A survey on the usability and practical applications of Graphical Security Models

This paper presents and discusses the current state of Graphical Security Models (GrSM), in terms of four GrSM phases: (i) generation, (ii) representation, (iii) evaluation, and (iv) modification. Although many studies focused on improving the usability, efficiency, and functionality of GrSMs (e.g., by using various model types and evaluation techniques), the networked system is evolving with many hosts and frequently changing topologies (e.g., Cloud, SDN, IoT etc.). To investigate the usability of GrSMs, this survey summarizes the characteristics of past research studies in terms of their development and computational complexity analysis, and specify their applications in terms of security metrics, availability of tools and their applicable domains. We also discuss the practical issues of modeling security, differences of GrSMs and their usability for future networks that are large and dynamic.

[1]  Stefano Bistarelli,et al.  Defense trees for economic evaluation of security investments , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[2]  Liudong Xing,et al.  An overview of the phase-modular fault tree approach to phased mission system analysis , 2003 .

[3]  M. J. Reed,et al.  Attack graphs representations , 2012, 2012 4th Computer Science and Electronic Engineering Conference (CEEC).

[4]  Eugene H. Spafford,et al.  Automated adaptive intrusion containment in systems of interacting services , 2007, Comput. Networks.

[5]  Vamsi Paruchuri,et al.  Threat modeling using attack trees , 2008 .

[6]  Mattia Monga,et al.  Assessing the risk of using vulnerable components , 2006, Quality of Protection.

[7]  William H. Sanders,et al.  Adversary-driven state-based system security evaluation , 2010, MetriSec '10.

[8]  Indrajit Ray,et al.  Optimal security hardening on attack tree models of networks: a cost-benefit analysis , 2012, International Journal of Information Security.

[9]  Jin B. Hong,et al.  What Vulnerability Do We Need to Patch First? , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[10]  Kai Petersen,et al.  Prioritizing Countermeasures through the Countermeasure Method for Software Security (CM-Sec) , 2010, PROFES.

[11]  Cynthia A. Phillips,et al.  Computer-attack graph generation tool , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[12]  Cong Jin,et al.  Dynamic Attack Tree and Its Applications on Trojan Horse Detection , 2010, 2010 Second International Conference on Multimedia and Information Technology.

[13]  Xinming Ou,et al.  A scalable approach to attack graph generation , 2006, CCS '06.

[14]  Barbara Kordy,et al.  Foundations of Attack-Defense Trees , 2010, Formal Aspects in Security and Trust.

[15]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[16]  Sushil Jajodia,et al.  Efficient minimum-cost network hardening via exploit dependency graphs , 2003, 19th Annual Computer Security Applications Conference, 2003. Proceedings..

[17]  Flemming Nielson,et al.  Quantitative Verification and Synthesis of Attack-Defence Scenarios , 2016, 2016 IEEE 29th Computer Security Foundations Symposium (CSF).

[18]  Steven Noel,et al.  Representing TCP/IP connectivity for topological analysis of network security , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[19]  Scott A. DeLoach,et al.  Simulation-based Approaches to Studying Effectiveness of Moving-Target Network Defense | NIST , 2012 .

[20]  Jin B. Hong,et al.  Towards Automated Generation and Visualization of Hierarchical Attack Representation Models , 2015, 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing.

[21]  Peng Liu,et al.  Using Bayesian networks for cyber security analysis , 2010, 2010 IEEE/IFIP International Conference on Dependable Systems & Networks (DSN).

[22]  Sushil Jajodia,et al.  Linear-Time Network Hardening , 2014 .

[23]  Eugene H. Spafford,et al.  ADEPTS: adaptive intrusion response using attack graphs in an e-commerce environment , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).

[24]  Sushil Jajodia,et al.  Topological Vulnerability Analysis: A Powerful New Approach For Network Attack Prevention, Detection, and Response , 2008 .

[25]  Ahto Buldas,et al.  Practical Security Analysis of E-Voting Systems , 2007, IWSEC.

[26]  Jin B. Hong,et al.  Scalable Security Model Generation and Analysis Using k-importance Measures , 2013, SecureComm.

