Abstract
To understand overall vulnerability to network attack, one must consider attacker exploits not just in isolation, but also in combination. That is, one must analyze how low-level vulnerabilities can be combined to achieve high-level attack goals. In this chapter, we describe a tool that implements an integrated, topological approach to network vulnerability analysis. Our Topological Vulnerability Analysis (TVA) tool automates the labor-intensive type of analysis usually performed by penetration-testing experts. It is ideal for inexpensive what-if analyses of the impact of various network configurations on overall network security. The TVA tool includes modeling of network security conditions and attack techniques (exploits), automatic population of models via the Nessus vulnerability scanner, and analysis of exploit sequences (attack paths) leading to specific attack goals. Moreover, the tool generates a graph of dependencies among exploits that represents all possible attack paths without having to enumerate them. This representation enables highly scalable methods of vulnerability analysis, such as computing network configurations that guarantee the security of given network resources. Finally, this chapter describes some of the open technical challenges for the TVA approach.
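The abstract describes the core TVA idea: model each exploit by the security conditions it requires and the conditions it provides, chain exploits forward from the initial network state, and represent all attack paths as a graph of dependencies among exploits rather than enumerating the paths. The following Python is an added illustration of that model, not code from the TVA tool or from the chapter's authors. The hosts (attacker, web, db), the three exploits, and all condition names are constructed for the example; it also shows the "what-if" use the abstract mentions by searching for the smallest set of connectivity conditions whose removal guarantees the attack goal is unreachable.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Exploit:
    """Requires/provides model: an exploit fires when all its preconditions hold
    and then makes its postconditions true (conditions are monotonic: once
    gained, never lost)."""
    name: str
    requires: frozenset
    provides: frozenset


def forward_closure(initial, exploits):
    """Forward-chain from the initial conditions until no exploit can fire.
    Returns (all satisfied conditions, exploits that fired, in firing order)."""
    satisfied = set(initial)
    applied = []
    progress = True
    while progress:
        progress = False
        for ex in exploits:
            if ex not in applied and ex.requires <= satisfied:
                satisfied |= ex.provides
                applied.append(ex)
                progress = True
    return satisfied, applied


def dependency_graph(initial, exploits):
    """Exploit dependency graph: an edge A -> B means some postcondition of A is a
    precondition of B. Only exploits reachable from the initial state appear, so
    the graph encodes every attack path without listing them one by one."""
    _, applied = forward_closure(initial, exploits)
    return {(a.name, b.name)
            for a in applied for b in applied
            if a is not b and a.provides & b.requires}


def goal_reachable(initial, exploits, goal):
    """True if the attacker can gain the goal condition from this network state."""
    satisfied, _ = forward_closure(initial, exploits)
    return goal in satisfied


def minimal_hardening(initial, exploits, goal, removable):
    """Smallest subset of 'removable' initial conditions (e.g. network connectivity
    the defender can block) whose removal makes the goal unreachable. Exhaustive
    search is fine for a small model; returns None if nothing helps."""
    removable = sorted(removable)
    for k in range(len(removable) + 1):
        for combo in combinations(removable, k):
            if not goal_reachable(set(initial) - set(combo), exploits, goal):
                return set(combo)
    return None


# Constructed example network state (hypothetical hosts and vulnerability names).
INITIAL = frozenset({
    "execute(attacker)",
    "conn(attacker,web,ftp)", "conn(attacker,web,rsh)", "conn(attacker,web,http)",
    "conn(web,db,sql)",
    "vuln_ftp_rhosts(web)", "vuln_web_rce(web)", "vuln_sql_overflow(db)",
})

EXPLOITS = [
    Exploit("ftp_rhosts",
            frozenset({"execute(attacker)", "conn(attacker,web,ftp)", "vuln_ftp_rhosts(web)"}),
            frozenset({"trust(web,attacker)"})),
    Exploit("rsh_login",
            frozenset({"execute(attacker)", "conn(attacker,web,rsh)", "trust(web,attacker)"}),
            frozenset({"execute(web)"})),
    Exploit("web_rce",
            frozenset({"execute(attacker)", "conn(attacker,web,http)", "vuln_web_rce(web)"}),
            frozenset({"execute(web)"})),
    Exploit("db_overflow",
            frozenset({"execute(web)", "conn(web,db,sql)", "vuln_sql_overflow(db)"}),
            frozenset({"execute(db)"})),
]

GOAL = "execute(db)"
# Conditions the defender could change by reconfiguring the network (firewall rules).
CONNECTIVITY = {c for c in INITIAL if c.startswith("conn(")}

if __name__ == "__main__":
    print("goal reachable:", goal_reachable(INITIAL, EXPLOITS, GOAL))
    for edge in sorted(dependency_graph(INITIAL, EXPLOITS)):
        print("dependency:", edge)
    print("minimal hardening:", minimal_hardening(INITIAL, EXPLOITS, GOAL, CONNECTIVITY))
```

In this constructed state there are two independent routes to code execution on `web` (the ftp/rsh chain and the direct web exploit), so blocking either of the attacker-to-web links alone leaves the goal reachable; the search instead finds the single chokepoint `conn(web,db,sql)`. That is the kind of result the abstract calls a network configuration that guarantees the security of a given resource: it is derived from the dependency graph, not from checking each enumerated path.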
Copyright information
© 2005 Springer Science+Business Media, Inc.
Jajodia, S., Noel, S., O’Berry, B. (2005). Topological Analysis of Network Attack Vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds) Managing Cyber Threats. Massive Computing, vol 5. Springer, Boston, MA. https://doi.org/10.1007/0-387-24230-9_9
DOI: https://doi.org/10.1007/0-387-24230-9_9
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-24226-2
Online ISBN: 978-0-387-24230-9