26-05-2012, 03:50 PM
Extending Attack Graph-Based Security Metrics and Aggregating Their Application
Extending Attack Graph.pdf (Size: 571.46 KB / Downloads: 30)
INTRODUCTION
AN enterprise security goal is to remove all network and
host vulnerabilities. The accomplishment of this goal
requires a guarantee that all vulnerabilities have been
identified. Such a requirement in practice is infeasible.
Humans manage networks and are prone to miss latent
vulnerabilities. Even when vulnerabilities are apparent and
have been identified, there may be no known viable
solution to deal with the vulnerabilities. For instance, if
an organization leverages Commercial-Off-the-Shelf
(COTS) software to operate its network, the organization
is exposing itself to any vulnerabilities the software
possesses. Issues such as slow patch release times and
unstable released patches may cause an organization to
operate its network with known vulnerabilities.
THE ATTACK GRAPH
The attack graph is a concise representation of all the ways
an attacker may compromise a security policy through
leveraging dependencies among known vulnerabilities. The
attack graph is derived from a network model description
that consists of at least the following elements: extant
vulnerabilities on hosts, host connectivity, and usually at
least one security policy. Extant vulnerabilities may be
discovered through searching online vulnerability repositories
(e.g., [2]) and/or using vulnerability scanners. Note
that a vulnerability scanner does not have to identify
vulnerabilities that correspond to vulnerabilities found in
an online repository. Network connectivity may be determined
by using firewall rules and a tool like netstat [3]. The
security policies may be obtained from the Chief Security
Officer (CSO) of the organization for which the attack graph
is being used. There is an assortment of representations for
the attack graph [4]. We use the hybrid-dependency
representation of the attack graph [4]. In the hybriddependency
graph, vulnerabilities and conditions appear
as nodes in the attack graph. Vulnerabilities are described
by their postconditions and preconditions.
Nonpath Analysis Attack Graph-Based Security Metrics
Nonpath analysis attack graph-based security metrics do
not take into account the attributes of the attack paths an
attacker must traverse to violate a security policy. Such
attack graph-based security metrics are not the focus of this
work. We include them for completeness.
Path Analysis Attack Graph-Based Security Metrics
Attack graph-based security metrics that describe the attack
paths in the attack graph are considered path analysis
security metrics. Because attackers reach their objective by
following attack paths, we assert that understanding these
attack paths is critical to network security.Wetake a practical
quantitative approach to assessing these security metrics.
This approach differs from attack graph-based security
metrics requiring the usage of probabilities of successful
attack [9], [10], [11]. Such approaches rely on probabilistic
parameters that are currently infeasible to attain in practice.
Another approach used in attack graph-based security
metrics is to assign complexity values to vulnerabilities in
the network to account for differences in difficulty in
exploiting various vulnerabilities [12].
Mean of Path Lengths Metric
In [19], Li and Vaughn mention the Average Path Length
metric. No detailed analysis of the metric is given. Moreover,
no guidance is provided for how to use this metric.
We therefore, provide our own interpretation and refer to
the metric as the Mean of Path Lengths metric.
Addressing Scalability
The complexity of each metric is OðNPðGÞlongestP athðGÞÞ.
That is, each metric’s complexity is in big-oh of the product
of the number of paths in attack graph G and the longest
attack path in G. Because NPðGÞ can grow exponentially
with respect to the number of hosts in the network, some
approaches for reducing how much of G needs to be
traversed to obtain a metric’s value may be important.
If metrics are being used together as it is suggested in
this work (see Section 5), then the attack graph can be
traversed once and numerical values can be obtained for
each attack path that would represent the attack path
length.