Conferences >2009 International Conference...

Two Scalable Analyses of Compact Attack Graphs for Defending Network Security

Download PDF
Download References
Request Permissions
Save to
Alerts

Abstract:

The compact attack graphs implicitly reveal the threat of sophisticated multi-step attacks by enumerating possible sequences of exploits leading to the compromising given...Show More

Metadata

Abstract:

The compact attack graphs implicitly reveal the threat of sophisticated multi-step attacks by enumerating possible sequences of exploits leading to the compromising given critical resources in enterprise networks with thousands of hosts. For security analysts, the challenge is how to analyze the complex attack graphs with possible ten thousands of nodes for defending the security of network. In the paper, we will essentially discuss two issues about it. The first is to compute non-loop attack paths with the distance less than the given number that the real attacker may take practically in realistic attack scenarios. The second is to find the solution to removing vulnerabilities in such a way that given critical resources cannot be compromised while the cost for such removal incurs the least cost. We propose two scalable approaches to solve the above two issues respectively. These two approaches are proved to have a polynomial time complexity and can scale to the attack graphs with ten thousands of nodes corresponding large enterprise networks.

Published in: 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing

Date of Conference: 25-26 April 2009

Date Added to IEEE Xplore: 05 May 2009

ISBN Information:

DOI: 10.1109/NSWCTC.2009.268

Conference Location: Wuhan, China

Citations are not available for this document.

Contents

I. Introduction

When defending an isolated network with critical resources, some vulnerabilities may seem to be insignificant. Attackers, however, can often infiltrate a seemingly well-guarded network using multi-step attacks by exploiting sequences of related vulnerabilities. Attack graphs can reveal such potential threats by enumerating all possible sequences attackers can exploit. The earlier methods [1]–2, 6–[13] can only generate state-based attack graphs for the small target network of size ten. Hence, the scalability of attack graphs generation is a serious issue. Recently, researchers propose some novel approaches to construct compact attack graphs utilizing monotonicity assumption: an attacker never relinquishes any obtained capabilities [14]–[17]. The Ou's method even can generate compact attack graphs for the enterprise network with the size of thousands [15]. Consequently, security analysts face the challenge to analyze the sophisticated attack graphs with possible ten thousands of nodes. In the paper, we will discuss two essential issues.

Cites in Patents (1)Patent Links Provided by 1790 Analytics

Bowers, Kevin D.; van Dijk, Marten E.; Juels, Ari; Oprea, Alina M.; Rivest, Ronald L.; Triandopoulos, Nikolaos, "Graph-based approach to deterring persistent security threats"

Patent No. 8813234 Patent Office Google Scholar

References is not available for this document.

Two Scalable Analyses of Compact Attack Graphs for Defending Network Security

Abstract:

Metadata

Abstract:

I. Introduction

Cites in Patents (1)Patent Links Provided by 1790 Analytics

References

IEEE Account

Purchase Details

Profile Information

Need Help?

Two Scalable Analyses of Compact Attack Graphs for Defending Network Security

Alerts

Abstract:

Metadata

Abstract:

I. Introduction

Cites in Patents (1)Patent Links Provided by 1790 Analytics

References