Change-Point Detection in Enterprise Attack Surface for Network Hardening

Conference paper
Part of the Smart Innovation, Systems and Technologies book series (SIST, volume 43)


Applications of change-point detection typically originate from the perspective of enterprise network security and network monitoring. With the ever-increasing size and complexity of enterprise networks and application portfolios, network attack surface keeps changing. This change in an attack surface is detected by identifying increase or decrease in the number of vulnerabilities at network level. Vulnerabilities when exploited successfully, either provide an entry point to an adversary into the enterprise network or can be used as a milestone for staging multi-stage attacks. In this paper, we have proposed an approach for change-point detection in an enterprise network attack surface. In this approach, a sequence of static attack graphs are generated for dynamic (time varying) enterprise network,  and successive graphs in a sequence are compared for their dissimilarity for change-point detection. We have presented a small case study to demonstrate the efficacy and applicability of the proposed approach in capturing a change in network attack surface. Initial results show that our approach is capable of capturing the newly introduced vulnerabilities into the network and is able to differentiate these vulnerabilities for efficient network hardening.


Attack surface Attack graph Change-point detection Network security and protection Security metric Similarity measures 


  1. 1.
    Phillips, C., Swiler, L.: A graph-based system for network vulnerability analysis. In: Proceedings of the 1998 Workshop on New Security Paradigms (NSPW ‘98), pp. 71–79. ACM, New York (1998)Google Scholar
  2. 2.
    Ortalo, R., Deswarte, Y., Kaaniche, M.: Experimenting with quantitative evaluation tools for monitoring operational security. IEEE Trans. Softw. Eng. 25, 633–650 (1999)CrossRefGoogle Scholar
  3. 3.
    Li, W., Vaughn, B.: Cluster security research involving the modeling of network exploitations using exploitation graphs. In: Sixth IEEE International Symposium on Cluster Computing and the Grid (CCGRID ’06), vol. 2, pp. 26–26. IEEE Computer Society, Washington. May 2006Google Scholar
  4. 4.
    Idika, N., Bhargava, B.: Extending attack graph-based security metrics and aggregating their application. IEEE Trans. Dependable Secur. Comput. 9(1), 75–78 (2012)CrossRefGoogle Scholar
  5. 5.
    Noel, S., Jajodia, S.: Metrics suite for network attack graph analytics. In: 9th Annual Cyber and Information Security Research Conference (CISR ‘14), pp. 5–8. ACM, Oak Ridge National Laboratory, Tennessee, New York, April 2014Google Scholar
  6. 6.
    Wang, L., Singhal, A., Jajodia, S.: Measuring the overall security of network configurations using attack graphs. In: 21st Annual IFIP WG 11.3 Working Conference on Data and Applications Security, vol. 4602, pp. 98–112. Springer-Verlag, Berlin, Heidelberg (2007)Google Scholar
  7. 7.
    Wang, L., Liu, A., Jajodia, S.: An efficient and unified approach to correlating, hypothesizing, and predicting intrusion alerts. In: Proceedings of the 10th European Conference on Research in Computer Security (ESORICS’05), pp. 247–266. Springer-Verlag, Berlin, Heidelberg (2005)Google Scholar
  8. 8.
    Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. J. Comput. Commun. 29(18), 3812–3824 (2006)CrossRefGoogle Scholar
  9. 9.
    Sun, K., Jajodia, S.: Protecting enterprise networks through attack surface expansion. In: Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation (SafeConfig ‘14). pp. 29–32. ACM, New York (2014)Google Scholar
  10. 10.
    Ghosh, N., Ghosh, S.K.: An approach for security assessment of network configurations using attack graph. In: First International Conference on Networks and Communications 2009, (NETCOM’09), pp. 283–288, Dec 2009Google Scholar
  11. 11.
  12. 12.
    Ghosh, N., Ghosh, S.K.: A planner-based approach to generate and analyze minimal attack graph. J. Appl. Intell. 36(2), 369–390 (2012)CrossRefGoogle Scholar

Copyright information

© Springer India 2016

Authors and Affiliations

  1. 1.Center for Information Assurance & Management (CIAM)Institute for Development and Research in Banking Technology (IDRBT)Masab TankIndia
  2. 2.School of Computer and Information Sciences (SCIS)University of HyderabadGachibowliIndia

Personalised recommendations