In defending a network against intrusions, individual vulnerabilities may look like acceptable risks when considered in isolation, yet an intruder can chain such vulnerabilities into a multi-step intrusion and penetrate a seemingly well-guarded network. Relying on a human analyst's experience and skill to identify such threats is error-prone and makes network hardening an art rather than a science. Existing attack-graph tools can reveal these threats by enumerating all attack paths that lead to critical resources, but they do not provide a direct solution for removing them. This book introduces automated solutions for hardening a network against sophisticated multi-step intrusions. We first review the necessary background on related concepts, such as attack graphs and their application to network hardening. We then describe a hardening technique whose solutions are expressed in terms of initially satisfied conditions, which makes them more readily enforceable. After discussing the complexity of the problem, we present an improved technique that accounts for the dependencies among hardening options and uses a near-optimal approximation algorithm that scales linearly with the size of its input; its performance is validated experimentally.
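The following is an added illustration, not code from the book or its authors, of what "hardening solutions expressed in terms of initially satisfied conditions" means on a constructed three-host attack graph. The exploit names, the initial conditions, the goal `root(2)` and the per-condition disabling costs are all assumptions made for the example. It enumerates every inclusion-minimal set of initial conditions whose removal cuts all attack paths to the goal, picks the cheapest one exhaustively, and contrasts that with a simple cost-aware greedy heuristic; the greedy rule here is a generic benefit-per-cost choice, not the book's own approximation algorithm.

```python
from itertools import combinations

# Constructed attack graph for a hypothetical network with hosts 0, 1 and 2
# (the attacker starts with user access on host 0). Each exploit maps to
# (preconditions, postconditions) in the usual attack-graph notation.
EXPLOITS = {
    "ftp_rhosts(0,1)": ({"ftp(0,1)", "user(0)"}, {"trust(1,0)"}),
    "rsh(0,1)":        ({"trust(1,0)", "user(0)"}, {"user(1)"}),
    "sshd_bof(0,1)":   ({"sshd(0,1)", "user(0)"}, {"user(1)"}),
    "ftp_rhosts(1,2)": ({"ftp(1,2)", "user(1)"}, {"trust(2,1)"}),
    "rsh(1,2)":        ({"trust(2,1)", "user(1)"}, {"user(2)"}),
    "local_bof(2)":    ({"user(2)"}, {"root(2)"}),
}

# Initially satisfied conditions: the only ones an administrator can act on
# directly. Intermediate conditions such as user(1) cannot be "disabled".
INITIAL = {"user(0)", "ftp(0,1)", "sshd(0,1)", "ftp(1,2)"}
GOAL = "root(2)"

# Assumed cost of disabling each initial condition. user(0) is the attacker's
# own foothold, so it is not a hardening option at all.
COST = {"ftp(0,1)": 20, "sshd(0,1)": 50, "ftp(1,2)": 10}


def reachable(initial):
    """Forward closure: every condition the attacker can obtain from `initial`."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for pre, post in EXPLOITS.values():
            if pre <= known and not post <= known:
                known |= post
                changed = True
    return known


def goal_reachable(disabled):
    """True if GOAL is still attainable after removing `disabled` from INITIAL."""
    return GOAL in reachable(INITIAL - set(disabled))


def minimal_hardening_sets():
    """All inclusion-minimal sets of disableable initial conditions that cut
    every attack path to GOAL (exhaustive, so exponential in the options)."""
    options = sorted(COST)
    found = []
    for k in range(1, len(options) + 1):
        for combo in combinations(options, k):
            s = frozenset(combo)
            if not goal_reachable(s) and not any(m < s for m in found):
                found.append(s)
    return found


def solution_cost(solution):
    return sum(COST[c] for c in solution)


def optimal_solution():
    """Minimum-cost hardening set, chosen from the exhaustive enumeration."""
    return min(minimal_hardening_sets(), key=solution_cost)


def greedy_solution():
    """Heuristic: repeatedly disable the option that removes the most
    attacker-reachable conditions per unit cost until GOAL is cut off."""
    disabled = set()
    while goal_reachable(disabled):
        candidates = [c for c in COST if c not in disabled]
        if not candidates:
            raise RuntimeError("goal cannot be cut by the available options")
        before = len(reachable(INITIAL - disabled))
        best = max(
            candidates,
            key=lambda c: (before - len(reachable(INITIAL - disabled - {c}))) / COST[c],
        )
        disabled.add(best)
    return frozenset(disabled)


if __name__ == "__main__":
    for s in minimal_hardening_sets():
        print("hardening set", sorted(s), "cost", solution_cost(s))
    print("optimal:", sorted(optimal_solution()))
    print("greedy: ", sorted(greedy_solution()))
```

Two points the example makes concrete. First, the solutions are disjunctions of sets of initial conditions (here, disable `ftp(1,2)`, or disable both `ftp(0,1)` and `sshd(0,1)`), so each one is something an administrator can actually enforce. Second, hardening options depend on each other: disabling `ftp(0,1)` alone buys nothing, because `sshd_bof(0,1)` still yields `user(1)`, which is exactly why a solution must be evaluated as a set rather than one vulnerability at a time.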
Keywords: Intrusion Detection; Intrusion Detection System; Automated Approach; Vulnerability Analysis; Network Hardening