Towards scalable security analysis using multi-layered security models

Towards scalable security analysis using multi-layered security models

Journal of Network and Computer Applications 75 (2016) 156–168 Contents lists available at ScienceDirect Journal of Network and Computer Application...
Download PDF
2MB Sizes 0 Downloads 75 Views
Report

Journal of Network and Computer Applications 75 (2016) 156–168

Contents lists available at ScienceDirect

Journal of Network and Computer Applications journal homepage: www.elsevier.com/locate/jnca

Towards scalable security analysis using multi-layered security models Jin B. Hong n, Dong Seong Kim Computer Science and Software Engineering, University of Canterbury, Christchurch, New Zealand

art ic l e i nf o

a b s t r a c t

Article history: Received 13 September 2015 Received in revised form 29 February 2016 Accepted 26 August 2016 Available online 31 August 2016

Security models, such as an attack graph (AG), are widely adopted to assess the security of networked systems, such as utilizing various security metrics and providing a cost-effective network hardening solution. There are various methods of generating these models, but the scalability problem exists for single-layered graph-based security models when analyzing all possible attack paths. To address this problem, we propose to use a multi-layer hierarchical attack representation model (HARM) that models various components in the networked system in different layers to reduce the computational complexity. First, we formulate key questions that need to be answered to assess the scalability of security models. Second, we formally define the multi-layer HARM. Last, we conduct experiments to show the scalability of security models. Our experimental results show that using the HARM can improve the scalability of assessing the security of the networked system significantly in comparison to the single-layered security models in various network scenarios. & 2016 Elsevier Ltd. All rights reserved.

Keywords: Attack graphs Attack trees Complexity analysis Scalability Security analysis Security model

1. Introduction Cyber criminals can compromise networked systems by exploiting vulnerabilities, and such events impose a critical socioeconomic impact on enterprises and individuals. An attack surface describes vulnerabilities that cyber criminals can exploit to penetrate through the networked system (Manadhata and Wing, 2011), and so it is of paramount importance to secure the networked system by minimizing the attack surface (e.g., patching vulnerabilities). Security models, or also known as attack representation models (ARMs), are well-defined means of analyzing the security of networked systems in efforts to enhance the fundamental framework for network security (Schumacher and Ghosh, 1997; Lippmann and Ingols, 2005; Kordy et al., 2013). These models can be used to analyze vulnerabilities in the networked system, and provide solutions to effectively manage them (e.g., network hardening) (Ammann et al., 2002; Dewri et al., 2007; Saini et al., 2008; Dawkins and Hale, 2004). However, analyzing all possible attack paths using single-layered graph-based ARMs has a scalability problem (e.g., an attack graph (AG), Sheyner et al., 2002). This is an emerging problem as network systems are becoming large, such as the Cloud (Popovic et al., 2010; Mell and Grance, 2011; Sood, 2012). n

Corresponding author. E-mail addresses: [email protected] (J.B. Hong), [email protected] (D.S. Kim). http://dx.doi.org/10.1016/j.jnca.2016.08.024 1084-8045/& 2016 Elsevier Ltd. All rights reserved.

Two main approaches, namely structural modifications (Ou et al., 2006; Ingols et al., 2006; Xie et al., 2009) and heuristic methods (Homer et al., 2008; Poolsappasit et al., 2012; Chen et al., 2010), are proposed and used (separately or combined) to improve the scalability of ARMs. However, networked systems are becoming larger and highly dynamic (e.g., Cloud networks). Consequently, structural modifications solutions still suffer the scalability problem when the size of the networked system becomes very large (Lippmann and Ingols, 2005; Noel and Jajodia, 2004; Hong and Kim, 2012). Also, heuristic methods are model-centric (i.e., only applicable to a subset of security models). As a result, users may require multiple implementations of different security models to be able to analyze various security metrics (e.g., a security model may not support all security metrics required). Moreover, it becomes difficult to validate the result of security analysis when other security models do not provide the same function. Therefore, there is a need for security modeling and analysis techniques to deal with the scalability problem to compute all possible attack paths to analyze the security of networked systems. We propose to use a multi-layered hierarchical attack representation model (HARM) to improve the scalability problem (Hong and Kim, 2012), and we analyzed the computational complexities of the HARM in each phase of an ARM lifecycle (which is described in Hong and Kim, 2013c) to compare the theoretical performances of different functionalities. The ARM lifecycle consists of five phases (pre-processing, generation, representation, evaluation, and modification), which are required steps in

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

analyzing the security of the networked system. More details can be found in Hong and Kim (2013c). Our previous study in Hong and Kim (2012) showed that the HARM has better or equal computational complexities in comparison to the simplified AG, as well as the performance when taking into account different network topologies and varying number of vulnerabilities (as shown in Hong and Kim, 2013a). In this paper, we extend our previous work in Hong and Kim (2013a) to answer the following questions: (i) Can we improve the performance using more layers in the HARM? (ii) What is the performance of ARMs with respect to more complex network topologies? To answer these questions, the network density is also taken into account in the analysis. The network density describes the average number of edges between hosts, such that a high density value means there are many host pairs connected (e.g., a fully connected network topology), and a low density value means there are not many host pairs connected (e.g., a star network topology). The contributions of this paper are:

 A formal definition of h-layered HARM (h-HARM) using AGs.  Scalability analysis and comparison of h-HARM, an AG and TwoLayered AG (TLAG) with respect to complex network topologies.

 Investigating the effects of the network density for generations and evaluations of ARMs.

The rest of the paper is as organized as follows. In Section 2, related work is introduced, and the overview of the HARM is shown in Section 3. In Section 4, we answer some of the key questions when assessing the scalability of ARMs using complexity analysis. In Section 5, we conduct security analysis using various ARMs, and experimental results are presented in Section 6. Discussion on our findings is presented in Section 7, and we conclude our paper in Section 8.

2. Related work Security is an ongoing problem for enterprises and individuals (Schumacher and Ghosh, 1997), because analyzing the security posture is a difficult task for networked systems with many hosts and vulnerabilities. To improve our understanding of this problem, ARMs are developed and used with an intensive focus on improving the usability and functionalities. Graph-based ARMs are one of the most widely adopted security modeling techniques (Kordy et al., 2013), because they are user-friendly and provide various metrics as well as security analysis methods that were developed during the past decade. One of the first introduced graph-based ARMs by Phillips and Swiler (1998) is an attack graph (AG) that maps all possible attack paths in a given networked system, and Sheyner et al. (2002) formally defined the AG. However, computing all possible attack paths yields an exponential computational complexity, so many researchers presented more efficient methods of generating and evaluating the AG. Either improvements to the full AG using heuristic methods (e.g., graph simplification and clustering) (Noel and Jajodia, 2005; Sawilla and Skillicorn, 2012; Mehta et al., 2006; Hong and Kim, 2013b) or a new graph-based ARM structures (Ou et al., 2006; Ingols et al., 2006; Xie et al., 2009) based on logical references to the networked system properties are proposed to address the scalability problem. However, as the networked system becomes larger and highly dynamic (e.g., a Cloud network, Mell and Grance, 2011; Sood, 2012), these existing solutions still suffer from the scalability problem. Ou et al. (2006) proposed a logical attack graph (LAG) that can be generated with a polynomial computational complexity, but they did not consider analyzing the complexity of security evaluation. Moreover, their experiment assumed that each host has

