An Attack Graph Based Approach for Threat Identification of an Enterprise Network

Somak Bhattacharya (Indian Institute of Technology, Kharagpur, India), Samresh Malhotra (Indian Institute of Technology, Kharagpur, India) and S. K. Ghosh (Indian Institute of Technology, Kharagpur, India)
DOI: 10.4018/978-1-60566-326-5.ch002

As networks continue to grow in size and complexity, automatic assessment of security vulnerability becomes increasingly important. The typical means by which an attacker breaks into a network is a series of exploits, where each exploit in the series satisfies the preconditions of subsequent exploits and so forms a causal relationship among them. Such a series of exploits constitutes an attack path, and the set of all possible attack paths forms an attack graph. Attack graphs reveal the threat by enumerating all possible sequences of exploits that can be followed to compromise a given critical resource. The contribution of this chapter is to identify the most probable attack path based on the attack surface measures of the individual hosts of a given network, and also to identify the minimum possible network securing options for a given attack graph in an automated fashion. The identified network securing options are exhaustive, and the proposed approach also aims at detecting cycles in forward reachable attack graphs. As a whole, the chapter deals with the identification of probable attack paths and with risk mitigation, which may help improve the overall security of an enterprise network.
Chapter Preview

With the increased reliance and dependence on networks, the threats that an enterprise faces, both external and internal, have also increased phenomenally. A security administrator is always faced with the challenge of identifying these threats and, in turn, securing the organization’s network. The classical approach of identifying the vulnerabilities of individual hosts using commercially available tools, such as Retina and Nessus, does not take vulnerability interactions into account. These vulnerability interrelationships are very important for obtaining a holistic view of network security from the security administrator’s point of view. The vulnerability interactions are best captured by an attack graph, which helps in identifying all the possible ways in which an attacker can reach a critical resource on the network.

Attack graph generation is the first step towards threat identification for an enterprise network. There are two basic approaches to generating an attack graph, namely the state based approach (Ammann et al., 2002; Philips et al., 1998) and the host based approach (Ammann et al., 2005; Ingols et al., 2006). Several previous approaches (Ammann et al., 2002; Li et al., 2006) have used a combination of forward and backward chaining algorithms to identify an attack graph. The state based approach gives information at a more granular level, but its representation soon becomes very large and complex even for a moderately sized network (Sheyner et al., 2002). On the other hand, in a host based attack graph each node represents a network entity and the edges represent the privileges obtained after applying exploits between them. The host based approach gives a compact representation, which may be useful for visualization and handles scalability, at the cost of abstracting away several low level details related to exploit correlation, vulnerabilities and attacker privileges. For example, obtaining user level privilege on a host, say host 1, and escalating that privilege to the super user level are treated as two distinct states in a state based approach, whereas a host based approach combines all such individual privileges and retains only the highest level privilege as a graph edge. The availability of the low level details in a state based attack graph makes it convenient for proper risk management.

The proposed approach uses the state based forward chaining algorithm (Ammann et al., 2002) to generate an attack graph containing the necessary exploits. The necessary exploits are the set of exploits of which a subset will actually be used by the attacker to reach the goal; therefore, the forward reachable attack graph may contain redundancies. The run time complexity of such a forward chaining algorithm is polynomial, O(|A|^2 · E) (Ammann et al., 2002), where A is the number of network conditions and E is the number of exploits. Each vertex in the generated attack graph represents a network state or the corresponding exploit; the edges represent the causal relationships among network states and exploits. The approach in Ammann et al. (2002) then performs a backward search over the forward reachable attack graph to generate an attack graph with sufficient exploits. Our proposed approach differs from Ammann et al. (2002) in that it works in two dimensions. On one hand, it identifies the most probable attack path(s) based on the attack surface measure of the individual hosts, independent of the vulnerabilities or exploits that may exist; on the other hand, to identify the actual exploit correlations for risk mitigation, it works directly on the forward reachable graph rather than generating a sufficient-exploit attack graph, and thus identifies all the possible network securing options.
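The forward chaining step described above, as an added Python illustration that is not code from the chapter: exploits are modelled as (preconditions, postconditions) pairs over a constructed network of two hypothetical hosts (web, db) with made-up exploit names, chaining runs to a fixpoint to build the forward reachable graph, and simple-path enumeration to the goal condition records any back edges so that cycles in the reachable graph are detected rather than followed.

```python
# Constructed sample model with hypothetical hosts (web, db) and exploit
# names. An exploit is applicable once all of its preconditions hold, and
# applying it adds its postconditions; conditions are plain strings.
EXPLOITS = {
    "ftp_rhosts(attacker,web)": ({"reach(attacker,web)"}, {"trust(web,attacker)"}),
    "rsh_login(attacker,web)": ({"trust(web,attacker)"}, {"user(web)"}),
    "wuftpd_bof(attacker,web)": ({"reach(attacker,web)"}, {"root(web)"}),
    "local_bof(web)": ({"user(web)"}, {"root(web)"}),
    "ssh_bof(web,db)": ({"root(web)", "reach(web,db)"}, {"user(db)"}),
    "local_bof(db)": ({"user(db)"}, {"root(db)"}),
    "rsh_login(db,web)": ({"user(db)", "reach(db,web)"}, {"user(web)"}),  # back edge
}
INITIAL = {"reach(attacker,web)", "reach(web,db)", "reach(db,web)"}


def forward_chain(exploits, initial):
    """Monotonic forward chaining to a fixpoint. Returns (conditions, adj):
    adj maps each vertex (condition or exploit) to its successors, i.e. the
    forward reachable attack graph of necessary exploits; each fires once."""
    conds, used, adj = set(initial), set(), {}
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name in used or not pre <= conds:
                continue
            used.add(name)
            changed = True
            for c in pre:                      # condition -> exploit edges
                adj.setdefault(c, set()).add(name)
            adj.setdefault(name, set()).update(post)  # exploit -> condition
            conds |= post
    return conds, adj


def attack_paths(adj, start, goal):
    """Enumerate simple start -> goal paths. A successor already on the
    current path closes a cycle: the edge is recorded, not revisited."""
    paths, cycles, stack = [], set(), [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node == goal:
            paths.append(path)
            continue
        for nxt in sorted(adj.get(node, ())):
            if nxt in path:
                cycles.add((node, nxt))
            else:
                stack.append((nxt, path + [nxt]))
    return paths, cycles
```

On this model the two enumerated paths to root(db) share the ssh_bof(web,db) vertex, so removing that single exploit's precondition is the minimal securing option the chapter's second dimension is after.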
