Conference PaperPDF Available

Multiple Coordinated Views for Network Attack Graphs.

Authors:

Abstract and Figures

While efficient graph-based representations have been developed for modeling combinations of low-level network attacks, relatively little attention has been paid to effective techniques for visualizing such attack graphs. This paper describes a number of new attack graph visualization techniques, each having certain desirable properties and offering different perspectives for solving different kinds of problems. Moreover, the techniques we describe can be applied not only separately, but can also be combined into coordinated attack graph views. We apply improved visual clustering to previously described network protection domains (attack graph cliques), which reduces graph complexity and makes the overall attack flow easier to understand. We also visualize the attack graph adjacency matrix, which shows patterns of network attack while avoiding the clutter usually associated with drawing large graphs. We show how the attack graph adjacency matrix concisely conveys the impact of network configuration changes on attack graphs. We also describe a novel attack graph filtering technique based on the interactive navigation of a hierarchy of attack graph constraints. Overall, our techniques scale quadratically with the number of machines in the attack graph.
Content may be subject to copyright.
Multiple Coordinated Views for Network Attack Graphs
Steven Noel Michael Jacobs Pramod Kalapa Sushil Jajodia
Center for Secure Information Systems, George Mason University
A
BSTRACT
While efficient graph-based representations have been
developed for modeling combinations of low-level network
attacks, relatively little attention has been paid to effective
techniques for visualizing such attack graphs. This paper
describes a number of new attack graph visualization techniques,
each having certain desirable properties and offering different
perspectives for solving different kinds of problems. Moreover,
the techniques we describe can be applied not only separately, but
can also be combined into coordinated attack graph views. We
apply improved visual clustering to previously described network
protection domains (attack graph cliques), which reduces graph
complexity and makes the overall attack flow easier to
understand. We also visualize the attack graph adjacency matrix,
which shows patterns of network attack while avoiding the clutter
usually associated with drawing large graphs. We show how the
attack graph adjacency matrix concisely conveys the impact of
network configuration changes on attack graphs. We also
describe a novel attack graph filtering technique based on the
interactive navigation of a hierarchy of attack graph constraints.
Overall, our techniques scale quadratically with the number of
machines in the attack graph.
CR Categories and Subject Descriptors: K.6.5 [Management
of Computing and Information Systems]: Security and Protection
– unauthorized access
Keywords: Network attack modeling, network attack graphs,
topological vulnerability analysis, graph visualization, graph
clustering, graph filtering
1 I
NTRODUCTION
The utility of organizing multi-step network attacks into graphs
is well established. Such attack graphs allow one to see, step by
step, the various ways an attacker can incrementally penetrate a
network. A network vulnerability considered in isolation may not
appear to pose a significant threat. But the interdependency of
vulnerabilities and the connectivity of a network make such
analysis incomplete. Even well administered networks may be
vulnerable to attacks, because of the security ramifications of
offering a variety of services.
Attack graphs allow the security analyst to assess the true
vulnerability of critical network resources, and to understand how
vulnerabilities in individual network services contribute to overall
vulnerability. Attack graphs can function in defensive as well as
offensive modes, in applications as diverse as network hardening
and what-if analysis, fine tuning and alarm correlation for
intrusion detection systems, enemy course-of-action prediction,
automated attack response, and penetration testing.
Attack graphs have traditionally been created manually, e.g., by
security red teams. But more recently, significant progress has
been made toward generating attack graphs automatically from
models of networks and attacker exploits, notably [1–12]. Given
the creation of such models from network discovery tools,
vulnerability databases, etc., the resulting attack graphs are
potentially huge. Despite not generally being reported in the
literature, there are many practitioners today dealing with very
large attack graphs.
While it is currently possible to generate very large and
complex attack graphs, relatively little work has been done for
managing their complexity. Information visualization techniques
have begun to be applied to information security, particularly for
visualizing network traffic [13–16] and intrusion detection events
[17–18]. These techniques are useful for visual clustering, pattern
recognition, anomaly detection, etc. for situational awareness.
But they generally treat attack events independently of one
another, as opposed to forming sequences of events. As such,
they do not address the particular needs of attack graph
complexity management.
In this paper, we describe a number of new techniques for
managing attack graph complexity through visualization. We
introduce a form of visual clustering with reduced complexity and
improved cognitive flow for a previously described attack graph
representation based on the protection domain abstraction [19].
This approach is particularly advantageous as the number of
exploits across protection domains increases.
We also show how direct visualization of the attack graph
adjacency matrix avoids the clutter often associated with the
drawing of large graphs. Here we rely on known attributes of
network machines to help cluster graph edges in the adjacency
matrix visualization. For example, when adjacency matrix rows
and columns are sorted by internet protocol (IP) address,
protection domains (in this case, subnets) are evident from the full
intra-domain connectivity and relatively sparse inter-domain
connectivity. We show how the adjacency matrix lends itself well
to visualizing differences between attack graphs, e.g., as a result
of network configuration changes.
We introduce a novel interactive attack graph filtering scheme
using an attack graph constraint hierarchy (tree). This allows the
user to interactively navigate the tree hierarchy to specify filtering
constraints that control which subset of the attack graph is
currently visible. In our approach, there are navigational links
within the constraint tree itself, as well as bidirectional links
between the constraint tree and the filtered attack graph. We also
show how intrusion alarms associated with vulnerability-based
attack graph exploits can be linked to the constraint tree and
highlighted on the attack graph.
