Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs

We optimally place intrusion detection system (IDS) sensors and prioritize IDS alerts using attack graph analysis. We begin by predicting all possible ways of penetrating a network to reach critical assets. The set of all such paths through the network constitutes an attack graph, which we aggregate according to underlying network regularities, reducing the complexity of analysis. We then place IDS sensors to cover the attack graph using the fewest sensors. This minimizes the cost of sensors, including the effort of deploying, configuring, and maintaining them, while maintaining complete coverage of potential attack paths. The sensor-placement problem we pose is an instance of the NP-hard minimum set cover problem. We solve it with an efficient greedy algorithm, which works well in practice. Once sensors are deployed and alerts are raised, our predictive attack graph allows us to prioritize alerts based on attack graph distance to critical assets.
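The two analyses described in the abstract, greedy set cover for sensor placement and attack-graph distance for alert prioritization, as an added worked example (this is not the paper's own code or tooling). The attack graph, the candidate sensor locations with the attack edges each can observe, and the alerts are all constructed for illustration; the greedy rule is the standard one for set cover (repeatedly pick the candidate covering the most still-uncovered elements), and distance to the critical asset is a reverse breadth-first search counting remaining exploit steps.

```python
from collections import deque

# Constructed toy attack graph: each directed edge (attacker_host, victim_host)
# is one predicted exploit step. "critical" is the critical asset.
ATTACK_EDGES = [
    ("internet", "web"),
    ("internet", "mail"),
    ("web", "app"),
    ("mail", "app"),
    ("app", "db"),
    ("web", "db"),
    ("db", "critical"),
    ("app", "critical"),
]

# Constructed candidate IDS sensor locations (taps, SPAN ports, a host IDS),
# each mapped to the subset of attack edges whose traffic it can observe.
SENSOR_COVERAGE = {
    "dmz-tap": {("internet", "web"), ("internet", "mail")},
    "app-segment-tap": {("web", "app"), ("mail", "app"), ("web", "db")},
    "db-segment-tap": {("app", "db"), ("web", "db"), ("db", "critical")},
    "core-span": {("app", "critical"), ("db", "critical"), ("app", "db")},
    "mail-host-hids": {("internet", "mail"), ("mail", "app")},
}

# Constructed sample alerts, each attributed to a (src, dst) host pair.
ALERTS = [
    {"id": "a1", "src": "internet", "dst": "web"},
    {"id": "a2", "src": "app", "dst": "critical"},
    {"id": "a3", "src": "web", "dst": "db"},
    {"id": "a4", "src": "printer", "dst": "web"},  # not on any predicted path
]


def greedy_sensor_placement(edges, coverage):
    """Greedy minimum set cover: keep choosing the sensor location that
    observes the largest number of not-yet-covered attack edges."""
    uncovered = set(edges)
    chosen = []
    while uncovered:
        best = max(coverage, key=lambda loc: len(coverage[loc] & uncovered))
        gain = coverage[best] & uncovered
        if not gain:
            # Some attack edge is invisible to every candidate location.
            raise ValueError(f"no candidate sensor covers {sorted(uncovered)}")
        chosen.append(best)
        uncovered -= gain
    return chosen


def covers_all(chosen, coverage, edges):
    """Verify that the selected sensors observe every attack edge."""
    seen = set().union(*(coverage[loc] for loc in chosen)) if chosen else set()
    return set(edges) <= seen


def distances_to_asset(edges, asset):
    """Reverse BFS from the critical asset: number of remaining exploit
    steps from each host to the asset (unreachable hosts are omitted)."""
    predecessors = {}
    for u, v in edges:
        predecessors.setdefault(v, []).append(u)
    dist = {asset: 0}
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        for p in predecessors.get(node, []):
            if p not in dist:
                dist[p] = dist[node] + 1
                queue.append(p)
    return dist


def prioritize_alerts(alerts, edges, asset):
    """Rank alerts by attack-graph distance of the victim host to the asset;
    alerts that match no predicted attack edge rank last."""
    edge_set = set(edges)
    dist = distances_to_asset(edges, asset)
    ranked = []
    for alert in alerts:
        on_path = (alert["src"], alert["dst"]) in edge_set
        remaining = dist.get(alert["dst"]) if on_path else None
        ranked.append((alert["id"], remaining))
    ranked.sort(key=lambda r: (r[1] is None, r[1] if r[1] is not None else 0))
    return ranked


if __name__ == "__main__":
    placement = greedy_sensor_placement(ATTACK_EDGES, SENSOR_COVERAGE)
    print("sensors:", placement, "complete:", covers_all(placement, SENSOR_COVERAGE, ATTACK_EDGES))
    for alert_id, steps in prioritize_alerts(ALERTS, ATTACK_EDGES, "critical"):
        print(f"{alert_id}: {'off-graph' if steps is None else f'{steps} step(s) from asset'}")
```

On this graph three sensors suffice and the greedy choice is also optimal here, since three of the edges are each observable from only one location; in general the greedy solution is within a logarithmic factor of optimal, which is what makes it usable on large aggregated graphs. For prioritization, an alert on the final hop into the asset (a2) ranks above one two steps out (a1), and an alert that matches no predicted path (a4) is pushed to the bottom rather than dropped.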
