
Quantitative metrics for network security evaluation

Posted on: 2008-09-20
Degree: M.A.Sc
Type: Thesis
University: Carleton University (Canada)
Candidate: El-Hassan, Fadi
Full Text: PDF
GTID: 2448390005950054
Subject: Engineering
Abstract/Summary:
Quantitative security metrics have recently become an important research topic. In this thesis, a Hierarchical Quantitative Metrics (HQM) model is proposed and applied to represent important aspects of network security using quantitative metrics. Since Intrusion Detection Systems (IDSs) play a vital role in protecting networks, the well-known Snort IDS is used to explore methods for compressing the large amount of IDS-generated information into a few meaningful metrics. Three sets of metrics are extracted, corresponding to three ways of categorizing Snort alerts: by priority, by protocol type, and by attack classification. The effect of selecting different intrusion metrics on the evaluation approach is then analyzed experimentally. A prototype security evaluator is implemented to combine selected IDS metrics and deliver an overall intrusion metric, which serves as an external threat indicator. All experiments are conducted using real network traffic traces from the WIDE network.
Keywords/Search Tags: Metrics, Network, Security