A Protocol Vulnerability Analysis Method Based on Logical Attack Graph

  • Chunrui Zhang
  • Shen Wang
  • Dechen Zhan
Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 82)


Deriving complex protocol vulnerability information from a large number of simple protocol vulnerabilities is a difficult problem. In this paper, we use the attack graph method to construct a protocol vulnerability correlation graph. We then combine the attack target with other information to build the protocol logic attack graph, which is transformed into an adjacency matrix. Through the adjacency matrix, we can find complex attack paths and calculate their probability of success and hazard index. The experimental results show that this method can find the correlation among protocol vulnerabilities and can calculate the optimal attack path for a protocol vulnerability.


Keywords: Protocol vulnerability analysis, Vulnerability correlation graph, Logic attack graph

1 Introduction and Related Work

In recent years, network attacks have received much attention, but most work focuses on vulnerabilities in computer systems and less on communication protocols, especially on the security analysis of wireless communication protocols. The main method of analyzing the vulnerability of a protocol is formal analysis [1]. Attacks against protocols have now become multi-step and multi-way, exploiting different stages of the communication protocol, and the existing methods lack the ability to correlate different vulnerabilities. Researchers have used attack graphs [2, 3] to analyze attack behavior. The Common Vulnerability Scoring System (CVSS) [4, 5] can be used to analyze the dependencies among vulnerabilities, show all attack paths, and finally evaluate system security trends comprehensively. Holm et al. [6] focused on the impact of the basic data provided by CVSS on vulnerability assessment; addressing the shortcomings of CVSS quantification, they gave a specific quantization method, but it was too complicated. Chen et al. [7] proposed an attack graph model for judging the probability of internal attack intent; based on the model, they proposed an algorithm to infer the intent of an internal attack and the maximum-probability attack path for that attack target. Liu et al. [8] proposed a game model to obtain optimized attack and defense decisions, which adds a confidence probability to extend vulnerability attributes. Li et al. [9] studied the correlation of vulnerability exploitation and proposed horizontal and vertical correlations suitable for different components of a computer system. For communication protocol vulnerability analysis, the horizontal correlation simplification model loses some information. In this paper, we propose a method to generate a protocol attack logic graph from the attack target using the vulnerabilities of the protocol. It shows every route to the attack target, thus revealing possible complex attacks, and at the same time searches for and calculates the optimal attack path.

2 Basic Concepts and Definitions

Attack target and constraints.

An attacker needs certain preconditions to achieve the target; only when these preconditions are met can the attacker achieve the target by one means of attack. These necessary preconditions are the constraints for the attack target.

Protocol Vulnerability.

A triple {VID, CS, RS} represents an atomic vulnerability of a communication protocol, where VID identifies the vulnerability of the protocol to a certain attack, CS is the set of constraints required for the attack and RS is the set of posterior results caused by the attack. It can be expressed as:

Protocol attack mode.

The attack modes for wireless communication protocols usually include packet discarding, packet hijacking and forwarding, and so on. A protocol attack includes information such as privilege information, vulnerability information, conditional requirements, attack methods, and attack consequences.

3 Protocol Vulnerabilities Correlation Analysis

Because of correlations between preconditions and posterior results, the atomic vulnerability set is combined into a protocol vulnerability correlation graph according to those correlations. The graph supports the use of multiple atomic vulnerabilities to achieve more advanced and complex attack targets. The graph construction process is described in detail below.

3.1 Protocol Vulnerability Correlation Graph Construction

The protocol vulnerability correlation graph construction algorithm consists of the following two steps, as shown in Fig. 1.
Fig. 1. Protocol vulnerability correlation graph

  1. Traverse the vulnerabilities of the protocol, generating for each a sub-tree containing only the current vulnerability and its child nodes by matching the preconditions and posterior results of the attack;

  2. Use a recursive algorithm that starts with an empty vulnerability correlation graph, accesses the sub-tree of a node and traverses all its leaf nodes. If a leaf node has already been merged into the vulnerability correlation graph, the node is deleted and the connection to the leaf node is redirected to the corresponding node in the vulnerability correlation graph. If the leaf node has not been merged into the vulnerability correlation graph, the sub-tree of that node is accessed. The algorithm is executed recursively until all nodes have been visited.


3.2 Protocol Vulnerability Correlation Graph Simplification

The original vulnerability graph is relatively large and needs to be simplified. We design the vulnerability reduction method using loop correlation.

Loop Correlation: If an attacker has used different types of vulnerability under the same constraints, and these vulnerabilities form loops that obtain a certain attack result, the vulnerabilities can be linked, as shown in Fig. 2. This process is called vulnerability loop correlation.
Fig. 2. Vulnerability correlation graph simplification using loop-link
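As an added illustration of the two-step construction in Sect. 3.1 and the loop-correlation simplification in Sect. 3.2 (this is example code, not the paper's C++ implementation), the following Python builds the correlation graph from atomic vulnerabilities {VID, CS, RS}: an edge from V_a to V_b is created when a posterior result of V_a matches a constraint of V_b, sub-trees are merged recursively so that an already-merged node is reused rather than duplicated, and nodes reached under the same constraints and leading to the same results are merged into one composite node. The vulnerability identifiers borrow the row names of Table 1, but the constraint and result labels, the sample data and the merge criterion used for loop correlation are assumptions.

```python
"""Protocol vulnerability correlation graph from atomic vulnerabilities
{VID, CS, RS}. Added illustration; sample data is constructed and the
loop-correlation merge criterion is an assumption, not the paper's code."""
from collections import namedtuple

AtomicVuln = namedtuple("AtomicVuln", ["vid", "cs", "rs"])

# Constructed sample set: the comments borrow Table 1's vulnerability names,
# the constraint/result labels are hypothetical.
SAMPLE = [
    AtomicVuln("V1", {"on_path"}, {"addr_known"}),                 # address information easy to leak
    AtomicVuln("V2", {"addr_known"}, {"frame_parsed"}),           # weak/no encryption
    AtomicVuln("V3", {"frame_parsed"}, {"header_forged"}),        # header type field check defect
    AtomicVuln("V4", {"frame_parsed"}, {"header_forged"}),        # header length check defect
    AtomicVuln("V5", {"header_forged", "no_auth"}, {"msg_modified"}),  # message easily modified
    AtomicVuln("V6", {"on_path"}, {"no_auth"}),                    # weak identity authentication
]


def subtree(v, vulns):
    """Step 1 of Sect. 3.1: the children of v are the vulnerabilities whose
    constraint set is (partly) satisfied by a posterior result of v."""
    return [w.vid for w in vulns if w.vid != v.vid and v.rs & w.cs]


def build_correlation_graph(vulns):
    """Step 2 of Sect. 3.1: recursive merge of the per-node sub-trees. A node
    already present in the graph is not expanded again; the new edge simply
    points at the existing node. Returns {vid: [child vids]}."""
    by_id = {v.vid: v for v in vulns}
    graph = {}

    def visit(vid):
        if vid in graph:            # already merged: reuse, do not duplicate
            return
        graph[vid] = []
        for child in subtree(by_id[vid], vulns):
            graph[vid].append(child)
            visit(child)

    for v in vulns:
        visit(v.vid)
    return graph


def loop_link(graph):
    """Sect. 3.2 simplification (assumed reading): nodes reached from the same
    parents and leading to the same children form a loop-link and are merged
    into one composite node named 'Va+Vb'."""
    parents = {v: set() for v in graph}
    for v, children in graph.items():
        for c in children:
            parents[c].add(v)
    groups = {}
    for v in graph:
        groups.setdefault((frozenset(parents[v]), frozenset(graph[v])), []).append(v)
    rename = {v: "+".join(sorted(g)) for g in groups.values() if len(g) > 1 for v in g}
    merged = {}
    for v, children in graph.items():
        nv = rename.get(v, v)
        merged.setdefault(nv, [])
        for c in children:
            nc = rename.get(c, c)
            if nc != nv and nc not in merged[nv]:
                merged[nv].append(nc)
    return merged


if __name__ == "__main__":
    g = build_correlation_graph(SAMPLE)
    print("correlation graph:", g)
    print("after loop-link:  ", loop_link(g))
```

In the constructed data V3 and V4 are both reached from V2 and both lead to V5, so loop-link collapses them into the single composite node V3+V4; the rest of the graph is unchanged.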

4 Protocol Attack Path Calculation

According to the protocol attack logic graph, we can analyze the attack process (or atomic vulnerability exploitation sequence) that achieves the advanced attack target. We can also treat these associated atomic vulnerabilities as a whole, constituting a more advanced composite vulnerability. The protocol attack logic graph construction includes three steps, described below.

4.1 Protocol Attack Logic Graph Construction

The input required to construct the protocol attack logic graph consists of four parts: the target attack result, the protocol vulnerability correlation graph, the protocol attack mode and the vulnerability set. From these inputs the algorithm outputs the protocol attack logic graph, which shows the influence of vulnerabilities and constraints, as shown in Fig. 3.
Fig. 3. Protocol attack logic graph generation

The protocol attack logic graph construction algorithm consists of two steps: (1) the corresponding transformation between the target and the vulnerabilities of the protocol: according to the target, we search for the vulnerabilities used by the attack method; (2) the protocol attack logic graph construction itself, which merges the redundant identical vulnerability nodes and their associated paths of the correlation tree to generate the attack logic graph.

4.2 Logical Attack Graph Calculation

After the protocol logical attack graph is obtained, it is analyzed and calculated to obtain the optimal attack path. Since the aim is to reach an attack target, the logical graph associated with the target must be calculated, and the target's logical graph has many end nodes, so the problem resembles finding multiple optimal paths in a directed graph. The main steps are as follows.
  1. First convert the directed graph to an adjacency matrix, as shown in Fig. 4.
     Fig. 4. Logical attack graph and adjacency matrix

     The value of each element in the adjacency matrix is calculated by Eq. (1).
     $$ a_{ij} = \begin{cases} 0 & i = j \\ 0 & \text{no directed edge from } i \text{ to } j \\ 1 & \text{directed edge from } i \text{ to } j \end{cases} \qquad (1) $$
  2. Calculate the path cost of the logical attack graph from the adjacency matrix.

     Each attack path on the composite attack logic graph is composed of a series of atomic attacks. This paper uses CVSS to quantify the attributes of an atomic vulnerability. The probability \( p_{i} \) that vulnerability \( i \) is exploited is:
     $$ p_{i} = c_{i} \cdot d_{i} \cdot ic_{i} \qquad (2) $$

     In (2) \( c_{i} \) is the confidence level of node \( i \), \( d_{i} \) is the degree of vulnerability of node \( i \), and \( ic_{i} \) is the influence coefficient of the constraint under which node \( i \) is used.

     The atomic attack successful hazard index \( h_{i} \) is:
     $$ h_{i} = p_{i} \cdot k_{i} \qquad (3) $$

     In (3) \( k_{i} \) is the attack's impact on confidentiality, integrity, and availability.

The protocol attack logic graph is calculated from the adjacency matrix; the calculation process is shown in Fig. 5 and the steps in Algorithm 1.
Fig. 5. Logical attack graph calculation

  a) Find the node with in-degree 0; calculate the probability and hazard index of exploiting the vulnerability from this start node to the next node;

  b) Update the adjacency value from the start node to the next node in the adjacency matrix, while shadowing the row and column of the start node;

  c) With the shadowed matrix as input, jump to a);

  d) Find the end node to obtain the utility value of the attack.


In Algorithm 1, \( V_{ij}.P \) is the stored probability, \( p_{ij} \) the probability of the attack, \( V_{ij}.H \) the stored hazard index and \( h_{ij} \) the hazard index of the attack.

4.3 Optimal Attack Path Calculation

By calculating and continually updating the values of the adjacency matrix, we can calculate the benefit of achieving the attack target. The benefit of an atomic attack \( B_{F} \) is generally expressed as the hazard the attack poses to the communication protocol. The cost of an atomic attack \( C_{T} \) is expressed as the reciprocal of the probability of the attack. So we can calculate the utility value of the attack \( U \), which equals the difference between gain and cost.

The attack cost and benefit for the attack path \( L_{i} \) are obtained from the probability of attack success and the attack hazard index of the path:
$$ U = B_{F} - C_{T} = a_{ij}.h_{ij} - \frac{1}{a_{ij}.p_{ij}} = \sum_{j = 1}^{pathlen} h_{ij} - \frac{1}{\prod_{j = 1}^{pathlen} p_{ij}} \qquad (p_{ij} \ne 0) \qquad (4) $$

In (4) \( a_{ij} \) is the non-zero element belonging to the node whose out-degree is 0 (that is, the terminating node), \( a_{ij}.h_{ij} \) is its hazard index, and \( a_{ij}.p_{ij} \) is the probability of success of the attack on that node.
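As an added worked example of Sects. 4.2 and 4.3 (example code, not the paper's implementation), the following Python builds the adjacency matrix of Eq. (1), computes \( p_{i} \) and \( h_{i} \) from Eqs. (2) and (3), enumerates every path from an in-degree-0 node to a terminating node, as Algorithm 1 does, and ranks the paths by the utility of Eq. (4). The node labels V1, V2, V6 and V7 reuse the paper's naming only; the edges and all numeric attributes (\( c_{i} \), \( d_{i} \), \( ic_{i} \), \( k_{i} \)) are constructed values, chosen so that the path (V6, V7, V1) comes out best, and are not the paper's experimental data.

```python
"""Logical attack graph evaluation: adjacency matrix (Eq. 1), atomic
probability p_i = c_i*d_i*ic_i (Eq. 2), hazard index h_i = p_i*k_i (Eq. 3)
and path utility U = sum(h) - 1/prod(p) (Eq. 4). Added illustration; the
graph and every attribute value below are constructed, not the paper's data."""
from math import prod

# Constructed node attributes: (c_i confidence, d_i vulnerability degree,
# ic_i constraint influence coefficient, k_i CIA impact). Only the labels
# V1/V2/V6/V7 come from the paper; the numbers are hypothetical.
NODES = {
    "V6": (0.9, 0.8, 1.0, 2.0),
    "V7": (0.8, 0.9, 0.9, 3.0),
    "V1": (0.7, 0.9, 1.0, 5.0),
    "V2": (0.6, 0.5, 0.8, 4.0),
}
# Constructed directed edges of the logical attack graph.
EDGES = [("V6", "V7"), ("V7", "V1"), ("V6", "V2"), ("V2", "V1")]


def atomic_probability(c, d, ic):
    """Eq. (2)."""
    return c * d * ic


def hazard_index(p, k):
    """Eq. (3)."""
    return p * k


def adjacency_matrix(order, edges):
    """Eq. (1): a_ij = 1 iff there is a directed edge i -> j, 0 otherwise
    (and 0 on the diagonal)."""
    idx = {n: i for i, n in enumerate(order)}
    a = [[0] * len(order) for _ in order]
    for src, dst in edges:
        if src != dst:
            a[idx[src]][idx[dst]] = 1
    return a


def enumerate_paths(order, a):
    """All simple paths from in-degree-0 start nodes to out-degree-0
    terminating nodes, i.e. the end nodes Eq. (4) refers to."""
    n = len(order)
    indeg = [sum(a[i][j] for i in range(n)) for j in range(n)]
    outdeg = [sum(row) for row in a]
    paths = []

    def walk(i, path):
        if outdeg[i] == 0:
            paths.append([order[k] for k in path])
            return
        for j in range(n):
            if a[i][j] and j not in path:   # j not in path: do not follow cycles
                walk(j, path + [j])

    for s in range(n):
        if indeg[s] == 0:
            walk(s, [s])
    return paths


def path_utility(path, nodes):
    """Eq. (4) for one path: returns (prod p, sum h, U). Eq. (4) requires
    every p_ij != 0, so a zero-probability step is rejected explicitly."""
    ps = [atomic_probability(*nodes[v][:3]) for v in path]
    if any(p == 0 for p in ps):
        raise ValueError("Eq. (4) is undefined for a zero attack probability")
    hs = [hazard_index(p, nodes[v][3]) for p, v in zip(ps, path)]
    return prod(ps), sum(hs), sum(hs) - 1 / prod(ps)


def optimal_attack_path(nodes, edges):
    """Rank all start-to-end paths by U and return the best as
    (path, probability, hazard, utility)."""
    order = list(nodes)
    a = adjacency_matrix(order, edges)
    scored = [(p, *path_utility(p, nodes)) for p in enumerate_paths(order, a)]
    return max(scored, key=lambda t: t[3])


if __name__ == "__main__":
    path, p, h, u = optimal_attack_path(NODES, EDGES)
    print(f"optimal path {path}: P={p:.4f} H={h:.3f} U={u:.3f}")
```

With these constructed values the two candidate paths are (V6, V7, V1) and (V6, V2, V1); the low probability of V2 makes the cost term \( 1/\prod p \) dominate on the second path, so the first path has the larger utility. Because the utility mixes a sum and a product, the example enumerates paths rather than propagating a single best value per node.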

5 Experiment Analysis

To verify the above algorithm, we implemented it in C++. Taking the CCSDS protocol as an example, the list of atomic vulnerabilities input to the experiment is shown in Table 1.
Table 1. Atomic attack success probability and hazard index

Atomic vulnerability                        Attack probability   Hazard index
Address information easy to leak
Not dense or weak
Header type field complete check defect
Header length complete check defect
Header field value is not defined
The message is easily modified
Sync head interference
Weak identity authentication
No time validation


We verify the protocol vulnerability correlation graph generation algorithm. After executing the protocol vulnerability correlation graph generation function, the foreground displays the protocol vulnerabilities and their relationships in graphical form, as shown in Fig. 6.
Fig. 6. Protocol vulnerability correlation graph and logic attack graph calculation

Based on the analysis of the relationships among the vulnerabilities and constraints of the protocol, the experiment first tests the correctness of the logical attack graph generation algorithm. The calculation of protocol vulnerability based on the logical attack graph includes the atomic attack, the attack path probability and hazard index evaluation, and the optimal path decision algorithm. In the experiment we then calculate the path attack success rate and hazard index evaluation value. Finally, the optimal decision is made. The selected path with the greatest attack utility is shown in Table 2:
Table 2. Attack success probability and hazard index calculation

Attack path   Attack probability   Hazard index   Attack path utility value

Path (V6, V7, V1) is the attack path with the largest attack utility, as shown in Fig. 6.

6 Conclusion

The method is relatively concise, using the attack logic graph and adjacency matrix calculation. By expressing complex link graph structures and removing repeated complex calculations, the method is made extensible. However, the experimental data in this paper are few in number. When the amount of data is large, the time overhead of constructing the vulnerability correlation graph and the attack logic graph becomes a weakness. Thus the algorithm needs to be optimized for the calculation of large-scale data.



This work is supported by China Academy of Engineering Physics Project 2014A0403020 and 2015A0403002.


  1. Shi, S.: Research on Formal Verification Methods of Security Protocols. Huazhong University of Science and Technology (2009)
  2. Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: Atluri, V. (ed.) DBSec 2008. LNCS, vol. 5094, pp. 283–296. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-70567-3_22
  3. Zhao, C., Wang, H., Lin, J., et al.: A generation method of network security hardening strategy based on attack graphs. Int. J. Web Serv. Res. 12(1), 45–61 (2015)
  4. Keramati, M., Akbari, A., Keramati, M.: CVSS-based security metrics for quantitative analysis of attack graphs. In: International Conference on Computer and Knowledge Engineering, pp. 178–183. IEEE, Piscataway (2013)
  5. Harada, T., Kanaoka, A., Okamoto, E., et al.: Identifying potentially-impacted area by vulnerabilities in networked systems using CVSS. In: 10th International Symposium on Applications and the Internet, pp. 367–370. IEEE, Piscataway (2010)
  6. Holm, H., Ekstedt, M., Andersson, D.: Empirical analysis of system-level vulnerability metrics through actual attacks. IEEE Trans. Dependable Secure Comput. 9(6), 825–837 (2012)
  7. Chen, X., Fang, B., Tan, Q., et al.: Inferring attack intent of malicious insider based on probabilistic attack graph model. Chin. J. Comput. 37(1), 62–72 (2014)
  8. Liu, G., Zhang, H., Li, Q.: Network security optimal attack and defense decision-making method based on game model. J. Nanjing Univ. Sci. Technol. 38(1), 12–21 (2014)
  9. Li, Q., Zhang, L., Zhang, C., Yang, T.: Optimization method for attack graph based on vulnerability exploit correlation. Comput. Eng. 38(21), 129–132 (2012)

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. Department of Computer Science and Technology, Harbin Institute of Technology, Harbin, China
  2. Institute of Computer Application, China Academy of Engineering Physics, Mianyang, China