The techniques we describe can be applied not only
individually, but also in combination, to provide coordinated
multiple views of an attack graph. Each view has certain
strengths, and when combined, this provides great flexibility for
Center for Secure Information Systems, George Mason
University, 4400 University Drive, Mail Stop 5B5, Fairfax,
VA 22030-4444. E-mail: [snoel, mjacobs1, pkalapa,
jajodia]@gmu.edu.
user interaction. These techniques apply to general attack graphs,
such as ones generated from network vulnerability data, intrusion
detection alarms, etc. They also apply regardless of whether the
attack graph is constrained to particular starting points(s) and/or
attack goal(s). Overall, the worst-case complexity of these
techniques is quadratic in the number of network machines.
In the next section, we review related work in this area. In
Section 3, we show how visual clustering can reduce attack graph
complexity using the protection domain abstraction. Section 4
shows how attack graph adjacency matrix visualization, when
combined with ordering by IP address, provides a view of attack
connectivity that avoids the clutter of large drawn graphs. This
section also shows the value of the adjacency matrix visualization
for representing attack graph changes. Section 5 introduces a
novel approach for interactive visual attack graph filtering,
including navigational links and highlighting for intrusion alarms.
In Section 6, we summarize our work and present our conclusions.
2 P
REVIOUS
W
ORK
Various approaches have been described for generating attack
graphs. These generally start with models of network security
conditions and sets of rules (attacker exploits) that induce new
conditions based on existing ones. Valid sequences of exploits
are then generated, and organized as a graph. The various
methods fall under the major categories of logic-based
approaches, e.g., symbolic model checking [1–3], and graph-
theoretic approaches [4–12].
Early approaches to generating attack graphs generally had
serious scalability problems, because of the state explosion
problem. More recent approaches represent dependencies among
state transitions (exploits) [8–12] rather than explicitly
enumerating states. This reduces complexity from exponential to
low-order polynomial. Despite the complexity reduction of the
exploit-dependency representation, such attack graphs can still be
difficult to manage for larger, less secure networks. The
particular problems of attack graph complexity management
(from a usability standpoint) have been largely unexplored.
An approach has been proposed [19] that reduces attack graph
complexity within so-called protection domains (cliques of an
attack graph) from quadratic to linear. However, in that approach,
the visual clustering of machines into protection domains is done
via graph edges, which introduces unnecessary complexity and
makes the attack flow more difficult to follow. We show how the
same information can be better conveyed through visual clustering
as opposed to additional graph edges. We also reduce complexity
by removing redundant exploits, i.e., when a set of exploits from
an inter-domain machine is the same as from the intra-domain
machines. Like [19], our approach employs clustered graphs, first
introduced in [20], with more recent work being represented by
[21].
While our new visual representation of protection domains
reduces complexity (in comparison to [19]), for larger and more
complex graphs, edge clutter can still dominate. We therefore
apply adjacency matrix visualizations to attack graphs. We also
visualize these in a novel way by highlighting attack graph
changes caused by changes to the network configuration.
Adjacency matrix visualizations have been applied in other
domains, such as browsing web hyperlinks [22], viewing
networked information spaces [23], assessing project
requirements [24], and managing large software projects [25]. A
number of advantages of adjacency matrix visualizations pointed
out in previous work apply to attack graphs as well. Adjacency
matrices address the edge-clutter problem inherent in traditional
node-link graph visualizations, especially for larger, less secure
networks. They also place a strong emphasis on graph edges, in
this case, attacker exploits. This allows one to access at a glance
where network attacks are possible. With adjacency matrices,
groups of edges can be manipulated as a single unit, which is
particularly convenient for our matrix row/column ordering based
on IP addresses. They also avoid the typically expensive
computations associated with graph layout algorithms, which are
better suited to less dense graphs.
We also go beyond [19] by applying attack graph filtering as a
complementary approach to complexity management. Rather than
employing a general-purpose graph filter (e.g., [26]), we define
filtering constraints based on the network attack problem. We
arrange these constraints in novel forward and backward pointing
trees, which allow interactive constraint specification. In this
way, one can navigate constraints (which uniquely identify attack
graph elements), to interactively select sub-graphs of interest.
3 V
ISUALLY
C
LUSTERED
P
ROTECTION
D
OMAINS
We now show how visual clustering can reduce complexity and
improve cognitive flow for attack graphs using the protection
domain abstraction. Typically, the greatest cause of high attack
graph complexity is unrestricted connectivity (e.g., no firewall
filtering) among a set of machines. When such so-called
protection domains (attack graph cliques) are known, complexity
can be greatly reduced.
In the standard exploit dependency representation, attack graph
complexity is O(scn
2
), for n machines in the attack graph. Here, s
is the average number of exploits against a machine, independent
of any particular attacking machine, which might be in the range
of say one to 30. The factor c is the average number of security
conditions per machine, which in practice is perhaps one to five.
Employing the protection domain abstraction, complexity is
reduced to O(scm
2
), where m the number of machines that have
exploits launched across protection domains only. That is,
exploits among within-subnet machines are implicitly rather than
explicitly represented. Worst-case complexity is thus determined
by the number of machines m involved in across-subnet exploits
only. Clearly m < n in all cases, but for networks in which there is
significant connectivity limitation among protection domains
(e.g., via firewalls), it may be that m << n, resulting in dramatic
improvements in complexity. For example, for a 200-machine
protection domain, with a single exploitable vulnerability on each
machine, complexity is reduced from 200
2
= 40,000 to 200, a
reduction of 2 orders of magnitude.
Figure 1 shows an example low-level attack graph, in which no
aggregation of exploits and security conditions has been applied.
This attack graph was generated from a network model created
from Nessus [27] vulnerability scans, which includes the effects
of firewall filtering. In particular, 16 network machines are
distributed among four subnets, with firewall filtering among
subnets, and no filtering within subnets. The subnets thus each
define protection domains in our model.
