A new perspective of network vulnerability analysis using Network Security Gradient

Computer networks are inevitably attacked as a result of their openness, and network attacks are usually carried out by exploiting vulnerabilities present in the network environment. An attack graph, composed of many related atomic attacks, can fully display the exploitation and dependence relations among all of the vulnerabilities in a network, which makes it a very useful tool for network vulnerability analysis and network security evaluation. However, the prevalent Attacker's Ability Monotonic Assumption (AAMA) constraint on attack graph generation does not make full use of the direction of network attack and the hierarchy of defense. As a result, using AAMA to constrain the generation process is not only inefficient but also fails to reduce the complexity of the attack graph, especially for large-scale, complicated networks. Through extensive experiments and theoretical analysis, we found that it is mainly the existence of Circuitous Attack Paths (CAPs) in the attack graph that leads to its complexity and the low efficiency of its generation. To address this problem, we propose the concept of the Network Security Gradient (NSG), which reflects the direction of network attack and the hierarchy of defense, and the Gradient Attack Assumption (GAA), which constrains the attack graph generation process so as to avoid CAPs. As verified by a case study, using GAA to constrain attack graph generation eliminates those circuitous attack paths; it is therefore an effective way to improve the efficiency of attack graph generation and reduce the complexity of the attack graph, making it more useful for vulnerability analysis and network security evaluation.
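The contrast between AAMA and GAA described above, as an added illustrative example that is not the paper's own code or case study: a toy attack-graph generator run over a constructed five-host network, once with the monotonic-ability constraint and once with the gradient constraint. The gradient values and the reading of GAA as "never step to a lower gradient" are assumptions of this example.

```python
from typing import Callable, Dict, List, Tuple

# Constructed toy network. Gradient values are an assumed model of the paper's
# Network Security Gradient: higher means deeper behind the perimeter.
GRADIENT: Dict[str, int] = {"attacker": 0, "web": 1, "mail": 1, "app": 2, "db": 3}

# Atomic attacks as (source, target). The last two step back toward the
# perimeter; they are what gives rise to circuitous attack paths.
ATOMIC_ATTACKS: List[Tuple[str, str]] = [
    ("attacker", "web"), ("attacker", "mail"), ("web", "app"), ("mail", "app"),
    ("app", "db"), ("db", "mail"), ("app", "web"),
]

def aama(path: List[str], target: str) -> bool:
    """Attacker's Ability Monotonic Assumption: privileges once gained are
    never lost, so a host already held is never attacked again."""
    return target not in path

def gaa(path: List[str], target: str) -> bool:
    """Gradient Attack Assumption (assumed reading): AAMA plus the rule that
    every atomic attack moves to an equal or higher gradient."""
    return aama(path, target) and GRADIENT[target] >= GRADIENT[path[-1]]

def generate_paths(constraint: Callable[[List[str], str], bool]) -> List[List[str]]:
    """Depth-first attack-graph generation from the attacker's host; every
    admitted path (prefixes included) is one attack path in the graph."""
    paths: List[List[str]] = []
    def expand(path: List[str]) -> None:
        for src, dst in ATOMIC_ATTACKS:
            if src == path[-1] and constraint(path, dst):
                paths.append(path + [dst])
                expand(path + [dst])
    expand(["attacker"])
    return paths

def is_circuitous(path: List[str]) -> bool:
    """Circuitous: some atomic attack steps back toward the perimeter."""
    return any(GRADIENT[a] > GRADIENT[b] for a, b in zip(path, path[1:]))

def compare() -> Dict[str, Dict[str, int]]:
    """Graph size, circuitous-path count and target coverage per assumption."""
    stats = {}
    for name, constraint in (("AAMA", aama), ("GAA", gaa)):
        paths = generate_paths(constraint)
        stats[name] = {"paths": len(paths),
                       "circuitous": sum(is_circuitous(p) for p in paths),
                       "hosts_reached": len({p[-1] for p in paths})}
    return stats
```

On this network GAA drops the two circuitous paths (attacker -> web -> app -> db -> mail and attacker -> mail -> app -> web) while still reaching every host that AAMA reaches.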
