A Scalable Attack Graph Generation for Network Security Management

As dependence on networked systems increases, those systems become exposed to a variety of attacks arising from software misconfigurations, software flaws and malfunctioning operating-system services. Network managers often rely on Attack Graphs to perform security risk assessment of network systems visually. Attack Graphs are cumbersome to read, however, because they grow exponentially as the size of the network, or the number of vulnerabilities per host, increases. This paper addresses the scalability of Attack Graph generation by drawing on graph theory. MulVAL and the Nessus scanner were used for Attack Graph generation and for mapping network information respectively. A computational algorithm capable of handling cycles was formulated, together with a valid-path detection algorithm that determines the most critical valid paths in an Attack Graph for the purpose of network security risk assessment. The results show that the proposed model reduces redundancy in Attack Graphs, which assists the security administrator in making sound decisions about the security risk management of network systems.
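To make the two problems named in the abstract concrete, here is a small added example (written for this page; it is not the paper's algorithm or MulVAL output). It builds a constructed attack graph whose nodes are attacker states and whose edges are exploit steps, enumerates the elementary cycles that would make a naive path walk loop forever, then lists only the valid (simple) attacker-to-goal paths and ranks them by number of exploit steps. Host names, edges, the "fewest steps first" ordering and the edge-frequency metric are all assumptions made for illustration.

```python
"""Illustrative attack-graph path analysis (added example; not the paper's code).

Nodes stand for attacker states (e.g. "user privilege on www"); an edge u -> v
means an exploit step lets an attacker holding u obtain v. The host names and
edges below are constructed for this example, not taken from MulVAL or Nessus.
"""
from collections import defaultdict

# Constructed sample graph. The edge db -> www introduces a cycle, which a
# naive path enumerator would loop on forever.
SAMPLE_EDGES = [
    ("attacker", "www"),
    ("www", "db"),
    ("db", "www"),          # lateral movement back to www: creates a cycle
    ("www", "fileserver"),
    ("fileserver", "db"),
    ("db", "goal"),
    ("fileserver", "goal"),
]


def build_graph(edges):
    """Adjacency-list representation; every node gets an entry."""
    graph = defaultdict(list)
    for src, dst in edges:
        graph[src].append(dst)
        graph.setdefault(dst, [])
    return dict(graph)


def elementary_cycles(graph):
    """Enumerate elementary (simple) cycles.

    Each cycle is reported once, from its lowest-indexed node, by only
    extending through nodes with a higher index than the start. This is the
    core idea of Johnson's algorithm without its blocking optimisation, so it
    is fine for small graphs but exponential in the worst case.
    """
    index = {node: i for i, node in enumerate(sorted(graph))}
    cycles = []

    def extend(start, node, path):
        for nxt in graph[node]:
            if nxt == start:
                cycles.append(path + [start])
            elif index[nxt] > index[start] and nxt not in path:
                extend(start, nxt, path + [nxt])

    for start in sorted(graph, key=index.get):
        extend(start, start, [start])
    return cycles


def valid_paths(graph, source, goal):
    """All simple source -> goal paths. Tracking the current path prevents
    re-entering a node, so cycles are handled without deleting edges first."""
    paths = []

    def walk(node, path):
        if node == goal:
            paths.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])
    # Assumed ranking: fewest exploit steps first (shortest path = most urgent).
    return sorted(paths, key=lambda p: (len(p), p))


def critical_edges(paths):
    """Count how many valid paths traverse each edge. An edge on every path is
    a single choke point whose fix blocks all of them (illustrative metric)."""
    counts = defaultdict(int)
    for path in paths:
        for src, dst in zip(path, path[1:]):
            counts[(src, dst)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print("cycles:", elementary_cycles(g))
    paths = valid_paths(g, "attacker", "goal")
    for p in paths:
        print(" -> ".join(p))
    print("edge frequency:", critical_edges(paths))
```

On the sample graph the cycle enumerator reports the two-node loop between www and db and the longer loop through fileserver, while the path walk returns three valid attacker-to-goal paths; all three pass through the attacker -> www edge, which is what makes that edge the first candidate for remediation.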
