Improving Attack Graph Scalability for the Cloud Through SDN-Based Decomposition and Parallel Processing

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10542)


Because of its rapid growth, Cloud computing is a quickly evolving research area. Security, which is among the most required Cloud features, is a hard and challenging task when it is addressed for large networked systems. To automate security assessment, one should use an Attack Representation Model (ARM), such as an Attack Graph (AG) or Attack Tree, to represent and analyze multi-host, multi-stage attacks. To improve AG analysis for large-scale networked systems, our framework uses Software-Defined Networking (SDN) to build detailed and dynamic knowledge of the network configuration and the host access control list. Together with machine configuration information, this allows our framework to construct loosely connected sub-groups of virtual machines and perform a parallel security analysis. We have performed experimental validation using a real networked system to show the performance improvement in comparison with the MulVAL network security analyzer.


Keywords: Attack Representation Models, Scalability, Graph theory



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Oussama Mjihil (1)
  • Dijiang Huang (2)
  • Abdelkrim Haqiq (1, 3)

  1. Computer, Networks, Mobility and Modeling Laboratory, FST, Hassan 1st University, Settat, Morocco
  2. School of Computing, Informatics and Decision Systems Engineering, Arizona State University, Tempe, USA
  3. e-NGN Research Group, Africa and Middle East, Settat, Morocco
