Pareto-Optimal Adversarial Defense of Enterprise Systems

The National Vulnerability Database (NVD) maintained by the US National Institute of Standards and Technology provides valuable information about vulnerabilities in popular software, as well as any patches available to address these vulnerabilities. Most enterprise security managers today simply patch the most dangerous vulnerabilities; an adversary can thus easily compromise an enterprise by using less important vulnerabilities to penetrate it. In this article, we capture the vulnerabilities in an enterprise as a Vulnerability Dependency Graph (VDG) and show that attack graphs can be expressed in them. We first ask the question: What set of vulnerabilities should an attacker exploit in order to maximize his expected impact? We show that this problem can be solved as an integer linear program. The defender would obviously like to minimize the impact of the worst-case attack mounted by the attacker, but the defender also has an obligation to ensure high productivity within his enterprise. We propose an algorithm that finds a Pareto-optimal solution for the defender that allows him to simultaneously maximize productivity and minimize the cost of patching products on the enterprise network. We have implemented this framework and show that the runtimes of our computations are all within acceptable time bounds even for large VDGs containing 30K edges and that the balance between productivity and impact of attacks is also acceptable.