157

the same vulnerabilities (i.e., a homogeneous networked system). Ingols et al. (2006) proposed a predictive graph and a multiple prerequisite graph (MPG). They reported that the scalability of the MPG has the size complexity of O(n log n), where n is the number of hosts in the networked system (i.e., almost linear with respect to the size of the networked system). MPG used graph simplification prior to evaluating the security of networked systems. Also, the number of vulnerabilities was fixed in their experiment (e.g., fixed with 10 vulnerabilities). Xie et al. (2009) used a two-layer attack graph (TLAG), where the upper layer captured the host reachability and the lower layer captured the vulnerability information. This is very similar to 2-HARM (i.e., 2 layered HARM), but the difference is that the lower layer information (i.e., vulnerability models) are stored in each edge between nodes in the upper layer in the TLAG (i.e., construct the vulnerability attack graph between host pairs). In contrast, the lower layer models have a one-to-one relationship with the upper layer nodes in the HARM. As a result, less memory space is required for the HARM than the TLAG. If we assume that the same methods are used for both HARM and TLAG, then the generation and evaluation times of the HARM will be better as there is less number of lower layer models in the HARM than the TLAG. However, authors did not conduct scalability analysis, and the vulnerability information was not given. In a similar way, Machida et al. (2013) proposed an automated composition of a hierarchical stochastic model from SysML to analyze the system availability. It demonstrates the scalability improvement while maintaining the accuracy of the analysis, given the model is decomposable. However, we focus not only on the availability modeling and analysis, but a broad field of security analysis using various security metrics. Heuristic methods avoid computing all possible attack paths (e.g., graph simplification, Chen et al., 2010; Homer et al., 2008; Ingols et al., 2009; Noel and Jajodia, 2005; Sawilla and Skillicorn, 2012, and approximation algorithms, Abadi and Jalili, 2010; Islam and Wang, 2008; Mehta et al., 2006; Hong and Kim, 2013b; Hong et al., 2014). However, a major drawback of these methods is the lack of reusability of them due to their model-centric properties (i.e., methods proposed specific to certain security models and their properties). For example, a probabilistic approach to evaluating the security of the networked system proposed by Wang et al. (2013) requires to use a dependency AG. However, the method proposed specifically requires the use of dependency AG and it cannot be used by other security models directly. There is also a potential loss of security information in the evaluation phase due to taking into account only the subset of security information in the analysis. In this paper, we focus on improving the scalability of ARMs to evaluate all possible attack paths using the HARM that does not depend on the model properties, as well as without any loss of security information in the evaluation phase. A set of key questions that should be considered to assess the scalability of ARMs is given in Section 4, and we try to answer these questions with respect to some of the most recent work on structural modification solutions.

3. Overview of the HARM The main idea of the HARM is to model the system components onto multiple layers in the model. By doing so, we can improve the scalability of utilizing security models, especially for large sized networked systems. For example, a small network shown in Fig. 1 has one malicious host (H0) and two legitimate hosts (H1 and H2). The goal of the attacker H0 is to compromise the root privilege of H2. We can create an AG to model the attack scenario of the given network as shown in Fig. 2. Although with a very small number of

158

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

Fig. 1. A small example networked system.

Fig. 2. An AG of the small example.

hosts and vulnerabilities, a single layer representation by the AG is complicated. On the other hand, the 2 layer HARM (i.e., 2-HARM) is shown in Fig. 3, which captures the host reachability information in the upper layer and the vulnerability information in the lower layers, respectively. Not only the visual representation is simplified, but the computational steps are also simplified using the bottom-up approach (further details are shown in Section 5). Similarly, we can further increase the number of layers by identifying hierarchy in the system (e.g., subnets, containing hosts, containing vulnerabilities).

4. Complexity analysis of ARMs The scalability problem exists for security assessments, as it becomes infeasible to manage the size of ARMs as the networked system becomes larger. Existing studies on ARMs lack in comparative studies to show how well their models scale in various environments and attack scenarios. We formulated five key questions to compare the scalability of ARMs in Hong and Kim (2013a), which are essential to understanding the scalability of ARMs in various networked systems. Those key questions are: Q1 Q2 Q3 Q4 Q5

Was the computational complexity analysis performed? Was the model compared with other ARMs? Were different network topologies considered? Was the effect of variable number of vulnerabilities for hosts considered? Were different types of vulnerabilities (e.g., user and root) considered?

We consider different graph-based ARMs (AG, LAG, MPG, TLAG and HARM with two layers (i.e., h¼ 2)) and compare their scalability in the generation and the evaluation phase (in terms of

complexity) by inspecting their model structures and features. Phases of the ARM lifecycle can be found in Hong and Kim (2013c). We take into account AG used in both upper and lower layers of the 2-HARM, where the upper layer captures the reachability of hosts and the lower layer captures the vulnerability information. Also, if the ARM generates pre-condition and post-condition nodes, then we consider them as a single node (i.e., simplified). The scalability of the evaluation phase is compared by the computational complexity of analyzing a security metric (e.g., system risk) by computing all possible attack paths. Here, the term ‘complexity’ refers to the complexity analysis in algorithms and data structures, so having a better complexity (e.g., in terms of the Big Oh notation) means better scalability. If we are interested in all possible attack paths as an output, then all ARMs (should) generate the same result with similar computational complexities (i.e., we do not consider different data structures used). However, if we use all possible attack paths to evaluate the security (such as system risk, impact, return on investment, attack cost, and probability of an attack success), then the computational complexities vary for all ARMs depending on their structures. We will only consider the number of hosts and vulnerabilities of each ARM to compare the scalability, because they are the major variable factors for the scalability among many others. The answers to the key questions considering the generation and evaluation phases are given in Tables 1 and 2, respectively. If there is a corresponding study to answer the key questions (i.e., there has been an experiment to answer the key question), then the table will indicate Yes to the corresponding question for the model. Otherwise, a No is denoted to indicate there are no such experiments to answer the question. Comprehensive details of these models can be found in Kordy et al. (2013). The main task of the generation phase is to retrieve the network information and generating the relationships between network components specific to the ARM requirements (e.g., connecting a vulnerability node to its subsequent vulnerabilities or hosts based on the reachability, application and port information). We assume that the vulnerabilities of each host can be exploited based on the reachability information only (i.e., only known vulnerabilities and exploits). 4.1. HARM (Hong and Kim, 2012) The generation of the HARM using AGs in its layers has a computational complexity of O (m2n + n2), taking into account n number of hosts and m number of vulnerabilities for each host (Hong and Kim, 2012). If only the number of hosts is taken into account, then the complexity is O(n2). Evaluating the security using the HARM has an exponential computational complexity of O (m ! n!), which is based on the worst case analysis using a fully connected networked system. A scalability analysis based on simulation results showed that using different network topologies improved the scalability of security models (Hong and Kim, 2013a).