Figure 2 shows the same attack graph as Figure 1, this time
applying the protection domain abstraction. Security conditions
for each machine are aggregated to a single vertex, as are sets of
exploits between each pair of machines. Each machine vertex is
labeled with the number of intra-domain exploits against it, and
within a protection domain all machines can execute those
exploits against each another. Starting and goal machines are
colored green and red, respectively.
In Figure 2, domain membership is indicated by graph edges
from machine to domain, as in [19]. In contrast, consider
Figure 3, in which protection domain membership is indicated by
visual clusters rather than graph edges. Graph complexity is
reduced by avoiding domain member ship edges, i.e., for n
machines there are n fewer edges. With the visual clusters, it is
much easier to see domain membership by not having to follow
graph edges to domain nodes.
Figure 1: Low-level attack graph.
Figure 2: Protection domain membership via graph edges.
Figure 3 includes another improvement over the visual
representation in [19], in the form of a redundancy reduction. In
particular, for instances in which the exploit set across a
protection domain matches the intra-domain exploits for the
victim machine, the exploit set is omitted, since it can be inferred
from the machine label.
The advantage of protection domain membership via visual
clustering is even more obvious as the number of exploits across
protection domains increases. In Figure 4, we change the firewall
filtering in the network model so that there are significantly more
exploits across protection domains. In comparison to Figure 2,
the complexity in Figure 4 has increased considerably.
Figure 5 indicates protection domain membership with visual
clusters as opposed to graph edges, for the same network as in
Figure 4. While complexity has increased considerably for
domain membership via graph edges, it has increased comparably
much less for membership via visual clusters (compare Figure 3
and Figure 5). Figure 6 shows protection domain visual clustering
applied to an even larger network, i.e., 75 machines in 5 subnets,
with a significant number of across-subnet exploits. For this
attack graph, the starting and goal machines are unspecified, and
machines without inter-domain exploits have been aggregated.
4 A
TTACK
G
RAPH
A
DJACENCY
M
ATRIX
V
ISUALIZATION
Despite the complexity reduction provided by protection
domain visual clusters, there are fundamental scalability problems
with drawing graphs directly (so-called node-link visualizations).
As larger graphs are drawn, edge clutter begins to dominate, and it
becomes increasingly difficult to trace edges and distinguish them
from one another.
Figure 3: Protection domain membership via visual clustering
(compare to Figure 2).
An alternative is to visualize the attack graph adjacency matrix.
There are several factors that can make attack graphs larger and
denser, so that adjacency matrices become more attractive. An
obvious factor is the size of the network under analysis. Our
society has become increasingly dependent on networked
computers, and the trend towards larger networks will continue.
For example, there are enterprises today consisting of tens of
thousands of machines. Also, less secure networks clearly have
larger attack graphs. There is a tendency for network
administrators to protect their domain borders, but to leave
machines in their domain relatively unsecured against each other.
This may result in attack subgraphs that are very densely or even
fully connected. Machines might each have several exploitable
vulnerabilities (we have seen cases of as many as 20 per
machine), and exploits are generally linked quadratically. When
considered across an enterprise, especially given global internet
connectivity, attack graphs are potentially huge.
Adjacency matrix visualization could be done for any level of
attack graph aggregation, by assigning individual matrix
rows/columns for any such aggregate nodes. In general,
adjacency matrix rows and columns can be put in arbitrary orders.
But orderings that tend to cluster graph nodes by common edges
are clearly desirable. We could then treat such clusters of
common connectivity as a single unit.
Figure 7 is the adjacency matrix A for the 75-machine attack
graph in Figure 6. Here, the matrix rows and columns are attacker
and victim machines, respectively. An element a
i,j
of A is true
(black) when machine i launches at least one exploit against
machine j in the attack graph, and is otherwise white. We sort the
rows and columns of A according to machine IP address.
From IP address ordering, machines in the same subnet appear
in consecutive rows and columns of the adjacency matrix. The
unrestricted connectivity within subnets (protection domains) thus
causes the fully-connected blocks of machines on the main
diagonal.
Figure 4: Protection domain membership via graph edges (additional inter-domain exploits).
Figure 5: Additional inter-domain exploits (compare to Figure 4).
In Figure 7, block A
i,j
of the adjacency matrix indicates exploits
launched from machines in Subnet i to machines in Subnet j.
There are a number of apparent features in the adjacency matrix.
For example, there are solid blocks of machines (3 in block A
1,2
,
and one each in blocks A
2,3
and A
3,2
) with consecutive ranges of
attacking/attacked IP addresses. In blocks A
1,4
, A
2,5
, and A
4,5
, IP
addresses are scattered rather than consecutive. In block A
4,1
,
machine x.x.4.12 attacks machine x.x.1.6.
Figure 7 also shows how multi-step attacks can be traced on the
adjacency matrix. As an example, it shows two possible multi-
step attacks against Subnet 5 (block A
5,5
), starting from Subnet 1
(A
1,1
). One attack follows the sequence A
1,1
, A
1,4
, A
4,4
, A
4,5
, A
5,5
.
The other attack follows the sequence A
1,1
, A
1,2
, A
2,2
, A
2,5
, A
5,5
.
The adjacency matrix visualization is particularly well suited to
showing differences between attack graphs. This is illustrated in
Figure 8 and Figure 9. Figure 8 shows a baseline attack graph,
before any changes have been made to the network configuration.
Other than the main-diagonal subnets, there are 2 other major
features. The vertical lines extend over all matrix rows,
representing vulnerable web servers scattered through the network
and accessible from all other machines. Also, there are
exploitable vulnerabilities from Subnet 2 to Subnet 3.
