A Generation Method of Network Security Hardening Strategy Based on Attack Graphs

Chao Zhao, Huiqiang Wang, Junyu Lin, Hongwu Lv and Yushu Zhang (College of Computer Science and Technology, Harbin Engineering University, Harbin, China)
Copyright: © 2015 | Pages: 17
DOI: 10.4018/IJWSR.2015010104

Abstract

Analyzing attack graphs can provide network security hardening strategies for administrators. To address the high time complexity and costly hardening strategies of previous methods, a method for generating low-cost network security hardening strategies based on attack graphs is proposed. The authors' method assesses the risk of attack paths according to path length and the Common Vulnerability Scoring System (CVSS), limits the search scope with a threshold to reduce time complexity, and lowers the cost of hardening strategies by using a heuristic algorithm. The experimental results show that the authors' method has good scalability and significantly reduces the cost of network security hardening strategies with reasonable running time.
Article Preview

Our work is related to attack graph generation, risk assessment, and network security hardening based on attack graphs.

2.1. Generation of Attack Graph

Attack graph generation has progressed from manual to automatic. Researchers have proposed two models: one based on system state transitions (Swiler et al., 2001) and the other based on the dependencies between vulnerabilities and system states (Ammann et al., 2002). The former suffers from state explosion as the problem scale grows; the latter has received widespread attention because of its good scalability. Ammann et al. (2002) first proposed the monotonicity assumption on attacker capability (privileges once gained are never lost), which speeds up attack graph generation from exponential to polynomial time. A range of attack graph generation algorithms has been proposed (Ingols et al., 2006; Ou et al., 2006; Carvalho & Teng, 2010; Jajodia & Noel, 2010), and generation tools have been developed, such as MulVAL (Ou et al., 2005), CAULDRON (Jajodia & Noel, 2007) and NetSPA (Ingols et al., 2009), further reducing the time complexity of attack graph generation.
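As an added illustration (not code from the paper), the snippet below builds a toy dependency-based attack graph, computes reachable privileges under the monotonicity assumption described above, enumerates attack paths to a goal privilege, and filters them with a constructed risk score that combines CVSS base scores with path length, as the abstract outlines. The exploits, their CVSS values, and the scoring formula are assumptions made for this example; the paper's own risk formula and its heuristic hardening algorithm are not reproduced here.

```python
# Added illustration (not the paper's code): a toy dependency-based attack graph
# under the monotonicity assumption, plus a constructed CVSS/length-based path
# risk with a search threshold. All exploits and scores are made up.
import math

# Constructed exploits: name -> (preconditions, privilege gained, CVSS base score)
EXPLOITS = {
    "e1": ({"attacker@internet"}, "user@web", 7.5),
    "e2": ({"user@web"}, "root@web", 7.2),
    "e3": ({"user@web"}, "user@db", 6.5),
    "e4": ({"root@web"}, "root@db", 9.0),
    "e5": ({"user@db"}, "root@db", 4.4),
    "e6": ({"user@web", "user@db"}, "root@db", 8.0),  # needs both privileges
}

def monotonic_closure(exploits, initial):
    """Forward fixpoint: privileges are never lost, so each exploit fires at most
    once and reachability is polynomial in |E| instead of a state-space search."""
    facts, fired, changed = set(initial), [], True
    while changed:
        changed = False
        for name, (pre, post, _) in exploits.items():
            if name not in fired and pre <= facts:
                facts.add(post); fired.append(name); changed = True
    return facts, fired

def attack_paths(exploits, initial, goal):
    """Exploit chains from the initial facts to the goal privilege; each step
    must consume the privilege gained by the previous step (no detours)."""
    paths = []
    def walk(facts, path, last):
        if goal in facts:
            paths.append(path); return
        for name, (pre, post, _) in exploits.items():
            if pre <= facts and post not in facts and (last is None or last in pre):
                walk(facts | {post}, path + [name], post)
    walk(set(initial), [], None)
    return paths

def path_risk(exploits, path):
    """Constructed score: product of per-step CVSS/10, so longer and weaker
    chains score lower (the paper's own formula is not reproduced here)."""
    return round(math.prod(exploits[n][2] / 10.0 for n in path), 4)

def risky_paths(exploits, initial, goal, threshold):
    """The threshold limits the search scope to the paths worth hardening against."""
    scored = [(path_risk(exploits, p), p) for p in attack_paths(exploits, initial, goal)]
    return sorted([(r, p) for r, p in scored if r >= threshold], reverse=True)
```

With a threshold of 0.3 the low-scoring chain through e5 (CVSS 4.4) is dropped, leaving two paths for the hardening step to consider.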