Fig. 3. A 2 layer HARM of the small example.

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

Table 1 Answers to key questions in the generation phase. Attack models

TLAG

LAG

MPG

HARM

Q1 Q2 Q3 Q4 Q5

Yes No No No No

Yes Yes Yes Yes No

Yes Yes No No Yes

Yes Yes Yes Yes Yes

159

number of nodes. But if we consider computing all possible attack paths, the worst case scenario of evaluating the MPG is equivalent to the AG (e.g., consisting of only a single reachability group). If there are multiple prerequisite nodes, then connections between hosts and vulnerabilities are grouped by the prerequisite nodes, and it reduces the complexity in the evaluation. However, their performance analysis did not consider different network topologies or variable number of vulnerabilities that may affect how reachability groups are formed. 4.5. TLAG (Xie et al., 2009)

Table 2 Answers to key questions in the evaluation phase. Attack models

TLAG

LAG

MPG

HARM

Q1 Q2 Q3 Q4 Q5

Yes No No No No

Estimated No No No No

Estimated Yes No No Yes

Yes Yes Yes Yes Yes

4.2. AG (Sheyner et al., 2002) The connections between vulnerabilities and hosts in the AG are independent, so there are more edges in the AG than the HARM. As a result, the computational complexity of generating the AG is greater than the HARM as shown in Hong and Kim (2012). Moreover, because there are a larger number of edges, traversing the AG to compute all possible attack paths has worse computational complexity than the HARM even if the same algorithm was used (as shown in Hong and Kim, 2013a). 4.3. LAG (Ou et al., 2006) The LAG has a generation complexity of O (δn), where n is the number of hosts in the networked system and δ is the time to find the host in the lookup table (Ou et al., 2006). However, they assumed that all vulnerabilities are the same (remote to exploits). Since each derivation node is an AND node, repeated nodes are required for each exploit if there are multiple sources it could be exploited from. If we allow the derivation nodes to be OR nodes, the number of repeated nodes will be reduced and also reduces the size complexity of the LAG. Therefore, the HARM (linear size) has better size complexity that the LAG (polynomial size). Evaluating the LAG is not shown in Ou et al. (2006), and graph simplification and approximation algorithms are used to evaluate the LAG in Homer et al. (2008). We analyze the computational complexity of the LAG to compute all possible attack paths to be the same as the AG, because each fact node (it can be considered as a host node with a given privilege) makes an independent connection to derivation nodes (it can be considered as vulnerability nodes). The number of paths from each fact node increases exponentially as the number of choices increases in the attack path, which is the same property found in the AG. 4.4. MPG (Ingols et al., 2006) The MPG has the number of components linearly proportional to the number of hosts and vulnerabilities in the networked system (Ingols et al., 2006). Additionally, it also requires the use of prerequisite nodes, which decreases the number of independent connections between hosts and vulnerabilities, but increases the size of the MPG. However, their experimental results showed that the number of total nodes in the MPG is negligible compared to the AG when generating the MPG. Evaluating the MPG utilizes graph simplification. As a result, their evaluation complexity is almost linear with respect to the

Generating the TLAG is not described in Xie et al. (2009), but if we consider the same generation method as the HARM with the same computational complexity (i.e., polynomial computational complexity to generate the TLAG). The number of lower layer models is determined based on the number of host pairs (i.e., edges in the upper layer), which can be up to O(n2) number of edges. However, if the lower layer models in the TLAG are identical between different host pairs, they can share the same lower layer model. In the optimal case, where a host will have the same exploit sequence from any source, the number of lower layer models is linearly proportional to the number of hosts in the TLAG. Only the optimal case will show the same number of lower layer models with the HARM. The evaluation of the TLAG considered the overall security using the probability of an attack. Matrix evaluation is used, but this evaluation method lacks in assessing different attack paths and their effects. If we assume the optimal case as mentioned previously, then the performance of the TLAG and HARM will be equivalent. We explore the performance change when a larger number of hierarchies are used in Section 6. The number of hostpair attack graphs (i.e., lower layer information) was not linearly proportional to the number of hosts. Moreover, their performance analysis did not consider different network topologies, number of vulnerabilities, and vulnerabilities with different privileges when exploited. We further analyze the performance of the TLAG in comparison to the HARM in Section 6.

5. Security analysis using ARMs 5.1. Preliminaries First we define an example networked system as shown in Fig. 4. It is composed of three subnets: (i) Demilitarized zone (DMZ), (ii) Internal Networks (INs), and (iii) Database (DB). Firewalls are placed to control the outside access to the INs and DB. We denote Web server as WS, Application server as AS, and Database server as DS, respectively. We assume that an attacker is located on the Internet, and the goal of the attacker is to compromise the backend DB server (i.e., DS3). WSs and ASs have two vulnerabilities v1 and v2, and DSs have one vulnerability v3. The properties of these vulnerabilities are shown in Table 3, where values are reasonable guesstimates. However, real data can also be used as in Hong and Kim (2013c) and Chen et al. (2013). Since the method to evaluate the security of networked systems is the same (e.g., using the exhaustive search method), any security metrics can be used as our major concern which is the scalability of security models and not the security analysis itself. The probability of an attack success specifies the likelihood of an attacker exploiting the vulnerability in any attack events. The impact value specifies the potential impact to the networked system, where higher value means more severe the impact (with a lower boundary of zero). The cost to patch (in dollars) specifies the cost of patching a specific vulnerability. The Risk describes the risk associated with the host

160

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

Fig. 4. An example networked system.

components.

Table 3 Vulnerability properties. Vulnerability ID

Probability of an attack

Impact

Cost to patch

Risk

v1 v2 v3

0.1 0.2 0.01

200 75 500

$50 $30 $100

20 15 5

when there is an attack exploiting that particular vulnerability (i.e., taking into account threats and possible impact on the host, with a lower boundary of zero). The quantitative representation of the Risk is calculated by the product of the probability of an attack and the impact associated with a threat imposed on the networked system. Further details of risk assessment can be found in Dubois et al. (2010).