Figure 6: Protection domain membership via visual clusters (75-machine network).
Figure 7: Adjacency matrix visualization (75-machine network).
Figure 8: Baseline attack graph.
Figure 9: Attack graph differences.
Figure 9 is a difference matrix that represents a set of attack
graph changes from the baseline. Here, the vulnerable web
servers have been patched, thus removing the exploits against
them (indicated in yellow). Also, new vulnerabilities have been
introduced from Subnet 2 to Subnet 4, with the corresponding
new exploits marked in orange.
5 I
NTERACTIVE
A
TTACK
G
RAPH
F
ILTERING
A complementary approach to attack graph aggregation is to
allow the user to interactively filter the graph according to
selected criteria. We introduce a novel hierarchical organization
of attack graph filtering constraints (the constraint tree), which the
user can navigate via a tree widget.
This approach fulfills a user requirement of showing only an
attack subgraph of interest. For example, one may be comparing
the attack graph to actual exploits carried out on the network, step
by step, in support of penetration testing. Or, one may be
concerned only with the portion of the attack graph in the
neighborhood of detected intrusions. In this sense, our interactive
10 20 30 40 50 60 70
10
20
30
40
50
60
70
From
Subnet 1
From
Subnet 2
From
Subnet 3
From
Subnet 5
From
Subnet 4
To
Subnet 1
To
Subnet 2
To
Subnet 3
To
Subnet 5
To
Subnet 4
A
1,1
A
2,2
A
3,3
A
4,4
A
5,5
10 20 30 40 50 60 70
10
20
30
40
50
60
70
From
Subnet 1
From
Subnet 2
From
Subnet 3
From
Subnet 5
From
Subnet 4
To
Subnet 1
To
Subnet 2
To
Subnet 3
To
Subnet 5
To
Subnet 4
10 20 30 40 50 60 70
10
20
30
40
50
60
70
10 20 30 40 50 60 70
10
20
30
40
50
60
70
From
Subnet 1
From
Subnet 2
From
Subnet 3
From
Subnet 5
From
Subnet 4
To
Subnet 1
To
Subnet 2
To
Subnet 3
To
Subnet 5
To
Subnet 4
A
1,1
A
2,2
A
3,3
A
4,4
A
5,5
100 200 300 400 500 600 700
100
200
300
400
500
600
700
100 200 300 400 500 600 700
100
200
300
400
500
600
700
100 200 300 400 500 600 700
100
200
300
400
500
600
700
100 200 300 400 500 600 700
100
200
300
400
500
600
700
filtering provides focus, while the other visualizations (clustered
graphs and adjacency matrices) provide context.
In our approach, the smallest unit of attack graph constraint is a
pair of exploits linked by a common pre/post condition. Each
exploit in such a pair is parameterized by attacker and victim
machines. Since the exploits are linked by a common condition
(on a particular machine), the victim machine in the “from”
exploit is the attacker machine in the “to” exploit.
Figure 10 demonstrates our attack graph constraint approach.
The constraint tree is in the upper left panel. There are 6 levels in
the tree (from left to right):
1. Attacker machine in the “from” exploit
2. Victim machine in the “from” exploit
3. Specific “from” exploit between attacker and victim
4. Particular postcondition of “from” exploit
5. Victim machine in the “to” exploit
6. Specific “to” exploit to victim
To illustrate this, in Figure 10 the link from exploit
telnet(m12,m8)
to exploit
rpc_cmsd(m8,m10)
is circled, and
the corresponding nodes in the constraint tree are identified. Note
here that the attacker machine in the “from” exploit (Level 1
above) is clipped from view in the figure.
Traversing the tree from the root to a leaf uniquely identifies a
(forward-pointing) condition link between a pair of exploits. Non-
leaf nodes represent sets of links that meet the criteria up to that
level. In other words, a node’s children represent steps in the
attack graph that occur after it. Similarly, one can define a
backward oriented tree that represents links into rather than away
from a selected node.
In our approach, the constraint tree controls which portion of
the full attack is visible. That is, (right) clicking on a tree node
commits a constraint specification according to that node. Higher
(leftmost) nodes in the tree correspond to less specified
constraints, resulting in larger subsets displayed.
Figure 10: Attack graph constraints.
Figure 10 also includes a panel (lower right) for intrusion
detection events, which have navigational links to constraint tree
nodes. Left-clicking an intrusion detection event leads to the
corresponding “from” exploit in the constraint tree. From there,
for example, one could immediately right click to view all
possible exploits (against all possible machines) that directly
follow the intrusion event. Or one could navigate lower into the
tree, at each level specifying more specific constraints. Once the
desired level is reached, right-clicking commits the constraint
specification.
In Figure 10, the filtered attack graph is shown in the right
panel. The full-detail view is shown here, although in general this
panel starts with a higher level overview (such as protection
domains) with detail drilldown. In the figure, intrusion detection
events are highlighted red, and one-step attack responses are
highlighted in orange (remaining exploits are blue).
Additional navigational controls help the user efficiently
explore the attack graph. When a leaf node is reached (in which a
“to” exploit has been specified), ctrl-g brings focus to that part of
the tree in which that “to” exploit is now a “from” exploit. In this
way, the user can continue to grow the attack graph in either a
forward or backward direction, depending on whether the forward
or backward tree is being used. There are also navigational links
from the (filtered) attack graph itself back to the constraint tree,
i.e., to the point where the selected exploit is a “from” exploit.
We note that there is a very close correspondence between our
attack graph constraint tree and the adjacency matrix visualization
described earlier. In particular, sequences of selected points in the
adjacency matrix correspond to sequences of corresponding leaf
nodes in the constraint tree. In fact, these 2 interactive views can
be linked and used interchangeably. This brings all of the views
we have described into a coordinated set, each giving the user
different perspectives on the attack graph.
