ABSTRACT
Even well-administered networks are vulnerable to attack. Recent work in network security has focused on the fact that combinations of exploits are the typical means by which an attacker breaks into a network. Researchers have proposed a variety of graph-based algorithms to generate attack trees (or graphs). Either structure represents all possible sequences of exploits, where any given exploit can take advantage of the penetration achieved by prior exploits in its chain, and the final exploit in the chain achieves the attacker's goal. The most recent approach in this line of work uses a modified version of the model checker NuSMV as a powerful inference engine for chaining together network exploits, compactly representing attack graphs, and identifying minimal sets of exploits. However, it is also well known that model checkers suffer from scalability problems, and there is good reason to doubt whether a model checker can directly handle a realistic set of exploits for even a modest-sized network. In this paper, we revisit the idea of attack graphs themselves, and argue that they represent more information explicitly than is necessary for the analyst. Instead, we propose a more compact and scalable representation. Although we show that it is possible to produce attack trees from our representation, we argue that more useful information can be produced, for larger networks, while bypassing the attack tree step. Our approach relies on an explicit assumption of monotonicity, which, in essence, states that the precondition of a given exploit is never invalidated by the successful application of another exploit. In other words, the attacker never needs to backtrack. The assumption reduces the complexity of the analysis problem from exponential to polynomial, thereby bringing even very large networks within reach of analysis.
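The monotone exploit chaining the abstract describes, as an added illustration rather than the paper's own code or model: exploits are hypothetical requires/provides rules over constructed attribute strings, the reachable attribute set is computed by forward chaining with no backtracking, and one sufficient exploit chain is then read back without building a full attack graph.

```python
# Constructed example of the monotone (no-backtracking) exploit chaining the
# abstract describes. Exploits, hosts and attribute names are hypothetical:
# each exploit requires a set of attributes and provides new ones.
EXPLOITS = {
    "e1": ({"conn(att,h1)", "vuln(h1,svcA)"}, {"user(h1)"}),
    "e2": ({"user(h1)", "conn(h1,h2)", "vuln(h2,svcB)"}, {"user(h2)"}),
    "e3": ({"user(h2)", "vuln(h2,local)"}, {"root(h2)"}),
    "e4": ({"conn(att,h2)", "vuln(h2,svcC)"}, {"user(h2)"}),  # needs direct reach
}
INITIAL = {"conn(att,h1)", "vuln(h1,svcA)", "conn(h1,h2)",
           "vuln(h2,svcB)", "vuln(h2,local)"}

def analyze(exploits, initial):
    """Forward chaining under monotonicity: attributes only accumulate, so each
    exploit fires at most once and no precondition is ever invalidated. At most
    len(exploits)+1 passes, each linear in the exploits: polynomial, no state enumeration."""
    have, fired, provider = set(initial), [], {}
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name in fired or not pre <= have:
                continue
            fired.append(name)
            changed = True
            for attr in post:
                if attr not in have:          # first provider of an attribute is recorded
                    have.add(attr)
                    provider[attr] = name
    return have, fired, provider

def attack_chain(exploits, initial, provider, goal):
    """Walk the provider map back from goal to one ordered exploit chain sufficient
    for it (no full attack graph needed); None if goal is unreachable."""
    if goal not in provider:
        return None
    chain = []
    def need(attr):
        if attr in initial:
            return
        ex = provider[attr]
        if ex in chain:
            return
        for pre in exploits[ex][0]:
            need(pre)                          # preconditions come first
        chain.append(ex)
    need(goal)
    return chain
```

The provider map is acyclic by construction (an exploit fires only after its preconditions are already available), so the backward walk terminates and yields exploits in a valid firing order.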
Index Terms
- Scalable, graph-based network vulnerability analysis