A Flexible Approach to Measuring Network Security Using Attack Graphs

Previous approaches to measuring network security are mostly based on the assumption that the relevant source data can be obtained completely and accurately. In practice, however, it is very difficult to obtain all of the relevant source data accurately (Z. Ciechanowicz, 1997). In this paper, we propose a flexible approach based on attack graphs to measuring the security of crucial resources in a vulnerable network, which can produce an accurate measurement of network security even with incomplete input data. Another key improvement is a backward iterative algorithm that solves the problem of cyclic attack paths when measuring security using attack graphs. A simulation experiment also demonstrates that the algorithm can be applied to large attack graphs.

[1] Somesh Jha et al. Automated generation and analysis of attack graphs, 2002, Proceedings of the 2002 IEEE Symposium on Security and Privacy.

[2] Sushil Jajodia. Topological analysis of network attack vulnerability, 2007, ASIACCS '07.

[3] Paul Ammann et al. Using model checking to analyze network vulnerabilities, 2000, Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000).

[4] Marianne Swanson et al. Security metrics guide for information technology systems, 2003.

[5] Richard Lippmann et al. Practical Attack Graph Generation for Network Defense, 2006, 22nd Annual Computer Security Applications Conference (ACSAC'06).

[6] Sushil Jajodia et al. A weakest-adversary security metric for network configuration security analysis, 2006, QoP '06.

[7] Rodolphe Ortalo et al. Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security, 1999, IEEE Trans. Software Eng.

[8] Karl N. Levitt et al. NetKuang - A Multi-Host Configuration Vulnerability Checker, 1996, USENIX Security Symposium.

[9] Xinming Ou et al. A scalable approach to attack graph generation, 2006, CCS '06.

[10] Sushil Jajodia et al. Efficient minimum-cost network hardening via exploit dependency graphs, 2003, Proceedings of the 19th Annual Computer Security Applications Conference.

[11] Steven Noel et al. Representing TCP/IP connectivity for topological analysis of network security, 2002, Proceedings of the 18th Annual Computer Security Applications Conference.

[12] Marc Dacier et al. Quantitative Assessment of Operational Security: Models and Tools, 1996.

[13] Duminda Wijesekera et al. Scalable, graph-based network vulnerability analysis, 2002, CCS '02.

[14] Zbigniew Ciechanowicz. Risk analysis: requirements, conflicts and problems, 1997, Comput. Secur.

[15] Cynthia A. Phillips et al. A graph-based system for network-vulnerability analysis, 1998, NSPW '98.

[16] Sushil Jajodia et al. Toward measuring network security using attack graphs, 2007, QoP '07.

[17] Marc Dacier et al. Models and tools for quantitative assessment of operational security, 1996, SEC.

[18] Sushil Jajodia et al. Minimum-cost network hardening using attack graphs, 2006, Comput. Commun.

[19] Z. G. Ruthberg et al. Technology Assessment: Methods for Measuring the Level of Computer Security, 1985.