Exploiting Domination in Attack Graph for Enterprise Network Hardening

  • Conference paper
Security in Computing and Communications (SSCC 2015)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 536))

Abstract

Attack graphs have proved to be a tool of great value to an administrator analyzing security vulnerabilities in a networked environment. An attack graph shows all possible attack scenarios in an enterprise network. Even though attack graphs are generated efficiently, their size and complexity prevent an administrator from fully understanding the information portrayed. While an administrator will quickly perceive the possible attack scenarios, it is typically tough to know which vulnerabilities are vital to the success of an adversary. An administrator has to identify such vulnerabilities and their associated/enabling preconditions, which really matter in preventing an adversary from successfully compromising the enterprise network. Extracting such meaningful information aids the administrator in efficiently allocating scarce security resources. In this paper, we apply the well-known concept of domination in directed graphs to the exploit-dependency attack graph generated for a synthetic network. The minimal dominating set (MDS) computed over the generated attack graph gives us the set of initial preconditions that covers all the exploits in the attack graph. We model the problem of computing the MDS as a set cover problem (SCP). We present a small case study to demonstrate the effectiveness and relevance of the proposed approach. Initial results show that our minimal dominating set-based approach is capable of finding the sets with a minimal number of initial conditions that need to be disabled for improved network security.
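The set-cover view of hardening described in the abstract can be sketched as follows. This is an added example, not the authors' code: the graph, the condition and exploit names, the rule that an initial condition "covers" the exploits that become unreachable when it alone is disabled, and the greedy heuristic are all assumptions, since the paper's exact formulation is not on this page.

```python
# Constructed exploit-dependency graph (assumption, not from the paper).
# Each exploit needs ALL of its preconditions and yields its postconditions.
EXPLOITS = {
    "ftp_rhosts(0,1)": ({"ftp(0,1)", "user(0)"}, {"trust(1,0)"}),
    "rsh(0,1)": ({"trust(1,0)", "rsh_svc(0,1)", "user(0)"}, {"user(1)"}),
    "sshd_bof(0,1)": ({"sshd(0,1)", "user(0)"}, {"user(1)"}),
    "local_bof(1)": ({"user(1)"}, {"root(1)"}),
    "ftp_rhosts(1,2)": ({"ftp(1,2)", "user(1)"}, {"trust(2,1)"}),
    "rsh(1,2)": ({"trust(2,1)", "user(1)"}, {"user(2)"}),
}
INITIAL = {"user(0)", "ftp(0,1)", "sshd(0,1)", "ftp(1,2)", "rsh_svc(0,1)"}

def reachable(exploits, enabled):
    """Forward fixed point: exploits that can fire from the enabled conditions."""
    have, fired = set(enabled), set()
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name not in fired and pre <= have:
                fired.add(name)
                have |= post
                changed = True
    return fired

def harden(exploits, initial, candidates):
    """Greedy set cover over the removable initial conditions (candidates)."""
    universe = reachable(exploits, initial)
    # One subset per candidate: the exploits blocked by disabling it alone.
    blocks = {c: universe - reachable(exploits, initial - {c}) for c in candidates}
    chosen, uncovered = [], set(universe)
    while uncovered:
        best = max(sorted(blocks), key=lambda c: len(blocks[c] & uncovered), default=None)
        if best is None or not blocks[best] & uncovered:
            break  # what is left has alternative paths; no single condition blocks it
        chosen.append(best)
        uncovered -= blocks[best]
    # Prune to a minimal set: drop a pick whose exploits the others already cover.
    for c in list(chosen):
        rest = set().union(*(blocks[o] for o in chosen if o != c))
        if blocks[c] <= rest:
            chosen.remove(c)
    # Exploits still reachable once every chosen condition is disabled together.
    residual = reachable(exploits, initial - set(chosen))
    return set(chosen), uncovered, residual

if __name__ == "__main__":
    # user(0), the attacker's own foothold, is treated as not removable.
    print(harden(EXPLOITS, INITIAL, INITIAL - {"user(0)"}))
```

Here `local_bof(1)` is not covered by any single condition because `user(1)` can be obtained along two paths, yet it becomes unreachable once the chosen conditions are disabled together, so the residual check is what confirms the hardening.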

Corresponding author

Correspondence to Ghanshyam S. Bopche.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Bopche, G.S., Mehtre, B.M. (2015). Exploiting Domination in Attack Graph for Enterprise Network Hardening. In: Abawajy, J., Mukherjea, S., Thampi, S., Ruiz-Martínez, A. (eds) Security in Computing and Communications. SSCC 2015. Communications in Computer and Information Science, vol 536. Springer, Cham. https://doi.org/10.1007/978-3-319-22915-7_32

  • DOI: https://doi.org/10.1007/978-3-319-22915-7_32

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22914-0

  • Online ISBN: 978-3-319-22915-7

  • eBook Packages: Computer Science, Computer Science (R0)
