ABSTRACT
A line of research extending over the last 20+ years applies graph-based methods to assessing and improving the security of operational computer networks, maintaining situational awareness, and assuring organizational missions. This chapter reviews key developments in these areas and places them within the context of several complementary dimensions. These dimensions are oriented to the requirements of operational security, to help guide practitioners towards matching their use cases with existing technical approaches. One dimension we consider is the phase of security operations (prevention, detection, and reaction) to which an approach applies. Another dimension is the operational layer (network infrastructure, security posture, cyberspace threats, mission dependencies) that an approach spans. We also examine the mathematical underpinnings of the various approaches as they apply to security requirements. Finally, we describe architectural aspects of the various approaches, especially as they contribute to scalability and performance.
Acknowledgements
This work was funded by the MITRE Innovation Program (as CyGraph, project number EPF-14-00341), with George Roelke as Cybersecurity Innovation Area Leader. Approved for Public Release; Distribution Unlimited. Case Number 17-4428.
© 2018 Springer Nature Switzerland AG
Noel, S. (2018). A Review of Graph Approaches to Network Security Analytics. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science(), vol 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_16
DOI: https://doi.org/10.1007/978-3-030-04834-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-04833-4
Online ISBN: 978-3-030-04834-1
eBook Packages: Computer Science (R0)