Abstract
Availability of alternate attack paths to an adversary challenges the administrator’s decision of focusing on the single attack path for network hardening. Such single path-based hardening solutions do not stop or deter an adversary from incrementally compromising the network. It is because today’s adversaries are capable of taking alternate attack paths during real-time network intrusion. To evaluate the robustness of a network against the zero-day attacks, researchers have proposed diversity-based metrics. However, there is no way to find out how much portion (in terms of the number of vulnerabilities) an attack path shares with the other available alternate path(s). To what extent they do overlap? To what degree they are unique? In this paper, we propose inter-path diversity metrics namely uniqueness and overlap, to address the said issue. Our objective is to evaluate the quality of each attack path in terms of the resistance posed by each of them during network intrusion. Uniqueness measures the quality of being the novel attack path. Such a novel attack path(s) poses more resistance to the adversary. On the contrary, the overlap measures the degree of overlap in terms of shared resources, attack tools, and techniques, etc., of an attack path with the other paths. Attack paths with highest overlap score act as the focal point for network hardening. We have presented a small case study to demonstrate the applicability of the proposed metrics. The usage of the proposed inter-path diversity metrics generates actionable knowledge that can be utilized for making enterprise network more robust against the zero-day attacks.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Wang, L., Zhang, M., Jajodia, S., Singhal, A., Albanese, M.: Modeling network diversity for evaluating the robustness of networks against zero-day attacks. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 494–511. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11212-1_28
Shandilya, V., Simmons, C.B., Shiva, S.: Use of attack graphs in security systems. J. Comput. Netw. Commun. 2014, Article no. 818957, 13 pages (2014)
Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inf. Secur. Appl. 29, 27–56 (2016)
Pendleton, M., Garcia-Lebron, R., Cho, J.H., Xu, S.: A survey on systems security metrics. ACM Comput. Surv. 49, 62:1–62:35 (2016)
Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secur. Comput. 11, 30–44 (2014)
Wang, L., Jajodia, S., Singhal, A., Noel, S.: k-zero day safety: measuring the security risk of networks against unknown attacks. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 573–587. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15497-3_35
Zhang, M., Wang, L., Jajodia, S., Singhal, A., Albanese, M.: Network diversity: a security metric for evaluating the resilience of networks against zero-day attacks. IEEE Trans. Inf. Forensics Secur. 11, 1071–1086 (2016)
Bopche, G.S., Mehtre, B.M.: Exploiting curse of diversity for improved network security. In: Proceedings of 4th International Conference on Advances in Computing, Communications and Informatics (ICACCI), pp. 1975–1981. IEEE (2015)
Manadhata, P.K., Wing, J.M.: An attack surface metric. IEEE Trans. Softw. Eng. 37, 371–386 (2011)
Jha, S., Sheyner, O., Wing, J.: Two formal analysis of attack graphs. In: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, CSFW 2002, Washington, DC, USA, pp. 49–63. IEEE Computer Society (2002)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284 (2002)
Ou, X., Boyer, W.F.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS), pp. 336–345. ACM Press (2006)
Jajodia, S., Noel, S.: Topological vulnerability analysis: a powerful new approach for network attack prevention, detection, and response. In: Algorithms, Architectures, and Information System Security, pp. 285–305. World Scientific (2009)
Ghosh, N., Ghosh, S.: A planner-based approach to generate and analyze minimal attack graph. Appl. Intell. 36, 369–390 (2012)
Garcia, M., Bessani, A., Gashi, I., Neves, N., Obelheiro, R.: OS diversity for intrusion tolerance: myth or reality? In: Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks, DSN 2011, Washington, DC, USA, pp. 383–394. IEEE Computer Society (2011)
Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th Conference on USENIX Security Symposium, SSYM 2005, Berkeley, CA, USA, vol. 14, pp. 8–16. USENIX Association (2005)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Bopche, G.S., Rai, G.N., Mehtre, B.M. (2019). Inter-path Diversity Metrics for Increasing Networks Robustness Against Zero-Day Attacks. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_4
Download citation
DOI: https://doi.org/10.1007/978-981-13-5826-5_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-5825-8
Online ISBN: 978-981-13-5826-5
eBook Packages: Computer ScienceComputer Science (R0)