DOI: 10.1145/586110.586140

Scalable, graph-based network vulnerability analysis

Published: 18 November 2002

ABSTRACT

Even well administered networks are vulnerable to attack. Recent work in network security has focused on the fact that combinations of exploits are the typical means by which an attacker breaks into a network. Researchers have proposed a variety of graph-based algorithms to generate attack trees (or graphs). Either structure represents all possible sequences of exploits, where any given exploit can take advantage of the penetration achieved by prior exploits in its chain, and the final exploit in the chain achieves the attacker's goal. The most recent approach in this line of work uses a modified version of the model checker NuSMV as a powerful inference engine for chaining together network exploits, compactly representing attack graphs, and identifying minimal sets of exploits. However, it is also well known that model checkers suffer from scalability problems, and there is good reason to doubt whether a model checker can directly handle a realistic set of exploits for even a modest-sized network. In this paper, we revisit the idea of attack graphs themselves, and argue that they represent more information explicitly than is necessary for the analyst. Instead, we propose a more compact and scalable representation. Although we show that it is possible to produce attack trees from our representation, we argue that more useful information can be produced, for larger networks, while bypassing the attack tree step. Our approach relies on an explicit assumption of monotonicity, which, in essence, states that the precondition of a given exploit is never invalidated by the successful application of another exploit. In other words, the attacker never needs to backtrack. The assumption reduces the complexity of the analysis problem from exponential to polynomial, thereby bringing even very large networks within reach of analysis.
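The monotonic exploit chaining the abstract describes, as an added illustration that is not the paper's own code: each exploit is a requires/provides rule over attacker conditions, the reachable conditions are computed by forward chaining to a fixpoint (polynomial, because nothing is ever retracted), one exploit chain is read back from the fixpoint, and single exploits whose removal cuts every chain to the goal are identified. The hosts, services, exploit names and initial conditions are a constructed toy network, not the paper's case study.

```python
"""Monotonic exploit-chaining analysis: an added illustration, not code from
the paper. Exploits are requires/provides rules over attacker conditions.
Under the monotonicity assumption (no exploit ever invalidates another's
precondition) the conditions an attacker can reach are the least fixpoint of
forward chaining, so the analysis is polynomial in the number of exploits
and conditions rather than exponential in the number of network states."""

# Constructed sample: hosts, services and exploit names are made up for this
# example and are not the paper's case study. Each exploit maps to
# (preconditions, postconditions); conditions are opaque strings.
EXPLOITS = {
    "ftp_rhosts(attacker,web)": ({"user(attacker)", "ftp(web)"}, {"trust(web,attacker)"}),
    "rsh(attacker,web)":        ({"trust(web,attacker)", "rsh(web)"}, {"user(web)"}),
    "sshd_bof(web,db)":         ({"user(web)", "sshd(db)"}, {"user(db)"}),
    "ftp_rhosts(web,db)":       ({"user(web)", "ftp(db)"}, {"trust(db,web)"}),
    "rsh(web,db)":              ({"trust(db,web)", "rsh(db)"}, {"user(db)"}),
    "local_bof(db)":            ({"user(db)", "setuid(db)"}, {"root(db)"}),
}

# Conditions true before any exploit: the attacker's foothold plus the
# services a (constructed) scan reported on each host.
INITIAL = {"user(attacker)", "ftp(web)", "rsh(web)", "sshd(db)",
           "ftp(db)", "rsh(db)", "setuid(db)"}
GOAL = "root(db)"


def reachable(exploits, initial):
    """Forward-chain to a fixpoint.

    Returns (known, fired): every condition the attacker can establish and
    the exploits applied, in the order they became enabled. Each exploit
    fires at most once and every pass either fires one or terminates, so the
    loop does O(|E|^2) subset checks. This is only sound because conditions
    are never retracted: the monotonicity assumption."""
    known = set(initial)
    pending = dict(exploits)
    fired = []
    progress = True
    while progress:
        progress = False
        for name in list(pending):
            pre, post = pending[name]
            if pre <= known:
                known |= post
                fired.append(name)
                del pending[name]
                progress = True
    return known, fired


def attack_chain(exploits, initial, goal):
    """Read one exploit chain reaching goal back out of the fixpoint.

    producer[c] is the first exploit that established condition c. All of
    its preconditions were known before it fired, so walking producers
    backwards from the goal terminates and yields the exploits in an order
    an attacker could execute them. Returns None if goal is unreachable."""
    known, fired = reachable(exploits, initial)
    if goal not in known:
        return None
    producer, have = {}, set(initial)
    for name in fired:
        for cond in exploits[name][1] - have:
            producer[cond] = name
        have |= exploits[name][1]

    chain, visited = [], set()

    def require(cond):
        if cond in initial or cond in visited:
            return
        visited.add(cond)
        exploit = producer[cond]
        for pre in exploits[exploit][0]:
            require(pre)
        if exploit not in chain:
            chain.append(exploit)

    require(goal)
    return chain


def critical_exploits(exploits, initial, goal):
    """Exploits whose removal alone (patching that one vulnerability) makes
    goal unreachable. Each check is one more polynomial fixpoint, so this
    costs O(|E|) fixpoints instead of a search over attack-graph states."""
    critical = []
    for name in exploits:
        rest = {k: v for k, v in exploits.items() if k != name}
        if goal not in reachable(rest, initial)[0]:
            critical.append(name)
    return critical


if __name__ == "__main__":
    print("chain:", attack_chain(EXPLOITS, INITIAL, GOAL))
    print("critical:", critical_exploits(EXPLOITS, INITIAL, GOAL))
```

In the toy network there are two routes from the web host to the database host (the sshd overflow and a second rhosts/rsh hop), so neither of those exploits is critical on its own, while the initial foothold exploits and the local privilege escalation are; that is the kind of patch-prioritization answer the abstract argues can be produced without materializing the full attack graph. The caveat is the assumption itself: an exploit that invalidates a condition (for example one that crashes the service another exploit needs, or a defender's reaction during the attack) cannot be expressed as a requires/provides rule here and would have to be analyzed as a separate initial state. `critical_exploits` also only considers single-exploit cuts; minimal cut sets of size two or more need more than one fixpoint per candidate.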


Published in

CCS '02: Proceedings of the 9th ACM conference on Computer and communications security
November 2002, 284 pages
ISBN: 1581136129
DOI: 10.1145/586110

Copyright © 2002 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 1,261 of 6,999 submissions (18%)
