Efficient Minimum-Cost Network Hardening Via Exploit Dependency Graphs
نویسندگان
چکیده
In-depth analysis of network security vulnerability must consider attacker exploits not just in isolation, but also in combination. The general approach to this problem is to compute attack paths (combinations of exploits), from which one can decide whether a given set of network hardening measures guarantees the safety of given critical resources. We go beyond attack paths to compute actual sets of hardening measures (assignments of initial network conditions) that guarantee the safety of given critical resources. Moreover, for given costs associated with individual hardening measures, we compute assignments that minimize overall cost. By doing our minimization at the level of initial conditions rather than exploits, we resolve hardening irrelevancies and redundancies in a way that cannot be done through previously proposed exploit-level approaches. Also, we use an efficient exploit-dependency representation based on monotonic logic that has polynomial complexity, as opposed to many previous attack graph representations having exponential complexity.
منابع مشابه
Analytical framework for measuring network security using exploit dependency graph
Attack graph is a popular tool for modeling multi-staged, correlated attacks on computer networks. Attack graphs have been widely used for measuring network security risks. A major portion of these works, have used host based or state based attack graphs. These attack graph models are either too restrictive or too resource consuming. Also, a significant portion of these works have used ‘probabi...
متن کاملMinimum-cost network hardening using attack graphs
In defending one’s network against cyber attack, certain vulnerabilities may seem acceptable risks when considered in isolation. But an intruder can often infiltrate a seemingly well-guarded network through a multi-step intrusion, in which each step prepares for the next. Attack graphs can reveal the threat by enumerating possible sequences of exploits that can be followed to compromise given c...
متن کاملA particle swarm optimization algorithm for minimization analysis of cost-sensitive attack graphs
To prevent an exploit, the security analyst must implement a suitable countermeasure. In this paper, we consider cost-sensitive attack graphs (CAGs) for network vulnerability analysis. In these attack graphs, a weight is assigned to each countermeasure to represent the cost of its implementation. There may be multiple countermeasures with different weights for preventing a single exploit. Also,...
متن کاملGenetic Algorithm and Bayesian Attack Graph for Security Risk Analysis and Mitigation P.prakash
Risk assessment determines threats to critical resources and the corresponding loss expectancy.Bayesian network is used to model potential attack paths in a system. Knowledge of attackers and attack mechanisms are used to fetch the subset of attack paths. Security risk assessment and mitigation are two vital processes. Models such as attack graphs and attack trees are used to assess the cause-c...
متن کاملA Particle Swarm Optimization Algorithm for Minimization Analysis of Cost-Sensitive Attack Graphs
To prevent an exploit, the security analyst must implement a suitable countermeasure. In this paper, we consider cost-sensitive attack graphs (CAGs) for network vulnerability analysis. In these attack graphs, a weight is assigned to each countermeasure to represent the cost of its implementation. There may be multiple countermeasures with different weights for preventing a single exploit. Also,...
متن کامل