Abstract
To assess the security risk of a given computer network, it is imperative to understand how individual vulnerabilities can be combined to launch a multistage, multi-host cyber attack. Attack graphs are instrumental in modeling how potential adversaries can combine multiple network-related vulnerabilities for incremental network compromises. Hence, an attack graph provides decision support to the security analyst by enumerating critical attack sequences. However, for a reasonably sized network with many attack paths available, it is not possible to patch all the vulnerabilities. To mitigate this problem, in this paper we propose a diversity-aware, cost-effective network hardening solution to proactively secure the network. First, we compute the risk of each goal-oriented attack path that ends in a predetermined critical resource. Unlike other solutions, while calculating the risk of a goal-oriented attack path, we account for the reduction in the attacker's effort due to the repetition of already exploited vulnerabilities along the attack path. Next, the risks of all such goal-oriented attack paths are summed to compute the risk of the entire network. Finally, the initial condition or exploit that contributes most to the security risk of the network and has the least disabling or patching cost is chosen for removal. This process continues iteratively and halts when the total cost of network hardening exceeds the allocated security budget or the network risk becomes zero, whichever comes first. To validate our approach, we present a small case study. Experimental results show that our method of network hardening is complementary to the existing attack graph-based network hardening solutions.
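An added illustrative implementation (not the paper's code) of the hardening loop the abstract describes: goal-oriented attack paths, a path risk that credits the attacker's reduced effort when a vulnerability is re-exploited on another host, network risk as the sum over paths, and a greedy, budget-bounded removal of one initial condition or exploit per round. The data, the reuse_factor scoring and the reduction-per-cost selection rule are assumptions made here, not formulas taken from the paper.

```python
# Constructed example, not the paper's data. Exploits are written "vulnID@host";
# the success probability (assumed to derive from a CVSS-like score) is keyed by
# vulnerability ID, so the same vulnerability on another host shares it.
EXPLOIT_PROB = {"v1": 0.8, "v2": 0.6, "v3": 0.5}

# Cost of disabling each initial condition / patching each exploit (constructed).
COST = {"ic_web_reach": 2, "ic_ftp_reach": 4,
        "v1@web": 5, "v1@db": 5, "v2@web": 3, "v3@db": 6}

# Goal-oriented attack paths that end at the critical resource (the DB host).
PATHS = [
    ["ic_web_reach", "v1@web", "v1@db"],   # v1 is reused on a second host
    ["ic_web_reach", "v2@web", "v3@db"],
    ["ic_ftp_reach", "v3@db"],
]

def path_risk(path, reuse_factor=1.0):
    """Product of exploit success probabilities along one path.
    Diversity awareness (our reading of the abstract): a vulnerability already
    exploited earlier on the same path costs the attacker little extra effort,
    so its repeat is scored with reuse_factor instead of its base probability."""
    risk, seen = 1.0, set()
    for vid in (e.split("@")[0] for e in path if "@" in e):
        risk *= reuse_factor if vid in seen else EXPLOIT_PROB[vid]
        seen.add(vid)
    return risk

def network_risk(paths):
    """Network risk is the sum of the risks of all goal-oriented paths."""
    return sum(path_risk(p) for p in paths)

def harden(paths, budget):
    """Greedy loop from the abstract: remove the initial condition or exploit
    with the highest risk reduction per unit cost (our concrete choice for
    'contributes most ... least cost'), until risk is zero or the next removal
    would exceed the budget. Returns (removed, spent, residual_risk)."""
    removed, spent = [], 0
    while paths:
        candidates = {e for p in paths for e in p}
        # Removing an element disables every path that passes through it.
        score = {e: sum(path_risk(p) for p in paths if e in p) / COST[e]
                 for e in candidates}
        best = max(candidates, key=score.get)
        if spent + COST[best] > budget:
            break
        removed.append(best)
        spent += COST[best]
        paths = [p for p in paths if best not in p]
    return removed, spent, network_risk(paths)
```

With reuse_factor=0.8 (no effort reduction) the first path scores 0.64 instead of 0.8, which is the difference diversity awareness makes to the ranking.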
© 2017 Springer Nature Singapore Pte Ltd.
Cite this paper
Jabbar, M.A., Bopche, G.S., Deekshatulu, B.L., Mehtre, B.M. (2017). Diversity-aware, Cost-effective Network Security Hardening Using Attack Graph. In: Thampi, S., Martínez Pérez, G., Westphall, C., Hu, J., Fan, C., Gómez Mármol, F. (eds) Security in Computing and Communications. SSCC 2017. Communications in Computer and Information Science, vol 746. Springer, Singapore. https://doi.org/10.1007/978-981-10-6898-0_1
DOI: https://doi.org/10.1007/978-981-10-6898-0_1
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-6897-3
Online ISBN: 978-981-10-6898-0