[27]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[28]  Rajesh Kumar,et al.  Quantitative Security and Safety Analysis with Attack-Fault Trees , 2017, 2017 IEEE 18th International Symposium on High Assurance Systems Engineering (HASE).

[29]  C. Wieser,et al.  An Enumeration of RFID Related Threats , 2008, 2008 The Second International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies.

[30]  Sushil Jajodia,et al.  Measuring Security Risk of Networks Using Attack Graphs , 2010, Int. J. Next Gener. Comput..

[31]  Barbara Kordy,et al.  Attack-defense trees , 2014, J. Log. Comput..

[32]  Nahid Shahmehri,et al.  Modeling Software VulnerabilitiesWith Vulnerability Cause Graphs , 2006, 2006 22nd IEEE International Conference on Software Maintenance.

[33]  Rodolphe Ortalo,et al.  Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security , 1999, IEEE Trans. Software Eng..

[34]  Sushil Jajodia,et al.  Multiple coordinated views for network attack graphs , 2005, IEEE Workshop on Visualization for Computer Security, 2005. (VizSEC 05)..

[35]  Miles A. McQueen,et al.  Quantitative Cyber Risk Reduction Estimation Methodology for a Small SCADA Control System , 2006, Proceedings of the 39th Annual Hawaii International Conference on System Sciences (HICSS'06).

[36]  Bruce Schneier,et al.  Secrets and Lies: Digital Security in a Networked World , 2000 .

[37]  Heejo Lee,et al.  Scalable attack graph for risk assessment , 2009, 2009 International Conference on Information Networking.

[38]  Richard Lippmann,et al.  Visualizing attack graphs, reachability, and trust relationships with NAVIGATOR , 2010, VizSec '10.

[39]  Dong Seong Kim,et al.  Cyber security analysis using attack countermeasure trees , 2010, CSIIRW '10.

[40]  Sushil Jajodia,et al.  Measuring the Overall Security of Network Configurations Using Attack Graphs , 2007, DBSec.

[41]  Juanjo Unzilla,et al.  Application of 'Attack Trees' Technique to Copyright Protection Protocols Using Watermarking and Definition of a New Transactions Protocol SecDP (Secure Distribution Protocol) , 2004, MIPS.

[42]  Manimaran Govindarasu,et al.  Smart grid cybersecurity exposure analysis and evalution framework , 2010, IEEE PES General Meeting.

[43]  Sushil Jajodia,et al.  Minimum-cost network hardening using attack graphs , 2006, Comput. Commun..

[44]  Indrajit Ray,et al.  Using Attack Trees to Identify Malicious Attacks from Authorized Insiders , 2005, ESORICS.

[45]  Bruce Schneier,et al.  MODELING SECURITY THREATS , 1999 .

[46]  Paul Ammann,et al.  Using model checking to analyze network vulnerabilities , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[47]  Sophie Pinchinat,et al.  Is My Attack Tree Correct? , 2017, ESORICS.

[48]  Francesco Maffioli,et al.  Cardinality constrained minimum cut problems: complexity and algorithms , 2004, Discret. Appl. Math..

[49]  Richard Lippmann,et al.  Practical Attack Graph Generation for Network Defense , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[50]  Stefan Schlott,et al.  Advanced Detection of Selfish or Malicious Nodes in Ad Hoc Networks , 2004, ESAS.

[51]  Indrajit Ray,et al.  Optimal security hardening using multi-objective optimization on attack tree models of networks , 2007, CCS '07.

[52]  Saurabh Bagchi,et al.  Determining Placement of Intrusion Detectors for a Distributed Application through Bayesian Network Modeling , 2008, RAID.

[53]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[54]  Richard Lippmann,et al.  GARNET: A Graphical Attack Graph and Reachability Network Evaluation Tool , 2008, VizSEC.

[55]  Igor Nai Fovino,et al.  Through the Description of Attacks: A Multidimensional View , 2006, SAFECOMP.

[56]  William H. Sanders,et al.  Ieee Transactions on Parallel and Distributed Systems Rre: a Game-theoretic Intrusion Response and Recovery Engine , 2022 .

