Rule-based topological vulnerability analysis

Authors:
Vipin Swarup;Sushil Jajodia;Joseph Pamula
Affiliations:
The MITRE Corporation, McLean, VA;Center for Secure Information Systems, George Mason University, Fairfax, VA;Center for Secure Information Systems, George Mason University, Fairfax, VA
Venue:
MMM-ACNS'05 Proceedings of the Third international conference on Mathematical Methods, Models, and Architectures for Computer Network Security
Year:
2005

Citing 11
Cited 5

Models and tools for quantitative assessment of operational security

Information systems security
A graph-based system for network-vulnerability analysis

Proceedings of the 1998 workshop on New security paradigms
Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security

IEEE Transactions on Software Engineering
A requires/provides model for computer attacks

Proceedings of the 2000 workshop on New security paradigms
Scalable, graph-based network vulnerability analysis

Proceedings of the 9th ACM conference on Computer and communications security
Model-based analysis of configuration vulnerabilities

Journal of Computer Security
Privilege Graph: an Extension to the Typed Access Matrix Model

ESORICS '94 Proceedings of the Third European Symposium on Research in Computer Security
Representing TCP/IP Connectivity For Topological Analysis of Network Security

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Two Formal Analys s of Attack Graphs

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Automated Generation and Analysis of Attack Graphs

SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Using Model Checking to Analyze Network Vulnerabilities

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy

A weakest-adversary security metric for network configuration security analysis

Proceedings of the 2nd ACM workshop on Quality of protection
A framework for establishing, assessing, and managing trust in inter-organizational relationships

Proceedings of the 3rd ACM workshop on Secure web services
Extending logical attack graphs for efficient vulnerability analysis

Proceedings of the 15th ACM conference on Computer and communications security
Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs

Journal of Network and Systems Management
Assessing the risk of an information infrastructure through security dependencies

CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Attack graphs represent known attack sequences that attackers can use to penetrate computer networks. Recently, many researchers have proposed techniques for automatically generating attack graphs for a given computer network. These techniques either use model checkers to generate attack graphs and suffer from scalability problems, or they are based on an assumption of monotonicity and are unable to represent real-world situations. In this paper, we present a vulnerability analysis technique that is more scalable than model-checker-based solutions and more expressive than monotonicity-based solutions. We represent individual attacks as the transition rules of a rule-based system. We define noninterfering rulesets and present efficient, scalable algorithms for those sets. We then consider arbitrary nonmonotonic rulesets and present a series of optimizations which permit us to perform vulnerability assessment efficiently in most practical cases. We motivate the issues and illustrate our techniques using a substantial example.