An Experimental Approach to Network Monitoring Using Quantitative Security Metrics

This paper presents our work in developing quantitative metrics for network security evaluation and monitoring. We introduce a unified security health index that indicates the security status of the network. Recent efforts have focused on a framework of security metrics derived from a variety of technical, organizational, and operational sources. However, network administrators have faced challenges in deploying these frameworks in operational networks. The challenges stem from the sheer volume of metrics and the difficulty of combining them into a unified security health index. Regardless, the time has come for security metrics to make the bridge from the theoretical to the practical. In this paper, our contribution is threefold. First, we conduct practical experiments of fusing security alerts extracted from the logs of the Snort Intrusion Detection System. The experiments are conducted against real network traces. Second, we classify Snort security alerts into well-defined metric groups. Our final contribution is to study the fusing of metric groups into a single overall metric using simple combination criterion. This metric represents the security status of a network. The results of this experimental work demonstrate that operational deployment of a security network health index framework is viable and can produce meaningful results if combined with existing security tools such as IDSs.