5.2. Formalism of HARMs A formalism of a two layer HARM is introduced in Hong and Kim (2014). In this paper, we formally define the HARM with h layers for an arbitrary number of layers. The HARM which consists of a set of security models is denoted by M and a subset of these models that are residing at the ith layer (i.e., a subset) is denoted by Mi. A particular model for a corresponding node in the upper layer node j is denoted as Mij, where a node j is at the i − 1th layer. Definition 1. The HARM has a 3-tuple H = (h, M , C ). h is the number of layers (2 ≤ h). M is the set of all models used in each layer, Mi ∈ M is a subset of models in M at ith layer, and min ∈ M is a member of M at the ith layer linked to a lower layer model n in the i − 1th layer. C = {(min , n)|min ∈ Mi and n ∈ Mi − 1} ⊆ Mi × Mi − 1 is the set of all mappings between HARM components in two different layers, where i is a whole positive number 1 ≤ i ≤ h. Definition 2. An attack graph (AG) in the ith layer in the HARM is a directed graph G i = (N i, E i ), where Ni is a finite set of components at the ith layer and E i ⊆ N i × N i is a set of edges between

5.3. Security analysis We analyze the system risk associated with the networked system shown in Fig. 4 using an AG, 2-HARM, and 3-HARM to show these models compute the same solution. If an enterprise system has many sites, then the number of layers can be further extended to four (i.e., a 4-HARM), where the highest layer captures the reachability of sites, the second layer captures the reachability of subnets, the third layer captures the reachability of hosts in the subnet, and the last layer captures the vulnerability information. Also, the number of layers can be further extended as necessary. Currently, layers are divided manually, but automatic detection of optimal number of layers for a given networked system will be studied in our future work. An example of analyzing the security using the HARM is shown in Hong and Kim (2012), which demonstrates the HARM reducing the number of computational states, which improves the scalability in the evaluation phase. We assume that once a vulnerability is successfully exploited, then the escalated privilege stays (i.e., a monotonic assumption). This assumption is used to cut cycles in the ARM when computing all possible attack paths. Next, we define the system risk, Rsystem, as the sum of risk associated i ∈ path, where path is all possible attack paths in the networked system (as shown in Eq. (1), which is similar to Hong and Kim, 2014). The system risk is represented by summing the risk associated with each attack path in the system to reflect the path information (e.g., more attack paths means higher risk if all vulnerabilities are the same). Also, we only take into account the generation and evaluation phases in our analysis. Details of how the HARM changes its components with respect to changes in the networked system can be found in (Hong and Kim, 2014):

Rsystem =

∑ i ∈ path

Ri

(1)

5.3.1. Analyzing AG We generate an AG as shown in Fig. 5. We denote a

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

v

AS1

v

1

WS 2

v

161

AS 3

1

1

WS1

v

v

1 WS 2

v

An Attacker

AS1

v

2

2

v

1

v

v

AS 4

1

2

v

WS 3

v

2

DS1 3

DS 3 3

1

AS 2

v

WS1

2

v

WS3

v

AS 3

AS 2

v

2

v

AS 4

DS 2 3

2

Fig. 5. The graphical representation of an AG for the example networked system.

vulnerability as vih, where i ∈ {1, 2, 3} (i.e., represents v1, v2, v3) and h ∈ {WS1, WS2, WS3, AS1, AS2 , AS3 , AS4 , DS1, DS2, DS3} (e.g., v2WS2 is a vulnerability v2 in WS2). Although the AG is linearly proportional to the number of vulnerabilities in the networked system, the visualization quickly becomes very complex to comprehend. Calculating the system risk (as described in Eq. (1)) requires traversing all possible attack paths given in the AG. There are total of 448 different attack paths, and we get Rsystem = 44, 800 using Eq. (1).

5.3.2. Analyzing 2-HARM We generate a 2-HARM for the example networked system as shown in Fig. 6. The graphical representation is significantly simplified (i.e., less edges) compared to the AG shown in Fig. 5. To analyze the system risk in the HARM, we use the bottom-up approach as described in Fig. 7. Iterating from the lowest layer (line 5), the risk and the number of attack paths are computed for all models at the ith layer (lines 7 to 9). For each layer of the HARM, the risk is computed by accumulating the risk associated with all possible attack paths for the given model (line 17). Finally, the system risk is computed and presented (line 12). An example is shown in Eq. (2) for an attack path through nodes p ∈ {WS1, WS2, AS1}, given RWS = RAS = 35 (i.e., risk values associated to WS and AS are 35 each). Also, PWS = PAS = 2, where Pn denotes the number of attack paths associated with node n ∈ p, and Pn = 0|i ∉ p. Using the procedure described in Fig. 7, the system risk of the example networked system using the 2-HARM is 44,800, which is an equivalent solution to the AG:

WS 2 Attacker

AS 3

AS1

DS1

WS1 WS3

AS 2

DS3

AS 4

DS 2

(a) HARM upper layer

v1 s

v2

e

(b) WSs and ASs lower layer

s

Fig. 7. System risk computation algorithm using the HARM.

R p = (RWS1 × PWS2 + RWS2 × PWS1) × P AS1 + R AS1 × (PWS1 × PWS2) = (35 × 2 + 35 × 2) × 2 + 35 × (2 × 2) = 140 × 2 + 35 × 4 (2)

= 420

The 2-HARM can be represented as follows using the formalism in Section 5.2: Example 1. The 2-HARM of the example networked system is H′ = (2, M′, C ′). WS1 ,

M′ = {M2servers, M1

WS2 ,

M1

WS3 ,

M1

AS

AS

AS

AS

DS

DS

DS

M1 1, M1 2, M1 3, M1 4, M1 1, M1 2, M1 3}

is a set of all models in the HARM. C ′ = {WS1 ↔ M1WS1, WS2↔

M1WS2, WS3 ↔ M1WS3, AS1 ↔ M1AS1, AS2 ↔ M1AS2, AS3 ↔ M1AS3, AS4 is the ↔ M1AS4, DS1 ↔ M1DS1, DS2 ↔ M1DS2, DS3 ↔ M1DS3}

v3

e

set of all mappings between HARM components (i.e., for each upper layer member to its corresponding lower layer model). Example

(c) DSs lower layer

Fig. 6. 2-HARM of the example networked system.

2 (Upper

layer

HARM). The

AG

of

M2servers

is

G′ 2 = (N′ 2, E′ 2). N′ 2 = {WS1, WS2, WS3, AS1, AS2 , AS3 , AS4 , DS1, DS2, DS3}

is

a

set

162

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

An Attacker

DMZ

IN

DB

(a) HARM upper layer

WS 2

s

AS1

e

WS1

AS 2

(b) DMZ intermediate layer

DS1

s

e

s

WS3

v2

(e) WSs and ASs lower layer

e

(d) DB intermediate layer

v3

s

e

DS3 DS 2

AS 4

(c) IM intermediate layer

v1

s

AS3

e

(f) DSs lower layer

Fig. 8. 3-HARM of the example networked system.

of

all

hosts

(servers)

in

the

networked

system.

E′ 2 = {(A , WS1) , (WS1, WS2) , (WS1, WS3) , (WS2, AS1) , (WS2, AS2) ,

Example 4. The 3-HARM of the example networked system is H″ = (3, M″ , C ″).

