ABSTRACT
Sophisticated cyber-attacks have become prominent with the growth of the Internet and web technology. Such attacks are multi-stage: they correlate vulnerabilities on intermediate hosts to compromise an otherwise well-protected critical resource. Conventional security assessment approaches can leave out some of the complex scenarios these attacks generate. In the literature, such correlated attacks have been modeled using attack graphs. Although a few attack graph-based network security assessment tools are available, they are either commercial products or developed using proprietary databases. In this paper, we develop a customized tool, NetSecuritas, which implements a novel heuristic-based attack graph generation algorithm and integrates the different phases of network security assessment. NetSecuritas leverages open-source libraries, tools and publicly available databases. A cost-driven mitigation strategy is also proposed to generate network security recommendations. Experimental results establish the efficacy of both the attack graph generation and the mitigation approach.
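To make the two ideas in the abstract concrete, here is an added illustration (not NetSecuritas code, and not the paper's heuristic algorithm): a multi-stage attack graph is forward-chained from the attacker's foothold over a constructed four-host network, and a cost-driven hardening step then searches for the cheapest set of patches that leaves the critical resource unreachable. Host names, vulnerability ids and patch costs are all constructed placeholders.

```python
from itertools import combinations

# Constructed sample network (not from the paper): each host lists the hosts it
# can reach and the vulnerabilities it exposes, mapped to a constructed patch cost.
NETWORK = {
    "attacker": {"reaches": ["web", "app"], "vulns": {}},
    "web":      {"reaches": ["app"], "vulns": {"VULN-WEB-1": 3}},
    "app":      {"reaches": ["db"],  "vulns": {"VULN-APP-1": 5, "VULN-APP-2": 2}},
    "db":       {"reaches": [],      "vulns": {"VULN-DB-1": 8}},
}

def generate_attack_graph(network, start="attacker", patched=frozenset()):
    """Forward-chain from the attacker's foothold: a host is compromised when an
    already-compromised host can reach it and it exposes an unpatched vulnerability.
    Returns the compromised hosts and the edges (source, exploited_vuln, target)."""
    compromised, edges = {start}, set()
    changed = True
    while changed:
        changed = False
        for src in list(compromised):
            for dst in network[src]["reaches"]:
                for vuln in network[dst]["vulns"]:
                    if vuln in patched:
                        continue
                    edges.add((src, vuln, dst))
                    if dst not in compromised:
                        compromised.add(dst)
                        changed = True
    return compromised, edges

def cheapest_mitigation(network, target="db"):
    """Cost-driven hardening: the cheapest patch set under which the regenerated
    attack graph no longer reaches the critical resource. Exhaustive search over
    patch subsets, which is fine for a network this small."""
    costs = {v: c for h in network.values() for v, c in h["vulns"].items()}
    best = (float("inf"), frozenset())
    for k in range(len(costs) + 1):
        for subset in combinations(costs, k):
            total = sum(costs[v] for v in subset)
            if total >= best[0]:
                continue  # cannot beat the current best, skip regeneration
            hosts, _ = generate_attack_graph(network, patched=frozenset(subset))
            if target not in hosts:
                best = (total, frozenset(subset))
    return best

if __name__ == "__main__":
    hosts, edges = generate_attack_graph(NETWORK)
    for src, vuln, dst in sorted(edges):
        print(f"{src} --[{vuln}]--> {dst}")
    cost, patches = cheapest_mitigation(NETWORK)
    print(f"cheapest hardening: patch {sorted(patches)} at total cost {cost}")
```

Note that the single cheapest patch (VULN-WEB-1) does not help here because the attacker also reaches the app tier directly; the cheapest cut is both app vulnerabilities (cost 7), which beats patching the database itself (cost 8).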