Exploring Attack Graphs for Security Risk Assessment: A Probabilistic Approach

Published in: Wuhan University Journal of Natural Sciences

Abstract

The attack graph methodology can be used to identify the potential paths along which an attack can propagate. This paper presents a risk assessment model based on a Bayesian attack graph. First, attack graphs are generated with the MulVAL (Multi-host, Multistage Vulnerability Analysis) tool from information on vulnerabilities, network configuration and host connectivity. Second, a probabilistic attack graph is built with Bayesian networks, which capture the causal relationships among sophisticated multi-stage attacks. The probability that an exploit succeeds is derived from Common Vulnerability Scoring System (CVSS) metrics, and the static security risk is assessed by applying the local conditional probability distribution tables of the attribute nodes. Finally, the overall security risk of a small network scenario is assessed. Experimental results demonstrate that the approach can infer attack intention and potential attack paths effectively, and provides guidance on choosing the optimal security hardening strategy.
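To make the abstract's method concrete, the following is an added illustration (not code or data from the paper): a constructed five-node Bayesian attack graph whose exploit edges carry assumed CVSS base scores, exact marginal inference from the local CPTs of AND/OR attribute nodes, and a ranking of single-exploit patches by how much each lowers the probability of reaching the goal node. The CVSS-to-probability mapping (score / 10) is an assumption, not the paper's formula.

```python
from itertools import product
from math import prod

# Constructed toy attack graph (not the paper's scenario). Node = attacker privilege, edge =
# exploit labelled with an assumed CVSS base score; "OR" needs any one exploit, "AND" needs all.
GRAPH = {
    "root@attacker":   ("ROOT", {}),
    "user@webserver":  ("OR",  {"root@attacker": 7.5}),
    "root@webserver":  ("OR",  {"user@webserver": 6.9}),
    "user@fileserver": ("OR",  {"user@webserver": 5.0, "root@webserver": 9.0}),
    "root@database":   ("AND", {"root@webserver": 4.3, "user@fileserver": 6.5}),
}

def cvss_to_prob(score):   # assumed mapping, not the paper's: base score / 10
    return min(max(score / 10.0, 0.0), 1.0)

def cpt(graph, node, state):
    """Local CPT entry P(node reached | parent states) for one joint assignment."""
    kind, parents = graph[node]
    if kind == "ROOT":
        return 1.0
    reached = [cvss_to_prob(s) for p, s in parents.items() if state[p]]
    if kind == "AND":   # every precondition must hold and every exploit succeed
        return prod(reached) if len(reached) == len(parents) else 0.0
    return 1.0 - prod(1.0 - p for p in reached)   # noisy-OR over reached parents

def marginals(graph):
    """Exact inference by enumerating every joint assignment (fine for tiny graphs)."""
    nodes = list(graph)   # dict insertion order is a topological order here
    totals = {n: 0.0 for n in nodes}
    for values in product((False, True), repeat=len(nodes)):
        state = dict(zip(nodes, values))
        joint = prod((cpt(graph, n, state) if state[n] else 1.0 - cpt(graph, n, state))
                     for n in nodes)
        for n in nodes:
            if state[n]:
                totals[n] += joint
    return totals

def patch(graph, parent, child):   # harden: patched exploit can no longer succeed
    g = {n: (k, dict(ps)) for n, (k, ps) in graph.items()}
    g[child][1][parent] = 0.0
    return g

def best_patches(graph, goal):
    """Rank single-exploit patches by how much each lowers P(goal reached)."""
    base = marginals(graph)[goal]
    gains = {(p, c): base - marginals(patch(graph, p, c))[goal]
             for c, (_, parents) in graph.items() for p in parents}
    return sorted(gains.items(), key=lambda kv: -kv[1])
```

Calling `marginals(GRAPH)` gives the static risk of each privilege node, and `best_patches(GRAPH, "root@database")` shows that patching any exploit on the only path to the goal removes all of its risk, while patching the root@webserver -> user@fileserver hop removes only part of it.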



Corresponding author: Yiyue He.

Foundation item: Supported by the National Natural Science Foundation of China (61373176), the Natural Science Foundation of Shaanxi Province of China (2015JQ7278), and the Scientific Research Plan Projects of Shaanxi Educational Committee (17JK0304, 14JK1693).


Cite this article

Gao, N., He, Y. & Ling, B. Exploring Attack Graphs for Security Risk Assessment: A Probabilistic Approach. Wuhan Univ. J. Nat. Sci. 23, 171–177 (2018). https://doi.org/10.1007/s11859-018-1307-0
