Introduction to mathematical logic (3rd ed.)
Introduction to mathematical logic (3rd ed.)
A graph-based system for network-vulnerability analysis
Proceedings of the 1998 workshop on New security paradigms
Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security
IEEE Transactions on Software Engineering
Scalable, graph-based network vulnerability analysis
Proceedings of the 9th ACM conference on Computer and communications security
Model-based analysis of configuration vulnerabilities
Journal of Computer Security
Representing TCP/IP Connectivity For Topological Analysis of Network Security
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Two Formal Analys s of Attack Graphs
CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Using Model Checking to Analyze Network Vulnerabilities
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Efficient Minimum-Cost Network Hardening Via Exploit Dependency Graphs
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Correlating Intrusion Events and Building Attack Scenarios Through Attack Graph Distances
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
NetKuang: a multi-host configuration vulnerability checker
SSYM'96 Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography - Volume 6
An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts
ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
Toward measuring network security using attack graphs
Proceedings of the 2007 ACM workshop on Quality of protection
Information Assurance: Dependability and Security in Networked Systems
Information Assurance: Dependability and Security in Networked Systems
Implementing interactive analysis of attack graphs using relational databases
Journal of Computer Security - 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec'06)
An Attack Graph-Based Probabilistic Security Metric
Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
A Graph-Theoretic Visualization Approach to Network Risk Analysis
VizSec '08 Proceedings of the 5th international workshop on Visualization for Computer Security
Authenticating the query results of text search engines
Proceedings of the VLDB Endowment
Extending logical attack graphs for efficient vulnerability analysis
Proceedings of the 15th ACM conference on Computer and communications security
Measuring network security using dynamic bayesian network
Proceedings of the 4th ACM workshop on Quality of protection
Optimal IDS Sensor Placement and Alert Prioritization Using Attack Graphs
Journal of Network and Systems Management
A Scalable Approach to Full Attack Graphs Generation
ESSoS '09 Proceedings of the 1st International Symposium on Engineering Secure Software and Systems
Formal Technique for Discovering Complex Attacks in Computer Systems
Proceedings of the 2007 conference on New Trends in Software Methodologies, Tools and Techniques: Proceedings of the sixth SoMeT_07
Using game theory to configure P2P SIP
Proceedings of the 3rd International Conference on Principles, Systems and Applications of IP Telecommunications
Sat-solving approaches to context-aware enterprise network security management
IEEE Journal on Selected Areas in Communications - Special issue on network infrastructure configuration
Privacy-preserving similarity-based text retrieval
ACM Transactions on Internet Technology (TOIT)
Defensive configuration with game theory
IM'09 Proceedings of the 11th IFIP/IEEE international conference on Symposium on Integrated Network Management
Measuring the overall security of network configurations using attack graphs
Proceedings of the 21st annual IFIP WG 11.3 working conference on Data and applications security
Formal approach to security metrics.: what does "more secure" mean for you?
Proceedings of the Fourth European Conference on Software Architecture: Companion Volume
Event-driven architecture based on patterns for detecting complex attacks
International Journal of Critical Computer-Based Systems
k-zero day safety: measuring the security risk of networks against unknown attacks
ESORICS'10 Proceedings of the 15th European conference on Research in computer security
Objective Risk Evaluation for Automated Security Management
Journal of Network and Systems Management
Formal analysis of security metrics and risk
WISTP'11 Proceedings of the 5th IFIP WG 11.2 international conference on Information security theory and practice: security and privacy of mobile devices in wireless communication
Challenges in secure sensor-cloud computing
SDM'11 Proceedings of the 8th VLDB international conference on Secure data management
Distilling critical attack graph surface iteratively through minimum-cost SAT solving
Proceedings of the 27th Annual Computer Security Applications Conference
A planner-based approach to generate and analyze minimal attack graph
Applied Intelligence
Attack modeling of SIP-Oriented SPIT
CRITIS'07 Proceedings of the Second international conference on Critical Information Infrastructures Security
Indices of power in optimal IDS default configuration: theory and examples
GameSec'11 Proceedings of the Second international conference on Decision and Game Theory for Security
Authentication of moving range queries
Proceedings of the 21st ACM international conference on Information and knowledge management
A vulnerability attack graph generation method based on scripts
ICICA'12 Proceedings of the Third international conference on Information Computing and Applications
Aggregating vulnerability metrics in enterprise networks using attack graphs
Journal of Computer Security
Hi-index | 0.24 |
In defending one's network against cyber attack, certain vulnerabilities may seem acceptable risks when considered in isolation. But an intruder can often infiltrate a seemingly well-guarded network through a multi-step intrusion, in which each step prepares for the next. Attack graphs can reveal the threat by enumerating possible sequences of exploits that can be followed to compromise given critical resources. However, attack graphs do not directly provide a solution to remove the threat. Finding a solution by hand is error-prone and tedious, particularly for larger and less secure networks whose attack graphs are overly complicated. In this paper, we propose a solution to automate the task of hardening a network against multi-step intrusions. Unlike existing approaches whose solutions require removing exploits, our solution is comprised of initially satisfied conditions only. Our solution is thus more enforceable, because the initial conditions can be independently disabled, whereas exploits are usually consequences of other exploits and hence cannot be disabled without removing the causes. More specifically, we first represent given critical resources as a logic proposition of initial conditions. We then simplify the proposition to make hardening options explicit. Among the options we finally choose solutions with the minimum cost. The key improvements over the preliminary version of this paper include a formal framework of the minimum network hardening problem, and an improved one-pass algorithm in deriving the logic proposition while avoiding logic loops.