Abstract
Attack graphs have proved to be a valuable tool for an administrator analyzing security vulnerabilities in a networked environment: they show all possible attack scenarios in an enterprise network. Even though attack graphs can be generated efficiently, their size and complexity prevent an administrator from fully understanding the information they portray. While an administrator will quickly perceive the possible attack scenarios, it is typically hard to tell which vulnerabilities are vital to the success of an adversary. An administrator has to identify such vulnerabilities and their associated enabling preconditions, since these are what really matter in preventing an adversary from compromising the enterprise network; extracting this information helps the administrator allocate scarce security resources efficiently. In this paper, we apply the well-known concept of domination in directed graphs to the exploit-dependency attack graph generated for a synthetic network. The minimal dominating set (MDS) computed over the generated attack graph gives the set of initial preconditions that covers all the exploits in the attack graph. We model the computation of the MDS as a set cover problem (SCP). A small case study demonstrates the effectiveness and relevance of the proposed approach. Initial results show that our minimal dominating set-based approach is capable of finding sets with a minimal number of initial conditions that need to be disabled for improved network security.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Bopche, G.S., Mehtre, B.M. (2015). Exploiting Domination in Attack Graph for Enterprise Network Hardening. In: Abawajy, J., Mukherjea, S., Thampi, S., Ruiz-Martínez, A. (eds) Security in Computing and Communications. SSCC 2015. Communications in Computer and Information Science, vol 536. Springer, Cham. https://doi.org/10.1007/978-3-319-22915-7_32
DOI: https://doi.org/10.1007/978-3-319-22915-7_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22914-0
Online ISBN: 978-3-319-22915-7
eBook Packages: Computer Science (R0)