DOI: 10.1145/1565799.1565803

Maximizing network security given a limited budget

Published: 01 April 2009

Abstract

In order to safeguard an organization's networked assets, a network administrator must decide how to harden the network. To aid the decision-making process, network administrators may use attack graphs, which, through analysis, yield network hardening suggestions. A critical drawback of currently available analyses is the lack of consideration for the network administrator's defense budget. We overcome this shortcoming by modeling the problem of choosing security measures given a finite budget as a combinatorial optimization problem. We call this problem the Security Measures Choosing Problem (SMCP). Dynamic programming is used to provide optimal solutions.


      Published In

      TAPIA '09: The Fifth Richard Tapia Celebration of Diversity in Computing Conference: Intellect, Initiatives, Insight, and Innovations
      April 2009
      123 pages
      ISBN: 9781605582177
      DOI: 10.1145/1565799
      Conference Chair: Nina Berry

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. attack graphs
      2. countermeasures
      3. network hardening
      4. network security
      5. security measures

      Qualifiers

      • Research-article

      Cited By

      • (2017) Model-Based Quantitative Network Security Metrics: A Survey, IEEE Communications Surveys & Tutorials, 10.1109/COMST.2017.2745505, 19:4 (2704-2734). Online publication date: Dec-2018
      • (2013) Methods for strengthening a Computer network security, 2013 Joint International Conference on Rural Information & Communication Technology and Electric-Vehicle Technology (rICT & ICeV-T), 10.1109/rICT-ICeVT.2013.6741559 (1-4). Online publication date: Nov-2013
      • (2012) Extending Attack Graph-Based Security Metrics and Aggregating Their Application, IEEE Transactions on Dependable and Secure Computing, 10.1109/TDSC.2010.61, 9:1 (75-85). Online publication date: 1-Jan-2012
      • (2009) Collaborative attacks in WiMAX networks, Security and Communication Networks, 10.1002/sec.127, 2:5 (373-391). Online publication date: 6-Jul-2009
