Network Hardening

In defending networks against potential intrusions, certain vulnerabilities may seem to be acceptable risks when considered in isolation, yet an intruder may combine such vulnerabilities into a multi-step intrusion and successfully infiltrate a seemingly well-guarded network. Relying on human analysts’ experience and skills to identify such threats is error-prone and renders the task of network hardening an art, rather than a science. Existing tools based on attack graphs can reveal such threats by enumerating all possible attack paths leading to critical resources, but they cannot provide a direct solution to remove the threats. In this book, we introduce automated solutions for hardening a network against sophisticated multi-step intrusions. Specifically, we first review necessary background information on related concepts, such as attack graphs and their application to network hardening. We then describe a network hardening technique that generates hardening solutions composed of initially satisfied conditions, which makes the solutions more enforceable. Following a discussion of the complexity issues, we devise an improved technique that takes into consideration the dependencies between hardening options and employs a near-optimal approximation algorithm to scale linearly with the size of the inputs, whose performance is validated experimentally.
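The idea of a hardening solution made up of initial conditions can be shown on a small attack graph. This is an added illustration, not code from the book: the graph, the condition and exploit names, and the choice of which conditions are fixed are all constructed assumptions, and the search is a plain exhaustive one rather than the book's approximation algorithm.

```python
from itertools import combinations

# Constructed toy attack graph (assumption, not from the book).
# Each exploit needs ALL of its preconditions and yields its postconditions.
EXPLOITS = {
    "ftp_trust(0,1)":  ({"ftp(0,1)", "user(0)"}, {"trust(1,0)"}),
    "remote_sh(0,1)":  ({"trust(1,0)", "user(0)"}, {"user(1)"}),
    "sshd_flaw(0,1)":  ({"sshd(0,1)", "user(0)"}, {"user(1)"}),
    "local_priv(1)":   ({"user(1)", "vuln_setuid(1)"}, {"root(1)"}),
}
# Initially satisfied conditions: the only things a defender can change directly.
INITIAL = {"ftp(0,1)", "sshd(0,1)", "user(0)", "vuln_setuid(1)"}
GOAL = "root(1)"  # the critical resource


def reachable(enabled_initial):
    """Forward-chain over the graph: every condition the attacker can obtain."""
    have = set(enabled_initial)
    changed = True
    while changed:
        changed = False
        for pre, post in EXPLOITS.values():
            if pre <= have and not post <= have:
                have |= post
                changed = True
    return have


def hardening_options(fixed=frozenset()):
    """Minimal sets of initial conditions whose removal makes GOAL unreachable.

    `fixed` holds conditions the defender cannot disable (for example the
    attacker's privilege on their own host). The search is exponential in the
    number of initial conditions, so it is only practical on small graphs.
    """
    candidates = sorted(INITIAL - set(fixed))
    found = []
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            chosen = set(combo)
            if any(smaller <= chosen for smaller in found):
                continue  # contains a smaller solution, so it is not minimal
            if GOAL not in reachable(INITIAL - chosen):
                found.append(chosen)
    return found


if __name__ == "__main__":
    for option in hardening_options(fixed={"user(0)"}):
        print(sorted(option))
```

Disabling the FTP or SSH service alone leaves the goal reachable through the other path, which is the "acceptable in isolation" effect the paragraph describes; only the pair, or the single setuid fix, is a hardening solution.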