Authors: Fangfang Chen, Chunlu Wang, Zhihong Tian, Shuyuan Jin, Tianle Zhang

Abstract:

Attack graph is an integral part of modeling the overview of network security. System administrators use attack graphs to determine how vulnerable their systems are and to determine what security measures to deploy to defend their systems. Previous methods on AGG(attack graphs generation) are aiming at the whole network, which makes the process of AGG complex and non-scalable. In this paper, we propose a new approach which is simple and scalable to AGG by decomposing the whole network into atomic domains. Each atomic domain represents a host with a specific privilege. Then the process for AGG is achieved by communications among all the atomic domains. Our approach simplifies the process of design for the whole network, and can gives the attack graphs including each attack path for each host, and when the network changes we just carry on the operations of corresponding atomic domains which makes the process of AGG scalable.

Keywords: atomic domain, vulnerability, attack graphs, generation, computer security

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1085437

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1607

References:

[1] Rattikorn Hewett and Phongphun Kijsanayothin, Host-Centric Model Checking for Network Vulnerability Analysis, Proceedings of 2008 Annuual Computer Security Applications Conference, pp.225-234,2008
[2] Robert Richardson, 2008 CSI Computer Crime Security Servy, http://www.gocsi.com/index.jhtml
[3] Lingyu Wang, Steven Noel and Sushil Jajodia, Minimum-cost Network Hardening Using Attack Graphs, Computer Communications, Volume 29, Issue 18 , 28 November 2006, Pages 3812-3824
[4] Ou X., W. Boyer, and M.McQueen, A scalable approach to attack graph generation, Proc. Of ACM conf. On Comp. And Com. Security,pp.336-345,2006
[5] The NuSMV (A New Symbolic Model Checker) System, Aval on http://nusmv.itc.it/ ,2009.
[6] Oleg Sheyner, Scenario Graphs and Attack Graphs, PhD thesis,Cainehic Mellon University,2004
[7] O. Sheyner, S. Jha, J. Mwing, R. P. Lippmann and J. Haines, Automated Generation and Analysis of Attack Graphs, Proceeding of the IEEE Symposium on Security and Privacy,pp.273-284,2002
[8] O. Sheyner and J. Wing, Tools for Generating and Analyzing Attack Graphs, Proceeding of Workshop on Formal Methods for Comp. And Objects,pp.344-371,2004
[9] C. Phillips and L. Swiler, A graph-based system for network-vulnerability analysis, Proceeding of the workshop on new security paradigms,pp.71-79,1998
[10] Paul Ammann, Joseph Pamula and Ronald Ritchey, A host-based approach to network attack chaining analysis, Proceeding of the 21th Annual Computer Security Applications Conference,pp.72-84,2005.
[11] Paul Ammann, Duminda Wijesekera and Saket Kaushik,Scalable, Graph-Based Network Vulnerability Analysis, Proceeding of ACM conference on Comp. Com.Sec.,pp.217-224,2002.
[12] F. Cuppens, Alert Correlation in a Cooperative Intrusion Detection Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy,Washington,DC,IEEE Computer Society,2002.
[13] P. Ning and D. Xu, Learning attack strategies from intrusion alerts, Proceedings of the 10th ACM Conference on Computer and Communications Security,New York:ACM Press,2003,200-209.
[14] M. Artz, NETspa, A Network Security Planning Architecture, M.S. Thesis, Cambridge: Massachusetts Institute of Technology, May 2002.
[15] J. P. McDermott, Attack Net Penetration Testing, Proceedings of the 2000 Workshop on New Security Paradings.New York:ACM Press,2001,pp.15-21.
[16] S. Jha,O. Sheyner,and J. Wing, Two formal analysis of attack graphs, Proccedings of the 15th IEEE Computer Security Foundations Workshop,pp.49-63,2002.
[17] CVSS-Common Vulnerability Scoring System, Avail. on http://nvd.nist.gov/cvss.cfm?version=2, March , 2009
[18] M. Artz, NETspa, A Network Security Planning Architecture, M.S. Thesis,Cambridge:Massachusetts Institute of Technology,May 2002
[19] Network Mapper. http://nmap.org/, 2009
[20] R. P. Lippmann and K. W. Ingols, An Annotated Review of Past Papers on Attack Graphs, Technical report,Massachusetts Institute of Techonology Lincoln Laboratory,March 2005.
[21] L. Swiler, C. Phillips, D. Ellis and S. Chakerian, Computer-attack graph generation tool, Proc. DARPA Info. Surv. Conf. Expo. ,vol.2,pp.307- 321,2001.
[22] R. Ritchey and P. Amman, Using Model Checking to Analyze Network Vulnerabilities, Proceedings of the 2000 IEEE Symposiums on Security and Privacy,pp.156-165,2000
[23] Somesh Jha and Jeannette Wing, Survivability analysis of networked systems, Proceedings of the International Conference on Software Engineering,Toronto,Canada,May 2001