Topological Vulnerability Analysis
Traditionally, network administrators rely on labor-intensive processes for tracking network configurations and vulnerabilities. This requires a great deal of expertise and is error-prone because of the complexity of networks and the associated security data. The interdependencies among network vulnerabilities make traditional point-wise vulnerability analysis inadequate. We describe a Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network. From models of the network vulnerabilities and potential attacker exploits, we compute attack graphs that convey the impact of individual and combined vulnerabilities on overall security. TVA finds potential paths of vulnerability through a network, showing exactly how attackers may penetrate it. From this, we identify key vulnerabilities and provide strategies for protecting critical network assets.
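As an added illustration of the workflow the abstract describes (example code written for this page, not the chapter's own TVA implementation), the following Python builds a small attack graph from a constructed reachability model and a constructed vulnerability model, enumerates every attack path to a critical asset, and identifies the smallest sets of vulnerabilities whose patching blocks all of those paths. All host names, service names and vulnerability identifiers are made up for the example.

```python
from itertools import combinations
# Constructed network model: (source host, destination host) -> reachable services
REACH = {("attacker", "web"): {"http"}, ("web", "app"): {"rpc"},
         ("web", "db"): {"sql"}, ("app", "db"): {"sql"}}
# Constructed vulnerability model: (host, service) -> hypothetical vulnerability id
VULNS = {("web", "http"): "VULN-WEB-1", ("app", "rpc"): "VULN-APP-1",
         ("db", "sql"): "VULN-DB-1"}

def attack_graph(reach, vulns, start="attacker"):
    """Monotone forward chaining: an exploit edge (src, dst, vuln) fires whenever
    the attacker holds src and src reaches a vulnerable service on dst."""
    owned, edges, changed = {start}, set(), True
    while changed:
        changed = False
        for (src, dst), services in reach.items():
            if src not in owned:
                continue
            for svc in services:
                vuln = vulns.get((dst, svc))
                if vuln and (src, dst, vuln) not in edges:
                    edges.add((src, dst, vuln))  # attacker never loses privileges
                    owned.add(dst)
                    changed = True
    return owned, edges

def attack_paths(edges, start, goal, visited=None):
    """Enumerate every simple attack path from start to goal through the graph."""
    visited = (visited or set()) | {start}
    if start == goal:
        return [[]]
    paths = []
    for src, dst, vuln in sorted(edges):
        if src == start and dst not in visited:
            for rest in attack_paths(edges, dst, goal, visited):
                paths.append([(src, dst, vuln)] + rest)
    return paths

def key_vulnerabilities(reach, vulns, goal, start="attacker"):
    """Smallest vulnerability sets whose patching leaves goal unreachable
    (exhaustive subset search; adequate for a model this small)."""
    ids = sorted(set(vulns.values()))
    for k in range(len(ids) + 1):
        cuts = []
        for cut in combinations(ids, k):
            remaining = {key: v for key, v in vulns.items() if v not in cut}
            if goal not in attack_graph(reach, remaining, start)[0]:
                cuts.append(set(cut))
        if cuts:
            return cuts
    return []
```

For the constructed model, `attack_paths(attack_graph(REACH, VULNS)[1], "attacker", "db")` yields the two paths into the database host, and `key_vulnerabilities(REACH, VULNS, "db")` reports that patching either VULN-DB-1 or VULN-WEB-1 alone severs every path, whereas patching VULN-APP-1 alone does not.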
Keywords: Intrusion Detection, Situational Awareness, Attack Scenario, Internal Server, Network Attack
This material is based upon work supported by the Homeland Security Advanced Research Projects Agency under contract FA8750-05-C-0212, administered by the Air Force Research Laboratory/Rome; by the Air Force Research Laboratory/Rome under contract FA8750-06-C-0246; by the Federal Aviation Administration under contract DTFAWA-08-F-GMU18; by the Air Force Office of Scientific Research under grants FA9550-07-1-0527 and FA9550-08-1-0157; and by the National Science Foundation under grants CT-0716567, CT-0716323, and CT-0627493. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsoring organizations.