
A Review of Graph Approaches to Network Security Analytics

Chapter in the book From Database to Cyber Security

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11170)

Abstract

There is a line of research extending over 20+ years that applies graph-based methods to assessing and improving the security of operational computer networks, maintaining situational awareness, and assuring organizational missions. This chapter reviews key developments in these areas and places them within a set of complementary dimensions. These dimensions are oriented to the requirements of operational security, to help practitioners match their use cases with existing technical approaches. One dimension is the phase of security operations (prevention, detection, and reaction) to which an approach applies. Another is the operational layer (network infrastructure, security posture, cyberspace threats, mission dependencies) that an approach spans. We also examine the mathematical underpinnings of the various approaches as they apply to security requirements. Finally, we describe architectural aspects of the approaches, especially as they contribute to scalability and performance.
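The abstract names two of the phases the survey organises approaches by, prevention (assessing and hardening the network) and detection/reaction (situational awareness). The following is an added example, not code from the chapter or from any tool it reviews, showing the kind of graph analytics such approaches perform on a constructed toy network. The model is an assumption of this example, in the common exploit-dependency style: an attacker who controls a source host can run an exploit against a destination host the network lets it reach, and success yields control of that host; attack state is monotonic. The hosts, the placeholder vulnerability identifiers, the patch costs and the alerts are all constructed; the hardening step uses exhaustive search in place of the approximation algorithms that a real network would require.

```python
"""Toy attack-graph analytics over a constructed network (added example).

Assumed model, in the exploit-dependency style: an attacker who controls host
`src` can run exploit `vuln` against host `dst` when the network lets `src`
reach the vulnerable service on `dst`; success yields control of `dst`.
Attack state is monotonic: control, once gained, is never lost.
"""
from itertools import combinations

# Constructed sample topology: (src_host, dst_host, vulnerability_id).
# Vulnerability ids are placeholders for this example, not real CVEs.
EXPLOITS = [
    ("internet", "web", "VULN-WEB-RCE"),
    ("internet", "vpn", "VULN-VPN-AUTH"),
    ("web", "app", "VULN-APP-DESER"),
    ("vpn", "app", "VULN-APP-DESER"),
    ("app", "db", "VULN-DB-PRIV"),
    ("vpn", "db", "VULN-DB-PRIV"),  # flat segment: vpn reaches db directly
]

# Constructed remediation cost per vulnerability (say, hours of downtime);
# the legacy database is deliberately expensive to patch.
PATCH_COST = {"VULN-WEB-RCE": 2, "VULN-VPN-AUTH": 5,
              "VULN-APP-DESER": 8, "VULN-DB-PRIV": 20}


def reachable(exploits, start="internet"):
    """Prevention/assessment: forward fixpoint over the monotonic attack
    graph, returning every host the attacker can eventually control."""
    owned = {start}
    changed = True
    while changed:
        changed = False
        for src, dst, _ in exploits:
            if src in owned and dst not in owned:
                owned.add(dst)
                changed = True
    return owned


def attack_paths(exploits, start, goal):
    """Enumerate simple attack paths from start to goal as edge lists (DFS)."""
    paths = []

    def dfs(host, visited, path):
        if host == goal:
            paths.append(list(path))
            return
        for src, dst, vuln in exploits:
            if src == host and dst not in visited:
                path.append((src, dst, vuln))
                dfs(dst, visited | {dst}, path)
                path.pop()

    dfs(start, {start}, [])
    return paths


def min_cost_hardening(exploits, costs, start, goal):
    """Cheapest set of vulnerabilities whose removal leaves goal unreachable.

    Exhaustive over vulnerability subsets: exact but exponential in the
    number of distinct vulnerabilities, fine for a toy graph only."""
    vulns = sorted(costs)
    best = None
    for k in range(len(vulns) + 1):
        for subset in combinations(vulns, k):
            remaining = [e for e in exploits if e[2] not in subset]
            if goal not in reachable(remaining, start):
                cost = sum(costs[v] for v in subset)
                if best is None or cost < best[0]:
                    best = (cost, set(subset))
    return best


def steps_to_goal(exploits, host, goal):
    """BFS hop count from a controlled host to goal; None if unreachable."""
    frontier, dist = [host], {host: 0}
    while frontier:
        cur = frontier.pop(0)
        if cur == goal:
            return dist[cur]
        for src, dst, _ in exploits:
            if src == cur and dst not in dist:
                dist[dst] = dist[cur] + 1
                frontier.append(dst)
    return None


def prioritize_alerts(exploits, alerts, goal):
    """Detection/reaction: rank observed exploit alerts (same edge tuples) by
    how few further steps they leave between the attacker and the goal.
    Alerts whose destination cannot reach the goal are dropped."""
    scored = [(steps_to_goal(exploits, dst, goal), (src, dst, vuln))
              for src, dst, vuln in alerts]
    ranked = sorted((s for s in scored if s[0] is not None), key=lambda s: s[0])
    return [edge for _, edge in ranked]


if __name__ == "__main__":
    print("attacker can reach:", sorted(reachable(EXPLOITS)))
    for p in attack_paths(EXPLOITS, "internet", "db"):
        print("path:", " -> ".join(f"{s}~{d}[{v}]" for s, d, v in p))
    print("min-cost hardening:",
          min_cost_hardening(EXPLOITS, PATCH_COST, "internet", "db"))
    # Constructed IDS alerts, one per observed exploit attempt.
    alerts = [("internet", "web", "VULN-WEB-RCE"),
              ("web", "app", "VULN-APP-DESER")]
    print("alerts by urgency:", prioritize_alerts(EXPLOITS, alerts, "db"))
```

On this constructed graph the cheapest cut is not the last hop into the database (cost 20) but the two perimeter exploits together (cost 7), which is the kind of non-obvious result minimum-cost hardening over an attack graph is meant to surface. The alert ranking puts the exploit against the app host ahead of the one against the web host because it leaves the attacker one step, rather than two, from the goal.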



Acknowledgements

This work was funded by the MITRE Innovation Program (as CyGraph, project number EPF-14-00341), with George Roelke as Cybersecurity Innovation Area Leader. Approved for Public Release; Distribution Unlimited. Case Number 17-4428.

Author information

Corresponding author: Steven Noel.


Copyright information

© 2018 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Noel, S. (2018). A Review of Graph Approaches to Network Security Analytics. In: Samarati, P., Ray, I., Ray, I. (eds) From Database to Cyber Security. Lecture Notes in Computer Science, vol. 11170. Springer, Cham. https://doi.org/10.1007/978-3-030-04834-1_16


  • DOI: https://doi.org/10.1007/978-3-030-04834-1_16
  • Publisher: Springer, Cham
  • Print ISBN: 978-3-030-04833-4
  • Online ISBN: 978-3-030-04834-1