Figure 11 shows additional drilldown capabilities for our
approach. Beginning on the left, and continuing clockwise, one
starts at a higher-level aggregate view, e.g., machines and exploit
sets between them. Clicking on an exploit set moves to individual
exploit sets for each direction of attack between the 2 machines.
Figure 11: Attack graph drilldown.
Selecting one of the exploit sets in Figure 11 in shows all
exploits in the set, with all relevant conditions included in the
attack graph. Clicking an exploit shows its full set of
preconditions and postconditions. From there, one can query a
vulnerability database for details about specific conditions.
6 I
MPLEMENTATION
D
ETAILS
There are a number of key challenges in implementing the
techniques we describe here. These include (1) collecting and
managing data about networks and their vulnerabilities, (2)
building network attack models in terms of security conditions
and attacker exploits, (3) analyzing the models through simulated
attacks to produce attack graphs, (4) aggregating and filtering the
attack graphs, (5) drawing the graphs, and (7) providing
interactive controls for attack graph navigation.
Our implementation employs a layered architecture. Data
collection is handled in two (parallel) layers. Data about the
network is collected via vulnerability scanning tool(s) such as
Nessus [27]. Data about reported vulnerabilities in various
hardware and software components (e.g., Bugtraq [28] and many
others) is collected and maintained in a relational database. From
the vulnerability scanner data, network models are created
automatically. From the data on reported vulnerabilities, exploits
are modeled. Exploit modeling is generally done manually, for
assured accuracy, although when included as part of the standard
process for accessing reported vulnerabilities this usually takes
little extra effort.
Creation of attack graphs (from the network attack model) is
carried out by a custom intelligent analysis engine. This analysis
engine simulates incremental network penetration through the
application of modeled exploits against the network model.
Throughout analysis, the engine maintains the network security
state as it evolves under incremental attacker penetration, and
forms the attack graph by matching exploit preconditions and
postconditions.
In the aggregation/filtering layer, elements of the attack graph
are clustered according to machine, exploits between pairs of
machines, etc. Each cluster is in turn mapped to the original
subgraph it represents. To handle attack graph constraints, graph
edges are stored in hierarchical data structures that mirror the
forward and backward pointing constraint trees. Graph drawing is
performed via AT&T Graphviz [29]. The resulting graph images
are rendered, and embedded with interactive links from graph
clusters to their corresponding subgraphs. These results are all
web content, which can be shared with others who do not have the
tool themselves
Our attack graph generation and visualization technology has
been transitioned to a commercial product – Secure Element’s C5
Attack Predictor (C5 AP) [30]. C5 AP is designed for security
experts (e.g., penetration testers) who want to use predictive
modeling for non-invasive vulnerability analysis on client
networks, and includes daily updates on new vulnerabilities and
exploits.
7 S
UMMARY AND
C
ONCLUSIONS
In this paper, we have described a complementary collection of
coordinated views for network attack graphs. Each view provides
different perspectives, and the views can be linked to increase
their effectiveness. While most previous work has focused on
attack graph generation, we develop ways to visually analyze the
potentially very large graphs that may result.
We reduced the visual complexity for a previously described
attack graph representation based on the protection domain (attack
graph clique) abstraction. We showed how this visual
representation is particularly advantageous as the number of inter-
domain exploits increases.
We also described visualization of the attack graph adjacency
matrix, in which we took advantage of IP address ordering to help
cluster adjacency matrix rows and columns. We showed how the
adjacency matrix is ideal for highlighting the impact of network
configuration changes on the attack graph.
We introduced a novel interactive attack graph filtering
technique, based on a hierarchy of attack graph constraints. It
allows the user to interactively navigate the constraint hierarchy to
control the visible subset of the attack graph. We also link
intrusion detection events to the constraint tree, which allows
exploration of intrusion origin/impact.
The techniques we described apply to general attack graphs,
including ones based on network vulnerabilities and/or intrusion
detection alarms. They also apply to either fully unconstrained
graphs, or graphs constrained to by starting/goal conditions.
Overall, these techniques have quadratic worst-case complexity.
8 A
CKNOWLEDGEMENTS
We wish to thank John Monastra for introducing the idea of
attack graph filtering based on arbitrary user-defined constraints.
We also thank Robert Weierbach for his support, including
vulnerability data collection/analysis and exploit modeling. This
work was partially supported by the Air Force Research
Laboratory, Rome under the grant F30602-00-2-0512, the Army
Research Office under the grant DAAD19-03-1-0257, and the
National Science Foundation under the grants IIS-0430402 and
IIS-0242237.
R
EFERENCES
[1] C. Ramakrishnan, R. Sekar, “Model-Based Analysis of
Configuration Vulnerabilities,” in Proceedings of the 7th ACM
Conference on Computer and Communication Security, November
2000.
[2] R. Ritchey, P. Ammann, “Using Model Checking to Analyze
Network Vulnerabilities,” in Proceedings of the IEEE Symposium on
Security and Privacy, Oakland, CA, 2000.
[3] O. Sheyner, J. Haines, S. Jha, R. Lippmann, J. Wing, “Automated
Generation and Analysis of Attack Graphs,” in Proceedings of the
IEEE Symposium on Security and Privacy, Oakland, CA, 2002.
[4] R. Baldwin, Kuang: Rule Based Security Checking, Technical
Report, MIT Lab for Computer Science, May 1994.
[5] D. Zerkle, K. Levitt, “Netkuang – A Multi-Host Configuration
Vulnerability Checker,” in Proceedings of the 6th USENIX Unix
Security Symposium, San Jose, CA, 1996.
