DOI: 10.1145/1455770.1455780
Research article

Extending logical attack graphs for efficient vulnerability analysis

Published: 27 October 2008

Abstract

An attack graph illustrates all possible multi-stage, multi-host attacks in an enterprise network and is essential for vulnerability analysis tools. Recently, researchers have addressed the problem of scalable attack graph generation through a logical formulation of vulnerability analysis in an existing framework called MulVAL. In this paper, we take a step further to make attack graph-based vulnerability analysis useful and practical for real networks. Firstly, we extend the MulVAL framework to include the more complex security policies found in advanced operating systems. Secondly, we present a more expressive view of the attack graph by including negation in the logical characterization, and we present an algorithm to generate it. Finally, we present an incremental algorithm which efficiently recomputes the attack graph in response to changes in the inputs of the vulnerability analysis framework. This is particularly useful for mutation or "what-if" analysis, where network administrators want to see the effect of network or host parameter changes on the attack graph before pushing the changes to the network. Preliminary experiments demonstrate the effectiveness of our algorithms.
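As an added illustration (not code from the paper or from the MulVAL project), the following Python sketches the logical formulation the abstract refers to: a handful of MulVAL-style facts and Horn rules describing a constructed two-host network, a fixpoint that records every justification of each derived fact (the logical attack graph), and a what-if query that recomputes the graph after a configuration change and reports which attacker capabilities are no longer derivable. The predicate names are modelled on MulVAL's vocabulary, the rule set and the CVE placeholders are constructed for the example, and the what-if recomputes from scratch, which is exactly the cost that an incremental algorithm of the kind the paper describes is designed to avoid.

```python
"""Tiny logical attack graph with what-if analysis (illustrative example, not the paper's code)."""

# Constructed sample network. Predicate names follow MulVAL's style (assumption, not from the page):
#   hacl(Src, Dst, Proto, Port)                 host access control: Src may reach Dst on Proto/Port
#   networkServiceInfo(Host, Prog, Proto, Port, Perm)  Prog listens on Host with privilege Perm
#   vulExists(Host, Id, Prog, Range, Consequence)      a known vulnerability in Prog on Host
FACTS = {
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", "80"),
    ("hacl", "webServer", "dbServer", "tcp", "3306"),
    ("networkServiceInfo", "webServer", "httpd", "tcp", "80", "apache"),
    ("networkServiceInfo", "dbServer", "mysqld", "tcp", "3306", "root"),
    ("vulExists", "webServer", "CVE-PLACEHOLDER-1", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "dbServer", "CVE-PLACEHOLDER-2", "mysqld", "remoteExploit", "privEscalation"),
}

# Horn rules: (name, head pattern, body patterns). Terms starting with "?" are variables.
RULES = [
    ("direct network access",
     ("netAccess", "?H", "?Proto", "?Port"),
     [("attackerLocated", "?Z"), ("hacl", "?Z", "?H", "?Proto", "?Port")]),
    ("multi-hop network access from a compromised host",
     ("netAccess", "?H", "?Proto", "?Port"),
     [("execCode", "?Z", "?Perm"), ("hacl", "?Z", "?H", "?Proto", "?Port")]),
    ("remote exploit of a server program",
     ("execCode", "?H", "?Perm"),
     [("vulExists", "?H", "?Id", "?Prog", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "?H", "?Prog", "?Proto", "?Port", "?Perm"),
      ("netAccess", "?H", "?Proto", "?Port")]),
]


def is_var(term):
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, env):
    """Extend binding env so that pattern matches fact, or return None if impossible."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def subst(pattern, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in pattern)


def match_body(body, facts, env):
    """Yield every binding that satisfies all premises of a rule body, left to right."""
    if not body:
        yield env
        return
    first, rest = body[0], body[1:]
    for fact in facts:
        extended = unify(first, fact, env)
        if extended is not None:
            yield from match_body(rest, facts, extended)


def build_attack_graph(facts):
    """Forward-chaining fixpoint. Returns {derived fact: {(rule name, premises)}}.

    Each derived fact keeps every justification, so the result is the AND/OR
    attack graph: a fact node is reachable if any of its rule nodes is, and a
    rule node is reachable only if all of its premises are.
    """
    known = set(facts)
    graph = {}
    changed = True
    while changed:
        changed = False
        snapshot = frozenset(known)          # iterate over a fixed view while adding
        for name, head, body in RULES:
            for env in match_body(body, snapshot, {}):
                derived = subst(head, env)
                premises = tuple(subst(p, env) for p in body)
                justifications = graph.setdefault(derived, set())
                if (name, premises) not in justifications:
                    justifications.add((name, premises))
                    changed = True
                known.add(derived)
    return graph


def what_if(facts, removed=(), added=()):
    """Recompute after a configuration change and report the change in attacker capabilities."""
    before = build_attack_graph(facts)
    after = build_attack_graph((set(facts) - set(removed)) | set(added))
    return {
        "no_longer_derivable": sorted(set(before) - set(after)),
        "newly_derivable": sorted(set(after) - set(before)),
    }


if __name__ == "__main__":
    graph = build_attack_graph(FACTS)
    for fact, reasons in sorted(graph.items()):
        print(fact)
        for rule, premises in sorted(reasons):
            print("   <-", rule, premises)
    # What-if: drop the firewall rule that lets the web server reach the database.
    print(what_if(FACTS, removed=[("hacl", "webServer", "dbServer", "tcp", "3306")]))
```

On the constructed network the attacker reaches root on the database only through the compromised web server, so removing the single `hacl` fact between the two hosts makes both `netAccess` on the database and `execCode` on it underivable; the graph for the web server is unchanged. An incremental evaluator would reach the same answer by retracting only the derivations that depended on the removed fact instead of recomputing the whole fixpoint.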




Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, October 2008, 590 pages. ISBN: 9781595938107. DOI: 10.1145/1455770

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. attack graphs
  2. incremental analysis
  3. logic programming

Conference

CCS '08

Acceptance Rates

CCS '08 paper acceptance rate: 51 of 280 submissions, 18%.
Overall acceptance rate: 1,261 of 6,999 submissions, 18%.

Article Metrics

  • Downloads (last 12 months): 35
  • Downloads (last 6 weeks): 6

Reflects downloads up to 18 Feb 2025.

Cited By
  • (2024) Cubic-DUCAG: A New Modeling and Probabilistic Computing Approach for Cyclic Network Attacks. 2024 IEEE International Conferences on Internet of Things (iThings) and IEEE Green Computing & Communications (GreenCom) and IEEE Cyber, Physical & Social Computing (CPSCom) and IEEE Smart Data (SmartData) and IEEE Congress on Cybermatics, pp. 60–66. DOI: 10.1109/iThings-GreenCom-CPSCom-SmartData-Cybermatics62450.2024.00033. Published 19 Aug 2024.
  • (2024) Industry-Specific Vulnerability Assessment. Web Information Systems Engineering – WISE 2024, pp. 123–139. DOI: 10.1007/978-981-96-0576-7_10. Published 27 Nov 2024.
  • (2023) A Survey of MulVAL Extensions and Their Attack Scenarios Coverage. IEEE Access 11, pp. 27974–27991. DOI: 10.1109/ACCESS.2023.3257721. Published 2023.
  • (2023) Attack graph analysis. Computers and Security 126:C. DOI: 10.1016/j.cose.2022.103081. Published 1 Mar 2023.
  • (2022) Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses. IEEE Transactions on Dependable and Secure Computing 19(6), pp. 4255–4269. DOI: 10.1109/TDSC.2021.3125270. Published 1 Nov 2022.
  • (2022) A multi-objective cost–benefit optimization algorithm for network hardening. International Journal of Information Security 21(4), pp. 813–832. DOI: 10.1007/s10207-022-00586-7. Published 1 Aug 2022.
  • (2021) Analysis of Challenges in Modern Network Forensic Framework. Security and Communication Networks 2021. DOI: 10.1155/2021/8871230. Published 1 Jan 2021.
  • (2020) Cyclic Bayesian Attack Graphs: A Systematic Computational Approach. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 129–136. DOI: 10.1109/TrustCom50675.2020.00030. Published Dec 2020.
  • (2019) Design Procedure of Knowledge Base for Practical Attack Graph Generation. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 594–601. DOI: 10.1145/3321705.3329853. Published 2 Jul 2019.
  • (2018) iOracle. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 117–131. DOI: 10.1145/3196494.3196527. Published 29 May 2018.
