Cukier wins CAREER Award

news story image

Congratulations to ISR-affiliated Assistant Professor Michel Cukier (ME), who has won a National Science Foundation Faculty Early Career Development (CAREER) Award for "Probabilistic Evaluation of Computer Security based on Experimental Data." The project will evaluate the security of a computer network based on experimental data such as vulnerability and attacker data collections.

The NSF CAREER program fosters the career development of outstanding junior faculty, combining the support of research and education of the highest quality and in the broadest sense.


Due to the complexity of current computer networks, any network contains at least some vulnerabilities that might be exploited by an attacker. Once a vulnerability is discovered, an important issue is to decide when it should be removed. For security concerns, the vulnerability should be immediately removed. However, this removal may impact other components of the network (e.g., some applications may no longer run if a "patch" is applied on the operating system).

To resolve these trade-offs among others, I propose to introduce a measure of computer security and to probabilistically quantify it based on experimental data. Applying this approach, the most critical vulnerabilities (i.e., prone to attacks) can be identified.

This proposal combines three aspects: a data collection of vulnerabilities and attacks, a formal description of vulnerabilities and attacks, and a probabilistic framework.

The first step for accurately evaluating computer security consists of collecting data. Since security data are very sensitive, very few of them are available. Therefore, I propose to build two experiments. The first experiment will consist of collecting data on network vulnerabilities, system vulnerabilities, and application vulnerabilities. New methods and tools will be developed for finding these vulnerabilities. The second experiment will focus on collecting data on attacks. Such data will be obtained by using dedicated networks for observing attackers.

In order to build the proposed probabilistic framework, vulnerabilities and attacks will be formally specified. I propose to describe vulnerabilities in a "privilege graph" where a node represents a set of privileges owned by some users and arcs indicate the flow of privilege between users. Moreover, I propose to use state machines for describing the different steps of attacks. The nodes in the state machine will be associated with levels of privilege and the arcs will indicate how privilege is gained. New tools will be developed for automatically building these privilege graphs and state machines from the collected data. The two formalisms will be the base on which the proposed probabilistic framework will be developed.

The proposed framework uses Bayesian estimation methods so that vulnerability and attack data collected on other networks can be used as a prior knowledge for evaluating computer security. Based on the data collected on vulnerabilities and attacks, I will identify similarities between the networks on which these data were collected and the network which security will be evaluated. Based on this prior knowledge, I will calculate the probability of different privilege gains for the privilege graphs. These results, which are a measure of the security of the network, will then show, for example, which vulnerabilities are the most critical for attacks.

This research will benefit the security community by providing a measure that is probabilistically quantified and is based on previous data collections of vulnerabilities (system, network, and application vulnerabilities) and attacks to assess the security of a computer network.

Published September 8, 2003