SAT-solving approaches to context-aware enterprise network security management

Enterprise network security management is a complex task of balancing security and usability, with trade-offs often necessary between the two. Past work has provided ways to identify intricate attack paths due to misconfiguration and vulnerabilities in an enterprise system, but little has been done to address how to correct the security problems within the context of various other requirements such as usability, ease of access, and cost of countermeasures. This paper presents an approach based on Boolean satisfiability solving (SAT solving) that can reason about attacks, usability requirements, cost of actions, etc. in a unified, logical framework. Preliminary results show that the approach is both effective and efficient.
