| Title | Automated Vulnerability Testing via Executable Attack Graphs |
| Publication Type | Conference Paper |
| Year of Publication | 2020 |
| Authors | Malzahn, D., Birnbaum, Z., Wright-Hamor, C. |
| Conference Name | 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security) |
| Keywords | Attack Graphs, automated vulnerability and risk analysis, automated vulnerability testing, automatic test software, AVRA, composability, computer network security, cyber attack graphs, cyber risk assessment process, cyber risk assessment uncertainty, cyber risk assessments, cyber risk reduction, decision making, end-to-end process, executable attack graphs, graph theory, individual attack paths, Predictive Metrics, pubcrawl, reachability analysis, Resiliency, risk analysis, security issues, suboptimal decision making, virtual environment, vulnerability assessments, vulnerability scans |
| Abstract | Cyber risk assessments are an essential process for analyzing and prioritizing security issues. Unfortunately, many risk assessment methodologies are marred by human subjectivity, resulting in non-repeatable, inconsistent findings. The absence of repeatable and consistent results can lead to suboptimal decision making with respect to cyber risk reduction. There is a pressing need to reduce cyber risk assessment uncertainty by using tools that use well defined inputs, producing well defined results. This paper presents Automated Vulnerability and Risk Analysis (AVRA), an end-to-end process and tool for identifying and exploiting vulnerabilities, designed for use in cyber risk assessments. The approach presented is more comprehensive than traditional vulnerability scans due to its analysis of an entire network, integrating both host and network information. AVRA automatically generates a detailed model of the network and its individual components, which is used to create an attack graph. Then, AVRA follows individual attack paths, automatically launching exploits to reach a particular objective. AVRA was successfully tested within a virtual environment to demonstrate practicality and usability. The presented approach and resulting system enhances the cyber risk assessment process through rigor, repeatability, and objectivity. |
| DOI | 10.1109/CyberSecurity49315.2020.9138852 |
| Citation Key | malzahn_automated_2020 |
Automated Vulnerability Testing via Executable Attack Graphs