
Introduction

  • Lingyu Wang
  • Massimiliano Albanese
  • Sushil Jajodia
Chapter
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)

Abstract

In defending networks against potential intrusions, certain vulnerabilities may seem acceptable risks when considered in isolation, whereas an intruder may combine such vulnerabilities for a multi-step intrusion and successfully infiltrate a seemingly well-guarded network. Relying on human analysts' experience and skills to identify such a threat is error-prone and renders the task of network hardening an art, rather than a science. Existing tools based on attack graphs can reveal such threats by enumerating all possible attack paths leading to critical resources, but they cannot provide a direct solution to remove the threats. In this book, we introduce automated solutions for hardening a network against sophisticated multi-step intrusions. Specifically, we first review necessary background information on related concepts, such as attack graphs and their application to network hardening. We then describe a network hardening technique to generate hardening solutions comprised of initially satisfied conditions, which makes the solution more enforceable. Following a discussion of the complexity issues, we devise an improved technique that takes into consideration the dependencies between hardening options and employs a near-optimal approximation algorithm to scale linearly with the size of the inputs, whose performance is validated experimentally.

Keywords

  • Intrusion Detection
  • Intrusion Detection System
  • Automate Approach
  • Vulnerability Analysis
  • Network Hardening
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© The Author(s) 2014

Authors and Affiliations

  • Lingyu Wang (1)
  • Massimiliano Albanese (2)
  • Sushil Jajodia (2)

  1. Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, Canada
  2. Center for Secure Information Systems, George Mason University, Fairfax, USA
