Chapter

An Interactive Attack Graph Cascade and Reachability Display


Abstract

Attack graphs for large enterprise networks improve security by revealing critical paths used by adversaries to capture network assets. Even with simplification, current attack graph displays are complex and difficult to relate to the underlying physical networks. We have developed a new interactive tool intended to provide a simplified and more intuitive understanding of key weaknesses discovered by attack graph analysis. Separate treemaps are used to display host groups in each subnet and hosts within each treemap are grouped based on reachability, attacker privilege level, and prerequisites. Users position subnets themselves to reflect their own intuitive grasp of network topology. Users can also single-step the attack graph to successively add edges that cascade to show how attackers progress through a network and learn what vulnerabilities or trust relationships allow critical steps. Finally, an integrated reachability display demonstrates how filtering devices affect host-to-host network reachability and influence attacker actions. This display scales to networks with thousands of hosts and many subnets. Rapid interactivity has been achieved because of an efficient C++ computation engine (a program named NetSPA) that performs attack graph and reachability computations, while a Java application manages the display and user interface.
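The abstract above rests on two mechanisms: NetSPA's Multiple-Prerequisite graph (state, prerequisite and vulnerability-instance nodes, as the MsAMS excerpt further down also summarises) and a single-step cascade that adds edges as the attacker progresses, with the hosts of each subnet grouped by reachability and privilege level for the treemaps. The Python below is an added example written for this page, not NetSPA or GARNET code: it builds a small MP graph over constructed hosts, filtering rules, credentials and vulnerabilities, single-steps the cascade, and produces the per-subnet grouping a treemap would display. Host names, port numbers, the privilege levels "user"/"root" and the rule that credentials become readable at root are all assumptions.

```python
"""Toy Multiple-Prerequisite (MP) attack-graph engine with a single-step cascade.
Added illustration, not NetSPA/GARNET code: state, prerequisite and vulnerability
nodes follow the text; all hosts, rules and vulnerabilities are constructed."""
from collections import defaultdict
from typing import NamedTuple

LEVELS = {"none": 0, "user": 1, "root": 2}  # privilege names are assumptions

class Vuln(NamedTuple):
    vid: str
    host: str
    port: int             # service port the exploit is delivered to
    grants: str           # privilege level obtained on success
    needs_cred: str = ""  # "" = plain remote exploit, else a credential prerequisite

# --- constructed sample network: host -> subnet ---------------------------------
SUBNET_OF = {"dmz-web": "dmz", "int-db": "internal", "int-files": "internal",
             "int-ws": "internal", "int-hr": "internal", "ops-jump": "ops"}
# (src_subnet, dst_subnet) -> ports let through; hosts of one subnet reach each other fully.
FILTER = {("outside", "dmz"): {80, 25}, ("dmz", "internal"): {5432},
          ("internal", "dmz"): {80, 25, 22}}
CREDS_ON = {"dmz-web": {"db-password"}, "int-files": {"ws-admin"}}  # readable at root
VULNS = [
    Vuln("v1", "dmz-web", 80, "root"),
    Vuln("v2", "int-db", 5432, "user", "db-password"),  # trust relationship, not a bug
    Vuln("v3", "int-files", 445, "root"),
    Vuln("v4", "int-ws", 22, "root", "ws-admin"),
    Vuln("v5", "int-hr", 3389, "root", "hr-admin"),      # nobody holds hr-admin
    Vuln("v6", "ops-jump", 22, "root"),                  # no filtering rule leads into "ops"
]

def reachable(src_subnet, dst_host, port):
    dst_subnet = SUBNET_OF[dst_host]
    return src_subnet == dst_subnet or port in FILTER.get((src_subnet, dst_subnet), set())

def build_mp_graph(vulns):
    """Return (succ, required): OR-edges out of every node and the AND-set of
    prerequisites each vulnerability instance needs. Node encodings:
    ("state", host, level), ("reach", host, port), ("cred", name), ("vuln", id)."""
    succ, required = defaultdict(set), {}
    for v in vulns:
        vnode, reach = ("vuln", v.vid), ("reach", v.host, v.port)
        required[vnode] = {reach}
        succ[reach].add(vnode)
        if v.needs_cred:
            required[vnode].add(("cred", v.needs_cred))
            succ[("cred", v.needs_cred)].add(vnode)
        succ[vnode].add(("state", v.host, v.grants))  # exploit -> new attacker state
    # A state node yields reachability at any level and, at root, the host's credentials.
    for host in list(SUBNET_OF) + ["outside"]:
        src_subnet = SUBNET_OF.get(host, "outside")
        for level in ("user", "root"):
            snode = ("state", host, level)
            succ[snode].update(("reach", v.host, v.port) for v in vulns
                               if v.host != host and reachable(src_subnet, v.host, v.port))
            if level == "root":
                succ[snode].update(("cred", c) for c in CREDS_ON.get(host, ()))
    return succ, required

def cascade(succ, required, start):
    """Single-step the graph: steps[i] lists the edges added in step i."""
    have, frontier, steps = {start}, [start], []
    while frontier:
        added, next_frontier = [], []
        for node in frontier:
            for nxt in sorted(succ.get(node, ())):
                if nxt in have:
                    continue
                if nxt[0] == "vuln":
                    if not required[nxt] <= have:
                        continue  # AND node: another prerequisite is still missing
                    added.extend((p, nxt) for p in sorted(required[nxt]))
                else:
                    added.append((node, nxt))
                have.add(nxt)
                next_frontier.append(nxt)
        if added:
            steps.append(added)
        frontier = next_frontier
    return steps, have

def group_hosts(have):
    """Treemap-style grouping: subnet -> best privilege (or reachable/unreachable) -> hosts."""
    best = {h: "none" for h in SUBNET_OF}
    for kind, host, *rest in have:
        if kind == "state" and host in best and LEVELS[rest[0]] > LEVELS[best[host]]:
            best[host] = rest[0]
    reach_hosts = {n[1] for n in have if n[0] == "reach"}
    groups = defaultdict(lambda: defaultdict(list))
    for host, level in sorted(best.items()):
        key = level if level != "none" else ("reachable" if host in reach_hosts else "unreachable")
        groups[SUBNET_OF[host]][key].append(host)
    return {s: dict(g) for s, g in groups.items()}

if __name__ == "__main__":
    steps, have = cascade(*build_mp_graph(VULNS), ("state", "outside", "root"))
    print(len(steps), "steps;", group_hosts(have))
```

Running the module prints the step count and the grouping. The credential-gated exploits (v2, v4) fire only once both of their prerequisite nodes are present, which is the AND semantics of a vulnerability-instance node, whereas int-hr ends up reachable but uncompromised and ops-jump unreachable, because no filtering rule leads into its subnet from any host the attacker holds.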


... Instead, our approach proposes a solution for aggregating and exploring the complete attack graph, without making any restrictive assumption on it. Williams et al. [13] extended NetSPA by proposing GARNET, a treemap-based visualization that reflects physical or logical topology and allows for displaying node reachability and evaluating the actual situation by interacting with the system. Chu et al. [14] proposed NAVIGATOR as an improvement to GARNET. ...
... Let us note that the AG may change across the time, due to changes [10-24] in the set of vulnerabilities in the monitored system or changes in the network. Thus, the module must be able to adapt to the evolving situation by taking into account new AGs without the need to restart the entire computation. ...
... In order to estimate the progress, the engine uses some similarity [10-24] metrics widely used in the domain of string recognition and text mining. The basic idea is to represent each AP as a reference string. ...
Article
Software vulnerabilities represent one of the main weaknesses of an Information Technology (IT) system w.r.t. cyber attacks, and nowadays consolidated official data, like the Common Vulnerabilities and Exposures (CVE) dictionary, provide precise and reliable details about them. This information, together with the identification of priority systems to defend, allows for inspecting the network structure and the most probable paths an attacker is likely to follow to reach sensitive resources, with the main goal of identifying suitable mitigation actions that reduce the risk of an attack. Some of these mitigation actions can be applied without further delay; others, instead, imply a high operational impact on the organization's business that makes their usage convenient only when an attack is really under way. Dealing with this issue is particularly challenging in the context of critical infrastructure where, even if patches are available, organization mission constraints create obstacles to their straightforward application. In this scenario, security operators are forced to deal with known vulnerabilities that cannot be patched and they spend a noticeable effort in proactive analysis, devising countermeasures that can mitigate the effect of a possible attack. This paper presents a Multi-step cyber Attack Detection (MAD) Visual Analytics solution aiming at assisting security operators in improving their network security by analyzing the possible attacks and identifying suitable mitigations. Moreover, during an attack, the system visually presents the security operator with the relevant pieces of information allowing a better comprehension of the attack status and its probable evolution, in order to make decisions on the possible countermeasures.
... However, attack graphs are too large and complex to be understood and interpreted by security administrators. To address this problem various approaches have been introduced in [17, 26-29]. These approaches try to improve the visualization of an attack graph through abstraction [17], data reduction [25], and user interaction [29]. ...
... There are approaches to reduce the complexity of attack graphs [17, 25-29]. These approaches try to improve the visualization of attack graphs through abstraction, data reduction, hierarchical aggregation and user interaction. ...
... For example, an employee might switch between working with his laptop in the office and at home, but in either case he is subject to the rules of the network, which allow access to some resources only from within the office environment. To the best of our knowledge, models which represent a snapshot of a network, such as Attack Graphs [14, 1, 15, 23, 32, 20, 25, 31, 34], are unable to deal with all these dynamic aspects. We address these dynamic issues by proposing MsAMS, a framework for modelling and simulation of network attacks, the design of which draws heavily on Cardelli's work on Mobile Ambients [5, 6] and formal biology [4], and on Milner's work on bigraphs [21]. ...
... In our approach the Ambient firewall appears once in the graph but contains two filtering rules at its boundary, as happens in reality. The NetSPA tool [14, 34] uses a so-called Multiple-Prerequisite (MP) graph to represent (i) state, i.e. the attacker's level of access on a host, (ii) prerequisite, i.e. reachability or a credential needed for exploiting a vulnerability, and (iii) vulnerability instance. Prerequisites allow the exploitation of vulnerabilities, and when the attacker reaches a vulnerability, a change in the attacker state occurs. ...
Conference Paper
Attackers take advantage of any security breach to penetrate an organisation's perimeter and exploit hosts as stepping stones to reach valuable assets deeper in the network. The exploitation of hosts is possible not only when vulnerabilities in commercial off-the-shelf (COTS) software components are present, but also, for example, when an attacker acquires a credential on one host which allows exploiting further hosts on the network. Finding attacks involving the latter case requires the ability to represent dynamic models. In fact, more dynamic aspects are present in the network domain, such as attackers accumulating resources (i.e. credentials) along an attack, and users and assets moving from one environment to another, although always constrained by the rules of the network. In this paper we address these dynamic issues by presenting MsAMS (Multi-step Attack Modelling and Simulation), an implemented framework, based on Mobile Ambients, to discover attacks in networks. The idea of ambients fits naturally into this domain and has the advantage of providing flexibility for modelling. Additionally, the concept of mobility allows the simulation of attackers exploiting opportunities derived either from the exploitation of vulnerable hosts or from non-vulnerable hosts, through the acquisition of credentials. It also allows expressing security policies embedded in the rules of the ambients.
... Since pure reachability is a rather weak security measure, we extend the edges with a weight of how likely it is that they will be vulnerable to an attack. This results in a kind of attack graph [31, 32, 33]. The audit of security configurations using these attack graphs is concerned about the impact of security group rules with regard to services security, and is based on the previously presented reachability analysis. ...
... Visualization of reachability, attack graphs, and attack paths is very important for administrators in order to effectively leverage these tools and apply the obtained results for improving the security of the network. Sample work in the visualization of attack graphs can be found in [33, 32]. ...
Conference Paper
Cloud computing has gained remarkable popularity in recent years with a wide spectrum of consumers, ranging from small start-ups to governments. However, its benefits in terms of flexibility, scalability, and low upfront investment are shadowed by security challenges which inhibit its adoption. Managed through a web-services interface, users can configure highly flexible but complex cloud computing environments. Furthermore, misconfiguration of such cloud services by users poses a severe security risk that can lead to security incidents, e.g., erroneous exposure of services due to faulty network security configurations. In this article we present a novel approach to the security assessment of the end-user configuration of multi-tier architectures deployed on infrastructure clouds such as Amazon EC2. In order to perform this assessment for the currently deployed configuration, we automated the process of extracting the configuration using the Amazon API. In the assessment we focused on the reachability and vulnerability of services in the virtual infrastructure, and presented a way for the visualization and automated analysis based on reachability and attack graphs. We proposed a query and policy language for the analysis which can be used to obtain insights into the configuration and to specify desired and undesired configurations. We have implemented the security assessment in a prototype and evaluated it for practical scenarios. Our approach effectively allows today's security concerns to be remediated through validation of the configurations of complex cloud infrastructures.
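The assessment described above hinges on deriving host-to-host reachability from the end-user configuration, here security-group ingress rules, and then querying it against desired and undesired configurations. The Python below is an added example, not the authors' prototype or their query language: it models EC2-style ingress rules (a port range plus either a CIDR or a source group id), computes a reachability matrix for a constructed three-tier deployment and checks a handful of tier-level policies against it, with a weak security-group set beside a corrected one. Group ids, addresses, ports and the policy format are all assumptions.

```python
"""Reachability analysis over EC2-style security groups, plus a policy check.
Added example, not the paper's prototype. Rule shapes mimic security-group
ingress (port range + a CIDR or a source group id); all groups, instances,
ports and policies below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    from_port: int
    to_port: int
    source: str  # CIDR such as "10.0.1.0/24" or "0.0.0.0/0", or a group id "sg-..."


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tier: str
    groups: frozenset


def rule_matches(rule: Rule, src: Instance, port: int) -> bool:
    if not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):  # group source: matched by membership, not address
        return rule.source in src.groups
    return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source, strict=False)


def reachable(sgs: Dict[str, List[Rule]], src: Instance, dst: Instance, port: int) -> bool:
    """Security groups are allow-lists: one matching ingress rule on any of the
    destination's groups is enough for the flow to be permitted."""
    return any(rule_matches(r, src, port) for g in dst.groups for r in sgs.get(g, ()))


def reachability_matrix(sgs, instances, ports) -> Set[Tuple[str, str, int]]:
    return {(s.name, d.name, p) for s in instances for d in instances
            if s.name != d.name for p in ports if reachable(sgs, s, d, p)}


@dataclass(frozen=True)
class Policy:
    src_tier: str
    dst_tier: str
    port: int      # 0 = every analysed port (only meaningful with allowed=False)
    allowed: bool  # True: the flow must exist; False: the flow must not exist


def check_policies(sgs, instances, ports, policies) -> List[str]:
    """Return one message per (src, dst, port) flow that contradicts a policy."""
    matrix = reachability_matrix(sgs, instances, ports)
    violations = []
    for pol in policies:
        for s in instances:
            for d in instances:
                if s.name == d.name or s.tier != pol.src_tier or d.tier != pol.dst_tier:
                    continue
                for p in ports:
                    if pol.port and p != pol.port:
                        continue
                    if ((s.name, d.name, p) in matrix) != pol.allowed:
                        verdict = "required but unreachable" if pol.allowed else "reachable but forbidden"
                        violations.append(f"{s.name} -> {d.name}:{p} {verdict}")
    return violations


# --- constructed sample deployment ---------------------------------------------
INTERNET = Instance("internet", "203.0.113.7", "internet", frozenset())  # any external client
WEB1 = Instance("web1", "10.0.1.10", "web", frozenset({"sg-web"}))
APP1 = Instance("app1", "10.0.2.10", "app", frozenset({"sg-app"}))
DB1 = Instance("db1", "10.0.3.10", "db", frozenset({"sg-db"}))
INSTANCES = [INTERNET, WEB1, APP1, DB1]
PORTS = [22, 80, 443, 3306, 8080]

WEAK_SGS = {
    "sg-web": [Rule(80, 80, "0.0.0.0/0"), Rule(443, 443, "0.0.0.0/0")],
    "sg-app": [Rule(8080, 8080, "sg-web")],
    "sg-db": [Rule(3306, 3306, "sg-app"),
              Rule(3306, 3306, "0.0.0.0/0"),  # left over from troubleshooting
              Rule(22, 22, "10.0.0.0/16")],   # SSH from the whole VPC range
}
FIXED_SGS = {
    "sg-web": WEAK_SGS["sg-web"],
    "sg-app": WEAK_SGS["sg-app"],
    "sg-db": [Rule(3306, 3306, "sg-app"),
              Rule(22, 22, "10.0.9.0/24")],   # assumed bastion subnet
}
POLICIES = [
    Policy("internet", "db", 0, False),
    Policy("internet", "app", 0, False),
    Policy("web", "db", 0, False),
    Policy("web", "app", 8080, True),
    Policy("app", "db", 3306, True),
]

if __name__ == "__main__":
    for label, sgs in (("weak", WEAK_SGS), ("fixed", FIXED_SGS)):
        print(label, check_policies(sgs, INSTANCES, PORTS, POLICIES) or ["no violations"])
```

A source written as a security group matches instances by membership rather than by address, so a host that merely lands in the VPC range does not inherit the flow; the weak configuration also shows that the single 0.0.0.0/0 rule on the database group exposes it not only to the Internet but laterally to the web tier, which is why the forbidden web-to-db policy fires three times before the fix and not at all after it.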
... This is mainly due to the fact that real-world attack scenarios can be very complex. As a consequence, many of the attack graph models are too complex to be objectively evaluated by humans in a reasonable time [4,5,14,15,23]. However, efforts have been made to address this issue. ...
... In 2005, they described a filtering approach that allows the user to filter graph elements so that only the attack subgraphs of interest are shown [14]. Williams et al. represent attack graphs on the basis of treemaps (instead of classical node-link graphs), and they make use of spatial grouping and colour-coding to indicate the level of compromise [23]. Furthermore, they automatically group hosts with similar levels of compromise. ...
Chapter
Attack trees are an established concept in threat and risk analysis. They build the basis for numerous frameworks aiming to determine the risk of attack scenarios or to identify critical attacks or attack paths. However, existing frameworks do not provide systematic analyses on the asset-level like the probability of successful or near-successful attacks on specific assets. But these insights are important to enable decision-makers to make more informed decisions. Therefore, a generic approach is presented that extends classical attack tree approaches by asset-specific analyses. For this purpose, the attack steps in the attack trees are annotated with corresponding assets. This allows identifying the attack paths each asset is exposed to. In combination with the standard attack tree parameter “probability of attack success”, a set of complementary attack success and protection metrics can be applied on each step of the paths. Furthermore, an integrated visualisation scheme is proposed that illustrates the results in a comprehensible way so that decision-makers can intuitively understand what the metrics indicate. It also includes several features improving usability and scalability. As proof of concept, we have implemented a prototype of our proposed method.
... This is mainly due to the fact that real-world attack scenarios can be very complex. As a consequence, many of the attack graph models are too complex to be objectively evaluated by humans in a reasonable time [3,4,11,12,18]. However, efforts have been made to address this issue. ...
... In 2005, they described a filtering approach that allows the user to filter graph elements so that only the attack subgraphs of interest are shown [11]. Williams et al. represent attack graphs on the basis of treemaps (instead of classical node-link graphs), and they make use of spatial grouping and colour-coding to indicate the level of compromise [18]. Furthermore, they automatically group hosts with similar levels of compromise. ...
Conference Paper
Attack trees are an established concept in threat and risk analysis. They build the basis for numerous frameworks aiming to determine the risk of attack scenarios or to identify critical attacks or attack paths. However, existing frameworks do not provide systematic analyses on the asset level, like the probability of (un)successful attacks per asset. But these insights are important to enable decision-makers to make more informed decisions. Therefore, a generic approach is presented that extends classical attack tree approaches by asset-specific analyses. For this purpose, the attack steps in the attack trees are annotated with corresponding assets. This allows identifying the attack paths each asset is exposed to. In combination with the standard attack tree parameter "probability of attack success", a set of complementary attack success and protection metrics can be applied on each step of the paths. Furthermore, an integrated visualisation scheme is proposed that illustrates the results in a comprehensible way so that decision-makers can intuitively understand what the metrics indicate. It also includes several features improving usability and scalability. As a proof of concept, we have implemented a prototype of our proposed method.
... et al. [27] present an efficient computation engine that generates attack graphs step-by-step and provides an interactive opportunity to trace the attacker's path. The computation module is written in C++ for speed while the visualization module is implemented in Java. ...
... In that case it is the budget that decides the measures that serve to preserve the higher-priority security properties. During the dynamic analysis the recommendations are based on the amount of information gathered and processed until the analysis started, as in [27]. Usually it is the identification of the attack path towards an attacker's goal and the recommendation of the measure to thwart that effort with qualified results. ...
Article
Attack graphs have been used to model the vulnerabilities of systems and their potential exploits. The successful exploits leading to the partial or total failure of the systems are a subject of keen security interest. Considerable effort has been expended in exhaustive modeling, analyses, detection, and mitigation of attacks. One prominent methodology involves constructing attack graphs of the pertinent system for analysis and response strategies. This not only gives a simplified representation of the system, but also allows prioritizing the security properties whose violations are of greater concern, for both detection and repair. We present a survey and critical study of state-of-the-art technologies in attack graph generation and use in security systems. Based on our research, we identify the potential, challenges, and direction of the current research in using attack graphs.
... Post-processing of attack graphs. In order to make AGs more usable, two ranking algorithms were designed for reducing complexity [23,31], visualization techniques were applied to improve understandability [20,13], an incremental algorithm was designed for improving adaptability [30], and a number of systems and tools were developed, such as NetSPA [16], CAULDRON [17], MulVAL [26]. Our work does not focus on the specific generation of AGs or system-level vulnerabilities; it rather slightly modifies the dependency AG as a design basis of our holistic approach. ...
... • Taking into account the significance of network assets, the metrics in Table 3 were specified as Confidentiality (100), Privilege escalation (50), DoS (30), Integrity loss (20), and Public embarrassment (10). ...
Article
The increasing complexity of today's computer systems, together with the rapid emergence of novel vulnerabilities, makes security hardening a formidable challenge for security administrators. Although a large variety of tools and techniques are available for vulnerability analysis, the majority work at system or network level without explicit association with human and organizational factors. This article presents a middleware approach to bridge the gap between system-level vulnerabilities and organization-level security metrics, ultimately contributing to cost-benefit security hardening. In particular, our approach systematically integrates attack graphs, a commonly used and effective approach to representing and analyzing network vulnerabilities, with Hidden Markov Models (HMM), for exploring the probabilistic relation between system observations and states. More specifically, we modify and apply a dependency attack graph to represent network assets and vulnerabilities (observations), which are then fed to the HMM for estimating attack states, whereas their transitions are driven by a set of predefined cost factors associated with potential attacks and countermeasures. A heuristic search algorithm is employed to automatically infer the optimal security hardening through cost-benefit analysis. We use a synthetic network scenario to illustrate our approach and evaluate its performance through a set of simulations.
... Recent advances have enabled computing attack graphs for networks with thousands of machines [4, 6]. Even when attack graphs can be efficiently computed, the resulting size and complexity of the graphs is still too large for a human to fully comprehend [9, 10, 11]. While a user will quickly understand that attackers can penetrate the network, it is essentially impossible to know which privileges and vulnerabilities are the most important to the attackers' success. ...
... It has been recognized that the complexity of attack graphs often prevents them from being useful in practice and methodologies have been proposed to better visualize them [9, 10, 11, 22]. The ranks computed by our algorithm could be used in combination with the techniques in those works to help further the visualization process, for example by coloring the visualization based on the computed ranks. ...
Conference Paper
Attack graphs have been proposed as useful tools for analyzing security vulnerabilities in network systems. Even when they are produced efficiently, the size and complexity of attack graphs often prevent a human from fully comprehending the information conveyed. A distillation of this overwhelming amount of information is crucial to aid network administrators in efficiently allocating scarce human and financial resources. This paper introduces AssetRank, a generalization of Google's PageRank algorithm which ranks web pages in web graphs. AssetRank addresses the unique semantics of dependency attack graphs and incorporates vulnerability data from public databases to compute metrics for the graph ver-
... Noel, et al. suggested that complexity can be reduced through the use of protection domains to represent groups of machines with unrestricted interconnectivity [36, 37]. Lippmann, et al. proposed new visualization approaches to emphasize critical attack steps while clearly showing host-to-host reachability [58]. My work benefits from and builds upon results shown in most previous attack graph simplification works. ...
... However, these attack steps are not useful for a human to grasp the core security problem. [Figure 2.5: Energy Management Network - Attack Graph (Inter-subnet Trimming)] Second, if the subnet does not contain the goal machine, the transition is useful only if B would provide an attacker with access to another subnet that would be deemed useful according to the subnet dominator tree, and even then only if that same access is not available from A. In the attack graph shown in Figure 2.3, the transition from the file server to the workstation is useless, since the workstation would not provide an attacker with new, useful access; however, the transition from the file server to the citrix server is useful, since, from the citrix server, an attacker could access the EMS subnet. [Figure 2: attack graph fragment for commServer; node labels include execCode(commServer,root), RULE 3 (remote exploit of a server program), netAccess(commServer,iccpProtocol,iccpPort), networkServiceInfo(commServer,iccpService,iccpProtocol,iccpPort,root), vulExists(commServer,iccpVulnerability,iccpService,remoteExploit,privEscalation), RULE 6 (multi-hop access) and hacl(dataHistorian,commServer,iccpProtocol,iccpPort)] Related works have introduced new visualization techniques for attack graphs [16, 37, 58]. Many of these techniques could be productively applied to the trimmed attack graph. ...
Article
Enterprise network security management is a vitally important task, more so now than ever before. Networks grow ever larger and more complex, and corporations, universities, government agencies, etc. rely heavily on the availability of these networks. Security in enterprise networks is constantly threatened by thousands of known software vulnerabilities, with thousands more discovered annually in a wide variety of applications. An overwhelming amount of data is relevant to the ongoing protection of an enterprise network. Previous works have addressed the identification of vulnerabilities in a given network and the aggregated collection of these vulnerabilities in an attack graph, clearly showing how an attacker might gain access to or control over network resources. These works, however, do little to address how to evaluate or properly utilize this information. I have developed a comprehensive approach to enterprise network security management. Compared with previous methods, my approach realizes these issues as a uniform desire for provable mitigation of risk within an enterprise network. Attack graph simplification is used to improve user comprehension of the graph data and to enable more efficient use of the data in risk assessment. A sound and effective quantification of risk within the network produces values that can form a basis for valuation policies necessary for the application of a SAT solving technique. SAT solving resolves policy conflicts and produces an optimal reconfiguration, based on the provided values, which can be verified by a knowledgeable human user for accuracy and applicability within the context of the enterprise network. Empirical study shows the effectiveness and efficiency of these approaches, and also indicates promising directions for improvements to be explored in future works. Overall, this research comprises an important step toward a more automated security management initiative. 
Doctoral dissertation (Doctor of Philosophy), Department of Computing and Information Sciences. Xinming (Simon) Ou.
... Williams et al. [49] presented an interactive tool for simplified tracing of the attackers' paths and an intuitive understanding of the attack graph based on the underlying network topology. Their solution was based on NetSPA for graph generation and a Java application for its visualization. ...
Article
Cybersecurity research demands continuous monitoring of the dynamic threat landscape to detect novel attacks. Researchers and security professionals often deploy honeypot networks to intercept and examine real attack data. However, due to the volume and variety of the collected data, it is very challenging for security analysts to investigate the attacks, compare their characteristics and infer their potential connections. To this end, we propose a novel graph-based cyberattack model for storing, analyzing, and visualizing honeynet-captured attacks as the main contribution of our work. Our model enables attack graph analysis and presents the attack data analogous to the Cyber Kill Chain framework to enable intuitive visualizations. We construct the attack graph by decomposing the intercepted attacks into a set of unique entities (represented as nodes) and actions (represented as edges) and merge them into a global attack graph. We develop a user-centric, interactive attack analysis and visualization tool that leverages the proposed model to aid the heuristic cyberattack investigation. We describe the design and technical implementation of the developed model and visual-interactive tool in detail. Finally, we demonstrate the developed tools and validate the model in an analysis of real-world attack data captured on our own distributed honeypot platform. We use the attack model and (sub)graph visualizations to depict attack topologies, identify recurring attackers, and quantify detected malware types. We also leverage graph data science algorithms to uncover and rank malware distribution networks, reveal hidden links between the attackers, and cluster the attack entities to identify potential botnets.
... In particular, the works in [15,16,28,30] use treemaps [36] for visualizing security data and events; however, none of these works copes with vulnerabilities, and our work does not use the classic treemap paradigm [7] but proposes a novel ensemble approach with a modified treemap bar chart, allowing elements to be dynamically prioritized for analysis, maintaining the right aspect ratio and supporting comparisons among elements. Some other works have sparse information on vulnerabilities, e.g., the work in [46] that allows for a basic grouping of nodes with similar vulnerabilities. ...
Article
Vulnerabilities represent one of the main weaknesses of IT systems and the availability of consolidated official data, like CVE (Common Vulnerabilities and Exposures), allows for using them to compute the paths an attacker is likely to follow. However, even if patches are available, business constraints or lack of resources create obstacles to their straightforward application. As a consequence, the security manager of a network needs to deal with a large number of vulnerabilities, making decisions on how to cope with them. This paper presents VULNUS (VULNerabilities visUal aSsessment), a visual analytics solution for dynamically inspecting the vulnerabilities spread on networks, allowing for a quick understanding of the network status and visually classifying nodes according to their vulnerabilities. Moreover, VULNUS computes the approximated optimal sequence of patches able to eliminate all the attack paths and allows for exploring sub-optimal patching strategies, simulating the effect of removing one or more vulnerabilities. VULNUS has been evaluated by domain experts using a lab-test experiment, investigating the effectiveness and efficiency of the proposed solution.
... In addition, it also provides some type of attack graph display. However, due to the abstract nature of attack graphs, the display becomes unmanageable, which has proven to be a practical weakness in creating an effective display [3]. ...
... In [29], a representation of attack graphs is proposed that projects the results of attack modelling onto the physical topology of the network. Each subnet is shown as a treemap whose nested rectangles stand for hosts; colour encodes different host attributes, and size is proportional to the number of compromised hosts in the subnet (Fig. ...
Article
To monitor and assess the security state of an information system, the data arriving from various security sensors must be continuously tracked and analysed. In most cases these data are in text form, so various visualization techniques are used for their analysis. This paper reviews the main ways of graphically presenting data for revealing suspicious activity in an information system, detecting anomalies in network traffic, and analysing network security.
... While this approach efficiently simplifies the attack tree, it is based on the hypothesis that all of the attacker's goals have been properly identified, which might be a strong assumption in some cases. GARNET [18] extends this work by proposing another graph subsystem based on treemaps that reflects physical or logical topology and allows reachability display and evaluation through interactions. NAVIGATOR [2] has been proposed as an improvement to GARNET. ...
Conference Paper
Situational awareness is a key concept in cyber-defence. Its goal is to make the user aware of different and complex aspects of the network he or she is monitoring. This paper proposes PERCIVAL, a novel visual analytics environment that contributes to situational awareness by allowing the user to understand the network security status and to monitor security events that are happening on the system. The proposed visualization allows for comparing the proactive security analysis with the actual attack progress, providing insights on the effectiveness of the mitigation actions the system has triggered against the attack and giving an overview of the possible attack's evolution. Moreover, the same visualization can be fruitfully used in the proactive analysis since it allows for getting details on computed attack paths and evaluating the mitigation actions that have been proactively computed by the system. A preliminary user study provided a positive feedback on the prototype implementation of the system. A video of the system is available at: https://youtu.be/uMpYCJCX95k.
... Williams et al. [92], [93] introduce a visual tool to provide a simplified and more intuitive understanding of attack graph analysis. They merged a treemap visualization with a node-link graph layout. ...
Article
Network and service management encompasses a set of activities, methods, procedures, and tools, whose ultimate goal is to guarantee the proper functioning of a networked system. Computational tools are essential to help network administrators in their daily tasks, and information visualization techniques are of great value in such context. In essence, information visualization techniques associated to visual analytics aim at facilitating the tasks of network administrators in the process of monitoring and maintaining the network health. This paper surveys the use of information visualization techniques as a tool to support the network and service management process. Through a systematic literature review (SLR), we provide a historical overview and discuss the current state of the art in the field. We present a classification of 285 articles and papers from 1985 to 2013, according to an information visualization taxonomy, as well as a network and service management taxonomy. Finally, we point out future research directions and opportunities regarding the use of information visualization in network and service management.
... Consequently, the explosion in the attack-graph's size could yield high risk metrics, often misleading the system administrator's judgment. While one could post-process the graph and remove such redundancy, like in previous works [69, 103], I believe a better approach is to pre-process the input to attack-graph generation so that such redundancy is removed by abstracting the network model, instead of the attack graph. There are a number of benefits of abstracting the network model: ...
... Even with simplification, current attack graph displays are complex and difficult to relate to the underlying physical networks. [32] proposes a new interactive tool intended to provide a simplified and more intuitive understanding of key weaknesses discovered by attack graph analysis. Separate treemaps are used to display host groups in each subnet, and hosts within each treemap are grouped based on reachability, attacker privilege level, and prerequisites. ...
Conference Paper
Vulnerability reconciliation is the process that analyses the output produced by one or more vulnerability scanners and provides a more succinct and high-level view of vulnerabilities and their overall impact on the network. Here the attack graph method is used for predicting the various ways of penetrating a network to reach its critical assets. In particular, automated analysis of network configuration and attacker exploits provides an attack graph showing all possible paths to critical assets. The aim is to implement a reconciliation engine for identifying the various critical vulnerabilities and a metric system for identifying the overall impact of the vulnerabilities in that network. The reconciliation process is done by analysing the results obtained from different vulnerability scanners and combining them. As part of this, vulnerability tools from commercial off-the-shelf (COTS), government off-the-shelf (GOTS), and research laboratory sources were selected. The automatic extraction of vulnerability information for attack graph prediction is analysed. Vulnerability information describes what is required for a vulnerability to be exploited and what the after-effects of that exploitation are. A data structure is analysed which is able to represent the pre- and post-conditions of each vulnerability. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system design. We would be finding a metric value for denoting the overall vulnerability of the network after analysing critical vulnerabilities.
... However, although scalability is no longer the main issue, there are three other areas where improvement is still needed: 1) Attack graphs are still difficult to understand by people since they do not fully represent the network topology needed to relate attack paths identified in the graph to the network itself, and to support decisions about countermeasures. Approaches to this problem rely on Aggregation [13], [14] or Clusterization [15] of graph nodes, but these approaches still suffer from the problem that firewalls are only used for calculation of reachability and not clearly represented in the graph. Therefore, if several firewalls are traversed by an attacker it may be difficult, e.g., to identify which ones should be changed. ...
Conference Paper
Abstract—Attack Graphs are an important support for assessment and subsequent improvement of network security. They reveal possible paths an attacker can take to break through security perimeters and traverse a network to reach valuable assets deep inside the network. Although scalability is no longer the main issue, Attack Graphs still have some problems that make them less useful in practice. First, Attack Graphs remain difficult to relate to the network topology. Second, Attack Graphs traditionally only consider the exploitation of vulnerable hosts. Third, Attack Graphs do not rely on automatic identification of potential attack targets. We address these gaps in our MsAMS (Multi-step Attack Modelling and Simulation) tool, based on Mobile Ambients. The tool not only allows the modelling of more static aspects of the network, such as the network topology, but also the dynamics of network attacks. In addition to Mobile Ambients, we use the PageRank algorithm to determine targets and hub scores produced by the HITS (Hypertext Induced Topic Search) algorithm to guide the simulation of an attacker searching for targets. Index Terms—Network Security, Vulnerability Assessment, Attack Modelling, PageRank, HITS.
... Attack graph research has generally focused on efficiency, rather than visualization methods. The approach in [11] visualizes single-step attacks and reachability only. Attack graph visualization capabilities in commercial tools remain limited [12][13]. ...
Conference Paper
Full-text available
This paper describes a software system that provides significant new capabilities for visualization and analysis of network attack graphs produced through Topological Vulnerability Analysis (TVA). The TVA approach draws on a database of known exploits and system vulnerabilities to provide a connected graph representing possible cyber-attack paths within a given network. Our visualization approach builds on the extensive functionality of the yWorks suite of graphing tools, providing customized new capabilities for importing, displaying, and interacting with large scale attack graphs, to facilitate comprehensive network security analysis. These visualization capabilities include clustering of attack graph elements for reducing visual complexity, a hierarchical dictionary of attack graph elements, high-level overview with detail drilldown, interactive on-graph hardening of attacker exploits, and interactive graph layouts. This new visualization system is an integrated component of the CAULDRON attack graph tool developed at George Mason University.
Article
Full-text available
As the importance of defending against cyber attacks has increased, various studies have been conducted to analyze and utilize the reachability between hosts. Although this approach effectively explains asset-based threat responses by security personnel, it is limited as a means of strategic judgment by top decision makers considering the tasks of an organization in a large-scale network environment. The purpose of this study is to develop a method for simplifying the characteristics of the attack paths of a large number of hosts by projecting them to a higher-level organization and aiding in visualizing the impacts of threats. To achieve this, a methodology is presented that supports both strategic judgment by top decision makers, considering the tasks of lower-level organizational units, and asset-based responses. This is accomplished by analyzing asset-based impacts through the generation of a Multi-Step Reachability Matrix (MRM2) and the multi-threat synthesis of low-level threat diffusion paths at the asset level, while gradually abstracting the transition information of the corresponding threats to the higher-level organization. In this paper, the diffusion process is modeled through the connectivity between hosts, and it is expected that this approach will contribute to the development of a decision support model that meets the needs of both upper- and lower-level decision makers. This is achieved by reflecting a variety of factors that influence attack and defense. These factors include the importance of the organization’s mission or business to each asset, the criticality of the system function to which the asset belongs, the dependencies between assets, and the unique characteristics of the asset, including vulnerabilities, exploitation conditions, cyber resilience, and lifecycle costs.
Article
Full-text available
Many communication standards have been proposed recently and more are being developed as a vision for dynamically composable and interoperable medical equipment. However, few have security systems that are sufficiently extensive or flexible to meet current and future safety requirements. This paper aims to analyze the cybersecurity of the Integrated Clinical Environment (ICE) through the investigation of its attack graph and the application of artificial intelligence techniques that can efficiently demonstrate the subsystems’ vulnerabilities. Attack graphs are widely used for assessing network security. On the other hand, they are typically too huge and sophisticated for security administrators to comprehend and evaluate. Therefore, this paper presents a Q-learning-based attack graph analysis approach in which an attack graph that is generated for the Integrated Clinical Environment system resembles the environment, and the agent is assumed to be the attacker. Q-learning can aid in determining the best route that the attacker can take in order to damage the system as much as possible with the least number of actions. Numeric values will be assigned to the attack graph to better determine the most vulnerable part of the system and suggest this analysis to be further utilized for bigger graphs.
Article
Full-text available
Cyberspace is full of uncertainty in terms of advanced and sophisticated cyber threats which are equipped with novel approaches to learn the system and propagate themselves, such as AI-powered threats. To debilitate these types of threats, a modern and intelligent Cyber Situation Awareness (SA) system needs to be developed which has the ability of monitoring and capturing various types of threats, analyzing, and devising a plan to avoid further attacks. This paper provides a comprehensive study on the current state-of-the-art in the cyber SA to discuss the following aspects of SA: key design principles, framework, classifications, data collection, analysis of the techniques, and evaluation methods. Lastly, we highlight misconceptions, insights, and limitations of this study and suggest some future work directions to address the limitations.
Article
The complexity of IoT based networks and an exponential increase in new vulnerabilities has increased the demand for security assessment strategies manifold. Attack graphs or Penetration layouts play a paramount role to harden and analyze such complex networks. As the size of the network grows, administrators may find it difficult to comprehend penetration layout. In this article, we present a methodology to bridge the gap between large networks and penetration layouts leading to a strategy that automatically generates, optimizes, and improves visualization of penetration layout in large networks. More specifically, we take the network model as input to the designed simulator which analyzes the network and generates the penetration layout. Additionally, we have designed an algorithm to optimize the size of the penetration layout at various levels. This will also improve the visualization of the graph. We designed a simulator that uses a real-time network blueprint to visualize and analyze the effect and performance of the proposed approach. The results show that there is a lossless reduction in the size of penetration layout by 99.95% for the example real-time network.
Article
Full-text available
Threat models and attack graphs have been used for more than 20 years by enterprises and organizations for mapping the actions of potential adversaries, analyzing the effects of vulnerabilities and visualizing attack scenarios. Although efficient when describing high-level interactions in simpler enterprise networks, they fall short in modern decentralized systems, especially in microservices architectures and multi-cloud environments with increased complexity and interactions. Most current research focuses on automatically generating attack graphs for such complex environments and deals with scaling and mapping issues, while neglecting to address the overall complexity of actually analyzing and extracting useful information from these overly convoluted models. In this paper, we present a method for automatically analyzing complex attack graphs both in microservices-based and multi-cloud infrastructures. We piggyback on previous research to automatically create complex attack graphs for such enterprise networks and use them as input to relate microservices, virtual system states and cloud services (represented as graph nodes) with prioritization algorithms that use mathematical graph series and group clustering. Our tool prioritizes existing vulnerabilities, analyzes the effect of system states on the overall network and proposes which system states, vulnerabilities and configurations have the biggest overall risk to the ecosystem, while taking into consideration every potential sub-attack path and subliminal path on an attack graph. We test the efficiency of our software on two real-world use cases: one multi-cloud enterprise network and a NetFlixOSS microservices Docker architecture.
Article
Full-text available
With the increasing size and complexity of next-generation communication networks, it is critical to utilize interactive visualizations to support the monitoring, planning, and management of networks. Effectively visualizing large-scale networks is difficult with traditional methods because of the high link density and complex node relationships. Given the limited screen space, to assist Internet Service Provider’s (ISP) network planning and management activities, investigating how to present ultra-large-scale network data efficiently is crucial. This paper presents a real-time interactive visualization system that combines the design strategies of progressive disclosure and multiple panels to elegantly visualize the large-scale networks and avoid the information-overload problem. The system also visualizes the configuration of the network elements and provides the network performance information, including the port-level Quality of Service (QoS) metrics. Furthermore, the system enables navigation through the port-level connection and provides different modes for multiple purposes.
Conference Paper
Full-text available
The paper proposes an approach for visualization of access control systems based on triangular matrices. The approach is used for visualization of an access control security model based on the RBAC and Take-Grant methods. In comparison with regular access matrices, the sparseness of triangular matrices is lower, and the approach is able to visualize nesting at the level of rights. The paper outlines a new triangular visualization model, its interpretation, management methods, and the results of experiments on visualization of an access control system in an IT company.
Chapter
Full-text available
There is a line of research extending over the last 20+ years applying graph-based methods for assessing and improving the security of operational computer networks, maintaining situational awareness, and assuring organizational missions. This chapter reviews a number of key developments in these areas, and places them within the context of a number of complementary dimensions. These dimensions are oriented to the requirements of operational security, to help guide practitioners towards matching their use cases with existing technical approaches. One dimension we consider is the phase of security operations (prevention, detection, and reaction) to which an approach applies. Another dimension is the operational layer (network infrastructure, security posture, cyberspace threats, mission dependencies) that an approach spans. We also examine the mathematical underpinnings of the various approaches as they apply to security requirements. Finally, we describe architectural aspects of various approaches, especially as they contribute to scalability and performance.
Conference Paper
As a model of vulnerability information, the attack graph has seen successes in many automated analyses for defending computer networks against potential intrusions. On the other hand, the attack graph has long been criticized for its lack of scalability when serving as a visualization model for conveying vulnerability information to human analysts. In this paper, we propose two novel approaches to improving attack graph visualization. First, we employ recent advances in network security metrics to design metric-driven visualization techniques, which render the most critical information the most visible. Second, existing techniques usually aim at a one-size-fits-all solution, which actually renders them less effective for specific applications, and hence we propose to design application-specific visualization solutions for network overview and situational awareness. We discuss the models, algorithms, implementation, and simulation results.
Conference Paper
Sophisticated cyber-attacks have become prominent with the growth of the Internet and web technology. Such attacks are multi-stage ones, and correlate vulnerabilities on intermediate hosts to compromise an otherwise well-protected critical resource. Conventional security assessment approaches can leave out some complex scenarios generated by these attacks. In the literature, these correlated attacks have been modeled using attack graphs. Although a few attack graph-based network security assessment tools are available, they are either commercial products or developed using proprietary databases. In this paper, we develop a customized tool, NetSecuritas, which implements a novel heuristic-based attack graph generation algorithm and integrates different phases of network security assessment. NetSecuritas leverages open-source libraries, tools and publicly available databases. A cost-driven mitigation strategy has also been proposed to generate network security recommendations. Experimental results establish the efficacy of both attack graph generation and mitigation approach.
Conference Paper
Visualization is the essential part of Security Information and Event Management (SIEM) systems. The paper suggests a common framework for SIEM visualization which allows incorporating different visualization technologies and extending easily the application functionality. To illustrate the framework, we developed a SIEM visualization component VisSecAnalyzer. The paper demonstrates its possibilities for the tasks of attack modeling and security assessment. To increase the efficiency of the visualization techniques we applied the principles of the human information perception and interaction.
Conference Paper
In the current scenario, even well-administered enterprise networks are extremely susceptible to sophisticated multi-stage cyber attacks. These attacks combine multiple network vulnerabilities and use the causal relationships between them in order to get incremental access to enterprise critical resources. Detection of such multi-stage attacks is beyond the capability of present-day vulnerability scanners. These correlated “multi-host, multi-stage” attacks are potentially much more harmful than single-point, isolated attacks. Security researchers have proposed an Attack Graph-based approach to detect such correlated attack scenarios. The attack graph is a security analysis tool used extensively in a networked environment to automate the process of evaluating a network’s susceptibility to “multi-host, multi-stage” attacks. In the last decade, a lot of research has been done in the area of attack graph generation, visualization and analysis. Despite significant progress, there are still issues and challenges before the security community that need to be addressed. In this paper, we have tried to identify current issues and important avenues of research in the area of attack graph generation, visualization and analysis.
Article
Purpose – This paper aims to propose a comprehensive model to find out the most preventive subset of security controls against potential security attacks inside a limited budget. Deploying the appropriate collection of information security controls, especially in information system-dependent organizations, ensures their businesses' continuity along with their effectiveness and efficiency. Design/methodology/approach – Impacts of security attacks are measured based on an interdependent asset structure. Regarding this objective, the asset operational dependency graph is mapped to the security attack graph to assess the risks of attacks. This mapping enables us to measure the effectiveness of security controls against attacks. The most effective subset is found by mapping its features (cost and effectiveness) to items’ features in a binary knapsack problem, and then solving the problem by a modified version of the classic dynamic programming algorithm. Findings – Exact solutions are achieved using the dynamic programming algorithm approach in the proposed model. The optimal security control subset is selected based on its implementation cost, its effectiveness and the limited budget. Research limitations/implications – Estimation of control effectiveness is the most significant limitation of the proposed model's utilization. This is caused by a lack of experience in risk management in organizations, which forces them to rely on reports and simulation results. Originality/value – So far, cost-benefit approaches in security investments have been followed only based on vulnerability assessment results. Moreover, dependency weights and types in the interdependent structure of assets have been taken into account by a limited number of models. In the proposed model, a three-dimensional graph is used to capture the dependencies in risk assessment and optimal control subset selection, through a holistic approach.
Article
Full-text available
As the number of information assets and their vulnerabilities increases, it becomes more difficult for network security administrators to assess the security vulnerability of their systems and networks. There are several research efforts on vulnerability analysis based on a quantitative approach. However, most of them are based on experts' subjective evaluation or require a lot of manual input for deriving quantitative assessment results. In this paper, we propose HRMS (Hacking and Response Measurement System) for enumerating attack paths using automated vulnerability measurement. HRMS can estimate the exploitability of systems or applications based on their known vulnerability assessment metric, and enumerate attack paths even though system, network and application information is not fully given for vulnerability assessment. With this proposed method, system administrators can do proactive security vulnerability assessment.
Conference Paper
The paper proposes the architecture of the visualization component for the Security Information and Event Management (SIEM) system. The SIEM systems help to comprehend large amounts of the security data. Visualization is the essential part of the SIEM systems. The suggested architecture of the visualization component allows incorporating different visualization technologies and extending easily the application functionality. To illustrate the approach, we developed the prototype of the SIEM visualization component. The paper demonstrates the graphical user interface of the attack modeling component. To increase the efficiency of the visualization techniques we applied principles of the human information perception and interaction issues when designing graphical components.
Article
This paper presents the current state of the art on attack and defense modeling approaches that are based on directed acyclic graphs (DAGs). DAGs allow for a hierarchical decomposition of complex scenarios into simple, easily understandable and quantifiable actions. Methods based on threat trees and Bayesian networks are two well-known approaches to security modeling. However there exist more than 30 DAG-based methodologies, each having different features and goals. The objective of this survey is to present a complete overview of graphical attack and defense modeling techniques based on DAGs. This consists of summarizing the existing methodologies, comparing their features and proposing a taxonomy of the described formalisms. This article also supports the selection of an adequate modeling technique depending on user requirements.
Article
To cope with the large amount of data in current sensed environments, decision aid tools should provide their understanding of situations in a time-efficient manner, so there is an increasing need for real-time network security situation awareness and threat assessment. In this study, a state transition model of vulnerability in the network based on a semi-Markov process is proposed first. Once events are triggered by an attacker's action or system response, the current states of the vulnerabilities are known. Then we calculate the transition probabilities of the vulnerability from the current state to the security failure state. Furthermore, in order to improve the accuracy of our algorithms, we adjust the probabilities that attackers exploit the vulnerability according to the attacker's skill level. In the light of the preconditions and post-conditions of vulnerabilities in the network, an attack graph is built to visualize the security situation in real time. Subsequently, we predict attack paths, recognize attack intention and estimate the impact through analysis of the attack graph. These help administrators gain insight into intrusion steps, determine the security state and assess threats. Finally, testing in a network shows that this method is reasonable and feasible, and can undertake tremendous analysis tasks to facilitate administrators' work.
Article
Attack graphs provide a comprehensive overview of attack vectors. Unfortunately, their complexity dramatically increases as the number of hosts in a network grows. For realistic networks, the human eye cannot discern the state of a network without tracing individual attack paths. In order to combat this complexity, we discuss and implement mitigation techniques and the use of collaborative multi-touch environments for an intuitive, natural approach to visual analytics.
Conference Paper
Full-text available
Network administrators must rely on labour-intensive processes for tracking network configurations and vulnerabilities, which require a lot of expertise and are error prone. Organizational network vulnerabilities and interdependencies are so complex that traditional vulnerability analysis becomes inadequate. Decision support capabilities let analysts make tradeoffs between security and optimum availability, and indicate how best to apply limited security resources. Recent work in network security has focused on the fact that a combination of exploits is the typical way in which the invader breaks into the network. Researchers have proposed various algorithms to generate graph-based attack trees (or graphs). In this paper, we present a framework, architecture and approach to vulnerability analysis.
I. INTRODUCTION
While we cannot predict the origin and timing of attacks, we can reduce their impact by knowing the possible attack paths through our networks. Reliance on manual processes and mental models is inadequate. Automated tools are needed for analysing and visualizing vulnerability dependencies and attack paths, for understanding overall security posture [1]. Attack graphs are constructed by starting an adversary at a given network location and, using information about the network topology and host vulnerabilities, examining how the attacker can progressively compromise vulnerable hosts that are reachable from already compromised hosts. Vulnerability scanners and analyses of filtering performed by firewalls and routers are used to obtain information about host vulnerabilities and to determine host-to-host reachability in a network. Almost all approaches have a method of generating recommendations to patch critical vulnerabilities or make firewalls more restrictive. In addition, most of the existing implementations provide some type of attack graph display.
However, the abstract nature of attack graphs has proven to be a serious practical weakness in creating an effective display [2]. Recently, in order to analyse the vulnerabilities in a network of hosts, many methods have been proposed. One significant method is attack graph analysis [1,2,3]. The attack graph depicts the attack paths of a potential attacker, for a
Article
Full-text available
This project delivers an approach for visualization, correlation, and prediction of potentially large and complex attack graphs. These attack graphs show multi-step cyber attacks against networks, based on system vulnerabilities, network connectivity, and potential attacker exploits. We introduce a new paradigm for attack graph analysis that augments the traditional graph-centric view, based on graph adjacency matrices. In our approach, the analysis includes all known network attack paths, while still keeping complexity manageable. It supports pre-attack network hardening, correlation of detected attack events, and attack origin/impact prediction for post-attack responses. The goal of this system is to transform large quantities of network security data into actionable intelligence. The utility of organizing combinations of network attacks as graphs is well established. Traditionally, such attack graphs have been formed manually by security red teams (penetration testers). We have demonstrated the capability for computational generation of attack graphs, rather than relying on manual creation. This approach is based on models of network security conditions and potential attacker exploits. Because of vulnerability interdependencies across networks, a topological attack graph approach is needed, especially for proactive defense against insidious multi-step attacks. The traditional approach that treats network data and events in isolation, without the context provided by attack graphs, is clearly insufficient.
Conference Paper
Full-text available
A significant challenge in evaluating network security stems from the scale of modern enterprise networks and the vast number of vulnerabilities regularly found in software applications. A common technique to deal with this complexity is attack graphs, where a tool automatically computes all possible ways a system can be broken into by analyzing the configuration of each host, the network, and the discovered vulnerabilities. Past work has proposed methodologies that post-process “raw” attack graphs so that the result can be abstracted and becomes easier for a human user to grasp. We notice that, while visualization is a major problem caused by the multitude of attack paths in an attack graph, a more severe problem is the distorted risk picture it renders to both human users and quantitative vulnerability assessment models. We propose that abstraction be done before attack graphs are computed, instead of after. This way we can prevent the distortion in quantitative vulnerability assessment metrics, at the same time improving visualization as well. We developed an abstract network model generator that, given reachability and configuration information of a network, provides an abstracted model with much more succinct information about the system than the raw model. The model is generated by grouping hosts based on their network reachability and vulnerability information, as well as grouping vulnerabilities with similar exploitability. We show that the attack graphs generated from this type of abstracted inputs are not only much smaller, but also provide more realistic quantitative vulnerability metrics for the whole system. We conducted experiments on both synthesized and production systems to demonstrate the effectiveness of our approach.
Conference Paper
Various tools exist to analyze enterprise network systems and to produce attack graphs detailing how attackers might penetrate into the system. These attack graphs, however, are often complex and difficult to comprehend fully, and a human user may find it problematic to reach appropriate configuration decisions. This paper presents methodologies that can 1) automatically identify portions of an attack graph that do not help a user to understand the core security problems and so can be trimmed, and 2) automatically group similar attack steps as virtual nodes in a model of the network topology, to immediately increase the understandability of the data. We believe both methods are important steps toward improving visualization of attack graphs to make them more useful in configuration management for large enterprise networks. We implemented our methods using one of the existing attack-graph toolkits. Initial experimentation shows that the proposed approaches can 1) significantly reduce the complexity of attack graphs by trimming a large portion of the graph that is not needed for a user to understand the security problem, and 2) significantly increase the accessibility and understandability of the data presented in the attack graph by clearly showing, within a generated visualization of the network topology, the number and type of potential attacks to which each host is exposed.
Conference Paper
Attack graphs enable computation of important network security metrics by revealing potential attack paths an adversary could use to gain control of network assets. This paper presents GARNET (Graphical Attack graph and Reachability Network Evaluation Tool), an interactive visualization tool that facilitates attack graph analysis. It provides a simplified view of critical steps that can be taken by an attacker and of host-to-host network reachability that enables these exploits. It allows users to perform "what-if" experiments including adding new zero-day attacks, following recommendations to patch software vulnerabilities, and changing the attacker starting location to analyze external and internal attackers. Users can also compute and view metrics of assets captured versus attacker effort to compare the security of complex networks. For adversaries with three skill levels, it is possible to create graphs of assets captured versus attacker steps and the number of unique exploits required. GARNET is implemented as a Java application and is built on top of an existing C++ engine that performs reachability and attack graph computations. An initial round of user evaluations described in this paper led to many changes that significantly enhance usability.
Article
An important aspect of IT security governance is the proactive and continuous identification of possible attacks in computer networks. This is complicated due to the complexity and size of networks, and due to the fact that usually network attacks are performed in several steps. This thesis proposes an approach called MsAMS (Multi-step Attack Modelling and Simulation), demonstrated by a proof-of-concept tool, to automatically find such multi-step attacks. The novelty of MsAMS is the fact that it applies Mobile Ambients and Combinatorial Optimization, more specifically Heuristic Search, to the domain of multi-step network attacks. A variant of ambient calculus is used to model networks, and heuristic search is used to simulate attackers searching for possible attacks in the modelled network. Additionally, and in support to these two aspects, MsAMS uses algorithms from the domain of Link Analysis Ranking, traditionally applied to the domain of Web search. Mobile Ambients allow us to fully represent the hierarchical topology of a network as part of the network model itself. This is essential to relate insights gained from the model to the real network. Furthermore, we can represent dynamics of attacks such as credential theft, which increases the spectrum of possibilities available for attackers since it allows considering non-vulnerable as well as vulnerable hosts as attack steps. Optimization allows managing the complexity of the problem of finding multi-step attacks involving credentials without compromising the scalability of the approach for practical use.
Therefore, the MsAMS approach comprises: (i) a formal representation of the solution which allows its automatic computation, in our case, the representation of an attack step in a notation based on Mobile Ambients, (ii) a search engine which implements a heuristic method for composing attack steps into multi-step attacks, and (iii) fitness functions used by the search engine for the selection of attack steps among alternatives, according to automatically computed metrics. Similar to search engines that use the structure of the World Wide Web to score webpages, the MsAMS approach proposes the use of the structure of a network to score network assets. In particular, MsAMS uses PageRank and HITS ranking schemes as sources of scalable metrics to: 1. assign asset value automatically to all ambients represented in the network, based on network connectivity rather than on financial value, providing an absolute and comparable view of asset value. Those values support the network administrator in the process of selecting a target. 2. assign a cost value automatically to all ambients represented in the network, also based on network connectivity rather than on financial value, providing an absolute and comparable view of cost for attack steps. Such a measure of cost allows the incorporation of rationality to the ambient-attacker which simulates a strategy of a real-attacker.
Article
Defense in depth is a common strategy that uses layers of firewalls to protect Supervisory Control and Data Acquisition (SCADA) subnets and other critical resources on enterprise networks. A tool named NetSPA is presented that analyzes firewall rules and vulnerabilities to construct attack graphs. These show how inside and outside attackers can progress by successively compromising exposed vulnerable hosts with the goal of reaching critical internal targets. NetSPA generates attack graphs and automatically analyzes them to produce a small set of prioritized recommendations to restore defense in depth. Field trials on networks with up to 3,400 hosts demonstrate that firewalls often do not provide defense in depth due to misconfigurations and critical unpatched vulnerabilities on hosts. In all cases, a small number of recommendations was provided to restore defense in depth. Simulations on networks with up to 50,000 hosts demonstrate that this approach scales well to enterprise-size networks.
Conference Paper
We apply adjacency matrix clustering to network attack graphs for attack correlation, prediction, and hypothesizing. We self-multiply the clustered adjacency matrices to show attacker reachability across the network for a given number of attack steps, culminating in transitive closure for attack prediction over all possible number of steps. This reachability analysis provides a concise summary of the impact of network configuration changes on the attack graph. Using our framework, we also place intrusion alarms in the context of vulnerability-based attack graphs, so that false alarms become apparent and missed detections can be inferred. We introduce a graphical technique that shows multiple-step attacks by matching rows and columns of the clustered adjacency matrix. This allows attack impact/responses to be identified and prioritized according to the number of attack steps to victim machines, and allows attack origins to be determined. Our techniques have quadratic complexity in the size of the attack graph.
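As an added illustration of the matrix technique described in the abstract above (example code written for this page, not the cited authors' framework), the following Python represents an attack graph as a boolean adjacency matrix, self-multiplies it to obtain attacker reachability within a given number of steps, takes the transitive closure for prediction over any number of steps, and places an intrusion alert in that context: an alert that matches no edge of the graph is flagged as a candidate false alarm, and an alert on a host that is several steps from the attacker's start implies that many undetected earlier steps. The clustering of the matrix is omitted; hosts and edges are constructed sample data.

```python
# Constructed sample attack graph (not from the page): hosts and one-step
# exploit edges u -> v meaning "control of u lets the attacker compromise v".
HOSTS = ["attacker", "dmz-web", "app", "db", "admin-ws"]
EDGES = [
    ("attacker", "dmz-web"),
    ("dmz-web", "app"),
    ("app", "db"),
    ("app", "admin-ws"),
    ("db", "admin-ws"),
]


def adjacency(hosts, edges):
    """Boolean adjacency matrix a[i][j] == True iff hosts[i] -> hosts[j]."""
    idx = {h: i for i, h in enumerate(hosts)}
    n = len(hosts)
    a = [[False] * n for _ in range(n)]
    for u, v in edges:
        a[idx[u]][idx[v]] = True
    return a


def bool_mult(x, y):
    """Boolean product: (x*y)[i][j] is true iff some k has x[i][k] and y[k][j]."""
    n = len(x)
    return [[any(x[i][k] and y[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def reach_within(a, steps):
    """R_k = A | A^2 | ... | A^k: j is reachable from i in at most k attack
    steps.  Naive O(n^3) per product, kept simple for illustration."""
    n = len(a)
    power = a
    result = [row[:] for row in a]
    for _ in range(steps - 1):
        power = bool_mult(power, a)
        result = [[result[i][j] or power[i][j] for j in range(n)]
                  for i in range(n)]
    return result


def transitive_closure(a):
    """Reachability over any number of steps: a simple path in a graph with
    n nodes has at most n-1 edges, so R_(n-1) is the closure."""
    return reach_within(a, max(1, len(a) - 1))


def min_steps(hosts, a, src, dst):
    """Fewest attack steps from src to dst, or None if dst is unreachable."""
    i, j = hosts.index(src), hosts.index(dst)
    for k in range(1, len(hosts)):
        if reach_within(a, k)[i][j]:
            return k
    return None


def alert_context(hosts, a, alert_src, alert_dst, start="attacker"):
    """Place an IDS alert 'alert_src attacked alert_dst' in graph context.

    consistent=False: no edge alert_src -> alert_dst exists, so the alert
    matches no exploit the model allows (candidate false alarm).
    prior_steps: number of steps needed to reach alert_src from the start,
    i.e. how many earlier steps went undetected (None if alert_src is not
    reachable from the start at all)."""
    i, j = hosts.index(alert_src), hosts.index(alert_dst)
    if not a[i][j]:
        return {"consistent": False, "prior_steps": None}
    prior = 0 if alert_src == start else min_steps(hosts, a, start, alert_src)
    return {"consistent": True, "prior_steps": prior}


if __name__ == "__main__":
    a = adjacency(HOSTS, EDGES)
    closure = transitive_closure(a)
    for target in HOSTS[1:]:
        print(f"attacker -> {target}: {min_steps(HOSTS, a, 'attacker', target)} step(s)")
    print("alert dmz-web->db:", alert_context(HOSTS, a, "dmz-web", "db"))
    print("alert app->db:    ", alert_context(HOSTS, a, "app", "db"))
    print("admin-ws can reach attacker:", closure[HOSTS.index("admin-ws")][0])
```

Changing a network configuration (adding or removing an edge) and recomputing the closure gives the concise impact summary the abstract describes; the `min_steps` value for each asset is what one would use to prioritise responses.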
Article
A four-pass algorithm for drawing directed graphs is presented. The first pass finds an optimal rank assignment using a network simplex algorithm. The second pass sets the vertex order within ranks by an iterative heuristic, incorporating a novel weight function and local transpositions to reduce crossings. The third pass finds optimal coordinates for nodes by constructing and ranking an auxiliary graph. The fourth pass makes splines to draw edges. The algorithm creates good drawings and is fast.
Article
We present a new focus+context (fisheye) technique for visualizing and manipulating large hierarchies. Our technique assigns more display space to a portion of the hierarchy while still embedding it in the context of the entire hierarchy. The essence of this scheme is to lay out the hierarchy in a uniform way on a hyperbolic plane and map this plane onto a circular display region. This supports a smooth blending between focus and context, as well as continuous redirection of the focus. We have developed effective procedures for manipulating the focus using pointer clicks as well as interactive dragging, and for smoothly animating transitions across such manipulation. A laboratory experiment comparing the hyperbolic browser with a conventional hierarchy browser was conducted.
Article
This report reviews past research papers that describe how to construct attack graphs, how to use them to improve security of computer networks, and how to use them to analyze alerts from intrusion detection systems. Two commercial systems are described, and a summary table compares important characteristics of past research studies. For each study, information is provided on the number of attacker goals, how graphs are constructed, sizes of networks analyzed, how well the approach scales to larger networks, and the general approach. Although research has made significant progress in the past few years, no system has analyzed networks with more than 20 hosts, and computation for most approaches scales poorly and would be impractical for networks with more than even a few hundred hosts. Current approaches also are limited because many require extensive and difficult-to-obtain details on attacks, many assume that host-to-host reachability information between all hosts is already available, and many produce an attack graph but do not automatically generate recommendations from that graph. Researchers have suggested promising approaches to alleviate some of these limitations, including grouping hosts to improve scaling, using worst-case default values for unknown attack details, and symbolically analyzing attack graphs to generate recommendations that improve security for critical hosts. Future research should explore these and other approaches to develop attack graph construction and analysis algorithms that can be applied to large enterprise networks.
Article
To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial. First, the model used in the analysis must be able to automatically integrate formal vulnerability specifications from the bug-reporting community. Second, the analysis must be able to scale to networks with thousands of machines. We show how to achieve these two goals by presenting MulVAL, an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines. We implemented our framework on the Red Hat Linux platform. Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language. We tested our tool on a real network with hundreds of users. The tool detected a policy violation caused by software vulnerabilities and the system administrators took remediation measures.
Conference Paper
Attack graphs are a valuable tool to network defenders, illustrating paths an attacker can use to gain access to a targeted network. Defenders can then focus their efforts on patching the vulnerabilities and configuration errors that allow the attackers the greatest amount of access. We have created a new type of attack graph, the multiple-prerequisite graph, that scales nearly linearly as the size of a typical network increases. We have built a prototype system using this graph type. The prototype uses readily available source data to automatically compute network reachability, classify vulnerabilities, build the graph, and recommend actions to improve network security. We have tested the prototype on an operational network with over 250 hosts, where it helped to discover a previously unknown configuration error. It has processed complex simulated networks with over 50,000 hosts in under four minutes.
Conference Paper
Traditionally, node link diagrams are the prime choice when it comes to visualizing software architectures. However, node link diagrams often fall short when used to visualize large graph structures. In this paper we investigate the use of call matrices as visual aids in the management of large software projects. We argue that call matrices have a number of advantages over traditional node link diagrams when the main object of interest is the link instead of the node. Matrix visualizations can provide stable and crisp layouts of large graphs and are inherently well suited for large multilevel visualizations because of their recursive structure. We discuss a number of visualization issues, using a very large software project currently under development at Philips Medical Systems as a running example.
Article
Networks have remained a challenge for information visualization designers because of the complex issues of node and link layout coupled with the rich set of tasks that users present. This paper offers a strategy based on two principles: (1) layouts are based on user-defined semantic substrates, which are non-overlapping regions in which node placement is based on node attributes, (2) users interactively adjust sliders to control link visibility to limit clutter and thus ensure comprehensibility of source and destination. Scalability is further facilitated by user control of which nodes are visible. We illustrate our semantic substrates approach as implemented in NVSS 1.0 with legal precedent data for up to 1122 court cases in three regions with 7645 legal citations.
Conference Paper
We present a novel tree browser that builds on the conventional node link tree diagrams. It adds dynamic rescaling of branches of the tree to best fit the available screen space, optimized camera movement, and the use of preview icons summarizing the topology of the branches that cannot be expanded. In addition, it includes integrated search and filter functions. This paper reflects on the evolution of the design and highlights the principles that emerged from it. A controlled experiment showed benefits for navigation to already previously visited nodes and estimation of overall tree topology.
Conference Paper
This paper presents a tool for assessment of security attributes and vulnerabilities in computer networks. The tool generates attack graphs (Phillips and Swiler, 1998). Each node in the attack graph represents a possible attack state. Edges represent a change of state caused by a single action taken by the attacker or unwitting assistant, and are weighted by some metric (such as attacker effort or time to succeed). Generation of the attack graph requires algorithms that match information about attack requirements (specified in attack templates) to information about the network configuration and assumed attacker capabilities (attacker profile). The set of near-optimal shortest paths indicates the most exploitable components of the system configuration. This paper presents the status of the tool and discusses implementation issues, especially focusing on the data input needs and methods for eliminating redundant paths and nodes in the graph
Conference Paper
A method for visualizing hierarchically structured information is described. The tree-map visualization technique makes 100% use of the available display space, mapping the full hierarchy onto a rectangular region in a space-filling manner. This efficient use of space allows very large hierarchies to be displayed in their entirety and facilitates the presentation of semantic information. Tree-maps can depict both the structure and content of the hierarchy. However, the approach is best suited to hierarchies in which the content of the leaf nodes and the structure of the hierarchy are of primary importance, and the content information associated with internal nodes is largely derived from their children.
Skybox Security Inc (2007) http://www.skyboxsecurity.com. Accessed 6 Sept 2007
SWIG (2007) http://www.swig.org. Accessed 6 Sept 2007
Noel S, Jajodia S (2004) Managing attack graph complexity through visual hierarchical aggregation. VizSEC/DMSEC '04: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, New York, NY, USA, ACM Press, 109–118
NVD (2007) National Vulnerability Database http://nvd.nist.gov/. Accessed 6 Sept 2007
Munzner T (2006) 15 Views of a node-link graph: an infovis portfolio. http://www.cs.ubc.ca/~tmm/talks.html. Accessed 6 Sept 2007