Scalable Attack Path Finding for Increased Security

  • Tom GondaEmail author
  • Rami Puzis
  • Bracha Shapira
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10332)


Software vulnerabilities can be leveraged by attackers to gain control of a host. Attackers can then use the controlled hosts as stepping stones for compromising other hosts until they create a path to the critical assets. Consequently, network administrators must examine the protected network as a whole rather than each vulnerable host independently. To this end, various methods were suggested in order to analyze the multitude of attack paths in a given organizational network, for example, to identify the optimal attack paths. The down side of many of those methods is that they do not scale well to medium-large networks with hundreds or thousands of hosts. We suggest using graph reduction techniques in order to simplify the task of searching and eliminating optimal attacker paths. Results on an attack graph extracted from a network of a real organization with more than 300 hosts and 2400 vulnerabilities show that using the proposed graph reductions can improve the search time by a factor of 4 while maintaining the quality of the results.


Network security Attack graphs Planning Graph reduction Attack models 


  1. 1.
    Morrow, B.: Byod security challenges: control and protect your most sensitive data. Netw. Secur. 2012(12), 5–8 (2012)CrossRefGoogle Scholar
  2. 2.
    Zhang, S., Zhang, X., Ou, X.: After we knew it: empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across IaaS cloud. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 317–328. ACM (2014)Google Scholar
  3. 3.
    Shostack, A.: Quantifying patch management. Secure Bus. Q. 3(2), 1–4 (2003)Google Scholar
  4. 4.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217–224. ACM (2002)Google Scholar
  5. 5.
    Sheyner, O.M.: Scenario graphs and attack graphs. Ph.D. thesis, US Air Force Research Laboratory (2004)Google Scholar
  6. 6.
    Ou, X., Govindavajhala, S., Appel, A.W.: MulVAL: a logic-based network security analyzer. In: USENIX Security (2005)Google Scholar
  7. 7.
    Roberts, M., Howe, A., Ray, I., Urbanska, M., Byrne, Z.S., Weidert, J.M.: Personalized vulnerability analysis through automated planning. In: Working Notes of IJCAI 2011, Workshop Security and Artificial Intelligence (SecArt 2011), vol. 4 (2011)Google Scholar
  8. 8.
    Sarraute, C.: New algorithms for attack planning. In: FRHACK Conference, Besançon, France (2009)Google Scholar
  9. 9.
    Ghosh, N., Ghosh, S.: An intelligent technique for generating minimal attack graph. In: First Workshop on Intelligent Security on Security and Artificial Intelligence (SecArt 2009). Citeseer (2009)Google Scholar
  10. 10.
    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secure Comput. 9(1), 61–74 (2012)CrossRefGoogle Scholar
  11. 11.
    Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: 22nd Annual Conference on Computer Security Applications Conference, ACSAC 2006, pp. 121–130. IEEE (2006)Google Scholar
  12. 12.
    Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM (2006)Google Scholar
  13. 13.
    Beale, J., Deraison, R., Meer, H., Temmingh, R., Walt, C.V.D.: Nessus Network Auditing. Syngress Publishing, Rockland (2004)Google Scholar
  14. 14.
    OpenVAS Developers: The Open Vulnerability Assessment System (OpenVAS) (2012)Google Scholar
  15. 15.
    Hoffmann, J.: The Metric-FF planning system: translating “ignoring delete lists” to numeric state variables. J. Artif. Intell. Res. 20, 291–341 (2003)zbMATHGoogle Scholar
  16. 16.
    Obes, J.L., Sarraute, C., Richarte, G.: Attack planning in the real world. arXiv preprint arXiv:1306.4044 (2013)
  17. 17.
    Chen, Y., Wah, B.W., Hsu, C.W.: Temporal planning using subgoal partitioning and resolution in SGPlan. J. Artif. Intell. Res. 26, 323–369 (2006)zbMATHGoogle Scholar
  18. 18.
    Albanese, M., Jajodia, S., Noel, S.: Time-efficient and cost-effective network hardening using attack graphs. In: 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–12. IEEE (2012)Google Scholar
  19. 19.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the 2004 ACM Workshop on Visualization and Data Mining for Computer Security, pp. 109–118. ACM (2004)Google Scholar
  20. 20.
    Homer, J., Varikuti, A., Ou, X., McQueen, M.A.: Improving attack graph visualization through data reduction and attack grouping. In: Goodall, J.R., Conti, G., Ma, K.-L. (eds.) VizSec 2008. LNCS, vol. 5210, pp. 68–79. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85933-8_7 CrossRefGoogle Scholar
  21. 21.
    Zhang, S., Ou, X., Homer, J.: Effective network vulnerability assessment through model abstraction. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 17–34. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22424-9_2 CrossRefGoogle Scholar
  22. 22.
    Homer, J., Ou, X., Schmidt, D.: A sound and practical approach to quantifying security risk in enterprise networks. Kansas State University Technical Report, pp. 1–15 (2009)Google Scholar
  23. 23.
    CVSS: A complete guide to the common vulnerability scoring system (2007)Google Scholar
  24. 24.
    Shmaryahu, D.: Constructing plan trees for simulated penetration testing. In: The 26th International Conference on Automated Planning and Scheduling, vol. 121 (2016)Google Scholar
  25. 25.
    Hoffmann, J.: Simulated penetration testing: from “Dijkstra” to “turing test++”. In: ICAPS, pp. 364–372 (2015)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. 1.Department of Software and Information Systems EngineeringBen-Gurion University of the NegevBeer-ShevaIsrael

Personalised recommendations