Research of Network Vulnerability Analysis Based on Attack Capability Transfer

Network vulnerability analysis is one of the key techniques for protecting network security. Modeling and classification of network vulnerabilities are introduced first; then the concept of attack capability transfer and the algorithm that produces it are presented. This aggregates vulnerabilities that share the same exploitation attributes and satisfy certain constraints, simplifying further analysis. Based on attack capability transfer, a new method for constructing attack graphs is presented, with complexity O(N^2), where N is the number of hosts in the network. Through analysis of the attack graph, a quantitative network vulnerability analysis is carried out, and a security hardening method based on an approximate greedy algorithm is presented, with complexity O(V), where V is the number of vulnerabilities in the network. Experiments show the effectiveness of the method.
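The following is an added illustration of the three ideas the abstract names (aggregating vulnerabilities with identical exploitation attributes into one "capability transfer", building a host-level attack graph from host pairs and those transfers, and greedily choosing which transfer to patch). It is not the paper's code or algorithm: the privilege ordering, the vulnerability inventory, the reachability constraint and the greedy scoring rule are all assumptions constructed for this example, and no claim is made that it matches the paper's complexity bounds.

```python
"""Toy attack-capability-transfer aggregation, attack-graph construction and greedy hardening.

Added example with constructed data; it only illustrates the concepts in the abstract.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Assumed privilege ordering: an attacker "holds" a host only at user or root level.
PRIV = {"none": 0, "user": 1, "root": 2}
ATTACKER_LEVELS = ("user", "root")

# Constructed vulnerability inventory (assumption, not from the paper):
# id -> (host, privilege required, privilege gained, remotely exploitable?)
# For a remote vuln the required privilege is what the attacker needs on the
# *source* host ("none" = any foothold); for a local vuln it is the privilege
# already held on the same host.
VULNS: Dict[str, Tuple[str, str, str, bool]] = {
    "v1": ("web", "none", "user", True),
    "v2": ("web", "none", "user", True),   # same exploitation attributes as v1
    "v3": ("web", "user", "root", False),
    "v4": ("db", "user", "root", True),
    "v5": ("db", "user", "root", True),    # same exploitation attributes as v4
}
HOSTS = ["internet", "web", "db"]
# Assumed connectivity constraint: which host may open a connection to which.
REACH: Set[Tuple[str, str]] = {("internet", "web"), ("web", "db")}

Transfer = Tuple[str, str, str, bool]
State = Tuple[str, str]  # (host, privilege held)


def aggregate_transfers(vulns: Dict[str, Transfer]) -> Dict[Transfer, Tuple[str, ...]]:
    """Group vulnerabilities that share the same exploitation attributes into one transfer."""
    groups: Dict[Transfer, List[str]] = defaultdict(list)
    for vid, attrs in vulns.items():
        groups[attrs].append(vid)
    return {t: tuple(sorted(ids)) for t, ids in groups.items()}


def build_attack_graph(transfers: Dict[Transfer, Tuple[str, ...]], hosts: List[str],
                       reach: Set[Tuple[str, str]]) -> Dict[State, Set[Tuple[State, Transfer]]]:
    """Edges between (host, privilege) states, derived per transfer instead of per vulnerability."""
    edges: Dict[State, Set[Tuple[State, Transfer]]] = defaultdict(set)
    for t in transfers:
        host, pre, post, remote = t
        if remote:
            # Every source host allowed to reach `host` can use the transfer from a foothold >= pre.
            for src in hosts:
                if src != host and (src, host) in reach:
                    for p in ATTACKER_LEVELS:
                        if PRIV[p] >= PRIV[pre]:
                            edges[(src, p)].add(((host, post), t))
        else:
            # Local escalation on the same host, only where it actually raises privilege.
            for p in ATTACKER_LEVELS:
                if PRIV[pre] <= PRIV[p] < PRIV[post]:
                    edges[(host, p)].add(((host, post), t))
    return edges


def reachable(edges: Dict[State, Set[Tuple[State, Transfer]]], start: State) -> Set[State]:
    """Forward search over the attack graph from the attacker's initial state."""
    seen, stack = {start}, [start]
    while stack:
        s = stack.pop()
        for nxt, _ in edges.get(s, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def greedy_harden(vulns: Dict[str, Transfer], hosts: List[str], reach: Set[Tuple[str, str]],
                  start: State, target: State) -> List[Tuple[Transfer, Tuple[str, ...]]]:
    """Patch, one transfer at a time, the transfer whose removal leaves the fewest reachable
    states (ties broken by fewer vulnerabilities to fix) until `target` is unreachable.
    The scoring rule is an assumption for this example, not the paper's."""
    remaining = dict(vulns)
    patched: List[Tuple[Transfer, Tuple[str, ...]]] = []
    while True:
        transfers = aggregate_transfers(remaining)
        if target not in reachable(build_attack_graph(transfers, hosts, reach), start):
            return patched
        best = None
        for t, vids in transfers.items():
            trial = {v: a for v, a in remaining.items() if v not in vids}
            score = len(reachable(build_attack_graph(aggregate_transfers(trial), hosts, reach), start))
            key = (score, len(vids))
            if best is None or key < best[0]:
                best = (key, t, vids)
        if best is None:
            return patched
        _, t, vids = best
        patched.append((t, vids))
        for v in vids:
            remaining.pop(v)


if __name__ == "__main__":
    plan = greedy_harden(VULNS, HOSTS, REACH, ("internet", "root"), ("db", "root"))
    for t, vids in plan:
        print("patch", vids, "on", t[0], f"({t[1]} -> {t[2]}, remote={t[3]})")
```

On the constructed inventory, v1/v2 and v4/v5 each collapse into one transfer, so the graph is built from three transfers rather than five vulnerabilities, and the greedy pass patches the web foothold transfer (v1, v2) first because removing it alone cuts every path to root on the database host.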
