Approach to attack path generation based on vulnerability correlation

Network attack path analysis is an important method for analyzing the security status of a computer network: it automatically analyzes the correlation between network vulnerabilities and the potential threats that result from them, and it guides the establishment of network security policy. This paper chooses NVD and Bugtraq as vulnerability data sources and extracts the key properties required to build a vulnerability database, which mainly contains privilege-escalation vulnerabilities in Linux systems and common server software. An association analysis of the vulnerabilities and related information is performed, and their properties are abstracted to construct atomic attacks and a corresponding atomic attack database. A network attack model is constructed from network connectivity and host configuration. By matching atomic attacks from the attack database, the paper adopts a state comparison algorithm to mine the potential attack paths that may lead to specified attack goals. The experiment verifies that the proposed approach reduces the number of attack states effectively and mines all non-redundant attack paths.
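The pipeline the abstract describes, as a small added example that is not the paper's code: atomic attacks with preconditions and postconditions are matched against a host and connectivity model, and a search with state comparison mines paths to a goal. The hosts, connectivity and atomic attacks below are constructed, the vulnerability ids are placeholders, and the monotone depth-first search with a visited-state set is my own simplification of the paper's algorithm.

```python
# Constructed example (not from the paper): attacker starts with root on "attacker",
# two hosts, and the reachability the network allows. Vulnerability ids are placeholders.
HOSTS = {
    "web": {"services": {"httpd"}, "vulns": {"VULN-WEB-PLACEHOLDER"}},
    "db": {"services": {"mysqld"}, "vulns": {"VULN-DB-PLACEHOLDER", "VULN-LOCAL-PLACEHOLDER"}},
}
CONNECTIVITY = {("attacker", "web", "httpd"), ("web", "db", "mysqld")}  # (src, dst, service)

# Atomic attacks abstracted from vulnerability records. Precondition: privilege "need" on a
# host that reaches "service" on the target (on the target itself when service is None, i.e.
# a local attack) and the vulnerability present on the target. Postcondition: "gain".
ATOMIC_ATTACKS = [
    {"name": "httpd_rce", "vuln": "VULN-WEB-PLACEHOLDER", "service": "httpd", "need": "user", "gain": "user"},
    {"name": "mysqld_rce", "vuln": "VULN-DB-PLACEHOLDER", "service": "mysqld", "need": "user", "gain": "user"},
    {"name": "local_privesc", "vuln": "VULN-LOCAL-PLACEHOLDER", "service": None, "need": "user", "gain": "root"},
]
RANK = {"none": 0, "user": 1, "root": 2}

def priv(state, host):
    # Highest privilege the attacker holds on host in this state ("none" if absent).
    return max((p for h, p in state if h == host), key=RANK.get, default="none")

def applicable(state):
    """Yield (attack name, target, successor state) for every atomic attack whose
    preconditions hold and whose postcondition adds a privilege not already held."""
    for atk in ATOMIC_ATTACKS:
        for target, cfg in HOSTS.items():
            if atk["vuln"] not in cfg["vulns"] or RANK[priv(state, target)] >= RANK[atk["gain"]]:
                continue  # vulnerability absent, or the step would be redundant
            if atk["service"] is None:
                ok = RANK[priv(state, target)] >= RANK[atk["need"]]
            else:
                ok = atk["service"] in cfg["services"] and any(
                    RANK[priv(state, src)] >= RANK[atk["need"]]
                    for src, dst, svc in CONNECTIVITY if dst == target and svc == atk["service"])
            if ok:
                yield atk["name"], target, state | {(target, atk["gain"])}

def attack_paths(start, goal):
    """Depth-first search over monotone attacker states. State comparison: a state already
    reached is never expanded again, which bounds the search and drops re-orderings of the
    same step set. Each returned path is a list of (attack name, target host) steps."""
    paths, seen = [], set()
    def dfs(state, path):
        if goal in state:
            paths.append(path)
            return
        for name, target, nxt in applicable(state):
            if nxt not in seen:
                seen.add(nxt)
                dfs(nxt, path + [(name, target)])
    dfs(frozenset(start), [])
    return paths
```

For the constructed network, `attack_paths({("attacker", "root")}, ("db", "root"))` yields the single chain web compromise, database compromise, local privilege escalation; a goal no atomic attack can produce yields no path.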
