Analysis of Attack Graph Representations for Ranking Vulnerability Fixes

Software vulnerabilities in organizational computer networks can be leveraged by an attacker to gain access to sensitive information. Since fixing every vulnerability requires considerable effort, it is critical to rank the possible fixes by their importance. Centrality measures over logical attack graphs, or over the network connectivity graph, often provide a scalable method for finding the most critical vulnerabilities. In this paper we suggest an analysis of the planning graph, originating in classical planning, as an alternative to the logical attack graph, in order to improve the ranking produced by centrality measures. The planning graph also allows us to enumerate the set of possible attack plans and hence to directly count the number of attacks that use a given vulnerability. We evaluate a set of centrality-based ranking measures over the logical attack graph and over the planning graph, showing that metrics computed over the planning graph more rapidly reduce the set of shortest attack plans.
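The following is an added illustration of the planning-graph view described above; it is not the paper's code and does not reproduce its experiments. It models exploits as delete-free planning actions over a constructed toy network (hosts, the facts `user@web`, `root@db`, etc., and the vulnerability ids V1 to V5 are all hypothetical), builds the relaxed planning graph, enumerates every minimal attack plan, counts the plans that use each vulnerability, and then measures how quickly greedily fixing the top-ranked vulnerability empties the set of shortest attack plans. The centrality-based baseline over the logical attack graph is not implemented here.

```python
"""Planning-graph analysis of a toy attack graph (constructed example).

Exploits are delete-free planning actions: once the attacker gains a
capability (fact) it is never lost, which is the usual attack-graph
assumption.  Hosts and vulnerability ids V1..V5 are hypothetical."""

# name -> (vulnerability exploited, preconditions, effects)
EXPLOITS = {
    "e1": ("V1", {"attacker@internet"}, {"user@web"}),
    "e2": ("V2", {"user@web"}, {"root@web"}),
    "e3": ("V3", {"user@web"}, {"user@app"}),
    "e4": ("V4", {"root@web"}, {"root@db"}),
    "e5": ("V5", {"user@app"}, {"root@db"}),
    "e6": ("V2", {"user@app"}, {"root@app"}),           # V2 also present on app
    "e7": ("V4", {"root@app"}, {"root@db"}),            # V4 also present on app
    "e8": ("V5", {"attacker@internet"}, {"user@app"}),  # V5 also exposed to internet
}
INIT = {"attacker@internet"}
GOAL = "root@db"


def planning_graph(exploits, init):
    """Relaxed planning graph: alternating fact/action layers until fixpoint.
    Returns the first layer in which each fact and each action appears."""
    fact_level = {f: 0 for f in init}
    action_level = {}
    layer = 0
    while True:
        facts = set(fact_level)
        new = [a for a, (_, pre, _) in exploits.items()
               if a not in action_level and pre <= facts]
        if not new:
            return fact_level, action_level
        for a in new:
            action_level[a] = layer
            for f in exploits[a][2]:
                fact_level.setdefault(f, layer + 1)
        layer += 1


def executable(plan, exploits, init, goal):
    """A set of exploits is a valid plan if reachability restricted to that set
    applies every exploit in it and reaches the goal (no circular preconditions)."""
    fl, al = planning_graph({a: exploits[a] for a in plan}, init)
    return set(al) == set(plan) and goal in fl


def enumerate_plans(exploits, init, goal):
    """All minimal attack plans (frozensets of exploits) by backward search:
    pick an unachieved subgoal, branch over every exploit that achieves it."""
    found = set()

    def search(goals, plan):
        achieved = set(init).union(*(exploits[a][2] for a in plan))
        pending = sorted(g for g in goals if g not in achieved)
        if not pending:
            found.add(plan)
            return
        for a, (_, pre, eff) in exploits.items():
            if pending[0] in eff and a not in plan:
                search(goals | pre, plan | {a})

    search({goal}, frozenset())
    valid = {p for p in found if executable(p, exploits, init, goal)}
    return sorted((p for p in valid if not any(q < p for q in valid)),
                  key=lambda p: (len(p), sorted(p)))


def shortest(plans):
    """Subset of plans with the minimum number of exploits."""
    k = min((len(p) for p in plans), default=0)
    return [p for p in plans if len(p) == k]


def vuln_plan_counts(plans, exploits):
    """Rank vulnerabilities by the number of plans that exploit them (on any host)."""
    counts = {}
    for p in plans:
        for v in {exploits[a][0] for a in p}:
            counts[v] = counts.get(v, 0) + 1
    return counts


def greedy_fix_order(exploits, init, goal, shortest_only=True):
    """Repeatedly fix the top-ranked vulnerability (removing every exploit of it)
    and record how many shortest attack plans survive each fix."""
    remaining, history = dict(exploits), []
    plans = enumerate_plans(remaining, init, goal)
    while plans:
        ranked = shortest(plans) if shortest_only else plans
        counts = vuln_plan_counts(ranked, remaining)
        v = max(sorted(counts), key=counts.get)  # ties broken by vulnerability id
        remaining = {a: e for a, e in remaining.items() if e[0] != v}
        plans = enumerate_plans(remaining, init, goal)
        history.append((v, len(shortest(plans))))
    return history


if __name__ == "__main__":
    plans = enumerate_plans(EXPLOITS, INIT, GOAL)
    for p in plans:
        print(sorted(p), "->", sorted({EXPLOITS[a][0] for a in p}))
    print("plan counts:", vuln_plan_counts(plans, EXPLOITS))
    print("shortest-plan counts:", vuln_plan_counts(shortest(plans), EXPLOITS))
    print("greedy fixes:", greedy_fix_order(EXPLOITS, INIT, GOAL))
```

Two points the toy makes visible: a vulnerability present on several hosts (V2, V4, V5 above) is counted once per plan rather than once per attack-graph node, and the ranking depends on whether all minimal plans or only the shortest ones are counted; `greedy_fix_order` with `shortest_only=False` picks V1 first, while the shortest-plan ranking picks V5 first. Backward enumeration is exponential in general, so on a real network the plan set should be bounded (for example by plan length) before counting.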
