Abstract
Attack representation models (ARMs), such as attack graphs and attack trees, can be used to model and assess the security of a networked system. To do this, one must generate an ARM. However, generation and evaluation of the ARM suffer from a scalability problem when the networked system is very large (e.g., 10,000 computer hosts with a complex network topology). The main reason is that computing all possible attack scenarios to cover every aspect of an attack results in a state-space explosion. One idea is to use only the important hosts and vulnerabilities in the networked system to generate the model and evaluate security. We propose to use k-importance measures to generate a two-layer hierarchical ARM that improves the computational complexity of both model generation and security evaluation. We use the k_1 most important hosts, selected by network centrality measures, and the k_2 most significant vulnerabilities of each host, selected by host security metrics. We show that an equivalent security analysis can be achieved with our approach (using k-importance measures) compared to an exhaustive search.
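The following Python is an added illustration of the two-layer selection the abstract describes, not code from the paper, run on a constructed five-host network. Degree centrality as the host-importance measure, a per-vulnerability exploit probability as the host security metric, the success probability of the most likely attack path as the evaluation metric, and always keeping the attacker and target hosts in the upper layer are all assumptions made here.

```python
# Constructed sample topology (undirected links): host -> neighbouring hosts
TOPOLOGY = {"attacker": ["web"], "web": ["attacker", "app1", "app2"],
            "app1": ["web", "db"], "app2": ["web", "db"], "db": ["app1", "app2"]}
# Constructed vulnerabilities per host; the value is an assumed exploit
# probability standing in for a host security metric (e.g. CVSS-derived)
VULNS = {"web": {"v1": 0.9, "v2": 0.4, "v3": 0.2}, "app1": {"v4": 0.6, "v5": 0.1},
         "app2": {"v6": 0.3, "v7": 0.3}, "db": {"v8": 0.7, "v9": 0.5, "v10": 0.05}}

def degree_centrality(topo):
    # Assumed importance measure: normalised degree centrality
    return {h: len(n) / (len(topo) - 1) for h, n in topo.items()}

def build_harm(topo, vulns, k1, k2, keep=("attacker", "db")):
    """Upper layer: attacker, target and the k1 most central other hosts.
    Lower layer: the k2 highest-scoring vulnerabilities of each kept host."""
    cent = degree_centrality(topo)
    ranked = sorted((h for h in topo if h not in keep), key=lambda h: -cent[h])
    hosts = set(keep) | set(ranked[:k1])
    upper = {h: [n for n in topo[h] if n in hosts] for h in hosts}
    lower = {h: dict(sorted(vulns.get(h, {}).items(),
                            key=lambda kv: -kv[1])[:k2]) for h in hosts}
    return upper, lower

def host_compromise_prob(vuln_probs):
    # Lower-layer attack tree is an OR node: any retained vulnerability suffices
    p_none = 1.0
    for p in vuln_probs.values():
        p_none *= 1 - p
    return 1 - p_none

def most_likely_attack(upper, lower, src="attacker", dst="db"):
    """DFS over simple paths in the upper layer; returns (success prob, path)."""
    best = (0.0, [])
    def dfs(h, prob, path):
        nonlocal best
        if h == dst:
            best = max(best, (prob, path))
            return
        for n in upper[h]:
            if n not in path:
                dfs(n, prob * host_compromise_prob(lower[n]), path + [n])
    dfs(src, 1.0, [src])
    return best

# Exhaustive model (all hosts, all vulnerabilities) versus the k-importance model
FULL = most_likely_attack(*build_harm(TOPOLOGY, VULNS, k1=len(TOPOLOGY), k2=99))
REDUCED = most_likely_attack(*build_harm(TOPOLOGY, VULNS, k1=2, k2=2))
```

On this constructed input both models rank the same attack path highest, while the reduced model evaluates a smaller graph and fewer vulnerabilities per host.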
© 2013 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Hong, J.B., Kim, D.S. (2013). Scalable Security Model Generation and Analysis Using k-importance Measures. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds) Security and Privacy in Communication Networks. SecureComm 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 127. Springer, Cham. https://doi.org/10.1007/978-3-319-04283-1_17
DOI: https://doi.org/10.1007/978-3-319-04283-1_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04282-4
Online ISBN: 978-3-319-04283-1