Interdicting Attack Graphs to Protect Organizations from Cyber Attacks : A Bi-Level Attacker-Defender Model

Today's organizations are inherently open and connected, sharing knowledge and ideas in order to remain innovative. As a result, they are also more vulnerable to information theft through security breaches caused by hackers and competitors. One way of understanding the vulnerability of an information system is to build and analyze its attack graph, which contains all the paths an attacker can use to penetrate the system and breach critical assets. Although the existing literature provides an abundance of attack graph generation algorithms, more methods are needed to analyze the resulting graphs. In this paper, we study how best to deploy security countermeasures to protect an organization by analyzing its vulnerability through its attack graph. In particular, we present an approach for finding an optimal affordable subset of arcs on the attack graph, called an interdiction plan, that should be protected from attack so as to minimize the loss due to security breaches. We formulate this problem as a bi-level mixed-integer linear program and develop an exact algorithm to solve it. Experiments show that the algorithm can solve relatively large problems. Two heuristic methods, both of which limit the master problem's branch-and-bound tree to a single node and one of which additionally solves the master problem heuristically, solve the large problems remarkably well. Experiments also reveal that the quality of an interdiction plan is relatively insensitive to error in the estimate of the attacker's budget, and that as the security budget increases the breach loss drops sharply at first, then levels off, and finally drops sharply again.
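The following is an added illustration, not code from the paper, of the bi-level attacker-defender structure the abstract describes, run on a small constructed attack graph. The defender (upper level) chooses an interdiction plan, a set of arcs to harden within a security budget; the attacker (lower level) then chooses which remaining arcs to exploit within an attack budget so as to maximize the loss from breached assets; the defender picks the plan that minimizes that maximum. The graph, arc costs, asset loss values and budgets are all constructed assumptions, and the solver is brute-force enumeration of both levels (fine for a toy graph, not a substitute for the paper's exact MILP algorithm). The `loss_curve` helper sweeps the security budget to show the staircase-shaped loss-versus-budget behaviour the abstract reports.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Arc:
    """One exploit step in the attack graph (constructed example)."""
    src: str
    dst: str
    attack_cost: int   # effort the attacker spends to traverse this arc
    defend_cost: int   # cost for the defender to harden (interdict) this arc


# Constructed toy attack graph: entry point, hosts, and two critical assets.
ARCS = (
    Arc("internet", "web", 2, 3),
    Arc("internet", "vpn", 3, 2),
    Arc("web", "app", 2, 2),
    Arc("vpn", "app", 1, 1),
    Arc("app", "db", 3, 4),
    Arc("web", "fileserver", 2, 1),
    Arc("vpn", "fileserver", 2, 2),
)
ENTRY = "internet"
LOSS = {"db": 100, "fileserver": 40}   # breach loss per critical asset (assumed)


def reachable(arcs, entry):
    """Nodes reachable from `entry` using only the given arcs (DFS)."""
    seen, frontier = {entry}, [entry]
    while frontier:
        node = frontier.pop()
        for a in arcs:
            if a.src == node and a.dst not in seen:
                seen.add(a.dst)
                frontier.append(a.dst)
    return seen


def attacker_best(arcs, attacker_budget):
    """Lower level: maximize loss of breached assets subject to the attack budget.

    Returns (loss, tuple of exploited arcs). Enumerates every subset of arcs;
    an arc only counts if it is connected back to the entry point.
    """
    arcs = tuple(arcs)
    best_loss, best_plan = 0, ()
    for k in range(len(arcs) + 1):
        for plan in combinations(arcs, k):
            if sum(a.attack_cost for a in plan) > attacker_budget:
                continue
            loss = sum(LOSS.get(n, 0) for n in reachable(plan, ENTRY))
            if loss > best_loss:
                best_loss, best_plan = loss, plan
    return best_loss, best_plan


def defender_best(arcs, defender_budget, attacker_budget):
    """Upper level: choose an interdiction plan within the security budget that
    minimizes the attacker's best achievable loss on the remaining graph.

    Returns (worst-case loss, tuple of interdicted arcs).
    """
    arcs = tuple(arcs)
    best_loss, best_plan = float("inf"), ()
    for k in range(len(arcs) + 1):
        for plan in combinations(arcs, k):
            if sum(a.defend_cost for a in plan) > defender_budget:
                continue
            remaining = [a for a in arcs if a not in plan]
            loss, _ = attacker_best(remaining, attacker_budget)
            if loss < best_loss:
                best_loss, best_plan = loss, plan
    return best_loss, best_plan


def loss_curve(arcs, defender_budgets, attacker_budget):
    """Worst-case breach loss for each security budget in `defender_budgets`."""
    return [defender_best(arcs, b, attacker_budget)[0] for b in defender_budgets]


if __name__ == "__main__":
    attacker_budget = 9
    print("no defence:", attacker_best(ARCS, attacker_budget))
    loss, plan = defender_best(ARCS, 3, attacker_budget)
    print("budget 3 ->", loss, [(a.src, a.dst) for a in plan])
    print("curve:", loss_curve(ARCS, range(6), attacker_budget))
```

On this instance the cheapest useful plan is to cut both arcs into `app` (total hardening cost 3), which removes every path to the database; hardening the expensive `app -> db` arc alone costs more and achieves the same. The budget sweep shows the plateau behaviour: budgets 0 and 1 buy nothing, 2 and 3 each cut the loss, 4 adds nothing, and 5 finally severs both entry arcs.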