(WS3, AS1) , (WS3, AS2) , (AS1, AS3) , (AS1, AS4 ) , (AS2 , AS3) , (AS3 , AS1) ,

M″ = {M3subnets, M2DMZ , M2IN , M2DB, M1WS1, M1WS2, M1WS3, M1AS1, M1AS2, M1AS3,

(AS3 , DS1) , (AS3 , DS2) , (AS4 , DS1) , (AS4 , DS2) , (DS1, DS3) , (DS2, DS3)}

M1AS4, M1DS1, M1DS2, M1DS3}

1

is a set of all edges in G′ , where A is the entry point of an attack (i.e., hosts can be attacked directly without any access through other hosts).

M1WS1

1

1

1

Example 3 (Lower layer HARM). The AG of is G′ = (N′ , E′ ). N′ 1 = {v1, v2} is a set of all vulnerabilities in WS1. E′ 1 = {(s, v1) , (s, v2) , (v1, e ) , (v2, e )} is a set of all edges in G′ 1, where s is the entry point of an attack (i.e., vulnerabilities can be attacked directly without any access) and e is the exit point of an attack (i.e., gained required privilege). 5.3.3. Analyzing 3-HARM We generate a 3-HARM as shown in Fig. 8. The upper layer models the relationship between subnets, the intermediate layer models the relationship between servers in each subnet, and the lower layer models the relationship between vulnerabilities in each server. The same approach (as shown in Fig. 7) is used to compute the system risk using the 3-HARM. The system risk of the example networked system using the 3-HARM is 44,800, which is an equivalent solution to the AG and 2-HARM. An example of evaluating the upper layer is shown in Eq. (3) for an attack path through nodes p^ ∈ {DMZ , IN , DB}, given RDMZ = 280, RIN = 1540, and RDB = 20 (i.e., risk values associated to the DMZ, IN and DB are 280, 20, 160 and 20, respectively). Also, PDMZ = 8, PIN = 28 and PDB = 2:

R p^ = (RDMZ × PIN + RIN × PDMZ ) × PDB + RDB × (PDMZ × PIN )

is a set of all models in the HARM. WS1 ,

C ″ = {DMZ ↔ M2DMZ , IN ↔ M2IN , DB ↔ M2DB, WS1 ↔ M1 WS3 ,

↔ M1

DS

AS

AS

DS

DS

AS

WS2 ,

WS2 ↔ M1

WS3 is

AS

AS1 ↔ M1 1, AS2 ↔ M1 2, AS3 ↔ M1 3, AS4 ↔ M1 4, DS1

↔ M1 1, DS2 ↔ M1 2, DS3 ↔ M1 3}

the set of all mappings between HARM components. Example 5 (Upper layer HARM). The AG of M3subnets is G″ 3 = (N″ 3, E″ 3). N″ 3 = {DMZ , IN , DB} is a set of all hosts (i.e., subnets) in the networked system. E″ 3 = {(s, DMZ ), (DMZ , IN ), (IN , DB )} is a set of all edges in G″ 3, where s is the entry point of an attack (i.e., subnets can be attacked directly without any access through other paths). Example 6 (Intermediate layer HARM). The AG of M2DMZ is G″ 2 = (N″ 2, E″ 2). N″ 2 = {WS1, WS2, WS3} is a set of all hosts (servers) in DMZ. E″ 2 = {(s, WS1) , (WS1, WS2) , (WS1, WS3) , (WS2, e ) , (WS2, e )} is a set of all edges in G″ 2, where s is the entry point of an attack (i.e., hosts can be attacked directly without any access through other hosts) and e is the exit point in the subnet. Example 7 (Lower layer HARM). The AG of M1WS1 is G″ 1 = (N″ 1, E″ 1). N″ 1 = {v1, v2} is a set of all vulnerabilities in WS1. E″ 1 = {(s, v1) , (s, v2) , (v1, e ) , (v2, e )} is a set of all edges in G′ 1, where s is the entry point of an attack (i.e., vulnerabilities can be attacked directly without any access) and e is the exit point of an attack (i.e., gained required privilege). 5.4. Benefit and ROI analysis

= (280 × 28 + 1540 × 8) × 2 + 20 × (8 × 28) = 20, 160 × 2 + 20 × 224 = 44, 800

(3)

The 3-HARM can be represented as follows using the formalism in Section 5.2:

ARMs can be used to compute different security metrics (e.g., benefit and ROI (return on investment)). In this section, we describe computing different security metrics, namely Benefit and ROI similarly as in Roy et al. (2012), using the HARM. We describe

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

163

Fig. 9. Changes in benefit and ROI when patching vulnerabilities.

Fig. 10. A networked system configuration for simulation.

Benefit as the change in the system risk when a countermeasure is enforced. We consider vulnerability patching as our defense using metrics described in Table 3. Eq. (4) describes the computation of Benefit, Bv, when a vulnerability v is patched. The change in benefit is the difference between the system risk before patching any vulnerabilities and after patching a vulnerability, which is handled by the model analyzer. ROI is the proportion of benefit in exchange to implementation cost. Eq. (5) describes the computation of ROI when patching a vulnerability v, ROIv, where Cv is the cost of patching the vulnerability. Once the vulnerability is patched, it is removed from the HARM and the system risk is recalculated. Then, Eqs. (4) and (5) are used to compute Benefit and ROI, respectively. Fig. 9 shows the different benefits and ROIs when patching vulnerabilities in the example networked system:

Bv = ΔRsystem

ROIv =

Bv − Cv Cv

(4)

(5)

6. Simulation results using a practical network scenario We conduct simulations to investigate the scalability of ARMs. The scalability of AG, 2-HARM, 3-HARM and TLAG in terms of generation and evaluation are compared using a networked

164

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

system with various number of hosts, topologies, vulnerabilities and network densities. We used an AG in each layer of both 2-HARM and 3-HARM (i.e., all layers are modeled using the AG). For the simulation, we have only taken into account variables that affect the five key questions defined in Section 4 (i.e., number of hosts and vulnerabilities, types of vulnerabilities, network topologies, and types of vulnerabilities). More details of empirical experiment processes for evaluating the properties of the networked system can be found in Wohlin et al. (2012). The simulation was conducted using Python, and network components are arbitrarily generated in accordance with the security model specifications. An

abstraction of a networked system is used to model and analyze the scalability of security models, as the major scalability factor is the number of nodes, vulnerabilities and the relationship between them (i.e., the reachability information). 6.1. A practical network structure The attack scenario used in the simulation is similar to that in the experiment conducted in Ingols et al. (2006) and Hong and Kim (2013a), which is shown in Fig. 10. This figure forms the skeletal basis for simulations in later sections that incorporates

Fig. 11. Scalability comparison of ARMs. (a) shows the performance (in terms of time) of generating ARMs. (b), (c), (d) and (e) show the performance of evaluating hybrid complex network topologies in the order of star–star, tree–star, ring–star and mesh–star topologies, respectively. (f) shows the performance of 2-HARM and 3-HARM evaluating various network topologies and their density values.

