Modeling and Simulating System Exploitations through Exploitation Graphs for Security Engineering

In this paper, we define a process to model and simulate attack scenarios in networked environments. Known system vulnerability data, system configuration data, and vulnerability scanner results are associated to create exploitation graphs (e-graphs), which are used to represent attack scenarios. Experiments carried out in a cluster computing environment showed the usefulness of the proposed techniques in providing in-depth attack scenario analyses for security engineering. Critical vulnerabilities can be identified by employing graph algorithms. Several factors were used to measure the difficulty of executing an attack. A cost/benefit analysis was used for more accurate quantitative analysis of attack scenarios. We have also shown how the attack scenario analyses better support the deployment of security products and the design of network topologies.