[57]  Peng Ning,et al.  Learning attack strategies from intrusion alerts , 2003, CCS '03.

[58]  Paul Ammann,et al.  A host-based approach to network attack chaining analysis , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[59]  Jin B. Hong,et al.  Scalable Attack Representation Model Using Logic Reduction Techniques , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[60]  John Hale,et al.  A systematic approach to multi-stage network attack analysis , 2004, Second IEEE International Information Assurance Workshop, 2004. Proceedings..

[61]  Scott A. DeLoach,et al.  Model-driven, Moving-Target Defense for Enterprise Network Security , 2011, Models@run.time@Dagstuhl.

[62]  Sushil Jajodia,et al.  Time-efficient and cost-effective network hardening using attack graphs , 2012, IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012).

[63]  Andrew W. Appel,et al.  MulVAL: A Logic-based Network Security Analyzer , 2005, USENIX Security Symposium.

[64]  Jin B. Hong,et al.  Towards scalable security analysis using multi-layered security models , 2016, J. Netw. Comput. Appl..

[65]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[66]  P. Saiz,et al.  Application of 'attack trees' in security analysis of digital contents e-commerce protocols with copyright protection , 2005, Proceedings 39th Annual 2005 International Carnahan Conference on Security Technology.

[67]  Sushil Jajodia,et al.  Topological Vulnerability Analysis , 2010, Cyber Situational Awareness.

[68]  Michael Lyle Artz,et al.  NetSPA : a Network Security Planning Architecture , 2002 .

[69]  Jin B. Hong,et al.  Scalable security analysis in hierarchical attack representation model using centrality measures , 2013, 2013 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop (DSN-W).

[70]  Barbara Kordy,et al.  DAG-based attack and defense modeling: Don't miss the forest for the attack trees , 2013, Comput. Sci. Rev..

[71]  Xinming Ou,et al.  Improving Attack Graph Visualization through Data Reduction and Attack Grouping , 2008, VizSEC.

[72]  Flemming Nielson,et al.  Automated Generation of Attack Trees , 2014, 2014 IEEE 27th Computer Security Foundations Symposium.

[73]  Sushil Jajodia,et al.  An Attack Graph-Based Probabilistic Security Metric , 2008, DBSec.

[74]  Marc Dacier,et al.  Privilege Graph: an Extension to the Typed Access Matrix Model , 1994, ESORICS.

[75]  Zonghua Zhang,et al.  Boosting Logical Attack Graph for Efficient Security Control , 2012, 2012 Seventh International Conference on Availability, Reliability and Security.

[76]  Yu Liu,et al.  Network vulnerability assessment using Bayesian networks , 2005, SPIE Defense + Commercial Sensing.

[77]  Lingyu Wang,et al.  Measuring Network Security Using Bayesian Network-Based Attack Graphs , 2008, 2008 32nd Annual IEEE International Computer Software and Applications Conference.

[78]  Xinming Ou,et al.  Identifying Critical Attack Assets in Dependency Attack Graphs , 2008, ESORICS.

[79]  Peter J. Hawrylak,et al.  Toward hybrid attack dependency graphs , 2011, CSIIRW '11.

[80]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[81]  William H. Sanders,et al.  Automatic Generation of Security Argument Graphs , 2014, 2014 IEEE 20th Pacific Rim International Symposium on Dependable Computing.

[82]  Anoop Singhal,et al.  Security Risk Analysis of Enterprise Networks Using Attack Graphs , 2012 .

[83]  Sushil Jajodia,et al.  Toward measuring network security using attack graphs , 2007, QoP '07.

[84]  Ronald R. Yager OWA trees and their role in security modeling using attack trees , 2006, Inf. Sci..

[85]  Zhong Chen,et al.  Evaluating Network Security With Two-Layer Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.

[86]  Sushil Jajodia,et al.  Scalable Analysis of Attack Scenarios , 2011, ESORICS.

[87]  Patrik Berander,et al.  Evaluating two ways of calculating priorities in requirements hierarchies - An experiment on hierarchical cumulative voting , 2009, J. Syst. Softw..

[88]  Sushil Jajodia,et al.  Measuring network security using dynamic bayesian network , 2008, QoP '08.