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

various network topologies. Also, the abstract version of the networked system consisting of the number of hosts, vulnerabilities, and connections between these components are taken into account, as they are the major factors for the scalability of security models. A networked system in our simulation setup used four sites, with each site consisting of a DMZ, Internal Network and Database subnets. Different network topologies are assigned in each subnet in the following sections. The attacker is located on the Internet, and the attack goal is to compromise a host in the Database (i.e., a sequential attack) in each site. The same algorithm is used for all security models to compute all possible attack paths with the given networked system. Hence, the scalability of security models is measured in terms of the time taken to compute all possible attack paths from the attacker to the target. In the simulation, the number of hosts is increased in each site (i.e., the number of sites are fixed at four). 6.2. Scalability simulations 6.2.1. Complex network topologies The number of hosts in DMZ and Internal Network was increased to compare the scalability between the AG, 2-HARM, 3-HARM and also the TLAG. The scalability comparison is shown in Fig. 11. Fig. 11(a) shows that generating these models is almost equivalent because their generating algorithms are the same, which generates a linearly proportional number of nodes with respect to the number of hosts in the networked system. Four hybrid network topologies are considered: (i) star–star, (ii) tree– star, (iii) ring–star, and (iv) mesh–star. Each hybrid topology creates a complex mesh structure as a result of mixing topologies. For example, a ring–star topology is created by generating a ring topology first, then each node of the ring topology is further extended as a ring topology. By mixing different network topologies, a complex mesh network topology is created with various network density values. Fig. 11(b) shows the performance of ARMs evaluating the star–star topology. It shows that all models have a similar trend in performance, but the 3-HARM outperforms the AG, 2-HARM and TLAG by a small margin. Similarly in Fig. 11(c)–(e), the 3-HARM performs the best, then followed by 2-HARM, TLAG and AG, respectively. We observe that the evaluation time significantly increases for topologies ring–star and mesh–star. So we looked at different performance of different network topologies in Fig. 11(f). It shows that as the network density increases, time to evaluate the network increases. The network density is the measure of network connections between hosts in the networked

165

system (i.e., normalized degree centrality measure). 6.2.2. Varying the number of vulnerabilities We also conduct the effect of varying number of vulnerabilities as shown in Fig. 12 using the star–star topology as described above. Additional vulnerabilities had the same properties, where exploiting any one of them would grant the required privilege (e.g., a root privilege) to compromise the host. No other settings have been changed. Fig. 12(a) shows that it affects the AG significantly compared to hierarchical models (e.g., HARM and TLAG), where it is almost negligible to notice any changes in the HARM and TLAG with respect to the AG. A larger number of vulnerabilities are used in Fig. 12(b), which show the gradual increase in the evaluation time for TLAG and 2-HARM, where in comparison 3-HARM is relatively constant. Due to having a higher number of lower layer models, TLAG took longer to evaluate in comparison to the 2-HARM. 6.2.3. Varying the network density We conducted further simulations to investigate the effect of network density when analyzing the security of networked systems. For this experiment, we used a mesh topology and changed the network density. To achieve the given network density value, hosts in the networked system are randomly connected to other hosts in the networked system. The number of connections to other hosts is uniformly distributed with a mean value of the network density value (NDV), and the standard deviation of NDV . 2

Fig. 13 shows the performance of ARMs with respect to the network density. Fig. 13(a) shows that the performance of the AG and 2-HARM is significantly worse than the 3-HARM. Fig. 13(b) shows that both AG, TLAG and 2-HARM converge to the worst case performance when the network density is greater than 0.4. The proportion represents the performance proportionality compared to that when density equals to 1. We also observe that the proportionality of 3-HARM converges to the worst case performance significantly slower than the AG and 2-HARM. For the network density at 0.5, we observed that AG reached 99.7% of the worst case performance, while 2-HARM and TLAG reached 98.8% and 3-HARM reached 90.0%.

7. Discussion and future work We listed some key questions to compare the scalability of ARMs, and showed the efficiency of the HARM by answering these

Fig. 12. Effect on security evaluation with varying number of vulnerabilities.

166

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

Fig. 13. Effect on security evaluation with network density.

questions. Our experimental results showed that the HARM is more scalable than the AG and TLAG, especially the 3-HARM over 2-HARM (i.e., more scalable using more hierarchy). However, there is a lack of understanding various attack scenarios which should be reflected in the ARMs. We discuss some of the experimental results and limitations of our work in this section. 7.1. Experimental results Section 4 described that the computational complexity of generating the AG is greater than the HARM, but the simulation result in Fig. 11(a) shows a minimal difference between them. However, it becomes apparent when evaluating these models, where a single layered AG scales significantly worse than the HARM of two and three layers (Fig. 11(b)–(e)). Moreover, Fig. 11 (f) shows that the scalability of evaluating security models are dependent on the network topology, especially for varying network density. A further experiment on the changes in the network density values in Section 6.2.3 shows that the scalability of security models are significantly worse when the network density value is high (e.g., greater than 0.4). This shows that a careful design of the networked system which has a low network density value can aid scalable security analysis of the networked system. The number of vulnerabilities also affects the scalability of security models, especially for a single layered AG. Since the AG is required to create individual connections between host nodes and vulnerability nodes, increasing the number of vulnerability nodes rapidly increases the number of possible attack paths. Consequently, the AG is not scalable as the number of vulnerabilities grows (as shown in Fig. 12(a)). On the other hand, a multiple layered HARM groups the connections from host nodes to vulnerability nodes, reducing the number of computations required. As more layers are added to the HARM, it became more scalable (as shown in Fig. 12(b)). However, analyzing all possible attack paths yields the same computational complexity with a single layered AG, which is not considered in the analysis. 7.2. Usability of the HARM Various tools are available to generate security models (e.g., NAVIGATOR, Chu et al., 2010, MulVAL, Ou and Govindavajhala, 2005, CyberSAGE, Tippenhauer et al., 2014), and provide functionalities to evaluate various security metrics. However, one shortcoming of the HARM is that there is no publicly available tool yet. Hence, it is difficult to validate the results shown using real networked systems, which may affect these results due to various

network properties not taken into account in the simulation. The HARM tool is currently under development and we wish to make it available to the public very soon. 7.3. Increasing the number of layers in the HARM Our experimental analysis in Section 6 shows that increasing the level of hierarchy improves the scalability. This is due to simplifying computational steps by aggregating calculations in each layer (similar for calculating fully expanded and factorized equations). Of course, computing metrics, such as all possible attack paths, yields the same computational complexity. An issue is when creating the HARM, there may be complications with the system design such that it may not be possible to model the network onto multiple layers. But in the HARM structure, however, considers two important factors in security analysis, which are network reachability and vulnerabilities. Network hosts (which forms the reachability) and vulnerabilities are two different entities in the model, where vulnerabilities are one of the components in a host (similarly, hosts in a subnet). Therefore, we can always use two or more layers in the HARM by modeling hosts and vulnerabilities onto two different layers. Computing the optimal number of layers is also of an interest, but due to different designs of systems, it is not always possible to model the system with a specified number of layers. However, we will investigate the extension of the number of layers in the HARM for optimal scalability in our future work. 7.4. Network structure and attack scenarios In a real life networked systems, network topologies are complex with many combinations of simple topologies (e.g., combinations of star, tree, ring and mesh topologies). The worst case complexity defined by analyzing a fully connected topology gives the upper bound performance. Although we created a few complex network topologies in our experiment, it is difficult to estimate the scalability of ARMs when deployed in real systems. However, our experimental results are based on a variety of network topologies, which provides a good scalability estimation for various other networked systems with complex network topologies. A shortcoming of our research is a lack of experimenting on a real system. Although we assume that the observed performance in the simulation would be linearly proportional to the real systems, the complexities in real systems are difficult to estimate in a simulation. Also we have not considered other factors (e.g.,

