Attack Graphs for Sensor Placement, Alert Prioritization, and Attack Response

We describe the optimal placement of intrusion detection system (IDS) sensors and prioritization of IDS alarms, using attack graph analysis. Our attack graphs predict the various possible ways of penetrating a network to reach critical assets. In particular, automated analysis of network configuration and attacker exploits provides an attack graph showing all possible paths to critical assets. We then place IDS sensors to cover all these paths, using the fewest number of sensors. The sensor-placement problem we pose is an instance of the NP-hard minimal set cover problem, which we solve through a greedy algorithm. Through our approach, all traffic along vulnerable paths to critical resources is monitored, with no deployment of unnecessary sensors. Then, through our predictive vulnerability-based attack graphs, we prioritize IDS alarms based on their level of threat (attack graph distance) to critical assets. The predictive power of our attack graphs then provides the necessary context for appropriate attack response.