Abstract
With the increase of network size, there are more and more potential vulnerabilities, which makes it difficult to conduct penetration testing in multihost networks. Attack graph is a useful tool for penetration testing to analyze the relevance of vulnerabilities between hosts and provides a visual view for attack path planning. However, previous works on attack graph generation are inefficient and not applicable to practical penetration testing process. In this paper, we propose an automated vulnerability modeling and verification approach for penetration testing, which generates attack graph efficiently and can be applied to attack process. Petri net is adopted for vulnerability modeling and attack graph synthesis. We implement a prototype system named Automatic Penetration Testing System to verify our method. The system is tested in real networks and the experiment results show the efficiency of our approach.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Guo, P., Wang, J., Li, B., Lee, S.: A variable threshold-value authentication architecture for wireless mesh networks. J. Internet Technol. 15(6), 929–936 (2014)
Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proceedings of the Workshop on New Security Paradigms, pp. 71–79. ACM (1998)
Shen, J., Tan, H., Wang, J., Wang, J., Lee, S.: A novel routing protocol providing good transmission reliability in underwater sensor networks. J. Internet Technol. 16(1), 171–178 (2015)
Tinghuai, M., Jinjuan, Z., Meili, T., Yuan, T., Abdullah, A.-D., Mznah, A.-R., Sungyoung, L.: Social network and tag sources based augmenting collaborative recommender system. IEICE Trans. Inf. Syst. 98(4), 902–910 (2015)
McDermott, J.P.: Attack net penetration testing. In: Proceedings of the Workshop on New Security Paradigms, pp. 15–21. ACM (2001)
Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 273–284. IEEE (2002)
Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM (2006)
Bishop, M.: About penetration testing. IEEE Secur. Priv. 5(6), 84–87 (2007)
Yun, Y., Xishan, X., Zhichang, Q., Xueyang, W.: Attack graph generation algorithm for large-scale network system. J. Comput. Res. Dev. 10, 011 (2013)
Qiu, X., Wang, S., Jia, Q., Xia, C., Lv, L.: Automatic generation algorithm of penetration graph in penetration testing. In: Proceedings of the 2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, pp. 531–537. IEEE (2014)
Jha, S., Sheyner, O., Wing, J.: Two formal analyses of attack graphs. In: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, pp. 49–63. IEEE (2002)
Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: Proceedings of the 14th Conference on USENIX Security Symposium, vol. 14, p. 8. USENIX Association (2005)
Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats, pp. 247–266. Springer, Heidelberg (2005)
Kotenko, I., Stepashkin, M.: Attack Graph Based Evaluation of Network Security. In: Leitold, H., Markatos, E.P. (eds.) CMS 2006. LNCS, vol. 4237, pp. 216–227. Springer, Heidelberg (2006). doi:10.1007/11909033_20
Chen, F.: A Hierarchical Network Security Risk Evaluation Approach Based on Multi-goal Attack Graph. National university of defense technology, Chang sha (2009)
Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 86–95. IEEE (2003)
Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. Comput. Commun. 29(18), 3812–3824 (2006)
Wang, S., Zhang, Z., Kadobayashi, Y.: Exploring attack graph for cost-benefit security hardening: a probabilistic approach. Comput. Secur. 32, 158–169 (2013)
Wu, D., Lian, Y.-F., Chen, K., Liu, Y.-L.: A security threats identification and analysis method based on attack graph. Jisuanji Xuebao (Chin. J. Comput.), 35(9), 1938–1950 (2012)
Acknowledgements
This work is supported by Natural Science Foundation of Jiangsu Province (BK20150758), Foundation of Graduate Innovation Center in NUAA (kfjj20151609), Chinese Postdoctoral Science Foundation (No. 2014M561644), the Fundamental Research Funds for the Central Universities (No. NS2016096), Jiangsu Province Postdoctoral Science Foundation (No. 1402034C), and Open Project Foundation of Information Technology Research Base of Civil Aviation Administration of China (No. CAAC-ITRB-201405).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Luan, J., Wang, J., Xue, M. (2016). Automated Vulnerability Modeling and Verification for Penetration Testing Using Petri Nets. In: Sun, X., Liu, A., Chao, HC., Bertino, E. (eds) Cloud Computing and Security. ICCCS 2016. Lecture Notes in Computer Science(), vol 10040. Springer, Cham. https://doi.org/10.1007/978-3-319-48674-1_7
Download citation
DOI: https://doi.org/10.1007/978-3-319-48674-1_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48673-4
Online ISBN: 978-3-319-48674-1
eBook Packages: Computer ScienceComputer Science (R0)