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

performance factors such as QoS, delay, and delivery rate), which may affect the performance of security analysis. These problems will be considered in our future work. 7.5. Security evaluation and overhead We demonstrated that various security metrics can be computed using the HARM (e.g., system risk, benefit, and ROI), which are equivalent to existing ARMs such as an AG. However, the complexity analyses (Section 4) and experimental results (Section 6) show an improvement in the scalability using the HARM over an AG, which is a single layered security model. We believe that other single layered security models evaluating all possible attack paths would have similar scalability as the AG. Using the hierarchy improves the scalability because multiple computations can be grouped, whereas a single layered ARM does not have such property. For example, the bottom-up approach analyzes all of the lower layer components first, then the computed values are used in the upper layers when they are analyzed. An example of this process can be found in Hong and Kim (2012). However, if we expect an output of all possible attack scenarios, then there exists an overhead in the HARM to evaluate top-down to correlate lower layer components, which we did not consider analyzing in this paper. We will consider analyzing the overhead of using the HARM in our future work.

8. Conclusion Security models are widely adopted to analyze and harden networked systems. However, existing studies did not consider analyzing the scalability of these models in various network scenarios. As networked systems are becoming large and dynamic (e.g., a Cloud network), traditional solutions are facing scalability and adaptability problems. Structural modification solutions (e.g., LAG, MPG, and TLAG) cannot evaluate all possible attack scenarios in a scalable manner, and heuristic solutions are model-centric which are often not usable by other security models. As a result, network and security administrators are facing difficulty determining the security posture to efficiently deploy defense strategies. This paper presents a method that improves the scalability of security models, namely using the hierarchy to simplify evaluating all possible attack scenarios. A multi-layered HARM (i.e., h-HARM with a h number of layers) is presented and defined. The complexity of the HARM and other security models are analyzed, and various network scenarios are taken into account in our simulations to compare the scalability of the HARM against the AG and TLAG. The result showed that even using the same algorithm to evaluate the security of networked systems, the 3-HARM (i.e., 3 layered HARM) is much more scalable than the AG (which is only a single layered model) and TLAG (other hierarchical security model with different underlying structure). Moreover, we demonstrated that various security metrics can be computed as same as the existing ARMs, while there was a significant improvement in the scalability of evaluating all possible attack paths.

References Abadi, M., Jalili, S., 2010. A particle swarm optimization algorithm for minimization analysis of cost-sensitive attack graphs. ISC Int. J. Inf. Secur. 2, 13–32. Ammann, P., Wijesekera, D., Kaushik, S., 2002. Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and communications security (CCS 2002). ACM, New York, NY, USA, pp. 217– 224. http://dx.doi.org/10.1145/586110.586140. Chen, B., Kalbarczyk, Z., Nicol, D., Sanders, W., Tan, R., Temple, W., Tippenhauer, N.,

167

Vu, A., Yau, D., 2013. Go with the flow: toward workflow-oriented security assessment. In: Proceedings of the 2013 Workshop on New Security Paradigms Workshop (NSPW 2013). ACM, New York, NY, USA, pp. 65–76. http://dx.doi.org/ 10.1145/2535813.2535821. Chen, F., Liu, D., Zhang, Y., Su, J., 2010. A Scalable approach to analyzing network security using compact attack graphs. J. Netw. 5, 543–550, URL: 〈https://www. academypublisher.com/  academz3/ojs/index.php/jnw/article/view/ 0505543550〉. Chu, M., Ingols, K., Lippmann, R., Webster, S., Boyer, S., 2010. Visualizing attack graphs, reachability, and trust relationships with NAVIGATOR. In: Proceedings of the 7th International Workshop on Visualization for Cyber Security (VizSec 2010). ACM, New York, NY, USA, pp. 22–33. http://dx.doi.org/10.1145/1850795. 1850798. Dawkins, J., Hale, J., 2004. A systematic approach to multi-stage network attack analysis. In: Proceedings of Second IEEE International Information Assurance Workshop (IWIA 2004), pp. 48–56. http://dx.doi.org/10.1109/IWIA.2004. 1288037. Dewri, R., Poolsappasit, N., Ray, I., Whitley, D., 2007. Optimal security hardening using multi-objective optimization on attack tree models of networks. In: Proceedings of ACM Conference on Computer and Communications Security (CCS 2007). ACM, New York, NY, USA, pp. 204–213. http://dx.doi.org/10.1145/ 1315245.1315272. Dubois, E., Heymans, P., Mayer, N., Matulevicius, R., 2010. A systematic approach to define the domain of information system security risk management. In: Nurcan, S., Salinesi, C., Souveyet, C., Ralyt, J. (Eds.), Intentional Perspectives on Information Systems Engineering. Springer, Berlin, Heidelberg, pp. 289–306. http://dx.doi.org/10.1007/978-3-642-12544-7_16. Homer, J., Varikuti, A., Ou, X., McQueen, M., 2008. Improving attack graph visualization through data reduction and attack grouping. In: Goodall, J., Conti, G., Ma, K. (Eds.), Visualization for Computer Security. Lecture Notes in Computer Science, vol. 5210. Springer, Berlin, Heidelberg, pp. 68–79. http://dx.doi.org/10. 1007/978-3-540-85933-8_7. Hong, J., Kim, D., 2012. HARMs: hierarchical attack representation models for network security analysis. In: Proceedings of the 10th Australian Information Security Management Conference on SECAU Security Congress (SECAU 2012), pp. 1–8. Hong, J., Kim, D., 2013a. Performance analysis of scalable attack representation models. In: Janczewski, L., Wolfe, H., Shenoi, S. (Eds.), Security and Privacy Protection in Information Processing Systems (SEC 2013). IFIP Advances in Information and Communication Technology, vol. 405. Springer, Berlin, Heidelberg, pp. 330–343. http://dx.doi.org/10.1007/978-3-642-39218-4_25. Hong, J., Kim, D., 2013b. Scalable security analysis in hierarchical attack representation model using centrality measures. In: Proceedings of the 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSNW 2013), pp. 1–8. http://dx.doi.org/10.1109/DSNW.2013. 6615507. Hong, J., Kim, D., 2013c. Scalable Security model generation and analysis using k-importance measures. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (Eds.), Security and Privacy in Communication Networks (SecureComm 2013). Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 127. Springer International Publishing, New York, NY, USA, pp. 270–287. http://dx.doi.org/10.1007/978-3-319-04283-1_17. Hong, J., Kim, D., 2014. Scalable security models for assessing effectiveness of moving target defenses. In: Proceedings of the 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2014), pp. 515– 526. http://dx.doi.org/10.1109/DSN.2014.54. Hong, J., Kim, D., Haqiq, A., 2014. What vulnerability do we need to patch first? In: Proceedings of the 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop (DSNW 2014), pp. 684–689. http:// dx.doi.org/10.1109/DSN.2014.68. Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S., 2009. Modeling modern network attacks and countermeasures using attack graphs. In: Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009), pp. 117–126. http://dx.doi.org/10.1109/ACSAC.2009.21. Ingols, K., Lippmann, R., Piwowarski, K., 2006. Practical attack graph generation for network defense. In: Proceedings of the 22nd Annual Computer Security Applications Conference (ACSAC 2006), pp. 121–130. http://dx.doi.org/10.1109/AC SAC.2006.39. Islam, T., Wang, L., 2008. A heuristic approach to minimum-cost network hardening using attack graph. In: Proceedings of New Technologies, Mobility and Security (NTMS 2008), pp. 1–5. http://dx.doi.org/10.1109/NTMS.2008.ECP.9. Kordy, B., Pietre-Cambacedes, L., Schweitzer, P., 2013. DAG-based attack and defense modeling: don't miss the forest for the attack trees. CoRR abs/1303.7397. Lippmann, R., Ingols, K., 2005. An Annotated Review of Past Papers on Attack Graphs. ESC-TR-2005-054. Machida, F., Xiang, J., Tadano, K., Maeno, Y., 2013. Composing hierarchical stochastic model from SysML for system availability analysis. In: Proceedings of the 24th IEEE International Symposium on Software Reliability Engineering (ISSRE 2013), pp. 51–60. http://dx.doi.org/10.1109/ISSRE.2013.6698904. Manadhata, P., Wing, J., 2011. An attack surface metric. IEEE Trans. Softw. Eng. 37, 371–386. http://dx.doi.org/10.1109/TSE.2010.60. Mehta, V., Bartzis, C., Zhu, H., Clarke, E., Wing, J., 2006. Ranking attack graphs. In: Proceedings of the 9th international conference on Recent Advances in Intrusion Detection (RAID 2006). Springer-Verlag, Berlin, Heidelberg, pp. 127–144. http://dx.doi.org/10.1007/11856214_7. Mell, P., Grance, T., 2011. SP 800-145. The NIST Definition of Cloud Computing.