[6] C. Phillips, L. Swiler, “A Graph-Based System for Network-
Vulnerability Analysis,” in Proceedings of the New Security
Paradigms Workshop, Charlottesville, VA, 1998.
[7] J. Dawkins, C. Campbell, J. Hale, “Modeling Network Attacks:
Extending the Attack Tree Paradigm,” in Proceedings of the
Workshop on Statistical and Machine Learning Techniques in
Computer Intrusion Detection, Johns Hopkins University, June
2002.
[8] P. Ammann, D. Wijesekera, S. Kaushik, “Scalable, Graph-Based
Network Vulnerability Analysis,” in Proceedings of the 9th ACM
Conference on Computer and Communications Security,
Washington, DC, November 2002.
[9] S. Jajodia, S. Noel, B. O’Berry, “Topological Analysis of Network
Attack Vulnerability,” in Managing Cyber Threats: Issues,
Approaches and Challenges, V. Kumar, J. Srivastava, A. Lazarevic
(eds.), Kluwer Academic Publisher, 2005.
[10] F. Cuppens, A. Miege, “Alert Correlation in a Cooperative Intrusion
Detection Framework,” in Proceedings of the 2002 IEEE Symposium
on Security and Privacy, May 2002.
[11] P. Ning, D. Xu, C. Healey, R. St. Amant, “Building Attack Scenarios
through Integration of Complementary Alert Correlation Methods,”
in Proceedings of the 11th Annual Network and Distributed System
Security Symposium, February, 2004.
[12] S. Noel, E. Robertson, S. Jajodia, “Correlating Intrusion Events and
Building Attack Scenarios through Attack Graph Distances,” in
Proceedings of the 20th Annual Computer Security Applications
Conference, Tucson, Arizona, December 2004.
[13] K. Lakkaraju, W. Yurcik, A. Lee, “NVisionIP: NetFlow
Visualizations of System State for Security Situational Awareness,”
in Proceedings of the CCS Workshop on Visualization and Data
Mining for Computer Security, Fairfax, VA, October 2004.
[14] J. McPherson, K.–L. Ma, P. Krystosek, T. Bartoletti, M. Christensen,
“PortVis: A Tool for Port-Based Detection of Security Events,” in
Proceedings of the CCS Workshop on Visualization and Data
Mining for Computer Security, Fairfax, VA, October 2004.
[15] X. Yin, W. Yurcik, M. Treaster, Y. Li, K. Lakkaraju,
“VisFlowConnect: NetFlow Visualizations of Link Relationships for
Security Situational Awareness,” in Proceedings of the CCS
Workshop on Visualization and Data Mining for Computer Security,
Fairfax, VA, October 2004.
[16] S. Lau, “The Spinning Cube of Potential Doom,” Communications of
the ACM, 47(6), June 2004.
[17] S. Axelsson, “Combining A Bayesian Classifier with Visualization:
Understanding the IDS,” in Proceedings of the CCS Workshop on
Visualization and Data Mining for Computer Security, Fairfax, VA,
October 2004.
[18] “Secure Decisions,” web page, http://www.securedecisions.com/,
last accessed May 2005.
[19] S. Noel, S. Jajodia, “Managing Attack Graph Complexity through
Visual Hierarchical Aggregation,” in Proceedings of the CCS
Workshop on Visualization and Data Mining for Computer Security,
Fairfax, VA, October 2004
[20] P. Eades, Q.-W. Feng, “Multilevel Visualization of Clustered
Graphs,” in Proceedings of the Symposium on Graph Drawing,
September, 1996.
[21] M. Raitner, Maintaining Hierarchical Graph Views for Dynamic
Graphs, Technical Report, MIP-0403, University of Passau, January,
2004.
[22] C. Kunz, V. Botsch, “Visual Representation and Contextualization
of Search Results – List and Matrix Browser,” in Proceedings of the
International Conference on Dublin Core and Metadata for E-
Communities, Florence, Italy, 2002.
[23] J. Ziegler, C. Kunz, V. Botsch, J. Schneeberger, “Visualizing and
Exploring Large Networked Information Spaces with Matrix
Browser,” in Proceedings of the IEEE Conference on Information
Visualization, London, England, 2002.
[24] M. Graham, J. Kennedy, “Exploring and Examining Assessment
Data via a Matrix Visualisation,” in Proceedings of the Working
Conference on Advanced Visual Interfaces, Gallipoli, Italy, 2004.
[25] F. van Ham, “Using Multilevel Call Matrices in Large Software
Projects,” in Proceedings of the IEEE Symposium on Information
Visualization, Seattle, WA, 2003.
[26] E. Gansner, S. North, “An Open Graph Visualization System and Its
Applications to Software Engineering,” Software – Practice and
Experience, 30(11), 2000.
[27] “Nessus Open Source Vulnerability Scanner Project,” web page,
http://www.nessus.org/, last accessed July 2005.
[28] “Security Focus,” web page, http://www.securityfocus.com/bid, last
accessed July 2005.
[29] “Graphviz Graph Visualization Software,” web page,
http://www.graphviz.org/, last accessed July 2005
[30] “C5 Attack Predictor Overview,” web page, http://www.secure-
elements.com/products/c5ap/, last accessed July 2005.
... This is mainly due to the fact that real-world attack scenarios can be very complex. As a consequence, many of the attack graph models are too complex to be objectively evaluated by humans in a reasonable time [4,5,14,15,23]. However, efforts have been made to address this issue. ...
