Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs

Journal of Network and Systems Management

Abstract

We optimally place intrusion detection system (IDS) sensors and prioritize IDS alerts using attack graph analysis. We begin by predicting all possible ways of penetrating a network to reach critical assets. The set of all such paths through the network constitutes an attack graph, which we aggregate according to underlying network regularities, reducing the complexity of analysis. We then place IDS sensors to cover the attack graph using the fewest sensors. This minimizes the cost of sensors, including the effort of deploying, configuring, and maintaining them, while maintaining complete coverage of potential attack paths. The sensor-placement problem we pose is an instance of the NP-hard minimum set cover problem. We solve it with an efficient greedy algorithm, which works well in practice. Once sensors are deployed and alerts are raised, the same predictive attack graph allows us to prioritize alerts by their attack graph distance to critical assets.
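As an added worked example (not code from the paper or its authors), the following Python script runs the pipeline the abstract describes on a small, hand-built attack graph: it enumerates the exploit edges that lie on some path from the attacker to a critical asset, chooses sensor locations by greedy set cover over those edges, and then ranks incoming alerts by their remaining attack-graph distance to the asset. The hosts, exploit edges, candidate sensor locations and the alert stream are all constructed for illustration; the paper's aggregation of the graph by network regularities is not reproduced here.

```python
from collections import deque

# Constructed example (not from the paper): a host-level attack graph in which a
# directed edge (src, dst) is an exploit that lets an attacker who controls src
# compromise dst. Real graphs are built from vulnerability-scanner output; this
# one is hand-written so the example runs offline.
ATTACK_GRAPH = {
    "attacker":   ["web", "mail"],
    "web":        ["app", "mail"],
    "mail":       ["app"],
    "app":        ["db"],
    "db":         [],
    "fileserver": ["db"],   # never reached from the attacker, so not on any attack path
}
CRITICAL_ASSETS = {"db"}

# Hypothetical candidate sensor locations. Each maps to the set of exploit
# edges whose traffic a sensor placed at that point would observe.
SENSOR_COVERAGE = {
    "dmz-ingress":  {("attacker", "web"), ("attacker", "mail")},
    "dmz-internal": {("web", "app"), ("mail", "app"), ("web", "mail")},
    "internal-db":  {("app", "db"), ("fileserver", "db")},
    "host-web":     {("attacker", "web"), ("web", "app"), ("web", "mail")},
}


def reverse(graph):
    """Reverse every edge; used to search backwards from the critical assets."""
    rev = {n: [] for n in graph}
    for u, vs in graph.items():
        for v in vs:
            rev.setdefault(v, []).append(u)
    return rev


def reachable(graph, sources):
    """Breadth-first search: every node reachable from any source (sources included)."""
    seen = set(sources)
    queue = deque(sources)
    while queue:
        u = queue.popleft()
        for v in graph.get(u, []):
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def attack_path_edges(graph, start, critical):
    """Edges lying on at least one path from start to a critical asset.

    (u, v) qualifies iff u is reachable from start and some critical asset is
    reachable from v. This is exactly the set the sensors must cover.
    """
    forward = reachable(graph, [start])
    backward = reachable(reverse(graph), list(critical))
    return {(u, v) for u, vs in graph.items() for v in vs
            if u in forward and v in backward}


def greedy_set_cover(universe, subsets):
    """Greedy minimum set cover: repeatedly pick the candidate that covers the
    most still-uncovered elements. Polynomial time, within a ln(n) factor of
    optimal, and essentially the best approximation achievable for set cover."""
    uncovered = set(universe)
    chosen = []
    while uncovered:
        best = max(subsets, key=lambda name: len(subsets[name] & uncovered))
        gain = subsets[best] & uncovered
        if not gain:
            # An attack path exists that no candidate sensor can see: surface it
            # rather than silently reporting a "complete" placement.
            raise ValueError(f"no candidate sensor observes: {sorted(uncovered)}")
        chosen.append(best)
        uncovered -= gain
    return chosen


def distance_to_critical(graph, critical):
    """Hops from each node to its nearest critical asset (multi-source BFS on the reversed graph)."""
    rev = reverse(graph)
    dist = {c: 0 for c in critical}
    queue = deque(critical)
    while queue:
        v = queue.popleft()
        for u in rev.get(v, []):
            if u not in dist:
                dist[u] = dist[v] + 1
                queue.append(u)
    return dist


def prioritize_alerts(alerts, graph, critical):
    """Rank observed exploit alerts (src, dst) by how many further exploits the
    attacker needs from dst to reach a critical asset; fewer hops rank first.
    Alerts whose destination cannot reach any critical asset sort last."""
    dist = distance_to_critical(graph, critical)
    return sorted(alerts, key=lambda edge: dist.get(edge[1], float("inf")))


if __name__ == "__main__":
    edges = attack_path_edges(ATTACK_GRAPH, "attacker", CRITICAL_ASSETS)
    print("edges to cover:", sorted(edges))
    print("sensors:", greedy_set_cover(edges, SENSOR_COVERAGE))
    # Constructed alert stream: (src, dst) exploits an IDS has reported.
    alerts = [("attacker", "web"), ("app", "db"), ("mail", "app"), ("attacker", "mail")]
    print("prioritized:", prioritize_alerts(alerts, ATTACK_GRAPH, CRITICAL_ASSETS))
```

On this input the greedy pass selects `dmz-internal`, `dmz-ingress` and `internal-db`, which is also optimal: `("app", "db")` is observed only by `internal-db`, and no single remaining candidate covers the other five edges. Note that `("fileserver", "db")` is deliberately left out of the cover set because the attacker cannot reach `fileserver`; covering edges that are not on any attack path is exactly the sensor cost the paper's formulation avoids. The `ValueError` branch is the check a practitioner wants: a placement that cannot see every attack path should fail loudly, not report full coverage.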



Acknowledgments

This material is based upon work supported by Homeland Security Advanced Research Projects Agency under the Contract FA8750-05-C-0212 administered by the Air Force Research Laboratory/Rome; by Air Force Research Laboratory/Rome under the Contract FA8750-06-C-0246; and by Federal Aviation Administration under the Contract DTFAWA-04-P-00278/0001.

Author information

Correspondence to Steven Noel.

Cite this article

Noel, S., Jajodia, S. Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs. J Netw Syst Manage 16, 259–275 (2008). https://doi.org/10.1007/s10922-008-9109-x
