Automated Generation of Attack Graphs Using NVD

Today's computer networks are exposed to sophisticated multi-step, multi-host attacks. Common approaches to identifying vulnerabilities and assessing the security of such networks with naive methods, such as counting the number of vulnerabilities or examining each vulnerability in isolation, produce incomplete and limited security assessments. Attack graphs generated from the vulnerabilities identified in a network, on the other hand, expose security risks as attack paths that are not apparent from the results of these primitive approaches. One common technique for generating attack graphs requires well-established definitions and data on the prerequisites and postconditions of known vulnerabilities. A number of works propose prerequisite and postcondition categorization schemes for software vulnerabilities; however, generating them in an automated way remains an open issue. In this paper, we first define a model that builds on previous work to describe the requirements for exploiting vulnerabilities when generating attack graphs. We then describe and compare two novel approaches (rule-based and machine learning-based) that we propose for generating attacker privilege fields as prerequisites and postconditions from the National Vulnerability Database (NVD) in an automated way. We observe that prerequisite and postcondition privileges can be generated with overall accuracy rates of 88.8% and 95.7% with the rule-based and machine learning-based (Multilayer Perceptron) models respectively.
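As an added illustration, not the paper's model, rules or data, the following Python sketch shows how prerequisite and postcondition privilege fields feed attack-graph generation: a few keyword rules over constructed NVD-style records (a CVSS v2 base vector plus a description) yield the privilege a vulnerability needs and the privilege it grants, and forward chaining over an assumed reachability map turns those fields into an attack graph from which an ordered attack path is read back. The vulnerability IDs, descriptions, hosts, reachability map and extraction rules are all assumptions made for the example.

```python
"""Toy pipeline: rule-based prerequisite/postcondition privilege extraction
from NVD-style records, then monotonic forward chaining into an attack graph.
Records, hosts and rules are constructed for this example and are assumptions,
not the paper's model, rules or data."""
import re

LEVELS = {"none": 0, "user": 1, "root": 2}  # attacker privilege on a host

# Constructed NVD-like records with hypothetical IDs and descriptions.
VULNS = [
    {"id": "V-1", "host": "web", "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "desc": "Buffer overflow allows remote attackers to execute arbitrary code."},
    {"id": "V-2", "host": "web", "cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
     "desc": "Local users can gain root privileges via a crafted environment variable."},
    {"id": "V-3", "host": "db", "cvss": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
     "desc": "Authenticated remote users can execute arbitrary code as root."},
    {"id": "V-4", "host": "db", "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
     "desc": "Remote attackers can execute arbitrary code via a crafted request."},
]

# Assumed reachability: the attacker only sees the web host; web reaches db.
REACH = {"attacker": {"web"}, "web": {"db"}, "db": set()}


def cvss_metrics(vector):
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/...' into a dict."""
    return dict(part.split(":") for part in vector.split("/"))


def prerequisite(vuln):
    """(scope, privilege needed on the target host) before exploiting vuln.
    Assumed rule: AV:L needs code execution on the host already; AV:N needs
    reachability, plus an account (modelled as 'user') when Au is not N."""
    m = cvss_metrics(vuln["cvss"])
    if m["AV"] == "L":
        return "local", "user"
    return "remote", "none" if m["Au"] == "N" else "user"


def postcondition(vuln):
    """Privilege on the host after exploiting vuln (assumed keyword rules)."""
    d = vuln["desc"].lower()
    if re.search(r"\broot\b|gain privileges|escalat", d):
        return "root"
    if "execute arbitrary code" in d:
        return "user"
    return "none"  # e.g. denial of service or information leak: no foothold


def build_attack_graph(vulns, reach, start=("attacker", "root")):
    """Forward-chain exploits until no vulnerability raises any privilege.
    Each edge records the states it needs (AND) and the state it yields."""
    owned = {start[0]: start[1]}  # host -> highest privilege held
    edges = []
    changed = True
    while changed:
        changed = False
        for v in vulns:
            host, (scope, need) = v["host"], prerequisite(v)
            cur, post = owned.get(host, "none"), postcondition(v)
            if LEVELS[post] <= LEVELS[cur] or LEVELS[cur] < LEVELS[need]:
                continue  # nothing gained, or prerequisite privilege missing
            requires = [] if cur == "none" else [(host, cur)]
            if scope == "remote":
                src = next((h for h, p in owned.items()
                            if host in reach.get(h, ()) and LEVELS[p] >= 1), None)
                if src is None:
                    continue  # no foothold that can reach the target
                requires.append((src, owned[src]))
            edges.append({"vuln": v["id"], "requires": requires, "gives": (host, post)})
            owned[host] = post
            changed = True
    return edges, owned


def attack_path(edges, goal, start=("attacker", "root")):
    """Ordered exploit sequence reaching goal, or None if it is unreachable."""
    produced = {e["gives"]: e for e in edges}
    order, done = [], {start}

    def visit(state):
        if state in done:
            return True
        edge = produced.get(state)
        if edge is None or not all(visit(s) for s in edge["requires"]):
            return False
        done.add(state)
        order.append(edge["vuln"])  # prerequisites were appended first
        return True

    return order if visit(goal) else None


if __name__ == "__main__":
    graph, held = build_attack_graph(VULNS, REACH)
    print("privileges held:", held)
    print("path to root on db:", attack_path(graph, ("db", "root")))
```

The Au:S check is the part worth noticing: V-3 alone cannot be used from the web host because the attacker holds no account on db, so the chain has to pass through V-4 first; the returned path lists every exploit after the ones that establish its prerequisites.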
