Evaluating network security with two-layer attack graphs

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2009, Pages 127-136

  Xie, Anming ^a,b   Cai, Zhuhua ^c   Tang, Cong ^a,b   Hu, Jianbin ^a,b   Chen, Zhong ^a,b  

^a PEKING UNIVERSITY   (China)

^b BEIJING UNIVERSITY OF POSTS AND TELECOMMUNICATIONS   (China)

^c RICE UNIVERSITY   (United States)

Author keywords

Adjacency matrix; Attack graphs; Network security; Prioritized list

Indexed keywords

ADJACENCY MATRICES; ATTACK GRAPH; ATTACK GRAPHS; COMPUTATION COSTS; EVALUATION RESULTS; GRAY-SCALE IMAGES; LARGE NETWORKS; MEASUREMENT METHODOLOGY; NETWORK ADMINISTRATOR; REAL TIME; SECURITY MEASUREMENT; STEPPING STONE; TWO LAYERS; UPPER BOUND; UPPER LAYER; WEIGHT FACTOR;

COMPUTER APPLICATIONS; COST BENEFIT ANALYSIS; GRAPHIC METHODS; MATRIX ALGEBRA;

NETWORK SECURITY;

EID: 77950788192     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2009.22     Document Type: Conference Paper

References (25)

1. C. A. Phillips and L. P. Swiler, "A graph-based system for network-vulnerability analysis," in Workshop on New Security Paradigms, 1998, pp. 71-79.
2. O. Sheyner, J. W. Haines, S. Jha, R. Lippmann, and J. M. Wing, "Automated generation and analysis of attack graphs," in IEEE Symposium on Security and Privacy, 2002, pp. 273-284.
3. L. Wang, A. Singhal, and S. Jajodia, "Toward measuring network security using attack graphs," in QoP, G. Karjoth and K. Stølen, Eds. ACM, 2007, pp. 49-54.
4. S. Noel, S. Jajodia, B. O'Berry, and M. Jacobs, "Efficient minimum-cost network hardening via exploit dependency graphs," in ACSAC. IEEE Computer Society, 2003, pp. 86-95.
5. L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, "An attack graph-based probabilistic security metric," in DBSec, ser. Lecture Notes in Computer Science, V. Atluri, Ed., vol. 5094. Springer, 2008, pp. 283-296.
6. J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, "A weakest-adversary security metric for network configuration security analysis," in QoP, G. Karjoth and F. Massacci, Eds. ACM, 2006, pp. 31-38.
7. M. Frigault, L. Wang, A. Singhal, and S. Jajodia, "Measuring network security using dynamic bayesian network," in QoP, A. Ozment and K. Stølen, Eds. ACM, 2008, pp. 23-30.
8. P. Ammann, D. Wijesekera, and S. Kaushik, "Scalable, graph-based network vulnerability analysis," in CCS '02: Proceedings of the 9th ACM conference on Computer and communications security. New York, NY, USA: ACM, 2002, pp. 217-224.
9. S. Jajodia, S. Noel, and B. OBerry, "Topological analysis of network attack vulnerability," in Managing Cyber Threats: Issues, Approaches and Challenges, V. Kumar, J. Srivastava, and A. Lazarevic, Eds. Kluwer Academic Publisher, 2003.
10. R. Hewett and P. Kijsanayothin, "Host-centric model checking for network vulnerability analysis," in ACSAC '08: Proceedings of the 2008 Annual Computer Security Applications Conference. Washington, DC, USA: IEEE Computer Society, 2008, pp. 225-234.
11. R. E. Sawilla and X. Ou, "Identifying critical attack assets in dependency attack graphs," in ESORICS, ser. Lecture Notes in Computer Science, S. Jajodia and J. López, Eds., vol. 5283. Springer, 2008, pp. 18-34.
12. P. Ammann, J. Pamula, J. A. Street, and R. W. Ritchey, "A host-based approach to network attack chaining analysis," in ACSAC. IEEE Computer Society, 2005, pp. 72-84.
13. A. Hecker, "On system security metrics and the definition approaches," in SECURWARE. IEEE, 2008, pp. 412-419.
14. A. Atzeni and A. Lioy, "Why to adopt a security metric? a brief survey," in QoP2005, First Int. Workshop on Quality of Protection, 2005, pp. 1-12.
15. P. Mell, K. Scarfone, and S. Romanosky. Cvss. A Complete Guide to the Common Vulnerability Scoring System Version 2.0. [Online]. Available: http://www.first.org/cvs s/cvss-guide.html
16. Nessus. Open source vulnerability scanner project. [Online]. Available: http://www.nessus.org/nessus
17. M. S. Ahmed, E. Al-Shaer, and L. Khan, "A novel quantitative approach for measuring network security," in The 27th Conference on Computer Communicationsm, INFOCOM, 2008, pp. 1957-11065
18. R. Ortalo, Y. Deswarte, and M. Kaâniche, "Experimenting with quantitative evaluation tools for monitoring operational security," IEEE Trans. Software Eng., vol. 25, no. 5, pp. 633-650, 1999.
19. R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K. Kratkiewicz, M. Artz, and R. Cunningham, "Validating and restoring defense in depth using attack graphs," in Proceedings of MILCOM2006, Washington, DC, 2006, pp. 1-10.
20. K. Ingols, R. Lippmann, and K. Piwowarski, "Practical attack graph generation for network defense," in ACSAC. IEEE Computer Society, 2006, pp. 121-130.
21. S. Noel and S. Jajodia, "Understanding complex network attack graphs through clustered adjacency matrices," in ACSAC. IEEE Computer Society, 2005, pp. 160-169.
22. S. O'Hare, S. Noel, and K. Prole, "A graph-theoretic visualization approach to network risk analysis," in VizSEC, ser. Lecture Notes in Computer Science, J. R. Goodall, G. J. Conti, and K.-L. Ma, Eds., vol. 5210. Springer, 2008, pp. 60-67.
23. J. Homer, A. Varikuti, X. Ou, and M. A. McQueen, "Improving attack graph visualization through data reduction and attack grouping," in VizSEC, ser. Lecture Notes in Computer Science, J. R. Goodall, G. J. Conti, and K.-L. Ma, Eds., vol. 5210. Springer, 2008, pp. 68-79.
24. Y. Zhang and V. Paxson, "Detecting stepping stones," in SSYM'00: Proceedings of the 9th conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2000, pp. 13-13.
25. D. L. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, "Multiscale stepping-stone detection: Detecting pairs of jittered interactive streams by exploiting maximum tolerable delay," in RAID, 2002, pp. 17-35.