Advanced Cyber Attack Modeling Analysis and Visualization

Abstract : This project delivers an approach for visualization, correlation, and prediction of potentially large and complex attack graphs. These attack graphs show multi-step cyber attacks against networks, based on system vulnerabilities, network connectivity, and potential attacker exploits. We introduce a new paradigm for attack graph analysis that augments the traditional graph-centric view, based on graph adjacency matrices. In our approach, the analysis includes all known network attack paths, while still keeping complexity manageable. It supports pre-attack network hardening, correlation of detected attack events, and attack origin/impact prediction for post-attack responses. The goal of this system is to transform large quantities of network security data into actionable intelligence. The utility of organizing combinations of network attacks as graphs is well established. Traditionally, such attack graphs have been formed manually by security red teams (penetration testers). We have demonstrated the capability for computational generation of attack graphs, rather than relying on manual creation. This approach is based on models of network security conditions and potential attacker exploits. Because of vulnerability interdependencies across networks, a topological attack graph approach is needed, especially for proactive defense against insidious multi-step attacks. The traditional approach that treats network data and events in isolation, without the context provided by attack graphs, is clearly insufficient.

[1]  Dino Mandrioli,et al.  A formal approach to sensor placement and configuration in a network intrusion detection system , 2006, SESS '06.

[2]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[3]  Wenke Lee,et al.  A hardware platform for network intrusion detection and prevention , 2005 .

[4]  Esko Nuutila,et al.  Efficient transitive closure computation in large digraphs , 1995 .

[5]  R. Cunningham,et al.  Validating and Restoring Defense in Depth Using Attack Graphs , 2006, MILCOM 2006 - 2006 IEEE Military Communications conference.

[6]  Christos Faloutsos,et al.  Fully automatic cross-associations , 2004, KDD.

[7]  Sushil Jajodia,et al.  Minimum-cost network hardening using attack graphs , 2006, Comput. Commun..

[8]  Sushil Jajodia,et al.  Attack Graphs for Sensor Placement , Alert Prioritization , and Attack Response , 2008 .

[9]  Somesh Jha,et al.  Minimization and Reliability Analyses of Attack Graphs , 2002 .

[10]  Karl N. Levitt,et al.  NetKuang - A Multi-Host Configuration Vulnerability Checker , 1996, USENIX Security Symposium.

[11]  Richard M. Karp,et al.  Reducibility among combinatorial problems" in complexity of computer computations , 1972 .

[12]  Sushil Jajodia,et al.  Advanced Vulnerability Analysis and Intrusion Detection through Predictive Attack Graphs , 2009 .

[13]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[14]  Peter Grünwald,et al.  A tutorial introduction to the minimum description length principle , 2004, ArXiv.

[15]  Cynthia A. Phillips,et al.  Computer-attack graph generation tool , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[16]  Sushil Jajodia,et al.  Correlating intrusion events and building attack scenarios through attack graph distances , 2004, 20th Annual Computer Security Applications Conference.

[17]  Steven Skiena,et al.  The Algorithm Design Manual , 2020, Texts in Computer Science.

[18]  Peng Ning,et al.  Building Attack Scenarios through Integration of Complementary Alert Correlation Method , 2004, NDSS.

[19]  Kenneth Prole,et al.  A Graph-Theoretic Visualization Approach to Network Risk Analysis , 2008, VizSEC.

[20]  Richard M. Karp,et al.  Reducibility Among Combinatorial Problems , 1972, 50 Years of Integer Programming.

[21]  Kwan-Liu Ma,et al.  PortVis: a tool for port-based detection of security events , 2004, VizSEC/DMSEC '04.

[22]  Richard Lippmann,et al.  An Interactive Attack Graph Cascade and Reachability Display , 2007, VizSEC.

[23]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[24]  Sushil Jajodia,et al.  Efficient minimum-cost network hardening via exploit dependency graphs , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[25]  Steven Noel,et al.  Representing TCP/IP connectivity for topological analysis of network security , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[26]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[27]  Martin Pelikan,et al.  Hybrid evolutionary algorithms on minimum vertex cover for random graphs , 2007, GECCO '07.

[28]  Rayford B. Vaughn,et al.  An approach to graph-based modeling of network exploitations , 2005 .

[29]  Sushil Jajodia,et al.  Understanding complex network attack graphs through clustered adjacency matrices , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[30]  Ben Shneiderman,et al.  Treemaps for space-constrained visualization of hierarchies , 2005 .

[31]  Peter Eades,et al.  Multilevel Visualization of Clustered Graphs , 1996, GD.

[32]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[33]  Sushil Jajodia,et al.  Advances in Topological Vulnerability Analysis , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

[34]  Jeffrey Heer,et al.  prefuse: a toolkit for interactive information visualization , 2005, CHI.

[35]  Sushil Jajodia,et al.  Topological Vulnerability Analysis , 2010, Cyber Situational Awareness.

[36]  William Yurcik,et al.  NVisionIP: netflow visualizations of system state for security situational awareness , 2004, VizSEC/DMSEC '04.

[37]  Sushil Jajodia,et al.  Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs , 2008, Journal of Network and Systems Management.

[38]  Marianne Swanson,et al.  Security metrics guide for information technology systems , 2003 .

[39]  Frédéric Cuppens,et al.  Alert correlation in a cooperative intrusion detection framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[40]  Sushil Jajodia,et al.  Topological Vulnerability Analysis: A Powerful New Approach For Network Attack Prevention, Detection, and Response , 2008 .