Automated Attack Path Enumeration Method based on System Vulnerabilities Analysis

As the number of information asset and their vulnerabilities are increasing, it becomes more difficult for network security administrators to assess security vulnerability of their system and network. There are several researches for vulnerability analysis based on quantitative approach. However, most of them are based on experts' subjective evaluation or they require a lot of manual input for deriving quantitative assessment results. In this paper, we propose HRMS(Hacking and Response Measurement System) for enumerating attack path using automated vulnerability measurement automatically. HRMS can estimate exploitability of systems or applications based on their known vulnerability assessment metric, and enumerate attack path even though system, network and application's information are not fully given for vulnerability assessment. With this proposed method, system administrators can do proactive security vulnerability assessment.

[1]  Sushil Jajodia,et al.  Topological analysis of network attack vulnerability , 2006, PST.

[2]  R. Cunningham,et al.  Validating and Restoring Defense in Depth Using Attack Graphs , 2006, MILCOM 2006 - 2006 IEEE Military Communications conference.

[3]  Chen Shan,et al.  A Minimum Cost of Network Hardening Model Based on Attack Graphs , 2011 .

[4]  Karen A. Scarfone,et al.  The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 , 2009 .

[5]  Tomi Männistö,et al.  Improving CVSS-based vulnerability prioritization and response with context information , 2009, ESEM 2009.

[6]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[7]  Siv Hilde Houmb,et al.  Estimating ToE Risk Level Using CVSS , 2009, 2009 International Conference on Availability, Reliability and Security.

[8]  Bin Wu,et al.  EVMAT: an OVAL and NVD based enterprise vulnerability modeling and assessment tool , 2011, ACM-SE '11.

[9]  Karen A. Scarfone,et al.  SP 800-126 Rev. 2. The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.2 , 2011 .

[10]  Richard Lippmann,et al.  An Interactive Attack Graph Cascade and Reachability Display , 2007, VizSEC.

[11]  Ling Gao,et al.  An Improved CVSS-based Vulnerability Scoring Mechanism , 2011, 2011 Third International Conference on Multimedia Information Networking and Security.

[12]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[13]  Sushil Jajodia,et al.  An Attack Graph-Based Probabilistic Security Metric , 2008, DBSec.