Asymptotic Behavior of Attack Graph Games

This paper presents and analyzes an attack graph optimization problem that arises in modeling certain adversarial cyber attack and defend scenarios. The problem formulation is based on representing attacks against a system as a finite, weighted, directed graph in which the directed edges represent transitions between states in an attack and edge weights represent the estimated cost to an attacker for traversing the edge. An attacker strives to traverse the graph from a specified start node to a specified end node using the least-cost directed path between those nodes. The defender, on the other hand, seeks to allocate defensive measures in such a way as to maximize the attacker’s minimal-cost attack path. We study the role that minimal cut sets play in hardening the attack graph and prove that, under this simple model, minimal cut sets are optimal defensive investments in the limit, even though minimal cut sets may not play a role in hardening a system initially. Viewing attackers and defenders as players in a two-person, non-zero-sum game, the results in this paper describe the asymptotic behavior of optimal solutions to the game under certain conditions.
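The following is an added illustration, not code or data from the paper. It brute-forces the defender's best allocation on a constructed four-edge graph and shows the hardened edges changing from a single non-cut edge at a small budget to a minimal cut set at larger budgets. It assumes each unit of defensive budget adds one unit of attacker cost to an edge; the abstract does not state the paper's investment model.

```python
import heapq
from itertools import combinations

# Constructed attack graph (not from the paper): edge -> attacker cost.
EDGES = {("s", "a"): 1, ("a", "t"): 1, ("s", "b"): 5, ("b", "t"): 5}

def attacker_cost(weights, src="s", dst="t"):
    """Dijkstra: cost of the attacker's cheapest src->dst path (inf if none)."""
    dist, heap = {src: 0}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            return d
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        for (x, y), w in weights.items():
            if x == u and d + w < dist.get(y, float("inf")):
                dist[y] = d + w
                heapq.heappush(heap, (d + w, y))
    return float("inf")

def allocations(n_edges, budget):
    """Every split of `budget` integer units over n_edges (stars and bars)."""
    for bars in combinations(range(budget + n_edges - 1), n_edges - 1):
        cuts = (-1,) + bars + (budget + n_edges - 1,)
        yield [cuts[i + 1] - cuts[i] - 1 for i in range(n_edges)]

def best_defense(budget, edges=EDGES):
    """Maximize the attacker's cheapest path; break ties by fewest hardened edges.
    Assumed model: one budget unit adds one unit of cost to an edge."""
    keys, best = list(edges), None
    for alloc in allocations(len(keys), budget):
        hardened = {k: edges[k] + a for k, a in zip(keys, alloc)}
        support = frozenset(k for k, a in zip(keys, alloc) if a)
        score = (attacker_cost(hardened), -len(support))
        if best is None or score > best[0]:
            best = (score, support)
    return best[0][0], best[1]

def is_cut(support, edges=EDGES):
    """True if deleting the hardened edges leaves no s->t path."""
    remaining = {k: w for k, w in edges.items() if k not in support}
    return attacker_cost(remaining) == float("inf")

if __name__ == "__main__":
    for b in (4, 12, 40):
        cost, support = best_defense(b)
        print(b, cost, sorted(support), "cut" if is_cut(support) else "not a cut")
```

On this graph the attacker's cost grows one-for-one with budget while only the cheap path is hardened, then at half that rate once the budget must be split across both edges of the cut.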
