Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks

Highlights:
Measuring temporal variation in network attack surface is a key problem in dynamic networks.
We propose to use graph distance metrics based on the Maximum Common Subgraph (MCS) and Graph Edit Distance (GED).
We show test results on a set of 3 different network models.
We compare the performance of the MCS and GED based metrics with the 9 previously proposed attack graph based metrics.
We present an in-depth analysis of the obtained results.

Abstract:
Assessment of the attack surface is a formidable challenge for present-day dynamic networks. Essentially, the attack surface of a computer network is the subset of network configuration and vulnerabilities that an adversary can use to compromise the target network in an incremental fashion. A large number of metrics are available for network security risk assessment. However, they fail to measure temporal variation in the network attack surface. To overcome this problem, we propose graph distance metrics based on the Maximum Common Subgraph (MCS) and Graph Edit Distance (GED). In particular, we make use of classical graph distance metrics to quantify the distance between a pair of successive attack graphs generated for a dynamic network. Since an attack graph captures the attack surface of the underlying network, the distance between a pair of consecutive attack graphs (generated over the observed sampling interval) indicates the change in the network attack surface. To validate the efficacy and usability of the graph distance metrics proposed in this study, we have tested 11 different metrics on a set of 3 different network models, viz., Flat, External-Internal, and DMZ. Experimental results show that the MCS and GED based graph distance metrics successfully capture the temporal variation in the attack surface and also flag the security events responsible for the change.
Using such graph distance metrics, we can pinpoint the events that cause a significant change in the network attack surface, locate the most dangerous hosts in the network, and measure the effect of adding further vulnerabilities to these hosts. The advantage of using these metrics is that they scale polynomially with graph size and are independent of graph topology. It is also evident from the test results that the performance of the MCS and GED based metrics is very similar, so computing either one is enough to detect temporal variation in the network attack surface. The MCS and GED based graph distance metrics are oblivious to the AND semantics between the initial conditions in the attack graphs. Thus, there is scope for improving their performance (sensitivity) by taking the AND semantics into account.
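The following is an added example, not code from the paper: it computes an MCS-based distance and a graph edit distance between two successive attack graphs and lists the nodes and edges responsible for the change. It assumes attack graph nodes carry unique labels (each condition or exploit occurs once per graph), so the maximum common subgraph is simply the intersection of the labelled node and edge sets and both metrics run in polynomial time; it also assumes graph size is counted as nodes plus edges, unit edit costs, and the Bunke-style normalisation d = 1 - |mcs| / max(|G1|, |G2|). The two sample graphs are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class AttackGraph:
    """Directed attack graph; nodes are uniquely labelled conditions/exploits."""
    nodes: FrozenSet[str]
    edges: FrozenSet[Edge]

    @staticmethod
    def from_edges(edges: Iterable[Edge]) -> "AttackGraph":
        es = frozenset(edges)
        return AttackGraph(frozenset(n for e in es for n in e), es)

    def size(self) -> int:
        # assumption: |G| counts nodes and edges together
        return len(self.nodes) + len(self.edges)


def mcs(g1: AttackGraph, g2: AttackGraph) -> AttackGraph:
    """With unique labels the MCS is the intersection of node and edge sets."""
    return AttackGraph(g1.nodes & g2.nodes, g1.edges & g2.edges)


def mcs_distance(g1: AttackGraph, g2: AttackGraph) -> float:
    """Bunke-style metric: 1 - |mcs(G1,G2)| / max(|G1|,|G2|); 0 means no change."""
    biggest = max(g1.size(), g2.size())
    return 0.0 if biggest == 0 else 1.0 - mcs(g1, g2).size() / biggest


def ged(g1: AttackGraph, g2: AttackGraph) -> int:
    """Unit-cost edit distance: node/edge insertions plus deletions (unique labels)."""
    m = mcs(g1, g2)
    node_ops = len(g1.nodes) + len(g2.nodes) - 2 * len(m.nodes)
    edge_ops = len(g1.edges) + len(g2.edges) - 2 * len(m.edges)
    return node_ops + edge_ops


def change_report(g1: AttackGraph, g2: AttackGraph) -> Dict[str, set]:
    """Events responsible for the distance: what appeared or vanished between samples."""
    return {"nodes_added": set(g2.nodes - g1.nodes), "nodes_removed": set(g1.nodes - g2.nodes),
            "edges_added": set(g2.edges - g1.edges), "edges_removed": set(g1.edges - g2.edges)}


# Constructed sample: attack graph at time t0 (single path internet -> web -> db).
G_T0 = AttackGraph.from_edges([("attackerLocated(internet)", "exploit(web,httpd)"),
                               ("exploit(web,httpd)", "execCode(web)"),
                               ("execCode(web)", "exploit(db,dbms)"),
                               ("exploit(db,dbms)", "execCode(db)")])
# Constructed sample at t1: a second exploitable service on db adds a new path.
G_T1 = AttackGraph.from_edges(list(G_T0.edges) + [("execCode(web)", "exploit(db,sshd)"),
                                                  ("exploit(db,sshd)", "execCode(db)")])
```

For the sample, mcs_distance(G_T0, G_T1) is 0.25 and ged(G_T0, G_T1) is 3, with the report naming exploit(db,sshd) and its two edges as the events behind the change.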