... Noel and Jajodia have proposed a technique to collapse attack graph elements through hierarchical aggregation so that attack graphs can be viewed and analysed at different abstraction levels [15]. In 2005, they described a filtering approach that allows the user to filter graph elements so that only the attack subgraphs of interest are shown [14]. Williams et al. represent attack graphs on the basis of treemaps (instead of classical node-link graphs), and they make use of spatial grouping and colour-coding to indicate the level of compromise [23]. ...
Chapter
Attack trees are an established concept in threat and risk analysis. They build the basis for numerous frameworks aiming to determine the risk of attack scenarios or to identify critical attacks or attack paths. However, existing frameworks do not provide systematic analyses on the asset-level like the probability of successful or near-successful attacks on specific assets. But these insights are important to enable decision-makers to make more informed decisions. Therefore, a generic approach is presented that extends classical attack tree approaches by asset-specific analyses. For this purpose, the attack steps in the attack trees are annotated with corresponding assets. This allows identifying the attack paths each asset is exposed to. In combination with the standard attack tree parameter “probability of attack success”, a set of complementary attack success and protection metrics can be applied on each step of the paths. Furthermore, an integrated visualisation scheme is proposed that illustrates the results in a comprehensible way so that decision-makers can intuitively understand what the metrics indicate. It also includes several features improving usability and scalability. As proof of concept, we have implemented a prototype of our proposed method.
... This design consists of different windows in which different projections or visualizations of the same data entity are displayed [37,164,268]. For comparative analysis, any comparison technique can be used separately in each coordinated view. ...
... Integrated-view visualisation frequently causes information overshadowing and confusion (Rosenholtz et al. 2005), which hinders information foraging, tracking and more complicated cognitive operations. Multiple-view, to some extent, can alleviate the cognitive load during object identification within the viewport, thus becoming a mainstream alternative for system designers from the domain of network attack monitoring (Noel et al. 2005), chemical reaction observation (Dasgupta, Kosara, and Gosink 2015) to web searching (Dörk et al. 2008;Hubmann-Haidvogel, Scharl, and Weichselbraun 2009). ...
Article
Full-text available
Multiple-view visualisation leads to additional switching cost on attention management between viewports. In this study, we compare the cueing effect of chromatic and achromatic colours on mitigating viewport switching cost in multiple-view visualisations through the dual-task paradigm. There is a concurrent need for managing attention within and between viewports, and performing a three single-digit mental addition task, which poses challenge for the capacity-limited working memory (WM). Response time and total fixation count support the benefit of chromatic colours in within-viewport attention management. First-pass progressive fixation time reveals that chromatic colours lead to better coherence within the viewport than achromatic colours, and there exist a correction process for attention misguidance in invalid cueing conditions. We employed re-visitation count and duration as direct measures of WM reinstatement. Fewer re-visitation count and shorter duration in the valid chromatic cueing condition indicate that more WM resources were freed up for the primary task, and reduced resources were depleted on overcoming the viewport switching cost. The positive role of valid chromatic colour cues become increasingly evident when more viewports presented simultaneously. The study provides eye movement evidence that chromatic cues can effectively lessen the switching cost on attention management in multiple-view visualisations. ARTICLE HISTORY
... Recent advances have enabled computing attack graphs for large and complex networks [9,10,26]. However, even when attack graphs can be efficiently computed, the resulting size and complexity of the graphs is still too large and complex for a human to fully comprehend [27,28]. Even for relatively small networks, produced attack graphs are still complex and difficult to understand and analyze for network administrators and security officers. ...
Article
Full-text available
Threat models and attack graphs have been used more than 20 years by enterprises and organizations for mapping the actions of potential adversaries, analyzing the effects of vulnerabilities and visualizing attack scenarios. Although efficient when describing high-level interactions in simpler enterprise networks, they fall short in modern decentralized systems, especially in microservices architectures and multi-cloud environments with increased complexity and interactions. Most current research focuses on automatically generating attach graphs for such complex environments and deals with scaling and mapping issues, while neglecting to address the overall complexity of actually analyzing and extracting useful information from these overly convoluted models. In this paper, we present a method for automatically analyzing complex attack graphs both in microservices-based and multi-cloud infrastructures. We piggyback on previous research to automatically create complex attack graphs for such enterprise networks and use it as input to relate microservices, virtual system states and cloud services (represented as graph nodes) with prioritization algorithms that use mathematical graph series and group clustering. Our tool prioritizes existing vulnerabilities, analyzes the effect of system states to the overall network and proposes which system states, vulnerabilities and configurations have the biggest overall risk to the ecosystem, while taking into consideration every potential sub-attack path and subliminal path on an attack graph. We test the efficiency of our software on two real-world use cases: one multi-cloud enterprise network and a NetFlixOSS microservices Docker architecture.
Article
Full-text available
Interdependent systems confront rapidly growing cybersecurity threats. This paper delves into the realm of security decision-making within these complex interdependent systems. We design a resource allocation framework to improve the security of interdependent systems managed by a single defender. Our framework models these systems and their potential attack vulnerabilities using the notion of attack graphs. We propose four defense mechanisms, incorporating a popular network analysis algorithm called PageRank which is used to identify the importance of different critical assets in the system. These mechanisms stem from existing graph theories widely used in graphical models (including Adjacent Nodes, In-degree Nodes, Min-Cut Edges, and Markov Blanket). We adopt the PageRank algorithm to extract useful information about the attack graphs we use. Our approaches show low sensitivity to the number of concurrent attacks launched over interdependent systems. We evaluate our decision-making framework via ten attack graphs, which include multiple real-world interdependent systems. We quantify the level of security improvement under our defense methods compared to four well-known resource allocation algorithms and other proposed approaches. Our proposed framework leads to better resource allocations compared to these algorithms in most test cases. According to our results and statistical tests, our defense resource allocation framework enhances security decision-making under various circumstances. Moreover, We release the full implementation of our framework for the research community to leverage it and build on it with new methods and datasets.