[89]  Alessandra Bagnato,et al.  Attribute Decoration of Attack-Defense Trees , 2012, Int. J. Secur. Softw. Eng..

[90]  Christos Douligeris,et al.  Expanding topological vulnerability analysis to intrusion detection through the incident response intelligence system , 2010, Inf. Manag. Comput. Secur..

[91]  Barbara Kordy,et al.  Attack Trees with Sequential Conjunction , 2015, SEC.

[92]  P. Bhattacharya,et al.  Analytical framework for measuring network security using exploit dependency graph , 2012, IET Inf. Secur..

[93]  Nahid Shahmehri,et al.  Towards a structured unified process for software security , 2006, SESS '06.

[94]  Jeannette M. Wing,et al.  Tools for Generating and Analyzing Attack Graphs , 2003, FMCO.

[95]  Soumya K. Ghosh,et al.  An Approach for Security Assessment of Network Configurations Using Attack Graph , 2009, 2009 First International Conference on Networks & Communications.

[96]  R. Cunningham,et al.  Validating and Restoring Defense in Depth Using Attack Graphs , 2006, MILCOM 2006 - 2006 IEEE Military Communications conference.

[97]  Ross Horne,et al.  Semantics for Specialising Attack Trees based on Linear Logic , 2017, Fundam. Informaticae.

[98]  Vijay Mann,et al.  SPHINX: Detecting Security Attacks in Software-Defined Networks , 2015, NDSS.

[99]  Steven Noel,et al.  Chapter 4 – CyGraph: Graph-Based Analytics and Visualization for Cybersecurity , 2016 .

[100]  William H. Sanders,et al.  Model-based Security Metrics Using ADversary VIew Security Evaluation (ADVISE) , 2011, 2011 Eighth International Conference on Quantitative Evaluation of SysTems.

[101]  William H. Sanders,et al.  AMI threats, intrusion detection requirements and deployment recommendations , 2012, 2012 IEEE Third International Conference on Smart Grid Communications (SmartGridComm).

[102]  David John Leversage,et al.  Comparing Electronic Battlefields: Using Mean Time-To-Compromise as a Comparative Security Metric , 2007 .

[103]  Indrajit Ray,et al.  Dynamic Security Risk Management Using Bayesian Attack Graphs , 2012, IEEE Transactions on Dependable and Secure Computing.

[104]  William H. Sanders,et al.  Go with the flow: toward workflow-oriented security assessment , 2013, NSPW '13.

[105]  Jin B. Hong,et al.  HARMs: Hierarchical Attack Representation Models for Network Security Analysis , 2012, AISM 2012.

[106]  William H. Sanders,et al.  Model-based evaluation: from dependability to security , 2004, IEEE Transactions on Dependable and Secure Computing.

[107]  Peng Ning,et al.  Constructing attack scenarios through correlation of intrusion alerts , 2002, CCS '02.

[108]  Sushil Jajodia,et al.  Advances in Topological Vulnerability Analysis , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

[109]  Dong Seong Kim,et al.  Attack countermeasure trees (ACT): towards unifying the constructs of attack and defense trees , 2012, Secur. Commun. Networks.

[110]  Olga Gadyatskaya,et al.  Attack Trees for Practical Security Assessment: Ranking of Attack Scenarios with ADTool 2.0 , 2016, QEST.

[111]  Stefano Bistarelli,et al.  Strategic Games on Defense Trees , 2006, Formal Aspects in Security and Trust.

[112]  Kishor S. Trivedi,et al.  SPNP: Stochastic Petri Nets. Version 6.0 , 2000, Computer Performance Evaluation / TOOLS.

[113]  Richard Lippmann,et al.  Modeling Modern Network Attacks and Countermeasures Using Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.

[114]  Florian Kammüller,et al.  Transforming Graphical System Models to Graphical Attack Models , 2015, GraMSec@CSF.

[115]  Chen-Ching Liu,et al.  Vulnerability Assessment of Cybersecurity for SCADA Systems Using Attack Trees , 2007, 2007 IEEE Power Engineering Society General Meeting.

[116]  Somesh Jha,et al.  Two formal analyses of attack graphs , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.