Minimum-Cost Network Hardening

  • Lingyu Wang
  • Massimiliano Albanese
  • Sushil Jajodia
Part of the SpringerBriefs in Computer Science book series (BRIEFSCOMPUTER)


In defending one’s network against cyber attacks, certain vulnerabilities may seem acceptable risks when considered in isolation. But an intruder can often infiltrate a seemingly well-guarded network through a multi-step intrusion, in which each step prepares for the next. Attack graphs can reveal the threat by enumerating possible sequences of exploits that can be followed to compromise given critical resources. However, attack graphs do not directly provide a solution to remove the threat. Finding a solution by hand is error-prone and tedious, particularly for larger and less secure networks whose attack graphs are overly complicated. In this chapter, we propose a solution to automate the task of hardening a network against multi-step intrusions. More specifically, we first represent given critical resources as a logic proposition of initial conditions. We then simplify the proposition to make hardening options explicit. Among the options we finally choose solutions with the minimum cost.
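The three steps above (express the goal condition as a proposition over initial conditions, put it in disjunctive normal form, then pick the cheapest way to falsify it) can be worked through on a toy attack graph. The following is an added example, not code or data from the chapter: the hosts, exploits, condition names and removal costs are constructed for illustration, and the two-exploit cycle between hosts 1 and 2 is included only to show why the backward search must stop when it meets a condition already on the current path (the monotonicity assumption: an attacker gains nothing by re-deriving a condition it already needs). The hardening options are obtained by negating the goal's DNF and distributing it back into DNF, which yields the minimal sets of initial conditions to disable.

```python
"""Minimum-cost network hardening over a small attack graph.

Constructed example (hypothetical hosts, exploits and costs, not the
chapter's own data). Conditions are strings; a DNF is a frozenset of
frozensets, each inner set being one conjunction of initial conditions.
"""
from itertools import product

# Exploit name -> (preconditions, the single condition it yields).
# Host 0 is the attacker's machine; the goal is root on host 2.
EXPLOITS = {
    "ftp_rhosts(0,1)": ({"user(0)", "ftp(0,1)"}, "trust(1,0)"),
    "rsh(0,1)":        ({"user(0)", "trust(1,0)"}, "user(1)"),
    "sshd_bof(0,1)":   ({"user(0)", "sshd(0,1)"}, "user(1)"),
    "ftp_rhosts(0,2)": ({"user(0)", "ftp(0,2)"}, "trust(2,0)"),
    "rsh(0,2)":        ({"user(0)", "trust(2,0)"}, "user(2)"),
    "ftp_rhosts(1,2)": ({"user(1)", "ftp(1,2)"}, "trust(2,1)"),
    "rsh(1,2)":        ({"user(1)", "trust(2,1)"}, "user(2)"),
    # The next two exploits form a cycle 1 -> 2 -> 1; they never help
    # reach root(2) and must not appear in the result.
    "ftp_rhosts(2,1)": ({"user(2)", "ftp(2,1)"}, "trust(1,2)"),
    "rsh(2,1)":        ({"user(2)", "trust(1,2)"}, "user(1)"),
    "local_bof(2)":    ({"user(2)"}, "root(2)"),
}

# Hypothetical cost of removing each initial condition. user(0) is the
# attacker's own access and is effectively not removable by the defender.
COST = {"user(0)": 1000, "ftp(0,1)": 20, "sshd(0,1)": 50,
        "ftp(0,2)": 20, "ftp(1,2)": 20, "ftp(2,1)": 20}

# Initial conditions are exactly those no exploit produces.
DERIVED = {post for _, post in EXPLOITS.values()}


def absorb(dnf):
    """Drop disjuncts that strictly contain another: x OR (x AND y) == x."""
    return frozenset(d for d in dnf if not any(o < d for o in dnf))


def conjoin(a, b):
    """AND of two DNFs: union every pair of disjuncts, then simplify.
    An empty DNF is False, and {frozenset()} (one empty conjunction) is True."""
    return absorb(frozenset(x | y for x, y in product(a, b)))


def goal_as_dnf(cond, stack=frozenset()):
    """Express `cond` as a DNF over initial conditions.
    Each disjunct is one minimal set of initial conditions sufficient
    for an attacker to reach `cond` via some chain of exploits."""
    if cond not in DERIVED:
        return frozenset({frozenset({cond})})     # atom: an initial condition
    if cond in stack:
        return frozenset()                        # already needed on this path: cycle, so False
    result = set()
    for pre, post in EXPLOITS.values():
        if post != cond:
            continue
        dnf = frozenset({frozenset()})            # True; an exploit ANDs its preconditions
        for p in pre:
            dnf = conjoin(dnf, goal_as_dnf(p, stack | {cond}))
            if not dnf:                           # one precondition unreachable: exploit is out
                break
        result |= dnf                             # alternative exploits are ORed
    return absorb(frozenset(result))


def hardening_options(goal_dnf):
    """Negate the goal and distribute back into DNF.
    NOT(OR of ANDs) is an AND over the disjuncts of (OR of the negated
    literals); distributing that gives every minimal set of initial
    conditions whose removal makes the goal unreachable."""
    options = frozenset({frozenset()})
    for disjunct in goal_dnf:
        options = conjoin(options, frozenset(frozenset({c}) for c in disjunct))
    return options


def minimum_cost_hardening(goal, cost=COST):
    """Cheapest hardening option for `goal`; ties broken by sorted name list."""
    options = hardening_options(goal_as_dnf(goal))
    return min(options, key=lambda opt: (sum(cost[c] for c in opt), sorted(opt)))


if __name__ == "__main__":
    dnf = goal_as_dnf("root(2)")
    print("root(2) =", " OR ".join("(" + " AND ".join(sorted(d)) + ")" for d in dnf))
    for opt in sorted(hardening_options(dnf), key=lambda o: sum(COST[c] for c in o)):
        print("disable", sorted(opt), "cost", sum(COST[c] for c in opt))
    print("chosen:", sorted(minimum_cost_hardening("root(2)")))
```

On this graph the goal reduces to three attack paths, user(0) AND ftp(0,2), user(0) AND ftp(0,1) AND ftp(1,2), and user(0) AND sshd(0,1) AND ftp(1,2); the hardening options are to remove user(0), or ftp(0,2) together with ftp(1,2), or ftp(0,2) together with both ftp(0,1) and sshd(0,1), of which the second is cheapest. Both `conjoin` calls distribute a cross product, so the intermediate DNFs can grow exponentially on graphs with many independent branches; the absorption step after every product is what keeps this manageable in practice, and it is the reason a by-hand search over a large attack graph is unreliable.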


Keywords: Goal Condition; Logic Proposition; Critical Resource; Disjunctive Normal Form; Forward Search



Copyright information

© The Author(s) 2014

Authors and Affiliations

  • Lingyu Wang, Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montreal, Canada
  • Massimiliano Albanese, Center for Secure Information Systems, George Mason University, Fairfax, USA
  • Sushil Jajodia, Center for Secure Information Systems, George Mason University, Fairfax, USA