Conference Paper
The use of gamified learning platforms as a method of introducing cyber security education, training and awareness has risen greatly. With this rise, the availability of platforms to create, host or otherwise provide the challenges that make up the foundation of this education has also increased. In order to identify the best of these platforms, we need a method to compare their feature sets. In this paper, we compare related work on identifying the best platforms for a gamified cyber security learning platform as well as contemporary literature that describes the most needed feature sets for an ideal platform. We then use this to develop a metric for comparing these platforms, before then applying this metric to popular current platforms.
Article
Full-text available
We describe a package of practical tools and libraries for manipulating graphs and their drawings. Our design, which is aimed at facilitating the combination of the package components with other tools, includes stream and event interfaces for graph operations, high-quality static and dynamic layout algorithms, and the ability to handle sizeable graphs. We conclude with a description of the applications of this package to a variety of software engineering tools. Copyright (C) 2000 John Wiley & Sons, Ltd.
Chapter
Full-text available
To understand overall vulnerability to network attack, one must consider attacker exploits not just in isolation, but also in combination. That is, one must analyze how low-level vulnerabilities can be combined to achieve high-level attack goals. In this chapter, we describe a tool that implements an integrated, topological approach to network vulnerability analysis. Our Topological Vulnerability Analysis (TVA) tool automates the labor-intensive type of analysis usually performed by penetration-testing experts. It is ideal for inexpensive what-if analyses of the impact of various network configurations on overall network security. The TVA tool includes modeling of network security conditions and attack techniques (exploits), automatic population of models via the Nessus vulnerability scanner, and analysis of exploit sequences (attack paths) leading to specific attack goals. Moreover, the tool generates a graph of dependencies among exploits that represents all possible attack paths without having to enumerate them. This representation enables highly scalable methods of vulnerability analysis, such as computing network configurations that guarantee the security of given network resources. Finally, this chapter describes some of the open technical challenges for the TVA approach.
Conference Paper
Full-text available
Several alert correlation methods were proposed in the past several years to construct high-level attack scenarios from low-level intrusion alerts reported by intrusion de-tection systems (IDSs). These correlation methods have different strengths and limitations; none of them clearly dominate the others. However, all of these methods de-pend heavily on the underlying IDSs, and perform poorly when the IDSs miss critical attacks. In order to improve the performance of intrusion alert correlation and reduce the impact of missed attacks, this paper presents a se-ries of techniques to integrate two complementary types of alert correlation methods: (1) those based on the sim-ilarity between alert attributes, and (2) those based on prerequisites and consequences of attacks. In particular, this paper presents techniques to hypothesize and reason about attacks possibly missed by IDSs based on the indi-rect causal relationship between intrusion alerts and the constraints they must satisfy. This paper also discusses additional techniques to validate the hypothesized attacks through raw audit data and to consolidate the hypothe-sized attacks to generate concise attack scenarios. The ex-perimental results in this paper demonstrate the potential of these techniques in building high-level attack scenarios and reasoning about possibly missed attacks.
Conference Paper
Full-text available
Even well administered networks are vulnerable to attack. Recent work in network security has focused on the fact that combinations of exploits are the typical means by which an attacker breaks into a network. Researchers have proposed a variety of graph-based algorithms to generate attack trees (or graphs). Either structure represents all possible sequences of exploits, where any given exploit can take advantage of the penetration achieved by prior exploits in its chain, and the final exploit in the chain achieves the attacker's goal. The most recent approach in this line of work uses a modified version of the model checker NuSMV as a powerful inference engine for chaining together network exploits, compactly representing attack graphs, and identifying minimal sets of exploits. However, it is also well known that model checkers suffer from scalability problems, and there is good reason to doubt whether a model checker can handle directly a realistic set of exploits for even a modest-sized network. In this paper, we revisit the idea of attack graphs themselves, and argue that they represent more information explicitly than is necessary for the analyst. Instead, we propose a more compact and scalable representation. Although we show that it is possible to produce attack trees from our representation, we argue that more useful information can be produced, for larger networks, while bypassing the attack tree step. Our approach relies on an explicit assumption of monotonicity, which, in essence, states that the precondition of a given exploit is never invalidated by the successful application of another exploit. In other words, the attacker never needs to backtrack. The assumption reduces the complexity of the analysis problem from exponential to polynomial, thereby bringing even very large networks within reach of analysis
Conference Paper
Full-text available
This paper presents a new approach for visualizing and exploring large networked information structures which may represent, for instance, linked information resources or metadata structures such as ontologies. An interactive matrix display is used for showing relations between concepts and concept hierarchies displayed along the two axes of a matrix. The new approach also focuses on the engineering process to create these information networks. Initial user testing shows performance advantages as well as reduced visual search in comparison to conventional graph representations.
Conference Paper
Full-text available
We present a visualization design to enhance the ability of an administrator to detect and investigate anomalous traffic between a local network and external domains. Central to the design is a parallel axes view which displays NetFlow records as links between two machines or domains while employing a variety of visual cues to assist the user. We describe several filtering options that can be employed to hide uninteresting or innocuous traffic such that the user can focus his or her attention on the more unusual network flows. This design is implemented in the form of VisFlowConnect, a prototype application which we used to study the effectiveness of our visualization approach. Using VisFlowConnect, we were able to discover a variety of interesting network traffic patterns. Some of these were harmless, normal behavior, but some were malicious attacks against machines on the network.
Conference Paper
Full-text available
The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analyst's situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.