Jacek Rak · John Bay · Igor Kotenko · Leonard Popyack · Victor Skormin · Krzysztof Szczypiorski (Eds.)
Computer Network Security
7th International Conference on Mathematical Methods, Models, and Architectures
for Computer Network Security, MMM-ACNS 2017
Warsaw, Poland, August 28–30, 2017, Proceedings
LNCS 10446
Editors
Jacek Rak, Gdansk University of Technology, Gdansk, Poland
John Bay, Binghamton University, Binghamton, NY, USA
Igor Kotenko, St. Petersburg Institute for Informatics and Automation, St. Petersburg, Russia
Leonard Popyack, Utica College, Utica, NY, USA
Victor Skormin, Binghamton University, Binghamton, NY, USA
Krzysztof Szczypiorski, Warsaw University of Technology, Warsaw, Poland
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-65126-2 ISBN 978-3-319-65127-9 (eBook)
DOI 10.1007/978-3-319-65127-9
Library of Congress Control Number: 2017948184
LNCS Sublibrary: SL5 – Computer Communication Networks and Telecommunications
Choosing Models for Security Metrics Visualization
Maxim Kolomeec (1,3), Gustavo Gonzalez-Granadillo (2), Elena Doynikova (1,3),
Andrey Chechulin (1,3), Igor Kotenko (1,3, corresponding author), and Hervé Debar (2)
(1) St. Petersburg Institute for Informatics and Automation of the Russian
Academy of Sciences (SPIIRAS), 39, 14 Liniya, St. Petersburg, Russia
{kolomeec,doynikova,chechulin,ivkote}@comsec.spb.ru
(2) Institut Mines-Télécom, Télécom SudParis, CNRS UMR 5157 SAMOVAR, Evry, France
pci_gustavo@yahoo.com, herve.debar@telecom-sudparis.eu
(3) St. Petersburg National Research University of Information Technologies,
Mechanics and Optics, 49, Kronverkskiy Prospekt, Saint-Petersburg, Russia
Abstract. This paper aims at finding optimal visualization models for representation
and analysis of security related data, for example, security metrics, security incidents
and cyber attack countermeasures. The classification of the most important security
metrics and their characteristics that are important for their visualization are considered.
The paper reviews existing data representation and visualization models as well as models
suggested by the authors. In addition, the most suitable models for different metric groups
are outlined and analyzed. A case study is presented as an illustration of the way the
visualization models are integrated with different metrics for security awareness.
Keywords: Visualization model · Security metrics · Cost-sensitive metrics ·
Countermeasure selection · Security assessment
1 Introduction
Nowadays, cyber security situational awareness and countermeasure selection become
more and more relevant as cyber technology becomes an essential part of our
life. The appropriate mitigation of a given attack depends on the optimal selection of
security countermeasures. In order to select a countermeasure, it is important to identify
its attributes and properties as well as the consequences of its application. A great
number of studies propose cost-sensitive models [1,2] including various security
metrics to evaluate threats and select security countermeasures. However, due to the
complexity and sophistication of current attacks, the detection and reaction process
requires additional tools to help security analysts in the decision making process.
Approaches in this domain propose visualization models (e.g., graphical models
[3,4], and geometrical models [5,6]) to estimate and analyze the impact of cyber
events, making it possible to represent graphically scenarios of multiple attacks and to
select optimal countermeasures accordingly. However, the main issue faced nowadays
is to be able to select the appropriate model for the studied scenario.
© Springer International Publishing AG 2017
J. Rak et al. (Eds.): MMM-ACNS 2017, LNCS 10446, pp. 75–87, 2017.
DOI: 10.1007/978-3-319-65127-9_7
In this paper, we propose to analyze security metrics and visualization models with
the aim of obtaining conclusions on the best match among them in order to help
operators in the security monitoring and selection of security countermeasures against
a given attack scenario.
The rest of the paper is structured as follows: Sect. 2 introduces the different types
of metrics used for the security assessment and countermeasure selection. Section 3
presents the geometrical and graphical models used for the visualization of security
events. Section 4 discusses the complexity and usefulness of visualization models.
Section 5 describes visualization tools that implement suggested models, and provides
a case study to illustrate the applicability of our approach. Related works are presented
in Sect. 6. Finally, conclusions are presented in Sect. 7.
2 Metrics for the Security Assessment
Currently there are a lot of metrics for the security assessment and countermeasure
selection [1,2,7–12]. These metrics can be classified according to the object of
assessment. There are metrics that characterize networks, cyber attacks, attackers,
security incidents, and integral metrics that characterize common security level of the
analyzed system and that are used for the countermeasure selection [4,13]. These
objects can be compound (like network and attack) or not (like security incidents,
attackers and countermeasures). In addition, all these objects interact in the process of
security assessment and countermeasure selection, which leads to connections between
some groups of metrics (when the metrics of the next group are calculated using the
metrics of the previous group) and to the appearance of new metrics.
A network incorporates interconnected hosts, network hardware and services; hosts
include different software. Software and hardware, in turn, include vulnerabilities and
weak places. From the security assessment point of view, for instance, the following examples
of metrics can be outlined: the metrics that characterize a network – Percentage of Hosts
without Known Severe Vulnerabilities [12]; the metrics that characterize hosts and
software/hardware – Criticality, Business Value; the metrics that characterize
vulnerabilities – Exploitability, Impact [11].
We consider an attack as a sequence of attack actions that exploit network
vulnerabilities. From the attack and attack action point of view the following metrics can be
outlined: Severity, Complexity, Impact, and Probability. Metrics of this group are
calculated using metrics of the previous network group. In addition, new knowledge on
the possible attacks allows getting new metrics for the network objects, for example,
Number of Attacks through the Host [4,13].
We consider a security incident as a product of the event correlation process. The
following metrics that characterize security incidents can be outlined: Severity,
Confidence Level [4,13]. New knowledge on the security incidents allows getting new
metrics for the network and its objects, for example, Number of Incidents, Number of
Compromised Hosts. It also allows refining metrics of the attacker group, for example,
current position in the network and skills, and attack group, for example, Attack
Probability [4,13,14].
The main metrics that characterize countermeasures are: Countermeasure Efficiency,
Collateral Damage Potential, and Countermeasure Cost. Integral metrics that
are used to define common security level include: Risk, Attack Surface [9,10], and
Expected Losses [15]. For the countermeasure selection, cost sensitive metrics are
used. Cost sensitive metrics are widely proposed as a viable approach to find an
optimal balance between intrusion damages and response costs, and to guarantee the
choice of the most appropriate response without sacrificing the system functionalities.
The Net Present Value (NPV) allows discounting all expected costs and benefits
from an investment to its present value, taking into account the time value of money.
The Internal Rate of Return (IRR) considers the compounded annual rate of return the
project is expected to generate. The ROI index compares the benefits versus the costs
obtained for a given investment [1]. The Return On Security Investment (ROSI) is
a relative metric that compares the differences between the damages originated by
attacks (with and without countermeasures) against the cost of the countermeasure. The
Return On Response Investment (RORI) provides a qualitative comparison of response
candidates against an intrusion by considering response collateral damages and response
effects on intrusions [7].
3 Visualization Approaches
The current state of the art in visualization tools proposes a wide range of models. We
conditionally distinguish two kinds of visualization models: geometrical models
[5,6] and graphical models [3,4], used to estimate the impact of cyber security events and
to select countermeasures accordingly. The rest of the section details such models.
3.1 Geometrical Models
This section presents the different visualization models that use geometry as a tool to
compute the impact of cyber attacks and security countermeasures within an
information system.
We have proposed a polygonal model to calculate the impact of cyber events in
a 2-dimensional system. The approach considers information about all entities
composing an information system (e.g., users, IP addresses, communication protocols,
physical and logical resources, etc.), as well as contextual information (e.g., temporal,
spatial, historical conditions) to plot cyber attacks and countermeasures as polygons of
n sides. A variety of geometrical instances (e.g., regular and irregular polygons such as:
line segments, triangles, squares, pentagons, etc.) results from the analysis of the
entities' information included in a system, attack and/or countermeasure [16].
Each side of the polygon is computed as the contribution of the entity in the
execution of an event. The contribution for the user account dimension, for instance,
can be evaluated as the number of users affected by a given attack over the total number
of active users from the system. Following the CARVER methodology [17], which
considers six criteria (i.e., criticality, accessibility, recuperability, vulnerability, effect,
recognizability), we assign numerical values on a scale of 1 to 10 to each type of
elements within the axis. As a result, we obtain a weighting factor (WF) that is
associated with each type of element. Examples of visualization of attacks and
countermeasures in the polygonal system are shown in Fig. 1.
The three-dimensional model computes the volume of an information system,
an attack and/or a countermeasure or a group of them. We identified three main
dimensions that contribute directly to the execution of a given attack: User account
(subject), Resource (object), and Channel (the way to execute actions, e.g., connect,
read, write, etc.) [6]. The projection of the three axes in our coordinate system generates
a parallelepiped in three dimensions. The volume of this parallelepiped is equal to the
absolute value of the scalar triple product of all three vectors. The volume calculation
requires the computation of the contribution of each axis represented in the coordinate
system. This contribution is determined as the sum of each set of axis entities (e.g., user
account type, port class, resource type) times its associated weighting factor. Examples
of visualization of attacks and countermeasures in a 3D system are shown in Fig. 1.
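The axis contribution and the volume computation described for the polygonal and three-dimensional models, as an added JavaScript example that is not the authors' code. The inventory, the weighting factors and the sample attack and countermeasure are constructed; treating the overlap of two events as the entities they share on each axis is an assumption of this example.

```javascript
// Added example. Weighting factors (WF) per entity type on a 1..10 scale,
// as in the CARVER-based weighting described above. Values are constructed.
const WEIGHTS = {
  user: { admin: 9, standard: 4, guest: 1 },
  resource: { database: 10, webServer: 6, workstation: 3 },
  channel: { ssh: 8, https: 5, smtp: 3 },
};

// Constructed system inventory: entity id -> entity type, per axis.
const SYSTEM = {
  user: { u1: 'admin', u2: 'standard', u3: 'standard', u4: 'guest' },
  resource: { r1: 'database', r2: 'webServer', r3: 'workstation' },
  channel: { c1: 'ssh', c2: 'https', c3: 'smtp' },
};

const AXES = ['user', 'resource', 'channel'];

// Contribution of one axis: sum over the affected entities of the WF of
// their type (equivalent to "count per type times WF").
function axisContribution(axis, ids) {
  let total = 0;
  for (const id of new Set(ids)) { // a repeated id counts once
    const type = SYSTEM[axis][id];
    if (type === undefined) throw new Error(`unknown ${axis} entity: ${id}`);
    total += WEIGHTS[axis][type];
  }
  return total;
}

const cross = (a, b) => [
  a[1] * b[2] - a[2] * b[1],
  a[2] * b[0] - a[0] * b[2],
  a[0] * b[1] - a[1] * b[0],
];
const dot = (a, b) => a[0] * b[0] + a[1] * b[1] + a[2] * b[2];

// Volume of the parallelepiped spanned by three vectors: |a . (b x c)|.
function tripleProductVolume(a, b, c) {
  return Math.abs(dot(a, cross(b, c)));
}

// Volume of a system, attack or countermeasure, given the entity ids it
// involves on each axis. The three axes are taken as orthogonal.
function eventVolume(event) {
  const [u, r, c] = AXES.map((axis) => axisContribution(axis, event[axis]));
  return tripleProductVolume([u, 0, 0], [0, r, 0], [0, 0, c]);
}

// Assumption of this example: two events overlap in the entities they
// share on every axis; no shared entity on one axis means no joint volume.
function overlap(a, b) {
  const shared = {};
  for (const axis of AXES) {
    const inB = new Set(b[axis]);
    shared[axis] = a[axis].filter((id) => inB.has(id));
  }
  return shared;
}

// Compare a countermeasure with an attack: how much of the attack volume
// it covers and how much of its own volume lies outside the attack.
function assess(attack, countermeasure) {
  const attackVolume = eventVolume(attack);
  const countermeasureVolume = eventVolume(countermeasure);
  const coveredVolume = eventVolume(overlap(attack, countermeasure));
  return {
    attackVolume,
    countermeasureVolume,
    coveredVolume,
    coverage: attackVolume === 0 ? 0 : coveredVolume / attackVolume,
    outsideAttack: countermeasureVolume - coveredVolume,
  };
}

// Constructed sample events.
const WHOLE_SYSTEM = Object.fromEntries(
  AXES.map((axis) => [axis, Object.keys(SYSTEM[axis])]),
);
const ATTACK = { user: ['u2', 'u3', 'u4'], resource: ['r1', 'r2'], channel: ['c2'] };
const COUNTERMEASURE = { user: ['u1', 'u2', 'u3'], resource: ['r2'], channel: ['c2', 'c3'] };

console.log(eventVolume(WHOLE_SYSTEM), assess(ATTACK, COUNTERMEASURE));
```

A countermeasure with a large volume outside the attack touches users, resources or channels that the attack does not, which is where collateral damage would show up in this representation.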
Fig. 1. Geometrical Models: (a) Triangle, (b) Rhombus, (c) Pentagon, (d) Octagon,
(e) Single Volume, (f) Partially Joint Volumes, (g) Totally Joint Volumes, (h) Multiple Volumes,
(i) Triangular Prism, (j) Prism, (k) Octagonal Prism, (l) Multiple Prisms
A prismatic model is proposed to represent cyber security events (e.g., attacks,
countermeasures) as prismatic instances of n-sides. The base of the prism integrates the
information from the target’s side (internal entities), whereas the height of the prism
integrates the information from the attacker’s side (external entities). The approach
considers information about all entities composing an information system and the
attacker’s information (e.g., knowledge, motivation, skills, etc.), to plot cyber attacks
and countermeasures in a geometrical system. The ultimate goal of our model is to help
organizations make the most cost-effective decisions in minimizing the risk of the
studied cyber events [18]. A variety of geometrical instances (e.g., regular and irregular
prisms) results from the analysis of the internal and external information related to a
given cyber security event. Examples of visualization of attacks and countermeasures
in an N-Prismatic system are shown in Fig. 1.
3.2 Graphical Models
Graphical models are based on elements of Visual Grammar [19] such as abstract
objects (dot, line, plane, dimension, format), abstract structures (basic, formal,
gradation, concentric radial, centrifugal and not-formal structures), specific objects (shape,
size, color, tone, saturation, opacity), acts (repeat, mirror reflection, rotation, scaling,
movement, offset) and relationships (attraction, symmetry, balance, cluster, diffusion,
domination, variation, overlay). The combinations of these elements create different
graphical models that a user can easily interpret.
Graphical models can be classified in different ways, but the simplest classification
is the separation into numerical models – graphics that can visualize data objects; and not
numerical models – graphics that can visualize data objects and links between them.
The basic examples of numerical models are: charts [20] (Fig. 2a) – data visualized
using specific objects such as lines, areas, color and others; parallel coordinates [20] (Fig. 2b)
– data are represented as polylines that cross the metric scales; trilinear coordinates
[20] (Fig. 2c) – models in which objects are situated in trilinear coordinates; wind roses
[20] (Fig. 2d) – models where data are represented as polylines (as in parallel
coordinates) that cross the metric scales, but the scales are arranged in a radial structure; interval
graphs [20] (Fig. 2e) – processes are represented as lines or arcs, where their overlay on
specific axes represents the concurrent execution of processes.
The basic not numerical models are: graphs [20] (Fig. 2) – models where objects
are represented as vertexes and links as edges; matrices [20] (Fig. 2) – objects are
represented as axes and links as their crossings; treemaps [20] (Fig. 2) – hierarchical
models where objects are visualized as areas and links as object placement (linked
objects are placed inside each other); graphs with glyphs [20] (Fig. 2) – graph
models in which vertexes are replaced by stacked pie charts so that more metrics
of objects can be placed; Voronoi diagrams [3] (Fig. 2) – models where
objects are represented as polygons and links as tiny lines between the polygons;
Chord diagrams [21] (Fig. 2) – objects are represented as a donut chart and links as
edges between the chart's pieces; geo-maps [20] (Fig. 2) – models in which other models
are overlaid on geographical maps.
Above mentioned models have different advantages that depend on the use of
metrics for model construction and of the context in which the model is used.
4 Complexity and Usefulness of Visualization Models
It is important to understand that there is no universal visualization model that can
represent all stages of the risk analysis process. That is why analysts usually use slices of
data. Such slices have different properties, for example: dependencies of services have
a topology of links, event sequences are structured by time, a network and its segments
have a hierarchy, and countermeasures have no links or dependencies (if they do not
represent a connected set of different countermeasures).
At the same time, each model can describe only a few sets of metrics: for example,
2D linear charts have 2 axes, line thickness, color and opacity; and some analysts
try to combine or create new visualization models that can contain more metrics
specifically for the selected slice. Therefore it is not trivial to choose or create appropriate
visualization models. To understand how to choose a model for data slices we propose
a methodology that chooses a visualization model or hierarchically creates a model
depending on the properties of the slice. This methodology includes 4 simple steps:
(1) data slicing, (2) definition of a set of models, (3) generation of a set of new models
and (4) model choosing from the set.
Step 1 – data slicing. Depending on the risk analysis goal we need to select the
data subset – the slice. A typical case that can become a problem is when the data set
consists of too many objects (example: host with 50 attributes) or the data set is deeply
nested (example: data represent networks that contain hosts with software
vulnerabilities). If we try to visualize this set, we will obtain a complex image. That is why it is
strongly recommended to minimize the set structure to a few necessary attributes and
nesting levels using data aggregation. Data aggregation is a complex standalone task,
and it will be considered in future works.
Fig. 2. Graphical models: (a) Chart, (b) Parallel coordinates, (c) Trilinear coordinates,
(d) Wind rose, (e) Interval graph, (f) Graph, (g) Matrix, (h) Treemap, (i) Graph with glyphs,
(j) Voronoi diagram, (k) Chord diagram, (l) Geo-maps
Step 2 – definition of a set of models. At this step we associate the data slice with
visualization models. To do this, we have to select the attributes of the slice. The set of
basic attributes that we can determine is a more detailed description of the "numerical" and
"not numerical" data classification:
• Not linked – the slice that can be described as an object or independent list of
objects characterized by numerical data. For example: list of vulnerabilities,
aggregated parameters of network, attacker parameters.
• Not structured linked – the slice that contains dependent data. The basic example is
the network topology.
• Planar linked – the slice that contains dependent data that can be represented as a
planar graph. The basic example is the network topology on the physical level.
• Hierarchy linked – the slice that contains dependent data that can be represented as
a tree. An example – an attack tree.
• Multiply linked – the slice that contains dependent data with different types of links.
For example, a network topology (not structured links) including an attack tree
(hierarchy linked).
Examples of association with models from Sect. 3 are shown in Table 1.
Table 1. Association of data slice attributes with models
Data slice attributes | Model
Not linked | All geometrical models, charts, parallel coordinates, trilinear coordinates, wind roses, interval graphs
Linked, not structured | Graphs, glyphs, matrices
Linked, planar structured | Graphs, glyphs, matrices, Voronoi diagrams
Linked, hierarchy structured | Graphs, glyphs, matrices, treemaps
Linked, multiply structured | Graphs, glyphs, matrices, Chord diagrams
Step 3 – generation of a set of new models. It is entirely possible that data in
the selected slice are deeply nested. A simple example of this case is a slice that
contains 3 nested sets: hosts with the network topology, software on the hosts that
depend on each other, independent software vulnerabilities.
Each of these nested sets represents a different level of abstraction. We can try to
visualize all levels at the same time in one visualization model, but it is possible that
the results will be difficult to read. Another approach is to visualize each abstraction level
on demand, for example, to expand a host by a click, but in this case we will not see the
whole data at the same time. Another approach is to create a specific visualization
model for the selected slice.
The basic way of the model creation is the hierarchical visualization, where every
abstract level is a single visualization model. According to this, we have to separate the
slice by abstraction levels.
For example, a slice for the definition of the impact propagation via service dependencies
can be separated into two abstraction levels: (1) high level – services and their dependencies
with weights; (2) low level – service characteristics (intrinsic criticality and
vulnerability level). For every abstraction level we select the model according to the association
between properties and models (see Table 1). Results for a given example are shown in
Table 2. Finally, the model of the low level overlaps with the elements of the model of the
high level. Examples are graphs with glyphs (Fig. 2), in which glyphs overlap with
graph nodes, and geo-maps, in which graphs overlap with geographical maps (Fig. 2).
Step 4 – model choosing from the set. At the last step we have the set of the
models that we selected at step 2 and the models that we created at step 3. It is always
better to choose models that are easily readable and have no external dimensions. It is
also common to find a situation when the final set contains only hard-to-read models. It
means that the selected slice has many abstraction levels or too many data dimensions.
The best solution is to reduce the selected data slice and go to step 1.
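Step 2 of the methodology, as an added JavaScript example that is not the prototype's code: it reads an objects CSV and a links CSV, derives the data slice attribute and returns the candidate models from Table 1. The column names (id, source, target, type) and all sample rows are constructed; planarity is not tested, so a cyclic single-type slice is reported as not structured together with a flag saying whether Euler's edge bound still leaves the planar row of Table 1 open.

```javascript
// Table 1 of the paper: data slice attribute -> candidate visualization models.
const TABLE_1 = {
  'Not linked': ['All geometrical models', 'charts', 'parallel coordinates',
    'trilinear coordinates', 'wind roses', 'interval graphs'],
  'Not structured': ['Graphs', 'glyphs', 'matrices'],
  'Planar structured': ['Graphs', 'glyphs', 'matrices', 'Voronoi diagrams'],
  'Hierarchy structured': ['Graphs', 'glyphs', 'matrices', 'treemaps'],
  'Multiply structured': ['Graphs', 'glyphs', 'matrices', 'Chord diagrams'],
};

// Minimal CSV reader for the constructed samples below (header row, no quoted fields).
function parseCsv(text) {
  const [header, ...rows] = text.trim().split(/\r?\n/)
    .map((line) => line.split(',').map((cell) => cell.trim()));
  return rows.map((row) => Object.fromEntries(header.map((h, i) => [h, row[i] ?? ''])));
}

// Derive the slice attribute from the objects file and the optional links file.
// Assumed columns (not from the paper): objects have "id"; links have
// "source", "target" and "type".
function classifySlice(objectsCsv, linksCsv = '') {
  const objects = parseCsv(objectsCsv);
  const links = linksCsv.trim() ? parseCsv(linksCsv) : [];
  const ids = new Set(objects.map((o) => o.id));
  const pick = (attribute, extra = {}) => ({ attribute, models: TABLE_1[attribute], ...extra });

  if (links.length === 0) return pick('Not linked');
  for (const l of links) {
    if (!ids.has(l.source) || !ids.has(l.target)) {
      throw new Error(`link references unknown object: ${l.source} -> ${l.target}`);
    }
  }
  // Different types of links in one slice: "multiply linked".
  if (new Set(links.map((l) => l.type)).size > 1) return pick('Multiply structured');

  // Union-find over undirected, de-duplicated edges: an edge whose two ends
  // are already in the same component closes a cycle, so the slice is not a tree.
  const parent = new Map([...ids].map((id) => [id, id]));
  const find = (x) => {
    while (parent.get(x) !== x) x = parent.get(x);
    return x;
  };
  const edges = new Set();
  let cyclic = false;
  for (const { source, target } of links) {
    if (source === target) { cyclic = true; continue; } // self-loop
    const key = JSON.stringify([source, target].sort());
    if (edges.has(key)) continue;
    edges.add(key);
    const a = find(source);
    const b = find(target);
    if (a === b) cyclic = true; else parent.set(a, b);
  }
  if (!cyclic) return pick('Hierarchy structured'); // a tree (or a forest of trees)

  // Euler's bound E <= 3V - 6 (V >= 3) is necessary for planarity, not sufficient:
  // when it fails the slice is certainly not planar, otherwise it is undecided.
  const planarNotRuledOut = ids.size < 3 || edges.size <= 3 * ids.size - 6;
  return pick('Not structured', { planarNotRuledOut });
}

// Constructed sample slices.
const VULNERABILITIES_CSV = `id,exploitability,impact
vuln-1,8.6,6.4
vuln-2,3.9,2.9`;
const TREE_OBJECTS_CSV = `id
root
step-a
step-b
step-c`;
const TREE_LINKS_CSV = `source,target,type
root,step-a,refines
root,step-b,refines
step-a,step-c,refines`;
const HOSTS_CSV = `id,criticality
internet,0.1
router,0.6
firewall,0.8
database,0.9
user-pc,0.3`;
const HOST_LINKS_CSV = `source,target,type
internet,router,connection
router,firewall,connection
firewall,database,connection
router,database,connection
router,user-pc,connection
internet,router,route
router,firewall,route
firewall,router,route
router,database,route`;

console.log(classifySlice(HOSTS_CSV, HOST_LINKS_CSV));
```

The last sample mirrors the situation of the case study slice, where network connections and an attacker's route are two different types of links in one slice.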
5 Implementation and Verification of the Approach
Implementation. Data visualization models were developed as a web-application
prototype that was implemented in JavaScript using Node.js on the server side, and D3.js
with THREE.js on the client side. The software architecture is similar to the visualization
pipeline [22] and it is shown in Fig. 3.
Table 2. Abstraction levels of the slice
Abstraction level | Data description | Properties | Model
High | Services and their dependencies with weights | Not structured | Graphs, glyphs, matrices
Low | Services characteristics | Not linked | All geometrical models, charts, parallel coordinates, trilinear coordinates, wind roses, interval graphs
Fig. 3. Software architecture
Using the application we can load metrics and other data as CSV files. Two types
of CSV can be loaded: (1) a file with objects and (2) a file with links.
Numerical models need only the file with objects, not numerical models need both of them. After that
we can simply connect graphical attributes of the models (size, color, dimensions, etc.)
with attributes from the CSV. As a result, we can visualize data using models in different
ways and select the most easily readable variant.
Case study. For the case study we present a small corporate network with the following
metrics and network attributes:
• Host attributes – number of software instances, number of services, number of
ports, performance rate, type of device, number of users, date of update, number of
incidents, medium severity of incidents, number of vulnerabilities, vulnerability,
compromising status, number of attacks, probability of attack, criticality.
• Links attributes – type of connection (optical fiber, wi-fi, etc.), level of connection
according to OSI model, traffic volume, noise immunity, channel capacity, status of
participation in the attack, number of attacks, criticality.
Hosts and links of physical level were visualized by the web-application prototype
to show the network topology. The result is shown in Fig. 4: network contains hosts of
different types (see Table 3). For visualization approach verification we provide two
examples. The first example is URL rewriting. The second example presents the
visualization of the computer network risks and attack routes for situational awareness.
Example 1. Example of geometrical visualization – URL Rewriting. The general
process starts when the attack (e.g., A3) accesses the URL of an external web
application and studies its behavior, and then the attacker rewrites the URL of the web
application to bypass any implemented security check (login, cookies, session). As
a result, the attacker bypasses security checks and accesses restricted information.
Fig. 4. Physical network topology (Color figure online)
Table 3. Network structure: external network, user PC, router, wi-fi, mobile device,
firewall, data base, virtualization server, virtual machine
Examples of countermeasures associated to attack A3 are: Deny or redirect requests
(C6); Disable URL-rewriting mode (C7); and Activate automatic expiring URLs (C8).
The graphical representation of each countermeasure vs. the detected attacks is
depicted in Fig. 5, where the blue parallelepiped represents attack A3 and the green
parallelepiped represents the countermeasures based on the affected users, resources
and channels.
Example 2.
Step 1. For situational awareness we select the following data slice from network attributes:
host attributes – medium severity of incidents, compromising status, number
of attacks, probability of attack, risk; links attributes – network level of
connection, status of participation in attack, number of attacks, criticality.
Step 2. According to Table 1 the slice is classified as "multiply structured" because
network level of connections can be represented as a fully connected graph
and we need to visualize the attacker's route. According to Table 1 the
possible models are: graphs, glyphs, matrices, chord diagrams. If we use graphs,
the final model will be hard to read because some edges must represent
network connections and some edges the attacker's route. As a result users
cannot effectively make out different types of edges. The rest of the models cannot
represent not-structured connections and the attacker's route at the same time and
we need to create a specific visualization model.
Step 3. For hierarchical visualization we need to divide slices into different levels of
abstraction (see Table 4).
Our decision (Fig. 6) is to visualize the high level as a matrix, the medium level as a graph,
and the low level as glyphs. Hosts are shown as diagonal glyphs, links – as glyphs above
the diagonal. A host's glyph consists of 4 parts: criticality (top-left), probability
(top-right), risk (bottom-left) and number of vulnerabilities (bottom-right). A link's
glyph has 2 parts: criticality (top) and probability (bottom). The network that was
provided in the case study is shown in Fig. 4 at the left side and the network with the
attacker route (internet –> router –> firewall –> router –> database) is shown at the
right side. The numerical parameters were normalized to values between zero and one
and are represented with blue, yellow, orange and red colors.
Fig. 5. Example of geometrical visualization of the attack and the countermeasure
6 Related Work
Current research focuses on simulation and visualization models as a tool to improve
the evaluation and selection of security countermeasures. Dini and Tiloca [8] propose
a simulation framework that evaluates the impact of cyber-physical attacks. However,
countermeasures are not considered in the evaluation process.
Kundur et al. [23] propose a paradigm for cyber attack impact analysis that employs
a graph-theoretic structure and a dynamical systems framework to model the complex
interactions amongst the various system components. The approach concentrates on the
attack impact but leaves aside the impact of mitigation actions in the evaluation. Duan
and Cleland-Huang [24] consider heuristic methods and genetic algorithm approaches
for the process of selecting a set of countermeasures. However, due to the complexity of the
search space, the heuristic approach is neither optimal nor complete. Howard et al. [9]
and Manadhata et al. [10] propose a model, called the attack surface model, that
quantitatively measures the level of exposure of a given system. This latter is limited to the
source code of the software to compare the risk level among similar options.
Table 4. Abstraction levels of the slice
Abstraction level | Data description | Properties | Model
High | Hosts and links | Not structured | Graphs, glyphs, matrices
Medium | Attacker's route | Not structured | Graphs, glyphs, matrices
Low | Host and links attributes | Not linked | All geometrical models, charts, parallel coordinates, trilinear coordinates, wind roses, interval graphs
Fig. 6. Matrices with glyphs
7 Conclusions
In this paper we presented a review and analysis of existing and suggested research on
data representation and visualization models. We outline the most suitable models for
different metric groups (including security and cost sensitive metrics) to match with
geometrical and graphical visualization models. The methodology that was suggested
in the paper can be used for selection and creation of new visualization models for
different stages of risk analysis. We also proposed the case study and examples of
metrics visualization. The future works will be focused on research of user cognition
for efficiency analysis and optimal ways for metrics representation.
Acknowledgements. This research is being supported by the grant of RSF #15-11-30029 in
SPIIRAS.
References
1. Schmidt, M.: Return on Investment (ROI): Meaning and Use. Encyclopedia of Business
Terms and Methods (2011). http://www.solutionmatrix.com/return-on-investment.html
2. Sonnenreich, W., Albanese, J., Stout, B.: Return on security Investment (ROSI) a practical
quantitative model. J. Res. Pract. Inf. Technol. 38(1), 45–56 (2006)
3. Kolomeets, M., Chechulin, A., Kotenko, I.: Visualization model for monitoring of computer
networks security based on the analogue of voronoi diagrams. In: International
Cross-Domain Conference, and Workshop on Privacy Aware Machine Learning for Health
Data Science (2016)
4. Doynikova, E., Kotenko, I.: Countermeasure selection based on the attack and service
dependency graphs for security incident management. In: Lambrinoudakis, C., Gabillon, A.
(eds.) CRiSIS 2015. LNCS, vol. 9572, pp. 107–124. Springer, Cham (2016).
doi:10.1007/978-3-319-31811-0_7
5. Gonzalez Granadillo, G., Garcia-Alfaro, J., Debar, H.: Using a 3D geometrical model to
improve accuracy in the evaluation and selection of countermeasures against complex cyber
attacks. In: Security and Privacy in Communication Networks, pp. 26–29 (2015)
6. Gonzalez Granadillo, G., Alvarez, E., El-Barbori, M., Garcia-Alfaro, J., Debar, H.: Selecting
optimal countermeasures for attacks against critical systems using the Attack Volume model
and the RORI index. J. Comput. Electr. Eng. 13–34 (2015)
7. Kheir, N., Cuppens-Boulahia, N., Cuppens, F., Debar, H.: A service dependency model for
cost-sensitive intrusion response. In: 15th European Symposium on Research in Computer
Security (ESORICS), pp. 626–642 (2010)
8. Dini, G., Tiloca, M.: A simulation tool for evaluating attack impact in cyber physical
systems. In: International Workshop Modelling and Simulation for Autonomous Systems,
pp. 77–94 (2014)
9. Howard, M., Wing, J.: Measuring relative attack surfaces. In: Computer Security in the 21st
Century, pp. 109–137 (2005)
10. Manadhata, P., Wing, J.: An attack surface metric. J. IEEE Trans. Softw. Eng. 37(3),
371–386 (2011)
11. Mell, P., Scarfone, K., Romanosky, S.: A complete guide to the common vulnerability
scoring system (CVSS) version 2.0. In: FIRST-Forum of Incident Response and Security
Teams, p. 23 (2007)
12. The Center for Internet Security. The CIS Security Metrics, 175 p. (2009)
13. Kotenko, I.V., Doynikova, E.: Dynamical calculation of security metrics for countermeasure
selection in computer networks. In: 24th Euromicro International Conference on Parallel,
Distributed and network-based Processing (PDP 2016), pp. 558–565. IEEE Computer
Society, Los Alamitos (2016)
14. Singhal, A., Ou, X.: Security risk analysis of enterprise networks using probabilistic attack
graphs. NIST Interagency Report 7788, Gaithersburg: National Institute of Standards and
Technology, 24 p. (2011)
15. Puangsri, P.: Quantified return on information security investment - a model for cost-benefit
analysis. Master Thesis, Delft University of Technology (2009)
16. Gonzalez Granadillo, G., Garcia-Alfaro, J., Debar, H.: An n-sided polygonal model to
calculate the impact of cyber security events. In: International Conference on Risks and
Security of Internet and Systems (2016)
17. Special operations forces intelligence and electronic warfare operations, appendix D: Target
analysis process, Federation of American Scientists (1991).
http://www.fas.org/irp/doddir/army/fm34-36/appd.htm
18. Gonzalez Granadillo, G., Rubio-Hernan, J., Garcia-Alfaro, J., Debar, H.: Considering
internal vulnerabilities and the attacker’s knowledge to model the impact of cyber events as
geometrical prisms. In: Conference on Trust, Security and Privacy in Computing and
Communications (2016)
19. Leborg, C.: Visual Grammar, 1st edn, p. 96. Princeton Architectural Press, New York (2006)
20. Kolomeec, M.V., Chechulin, A.A., Kotenko, I.V.: Methodological primitives for phased
construction of data visualization models. J. Internet Serv. Inf. Secur. (JISIS) 5(4), 60–84
(2015)
21. Holten, D.: Hierarchical edge bundles: visualization of adjacency relations in hierarchical
data. IEEE Trans. Vis. Comput. Graph. 12(5) (2006)
22. Haber, R.B., McNabb, D.A.: Visualization idioms: a conceptual model for scientific
visualization systems. In: Visualization in Scientific Computing, pp. 74–93. IEEE Computer
Society Press (1990)
23. Kundur, D., Feng, X., Liu, S., Zourntos, T., Butler-Purry, K.L.: Towards a framework for
cyber attack impact analysis of the electric smart grid. In: International Conference on Smart
Grid Communications, pp. 244–249 (2010)
24. Duan, C., Cleland-Huang, J.: Automated safeguard selection strategies. In: CTI Research
Symposium (2006)