference in this patch-availability window between security-audited and non-security-audited software. Across the operating systems, the majority of faults give rise to availability and full-compromise consequences. There is a statistically significant difference between fault types: input validation faults are proportionally over-represented. There is a statistically significant difference between consequence types: full-compromise consequences are proportionally over-represented. There is, however, no statistically significant difference in fault or consequence proportions between the audited systems.

QSRA's risk assessment model calculated that for all audited systems, four to six months after their respective release dates, the probabilities are very high (66% to 99%) that an attacker can conduct a full-compromise attack, both remotely and locally. Risk management analysis for remote risk probabilities indicates that, given a moderate fault count, QSRA's 'highest risk' analytic risk mitigation strategy consistently outperforms the simpler strategy of choosing software with the highest vulnerability count. 'Highest risk' outperforms the undifferentiated 'highest count' strategy for at least four out of the six tested operating systems and for four out of five fault consequences.
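The following is an added illustration of why a 'highest count' ranking and a 'highest risk' ranking can disagree; it is example code written for this page, not QSRA's model or the dissertation's prototype. The risk model it assumes (each vulnerability carries an estimated exploitation probability and a consequence class; the probability that at least one vulnerability of a class is exploited is 1 minus the product of the per-vulnerability non-exploitation probabilities) and the three components with their costs, probabilities and counts are constructed for the example.

```python
"""Added example: greedy 'highest count' vs 'highest risk' mitigation.

Assumed toy model (not the dissertation's model): every known vulnerability
has an estimated probability of successful exploitation within the assessment
window and a consequence class ("full", "availability", ...). The chance that
at least one vulnerability of a class is exploited is 1 - prod(1 - p_i).
Mitigation = removing/replacing a whole component at a fixed cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    prob: float         # assumed exploitation probability within the window
    consequence: str    # consequence class of a successful exploit


@dataclass(frozen=True)
class Component:
    name: str
    cost: float         # assumed cost of removing/replacing this component
    vulns: tuple        # tuple of Vuln


def compromise_prob(components, consequence):
    """P(at least one vulnerability with this consequence is exploited)."""
    p_none = 1.0
    for comp in components:
        for v in comp.vulns:
            if v.consequence == consequence:
                p_none *= (1.0 - v.prob)
    return 1.0 - p_none


def select(components, budget, key):
    """Greedy selection: repeatedly mitigate the affordable component with the
    largest key value until the budget is exhausted or nothing scores > 0.
    Returns (mitigated, remaining)."""
    remaining = list(components)
    mitigated, spent = [], 0.0
    while True:
        affordable = [c for c in remaining if spent + c.cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=key)
        if key(best) <= 0:
            break
        mitigated.append(best)
        remaining.remove(best)
        spent += best.cost
    return mitigated, remaining


def highest_count(components, budget):
    """Undifferentiated strategy: rank by raw vulnerability count."""
    return select(components, budget, key=lambda c: len(c.vulns))


def highest_risk(components, budget, consequence="full"):
    """Analytic strategy: rank by each component's own contribution to the
    probability of the chosen consequence."""
    return select(components, budget,
                  key=lambda c: compromise_prob([c], consequence))


def sample_components():
    """Constructed sample: many low-impact faults vs. few severe ones."""
    return (
        Component("netsvc", 1.0, tuple(Vuln(0.2, "availability") for _ in range(5))),
        Component("rpcd", 1.0, (Vuln(0.6, "full"), Vuln(0.6, "full"))),
        Component("webd", 1.0, (Vuln(0.3, "full"),
                                Vuln(0.1, "availability"),
                                Vuln(0.1, "availability"))),
    )


def compare(components, budget, consequence="full"):
    """Residual probability of `consequence` after each strategy spends `budget`."""
    _, rest_count = highest_count(components, budget)
    _, rest_risk = highest_risk(components, budget, consequence)
    return {
        "highest_count": compromise_prob(rest_count, consequence),
        "highest_risk": compromise_prob(rest_risk, consequence),
    }


if __name__ == "__main__":
    for budget in (1, 2):
        print(budget, compare(sample_components(), budget))
```

With a budget of one mitigation, the count-driven strategy removes the component with five availability faults and leaves the full-compromise probability at about 0.888, while the risk-driven strategy removes the component with two high-probability full-compromise faults and brings it down to 0.3. With a budget of two, the gap is 0.84 versus 0.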
Keywords/Search Tags: Risk, Operating systems, Fault, Software