An Attack Graph Based Risk Management Approach of an Enterprise LAN

In today’s large, complex enterprise networks, security is a challenging task for most administrators. An attacker typically breaks into a network through a series of exploits, where each exploit in the series satisfies the precondition for subsequent exploits, creating a causal relationship among them. Such a series of exploits constitutes an attack path, and the set of all possible attack paths forms an attack graph. Even well-administered networks are susceptible to such attacks, because present-day vulnerability scanners can only identify vulnerabilities in isolation; logical formalism and correlation among these vulnerabilities, within a host or across multiple hosts, are needed to identify the overall risk to the network. In this paper we propose a novel approach that maps this problem into the artificial intelligence domain and finds an attack path consisting of logically connected exploits, which essentially shows the minimum number of exploits required to gain access to a critical network resource. The solution is further extended to form an attack graph and to find the set of vulnerabilities that are the root cause of the overall security threat to the enterprise network. The inherent time and scalability problems of attack graph generation are also addressed in this approach. Once the set of vulnerabilities has been identified for rectification, the network administrator can prioritize the vulnerability rectification procedure to make the network secure.
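The precondition/postcondition chaining described above can be sketched as a small forward search. This is an added example, not the paper's code: the hosts, exploit names and condition strings are constructed, and plain breadth-first search stands in for whatever planner the paper uses.

```python
from collections import deque

# Constructed model (not from the paper): exploit -> (preconditions, postconditions).
EXPLOITS = {
    "web_rce":      ({"net(attacker,web)", "vuln(web,httpd)"}, {"user(web)"}),
    "web_privesc":  ({"user(web)", "vuln(web,kernel)"}, {"root(web)"}),
    "db_weak_auth": ({"user(web)", "net(web,db)", "vuln(db,auth)"}, {"user(db)"}),
    "db_privesc":   ({"user(db)", "vuln(db,kernel)"}, {"root(db)"}),
    "ftp_overflow": ({"net(attacker,ftp)", "vuln(ftp,ftpd)"}, {"root(ftp)"}),
    "db_from_ftp":  ({"root(ftp)", "net(ftp,db)", "vuln(db,rpc)"}, {"root(db)"}),
}
# Constructed initial facts: reachability plus what a scanner reported per host.
INITIAL = frozenset({
    "net(attacker,web)", "net(attacker,ftp)", "net(web,db)", "net(ftp,db)",
    "vuln(web,httpd)", "vuln(web,kernel)", "vuln(ftp,ftpd)",
    "vuln(db,auth)", "vuln(db,kernel)", "vuln(db,rpc)",
})

def shortest_attack_path(initial, goal, exploits=EXPLOITS):
    """BFS over sets of attained conditions; returns a minimum-length exploit chain."""
    start = frozenset(initial)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if goal in state:
            return path
        for name, (pre, post) in sorted(exploits.items()):
            # Applicable only if every precondition holds and it grants something new.
            if pre <= state and not post <= state:
                nxt = state | post
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [name]))
    return None  # goal unreachable from these facts

def path_vulnerabilities(path, exploits=EXPLOITS):
    """Vulnerabilities the chain depends on: candidates for rectification."""
    return sorted(c for n in path for c in exploits[n][0] if c.startswith("vuln("))

if __name__ == "__main__":
    facts = INITIAL
    while (path := shortest_attack_path(facts, "root(db)")) is not None:
        vulns = path_vulnerabilities(path)
        print(path, "depends on", vulns)
        facts = facts - {vulns[0]}  # model patching one vulnerability, then re-plan
    print("root(db) no longer reachable")
```

Removing a `vuln(...)` fact and re-planning shows how rectifying one vulnerability lengthens or eliminates the shortest path, which is the prioritization signal the abstract refers to.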
