Attack Surface and Defense-in-Depth Metrics - January 2015
Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.
PI(s): Andy Meneely, Laurie Williams
Researchers: Kevin Campusano Gonzalez, Nuthan Munaiah, Jason King
HARD PROBLEM(S) ADDRESSED
- Security Metrics and Models - The project is to develop and analyze metrics that quantify the "shape" of a system's attack surface
- Scalability & Composability - The project uses call graph data beyond the attack surface to determine the risk of a given entry point
- Resilient Architectures - The project can be used to analyze large systems in terms of their inputs and outputs, providing information on the architecture of the system
PUBLICATIONS
Report papers written as a result of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.
ACCOMPLISHMENT HIGHLIGHTS
- Collectively, we have submitted two conference papers which are currently under review.
- Nuthan Munaiah, Kevin Campusano Gonzalez, and Andy Meneely have more results beyond their paper submitted in November, showing that their Defense in Depth metrics provide fine-grained information about the risk of the system based on what attackers can reach. Specifically, they used the change in method calls to measure how subsystems integrate and how that integration impacts the attack surface. Beyond that, they have applied the metrics to individual releases of their case study for an evolutionary analysis, which the related literature has not approached. The approach is more actionable than the metrics presented in the literature. The title of the paper is "On the Evolution of Fine-Grained Attack Surface Metrics".
- Andy Meneely presented at the October Quarterly meeting regarding initial results.