168

J.B. Hong, D.S. Kim / Journal of Network and Computer Applications 75 (2016) 156–168

Technical Report. NIST, Gaithersburg, MD, USA. Noel, S., Jajodia, S., 2004. Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security (VizSec 2004). ACM, New York, NY, USA, pp. 109–118. http://dx.doi.org/10.1145/1029208.1029225. Noel, S., Jajodia, S., 2005. Understanding complex network attack graphs through clustered adjacency matrices. In: Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), pp. 10–169. http://dx.doi.org/ 10.1109/CSAC.2005.58. Ou, X., Boyer, W., McQueen, M., 2006. A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and communications security (CCS 2006). ACM, New York, NY, USA, pp. 336–345. http:// dx.doi.org/10.1145/1180405.1180446. Ou, X., Govindavajhala, S., 2005. MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th USENIX Security Symposium (USENIX Security 2005), pp. 113–128. Phillips, C., Swiler, L., 1998. A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 Workshop on New Security Paradigms (NSPW 1998). ACM, New York, NY, USA, pp. 71–79. http://dx.doi.org/10.1145/310889. 310919. Poolsappasit, N., Dewri, R., Ray, I., 2012. Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9, 61–74. http: //dx.doi.org/10.1109/TDSC.2011.34. Popovic, K., Hocenski, Z., 2010. Cloud computing security issues and challenges. In: Proceedings of the 33rd International Convention on Information and Communication Technology, Electronics and Microelectronic (MIPRO 2010), pp. 344–349. Roy, A., Kim, D., Trivedi, K., 2012. Scalable optimal countermeasure selection using implicit enumeration on attack countermeasure trees. In: Proceedings of the 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2012). IEEE Computer Society, Los Alamitos, CA, USA, pp. 1–12.

URL: 〈http://doi.ieeecomputersociety.org/10.1109/DSN.2012.6263940〉. Saini, V., Duan, Q., Paruchuri, V., 2008. Threat modeling using attack trees. J. Comput. Sci. Coll. 23, 124–131, URL: 〈http://dl.acm.org/citation.cfm? id ¼ 1352079.1352100〉. Sawilla, R., Skillicorn, D., 2012. Partial cuts in attack graphs for cost effective network defence. In: Proceedings of IEEE Conference on Technologies for Homeland Security (HST 2012), pp. 291–297. http://dx.doi.org/10.1109/THS.2012. 6459864. Schumacher, H., Ghosh, S., 1997. A fundamental framework for network security. J. Netw. Comput. Appl. 20, 305–322. http://dx.doi.org/10.1006/jnca.1997.0058, URL: 〈http://www.sciencedirect.com/science/article/pii/S1084804597900588〉. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J., 2002. Automated Generation and Analysis of Attack Graphs. Technical Report. CMU. Sood, S., 2012. A combined approach to ensure data security in cloud computing. J. Netw. Comput. Appl. 35, 1831–1838. http://dx.doi.org/10.1016/j. jnca.2012.07.007, URL: 〈http://www.sciencedirect.com/science/article/pii/ S1084804512001592〉. Tippenhauer, N., Temple, W., Hoa Vu, A., Chen, B., Nicol, D., Kalbarczyk, Z., Sanders, W., 2014. Automatic generation of security argument graphs. ArXiv e-prints arXiv:1405.7475. Wang, S., Zhang, Z., Kadobayashi, Y., 2013. Exploring attack graph for cost–benefit security hardening: a probabilistic approach. Comput. Secur. 32, 158–169. http: //dx.doi.org/10.1016/j.cose.2012.09.013, URL: 〈http://www.sciencedirect.com/ science/article/pii/S0167404812001496〉. Wohlin, C., Runeson, P., Host, M., Ohlsson, M., Regnell, B., Wesslen, A., 2012. Experimentation in Software Engineering, 1st ed. Springer Science & Business Media,Springer, Berlin, Heidelberg. Xie, A., Cai, Z., Tang, C., Hu, J., Chen, Z., 2009. Evaluating network security with twolayer attack graphs. In: Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC 2009), pp. 127–136. http://dx.doi.org/10.1109/ ACSAC.2009.22.