
Quantitative evaluation of computer security: a vulnerability-based approach (Evaluation quantitative de la sécurité informatique : approche par les vulnérabilités)

Géraldine Vache Marconato 1
1 LAAS-TSF - Équipe Tolérance aux fautes et Sûreté de Fonctionnement informatique
LAAS - Laboratoire d'analyse et d'architecture des systèmes
Abstract: This thesis presents a new approach to the quantitative security evaluation of computer systems. The main objective of this work is to define and evaluate several quantitative measures. These measures are probabilistic and aim at quantifying the influence of the environment on the security of a computer system, considering its vulnerabilities. Initially, we identified the three factors that have a high influence on the system state: 1) the vulnerability life cycle, 2) the attacker behaviour and 3) the administrator behaviour. We studied these three factors and their interdependencies and distinguished two main scenarios based on the nature of the vulnerability discovery, i.e. malicious or non-malicious. This step allowed us to identify the different states of the system considering the vulnerability exploitation process and to define four measures relating to the states of the system: vulnerable, exposed, compromised, patched and secure. To evaluate these measures, we modelled the process of system compromise through vulnerability exploitation. Afterwards, we characterized the vulnerability life cycle events quantitatively, using real data from a vulnerability database, in order to assign realistic values to the parameters of the models. Simulating these models enabled us to obtain the values of the four measures we had defined. Finally, we studied how to extend the modelling to consider several vulnerabilities. This approach thus allows the evaluation of measures that quantify the influence of several factors on system security.

Cited literature [52 references]
Contributor: Arlette Evrard
Submitted on: Wednesday, March 10, 2010 - 9:42:13 AM
Last modification on: Thursday, June 10, 2021 - 3:04:20 AM
Long-term archiving on: Friday, June 18, 2010 - 10:37:31 PM


  • HAL Id : tel-00462530, version 1


Géraldine Vache Marconato. Evaluation quantitative de la sécurité informatique : approche par les vulnérabilités. Informatique [cs]. INSA de Toulouse, 2009. Français. ⟨tel-00462530⟩


