[IEEE 2013 Eighth International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA) - Compiegne, France (2013.10.28-2013.10.30)]


A Quantitative Measure of the Security Risk Level of Enterprise Networks

Rashid Munir*, Jules Pagna Disso, Irfan Awan and Muhammad Rafiq Mufti

School of Computing, Informatics and Media, University of Bradford, UK

Email: [email protected]

Abstract—Along with the tremendous expansion of information technology and networking, the number of malicious attacks that disrupt business processes has increased. Despite such attacks, the aim of network administrators is to keep these systems delivering the services they are intended for. Currently, many research efforts are directed towards securing networks further, whereas little attention has been given to quantifying network security, which involves assessing how vulnerable these systems are to attack. In this paper, a method is devised to quantify the security level of IT networks. This is achieved by scanning the network with a vulnerability scanning tool (Nexpose) to identify the vulnerability level at each node, with findings classified into the severity buckets the scanner derives from Common Vulnerability Scoring System (CVSS) scores (critical, severe and moderate). A probabilistic approach is then applied to calculate an overall security risk level for sub-networks and for the entire network. It is hoped that these metrics will be valuable for any network administrator wishing to acquire an absolute risk assessment value for the network. The suggested methodology has been applied to the computer network of an existing UK organization with 16 nodes and a switch.

Keywords—Network security; vulnerability analysis; security assessment; enterprise network security

I. INTRODUCTION

Due to the rapid increase in network traffic and the growing complexity of computer networks, securing a network has become a huge challenge, especially in large organizations such as government agencies, laboratories and universities with a large number of users. Despite a large number of serious efforts to secure communication, a strong sense of insecurity still prevails. Attackers work hard to stay ahead of most solutions. More vulnerabilities are discovered and security patches are released; however, patches themselves sometimes cause more problems than they solve. Despite the evolution in protecting IT infrastructure against attacks, there is a feeling that the level of security of an enterprise is still unknown. The main challenge is how to measure the level of security following software updates, the addition or removal of software and users, the introduction of new hardware into the organization, and much more.

In small organizations, anti-virus products and firewalls are the tools used to protect networks from intrusions. However, such tools lack the substance on which a security metric can be built, since they only provide a snapshot of the security of a given system. In large organizations, Network Intrusion Detection Systems (NIDS) are deployed for intrusion detection and protection. To secure IT networks at enterprise level, it is necessary to evaluate the performance of these NIDS. This performance evaluation helps network administrators improve the level of security, but at the cost of degraded network performance [1].

Quantifying network security is a tedious and lengthy process, especially for large organizations, and needs special attention. Network security depends upon threats, policy updates, the emergence of new vulnerabilities and network traffic [2]. In general, scaling up a network introduces more vulnerabilities. To quantify the security of a network, it is essential to enumerate all the vulnerabilities using vulnerability scanning tools and then prioritize them with a vulnerability scoring method. This prioritization helps network administrators improve network security and reduce the risk of intrusion.

The main objective of this paper is to propose a novel security metric that provides a quantitative result as an absolute value. The Nexpose vulnerability scanning tool [3] is used to identify the vulnerability level at each node; findings are classified into the scanner's severity buckets (critical, severe and moderate), which it derives from Common Vulnerability Scoring System (CVSS) scores. The security risk level of each department and of the entire network is then computed with probability theory over the scanning tool's data.

The rest of the paper is organized as follows. Section II discusses existing related work along with a comparison of vulnerability scanning tools. The proposed work is given in Section III, and evaluation results are discussed in Section IV. Finally, conclusions and future work are given in Section V.

2013 Eighth International Conference on Broadband, Wireless Computing, Communication and Applications
978-0-7695-5093-0/13 $31.00 © 2013 IEEE
DOI 10.1109/BWCCA.2013.76

II. RELATED WORK

Measuring security risk at enterprise level is a big challenge for the network security community nowadays. Various security metrics exist, each with some limitations [4-6]. Metrics are helpful tools for security analysts in identifying the security risk level within an organization. This identification of security risk can also be used to distinguish the effectiveness of different components of a security program [7]. Furthermore, metrics can be used to increase the level of security awareness within an organization. Metrics make it easier for a security analyst to answer the questions most often raised by senior management, such as:

• Are we more secure than yesterday?

• How secure is the current network?

Much of the earlier work in security management was based on the Systems Security Engineering Capability Maturity Model (SSE-CMM), which primarily focuses on qualitative rather than quantitative measures. The National Institute of Standards and Technology (NIST) has put considerable effort into security performance measurement; for example, NIST SP 800-30, NIST SP 800-55, NIST SP 800-39 and NIST SP 800-27 describe risk management and security measurement guidance. There is still a need for a complete model that evaluates the security of an enterprise network quantitatively [8].

CVSS scores each vulnerability independently of the others with a numeric value between 0 and 10, whereas the CERT/CC approach gives a value in the interval 0-180. Some organizations, such as CERT/CC, Symantec, ISS and Cisco Systems, use a variety of metrics to determine a single overall threat score [9], but these do not provide a full solution for scoring the vulnerability of a network, as they are internet-centric and time-invariant [10]. In this way, the individual vulnerability scores are not aggregated to create a realistic picture of overall system security.

To protect a network against malicious intrusion, there is a need to assess the security risk level of that network [11]. In [5], a quantitative network security assessment approach is suggested which calculates the impact of a threat by counting the number of attacks over a specific period of time, since the threat impact should be fully understood in order to carry out an information security risk assessment. Grey-scale images were another approach, proposed in [6], to visualize the security level of an enterprise network. Similarly, the attack graph is a unique approach that shows each path that leads an attacker into the network. Different researchers have proposed different ways to generate attack graphs [12-14]. These attack graphs are adequate for measuring the security of a small network but scale poorly to enterprise level, and as the network state changes the attack graph changes as well. Therefore, at enterprise level there must be a way to generate attack graphs automatically.

Another idea for securing a network is the use of strong passwords, which are the most fundamental defense against attackers [15]. Certain attributes need to be addressed in making a password strong; for example, a password must be longer than 6 characters and must not equal the username. In information security, one of the most burning questions is why network security assessments fail. According to [15], the causes of this failure are poor or missing configuration, ignorance, failure to update, and human and policy factors.

A. Firewalls

The firewall concept was initially introduced around 1980, when most of the world's population was not yet familiar with the word internet. A major driver behind its adoption was the Morris worm of 1988, which damaged the networks of Berkeley, UC San Diego, Lawrence Livermore and NASA Ames Research Centre. Scientists like Dodong Sean James and Elohra from Digital Equipment Corporation wrote the first white paper on firewalls and introduced a packet filtering system in which a packet is passed or dropped based on rules defined by the administrator of that network.

B. Intrusion Detection Systems

Intrusion detection systems (IDS) have been developed in response to unwanted malicious traffic on major sites and networks [16]. One of the key features of an efficient IDS is to analyze the activities running on the system and to monitor the data provided by users. Pattern matching is the most important technique used by an IDS for analyzing and monitoring malicious traffic on the network. NIDS are now becoming an indispensable part of any organization. Organizations have been allocating substantial budgets to produce more efficient IDSs, which can be implemented in software or hardware [17, 18]. In order to secure a network, it is necessary to evaluate the performance of these NIDS. However, such a performance evaluation [19] of NIDS, while helpful in securing the network, does not cater for the overall security risk assessment of an organization.

C. Comparison of Vulnerability Scanning Tools

A vulnerability assessment (VA) tool, also called a security scanning tool, is a program that scans firewalls, networks and software applications for known vulnerabilities and reports potential exposures. Such tools also generate vulnerability reports covering technical and management issues in the form of text, charts and graphs. Various types of VA tool are available, differing from one another in their focus on enumerating the vulnerabilities present in one or more targets.

Fig. 1. Components of a vulnerability scanner: user interface, vulnerability scanning engine, vulnerability database and report generation.

The vulnerability scanner architecture shown in Figure 1 resembles that of an antivirus program: the VA database contains information about all known vulnerabilities, while an antivirus program's database contains information about attacks. VA plays an important role in securing any organization's IT infrastructure. Therefore, the SANS Institute lists it as a Critical Control and the US-based NIST as a Security Management Control that each organization must implement [20].

One of the VA tools most highly recommended by security personnel is Nessus. It is a commercial VA tool which is easy to use for configuring, patching and auditing networks. It provides a complete platform for compliance monitoring, vulnerability management, IT risk management, and attack detection and mitigation, and is regularly updated with more than 46,000 plug-ins [20]. The Home Feed version is available free of charge, but it provides only limited features and is not suitable for assessing the security risk level of enterprise networks.

For assessing security risk at enterprise level, Retina and Core Impact are the most popular commercial VA tools. The key functions performed by Retina are to assess security risk efficiently by discovering, prioritizing and fixing vulnerabilities of an enterprise network; it provides fast, flexible deployment to increase remote and local security across all IT assets. Core Impact provides a systematic solution for assessing the real-world security of endpoint systems, network devices, email users, mobile devices, web applications and wireless networks. SAINT is the only scanner available today that correlates severity levels with whether a finding is inferred or confirmed by exploit code [3].

Network Infrastructure Parser is another kind of VA tool. Its main function is to assess the security risk level of network devices such as firewalls, routers and switches. Its security audit report contains information about software versions, authentication passwords, authentication services, VPN configuration, etc.

Nexpose is a general-purpose vulnerability management tool designed to assess the security risk level of any kind of network. Its key functions are to detect, assess and mitigate the security risk posed by vulnerabilities, misconfigurations, policy violations and malware in IT environments comprising different operating systems, web applications and databases. Nexpose produces reliable results promptly compared with other VA tools. It is stand-alone software that interacts with the user through a web browser [3]. It works with Metasploit to exploit vulnerabilities, weights findings through the Common Vulnerability Scoring System, and then validates the security risk.

D. Common Vulnerability Scoring System

A number of commercial and non-commercial vulnerability scoring systems are described in the literature, of which CVSS is one of the most widely used open and understandable frameworks [10, 21]. It was introduced by the National Infrastructure Advisory Council (NIAC) in July 2003, and its latest version, CVSS v2, was released in June 2007. CVSS gives the user a composite score per vulnerability which reflects its overall severity and the security risk it poses to a system. It is organized into three metric groups: Base, Temporal and Environmental. Each group produces a numeric value ranging from 0 to 10. The Base metrics capture the intrinsic qualities of a vulnerability that are constant over time and across user environments. The Temporal metrics describe characteristics that change over time, whereas the Environmental metrics express characteristics that are unique to a particular user's environment.

CVSS is a very useful common language, designed especially for application vendors, researchers, IT managers and vulnerability bulletin providers [21]. Nowadays, the main concern of IT management is how to assess and prioritize all the vulnerabilities across different network platforms, and how to rectify high-risk vulnerabilities ahead of low-risk ones. For this purpose, IT management can draw on different scoring standards such as CVSS, the Microsoft Security Response Centre Security Bulletin Severity ratings, US-CERT and the SANS Institute [22].
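The Base group described above is the score a scanner such as Nexpose weights its findings by. The calculator below is an added worked example, not code from the paper, from Nexpose or from FIRST: it implements the CVSS v2 base equation and metric weights published in the guide cited as [21], including the half-up rounding the specification requires. The cut-offs it uses to turn a score into the paper's three buckets (critical, severe, moderate) are an assumption for illustration only; the page does not say where the scanner draws them.

```python
"""CVSS v2 base-score calculator (added worked example, not the paper's code).

Equations and metric weights follow the CVSS v2 guide [21]. SEVERITY_BUCKETS is
an ASSUMPTION made for illustration: the page only says the scanner's critical /
severe / moderate buckets are derived from CVSS, not where the cut-offs lie.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}       # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}    # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}      # Multiple / Single / None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}          # None / Partial / Complete

# ASSUMED cut-offs (lower bound inclusive) onto the paper's three buckets.
SEVERITY_BUCKETS = [(8.0, "critical"), (4.0, "severe"), (0.0, "moderate")]

REQUIRED = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
            "C": CIA_IMPACT, "I": CIA_IMPACT, "A": CIA_IMPACT}


def parse_vector(vector: str) -> dict:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, _, value = part.partition(":")
        if not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    for key, table in REQUIRED.items():           # reject missing or unknown values
        if metrics.get(key) not in table:
            raise ValueError(f"metric {key} missing or invalid in {vector!r}")
    return metrics


def round_to_1_decimal(x: float) -> float:
    """CVSS v2 rounds half up (4.25 -> 4.3); Python's round() would give 4.2."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """Return the CVSS v2 base score (0.0 - 10.0) for a base vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA_IMPACT[m["C"]]) * (1 - CIA_IMPACT[m["I"]])
                      * (1 - CIA_IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] \
        * AUTHENTICATION[m["Au"]]
    if impact == 0:
        return 0.0                                 # f(Impact) = 0: no CIA impact, no score
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def severity_bucket(score: float) -> str:
    """Map a base score onto the paper's three buckets (ASSUMED cut-offs)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for lower_bound, name in SEVERITY_BUCKETS:
        if score >= lower_bound:
            return name
    raise AssertionError("unreachable: SEVERITY_BUCKETS must end at 0.0")


if __name__ == "__main__":
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",   # remote, unauthenticated, full compromise
              "AV:L/AC:L/Au:N/C:C/I:C/A:C",   # local privilege escalation to root
              "AV:N/AC:M/Au:N/C:P/I:N/A:N",   # typical reflected XSS
              "AV:L/AC:L/Au:N/C:N/I:N/A:N"):  # no impact at all
        s = base_score(v)
        print(f"{v}  base={s:4.1f}  bucket={severity_bucket(s)}")
```

The local-root vector is worth running: its unrounded score is 7.15008..., which the specification's half-up rule turns into 7.2, so a calculator that uses a banker's-rounding `round()` on an intermediate that happens to land on an exact half would disagree with the published scores.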

Fig. 2. Network diagram


III. PROPOSED APPROACH

Enterprise networks have become essential to the operation of companies, laboratories, universities and government agencies. As networks grow in size and complexity, their security is becoming a critical concern. By increasing security spending, an organization can decrease the risk associated with security breaches. Vulnerabilities are regularly discovered in software applications and are exploited to stage cyber-attacks. Security intrusions could never arise if all vulnerabilities were removed and the ultimate goal of zero vulnerabilities were attained. Vulnerability removal reduces the number of entry points into the system, making the adversary's life increasingly harder (and ideally discouraging further attacks). There are commercial and non-commercial tools available to assess the fuzzy security risk level of a network, but these tools do not provide an absolute security risk level for the network. As a result, it is difficult to answer how secure an organization is, or whether it is secure enough. There is therefore a need for a quantitative security metric which provides an absolute value for the overall security risk level of a network.

TABLE I. NODES BY VULNERABILITY SEVERITY

Node  Operating System                              Critical  Severe  Moderate
N1    Linux 2.6.18-308.24.1.el5                     2         12      8
N2    ProCurve Series 2900 Switch                   2         -       2
N3    Microsoft Windows 7 Professional Edition SP1  -         2       -
N4    Apple Mac OS X 10.3.9                         -         -       -
N5    Apple Mac OS X 10.3.9                         -         -       -
N6    Microsoft Windows 7 Professional Edition SP1  -         2       -
N7    Microsoft Windows XP Professional SP3         365       68      3
N8    Microsoft Windows XP Professional SP3         365       68      3
N9    Microsoft Windows XP Professional SP3         365       68      3
N10   Motorola embedded                             -         -       1
N11   Microsoft Windows 7 Professional Edition SP1  -         2       -
N12   Apple Mac OS X 10.3.9                         -         -       -
N13   Apple Mac OS X 10.3.9                         -         -       -
N14   Microsoft Windows XP Professional SP3         365       68      3
N15   Apple Mac OS X 10.3.9                         -         -       -
N16   Apple Mac OS X 10.3.9                         -         -       -

A. TEST BENCH

To measure the security risk level in terms of an absolute value, we have evaluated a UK company which contains several departments. Each department runs a mix of operating systems, as shown in Figure 2. The network is composed of 16 computers connected through a ProCurve Series 2900 switch, which is directly connected to the organization's SME server in order to monitor all the traffic coming into and going out of the network. The Nexpose vulnerability scanning tool has been used to assess the vulnerability severity level of the network; the per-node findings are listed in Table I.

Fig. 3. Distribution of operating systems (number of nodes per OS: Microsoft Windows, Apple Mac OS X, Linux, Motorola embedded, ProCurve Series switch)

Figure 3 depicts the number of nodes along with their operating systems. Five different operating systems were identified during the network scan: MS Windows is found on seven systems, six nodes run Apple Mac OS X, and so on. Further, 23 different services were found during the scan.

Fig. 4. Nodes by vulnerability severity (number of nodes per class: critical, severe, moderate, clean)

Figure 4 shows the distribution of vulnerabilities over the different nodes. Six nodes contain critical vulnerabilities, eight nodes contain severe vulnerabilities and seven nodes contain moderate vulnerabilities, whereas six nodes are free from any known vulnerability.

IV. RESULTS AND DISCUSSIONS

Three scenarios have been proposed to quantitatively assess the security risk level of the existing UK company network in terms of an absolute value. Let the critical, severe and moderate vulnerabilities be represented by C, S and M respectively, and let $N_i$ represent the $i$th node in the network. We calculate the security risk level of each department and of the entire network with respect to all vulnerabilities and with respect to the individual classes (C, S and M).

Scenario-I

In this scenario we find the probability of attack on the IT (IT), Finance (FIN), Sales (SAL), Engineering (ENG) and Human Resource (HR) departments with respect to critical, severe and moderate vulnerabilities. These probabilities are calculated using the law of total probability over the nodes of each department. For the Finance department, which comprises nodes $N_3$, $N_4$ and $N_5$,

$$P(C_{\mathrm{FIN}}) = \sum_{i=3}^{5} P(C \mid N_i)\,P(N_i) = P(C \mid N_3)\,P(N_3) + P(C \mid N_4)\,P(N_4) + P(C \mid N_5)\,P(N_5) \quad (1)$$

Now, using Table I,


$$P(C_{\mathrm{FIN}}) = 0 \quad (2)$$

Similarly,

$$P(S_{\mathrm{FIN}}) = \sum_{i=3}^{5} P(S \mid N_i)\,P(N_i) = 33.3\% \quad (3)$$

$$P(M_{\mathrm{FIN}}) = \sum_{i=3}^{5} P(M \mid N_i)\,P(N_i) = 0 \quad (4)$$

$$P(C_{\mathrm{ENG}}) = \sum_{i=6}^{8} P(C \mid N_i)\,P(N_i) = 55.7\% \quad (5)$$

$$P(S_{\mathrm{ENG}}) = \sum_{i=6}^{8} P(S \mid N_i)\,P(N_i) = 43.7\% \quad (6)$$

$$P(M_{\mathrm{ENG}}) = \sum_{i=6}^{8} P(M \mid N_i)\,P(N_i) = 0.4\% \quad (7)$$

$$P(C_{\mathrm{SAL}}) = \sum_{i=9}^{10} P(C \mid N_i)\,P(N_i) = 41.8\% \quad (8)$$

$$P(S_{\mathrm{SAL}}) = \sum_{i=9}^{10} P(S \mid N_i)\,P(N_i) = 7.8\% \quad (9)$$

$$P(M_{\mathrm{SAL}}) = \sum_{i=9}^{10} P(M \mid N_i)\,P(N_i) = 50.3\% \quad (10)$$

$$P(C_{\mathrm{IT}}) = \sum_{i=11}^{13} P(C \mid N_i)\,P(N_i) = 0 \quad (11)$$

$$P(S_{\mathrm{IT}}) = \sum_{i=11}^{13} P(S \mid N_i)\,P(N_i) = 33.3\% \quad (12)$$

$$P(M_{\mathrm{IT}}) = \sum_{i=11}^{13} P(M \mid N_i)\,P(N_i) = 0 \quad (13)$$

$$P(C_{\mathrm{HR}}) = \sum_{i=15}^{16} P(C \mid N_i)\,P(N_i) = 0 \quad (14)$$

$$P(S_{\mathrm{HR}}) = \sum_{i=15}^{16} P(S \mid N_i)\,P(N_i) = 0 \quad (15)$$

$$P(M_{\mathrm{HR}}) = \sum_{i=15}^{16} P(M \mid N_i)\,P(N_i) = 0 \quad (16)$$

Since no C or M findings exist in the Finance department, this department is 100% secure in terms of critical and moderate vulnerabilities, as shown by Eqs. (2) and (4). It is also clear from Eq. (3) that the security risk level with respect to severe vulnerabilities is 33%, which implies that the Finance department is 67% secure according to the known vulnerabilities reported by Nexpose.

From Eqs. (5)-(7), the Engineering department is 44.3% secure in terms of critical vulnerabilities, 56.3% secure in the case of severe vulnerabilities and 99.6% secure with respect to moderate vulnerabilities.

From Eqs. (8)-(10), the Sales department is 58.2% secure in terms of critical vulnerabilities, 92.2% secure in the case of severe vulnerabilities and 49.7% secure with respect to moderate vulnerabilities.

From Eqs. (11)-(13), since no C or M findings exist in the IT department, this department is 100% secure in the case of critical and moderate vulnerabilities. The only class found is S, against which the department is 67% secure.

Finally, from Eqs. (14)-(16), since no vulnerability was found in the HR department, it is 100% secure in the case of all classes.

Scenario-II

Now we calculate the security risk level of attack on each department with respect to all vulnerabilities together. These probabilities are calculated using the inclusion-exclusion principle of probability over the node events of each department.

$$P(\mathrm{FIN}) = P\Big(\bigcup_{i=3}^{5} N_i\Big) = \sum_{i=3}^{5} P(N_i) - \sum_{3 \le i < j \le 5} P(N_i \cap N_j) + P(N_3 \cap N_4 \cap N_5) \quad (17)$$

$$= P(N_3) + P(N_4) + P(N_5) - P(N_3 \cap N_4) - P(N_4 \cap N_5) - P(N_3 \cap N_5) + P(N_3 \cap N_4 \cap N_5)$$

$$P(\mathrm{FIN}) = 0.1\% \quad (18)$$

$$P(\mathrm{ENG}) = P\Big(\bigcup_{i=6}^{8} N_i\Big) = \sum_{i=6}^{8} P(N_i) - \sum_{6 \le i < j \le 8} P(N_i \cap N_j) + P(N_6 \cap N_7 \cap N_8) \quad (19)$$

$$= P(N_6) + P(N_7) + P(N_8) - P(N_6 \cap N_7) - P(N_7 \cap N_8) - P(N_6 \cap N_8) + P(N_6 \cap N_7 \cap N_8)$$

$$P(\mathrm{ENG}) = 24.5\% \quad (20)$$

$$P(\mathrm{SAL}) = P(N_9 \cup N_{10}) = P(N_9) + P(N_{10}) - P(N_9 \cap N_{10}) \quad (21)$$

$$P(\mathrm{SAL}) = 24.6\% \quad (22)$$

$$P(\mathrm{IT}) = P\Big(\bigcup_{i=11}^{13} N_i\Big) = \sum_{i=11}^{13} P(N_i) - \sum_{11 \le i < j \le 13} P(N_i \cap N_j) + P(N_{11} \cap N_{12} \cap N_{13}) \quad (23)$$

$$= P(N_{11}) + P(N_{12}) + P(N_{13}) - P(N_{11} \cap N_{12}) - P(N_{12} \cap N_{13}) - P(N_{11} \cap N_{13}) + P(N_{11} \cap N_{12} \cap N_{13})$$

$$P(\mathrm{IT}) = 0.1\% \quad (24)$$

$$P(\mathrm{HR}) = P(N_{15} \cup N_{16}) = P(N_{15}) + P(N_{16}) - P(N_{15} \cap N_{16}) \quad (25)$$

$$P(\mathrm{HR}) = 0 \quad (26)$$

The Finance and IT departments have the same security risk level, 0.1%, which implies that these departments are 99.9% secure. The security risk levels of the Engineering and Sales departments are almost the same. Since the HR department was found to have no known vulnerability during the network scan, it is 100% secure.


Scenario-III

Now we find the security risk level of the entire organizational network with respect to all vulnerabilities. Let $P(\mathrm{NET})$ be the probability of attack on the entire network; then, again using the inclusion-exclusion principle, we have

$$P(\mathrm{NET}) = P\Big(\bigcup_{i=1}^{16} N_i\Big) = \sum_{k=1}^{16} (-1)^{k+1} \sum_{1 \le i_1 < \cdots < i_k \le 16} P(N_{i_1} \cap \cdots \cap N_{i_k}) \quad (27)$$

$$= \sum_{i=1}^{16} P(N_i) - \sum_{1 \le i < j \le 16} P(N_i \cap N_j) + \sum_{1 \le i < j < k \le 16} P(N_i \cap N_j \cap N_k) - \cdots + (-1)^{17}\, P(N_1 \cap N_2 \cap \cdots \cap N_{16})$$

After expanding Eq. (27) and substituting the probabilities obtained from Table I, we arrive at

$$P(\mathrm{NET}) = 28.9\% \quad (28)$$

This shows that the security risk level of the organization's entire IT network is 28.9%, which implies that the organizational network is 71.1% secure.
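The script below is an added worked example, not code from the paper: it rec omputes Scenarios I, II and III from Table I. The page gives the law of total probability and the inclusion-exclusion expansions but not the per-node terms, so the script assumes the two rules stated in its docstring (uniform node weight within a department and per-node class fractions for Scenario I; node probability proportional to the node's share of all findings, with independent node events, for Scenarios II and III). Under those assumptions it reproduces the Scenario I figures to within the paper's truncation (for example 55.8% against the reported 55.7% for critical findings in Engineering) and the 0.1%, 24.6%, 0.1% and 0 of Eqs. (18), (22), (24) and (26). It does not reproduce Eq. (20) or Eq. (28): the same rule gives 43.1% for Engineering and 68.2% for the whole network rather than 24.5% and 28.9%, so anyone reusing the method should establish which node probabilities and which independence assumption were actually applied before trusting a network-wide value. The node-to-department assignment is the one the paper's equations use.

```python
"""Recompute the paper's Scenario I-III figures from Table I (added example).

Two rules are ASSUMED because the page does not state the per-node terms:
  Scenario I : P(X_D) = sum_i P(X|N_i) P(N_i) over nodes N_i of department D,
               P(N_i) = 1/|D|, P(X|N_i) = X_i / (C_i+S_i+M_i), 0 for a clean node.
  Scenario II/III : P(N_i) = (C_i+S_i+M_i) / total findings on the network,
               node events independent, so P(N_i ∩ N_j) = P(N_i) P(N_j), etc.
Table I is transcribed from the page; membership follows Eqs. (17)-(25).
"""
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Node:
    name: str
    os: str
    critical: int
    severe: int
    moderate: int

    @property
    def total(self) -> int:
        return self.critical + self.severe + self.moderate

    def share(self, severity: str) -> float:
        """P(X | N_i): fraction of this node's findings in class X (0 if clean)."""
        count = {"C": self.critical, "S": self.severe, "M": self.moderate}[severity]
        return count / self.total if self.total else 0.0


TABLE_I = [
    Node("N1", "Linux 2.6.18-308.24.1.el5", 2, 12, 8),
    Node("N2", "ProCurve Series 2900 Switch", 2, 0, 2),
    Node("N3", "Windows 7 Professional SP1", 0, 2, 0),
    Node("N4", "Mac OS X 10.3.9", 0, 0, 0),
    Node("N5", "Mac OS X 10.3.9", 0, 0, 0),
    Node("N6", "Windows 7 Professional SP1", 0, 2, 0),
    Node("N7", "Windows XP Professional SP3", 365, 68, 3),
    Node("N8", "Windows XP Professional SP3", 365, 68, 3),
    Node("N9", "Windows XP Professional SP3", 365, 68, 3),
    Node("N10", "Motorola embedded", 0, 0, 1),
    Node("N11", "Windows 7 Professional SP1", 0, 2, 0),
    Node("N12", "Mac OS X 10.3.9", 0, 0, 0),
    Node("N13", "Mac OS X 10.3.9", 0, 0, 0),
    Node("N14", "Windows XP Professional SP3", 365, 68, 3),
    Node("N15", "Mac OS X 10.3.9", 0, 0, 0),
    Node("N16", "Mac OS X 10.3.9", 0, 0, 0),
]
NODES = {n.name: n for n in TABLE_I}

# Membership as used in Eqs. (17)-(25); N1, N2 and N14 belong to no department.
DEPARTMENTS = {
    "FIN": ["N3", "N4", "N5"],
    "ENG": ["N6", "N7", "N8"],
    "SAL": ["N9", "N10"],
    "IT": ["N11", "N12", "N13"],
    "HR": ["N15", "N16"],
}

TOTAL_FINDINGS = sum(n.total for n in TABLE_I)   # 1777 for the transcribed table


def severity_risk(department: str, severity: str) -> float:
    """Scenario I: P(X_D) by the law of total probability, X in {C, S, M}."""
    members = [NODES[name] for name in DEPARTMENTS[department]]
    p_node = 1.0 / len(members)                    # ASSUMED uniform P(N_i) within D
    return sum(n.share(severity) * p_node for n in members)


def node_probability(node: Node) -> float:
    """Scenario II/III: ASSUMED P(N_i) = node's share of all findings."""
    return node.total / TOTAL_FINDINGS


def union_probability(probs: list) -> float:
    """Inclusion-exclusion for P(N_1 ∪ ... ∪ N_k) with independent events:
    sum over k of (-1)^(k+1) * sum over k-subsets of prod(P(N_i))."""
    result = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        result += sign * sum(prod(subset) for subset in combinations(probs, k))
    return result


def independent_union(probs: list) -> float:
    """Closed form of the same quantity: 1 - prod(1 - P(N_i))."""
    return 1.0 - prod(1.0 - p for p in probs)


def department_risk(department: str) -> float:
    """Scenario II: P(D) = P(union of the department's node events)."""
    return union_probability([node_probability(NODES[n]) for n in DEPARTMENTS[department]])


def network_risk() -> float:
    """Scenario III: P(NET) = P(N_1 ∪ ... ∪ N_16)."""
    return union_probability([node_probability(n) for n in TABLE_I])


if __name__ == "__main__":
    for d in DEPARTMENTS:
        print(d, " ".join(f"{x}:{severity_risk(d, x):6.1%}" for x in "CSM"),
              f"any:{department_risk(d):6.1%}")
    print("NET", f"{network_risk():.1%}")
```

`union_probability` expands the inclusion-exclusion sum literally (65,535 subsets for 16 nodes) so that the reader can see Eq. (27) carried out; `independent_union` is the closed form it must equal once independence is assumed, and comparing the two is a cheap check that the expansion was done right.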

V. CONCLUSION AND FUTURE WORK

In this paper, a method has been proposed to quantify the security level of IT networks. This has been achieved by scanning the network with the VA tool Nexpose to identify the vulnerability level at each node, classified by severity derived from CVSS. Probability theory is then applied to calculate the overall security risk level for sub-networks and for the entire network. It is hoped that these metrics will be valuable for any network administrator wishing to acquire an absolute risk assessment value for the network. This study has considered known vulnerabilities as the prime factor of the risk metric. There are, however, many other factors that can influence the measure of security in an enterprise environment. It can be argued that this technique can be applied to assess the security risk level of any kind of IT network. Our future work will look into unknown vulnerabilities and human factors as sources of vulnerability.

REFERENCES

[1] R. Munir, A. Alhomoud, J. P. Disso and I. Awan, "On the Performance Evaluation of Intrusion Detection Systems," in Advances in Security Information Management: Perceptions and Outcomes, Nova Publishers, January 2013, pp. 117-138.

[2] E. Al-Shaer, L. Khan and M. S. Ahmed, "A comprehensive objective network security metric framework for proactive security configuration," in Proceedings of the 4th Annual Workshop on Cyber Security and Information Intelligence Research, 2008, p. 42.

[3] G. Lyon, "Top 100 Network Security Tools," SecTools.Org, 2006.

[4] J. Li and H. Wang, "A Quantification Method for Network Security Situational Awareness Based on Conditional Random Fields," in Proc. Fourth International Conference on Computer Sciences and Convergence Information Technology (ICCIT '09), 2009, pp. 993-998.

[5] R. Breu, F. Innerhofer-Oberperfler and A. Yautsiukhin, "Quantitative assessment of enterprise security system," in Proc. Third International Conference on Availability, Reliability and Security (ARES 08), 2008, pp. 921-928.

[6] A. Xie, C. Tang, N. Gui, Z. Cai, J. Hu and Z. Chen, "An Adjacency Matrixes-based Model for Network Security Analysis," in Proc. IEEE International Conference on Communications (ICC), 2010, pp. 1-5.

[7] S. C. Payne, "A guide to security metrics," SANS Institute Information Security Reading Room, 2006.

[8] A. Singhal and X. Ou, "Security risk analysis of enterprise networks using probabilistic attack graphs," US Department of Commerce, National Institute of Standards and Technology, 2011.

[9] Q. Liu and Y. Zhang, "VRSS: A new system for rating and scoring vulnerabilities," Computer Communications, vol. 34, pp. 264-273, 2011.

[10] P. Mell, K. Scarfone and S. Romanosky, "Common vulnerability scoring system," IEEE Security & Privacy, vol. 4, pp. 85-89, 2006.

[11] C. Phillips and L. P. Swiler, "A graph-based system for network-vulnerability analysis," in Proceedings of the 1998 Workshop on New Security Paradigms, 1998, pp. 71-79.

[12] P. Ammann, D. Wijesekera and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, pp. 217-224.

[13] O. Sheyner, J. Haines, S. Jha, R. Lippmann and J. M. Wing, "Automated generation and analysis of attack graphs," in Proc. 2002 IEEE Symposium on Security and Privacy, 2002, pp. 273-284.

[14] N. Ghosh and S. Ghosh, "An intelligent technique for generating minimal attack graph," in First Workshop on Intelligent Security (Security and Artificial Intelligence), 2009.

[15] K. Lam, D. LeBlanc and B. Smith, Assessing Network Security, Microsoft Press, 2009.

[16] J. Beale, A. R. Baker and J. Esler, Snort IDS and IPS Toolkit: Featuring Jay Beale and Members of the Snort Team, Syngress Press, 2007.

[17] P. Mell, V. Hu, R. Lippmann, J. Haines and M. Zissman, "An overview of issues in testing intrusion detection systems," US Department of Commerce, National Institute of Standards and Technology, 2003.

[18] R. Wallner, "Intrusion Detection Systems," 2003.

[19] A. Alhomoud, R. Munir, J. P. Disso, I. Awan and A. Al-Dhelaan, "Performance Evaluation Study of Intrusion Detection Systems," Procedia Computer Science, vol. 5, pp. 173-180, 2011.

[20] "Nessus, OpenVAS and Nexpose VS Metasploitable," HackerTarget. Available: http://hackertarget.com/nessus-openvas-nexpose-vs-metasploitable/

[21] P. Mell, K. Scarfone and S. Romanosky, "A complete guide to the common vulnerability scoring system version 2.0," FIRST (Forum of Incident Response and Security Teams), 2007, pp. 1-23.

[22] P. Mell, K. Scarfone and S. Romanosky, "A complete guide to the common vulnerability scoring system version 2.0," 2007, pp. 1-23.
