Scalable Analysis of Attack Scenarios
Attack graphs have been widely used for attack modeling, alert correlation, and prediction. In order to address the limitations of current approaches – scalability and impact analysis – we propose a novel framework to analyze massive amounts of alerts in real time, and measure the impact of current and future attacks. Our contribution is threefold. First, we introduce the notion of generalized dependency graph, which captures how network components depend on each other, and how the services offered by an enterprise depend on the underlying infrastructure. Second, we extend the classical definition of attack graph with the notion of timespan distribution, which encodes probabilistic knowledge of the attacker’s behavior. Finally, we introduce attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services that could be ultimately affected by the corresponding exploits. We propose efficient algorithms for both detection and prediction, and show that they scale well for large graphs and large volumes of alerts. We show that, in practice, our approach can provide security analysts with actionable intelligence about the current cyber situation, enabling them to make more informed decisions.
Keywords: Attack graphs; dependency graphs; vulnerability analysis; cyber situation awareness; scalability
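The abstract describes three structures: a dependency graph (components and the services that depend on them), an attack graph whose steps carry a timespan distribution, and a scenario graph that joins the two so that a matched exploit can be traced to the services it ultimately affects. The following is an added, self-contained illustration of that idea and is not the paper's code or its algorithms: the hosts, service names, vulnerability labels, alert stream and the per-step timespan tables (modelled here as a simple step-function CDF) are all constructed for the example, and the detection and prediction routines are a deliberately small reading of the abstract, not the paper's definitions.

```python
"""Toy attack scenario graph: attack graph + dependency graph + alert replay.
Constructed illustration only; hostnames, vulnerability labels and timespan
tables are hypothetical and not taken from the paper."""
from collections import defaultdict, deque

# --- Attack graph (constructed) ---
# Each exploit has a precondition state, a postcondition state, the vulnerability
# label an alert would carry, and a "timespan" CDF table:
#   P(step completed within t time units after the precondition holds).
EXPLOITS = {
    "e_web":  {"pre": "attacker@internet", "post": "user@web01", "vuln": "web_rce",
               "cdf": {1: 0.3, 2: 0.7, 4: 0.95}},
    "e_priv": {"pre": "user@web01", "post": "root@web01", "vuln": "local_privesc",
               "cdf": {1: 0.5, 2: 0.8, 4: 0.99}},
    "e_db":   {"pre": "root@web01", "post": "root@db01", "vuln": "db_auth_bypass",
               "cdf": {1: 0.1, 2: 0.4, 4: 0.8}},
    "e_app":  {"pre": "root@web01", "post": "root@app01", "vuln": "app_deserialization",
               "cdf": {1: 0.2, 2: 0.5, 4: 0.9}},
}

# --- Dependency graph (constructed): "x depends on every y in the set" ---
DEPENDS_ON = {
    "customer-portal": {"web01", "order-service"},
    "order-service":   {"app01", "db01"},
    "reporting":       {"db01"},
}

# Constructed alert stream. a2 arrives before its precondition is reachable.
ALERTS = [
    {"id": "a1", "t": 1.0, "vuln": "web_rce",        "host": "web01"},
    {"id": "a2", "t": 1.5, "vuln": "db_auth_bypass", "host": "db01"},
    {"id": "a3", "t": 2.0, "vuln": "local_privesc",  "host": "web01"},
]


def host_of(state):
    """'root@db01' -> 'db01'."""
    return state.split("@", 1)[1]


def dependents(component):
    """Transitive closure of 'depends on' edges, reversed: everything that
    directly or indirectly depends on `component`."""
    rev = defaultdict(set)
    for node, deps in DEPENDS_ON.items():
        for d in deps:
            rev[d].add(node)
    seen, queue = set(), deque([component])
    while queue:
        for n in rev[queue.popleft()]:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def correlate(alerts):
    """Detection: replay alerts in time order and accept one only if it names an
    exploit whose precondition state has already been reached.
    Returns (reached: state -> time, accepted: [(alert_id, exploit_id)])."""
    reached = {"attacker@internet": 0.0}
    accepted = []
    for alert in sorted(alerts, key=lambda a: a["t"]):
        for eid, ex in EXPLOITS.items():
            if (ex["vuln"] == alert["vuln"] and host_of(ex["post"]) == alert["host"]
                    and ex["pre"] in reached and ex["post"] not in reached):
                reached[ex["post"]] = alert["t"]
                accepted.append((alert["id"], eid))
                break
    return reached, accepted


def cdf_at(cdf, t):
    """Step-function lookup on a timespan CDF table (largest key <= t)."""
    return max((p for dt, p in cdf.items() if dt <= t), default=0.0)


def predict(reached, now, horizon):
    """Prediction: for each exploit that is enabled but not yet observed, the
    probability it completes by now+horizon, plus the services it would hit."""
    out = {}
    for eid, ex in EXPLOITS.items():
        if ex["pre"] in reached and ex["post"] not in reached:
            elapsed = now + horizon - reached[ex["pre"]]
            out[eid] = {"p": cdf_at(ex["cdf"], elapsed),
                        "impacted": sorted(dependents(host_of(ex["post"])))}
    return out


def impacted_now(reached):
    """Services already affected: everything that depends on a compromised host."""
    hit = set()
    for state in reached:
        if host_of(state) != "internet":
            hit |= dependents(host_of(state))
    return sorted(hit)


if __name__ == "__main__":
    reached, accepted = correlate(ALERTS)
    print("accepted:", accepted)                 # a2 is dropped: root@web01 not yet reached
    print("impacted now:", impacted_now(reached))
    for eid, info in predict(reached, now=2.0, horizon=2).items():
        print(f"{eid}: p={info['p']:.2f} would hit {info['impacted']}")
```

The alert a2 is rejected because, at 1.5, root@web01 has not been reached; a real deployment would have to decide whether such an alert is noise, an out-of-order delivery, or a step the attack graph does not model, which is exactly the kind of gap the abstract's scenario graphs and timespan distributions are meant to close. The prediction step ranks the two next moves enabled by root@web01 by both likelihood (from the CDF) and blast radius (from the dependency closure), so the db01 step, which would take down three services, stands out even though its probability is lower.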