Scalable Security Model Generation and Analysis Using k-importance Measures

  • Conference paper

Abstract

Attack representation models (ARMs) (such as attack graphs, attack trees) can be used to model and assess security of a networked system. To do this, one must generate an ARM. However, generation and evaluation of the ARM suffer from a scalability problem when the size of the networked system is very large (e.g., 10,000 computer hosts in the network with a complex network topology). The main reason is that computing all possible attack scenarios to cover all aspects of an attack results in a state space explosion. One idea is to use only important hosts and vulnerabilities in the networked system to generate and evaluate security. We propose to use k-importance measures to generate a two-layer hierarchical ARM that will improve the scalability of model generation and security evaluation computational complexities. We use k_1 number of important hosts based on network centrality measures and k_2 number of significant vulnerabilities of hosts using host security metrics. We show that an equivalent security analysis can be achieved using our approach (using k-importance measures), compared to an exhaustive search.
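
An illustration of the selection step the abstract describes, added here and not taken from the paper. It assumes closeness centrality as the network centrality measure and a CVSS-style score as the host security metric (the abstract names neither); the hosts, vulnerability labels, scores and function names are constructed.

```python
from collections import deque

# Constructed sample: undirected host reachability and per-host scores (assumed CVSS-style).
ADJ = {
    "gw":   ["web", "mail", "vpn", "ws"],
    "web":  ["gw", "app"],
    "mail": ["gw", "app"],
    "vpn":  ["gw"],
    "ws":   ["gw"],
    "app":  ["web", "mail", "db"],
    "db":   ["app"],
}
VULNS = {
    "gw":   {"vuln-a": 5.0},
    "web":  {"vuln-b": 9.8, "vuln-c": 4.3, "vuln-d": 7.5},
    "mail": {"vuln-e": 6.1},
    "vpn":  {"vuln-f": 3.1},
    "ws":   {"vuln-k": 6.8},
    "app":  {"vuln-g": 8.8, "vuln-h": 2.6},
    "db":   {"vuln-i": 7.2, "vuln-j": 9.0},
}

def closeness(adj, src):
    """Closeness centrality: reachable hosts divided by the sum of BFS hop distances."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    total = sum(dist.values())
    return (len(dist) - 1) / total if total else 0.0

def top_k_hosts(adj, k1):
    """Upper layer: the k1 hosts with the highest centrality (ties broken by name)."""
    return sorted(adj, key=lambda h: (-closeness(adj, h), h))[:k1]

def top_k_vulns(host_vulns, k2):
    """Lower layer: the k2 highest-scoring vulnerabilities of a single host."""
    return sorted(host_vulns, key=lambda v: (-host_vulns[v], v))[:k2]

def build_reduced_model(adj, vulns, k1, k2):
    """Two-layer model: host graph induced by the selected hosts, plus their top vulnerabilities."""
    hosts = top_k_hosts(adj, k1)
    upper = {h: sorted(n for n in adj[h] if n in hosts) for h in hosts}
    lower = {h: top_k_vulns(vulns[h], k2) for h in hosts}
    return upper, lower
```

With k_1 = 4 and k_2 = 2 the reduced model keeps 4 of the 7 hosts and 6 of the 11 vulnerabilities; the `db` host and its 9.0-scored finding drop out, which is the kind of omission the choice of k_1 and k_2 has to be checked against.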

Copyright information

© 2013 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Hong, J.B., Kim, D.S. (2013). Scalable Security Model Generation and Analysis Using k-importance Measures. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds) Security and Privacy in Communication Networks. SecureComm 2013. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 127. Springer, Cham. https://doi.org/10.1007/978-3-319-04283-1_17

  • DOI: https://doi.org/10.1007/978-3-319-04283-1_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04282-4

  • Online ISBN: 978-3-319-04283-1

  • eBook Packages: Computer Science (R0)