Title: An Optimization Approach to Graph Partitioning for Detecting Persistent Attacks in Enterprise Networks
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Soliman, H. M.
Conference Name: 2020 International Symposium on Networks, Computers and Communications (ISNCC)
Date Published: Oct
Keywords: actual attack plan, advanced persistent threats, Attack Graphs, Chained Attacks, computer network security, Correlation, detection algorithms, enterprise networks, false-positives, graph partitioning, graph theory, kill chain progression, Linear programming, multistep attacks, Optimization, optimization approach, Persistent attacks, pubcrawl, resilience, Resiliency, Scalability, security, security of data, security perspective, security-aware partitions, security-context, skilled adversaries, smaller incidents, Standards, Topology, underlying attack
Abstract: Advanced Persistent Threats (APTs) refer to sophisticated, prolonged and multi-step attacks, planned and executed by skilled adversaries targeting government and enterprise networks. Attack graphs' topologies can be leveraged to detect, explain and visualize the progress of such attacks. However, due to the abundance of false-positives, such graphs are usually overwhelmingly large and difficult for an analyst to understand. Graph partitioning refers to the problem of reducing the graph of alerts to a set of smaller incidents that are easier for an analyst to process and better represent the actual attack plan. Existing approaches are oblivious to the security-context of the problem at hand and result in graphs which, while smaller, make little sense from a security perspective. In this paper, we propose an optimization approach allowing us to generate security-aware partitions, utilizing aspects such as the kill chain progression, number of assets involved, as well as the size of the graph. Using real-world datasets, the results show that our approach produces graphs that are better at capturing the underlying attack compared to state-of-the-art approaches and are easier for the analyst to understand.
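To make the abstract's idea of a security-aware partition concrete, the following added example (not the paper's algorithm or code) builds a small constructed alert graph and splits it with a greedy merge driven by an assumed objective: it rewards kill-chain progression and asset coherence inside an incident and penalises incident size, with a fixed per-incident overhead so that fragments are merged when nothing is lost. The paper formulates this as an optimization (its keywords cite linear programming); the greedy merge, the stage list, the weights and the alerts here are stand-ins chosen for illustration.

```python
"""Illustrative security-aware partitioning of an alert graph.

Added example; NOT the paper's method. All names, weights and alerts below
are assumptions constructed for this demonstration.
"""
from collections import deque

# Assumed kill-chain stage order; the index measures progression.
KILL_CHAIN = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]
STAGE = {name: i for i, name in enumerate(KILL_CHAIN)}

# Constructed sample alerts: alert id -> (kill-chain stage, asset).
# Alerts 1-5 form a plausible intrusion; 6-8 are scanner noise (false positives).
ALERTS = {
    1: ("recon", "web01"),
    2: ("deliver", "web01"),
    3: ("exploit", "web01"),
    4: ("install", "web01"),
    5: ("c2", "db02"),
    6: ("recon", "hr07"),
    7: ("recon", "hr07"),
    8: ("recon", "hr08"),
}
# Constructed correlation edges (undirected). Edge (3, 6) is a spurious
# correlation that glues the noise onto the real chain.
EDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (6, 7), (7, 8), (3, 6)]

# Assumed weights: reward distinct stages covered, penalise the number of
# distinct assets and the squared size, and charge a fixed cost per incident.
WEIGHTS = {"chain": 2.0, "assets": 0.5, "size": 0.1, "incident": 0.5}


def connected_components(alerts, edges):
    """Plain connectivity: what an analyst gets before any partitioning."""
    adj = {n: set() for n in alerts}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    seen, comps = set(), []
    for start in alerts:
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            n = queue.popleft()
            comp.append(n)
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        comps.append(sorted(comp))
    return sorted(comps, key=len, reverse=True)


def incident_score(nodes, alerts=ALERTS, w=WEIGHTS):
    """Security-aware value of one incident (higher is better)."""
    stages = {STAGE[alerts[n][0]] for n in nodes}
    assets = {alerts[n][1] for n in nodes}
    progression = len(stages) - 1          # a lone alert shows no progression
    return (w["chain"] * progression
            - w["assets"] * len(assets)
            - w["size"] * len(nodes) ** 2  # superlinear: large incidents are costly to read
            - w["incident"])               # fixed overhead per incident the analyst must open


def partition_alerts(alerts=ALERTS, edges=EDGES, w=WEIGHTS):
    """Greedy merge along correlation edges while the total score improves."""
    part_of = {n: n for n in alerts}             # node -> partition id
    members = {n: {n} for n in alerts}           # partition id -> node set
    while True:
        best = None
        for u, v in edges:
            a, b = part_of[u], part_of[v]
            if a == b:
                continue
            merged = members[a] | members[b]
            gain = (incident_score(merged, alerts, w)
                    - incident_score(members[a], alerts, w)
                    - incident_score(members[b], alerts, w))
            if gain > 0 and (best is None or gain > best[0]):
                best = (gain, a, b)
        if best is None:
            break
        _, a, b = best
        members[a] |= members.pop(b)
        for n in members[a]:
            part_of[n] = a
    return sorted((sorted(m) for m in members.values()), key=len, reverse=True)


if __name__ == "__main__":
    print("raw components:", connected_components(ALERTS, EDGES))
    for inc in partition_alerts():
        print("incident", inc, "score", round(incident_score(inc), 2))
```

On this constructed input the raw correlation graph is a single eight-alert component, which is the "overwhelmingly large" graph the abstract describes; the security-aware merge yields two incidents, the five-alert recon-to-C2 chain on web01/db02 and a three-alert recon cluster, because attaching the recon noise to the chain adds no new stage while increasing size. The weights are illustrative and would in practice be tuned against labelled incidents.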
DOI: 10.1109/ISNCC49221.2020.9297233
Citation Key: soliman_optimization_2020