A taxonomy for attack graph generation and usage in network security


ARTICLE IN PRESS journal of information security and applications ■■ (2016) ■■–■■

Available online at www.sciencedirect.com

ScienceDirect journal homepage: www.elsevier.com/locate/jisa

Kerem Kaynar *

German Turkish Advanced Research Center (GT-ARC), TU Berlin, Ernst Reuter Platz 7, 10587 Berlin, Germany

ARTICLE INFO

Article history: Available online

Keywords: Vulnerability; Full attack graph; Reachability analysis; Exploit; Weakness

ABSTRACT

Attack graphs model possible paths that a potential attacker can use to intrude into a target network. They can be used in determining both proactive and reactive security measures. Attack graph generation is a process that includes vulnerability information processing, collecting network topology and application information, determining reachability conditions among network hosts, and applying the core graph building algorithm. This article introduces a classification scheme for a systematic study of the methods applied in each phase of the attack graph generation process, including the usage of attack graphs for network security. The related works in the literature are stated based on the proposed classification scheme, and contributive ideas about potential challenges and open issues for attack graph generation and usage are provided.

© 2016 Elsevier Ltd. All rights reserved.

1. Introduction

Ever increasing utilization of computer networks in various areas of the public and private sector amplifies the need to find mechanisms for securing data stored in and transferred over the networks. Network security administrators employ specific proactive and reactive defense measures to ensure the confidentiality, integrity and availability of the network users' data. Extracting possible paths that an attacker can use to intrude into a target network is one of the most important activities in determining both proactive and reactive defense measures. It can be used in situational assessment in terms of network security, recognition of ongoing attack scenarios and prediction of future attacks. An attack graph represents possible ways via which a potential attacker can intrude into the target network by exploiting a series of vulnerabilities on various network hosts and gaining certain privileges at each step. In a typical attack graph, the nodes represent the privileges gained by the attacker on the network hosts and the edges represent the software vulnerability exploits employed by the attacker to gain these privileges. The attacker may need to have a set of privileges on certain hosts in order to exploit a specific vulnerability on a network host. After successfully exploiting a vulnerability on the host, the attacker gains additional privileges on it and either continues attacking other hosts from this host or tries to elevate her privileges on this host using additional vulnerabilities. The computation of an attack graph requires the computation of the reachability conditions among the network hosts by considering all network protocol layers, modeling attacks and attack paths, and devising an efficient method to compute a possibly huge number of attack paths. This computation process should be systematically described in order to provide opportunities to researchers for improvement in specific areas of attack graph generation in a structured manner. The systematic description should clearly cover the overall scientific landscape of attack graph generation and shed light for researchers on every aspect of it. In our view, the usage of attack graphs should also be included in the systematic description in order to motivate researchers to make the necessary refinements to their attack graph structures and generation methods by solidifying their aims for the usage of attack graphs at the beginning.

* Corresponding author. Tel.: +4915785300687; fax: +493031474003. E-mail address: [email protected]. http://dx.doi.org/10.1016/j.jisa.2016.02.001 2214-2126/© 2016 Elsevier Ltd. All rights reserved. Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

This article focuses on a systematic study of the literature related to attack graphs in network security in order to derive a taxonomy for the methods applied in attack graph generation and usage. The different methods proposed in the literature for handling basic problems arising in attack graph generation and usage are abstracted into categories defined by the proposed taxonomy. In this respect, an individual past work in the literature may have introduced more than one method, each of which is related to a different category. This situation results in putting the corresponding work into more than one category. For instance, if a past work proposes two different methods, one for attack modeling and the other for the attack graph core building phase, then we relate each method of this work with a different category, one for each phase. Namely, we put the methods defined in the past works into categories while specifying the work that proposes each method. The systematic study of the proposed methods in the literature is performed by starting with the basic problems leading to the development of these methods. The next section opens the topic by presenting background information on attack graphs and identifying and discussing the basic problems that are encountered during the attack graph generation process. These problems shed light on the formation of the proposed taxonomy for classification of the methods employed during different phases of the attack graph generation process. The proposed taxonomy is detailed in Section 3. The usage of attack graphs for network security is also categorized and exemplified by pointing to the past related works in Section 4. Section 5 provides a tabled categorization of the past works according to the proposed taxonomy, which can be used for quick reference.
The description of the proposed taxonomy and the exemplification of the corresponding classification criteria are facilitated and streamlined by grouping the past works according to the laboratory or company working on the topic of attack graph generation and usage. The groups are as follows:

• Center for Secure Information Systems, George Mason University (G. M. U. Center for Secure Information Systems, 2015)
• MIT Lincoln Laboratory (M. Lincoln Laboratory, 2015)
• Computer Science Department, Carnegie Mellon University (C. M. U. Computer Science Department, 2015)
• Concordia Institute for Information Systems Engineering, Concordia University (C. U. Concordia Institute for Information Systems Engineering, 2015)
• Sandia National Laboratories, Albuquerque (A. Sandia National Laboratories, 2015)
• Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation (S. P. I. f. I. Laboratory of Computer Security Problems, 2015)
• LAAS-CNRS, France (L. for Analysis, F. Architecture of Systems, 2015)
• Core Security Corporate, Buenos Aires, Argentina (A. Core Security Corporate, 2015)
• Department of Electrical and Computer Engineering, University of Illinois (D. of Electrical, U. o. I. Computer Engineering, 2015)
• The Ruhr Institute for Software Technology, University of Duisburg-Essen (T. R. I. f. S. T. U. o. D.-E. PALUNO, 2015) and Istituto di Informatica e Telematica—Consiglio Nazionale delle Ricerche (T. I. of Informatics, T. of CNR, 2015)

In each of the above three sections, the works of the groups are described according to the proposed classification criteria and cited. If the works of a group have no contribution according to a specific classification criterion, they are not mentioned in the description of this criterion. We present the shortcomings of the current state-of-the-art methods and the opportunities for further research in the area of attack graph generation and usage in Section 6. Section 7 concludes the paper by summarizing the proposed taxonomy and describing the drawn conclusions.

2. Background on attack graph generation/usage and basic problems

The attack graph generation process is usually driven by a set of initial privileges that the attacker is assumed to possess at the beginning. The eventual target/leaf nodes of a possible attack graph are represented by the goal privileges that the attacker aims to gain at the end. A full attack graph tries to identify all possible attack paths from the initial privileges to the goal privileges, while a partial attack graph shows a portion of these possible attack paths (not necessarily all). An attack graph correlates the vulnerability exploits that can be employed by a potential attacker on the network hosts and shows the evolution of multi-step attacks followed by the attacker. It may be dynamic, i.e., its nodes and edges can be updated when new products are installed or existing products are uninstalled on the target network hosts. In such cases, new vulnerabilities may be added to the hosts or existing vulnerabilities may be removed. An attack graph may also contain vulnerability exploits as nodes instead of edges, or contain nodes representing facts other than the privileges gained on the hosts or the vulnerability exploits. An example may be an attack graph containing information asset usages as its nodes. The usage of an information asset on a host may lead to specific privileges gained on the host or on any host indirectly reachable via this host. An example of such an information asset is the cookie files managed by a web browser on a specific network host. The configuration of the installed software on the target network and the relationships among them determine the contents of the attack graphs produced for the network. A portion of an example attack graph for a small example network is shown in Fig. 2. The example network is shown in Fig. 1. The firewalls in the example network contain simple allowance rules. (The IP addresses in the figure are artificial.)

The format of the attack graph shown in Fig. 2 is custom designed and serves just as an example format. The example attack graph is composed of four types of nodes:

1. Privilege nodes indicating attacker privileges that can be obtained on the software installed on the network hosts with specific IP addresses,
2. Nodes indicating vulnerability exploits that can be applied by an attacker on the installed software,

[Fig. 1 diagram: Subnet 1, Subnet 2 and Subnet 3 connected through Router 1, Router 2 and Router 3, with Firewall 1 and Firewall 2 on the paths between them; hosts 75.62.2.21, 75.62.2.22, 75.62.3.33, 75.62.3.34, 75.62.3.35, 88.132.3.24 and 88.132.3.26; firewall allowance rules shown: 88.132.3.24 -> 75.62.2.22, 75.62.2.22 -> 75.62.3.35, 75.62.2.22 -> 75.62.3.33.]

Fig. 1 – A small example network.

3. Nodes indicating information source usages that can be applied by an attacker,
4. Conjunction (AND) nodes combining more than one privilege required by an attacker to successfully exploit a vulnerability or use an information source.

The IP Address field shows the IP address related to the corresponding attack graph node. The Category field of a privilege indicates the software system right related to the privilege. The CPE Id and Application Name fields indicate the unique product identifier of an installed software product in the Common Platform Enumeration (CPE) database (Common Platform Enumeration, 2015) and the user-defined name of the installed software. The CVE Id field of a vulnerability exploit represents the unique identifier for the exploited vulnerability defined by the Common Vulnerabilities and Exposures (CVE) database (CVE, 2015). The Information Source Name field shows the name of the used information source. The topmost privilege (on IP address 88.132.3.24) shown in Fig. 2 is the only initial attacker privilege specified before the attack graph building process. The paths in the attack graph are determined by using the reachability conditions among the network hosts imposed by the firewall rules and the vulnerabilities existing in the installed software on the hosts. For instance, since the host with IP address 88.132.3.24 cannot reach the host with IP address 75.62.2.21 directly because of the blockage by Firewall 2, there cannot be a direct edge from any attacker privilege node related to IP address 88.132.3.24 to any vulnerability exploit node related to IP address 75.62.2.21. A similar condition holds for the host with IP address 88.132.3.24 and the host with IP address 75.62.3.35. Therefore, the attacker uses the host with IP address 75.62.2.22 as a stepping stone in order to gain privileges on the host with IP address 75.62.3.35.

Attack graphs are used for both off-line and on-line network security analysis. In the off-line case, without interfering with the current operation of the target network, they can be used to determine optimal locations for firewalls and intrusion detection/prevention systems (Jajodia and Noel, 2010; Noel et al., 2009), compute network security evaluation metrics (LeMay et al., 2010, 2011; Pamula et al., 2006; Wang et al., 2014), perform network security risk analysis (Beckers et al., 2014; Frigault and Wang, 2008; Frigault et al., 2008; Poolsappasit et al., 2012) and compute near-optimal proactive defense measures (Islam and Wang, 2008; Wang et al., 2014a, 2014b, 2014c). Attack graphs can even be used to measure the risk imposed by zero-day vulnerability exploits on the target network (Wang et al., 2014). In the on-line case, by collecting information from the target network in near real-time, attack graphs can be used to perform intrusion alert/log correlation (Kotenko and Doynikova, 2014; Noel et al., 2004; Roschke et al., 2011; Wang et al., 2005), compute near-optimal reactive defense measures and perform security situational assessment for the target network.

2.1. Basic problems in attack graph generation

The problems that should be tackled for full or partial attack graph generation may arise in the initial preparation process or during the attack graph core building process. Of particular importance is the initial preparation process, since the structure of the resulting preparation data directly affects the complexity of the attack graph core building process. Four basic problems are determined in this work for attack graph generation: reachability analysis, attack template determination, attack graph structure determination and attack graph core building mechanism. These are detailed further in the following subsections.

[Fig. 2: only the node contents survive extraction; the edges between the nodes are not recoverable. Nodes shown:]

Privilege – IP Address: 88.132.3.24; Category: File Access; CPE Id: cpe:/o:microsoft:windows_xp::sp2; Application Name: Host 1 Windows XP
Vulnerability Exploit – IP Address: 75.62.2.22; CVE Id: CVE-2010-3004; CPE Id: cpe:/a:microsoft:internet_explorer:10; Application Name: Host 2 Internet Explorer
Vulnerability Exploit – IP Address: 75.62.2.22; CVE Id: CVE-2011-3544; CPE Id: cpe:/a:mozilla:thunderbird:17.0.2; Application Name: Host 2 Mozilla Thunderbird
Privilege – IP Address: 75.62.2.22; Category: File Access; CPE Id: cpe:/a:microsoft:internet_explorer:10; Application Name: Host 2 Internet Explorer
Privilege – IP Address: 75.62.2.22; Category: Memory Access; CPE Id: cpe:/a:microsoft:internet_explorer:10; Application Name: Host 2 Internet Explorer
Privilege – IP Address: 75.62.2.22; Category: File Access; CPE Id: cpe:/a:mozilla:thunderbird:17.0.2; Application Name: Host 2 Mozilla Thunderbird
AND
Information Source Usage – IP Address: 75.62.2.22; CPE Id: cpe:/a:microsoft:internet_explorer:10; Application Name: Host 2 Internet Explorer; Information Source Name: Credentials Store X
Vulnerability Exploit – IP Address: 75.62.3.35; CVE Id: CVE-2012-4576; CPE Id: cpe:/o:microsoft:windows_xp::sp2; Application Name: Host 3 Windows XP
Privilege – IP Address: 75.62.3.33; Category: Authorization; CPE Id: cpe:/a:apache:http_server:2.2.4; Application Name: Host 4 Apache Web Server
Privilege – IP Address: 75.62.3.35; Category: User Right; CPE Id: cpe:/o:microsoft:windows_xp::sp2; Application Name: Host 3 Windows XP

Fig. 2 – Portion of an attack graph for the example network shown in Fig. 1.

2.1.1. Reachability analysis

The attack graph core building process utilizes network reachability data to check whether the target hosts are reachable for an attacker from the current attacking host. Network reachability data are mostly represented as a reachability matrix, where the columns and rows are the hosts in the network and each entry represents the reachability condition between the host on the corresponding row and the host on the corresponding column. Each entry in the reachability matrix may be a boolean or may indicate the protocols used between the two corresponding hosts to reach each other. A reachability matrix can be used to represent any type of connection among the hosts: physical, network, transport or application-level connection. Its space complexity is on the order of the square of the number of hosts in the network. A reachability matrix or graph encodes the connectivity conditions among the hosts that may well be a precondition for the exploit of a specific vulnerability. Reachability analysis is usually performed before the attack graph core building process, and the resulting reachability matrix is put into a compact form using specific algorithms to accelerate the attack graph core building process. It is important to determine the common patterns of the reachability conditions for the target network and find the optimal grouping schemes for the reachability conditions according to these patterns. This can minimize the redundant information in the resulting reachability matrix and speed up the traversal of the reachability conditions during the attack graph core building process by minimizing the number of look-ups to the reachability matrix.

In order to perform network reachability analysis, information about the target network configuration should be obtained. The configuration information can include the following: the topology of the target network, the applications (software or hardware installations) on the network hosts, the employed filtering and access control rules, the intrusion detection/prevention system configurations and the trust relations among the network hosts. The more network configuration information is obtained, the more accurate the attack graphs will be. This information directly affects the derivation of the reachability conditions among the target network hosts. Network discovery tools and vulnerability scanners can be used to extract the network topology. One example network discovery tool is Nmap (2015). Determining the applications on the hosts includes the determination of both networked and local applications. Networked applications, services, etc. can be determined by using network vulnerability scanners. However, network vulnerability scanners may be blocked by firewalls on the target network. To solve this problem, a separate vulnerability scanner session can be performed for each protection domain (subnet), as exemplified in Noel et al. (2009) and Jajodia and Noel (2010). Examples of network vulnerability scanners are N. Tenable (2015), OpenVAS (2015), GFILanGuard (2015) and Retina (2015). The existence of local applications is determined via asset detectors (host-based application/vulnerability scanners). Examples of host-based vulnerability scanners are S. Altiris (2015) and OVALdi (2015). However, these scanners may also be blocked by personal firewalls and anti-virus scanners.
Network and host-based application and vulnerability scanners can provide valuable information; however, they can only report isolated vulnerabilities on individual hosts. In fact, the vulnerabilities can be used in an interdependent way by an attacker to intrude into the network and reach critical assets. The vulnerability scanners cannot determine chained exploitations of several vulnerabilities. Additionally, it takes a long time to gather vulnerabilities in a network with thousands of hosts and millions of vulnerabilities by using the vulnerability scanners. In this case, some assumptions can be utilized to summarize the application and vulnerability information for a group of hosts in a subnet. For instance, it may be assumed that the network administrator enforces a specific operating system and office software for all the hosts in a specific subnet. These assumptions can help save time, since they can eliminate the need for running host-based scanners for all the hosts in a specific subnet and network-based scanners for all subnets.

The access control and filtering rules on the firewalls and routers, intrusion detection/prevention system configurations, trust relations among the network hosts and specific application configuration files have contents affecting the reachability conditions among the network hosts. Collecting and processing access control and filtering rules and intrusion detection/prevention system configurations is also a cumbersome process, since there is no widely accepted common format. It is also extremely difficult to gather and interpret these rules in large networks. One has to resolve the potential conflicts inside a large number of such rules to compute the reachability conditions correctly. For intrusion detection/prevention systems, finding that one or more exploits for a vulnerability are blocked by the intrusion prevention signatures does not mean that this vulnerability cannot be utilized by an attacker against the target network. There can be an exploit that benefits from the vulnerability and is not blocked by the signatures. Therefore, more elaborate work is needed to cross-check the signatures with well-known exploit databases. Processing intrusion detection/prevention system configurations is much more difficult if they employ specific machine learning (anomaly detection) algorithms. The complex configuration options related to these algorithms mostly affect their detection capability. The trust relations among the hosts in the target network are also stored in custom formats for different types of applications, which hinders the utilization of simple common processing methods. There are also information sources (assets) like database tables, cookies and password files which can include sensitive user information for applications that are totally unrelated to their containing applications. For instance, a database table held by a database server application may include user credentials for a web application or another networked application. Therefore, the information sources are also one of the main factors determining the reachability conditions among the network hosts. They can change from one installation to another for a specific software product. They can also change over time for a specific software installation (application). There is no standard format for the content of different information sources of the same type.

2.1.2. Attack template determination

An attack graph contains the privileges gained on the target network hosts by an attacker. These privileges are related to the possible vulnerability exploits. The relationships between a set of privileges and a vulnerability exploit are determined by using an attack template. An attack template specifies the conditions required by an attacker to perform a set of specific attacks successfully. It also describes the conditions gained by an attacker after the corresponding attacks are successfully performed. The information contained in an attack template is independent of any specific network. The attack templates created collectively form the attack model. The determination of what can be a privilege should be performed in the attack template design process. Example privileges include access levels (e.g., user, root), file access/modification rights and memory access/modification rights. One can design privileges based on the type of applications that can be installed on a host computer, e.g., file modification rights on browser cookies, system or web server files. When the detail level of the determined privileges increases, the precision of the resulting chains of vulnerability exploits in the generated attack graphs increases, but the time and space requirements of the attack graph core building process also grow.

Vulnerabilities are collected and managed in a publicly accessible database called the National Vulnerability Database (NVD) in the U.S. (NIST, 2015). However, the vulnerability descriptions in NVD are not completely machine-readable, impeding the easy parsing of the vulnerabilities and the extraction of adequately detailed and accurate pre- and postconditions for them. Without applying complex text processing algorithms, one cannot extract detailed pre- and postconditions which account for, for instance, the application types described above. For preconditions, only connectivity and authorization requirements can be derived using basic XML parsing on NVD data. The situation is similar for postconditions, as one cannot determine application type-based, direct or indirect postconditions by applying only XML parsing to NVD data. For vulnerabilities exploited by an SQL injection attack on a web application, the postconditions derived with basic XML parsing of their NVD descriptions do not indicate that they are indirect privileges gained by an attacker on the back-end database (indirect postconditions of the vulnerability); instead, they falsely indicate that they are direct privileges on the web application on which the vulnerability exists. This is because the (XML) parsable data in NVD vulnerability descriptions indicating pre- and postconditions do not specify anything about the software that is affected by the condition, in this case the back-end database. They contain only the name of the condition. An alternative solution to this problem is to use weakness descriptions in addition to the vulnerability descriptions. A weakness is an abstraction over one or more related vulnerabilities. An example weakness is insufficient input control for special characters. Weaknesses are independent of specific products, while vulnerabilities are product-specific. Therefore, since the number of weaknesses is far smaller than that of vulnerabilities, one can determine pre- and postconditions for weaknesses semi-automatically or manually and relate these conditions with products when considering vulnerabilities.
The Common Weakness Enumeration (CWE) database (CWE, 2015) currently describes around 1000 weaknesses, as of mid-2014. They are hierarchically organized and publicly accessible.

2.1.3. Attack graph structure determination

The space complexity of a full attack graph may easily reach an exponential order in the number of hosts in the target network if each permutation of possible vulnerability exploits on the hosts is recorded. To avoid this exponential space complexity, various attack graph structures have been proposed in the literature. Examples are multiple-prerequisite graphs (Ingols et al., 2006) and vulnerability dependency graphs (Jajodia and Noel, 2010; Noel et al., 2009). Although some of these structures are not as expressive as a full attack graph in the end, others have the same expressive power as a full attack graph by representing all possible attack paths. A specific attack graph structure represents an instance of the attack graph model. Generally, privileges and vulnerability exploits are used as basic attack graph elements. However, in some works in the literature, other kinds of graph elements (for example, reachability conditions in Ingols et al. (2006)) are introduced to reduce the space complexity of a full attack graph and the time complexity of building attack graphs. In some other works (e.g. Kotenko and Stepashkin, 2006; Xie et al., 2009), the utilization of different types of abstractions over basic attack graph elements is proposed with the aim of reducing the computational costs of the attack graphs. Only the attack paths related to the intended network regions or domains are computed by using these abstractions. The resulting state space of an attack graph is also important in post-processing of the attack graph (defense measure recommendation, risk analysis, etc.). For attack graph post-processing activities, the coverage of an attack graph is also significant. The attack graph should contain all the necessary states (nodes) and edges that can critically affect the decisions of a specific post-processing activity.

2.1.4. Attack graph core building mechanism

In both partial and full attack graph generation, the initial privileges possessed by the attacker and the target privileges for the attacker are given as inputs for attack path determination. For full attack graph generation, each possible attack path from the initial to the target privileges is found. The full attack graph generation process can be formulated as a general graph traversal problem, since it has to find all the attack paths. In essence, most of the attack graph generation algorithms proposed in the literature use some form of search algorithm to find the corresponding nodes in the resulting attack graph. Some of them introduce specific improvements to the basic prominent search algorithms existing in the artificial intelligence literature (Ammann et al., 2002, 2005; Ingols et al., 2006; Jajodia and Noel, 2010). Full attack graph generation easily suffers from scalability problems even for a target network of moderate size (on the order of 100 hosts) containing a moderate number (on the order of 10s) of vulnerabilities per host, as demonstrated in Sheyner et al. (2002) and Sheyner and Wing (2004). This is especially true when the reachability among the network hosts is not strictly blocked by firewalls. In order to cope with the scalability issue, the monotonicity assumption was introduced by Ammann et al. (2002). This assumption states that the attacker cannot relinquish a privilege that she already owns. Namely, an attack cannot negate any of the privileges obtained by the attacker so far. This assumption reduces the time complexity of building attack graphs from exponential to polynomial in the number of network hosts. Additionally, to cope with the scalability issue, the computation of the attack paths can be terminated when certain conditions are satisfied. Example conditions are pruning the attack paths based on the depth and/or the transitive likelihood-of-success value of the traversed attack path.
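As an added example (not code from the article or from any of the surveyed tools) tying together the reachability matrix of Section 2.1.1, the attack templates of Section 2.1.2 and the monotonic, pruned core building described above: the hosts, firewall allowance rules and CVE/CPE identifiers are those of Fig. 1 and Fig. 2, while the subnet membership, the templates' pre- and postconditions, the likelihood values and the credential-reuse step are assumptions made for illustration.

```python
"""Monotonic attack graph core building over the article's example network.
Added example, not code from the article or any surveyed tool. Reachability
follows the Fig. 1 allowance rules plus our assumption that hosts inside one
subnet reach each other; templates reuse the CVE/CPE ids of Fig. 2, but their
pre-/postconditions, likelihoods and the credential-reuse step are constructed.
"""
from collections import deque
from dataclasses import dataclass, field

SUBNETS = {  # membership assumed from the address groups drawn in Fig. 1
    "subnet1": {"88.132.3.24", "88.132.3.26"},
    "subnet2": {"75.62.2.21", "75.62.2.22"},
    "subnet3": {"75.62.3.33", "75.62.3.34", "75.62.3.35"},
}
ALLOW = {("88.132.3.24", "75.62.2.22"), ("75.62.2.22", "75.62.3.35"),
         ("75.62.2.22", "75.62.3.33")}  # firewall allowance rules of Fig. 1
HOSTS = sorted(h for hs in SUBNETS.values() for h in hs)
SUBNET_OF = {h: s for s, hs in SUBNETS.items() for h in hs}
# Boolean reachability matrix: REACH[(src, dst)] is True when src can connect.
REACH = {(a, b): a != b and (SUBNET_OF[a] == SUBNET_OF[b] or (a, b) in ALLOW)
         for a in HOSTS for b in HOSTS}
INSTALLED = {  # CPE ids from Fig. 2; hosts not listed run nothing we know of
    "88.132.3.24": {"cpe:/o:microsoft:windows_xp::sp2"},
    "75.62.2.22": {"cpe:/a:microsoft:internet_explorer:10",
                   "cpe:/a:mozilla:thunderbird:17.0.2"},
    "75.62.3.33": {"cpe:/a:apache:http_server:2.2.4"},
    "75.62.3.35": {"cpe:/o:microsoft:windows_xp::sp2"},
}
# --- Attack model: network-independent attack templates ----------------------
@dataclass(frozen=True)
class Template:
    name: str            # CVE id, information source name or step name
    product: str         # CPE the target host must run
    pre_src: frozenset   # privilege categories required on the attacking host
    pre_dst: frozenset   # privilege categories already required on the target
    post: frozenset      # privilege categories gained on the target
    likelihood: float    # constructed success probability of this step
    remote: bool = True  # False: local step, attacking host == target host

TEMPLATES = [
    Template("CVE-2010-3004", "cpe:/a:microsoft:internet_explorer:10",
             frozenset({"File Access"}), frozenset(),
             frozenset({"File Access", "Memory Access"}), 0.6),
    Template("CVE-2011-3544", "cpe:/a:mozilla:thunderbird:17.0.2",
             frozenset({"File Access"}), frozenset(),
             frozenset({"File Access"}), 0.5),
    # Information source usage behind the AND node: both browser privileges.
    Template("Credentials Store X", "cpe:/a:microsoft:internet_explorer:10",
             frozenset(), frozenset({"File Access", "Memory Access"}),
             frozenset({"Credential Use"}), 0.9, remote=False),
    Template("CVE-2012-4576", "cpe:/o:microsoft:windows_xp::sp2",
             frozenset({"Credential Use"}), frozenset(),
             frozenset({"User Right"}), 0.7),
    Template("credential reuse (constructed)", "cpe:/a:apache:http_server:2.2.4",
             frozenset({"Credential Use"}), frozenset(),
             frozenset({"Authorization"}), 0.8),
]

@dataclass
class AttackGraph:
    privileges: dict = field(default_factory=dict)  # (host, cat) -> (depth, like)
    exploits: set = field(default_factory=set)      # (template, src, dst) nodes
    edges: list = field(default_factory=list)       # privilege <-> exploit edges

def build_attack_graph(initial, max_depth=10, min_likelihood=0.0):
    """Forward search under the monotonicity assumption: a privilege is never
    lost and is expanded once, each (template, src, dst) exploit node is built
    once, so the cost is polynomial in hosts x templates. Attack paths are
    pruned by depth and by transitive likelihood (product along the path)."""
    g = AttackGraph()
    work = deque()
    for priv in initial:
        g.privileges[priv] = (0, 1.0)
        work.append(priv)
    while work:
        host, _ = work.popleft()
        for t in TEMPLATES:
            pairs = [(host, host)] if not t.remote else \
                [(s, d) for s in HOSTS for d in HOSTS if s != d and host in (s, d)]
            for src, dst in pairs:
                key = (t.name, src, dst)
                need = [(src, c) for c in t.pre_src] + [(dst, c) for c in t.pre_dst]
                if (key in g.exploits or not need
                        or t.product not in INSTALLED.get(dst, ())
                        or (t.remote and not REACH[(src, dst)])
                        or any(n not in g.privileges for n in need)):
                    continue
                depth = max(g.privileges[n][0] for n in need) + 1
                like = t.likelihood * min(g.privileges[n][1] for n in need)
                if depth > max_depth or like < min_likelihood:
                    continue  # pruned attack path
                g.exploits.add(key)
                g.edges.extend((n, key) for n in need)
                for priv in ((dst, c) for c in t.post):
                    g.edges.append((key, priv))
                    if priv not in g.privileges:  # monotonic: keep first discovery
                        g.privileges[priv] = (depth, like)
                        work.append(priv)
    return g
```

Starting from File Access on 88.132.3.24, the graph reaches User Right on 75.62.3.35 only through exploit nodes launched from 75.62.2.22, reproducing the stepping-stone path the text describes, and lowering max_depth or raising min_likelihood prunes that path.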
In partial attack graph generation, only a number of critical (shortest) attack paths are found. Such specific partial attack graph generation problems may be formulated as artificial intelligence planning problems. A solution employing a specific planning algorithm to generate partial attack graphs is proposed in Lucangeli et al. (2010). Another issue about both full and partial attack graphs is the existence of cycles in the graphs. These cycles can hinder the simple application of graph-based algorithms for attack graph analysis. The works of Pamula et al. (2006), Wang et al. (2006), and Frigault et al. (2008) propose methods to eliminate cycles in attack graphs by storing the already obtained network states (attacker privileges) on the traversed attack paths. The cycles in the input attack graph are removed by holding a predecessor set for each node in the attack graph during backward graph search. They use cycle-free attack graphs for network security metrics computation and defense recommendation based on attack graph analysis.

Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

Fig. 3 – Attack graph generation phases and related classification criteria. [Figure content: Reachability Analysis Phase (Reachability Scope; Reachability Content); Attack Graph Modelling Phase (Attack Model; Attack Graph Model); Attack Graph Core Building Phase (Attack Paths Determination Method; Attack Paths Pruning Method); Uses of Attack Graphs.]

3. Attack graph generation process taxonomy

The activities performed during the whole attack graph generation process can be classified into three high-level phases, as illustrated in Fig. 3. The first phase, reachability analysis, mainly considers the computation of the reachability conditions among the target network hosts. The modeling phase considers how to model individual attack templates and the attack graph structure. In the core building phase, the attack paths are determined and some paths are possibly pruned to construct the attack graph. Uses of attack graphs covers the operations performed on the constructed attack graphs for network security analysis and is detailed in the next section. The remainder of this section provides a systematic description of the overall classification scheme proposed in the article with examples of each classification criterion from the related literature.

3.1. Reachability analysis phase

The reachability analysis phase mainly investigates the network reachability conditions within the target network, which, in the simplest view, determine whether two given hosts can access each other. They can also carry more detailed information, such as which applications of the two hosts can access each other, which protocols can be used for the communication between the two hosts, etc. The reachability conditions among the network hosts are mainly represented with a single reachability matrix whose rows and columns indicate the network hosts. An entry of a reachability matrix can simply be a boolean indicating the existence of reachability (accessibility) between the corresponding two hosts, or a more complex data structure. Two main classification criteria for the reachability information are reachability scope and reachability content. Reachability scope determines the scope of the network hosts among which the reachability conditions are computed before the attack graph core building process. Reachability content determines the network security objects (entities) that are accounted for in the computation of the reachability information. A detailed classification scheme for reachability analysis is given in Fig. 4.

3.1.1. Reachability scope

Possible values for the reachability scope classification criterion according to Fig. 4 are:
1. Whole Network Reachability: The single step reachability condition for each pair of hosts on the network is computed. A single step reachability condition denotes direct reachability at any network protocol layer between the two hosts (without any intermediate hosts).
2. Atomic Domains Reachability: Each host (or, in the general case, a group of hosts) computes single step reachability conditions for the hosts in its neighbourhood in the target network topology.

Fig. 4 – Reachability information classification. [Figure content: Reachability Scope: Whole Network Reachability (reachability conditions among nodes are computed for the whole network, for each pair of nodes); Atomic Domains Reachability (each node computes its own reachability). Reachability Content: Filtering and Access Control Rules Modeling (firewall rules and router access control lists are considered); IDS Modeling (IDS signatures are considered); Trust Relationships (trust relationships among nodes/applications are considered); Application Relationships (usage relationships among networked applications are considered).]

Actually, most of the past works related to attack graph generation referenced in this article compute whole network reachability as an input to the attack graph core building process. One exception is Chen et al. (2009), where the authors propose using atomic domains, each of which contains information about one network host and its directly connected hosts, to generate attack graphs. Each atomic domain is computed and cached when needed during the attack graph building process. There is also no need to generate the whole attack graph from scratch when one part of the target network topology changes; only the information in the related atomic domains needs to be updated. The protection domain abstraction in the NetSPA tool proposed by MIT Lincoln Laboratory in Ingols et al. (2006) can also be considered an Atomic Domains Reachability abstraction, since it encodes single step reachability conditions for the network hosts in a protection domain, which does not contain any connectivity limitations among its contained network hosts. The protection domain abstraction is also utilized in the TVA tool introduced by the Center for Secure Information Systems of George Mason University in Noel et al. (2009) and Jajodia and Noel (2010).

3.1.2. Reachability content

Possible values for the reachability content classification criterion according to Fig. 4 are:
1. Filtering and Access Control Rules Modeling: Firewalls’ filtering rules and routers’ access control rules are accounted for in the computation of the reachability information.
2. Intrusion Detection System (IDS) Modeling: The signatures defined in the intrusion detection sensors are taken into account in the computation of the reachability information.
3. Trust Relationships: The trust relationships among the target network hosts are accounted for in the computation of the reachability information.
4. Application Relationships: The usage relationships among the networked applications (service usages, etc.) are accounted for in the computation of the reachability information.

An early work (Ritchey et al., 2002) of the Center for Secure Information Systems of George Mason University proposes a model of network connectivity at multiple levels of the TCP/IP stack appropriate for use in a model checker for attack graph construction. In this way, it is possible to represent realistic networks including common network security boundary devices such as firewalls, filtering routers and switches. The four items enumerated above represent the most commonly used network security entities that affect the reachability information computation. The use of relational predicates to represent the trust relationships among the software, and the relationships among the services and clients on the target network hosts, is proposed in Sheyner et al. (2002), a work of the Computer Science Department of Carnegie Mellon University. The authors model the connectivity among the network hosts by processing the access control rules and the vulnerability signatures on the network intrusion detection sensors. All possible values for the reachability content classification criterion apply to this work. The implementation of the ideas in Sheyner et al. (2002) is presented in Sheyner and Wing (2004). In Ingols et al. (2006), MIT Lincoln Laboratory proposes a method for the computation of a reachability matrix that accounts for the service usages and the network and application layer filtering rules on the security boundary devices. The NetSPA tool developed in Ingols et al. (2006) is improved in Ingols et al. (2009) by the same group from MIT Lincoln Laboratory. Most notably, the improvements are related to the processing of the rules in personal and proxy firewalls, and the inclusion of signatures in intrusion prevention systems as additional reachability content in network reachability computation. The reachability concepts introduced in Ingols et al. (2006) and Ingols et al. (2009) are utilized in the TVA tool of the Center for Secure Information Systems of George Mason University in Noel et al. (2009) and Jajodia and Noel (2010).

3.2. Attack graph modeling phase

The classification associated with the attack graph modeling phase takes into account the attack model and the attack graph model. An attack model can be considered as a model for forming an attack template describing the elements of a number of attacks, the conditions (required/gained attacker capabilities) for the attack elements and the relations among the elements and the conditions. An attack template defines the utilization logic for a number of attacks. An attack graph model defines a structure used to represent attack instances (successfully applicable attacks) and the connections among them.

3.2.1. Attack model

An attack model defines the elements and the utilization logic, in terms of required/gained attacker capabilities, of one or more attacks via attack templates. Attack templates can include high-level abstract adversary and threat models or low-level vulnerability exploit models. Threat models can be formed by defining relations among the vulnerability exploit models. As an example, a specific type of worm that can exploit two different vulnerabilities for infiltration and privilege escalation in its life-cycle can be modeled with a threat model combining the exploitation models of these two vulnerabilities. Adversary models can be formed by incorporating various attacker behavioral profiles and combining the threat models according to these profiles. As an example, a specific hacker can be modeled with an adversary model accounting for the threats that are at her disposal. The adversary model can be refined to determine the transitions among the appropriate threat models by considering the capability of the hacker to hide her existence from the defense applications. Possible values identified for the attack modeling classification criterion are as follows, as also depicted in Fig. 5.
1. Manually-defined Attack Templates: In this case, the attack templates manually formed by security experts are used.
2. Attack Templates based on Historical Data: In this case, the attack templates are formed by using the meta information of the intrusion alerts and system logs collected for the target network in the past. Relations among the meta information are formed via specific alert correlation algorithms in order to deduce the utilization conditions for the attacks and represent the possible transitions (dependencies) among the attacks.
3. Text Processing-based Attack Templates: In this case, the attack templates are formed by applying text processing methods to the information contained in some specific vulnerability, weakness or attack databases.

Fig. 5 – Attack model classification. [Figure content: Manually-defined Attack Templates (empirically defining pre- and postconditions of attacks); Attack Templates based on Historical Data (determine pre- and postconditions of attacks by correlating alerts and system logs collected throughout the target network); Text Processing-based Attack Templates (determine pre- and postconditions of attacks by text processing methods).]

The attack templates formed in each of the above cases define a collection of related attacks with their pre- and postconditions and the relations between them. The pre- and postconditions are generally defined in terms of network state templates that are independent of any specific network and can point to specific system rights obtained on specific application types. Sandia National Laboratories propose attack templates each of which defines a collection of atomic attacks and edges among them in a directed graph (Phillips and Swiler, 1998). There is no indication of semi-automatic or automatic generation of these attack templates. Swiler et al. (2001) describe their implementation in a generic attack graph generation tool. In Templeton and Levitt (2000), concepts take the form of atomic attacks. Their pre- and postconditions are defined by capabilities. In this work, there is no indication of semi-automatic or automatic generation of the pre- and postconditions of the concepts and capabilities. The attack model employed by the earlier works of the Center for Secure Information Systems of George Mason University defines the vulnerabilities, exploits and access level of the attacker on a host computer as its main elements (Ammann et al., 2002, 2005; Ritchey and Ammann, 2000). It also defines the relations among these elements. All these definitions are encapsulated in the manually-defined attack templates. The vulnerabilities and access levels serve as pre- and postconditions for the exploits.
The recent works (Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009) of the same group process the text data in the public vulnerability databases (NVD (NIST, 2015) and CVE (2015)) to generate the exploitation logic for the vulnerabilities. The Computer Science Department of Carnegie Mellon University models atomic attacks as rules that describe how an attacker (intruder) can change the state of the network or add new facts about the network state to her knowledge (Jha et al., 2002a; Sheyner and Wing, 2004; Sheyner et al., 2002). These rules form pre- and postcondition relationships with the exploits. In this work, there is also no indication of semi-automatic or automatic generation of the pre- and postconditions of the vulnerability exploits defined as atomic attacks, so the attack model can be considered as a collection of manually-defined attack templates taking the form of rules. In Ning and Xu (2003), a model and an algorithm for the extraction of hyper alert types from the collected intrusion alerts are proposed. A hyper alert type represents an attack template containing information about the prerequisites and consequences of the constituent attacks based on the attribute values of the related intrusion alerts. The attack model described in this work exemplifies the utilization of attack templates based on historical data. In the works of the Laboratory of Computer Security Problems in the St. Petersburg Institute for Informatics and Automation, vulnerability exploits are considered as atomic attacker actions. Vulnerability information in the Open Source Vulnerability Database (OSVDB) is processed by text processing methods to extract pre- and postconditions for the vulnerabilities (Kotenko and Stepashkin, 2006). An attack model representing the utilization logic for atomic attacks is formed by using text processing-based attack templates, where each attack template defines the pre- and postconditions for one atomic attack. In Chen and Su (2009), the authors define an abstraction, called attack pattern, over vulnerabilities. The attack patterns are generated by applying text processing methods over the attack pattern enumeration and classification information in the CAPEC database (CAPEC, 2015). They are then used to form the attack templates, each of which describes the utilization logic for a set of vulnerabilities with similar weakness types. Attack patterns can represent threat models in this context. In Han et al. (2012), attack scripts that are generated by security experts are combined in the form of directed graphs. The vulnerabilities defined in NVD are processed by a specific text mining method using the keywords in the attack scripts to match the vulnerabilities to the nodes of the directed graphs representing the combined attack scripts. Attack scripts can be considered as threat models. Core Security Corporate utilizes the exploit definitions in a specific pentesting tool to form a planning description file containing exploit actions with their pre- and postconditions (Lucangeli et al., 2010). This illustrates the formation of a text processing-based attack template.

Fig. 6 – Attack graph model classification. [Figure content: State-based Attack Graphs (attack graph containing network state nodes indicating networked software configuration, attacker privileges, network performance measures, etc.); Vulnerability-based Attack Graphs (attack graph containing vulnerability exploit nodes); Host-based Attack Graphs (attack graph containing hosts on the target network as nodes); Attack Scenario-based Attack Graphs (attack graph containing attack scenario nodes, each of which indicates a different attack plan/strategy composed of coordinated attacker actions).]

3.2.2. Attack graph model

An attack graph model defines how to represent attack instances on the target network hosts and the connections among them. Attack graphs can be classified in terms of the content of their nodes as given in Fig. 6 and listed below. There can be overlaps among the classes.
1. State-based Attack Graphs: They contain state nodes indicating the static state of the target network at a specific point on the attack graph. A state can represent the existence of a specific vulnerability or product on a network host, an attacker privilege obtained on a network host, the existence of a reachability condition between any two network hosts or even the effects of the attacks on the network performance.
2. Vulnerability-based Attack Graphs: They contain vulnerability nodes which can indicate vulnerability identifiers (e.g., from CVE (CVE, 2015)) or exploit descriptions/names.
3. Host-based Attack Graphs: They contain nodes representing the target network hosts.
4. Attack Scenario-based Attack Graphs: They contain attack scenario nodes representing coordinated attacker actions or attacker plans. They can be formed by summarizing vulnerability-based attack graphs.

Actually, most of the past works related to attack graph generation referenced in this article utilize state and vulnerability nodes in the attack graphs. In Ou et al. (2006), a single level attack graph model containing derivation and fact nodes, representing applied exploits and facts about the network state respectively, is used. Ingols et al. (2006) introduce the multiple-prerequisite attack graph structure. This structure models attacker privileges and reachability conditions as state nodes in the attack graph. In Zhao et al. (2009), an attack graph model based on virtual performance nodes is proposed. A virtual performance node indicates the negative effects of the attacker activities on the network performance. Privilege nodes are also used in this model.

Some works propose abstractions over state and vulnerability nodes. In Dacier et al. (1996), the LAAS-CNRS group proposes an attack graph model consisting of privilege graphs and intrusion process state graphs. A privilege graph represents the privileges (capabilities) gained by the attacker by its nodes and the atomic attacks used to gain these privileges by its edges. An intrusion process state graph summarizes a privilege graph to determine the attack scenarios. An attack scenario can be considered to represent a summary of a single path composed of related atomic attacks in the privilege graph. An intrusion process state graph represents an attack scenario-based attack graph. In another work (Ortalo et al., 1999) of the LAAS-CNRS group, Ortalo et al. implement these graphs and use them in network security monitoring. Ning and Xu (2003) propose a multi-level attack graph model consisting of hyper alert correlation graphs and attack strategy graphs. A hyper alert correlation graph is formed using the correlated intrusion alerts for the target network, and its nodes represent atomic attack steps. An attack strategy graph is formed by generalizing (parts of) the hyper alert correlation graphs in order to provide a higher level view representing attack scenarios. It is an attack scenario-based attack graph. In Kotenko and Stepashkin (2006), the Laboratory of Computer Security Problems in the St. Petersburg Institute for Informatics and Automation proposes an attack graph model that contains a hierarchical structure composed of three levels representing low level (atomic) attack instances, attack purposes and stages constituting attack scenarios (mid-level), and combinations of attack scenarios (high level). The attack graphs generated illustrate attack scenario-based attack graphs. A work (Ammann et al., 2005) of the Center for Secure Information Systems of George Mason University exemplifies host-based attack graph formation. A single level attack graph model is introduced, where the nodes represent the hosts on the target network and the edges represent the highest access level that can be obtained by an attacker attacking the target hosts from the source hosts. Xie et al. (2009) propose a two-tier attack graph model where the higher level is formed by host access graphs that are built using sub-attack graphs at the lower level. This work also exemplifies host-based attack graph formation.

Albanese et al. (2011) define an attack graph model that incorporates a timespan distribution for each edge, which shows the probability of successful exploitation of the related vulnerability during specific time intervals. Additionally, a network entity dependency graph showing the services performed by the network hosts and the dependencies among them is defined. An attack graph is combined with a network entity dependency graph to form an attack scenario graph. The attack scenario graph models the performance reduction in the network services caused by each vulnerability exploit on the attack graph.

Fig. 7 – Attack graph core building mechanism classification. [Figure content: Attack Paths Determination Method: Logic-based Methods (resolution, model checking); Graph-based Methods (graph traversal; backwards, forwards and bidirectional search). Attack Paths Pruning Method: Depth-Limited Attack Paths Pruning (attack paths are pruned after exceeding a predefined depth limit); Probability-based Attack Paths Pruning (attack paths are pruned according to the likelihood of success value); Goal-oriented Attack Paths Pruning (multiple edges which allow reaching the same goal state can be pruned).]

3.3. Attack graph core building phase

The attack graph core building phase refers to the core algorithm used to construct the attack graphs. In this phase, some of the possible attack paths may also be pruned when forming the resulting attack graph. The aim of pruning is to decrease the attack graph building time by computing only the most critical attack paths according to some pre-determined criteria. Fig. 7 shows the proposed classification criteria for the methods that are applied in the attack graph core building phase. An attack graph core building mechanism can be considered from two different perspectives according to the proposed classification. One of them is the attack paths determination method and the other is the attack paths pruning method, which are described next.

3.3.1. Attack paths determination method

The attack paths determination method indicates the main algorithmic approach to the attack graph core building problem. Possible methods for attack paths determination are:
1. Logic-based Methods: Attack paths are created using logic deduction methods (resolution, model checking, etc.). Network states are represented by facts and vulnerability exploits are represented by relational predicates over these facts.
2. Graph-based Methods: The attack graph building problem is seen as a graph traversal problem and attack paths are created during backwards, forwards or bidirectional graph search. Graph-based attack graph building algorithms employ some form of search procedure to generate the nodes and edges of the attack graph on the fly. This search process may sometimes approach the logic-based deduction methods, especially when attack templates containing variables indicating network security states and predicates are used and instantiated during the search.

In an early work (Ritchey and Ammann, 2000) of the Center for Secure Information Systems of George Mason University, attack graphs are generated by applying model checking to a state machine that represents possible network states as facts and atomic attacks as logic predicates. The user specifies the security conditions that are not to be reached by an attacker as temporal logic formulas. An attack scenario is generated by applying model checking to the state machine to find counterexamples to the specified logic formulas. The model checking tool developed in Ritchey and Ammann (2000) is improved in Sheyner et al. (2002) to find all the counterexamples to a given security condition. Both of these works are examples of the utilization of logic-based methods to compute possible attack paths. As another example of logic-based methods, Ou et al. (2006) apply logic deduction rules to get from the initial facts to the goal facts representing attacker privileges. A reasoning engine, XSB, allowing tabled execution is used for this purpose. Tabled execution aids in preventing duplicate computation of the facts and resolving the loops in the resulting graph. According to the authors, all the rules appear to be evaluated simultaneously in parallel with all possible instantiations of the variables in their bodies. This observation is very important in determining the time and storage complexity of their algorithms. Both complexity measures are on the order of the square of the number of hosts in the network for which the attack graph is to be computed. Phillips and Swiler (1998) perform a backwards search from the goal states (attacker’s goal privileges) to generate an attack graph. The search process employs a unification mechanism to instantiate the pre-defined attack templates using the provided attacker profile and the target network configuration information. This work is one of the early works exemplifying the utilization of graph-based methods (graph search) to generate possible attack paths. The Center for Secure Information Systems of George Mason University has two prominent contributive works that utilize graph-based methods for attack paths determination. A breadth-first search algorithm with a specific attribute marking procedure to generate the nodes of a multi-layer graph is introduced in Ammann et al. (2002). Attributes represent possible attacker privileges that can be obtained on the target network hosts. The marking of the attributes is used to determine the termination condition of the proposed algorithm and is used by the additional algorithms (e.g., finding minimal attack paths). Additionally, in Ammann et al. (2005), a graph-based method is used to generate an attack graph which shows only the highest access levels that can be obtained when attacking from a host to other hosts with a direct exploit. After that, a transitive closure on this graph is computed to reflect the effects of indirect application of the exploits. In Chen and Su (2009), a search-based algorithm is used to build an attack graph by unifying attributes (attacker privileges) with the pre-defined attack patterns. This unification mechanism resembles that in Phillips and Swiler (1998), but in Chen and Su (2009) the authors also define some basic simplifications that can be applied during the unification process to cease the further update of instantiated unsatisfiable attack patterns as early as possible during the search.
In Ma et al. (2010), a bidirectional search is applied in parallel (forwards from the initial privileges and backwards from the goal privileges) to generate an attack graph. In a work (Lucangeli et al., 2010) of Core Security Corporate, the configuration of a target network and goal network states are encoded as separate planning description files. The two planning description files are used as inputs to a specific planner to find the possible attack paths reaching the goal states in the form of an attack graph. The exploits in the found attack paths are applied to the target network by using a specific pentesting tool in order to check if the attack paths can be successfully followed by an attacker in the real case.

3.3.2. Attack paths pruning method

Attack paths pruning methods aim to avoid the combinatorial state explosion problem that may occur in the attack graph building process. Possible approaches for attack paths pruning are: 1. Depth-Limited Attack Paths Pruning: Attack paths are pruned, when their depth values exceed some predetermined threshold. By this way, it is assumed that the attack paths containing a number of exploits more than the predetermined threshold value are less likely to be followed by an attacker.

2. Probability-based Attack Paths Pruning: Each edge (generally exploit) and each node (generally network state, attacker privilege) is assigned a probability of successful occurrence. Using these values, a cumulative probability of success value is computed for each attack path during attack graph building. This cumulative probability value indicates the likelihood of the attack path to be followed by an attacker. The attack paths whose cumulative probability of success value decrease below some predetermined threshold value are not extended further. 3. Goal-oriented Attack Paths Pruning: There may be more than one attack path between two network states, one of which is a goal state (attacker’s goal). Some of these paths can be eliminated by removing corresponding redundant edges. Only the attack paths which lead to the goal state and are more important according to specific criteria are computed. This computation can be performed by taking into account the sub-goals (critical network states) in addition to the end goals of the attacker. Man et al. (2008) utilize both depth-limited and probabilitybased attack paths pruning methods to reduce the effects of the combinatorial state explosion problem. A probability-based attack paths pruning method containing the computation of three different types of probability values is introduced in Zhang et al. (2009). The three different probability value types are used to denote the likelihood of successful exploitation for the vulnerabilities, the effects of inaccurate network configuration information collected before the attack graph building process and the likelihood of the utilization of the attack paths by an attacker. In Ma et al. (2010), the authors apply a simple depth limitation policy to the bidirectional graph search method they use for attack graph building. The attack paths whose lengths are greater than a given threshold are no longer expanded. 
A work (Ammann et al., 2005) of the Center for Secure Information Systems of George Mason University proposes a method for attack graph computation based on the highest access levels obtained on the target network hosts in order to eliminate the combinatorial state explosion problem. The computed attack graph is not a full attack graph, namely it does not express all possible paths that an attacker can use to intrude into the target network. It only shows the example worst-case attack scenario among each host pair in the network, which can be utilized by an attacker. The proposed method is considered a goal-oriented attack paths pruning method according to our taxonomy, since it eliminates some paths reaching the goal states according to the importance of the access levels gained as a result of applying the exploits on the paths. Another goal-oriented attack paths pruning method is proposed in Bhattacharya et al. (2008). It is used to identify the attack paths leading to the determined goal states by removing redundant (useless) edges from an input exploit dependency attack graph. The recent works of Core Security Corporate also contribute to attack paths pruning methods. Lucangeli et al. (2010) find only the attack paths requiring minimum time for an attacker to reach the pre-specified goal states for the target network. This work utilizes a goal-oriented attack paths pruning method. Sarraute et al. (2011) compute the probability of success and execution time (cost) values for atomic attack actions (exploits) and incorporate them in attack trees. The choose and combine primitives are defined to find, respectively, the optimal exploit in an exploit set and the optimal ordered set of exploits in ordered exploit sets. An attack tree between two directly reachable assets (network nodes) is processed by using the primitives to derive optimal attack paths between the two assets. A modified version of the Floyd–Warshall and Dijkstra algorithms is proposed to compute the optimal attack paths between indirectly reachable assets. An attack path is optimal if it minimizes the expected execution time and maximizes the probability of success to reach the selected goal asset(s). This work also utilizes a goal-oriented attack paths pruning method. Another work (Sarraute et al., 2012) of Core Security Corporate utilizes Partially Observable Markov Decision Processes (POMDPs) for optimal attack paths planning to represent incomplete (uncertain) target network configuration and probabilistic dependencies between exploits. It is known that POMDPs are not scalable for a large number of states (a large number of network nodes in this context). The authors alleviate the scalability problem of POMDPs by decomposing the network into biconnected components including possibly more than one subnet. POMDPs are only used to find the optimal attacks on individual network nodes. On the subnet and biconnected component level, the results from the lower levels are combined with domain-specific algorithms. This work illustrates a probability-based attack paths pruning method.

Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

Fig. 8 – Application areas of attack graphs for network security. (Figure: Uses of Attack Graphs, with three branches. Network Security Metrics Computation: computation of metrics indicating the security level of the target network and used for security risk analysis. Network Hardening: optimal defense measure recommendation based on attack graph, including determination of optimal locations and configurations for intrusion detection/prevention and filtering devices. Near Real-time Security Analysis: includes on-line attack scenario detection, attack prediction and reactive defense measures determination.)
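As an added illustration of the depth-limited, probability-based and goal-oriented pruning methods classified above (this is not code from any of the surveyed works), the following Python snippet enumerates attack paths over a small constructed exploit-dependency graph; the hosts, exploit names, success probabilities and thresholds are all constructed.

```python
"""Attack-path enumeration with depth-limited and probability-based pruning.

Added example: the exploit-dependency graph, exploit names, success
probabilities and thresholds below are constructed for illustration and are
not taken from any of the surveyed works.
"""
from collections import namedtuple

# An exploit is applicable when all of its preconditions (attacker privileges
# or reachability facts) hold; on success it grants its postcondition.
Exploit = namedtuple("Exploit", "name pre post p_success")

# Constructed three-host scenario: a web host, a database host and a file
# server.  p_success is the assumed probability of successful exploitation.
EXPLOITS = [
    Exploit("e1_web_rce",  {"reach_web"},            "user@web",  0.8),
    Exploit("e2_web_lpe",  {"user@web"},             "root@web",  0.5),
    Exploit("e3_db_sqli",  {"user@web", "reach_db"}, "user@db",   0.6),
    Exploit("e4_db_lpe",   {"user@db"},              "root@db",   0.4),
    Exploit("e5_file_rce", {"root@web"},             "root@file", 0.3),
    Exploit("e6_db_cred",  {"root@file"},            "root@db",   0.9),
]
INITIAL = {"reach_web", "reach_db"}   # attacker starts outside the network
GOAL = "root@db"


def enumerate_attack_paths(exploits, initial, goal, max_depth, min_prob):
    """Depth-first expansion of attacker states.

    A path is extended only while it contains at most max_depth exploits
    (depth-limited pruning) and its cumulative success probability stays at
    least min_prob (probability-based pruning).  Only paths that end in the
    goal are reported (goal-oriented selection of the result set).
    Returns (paths sorted by decreasing probability, states expanded).
    """
    results = []
    expanded = 0

    def expand(state, path, prob):
        nonlocal expanded
        expanded += 1
        if goal in state:
            results.append((tuple(e.name for e in path), round(prob, 4)))
            return
        if len(path) >= max_depth:
            return                      # depth-limited pruning
        for e in exploits:
            if e.post in state or not e.pre <= state:
                continue                # privilege already held / prerequisites missing
            new_prob = prob * e.p_success
            if new_prob < min_prob:
                continue                # probability-based pruning
            expand(state | {e.post}, path + [e], new_prob)

    expand(frozenset(initial), [], 1.0)
    return sorted(results, key=lambda r: -r[1]), expanded


if __name__ == "__main__":
    # Tightening the thresholds shrinks the number of states expanded.
    for depth, prob in ((6, 0.0), (4, 0.1), (3, 0.1)):
        paths, n = enumerate_attack_paths(EXPLOITS, INITIAL, GOAL, depth, prob)
        print(f"max_depth={depth} min_prob={prob}: {len(paths)} paths, {n} states expanded")
        for names, p in paths:
            print("   ", " -> ".join(names), f"p={p}")
```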

4. Using attack graphs for network security

Once an attack graph is generated, it can be used for a variety of purposes with positive or negative effects. This section is mainly concerned with the use of attack graphs for increasing the security level of the network, e.g. by determining the networked applications presenting higher security risk values and near-optimal security measures based on the generated attack graphs. Major application areas of the attack graphs for network security can be listed as follows, which are also depicted in Fig. 8.

1. Network Security Metrics Computation: Attack graphs can be used to derive network security metrics used for global security assessment of the target network. These metrics can be used to perform security risk analysis for the target network. Each node (generally indicating a network state) and each edge (generally indicating a vulnerability exploit) on the attack graph can be assigned a probability of occurrence. A node can also be assigned a possible damage value, if the corresponding network state for the node indicates the compromise of some information source for a network host. From these probability and damage values, the cumulative risk values are computed for each network state on the attack graph.

2. Network Hardening: Attack graphs can be used for recommending near-optimal security defense measures. The defense measures can be in the form of vulnerability patches, modifications of filtering rules on firewalls and routers, optimal IDS/IPS and firewall locations, user rights on host applications or topological changes, among others.

3. Near Real-time Security Analysis: Attack graphs can be used for on-line security situational assessment (monitoring) and detecting ongoing attack scenarios by performing high-level correlation and aggregation of the intrusion alerts and system logs collected throughout the target network. The detected attack scenarios can be used to perform future attack predictions and determine reactive defense measures.

In fact, all of the application areas for attack graphs described above can be effectively employed in practice, if we assume that the attack graphs are updated continuously with the updates of the target network configuration. In the following subsections, each major application area for attack graphs is discussed with references to the related prominent works in the literature.

4.1. Network security metrics computation

Network security metrics computation includes the definition of the metrics used to evaluate network security based on attack graphs. It also describes the computation of the values for the metrics using the generated attack graphs. It can provide an indication of the critical attack paths and the associated weakest links. In an early work (Dacier et al., 1996) of the LAAS-CNRS group, a network security evaluation and metrics computation framework based on attack graphs is proposed, which can be used to perform risk analysis and defense measure recommendation to evaluate and increase the security level of the target network. The two works (Jha et al., 2002a, 2002b) of the Computer Science Department of Carnegie Mellon University perform reliability analysis on an attack graph via annotating its edges (possibly not all edges) with probability values and interpreting the attack graph as a Markov Decision Process (MDP). The likelihood of success of an attacker starting from any state on the attack graph to reach the goal privileges can be computed by the reliability analysis via value iteration methods for MDPs. Another work (Mehta et al., 2006) of the Computer Science Department of Carnegie Mellon University proposes two methods for ranking the state nodes of an attack graph. The rank for a state node indicates the probability of an attacker reaching this node. The ranked attack graphs can be used to measure the security strength of the target network. One of the methods for ranking is based on Google’s PageRank algorithm. The other method is based on a random walk model for the attacker. Both methods can work in the absence of a priori likelihood of exploitation values for vulnerabilities. In one of the works (Pamula et al., 2006) of the Center for Secure Information Systems of George Mason University in the subject of attack graphs, Pamula et al. propose a quantitative network security metric whose value is computed based on the analysis of an attack graph. The computation of the metric includes the determination of the minimal set of initial network privileges that a weakest adversary (i.e., one requiring the least amount of effort) should possess to obtain the specified goal privileges.
The metric computation method is based on backwards search from the goal privileges on the attack graph and handles cycles on the attack graph via storing already processed attack graph nodes. It does not use any subjective or qualitative values, such as risk likelihoods. The Concordia Institute for Information Systems Engineering of Concordia University has prominent contributions to network security metrics computation. The works in Frigault and Wang (2008) and Frigault et al. (2008) interpret attack graphs as Bayesian networks to provide a general network security metrics computation framework. A network security metric, called the k-zero day safety metric and based on attack graphs, is formally defined in another work (Wang et al., 2014) of the Institute. It is computed by using a metric function taking a set of assets (conditions) on the input attack graph as parameter. The input attack graph is enhanced by introducing zero day exploit nodes in it. The shortest paths from the initial conditions to the asset nodes on the attack graph are considered during the metric computation. The computed metric value represents the maximum number of distinct zero day vulnerabilities that must be exploited by an attacker to compromise the input assets (obtain the related conditions). The proposed k-zero day safety metric is used to evaluate the effectiveness of possible network hardening solutions such as patching solutions, diversifying the remote services available on the target network and changing the connectivity conditions by modifying the filtering rules. The Department of Electrical and Computer Engineering of the University of Illinois contributes to network security metrics computation with two significant works. In LeMay et al. (2010), a method for security metrics computation based on attacker behavioral profiles is proposed. An attacker behavior profile could specify the attacker’s skill level, initial system knowledge and system access rights. An attack execution graph showing all possible attack paths for a target network is used together with the defined attacker profiles to find the attack paths that could be followed by the corresponding attacker types. For this purpose, discrete-event simulation is utilized. The user could choose among the predefined security metrics and the values of the chosen metrics are computed for the target network via simulation. This allows both system-focused and adversary-focused quantitative security assessment of the target network. LeMay et al. (2011) explain the implementation details of the concepts proposed in LeMay et al. (2010). In Poolsappasit et al. (2012), the authors propose network security risk evaluation and mitigation plan assessment methods based on Bayesian attack graphs they formally define. Albanese et al. (2013) propose a set of polynomial algorithms for evaluating the k-zero-day safety of large networks efficiently. The algorithms do not require pre-computing the full attack graph which includes all possible zero-day attacks. In a work (Beckers et al., 2014) of The Ruhr Institute for Software Technology of the University of Duisburg-Essen and Istituto di Informatica e Telematica—Consiglio Nazionale delle Ricerche, Beckers et al. propose a method combining high-level attack tree and low-level attack graph analysis to compute the probability of success values for the attacker goals in a specific attacker plan.
The attacker plan is designated by an attack tree which contains the attacker’s main goal, subgoals and the relations among them. The attack graph contains attacker privileges, vulnerability exploits and the relations among them. The proposed method finds the subgraph of the attack graph which satisfies each (sub)goal of the attacker in the attack tree and computes the probability of reaching each (sub)goal by using the likelihood of success values for the vulnerability exploits in the attack graph. The computation of the attack graphs and the probability of reaching each (sub)goal in an attack tree is enriched by incorporating the effects of social engineering threats in Beckers et al. (2015).

4.2. Network hardening

Network hardening is related to determining near-optimal, proactive and reactive defense measures based on attack graphs. It generally uses the attack graphs generated by accounting for the goal privileges pointing to the critical network assets. There are actually two main types of algorithms utilized in attack graph-based optimal defense measure recommendation. One type is based on the application of graph traversal methods. In this case, the prominent graph search algorithms can be applied starting from the goal privileges. The aim is to find a minimum-cost combination of the initially satisfied privileges that can be negated (eliminated) by the network administrator. The elimination of these privileges gives rise to the elimination of the attack paths reaching the goal conditions. The second type of algorithm utilized in attack graph-based near-optimal defense measure recommendation is based on the application of the prominent combinatorial optimization methods. A single- or multi-objective optimization method can be utilized. Among the different optimization criteria that can be specified are minimizing the total cost of the applied defense measures, maximizing the number of eliminated attack paths reaching the goal conditions, minimizing the total residual damage on the target network hosts after applying the near-optimal set of defense measures, etc. When evaluating the optimization criteria, the interactions among the different applicable defense measures should be taken into account. An example interaction is that the application of one defense measure to eliminate a specific attack path may make the application of a set of other measures redundant for eliminating the same attack path. In an early work (Phillips and Swiler, 1998) of Sandia National Laboratories, a counter-measure recommendation method is introduced, which takes into account the cost values for the recommended defense measures and the total budget for the target network to spend on the defense measures. The Computer Science Department of Carnegie Mellon University has contributions on network hardening based on attack graphs. Sheyner et al. (2002) compute the minimal and minimum atomic attack sets, which prevent the attacker from reaching her goals, based on attack graphs via utilization of the algorithms for the minimum cover problem. In Jha et al. (2002a) and Jha et al. (2002b), the problem of finding the minimum set of attacks (or measures) to eliminate all the attack paths to the goal privileges is reduced to the minimum hitting set problem and proved to be NP-complete. A greedy algorithm for this problem is proposed.
Additionally, attack graphs are annotated with edge probability values and it is shown that Markov Decision Process algorithms such as value iteration can be used to compute which attack incurs the most damage to the target network and to decide if deploying an intrusion detection system at a specific location inside the target network could increase the likelihood of thwarting this attack. A graph search-based near-optimal defense measure recommendation method that represents the conjunction of negated goals as a logic proposition of the initially satisfied conditions on the attack graph is proposed in Wang et al. (2006), which is one of the works of the Center for Secure Information Systems of George Mason University. In another work (Jajodia and Noel, 2010) of the same group, Jajodia et al. introduce an integrated network security evaluation tool called TVA, which provides support for the determination of the near-optimal locations for the firewalls and intrusion detection/prevention systems on the target network based on attack graphs. Additionally, Albanese et al. (2012) remove the assumption of independently negating each initial condition in an attack graph, which is adopted in previous works, by accounting for the interdependencies between the defense measures. The Concordia Institute for Information Systems Engineering of Concordia University has prominent contributions in the subject of network hardening. In Islam and Wang (2008), a heuristic-based search solution approach to the minimum cost network hardening problem is proposed. Wang et al. (2014b) propose a solution for hardening a network against multi-step intrusions by using attack graphs. It represents the specified critical resources as a logic proposition of the initial security conditions. After simplifying the proposition, the minimum-cost defense measure set in terms of negating the initial security conditions is determined. In Wang et al. (2014a), the network hardening problem using attack graphs is formally defined and the applicability of the graph-theoretic, heuristic approaches to this problem is discussed. Wang et al. (2014c) formally define the concept of a defense measure action, the interdependencies among these actions and the concept of a hardening strategy that can combine multiple, possibly interdependent defense measure actions into a composite representing a defense plan. They also propose a near-optimal approximation algorithm for the network hardening problem that employs attack graphs and scales linearly with the size of the graphs. Dewri et al. (2007) define the near-optimal defense measure recommendation problem as a multi-objective optimization problem. The objectives are minimizing the total cost and the residual damage. Their residual damage model computes a damage value for each node in the attack graph. The authors apply a genetic algorithm to solve the optimization problem, but they do not take into account the interactions among the available defense measures in the generation of new candidate solutions (new generations in the genetic algorithm). Instead, the candidate solutions seem to be generated simply by random crossover and mutation processes in their genetic algorithm, independent of such interactions.
Since these interactions may indicate the common attack paths that are eliminated by different defense measures, they can be utilized to prevent the optimization process from being caught in local optima and to help speed up the optimization process. In Chen et al. (2008), a solution to the minimum cost network hardening problem based on Reduced Ordered Binary Decision Diagrams (ROBDDs) is presented. The solution is used for determining the minimum cost defense-measure recommendations that minimize the number of attack paths reaching the attacker’s goal privileges. In Poolsappasit et al. (2012), both single- and multi-objective genetic optimization algorithms are applied to find the near-optimal defense measure solution. However, similar to Dewri et al. (2007), the candidate solutions are generated randomly without utilizing the commonality of the effects induced by the defense measures on the target network. Jun-chun and Ji-yin (2012) formalize a mathematical model employing attack graphs to represent the network hardening problem as a non-restraint optimization problem with penalty. A parallel genetic algorithm is used to solve the resulting optimization problem. In Yigit et al. (2014), a heuristic method to find a cost-effective network hardening solution with a limited budget is proposed. The method uses as input an attack graph that contains only the possible attack paths which can reach pre-specified critical resources in the target network. The exploit or initial security condition contributing most to the elimination of these attack paths with the least cost is selected at each step of the attack graph traversal until the total cost exceeds the allocated budget.
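The graph-search family of hardening methods described in this subsection (goal expressed as a logic proposition over the initially satisfied conditions, then a minimum-cost set of initial conditions to negate) can be illustrated with the following added Python example; it is not the code of Wang et al. (2006) or of any other cited work, the two-host exploit graph is constructed (loosely modelled on the classic ftp_rhosts/rsh/sshd scenario) and the negation costs are assumed values.

```python
"""Minimum-cost network hardening via a proposition over initial conditions.

Added example, not the code of Wang et al. (2006) or of the other cited
works: the goal condition is expanded backwards through the attack graph
into a disjunction of minimal initial-condition sets (a DNF), and the
cheapest set of initial conditions whose negation falsifies every term is
chosen.  The graph is a constructed two-host scenario; costs are assumed.
"""
from itertools import combinations

# exploit -> (preconditions, postcondition); constructed scenario.
EXPLOITS = {
    "ftp_rhosts": ({"ftp(0,1)", "user(0)"},   "trust(1,0)"),
    "rsh":        ({"trust(1,0)", "user(0)"}, "user(1)"),
    "sshd_bof":   ({"sshd(0,1)", "user(0)"},  "user(1)"),
    "local_bof":  ({"user(1)"},               "root(1)"),
}
INITIAL = {"user(0)", "ftp(0,1)", "sshd(0,1)"}
# Assumed cost of negating each initial condition (e.g. disabling a service
# or removing the attacker's foothold on host 0).
COST = {"user(0)": 100, "ftp(0,1)": 20, "sshd(0,1)": 30}


def _minimize(terms):
    """Drop DNF terms that are supersets of another term (absorption)."""
    return {t for t in terms if not any(o < t for o in terms)}


def dnf_of(cond, exploits, initial, stack=frozenset()):
    """Minimal sets of initial conditions, each sufficient to obtain cond.

    The backward search follows every exploit producing cond and ANDs the
    DNFs of its preconditions.  Conditions currently being expanded are kept
    in `stack`; an exploit needing one of them closes a cycle and is skipped.
    """
    if cond in initial:
        return {frozenset([cond])}
    terms = set()
    for _, (pre, post) in exploits.items():
        if post != cond or pre & (stack | {cond}):
            continue
        partial = {frozenset()}           # AND of the preconditions
        for p in pre:
            sub = dnf_of(p, exploits, initial, stack | {cond})
            partial = {a | b for a in partial for b in sub}
        terms |= partial
    return _minimize(terms)


def min_cost_hardening(goal, exploits, initial, cost):
    """Cheapest initial-condition set hitting every DNF term of the goal.

    This is a minimum-cost hitting set, NP-complete in general (Jha et al.);
    brute force is fine for a graph of this size.  Returns (set, cost).
    Negating one condition shared by several terms can make other measures
    redundant, which is the interaction the text above refers to.
    """
    terms = dnf_of(goal, exploits, initial)
    if not terms:
        return frozenset(), 0              # goal already unreachable
    candidates = sorted({c for t in terms for c in t})
    best = (frozenset(), float("inf"))
    for k in range(1, len(candidates) + 1):
        for combo in combinations(candidates, k):
            chosen = frozenset(combo)
            if all(chosen & t for t in terms):
                total = sum(cost[c] for c in chosen)
                if total < best[1]:
                    best = (chosen, total)
    return best


if __name__ == "__main__":
    print(sorted(map(sorted, dnf_of("root(1)", EXPLOITS, INITIAL))))
    print(min_cost_hardening("root(1)", EXPLOITS, INITIAL, COST))
```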

4.3. Near real-time security analysis

Near real-time security analysis comprises the correlation of the intrusion alerts and system/application logs, collected throughout the target network, based on attack graphs in order to perform real-time security situation assessment. Near real-time security analysis using attack graphs can generally be performed in practice in two ways. In the first way, a full attack graph is generated and stored off-line, and used for intrusion alert correlation on-line. In the second way, there is no off-line, statically generated full attack graph. Instead, partial and depth-limited attack graphs are generated on-line using the collected intrusion alerts and logs as inputs. The partial attack graphs are expanded with the reception of additional related intrusion alerts and logs. Independent of whether a full attack graph is statically generated or not, the correlated intrusion alerts and logs on the full attack graph or partial attack graphs are used to determine ongoing attack scenarios and reactive defense measures, and predict future attacks. Templeton and Levitt (2000) describe ongoing attack scenario detection as a possible utilization method for the attack graphs generated off-line to support near real-time security analysis. It is also mentioned that the detected attack scenarios can be used for future attack prediction for the target network. In Ning and Xu (2003), the authors propose computing a similarity measure between two attack graphs that is used during intrusion alert correlation to identify and hypothesize the attacks missed by the intrusion detection/prevention sensors. The identification of missed attacks can lead to more accurate detection of ongoing attack scenarios for the target network. In a work (Noel et al., 2004) of the Center for Secure Information Systems of George Mason University, Noel et al. propose an intrusion alert correlation method based on the distances among the exploits on an all-paths attack graph for the target network.
The attack graph for the target network is built off-line by taking into account the network vulnerability information and exploit models derived using the information in the public vulnerability databases on the Internet. After the attack graph is built, the distances of the shortest paths between each pair of exploits on the attack graph are computed and stored. When an intrusion event is received, it is mapped to the corresponding exploit on the attack graph and checked for correlation with the previous intrusion events. Two intrusion events are correlated if the distance between their corresponding exploits on the attack graph is not infinite. In another work (Wang et al., 2005) of the Center for Secure Information Systems of George Mason University, Wang et al. propose a new attack graph-based algorithm for intrusion alert correlation and attack prediction, which is called queue graphs. The main motivation for this new algorithm is the need to eliminate the disadvantages of the nested loop-based intrusion alert correlation methods. An obvious disadvantage of nested loop-based alert correlation is the introduction of a sliding time window for the processing of the alerts and the comparison of a new alert with all the previous alerts for correlation. Even if in-memory indices are used for locating the previously received alerts, some of these indices must be deleted according to a sliding time window because of memory limitations. Contrary to the nested loop-based approach, the queue graph approach takes into account only the latest alert corresponding to each exploit. In an all-paths attack graph consisting of exploit and security condition (privilege) nodes, each exploit node contains a queue of length one to store the latest intrusion alert related to the exploit node. When a new alert is received, its corresponding exploit is found in the attack graph, the alert is enqueued in the queue of the exploit and a breadth-first search is started backwards in the attack graph. When hypothesized alerts are not generated (in the basic correlation algorithm), the search stops when an empty queue is reached. When hypothesized alerts are generated (in the improved version), the search generates a hypothesized alert when an exploit with an empty queue is reached. The search continues backwards from the hypothesized alert until an explained exploit (with a non-empty queue) is reached. The hypothesized alerts correspond to attacks missed by the intrusion detection sensors. Additionally, an attack prediction method, which uses forward pointers on the edges of a queue graph, is proposed in Wang et al. (2005). A potential drawback of the search methods applied in this work is that the backwards breadth-first search is performed over the whole all-paths attack graph and it may be very time-consuming because of the possible traversal of large parts of the attack graph that are unrelated to the received alerts (especially if the all-paths attack graph is large). An adaptive intrusion response system using a graph of intrusion goals (I-Graph) is proposed in Foo et al. (2005). An I-Graph is formed by using the vulnerability descriptions and the service dependency graph for the target network. The system can be used with any number of detectors that can generate security alerts. The alerts are mapped to the nodes of the I-Graph.
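The queue graph correlation described above, as an added Python example written from that description (it is not the code of Wang et al., 2005): each exploit node holds a length-one queue, a new alert triggers a backward breadth-first search, and an empty queue either stops the branch (basic algorithm) or yields a hypothesized alert (improved version). The attack graph, exploit names, conditions and alerts are constructed; the interpretation that the search passes through exploits whose queue already holds an alert is an assumption.

```python
"""Queue-graph style alert correlation over a constructed attack graph.

Added example written from the description of the queue graph approach; it
is not the code of Wang et al. (2005).  Exploit names, security conditions
and alerts are constructed.  Assumed interpretation: the backward search
passes through exploits whose queue holds an alert (those alerts become
correlated with the new one); an exploit with an empty queue stops the
branch in the basic algorithm, or yields a hypothesized alert and keeps
searching in the improved version.
"""
from collections import deque

# exploit -> (preconditions, postcondition): an all-paths attack graph with
# exploit and security-condition nodes, flattened to a dict.
ATTACK_GRAPH = {
    "scan_web": (set(),         "knows_web"),
    "web_rce":  ({"knows_web"}, "user@web"),
    "web_lpe":  ({"user@web"},  "root@web"),
    "db_sqli":  ({"user@web"},  "user@db"),
    "db_exfil": ({"user@db"},   "data@db"),
}


class QueueGraph:
    def __init__(self, graph):
        self.graph = graph
        # Length-one queue per exploit node: only the latest alert is kept,
        # so memory does not grow with the number of received alerts.
        self.queue = {e: None for e in graph}
        # condition -> exploits that establish it, used for backward search
        self.producers = {}
        for e, (_, post) in graph.items():
            self.producers.setdefault(post, []).append(e)

    def predecessors(self, exploit):
        pre, _ = self.graph[exploit]
        return [p for cond in sorted(pre) for p in self.producers.get(cond, [])]

    def receive(self, exploit, alert, hypothesize=False):
        """Map an alert to its exploit, enqueue it and search backwards.

        Returns (explained, hypothesized): exploits whose stored alert is
        correlated with the new alert, and exploits for which an alert was
        hypothesized (a likely attack step missed by the sensors).
        """
        if exploit not in self.graph:
            raise KeyError(f"alert does not map to a known exploit: {exploit}")
        self.queue[exploit] = alert        # overwrite: the queue has length one
        explained, hypothesized = [], []
        seen = {exploit}
        work = deque(self.predecessors(exploit))
        while work:                        # breadth-first, backwards
            e = work.popleft()
            if e in seen:
                continue
            seen.add(e)
            if self.queue[e] is not None:
                explained.append(e)        # stored alert explains this step
            elif hypothesize:
                hypothesized.append(e)     # missed attack, keep searching
            else:
                continue                   # basic algorithm: empty queue stops
            work.extend(self.predecessors(e))
        return explained, hypothesized


if __name__ == "__main__":
    qg = QueueGraph(ATTACK_GRAPH)
    print(qg.receive("web_rce", "alert-1"))
    # The sensors missed db_sqli; the improved search hypothesizes it.
    print(qg.receive("db_exfil", "alert-2", hypothesize=True))
```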
For each node to which an alert is mapped, a confidence value is computed by using the confidence values of its children. The nodes for which responses are deployed are determined according to their confidence values. The responses deployed are determined by computing an effectiveness and a disruptiveness value for them. These values are updated by accounting for the previous success conditions for the responses. This gives rise to the adaptive selection of responses by improving the responses deployed against similar attacks over time. In Xie et al. (2010), Bayesian networks are generated from attack graphs by incorporating specific uncertainties defined in the context of near real-time security analysis. These uncertainties are related to the false positive and negative intrusion alerts. In Roschke et al. (2011), an attack graph-based approach to intrusion alert correlation is presented. Specific methods for mapping the received intrusion alerts to the attack graph nodes, alert aggregation, building alert dependency graphs and selecting suspicious subsets of the alerts from the created alert dependency graphs are proposed. Each of these methods is parametrized to adjust the accuracy and speed of the overall correlation algorithm. In Albanese et al. (2011), an index data structure used for mapping the intrusion alerts to the attack scenario graph and an update procedure for the index data structure are proposed, which allow handling of large attack graphs and large volumes of intrusion alerts. One of the works of the Laboratory of Computer Security Problems in the St. Petersburg Institute for Informatics and Automation, which contributes in the subject of near real-time security analysis, is Kotenko and Doynikova (2014). The procedure proposed in Kotenko and Doynikova (2014) takes the network topology, the full attack graph for the network and the security events collected across the network as inputs. It processes the security events one by one. During the processing of each event, it tries to find two attack paths. One is the path that was most likely followed by the attacker up to the generation of the last security event. The other is the path that will most likely be followed by the attacker in the future, and it is computed according to computed risk values. According to this second path, the attacker goals are found. These paths and attacker goals are updated with the processing of each new security event. The authors form a sample network and an attack graph for this network. They try to show the processing of their security assessment procedure with respect to them and some artificially generated security events. There is no verification of their algorithms’ results against well-known intrusion alert data sets.

Table 1 – Classification of the methods applied in the past works according to the reachability scope criterion.

Group | Reachability scope: Whole network reachability | Reachability scope: Atomic domains reachability
Center for Secure Information Systems, George Mason University | Ammann et al., 2002, 2005; Ritchey and Ammann, 2000 | Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009; Wang et al., 2014a, 2014b, 2014c
MIT Lincoln Laboratory | Sheyner et al., 2002 | Ingols et al., 2006, 2009
Computer Science Department, Carnegie Mellon University | Jha et al., 2002a; Sheyner and Wing, 2004; Sheyner et al., 2002 | –
Concordia Institute for Information Systems Engineering, Concordia University | Frigault and Wang, 2008; Frigault et al., 2008; Islam and Wang, 2008; Wang et al., 2008 | Wang et al., 2014a, 2014b, 2014c
Sandia National Laboratories, Albuquerque | Phillips and Swiler, 1998; Swiler et al., 2001 | –
Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation | Kotenko and Doynikova, 2014; Kotenko and Stepashkin, 2006 | –
LAAS-CNRS, France | Dacier et al., 1996; Ortalo et al., 1999 | –
Core Security Corporate, Buenos Aires, Argentina | Lucangeli et al., 2010; Sarraute et al., 2011, 2012 | –
Department of Electrical and Computer Engineering, University of Illinois | Ford et al., 2013; LeMay et al., 2010, 2011 | –
The Ruhr Institute for Software Technology, University of Duisburg-Essen and Istituto di Informatica e Telematica—Consiglio Nazionale delle Ricerche | Beckers et al., 2014, 2015 | –
Individual works | Chen and Su, 2009; Ma et al., 2010; Ning and Xu, 2003; Ou et al., 2006; Poolsappasit et al., 2012; Templeton and Levitt, 2000; Xie et al., 2009; Zhang et al., 2009; Zhao et al., 2009 | Chen et al., 2009

5. Evaluation of the previous works for attack graph generation and usage

This section presents a tabled classification of the methods applied by the previous works according to the proposed attack graph generation and usage taxonomy. The tabled classification can be used as a quick reference. We summarize the results of the analysis of the previous works that is presented in the previous sections. In this way, we provide an opportunity for the readers to evaluate the maturity and completeness of the approaches proposed by each group or laboratory. In this section, the descriptions of the attack graph generation and analysis tools developed by different groups are also presented.

5.1. Classification of the methods applied by the previous works

In this section, we present a classification of the methods applied in the previous works related to attack graph generation and usage according to the proposed taxonomy. In each table presented in this section, only the past works concentrating specifically on the criteria related to the table are cited. Namely, if a past work utilizes the concepts proposed by other works or has no contribution to the corresponding criteria, it is not cited in the corresponding table. In Tables 1 and 2, the past works for each group (laboratory or corporation) are cited according to the methods they apply for the classification criteria for reachability analysis. In Table 3, the related past works are cited according to the methods they apply to create attack models. In Table 4, the related past works are cited according to the attack graph models they use. In Table 5, the classification of the methods of the past works related to attack paths determination and pruning is shown. Table 6 presents the classification of the methods applied in the past works related to the usage of attack graphs.

Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

[Table 2 – Classification of the methods applied in the past works according to the reachability content criterion. Columns (reachability content): Filtering and access control rules modeling; Trust relationships; Application relationships; IDS modeling. Rows (groups): Center for Secure Information Systems, George Mason University; MIT Lincoln Laboratory; Computer Science Department, Carnegie Mellon University; Concordia Institute for Information Systems Engineering, Concordia University; Sandia National Laboratories, Albuquerque; Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation; LAAS-CNRS, France; Core Security Corporate, Buenos Aires, Argentina; Department of Electrical and Computer Engineering, University of Illinois; The Ruhr Institute for Software Technology, University of Duisburg-Essen and Istituto di Informatica e Telematica—Consiglio Nazionale delle Ricerche; Individual works. The cell layout was lost in extraction; the works cited in the table are: Ammann et al., 2002, 2005; Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009; Ritchey et al., 2002; Ritchey and Ammann, 2000; Wang et al., 2014a, 2014b, 2014c; Ingols et al., 2006, 2009; Sheyner et al., 2002; Jha et al., 2002a; Sheyner and Wing, 2004; Frigault and Wang, 2008; Frigault et al., 2008; Islam and Wang, 2008; Wang et al., 2008; Phillips and Swiler, 1998; Swiler et al., 2001; Kotenko and Doynikova, 2014; Kotenko and Stepashkin, 2006; Dacier et al., 1996; Ortalo et al., 1999; Lucangeli et al., 2010; Sarraute et al., 2011, 2012; Ford et al., 2013; LeMay et al., 2010, 2011; Beckers et al., 2015; Chen et al., 2009; Chen and Su, 2009; Ma et al., 2010; Ning and Xu, 2003; Ou et al., 2006; Poolsappasit et al., 2012; Templeton and Levitt, 2000; Xie et al., 2009; Zhang et al., 2009; Zhao et al., 2009.]

[Table 3 – Classification of the methods applied in the past works according to the attack modeling criterion. Columns (attack model): Manually-defined attack templates; Attack templates based on historical data; Text processing-based attack templates. Rows: the same groups as in Table 2. The cell layout was lost in extraction; the works cited in the table are: Ammann et al., 2002, 2005; Ritchey et al., 2002; Ritchey and Ammann, 2000; Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009; Wang et al., 2008, 2014a, 2014b, 2014c; Ingols et al., 2006, 2009; Sheyner et al., 2002; Jha et al., 2002a; Sheyner and Wing, 2004; Frigault and Wang, 2008; Frigault et al., 2008; Islam and Wang, 2008; Phillips and Swiler, 1998; Swiler et al., 2001; Kotenko and Doynikova, 2014; Kotenko and Stepashkin, 2006; Dacier et al., 1996; Ortalo et al., 1999; Lucangeli et al., 2010; Sarraute et al., 2011, 2012; Ford et al., 2013; LeMay et al., 2010, 2011; Beckers et al., 2014, 2015; Chen et al., 2008, 2009; Chen and Su, 2009; Han et al., 2012; Jun-chun and Ji-yin, 2012; Ma et al., 2010; Ning and Xu, 2003; Ou et al., 2006; Poolsappasit et al., 2012; Templeton and Levitt, 2000; Xie et al., 2009; Zhang et al., 2009; Zhao et al., 2009.]

Each group has conducted prominent works related to the different phases of attack graph generation. The LAAS-CNRS group and Sandia National Laboratories performed the earliest works modeling attack templates and attack graphs. The LAAS-CNRS group defines abstractions over their attack graph elements (network states and vulnerability exploits) to represent attack scenarios. These abstractions are among the first attempts to form compact, hierarchical attack graphs that can be analyzed efficiently. Some groups work on designing and implementing methods related to nearly all the phases of attack graph generation and also to attack graph usage. Examples of these groups are the Center for Secure Information Systems of George Mason University, the Computer Science Department of Carnegie Mellon University and LAAS-CNRS. In fact, all of these groups have also created integrated tools for attack graph generation and analysis which contain various functionalities like attack modeling, attack graph modeling, attack graph generation and visualization, network security metrics computation, network hardening and intrusion alert correlation. The tool TVA developed by the Center for Secure Information Systems of George Mason University can even compute the optimal locations on the target network for firewalls and IDS/IPSs using attack graphs. MIT Lincoln Laboratory proposes prominent contributions in the field of reachability analysis. The common patterns of the reachability conditions are grouped in order to decrease the space requirements of the reachability matrix and speed up the graph-based attack graph core building algorithm. The reachability groups are also used as nodes in the attack graph models (multiple-prerequisite attack graphs) that are employed by the laboratory. The Center for Secure Information Systems of George Mason University has some earlier prominent works on logic-based attack graph generation. The Computer Science Department of Carnegie Mellon University builds upon these works to define logic-based attack template constructs and improves the logic-based algorithms for attack graph core building. Their algorithms can compute all the counter-example paths to the given security property. In later works of the Center for Secure Information Systems of George Mason University, developing graph search-based approaches to attack graph core building has gained more importance. Also, host access graphs are utilized in some of these works to reduce the time complexity of attack graph building. The Laboratory of Computer Security Problems in St. Petersburg Institute for Informatics and Automation has also proposed some abstractions over state- and host-based attack graphs to further contribute to the reduction of this time complexity.

[Table 4 – Classification of the attack graph models used in the past works according to the attack graph modeling criterion. Columns (attack graph model): State-based attack graphs; Vulnerability-based attack graphs; Host-based attack graphs; Attack scenario-based attack graphs. Rows: the same groups as in Table 2. The cell layout was lost in extraction; the works cited in the table are: Ammann et al., 2002, 2005; Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009; Ritchey et al., 2002; Ritchey and Ammann, 2000; Wang et al., 2008, 2014a, 2014b, 2014c; Ingols et al., 2006, 2009; Sheyner et al., 2002; Jha et al., 2002a; Sheyner and Wing, 2004; Frigault and Wang, 2008; Frigault et al., 2008; Islam and Wang, 2008; Phillips and Swiler, 1998; Swiler et al., 2001; Kotenko and Doynikova, 2014; Kotenko and Stepashkin, 2006; Dacier et al., 1996; Ortalo et al., 1999; Lucangeli et al., 2010; Sarraute et al., 2011, 2012; Ford et al., 2013; LeMay et al., 2010, 2011; Beckers et al., 2014, 2015; Albanese et al., 2011; Chen et al., 2008, 2009; Chen and Su, 2009; Jun-chun and Ji-yin, 2012; Ma et al., 2010; Ning and Xu, 2003; Ou et al., 2006; Poolsappasit et al., 2012; Templeton and Levitt, 2000; Xie et al., 2009; Zhang et al., 2009; Zhao et al., 2009.]

Core Security Corporate utilizes planning-based approaches for attack graph building. An important contribution from this group is checking the exploitability of the computed attack paths in the real world by using third-party penetration testing tools. The group has also developed some important methods for attack path pruning during attack graph building. The group’s recent works concentrate mainly on the usage of attack graphs. The Concordia Institute for Information Systems Engineering in Concordia University, the Department of Electrical and Computer Engineering in University of Illinois and The Ruhr Institute for Software Technology in University of Duisburg-Essen (together with Istituto di Informatica e Telematica—Consiglio Nazionale delle Ricerche) have prominent contributions in this respect. These groups mainly work on network security evaluation frameworks that use network security metrics to evaluate the security state of the target network. The network security metrics are defined and computed based on attack graphs. Their computation can even include the effects of potential zero-day vulnerabilities. The Concordia Institute for Information Systems Engineering also has works on network hardening using graph search techniques over attack graphs. In these works, the minimal and minimum attack sets that prevent the attacker from reaching her goals are formally defined. Additionally, the tool Cauldron developed by the Center for Secure Information Systems of George Mason University can perform near real-time network security monitoring by providing support for collecting intrusion alerts and mapping them to the parts of the full attack graph.

[Table 5 – Classification of the methods applied in the past works according to the attack graph core building mechanism criteria. Column groups: Attack paths determination method (Graph-based methods; Logic-based methods) and Attack paths pruning method (Depth-limited attack paths pruning; Goal-oriented attack paths pruning; Probability-based attack paths pruning). Rows: the same groups as in Table 2. The cell layout was lost in extraction; the works cited in the table are: Ritchey and Ammann, 2000; Ritchey et al., 2002; Ammann et al., 2002, 2005; Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2009; Wang et al., 2008, 2014a, 2014b, 2014c; Ingols et al., 2006, 2009; Sheyner et al., 2002; Sheyner and Wing, 2004; Frigault and Wang, 2008; Frigault et al., 2008; Islam and Wang, 2008; Phillips and Swiler, 1998; Swiler et al., 2001; Kotenko and Doynikova, 2014; Kotenko and Stepashkin, 2006; Dacier et al., 1996; Ortalo et al., 1999; Lucangeli et al., 2010; Sarraute et al., 2011, 2012; Ford et al., 2013; LeMay et al., 2010, 2011; Beckers et al., 2014, 2015; Bhattacharya et al., 2008; Chen et al., 2008, 2009; Chen and Su, 2009; Ma et al., 2010; Man et al., 2008; Ou et al., 2006; Poolsappasit et al., 2012; Zhang et al., 2009; Zhao et al., 2009.]

[Table 6 – Classification of the methods applied in the past works according to the usage of attack graphs. Columns (uses of attack graphs): Network security metrics computation; Network hardening; Near real-time security analysis. Rows: the same groups as in Table 2. The cell layout was lost in extraction; the works cited in the table are: Albanese et al., 2011, 2012; Ammann et al., 2005; Jajodia and Noel, 2010; Jajodia et al., 2011; Noel et al., 2004, 2009; Pamula et al., 2006; Wang et al., 2005, 2006, 2008, 2014, 2014a, 2014b, 2014c; Ingols et al., 2006; Sheyner et al., 2002; Jha et al., 2002a, 2002b; Sheyner and Wing, 2004; Mehta et al., 2006; Islam and Wang, 2008; Frigault and Wang, 2008; Frigault et al., 2008; Phillips and Swiler, 1998; Swiler et al., 2001; Kotenko and Doynikova, 2014; Dacier et al., 1996; Ortalo et al., 1999; Lucangeli et al., 2010; Sarraute et al., 2011, 2012; Ford et al., 2013; LeMay et al., 2010, 2011; Beckers et al., 2014, 2015; Chen et al., 2008; Dewri et al., 2007; Foo et al., 2005; Jun-chun and Ji-yin, 2012; Ning and Xu, 2003; Poolsappasit et al., 2012; Roschke et al., 2011; Templeton and Levitt, 2000; Xie et al., 2010; Yigit et al., 2014.]

5.2. Attack graph generation and analysis tools generated by the previous works

One of the earlier attack graph generation and analysis tools is the Attack Graph Generation Tool implemented by Sandia National Laboratories. Swiler et al. (2001) describe the Attack Graph Generation Tool, which computes attack graphs based on three inputs: the attacker profile, the network configuration file and the attack template library. The attacker profile lists the tools and capabilities possessed by the attacker. The network configuration file describes the topology of the target network by specifying the running processes and operating systems on the network hosts. It is formed by using external network scanning tools. The attack template library contains pre- and postconditions for atomic attack steps. It is stated in Swiler et al. (2001) that the reports of external network vulnerability scanners are used partially in the formation of the attack template library.


A node of an attack graph represents a set of system state changes for the target network. A system state change includes the level of penetration by the attacker (gaining root privilege on a specific network host, etc.) and the configuration changes induced by the attack steps on the network hosts (modification of access control for an operating system object, placement of Trojan horses, etc.). A vulnerability corresponds to a set of system state changes. The Attack Graph Generation Tool ranks vulnerabilities (imposes a partial order on them according to their pre- and postconditions) in order to eliminate redundant attack paths containing the same subset of vulnerabilities in different orders. It also computes only interesting attack paths that lead to a new vulnerability on each attack step and performs cycle elimination on attack graphs. In addition, the Attack Graph Generation Tool finds the ε-optimal shortest paths on the generated attack graphs. These paths are found by assigning a weight to each attack step (edge) that represents the cost of the attack step to the attacker. They represent the attack paths for the target network that have a high likelihood of being followed by the attacker. The Computer Science Department of Carnegie Mellon University introduces a tool for attack graph generation called NuSMV that is based on model checking (Sheyner et al., 2002). The configuration of the target network and the model for atomic attacks are used to compute all the attack paths in the form of an attack graph. A safety property is also given as an input and the computed attack paths show the paths that violate the safety property. The generation of the model of the network and the atomic attack model are not performed by the tool NuSMV. By using NuSMV, the minimal critical attack sets that prevent an attacker from reaching her goals are computed. The computation executes a greedy algorithm on an attack graph.
The complexity of the corresponding algorithm is given as O(mn), where m is the number of edges of the attack graph and n is the number of atomic attacks that can be employed by an attacker. By using the tool NuSMV, the authors also perform probabilistic reliability analysis on attack graphs. Markov Decision Processes (MDPs) are used to compute the probability of the attacker reaching her goals starting from each state on the attack graph. From the computed values, the maximum success probability of the attacker satisfying her goals is computed. Additionally, since NuSMV uses model checking techniques, it can compute the attack paths violating a safety property that is specified using temporal logic. Such a safety property can indicate a liveness property, an example of which is that a user will always be able to access a specific server on the target network even in the case of attacks. This property would not hold if there were a Denial-of-Service (DoS) attack disabling the functionality of the corresponding server. The Attack Graph Toolkit, introduced also by the Computer Science Department of Carnegie Mellon University in Sheyner and Wing (2004), uses as its basis a network attack model consisting of the definition of the following items for the target network and a potential attacker:
• Hosts contained by the network,
• Connectivity relations among the hosts,
• Software configuration (operating system, running services and applications) for each host,
• Intrusion detection systems contained by the network (their location, the attacks that can be detected by them),
• Attacker’s store of knowledge about the target network including the known host addresses, vulnerabilities, user passwords and information gathered via port scans,
• Attacker’s actions (vulnerability exploits, port scan tools that can be employed by the attacker).
An instance of the network attack model together with a security property is given as input to the Attack Graph Toolkit. The toolkit uses the modified model checker NuSMV to generate attack graphs. Sheyner and Wing (2004) explain the integration of three external tools with the Attack Graph Toolkit, which are used to generate the data that instantiates the network attack model automatically. These tools (MITRE Corporation’s Outpost, Lockheed Martin’s ANGI and the Nessus vulnerability scanner) are used to find automatically the hosts, the topology, the operating system and services running on the hosts and the vulnerabilities on the hosts for the target network. Although the utilization of such tools highly automates the process of attack graph generation, there is still an important part of the network attack model that needs automation, which is the modeling of the attacker’s actions. This includes the automatic determination of the pre- and postconditions of the vulnerability exploits that can be employed by a potential attacker. The Adversary View Security Evaluation (ADVISE) tool, implemented by the Department of Electrical and Computer Engineering in University of Illinois and described in LeMay et al. (2011), provides a discrete-event simulation environment for producing network security metric values. LeMay et al. (2011) formalize the model for the inputs of the tool, which are the attack execution graph for the target network, the attacker profile and the network security metrics. An attack execution graph is a set of paths comprised of attack steps.
An attack step can be performed successfully by an attacker if the required skills, access conditions and knowledge items have already been obtained by the attacker. The attacker profile holds the skills of the attacker and his initial knowledge about the target network. The ADVISE tool mimics the progress of the attacker inside the network (on the input attack execution graph) as a series of attack steps according to the attacker profile. It achieves this mimicry via simulation. During a simulation instance, the ADVISE tool computes values for the network security metrics, which can be state or event metrics. A state is defined in terms of the knowledge items and access conditions. A state metric measures the average amount of time the target network is in a specific state during the simulation. An event is defined in terms of the attack steps and the addition/removal of knowledge items to a state. An event metric measures the average number of times an event occurs during the simulation. The attack decision function used by the ADVISE tool accounts for the cost, payoff and detection probability when determining the next attack step for the attacker. The attractiveness values for the possible attack steps in terms of these three criteria can be computed by looking ahead a specific number of layers in the input attack execution graph. A data structure called State Look-ahead Tree (SLAT) is introduced to model the possible attack steps that can be taken by the attacker for her n future actions, where n is the planning horizon value. An SLAT is traversed bottom up to compute the attractiveness value for each attack step possible for the current action. Future attack decisions affect the attack step selected as the current action. Ford et al. (2013) describe the implementation of the modeling formalism of the ADVISE tool in the Möbius modeling and simulation tool. The implementation details for the adversary decision and action functions of the ADVISE tool are described. The adversary decision function is executed for each state reached during the simulations. The function computes the most attractive next attack action to be taken by the attacker using a state look-ahead tree (SLAT). Two techniques used for optimizing the execution of the adversary decision function are explained. One of the techniques is the caching of the decision taken for a state. The other technique is the caching of a sub-tree of an SLAT that is rooted at a specific state with its look-ahead level. The cached sub-tree is used if the same state is encountered at the same look-ahead level during the simulations. The adversary action function changes the model state according to the outcome of the current attack action, which is selected stochastically. A mission-centric cyber security situational assessment tool called Cauldron is developed by the Center for Secure Information Systems of George Mason University and described in Jajodia et al. (2011). The tool correlates, aggregates, normalizes and fuses data from various data sources such as vulnerability databases (NVD, OSVDB and Symantec DeepSight), vulnerability scanners (Nessus, Altiris Asset Inventory) and firewall policy providers to find all paths of vulnerability for the target network.
According to these paths, Cauldron computes near-optimal defense measures by selecting the vulnerabilities to be patched according to one of the following criteria:
• vulnerabilities with CVSS scores higher than a pre-specified threshold value,
• vulnerabilities that are related with the maximum number of hosts on the target network,
• vulnerabilities that enable an attacker to jump from one subnet to another the maximum number of times.
The last option above provides the most effective defense solution in the example cases described in Jajodia et al. (2011). The Cauldron tool provides alert correlation by mapping the alerts generated by the IDSs to the full attack graph and hypothesizing missed alerts on the attack graph. The tool also performs mission impact analysis and provides for attack mitigation based on mission workflows in this context. The services on the network hosts that must be protected for a mission are determined and Cauldron prioritizes the recommended defense measures so that the mission survives. The tool also handles overlapping or redundant mission service dependencies. The TVA tool described in Noel et al. (2009) and Jajodia and Noel (2010) forms the basis of Cauldron. The works of MIT Lincoln Laboratory on attack graphs (Ingols et al., 2006, 2009) are quite important for the Cauldron tool. There are some other tools that are considered important for the generation of attack graphs. An example is the tool called MulVAL that is introduced in Ou et al. (2006). The idea in this work is to model vulnerability exploits as logic propositions and apply logic deduction to reach from the initial facts to the goal facts, representing the attacker’s initial and goal privileges respectively. A reasoning engine, XSB, allowing tabled execution is used for this purpose. Tabled execution aids in preventing duplicate computation of facts and in resolving loops in the resulting attack graph. According to the authors, all the rules appear to be evaluated simultaneously in parallel with all possible instantiations of the variables in their bodies. This observation is very important in determining the time and space complexity of their algorithms. Both complexity measures are on the order of the square of the number of hosts in the target network. The main contribution of this work is to model the security domain objects as facts and rules (propositional logic formulas). The approach takes into account the following three important points:
• A successful application of an exploit may depend on more than one precondition in a conjunctive manner.
• A successful application of an exploit may result in more than one postcondition.
• A specific condition may be the result of more than one successful exploit in a disjunctive manner, namely there may be more than one exploit that results in the same postcondition.
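As an added example (not the paper’s, MulVAL’s or NuSMV’s own code), the following Python sketch evaluates MulVAL-style facts and Horn rules to a fixpoint: conjunctive preconditions, several postconditions per rule, several derivations (OR) of one fact, and termination on a cyclic access rule, which is what tabled execution gives in XSB. It also runs the greedy minimal critical attack set computation described above for the NuSMV-based analysis over the same graph. Predicate names imitate MulVAL, but the rule set, the sample network and the vulnerability identifiers are constructed placeholders.

```python
# MulVAL-style logic attack graph (added example; not the paper's or MulVAL's code).
# Facts and Horn rules are evaluated to a fixpoint: every rule is tried with every
# possible binding, a derivation that is already recorded is not recomputed, and
# cyclic derivations terminate, which is what tabled execution provides in XSB.
# Predicate names imitate MulVAL (hacl, netAccess, execCode, vulExists), but the
# rule set and the sample network are constructed and simplified for this example.
from collections import defaultdict

def is_var(t):
    """Variables are strings starting with an uppercase letter; all else is constant."""
    return isinstance(t, str) and t[:1].isupper()

def unify(pattern, fact, binding):
    """Extend binding so that pattern matches fact; None if they do not unify."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return b

def subst(pattern, binding):
    return tuple(binding.get(t, t) if is_var(t) else t for t in pattern)

def match_all(body, known, binding):
    """Yield every binding that satisfies all body literals (conjunctive precondition)."""
    if not body:
        yield binding
        return
    for fact in known:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from match_all(body[1:], known, b)

def build_attack_graph(facts, rules):
    """Return (known_facts, graph). graph maps each derived fact to the set of rule
    instances (rule name, frozenset of body facts) that derive it: several instances
    for one fact is the disjunctive (OR) case, the body set the conjunctive (AND) case."""
    known = set(facts)
    graph = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for name, heads, body in rules:
            for binding in list(match_all(body, known, {})):  # snapshot, then mutate
                inst = (name, frozenset(subst(lit, binding) for lit in body))
                for head in heads:  # one rule may yield several postconditions
                    h = subst(head, binding)
                    if inst not in graph[h]:
                        graph[h].add(inst)
                        known.add(h)
                        changed = True
    return known, dict(graph)

def minimal_critical_set(facts, rules, goal, exploits):
    """Greedy minimal critical set (in the sense used for the NuSMV-based analysis):
    a subset of exploit facts whose removal makes goal underivable and from which no
    single exploit can be dropped. Minimal, not necessarily minimum."""
    critical = list(exploits)
    for e in list(critical):
        trial = [x for x in critical if x != e]
        remaining = [f for f in facts if f not in trial]
        if goal not in build_attack_graph(remaining, rules)[0]:
            critical = trial
    return set(critical)

RULES = [
    ("direct_access", [("netAccess", "H", "Prot", "Port")],
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Prot", "Port")]),
    ("multi_hop", [("netAccess", "H2", "Prot", "Port")],
     [("execCode", "H1", "AnyUser"), ("hacl", "H1", "H2", "Prot", "Port")]),
    ("remote_exploit", [("execCode", "H", "User")],
     [("vulExists", "H", "Vid", "Prog", "remoteExploit", "privEscalation"),
      ("networkService", "H", "Prog", "Prot", "Port", "User"),
      ("netAccess", "H", "Prot", "Port")]),
]

# Constructed sample: attacker on the internet, host web reachable on tcp/80, host db
# reachable only from web on tcp/3306, and a rule from db back to web (a loop).
# Vulnerability identifiers are placeholders, not real advisories.
VULNS = [("vulExists", "web", "vuln-id-placeholder-1", "httpd", "remoteExploit", "privEscalation"),
         ("vulExists", "db", "vuln-id-placeholder-2", "mysqld", "remoteExploit", "privEscalation")]
FACTS = [("attackerLocated", "internet"),
         ("hacl", "internet", "web", "tcp", 80),
         ("hacl", "web", "db", "tcp", 3306),
         ("hacl", "db", "web", "tcp", 80),
         ("networkService", "web", "httpd", "tcp", 80, "www"),
         ("networkService", "db", "mysqld", "tcp", 3306, "mysql")] + VULNS
GOAL = ("execCode", "db", "mysql")

if __name__ == "__main__":
    known, graph = build_attack_graph(FACTS, RULES)
    for fact, ways in graph.items():
        print(fact, "derived by", len(ways), "rule instance(s)")
    print("critical exploits:", minimal_critical_set(FACTS, RULES, GOAL, VULNS))
```

The fact netAccess(web, tcp, 80) ends up with two derivations, one from the internet and one through the loop from db, while the greedy pass returns a single-exploit critical set that is minimal but not the only one.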

6. Potential challenges and open issues

Although there is a vast amount of literature on attack graph generation and usage, there are still important open issues that need to be solved. The major potential challenges in the area are discussed in the following subsections. In essence, the challenges related to reachability analysis and attack graph modeling arise from the need to form realistic attack paths in attack graphs. The attack paths should indicate what can happen in the real world. The formation of such attack paths requires collecting the network configuration information in a fine-grained and accurate manner in order to represent the reachability conditions accurately. It also requires processing the vulnerability information in the public databases precisely in order to represent possible chains of vulnerability exploits accurately. The major potential challenges related to attack graph core building are caused by the scalability problem arising when the size of the target network grows large. This size includes the number of network hosts, the number of software packages installed on the network hosts and the number of vulnerabilities in each installed software package. The scalability problem also affects the algorithms used to compute near-optimal defense measures (network hardening) and to perform near real-time network security analysis based on attack graphs. The main problem related to network security metrics computation is the lack of standardized evaluation criteria for the generated metrics.

6.1. Reachability analysis

Actually, most of the previous works cited in this article model reachability conditions among the target network hosts by abstracting or disregarding the reachability conditions among the software installed on the hosts. Even the ones that account for the software application relationships represent only the reachability conditions among the hosts. This modeling gives rise to the formation of attack paths that may not be satisfiable by an attacker in the real world, because it is assumed that if an attacker has access to the target host, she has a chance to use the vulnerabilities of any software installed on this host. This inaccurate modeling can be improved by matching the results of the external vulnerability scanners with the filtering rules employed on the target network. The IP address of a networked software application can be obtained by running an external vulnerability scanner on the target network. Then, the IP address is searched for among the filtering rules. The filtering rules related to the IP address are used to define the reachability between the corresponding networked software and the other networked software.

It is important to incorporate the application relationships on the target network in as much detail as possible in the generation of the reachability conditions. As future work, specific information sources, which are contained in some installed software and point to other software, can be identified and incorporated into the reachability graph generation process. An example of such an information source is a database table which resides in a database server that is accessed by a web application. The database table may store user credentials for an application A that is completely different from the web application. When an attacker obtains file access rights on the database server by, for instance, applying an SQL injection attack to the web application, she can read the user credentials for application A and access this application. This kind of relationship is not included in any reachability computation process in the previous works. It may not be derived by using just vulnerability scanners and host-based asset managers. Cookies are another example of such information sources. If an attacker can access the cookie store of a web browser, she can directly obtain authorization rights on the web applications pointed to by clear-text cookies.

One of the major challenges in the computation of the reachability conditions is making the resulting reachability graph or matrix as compact as possible. Since the resulting reachability graph or matrix is traversed during the attack graph core building phase, it should eliminate as much redundancy as possible. Although this compaction serves to reduce the computational complexity of attack graph core building algorithms, most of the previous works cited in this paper do not deal with this issue. Two of the previous works that have significant contributions on this issue are Ingols et al. (2006) and Ingols et al. (2009). These two works can also be improved by grouping common patterns of reachability conditions more aggressively. The compaction of a reachability graph is actually an instance of a combinatorial optimization problem that tries to minimize the number of edges and nodes of the resulting graph by combining the network hosts (or installed software) that have similar reachability patterns. The node(s) of the reachability graph to which a network host belongs should be decided during the execution of the optimization process.

Inaccurate or incorrect target network configuration information collected by using external vulnerability scanners can also lead to unrealistic attack paths. Such inaccurate or incorrect information should be eliminated by using more than one external scanner and cross-checking their results. Additionally, the variety of the filtering rule formats used by different firewall appliances and possibly conflicting filtering rules can cause difficulties in computing accurate reachability conditions. For this purpose, specialized toolkits for modeling and analyzing the filtering rules employed across the target network can be used. An example of such a toolkit is described in Yuan et al. (2006). A modeling and static analysis approach for firewall access control lists (ACLs) based on symbolic model checking is proposed in Yuan et al. (2006). A firewall ACL is treated as a specialized program. The program has a state consisting of the accepted, denied and forwarded packets before executing each ACL rule. Each rule execution changes this state. This analysis method is also used for distributed firewalls with the addition of the definition of an ACL tree. An ACL tree contains distributed firewalls and protection domains as its nodes. Edges represent the topological connections among the nodes. The root of the tree indicates the network portion to be protected (the internal network). The authors define the rules for the state changes during the traversal of an ACL tree in addition to the rules for the state changes inside an ACL tree node (a single firewall ACL). The authors formally define misconfigurations and redundancies (inefficiencies) for firewall configurations. They have implemented a tool, called FIREMAN, and analyzed some firewall configurations used in production environments.

Obtaining the IPS locations and signatures and using them to compute the reachability conditions gives more precise results compared to just using the filtering and access control rules and trust relationships. It can eliminate the attack paths employing exploits that are blocked by the IPS signatures. However, it is better to introduce some uncertainty measure in this process or to use exploits and vulnerabilities together in the generation of attack graphs, because there can be a set of exploits for a vulnerability, some of which are blocked and some of which are not blocked by the IPS signatures. Using only vulnerabilities in the generation of attack graphs without incorporating exploits may not give complete attack paths in this situation.
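The two steps this subsection proposes for reachability analysis, matching scanned services against the filtering rules to get software-level (rather than host-level) reachability and then compacting the result by merging hosts with the same reachability pattern, look like the following when worked through. This is an added example, not the paper's or any cited tool's code; the scan output, rules and the single-firewall topology are constructed assumptions.

```python
"""Added example (not code from the paper): service-level reachability computed
by matching an external service scan against the firewall filtering rules, then
compacted by grouping hosts with identical reachability.  Scan results and rules
are constructed; assumptions: one first-match firewall sits between the /24
subnets, and hosts in the same /24 (including a host and itself) reach each
other without traversing it."""
import ipaddress
from collections import defaultdict

# Constructed output of an external service scan: (host, port, service)
SCAN = [
    ("10.0.1.10", 80, "http"), ("10.0.1.10", 22, "ssh"),
    ("10.0.1.11", 80, "http"), ("10.0.1.11", 22, "ssh"),
    ("10.0.2.20", 3306, "mysql"), ("10.0.2.20", 22, "ssh"),
    ("10.0.3.30", 22, "ssh"),
]
# Constructed filtering rules, first match wins, default deny:
# (source network, destination network, destination port or "any", action)
RULES = [
    ("0.0.0.0/0", "10.0.1.0/24", 80, "allow"),
    ("10.0.1.0/24", "10.0.2.0/24", 3306, "allow"),
    ("10.0.3.0/24", "10.0.0.0/16", "any", "allow"),
    ("10.0.0.0/16", "10.0.0.0/16", 22, "deny"),
]
# Sources to evaluate: an external attacker position plus every scanned host
SOURCES = ["203.0.113.10"] + sorted({host for host, _, _ in SCAN})

def filter_allows(src, dst, port, rules=RULES):
    """First-match evaluation of the filtering rules; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_port, action in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and rule_port in ("any", port)):
            return action == "allow"
    return False

def same_subnet(a, b):
    """Assumed topology: addresses in the same /24 talk without the firewall."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(b + "/24", strict=False)

def reachability(sources=SOURCES, scan=SCAN):
    """Map each source to the (host, port, service) triples it can reach, i.e.
    reachability at the granularity of networked software, not of hosts."""
    return {src: frozenset((dst, port, svc) for dst, port, svc in scan
                           if same_subnet(src, dst) or filter_allows(src, dst, port))
            for src in sources}

def compact(reach):
    """Merge sources with identical reachability into one node of the
    reachability graph: {(members...): reachable services}."""
    groups = defaultdict(list)
    for src, targets in reach.items():
        groups[targets].append(src)
    return {tuple(sorted(members)): targets for targets, members in groups.items()}

if __name__ == "__main__":
    for members, targets in compact(reachability()).items():
        print(members, "->", sorted(targets))
```

The two web hosts collapse into one reachability node; the credential-table and cookie relationships discussed above are exactly what this rule-based computation cannot see.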

6.2. Attack graph modeling

In order to form attack paths based on vulnerabilities realistically, the pre- and postconditions of the vulnerabilities should be determined accurately. There are open vulnerability databases on the Internet, such as NVD (NIST, 2015) and OSVDB (OSVDB, 2015), which contain descriptions and values for some metrics (for example, CVSS (Mell et al., 2007) metrics) for the published and candidate vulnerabilities. These descriptions can be used to determine pre- and postconditions; however, the descriptions are generally human-readable and do not allow one to infer detailed values for pre- and postconditions by using simple text parsing methods. In order to solve this challenge, machine-learning-based text processing algorithms can be utilized, possibly using more than one vulnerability database. Another solution may be to obtain exploits for the vulnerabilities on the Internet and parse the exploit code in order to determine pre- and postconditions.


Validating the determined pre- and postconditions for the vulnerabilities is another issue. There is no well-known validation method. For this purpose, the intrusion alert data sets available on the Internet can be utilized. Although the data sets do not contain alerts related to all the published vulnerabilities, they can give examples of chains of vulnerability exploits. These chains are cross-checked with the pre- and postconditions derived by applying text processing methods to the descriptions in the public vulnerability databases. It can be checked whether the derived conditions make the exploits of the vulnerabilities in a chain possible, and the derived conditions can be adjusted according to the results.

6.3. Attack graph core building

The main challenges related to the attack graph core building phase are caused by the scalability problem that occurs when the size of the target network grows large. When the amount of software installed on the network increases, the number of vulnerabilities on the hosts also increases, giving rise to larger full attack graphs. All of the previous works cited in this article employ a serial algorithm to build attack graphs. The number of nodes in the full attack graphs generated in the experiments performed by these works is generally not considered in the evaluation of the performance of the proposed attack graph building algorithms. Also, the filtering rules used in the experiments are generally not considered in this evaluation. These filtering rules can give rise to very small reachability graphs if they block most of the network traffic. Most of the experiments in the previous works are performed with simulated networks or small field networks. We consider that serial algorithms for attack graph building suffer from the scalability problem even for middle-sized enterprise networks (containing on the order of 100 hosts) deployed in the real world. Distributed and/or hierarchical algorithms can alleviate the scalability problem. Distributed computation can also allow for the distributed collection of the network configuration information and for selective updates of specific attack graph parts when the configuration of only a part of the network changes. Attack graph building can be viewed as an instance of a graph search problem and treated by using distributed search algorithms. Hierarchical computation allows for the selective computation and update of the attack graph parts related to specific parts of the target network. It also allows one to define abstractions (e.g., subnets, sub-domains) over the network hosts and compacts the visualization of large attack graphs.

As future work for the partial attack graph core building phase, one can try to apply heuristics-based search algorithms (A*, Iterative Deepening A*, D*, etc.) to partial attack graph generation, after developing network-security-domain-specific heuristics. The target privileges, determined as input by the network security administrators for partial attack graph generation, will be the goal states for the heuristics-based search algorithms. These algorithms generally find the shortest paths; however, they may be modified to give a range of critical attack paths to the specified target privileges. In order to use these search algorithms, a cost value must be assigned to each edge that appears on the resulting attack graph. These costs may indicate the likelihood of the vulnerability exploits, if the edges on the attack graph represent vulnerability exploits.
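The heuristic-search idea above, with exploit likelihoods turned into edge costs so that the cheapest path to the target privilege is the most likely one, and with the search widened to return a range of critical paths, can be worked through as follows. This is an added example, not the paper's proposal or code; the attack graph, exploit names and likelihood values are constructed, and the hop-count heuristic is a placeholder for the domain-specific heuristics the text leaves as future work.

```python
"""Added example (not code from the paper): heuristic search over a partial
attack graph whose edges are vulnerability exploits weighted by an exploit
likelihood.  With edge cost = -ln(likelihood), path cost adds while
likelihood multiplies, so the cheapest path to the target privilege is the
most likely attack path: A* with an admissible hop-count heuristic finds it,
and a bounded enumeration returns the range of critical paths.  The graph
and the likelihood values are constructed for illustration."""
import heapq
import itertools
import math
from collections import deque

# Constructed attack graph: privilege -> [(gained privilege, exploit, likelihood)]
GRAPH = {
    "attacker@internet": [("user@web", "rce in web service", 0.8),
                          ("user@vpn", "weak vpn credentials", 0.3)],
    "user@web": [("root@web", "local privesc on web", 0.6),
                 ("user@db", "rce in db service", 0.5)],
    "root@web": [("user@db", "login with db credentials read from web host", 0.9)],
    "user@vpn": [("user@db", "direct db login over vpn", 0.7)],
    "user@db": [("root@db", "local privesc on db", 0.6)],
    "root@db": [],
}

def cost(likelihood):
    """Edge cost; summing costs along a path equals -ln of the path likelihood."""
    return -math.log(likelihood)

def hop_heuristic(graph, goal):
    """Admissible and consistent heuristic: hops still needed to reach the goal
    (reverse BFS from the goal) times the cheapest edge cost in the graph."""
    reverse = {n: [] for n in graph}
    cheapest = math.inf
    for src, edges in graph.items():
        for dst, _, p in edges:
            reverse[dst].append(src)
            cheapest = min(cheapest, cost(p))
    hops, queue = {goal: 0}, deque([goal])
    while queue:
        n = queue.popleft()
        for prev in reverse[n]:
            if prev not in hops:
                hops[prev] = hops[n] + 1
                queue.append(prev)
    return lambda n: hops.get(n, math.inf) * cheapest

def astar(graph, start, goal, heuristic=lambda n: 0.0):
    """Most likely path as (likelihood, [(privilege, exploit used), ...]);
    the default zero heuristic turns this into Dijkstra's algorithm."""
    tie = itertools.count()                 # keeps heap entries comparable
    best = {start: 0.0}
    frontier = [(heuristic(start), 0.0, next(tie), start, [(start, None)])]
    while frontier:
        _, g, _, node, path = heapq.heappop(frontier)
        if node == goal:
            return math.exp(-g), path
        if g > best.get(node, math.inf):
            continue                        # stale entry
        for nxt, exploit, p in graph[node]:
            g2 = g + cost(p)
            if g2 < best.get(nxt, math.inf):
                best[nxt] = g2
                heapq.heappush(frontier, (g2 + heuristic(nxt), g2, next(tie),
                                          nxt, path + [(nxt, exploit)]))
    return 0.0, []

def critical_paths(graph, start, goal, min_likelihood):
    """All simple attack paths to the goal with likelihood >= min_likelihood,
    most likely first; pruning by likelihood keeps the enumeration bounded."""
    found = []
    def walk(node, visited, path, g):
        if node == goal:
            found.append((math.exp(-g), path))
            return
        for nxt, exploit, p in graph[node]:
            g2 = g + cost(p)
            if nxt not in visited and math.exp(-g2) >= min_likelihood:
                walk(nxt, visited | {nxt}, path + [(nxt, exploit)], g2)
    walk(start, {start}, [(start, None)], 0.0)
    return sorted(found, key=lambda t: -t[0])

if __name__ == "__main__":
    lik, path = astar(GRAPH, "attacker@internet", "root@db", hop_heuristic(GRAPH, "root@db"))
    print(f"most likely path ({lik:.4f}):", " -> ".join(n for n, _ in path))
    for lik, path in critical_paths(GRAPH, "attacker@internet", "root@db", 0.1):
        print(f"{lik:.4f}", [e for _, e in path[1:]])
```

Note that the most likely path here is the longer one through root@web (0.8·0.6·0.9·0.6 = 0.2592), not the shortest in hops, which is why the costs must come from likelihoods rather than edge counts.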

6.4. Using attack graphs for network security

Related to the usage of attack graphs is network security risk analysis, which computes risk values for any intended node in the attack graph by using the likelihood of successful exploitation and the damage values of the vulnerabilities. These likelihood and damage values are usually taken from the CVSS (Mell et al., 2007) vulnerability scoring system. There is also another system for scoring weaknesses, called CWSS (CWSS, 2015), which provides a mechanism for prioritizing software weaknesses in a consistent, flexible and open manner. Both CWSS and CVSS incorporate temporal and environmental (network-specific) parameters into the computation of the corresponding score values. The values of these parameters have to be specified by the network administrators. This may give rise to the problem of inaccurate or incorrect risk value computations. The lack of standardized methods and frameworks to evaluate the computed risk values amplifies the effects of this problem. For network security risk analysis, another challenge may be the difficulty of obtaining accurate relationships among the installed software. The cascading effects of an attack on the dependent software are modeled by using these relationships.

Near-optimal defense measure recommendation, as one usage of attack graphs, suffers from the scalability problem caused by the growing size of the target network and attack graphs. Also, the increased number of defense measures available to the network administrator can cause a scalability problem. In order to alleviate these problems, distributed algorithms can be used. Another problem related to near-optimal defense measure recommendation based on attack graphs is that the interdependencies among the available defense measures are ignored. Among the previous works cited in this paper, only the method proposed in Albanese et al. (2012) accounts for these kinds of interdependencies. These interdependencies model the similar effects on the target network introduced by the application of different defense measures. As future work for the combinatorial optimization-based defense measure recommendation methods, new candidate selection functions (e.g., mutators for genetic algorithms) accounting for these interdependencies can be designed. These functions can allow the optimization method to find the near-optimal defense measure set(s) quickly without being caught in local optima.

In near real-time network security analysis, the intrusion alerts and system/application logs collected throughout the target network can be correlated to determine the ongoing attack scenarios in the form of partial attack graphs. The alerts and logs are used to create and update the partial attack graphs. In order to be able to perform the create/update operations in near real-time, newly received alerts and logs should be matched to the correct partial attack graphs (attack scenarios) quickly. As future work, specific criteria can be formed and used in determining which attack scenarios are given precedence in processing the newly received alerts and logs. Real-time scheduling algorithms can be used to schedule the attack scenarios for this purpose. Various heuristics accounting for the detected attack scenarios’ structural and content-wise properties can be developed for use in real-time scheduling of attack scenarios. New attack prediction schemes depending on the detected attack scenarios can also be investigated.

None of the previous works cited in this article utilize secondary logs in near real-time security analysis. A secondary log is a software log event that does not indicate a security event directly; however, a collection of secondary logs can indicate a security event. Examples are all the logs generated by operating systems and application software other than the security (virus, trojan, intrusion, etc.) alerts. These logs can represent the actions taken by malware on a network host after it has infected the host without being detected by any anti-virus software or intrusion detection system. As future work, secondary logs can also be processed by using behavioral malware signatures. The collections of secondary logs that match these signatures can be determined. By using the matched signatures, the security events indicated by the collections of secondary logs can be determined. These security events can be incorporated into the generated partial attack graphs, each representing an ongoing attack scenario.

7. Conclusions

Each attack graph generation approach examined in the context of this article uses a specific methodology to model network security domain objects (vulnerabilities, atomic attacks, privileges, etc.) and applies specific techniques (resolution or model checking in the case of logic-based approaches, graph traversal and search in the case of graph-based approaches) to incrementally generate the partial or full attack graph for the target network. Most of the works described in the earlier sections introduce some kind of abstraction over vulnerabilities, atomic attacks, etc. in order to reduce the time and space complexity of the attack graph core building process. These abstractions also aid in the simplification of vulnerability pre- and postcondition extraction and reachability analysis.

We realize that the earlier works mostly concentrate on reachability analysis, attack graph modeling and core building issues. They focus on solving the scalability problem for full attack graph generation. However, the recent works mostly focus on the usage of attack graphs for network security evaluation and monitoring by utilizing partial attack graphs and attack graph pruning methods. The significance of the computation and usage of attack paths that are critical with respect to specific pre-determined criteria is increasing. The idea of presenting compact, hierarchical attack graphs that are easily manageable by the network administrators is getting more attention. Devising abstractions for attack graph parts, which allow efficient execution of network security analysis methods and let the network administrator focus on the critical and targeted network areas, is becoming more important.

In this article, a taxonomy of the applied algorithms and models associated with the reachability analysis, attack graph modeling, and core building phases of the attack graph generation process is developed. The algorithms and models employed by the selected prominent works in the literature related to the attack graph generation process are explained by categorizing them according to the presented classification scheme. The proposed classification scheme also takes into account the usage of attack graphs for network security. The basic problems, potential challenges and open issues in attack graph generation and usage are described. Recommendations for future work are discussed for reachability analysis, attack graph modeling, attack graph core building and usage of attack graphs. We believe that the proposed taxonomy allows future works in the area to be developed in a more structured manner, and that the stated challenges and open issues shed light on future developments.

Acknowledgments

Parts of this work were supported by funding from the German Federal Ministry of Education and Research under grant 01IS13003. The responsibility of this publication lies solely with the authors.

REFERENCES

A. Core Security Corporate, Buenos Aires, Research and Development Center, Core Security Corporate, Buenos Aires, Argentina. Attack intelligence, vulnerability prioritization & consolidation | Core Security, ; 2015. A. Sandia National Laboratories, New Mexico, Sandia National Laboratories, New Mexico, Albuquerque. Exceptional service in the national interest, ; 2015. Albanese M, Jajodia S, Pugliese A, Subrahmanian VS. Scalable analysis of attack scenarios. In: Proceedings of the 16th European conference on research in computer security, ESORICS’11. Berlin, Heidelberg: Springer-Verlag; 2011. p. 416– 33, . Albanese M, Jajodia S, Noel S. Time-efficient and cost-effective network hardening using attack graphs. In: Swarz RS, Koopman P, Cukier M, editors. DSN. IEEE Computer Society; 2012. p. 1–12. Albanese M, Jajodia S, Singhal A, Wang L. An efficient approach to assessing the risk of zero-day vulnerabilities. In: Proceedings of the 10th international conference on security and cryptography (ICETE 2013); 2013. p. 207–18. doi:10.5220/ 0004530602070218. Ammann P, Wijesekara D, Kaushik S. Scalable, graph-based network vulnerability analysis. Proceedings of the 9th ACM conference on computer and communications security; 2002;50(1):217–24. Ammann P, Pamula J, Street J, Ritchey R. A host-based approach to network attack chaining analysis. Proceedings of the 21st annual computer security applications conference; 2005;50(1):72–84. Beckers K, Heisel M, Krautsevich L, Martinelli F, Meis R, Yautsiukhin A. Determining the probability of smart grid attacks by combining attack tree and attack graph analysis. In: Cuellar J, editor. Lecture notes in computer science, vol. 8448. Smart grid security. Springer International Publishing; 2014. p. 30–47. Beckers K, Krautsevich L, Yautsiukhin A. Analysis of social engineering threats with attack graphs. In: Garcia-Alfaro J, Herrera-Joancomart J, Lupu E, Posegga J, Aldini A, Martinelli F, et al., editors. Lecture notes in computer science, vol. 
8872. Data privacy management, autonomous spontaneous security, and security assurance. Springer International Publishing; 2015. p. 216–32.

Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

ARTICLE IN PRESS 28

journal of information security and applications ■■ (2016) ■■–■■

Bhattacharya S, Malhotra S, Ghsoh SK. A scalable representation towards attack graph generation. Information technology, 2008. IT 2008. 1st international conference; 2008;50(1):1–4. C. M. U. Computer Science Department, Computer Science Department, Carnegie Mellon University, ; 2015. C. U. Concordia Institute for Information Systems Engineering, Concordia Institute for Information Systems Engineering, Concordia University, ; 2015. CAPEC, Common Attack Pattern Enumeration and Classification, ; 2015. Chen F, Wang L, Su J. An efficient approach to minimum-cost network hardening using attack graphs. In: Information assurance and security, 2008. ISIAS ’08. Fourth international conference on; 2008. p. 209–12. doi:10.1109/IAS.2008.38. Chen F, Wang C, Tian Z, Jin S, Zhang T. An atomic-domainsbased approach for attack graph generation, ; 2009. Chen YZF, Su J. Engineering secure software and systems. Berlin, Germany: Springer Berlin Heidelberg; 2009. p. 150–63. A scalable approach to full attack graphs generation A Scalable Approach to Full Attack Graphs Generation. Common Platform Enumeration, ; 2015. CVE, Common Vulnerabilities and Exposures, ; 2015. CWE, Common Weakness Enumeration, ; 2015. CWSS, Common Weakness Scoring System (CWSS), ; 2015. D. of Electrical, U. o. I. Computer Engineering, Department of Electrical and Computer Engineering, University of Illinois. Home :: ECE ILLINOIS, ; 2015. Dacier M, Deswarte Y, Ka¢niche M. Quantitative assessment of operational security: models and tools; 1996. Dewri R, Poolsappasit N, Ray I, Whitley D. Optimal security hardening using multi-objective optimization on attack tree models of networks. In: Proceedings of the 14th ACM conference on computer and communications security, CCS ’07. New York, NY, USA: ACM; 2007. p. 204–13. doi:10.1145/ 1315245.1315272. Foo B, Wu Y-S, Mao Y-C, Bagchi S, Spafford E. Adepts: adaptive intrusion response using attack graphs in an e-commerce environment. In: Dependable systems and networks, 2005. 
DSN 2005. Proceedings. International conference; 2005. p. 508– 17. Ford MD, Keefe K, LeMay E, Sanders WH, Muehrcke C. Implementing the advise security modeling formalism in möbius. In: Proceedings of the 2013 43rd annual IEEE/IFIP international conference on dependable systems and networks (DSN), DSN ’13. Washington, DC, USA: IEEE Computer Society; 2013. p. 1–8. doi:10.1109/DSN.2013.6575362. Frigault M, Wang L. Measuring network security using Bayesian network-based attack graphs. In: COMPSAC. IEEE Computer Society; 2008. p. 698–703. Frigault M, Wang L, Singhal A, Jajodia S. Measuring network security using dynamic Bayesian network. In: Proceedings of the 4th ACM workshop on quality of protection, QoP ’08. New York, NY, USA: ACM; 2008. p. 23–30. G. M. U. Center for Secure Information Systems, Center for Secure Information Systems, George Mason University, ; 2015. GFILanGuard, Gfilanguard network security scanner and patch management, ; 2015. Han B, Wang Q, Yu F, Zhang X. A vulnerability attack graph generation method based on scripts. In: Proceedings of the

third international conference on information computing and applications, ICICA’12. Berlin, Heidelberg: Springer-Verlag; 2012. p. 45–50. Ingols K, Lippmann R, Piwowarski K. Practical attack graph generation for network defense. Proceedings of the 22nd annual computer security applications conference; 2006;50(1):121–30. Ingols K, Chu M, Lippmann R, Webster S, Boyer S. Modeling modern network attacks and countermeasures using attack graphs. Proceedings of the 2009 annual computer security applications conference; 2009;50(1):117–26. Islam T, Wang L. A heuristic approach to minimum-cost network hardening using attack graph. In: New technologies, mobility and security, 2008. NTMS ’08; 2008. p. 1–5. doi:10.1109/ NTMS.2008.ECP.9. Jajodia S, Noel S. Topological vulnerability analysis. In: Jajodia S, Liu P, Swarup V, Wang C, editors. Advances in information security, vol. 46. Cyber situational awareness. Springer; 2010. p. 139–54. Jajodia S, Noel S, Kalapa P, Albanese M, Williams J. Cauldron mission-centric cyber situational awareness with defense in depth. In: Military communications conference, 2011 – MILCOM 2011; 2011. p. 1339–44. doi:10.1109/ MILCOM.2011.6127490. Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs. In: Computer security foundations workshop, 2002. Proceedings. 15th IEEE; 2002a. p. 49–63. doi:10.1109/ CSFW.2002.1021806. Jha S, Sheyner O, Wing J. Minimization and reliability analyses of attack graphs, ; 2002b. Jun-chun M, Ji-yin S. Optimal network hardening model based on parallel genetic algorithm. In: Industrial control and electronics engineering (ICICEE). 2012 international conference; 2012. p. 546–9. Kotenko I, Doynikova E. Security assessment of computer networks based on attack graphs and security events. In: Mahendra M, Neuhold E, Tjoa A, You I, editors. Lecture notes in computer science, vol. 8407. Information and communication technology. Springer Berlin Heidelberg; 2014. p. 462–71. Kotenko I, Stepashkin M. 
Attack graph based evaluation of network security. In: Proceedings of the 10th IFIP TC-6 TC-11 international conference on communications and multimedia security, CMS’06. Berlin, Heidelberg: Springer-Verlag; 2006. p. 216–27. L. for Analysis, F. Architecture of Systems, LAAS-CNRS, Laboratory for Analysis and Architecture of Systems, France, ; 2015. LeMay E, Unkenholz W, Parks D, Muehrcke C, Keefe K, Sanders WH. Adversary-driven state-based system security evaluation. In: Proceedings of the 6th international workshop on security measurements and metrics, MetriSec ’10. New York, NY, USA: ACM; 2010. p. 5:1–9. doi:10.1145/ 1853919.1853926. LeMay E, Ford M, Keefe K, Sanders W, Muehrcke C. Model-based security metrics using adversary view security evaluation (advise). In: Quantitative evaluation of systems (QEST), 2011 eighth international conference on; 2011. p. 191–200. doi:10.1109/QEST.2011.34. Lucangeli J, Sarraute C, Richarte G. Attack planning in the real world, workshop on intelligent security (SecArt 2010). M. Lincoln Laboratory, Lincoln Laboratory, MIT, ; 2015. Ma J, Wang Y, Sun J, Hu X. A scalable, bidirectional-based search strategy to generate attack graphs. Computer and Information Technology, International Conference on 0; 2010;2976–81.

Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001

ARTICLE IN PRESS journal of information security and applications ■■ (2016) ■■–■■

Man D, Zhang B, Yang W, Jin W, Yang Y-T. A method for global attack graph generation, networking, sensing and control, 2008. ICNSC 2008. IEEE international conference; 2008;50(1):236–41. Mehta V, Bartzis C, Zhu H, Clarke E, Wing J. Ranking attack graphs. In: Proceedings of the 9th international conference on recent advances in intrusion detection, RAID’06. Berlin, Heidelberg: Springer-Verlag; 2006. p. 127–44. Mell P, Scarfone K, Romanosky S. CVSS: a complete guide to the common vulnerability scoring system version 2.0. National Institute of Standards and Technology; 2007. N. Tenable, Nessus vulnerability scanner, ; 2015. Ning P, Xu D. Learning attack strategies from intrusion alerts. Proceedings of the 10th ACM conference on computer and communications security; 2003;50(1):200–9. NIST, National vulnerability database, ; 2015. Nmap, Nmap security scanner, ; 2015. Noel S, Robertson E, Jajodia S. Correlating intrusion events and building attack scenarios through attack graph distances. In: ACSAC. IEEE Computer Society; 2004. p. 350–9. Noel S, Elder M, Jajodia S, Kalapa P, O’Hare S, Prole K. Advances in topological vulnerability analysis. In: Proc. of the 2009 Cybersecurity Applications & Technology Conf. for Homeland Security, CATCH ’09. Washington, DC, USA; 2009. p. 124–9. OpenVAS, Openvas open source vulnerability scanner and manager, ; 2015. Ortalo R, Deswarte Y, Kaaniche M. Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans Softw Eng 1999;633–50. OSVDB, The open source vulnerability database, ; 2015. Ou X, Boyer WF, McQueen MA. A scalable approach to attack graph generation. Proceedings of the 13th ACM conference on computer and communications security; 2006;50(1): 336–45. OVALdi, Ovaldi — an open-source local vulnerability assessment scanner, ; 2015. Pamula J, Jajodia S, Ammann P, Swarup V. A weakest-adversary security metric for network configuration security analysis. 
Please cite this article in press as: Kerem Kaynar, A taxonomy for attack graph generation and usage in network security, journal of information security and applications (2016), doi: 10.1016/j.jisa.2016.02.001