Modeling Modern Network Attacks and Countermeasures Using Attack Graphs

Title: Modeling Modern Network Attacks and Countermeasures Using Attack Graphs
Publication Type: Conference Paper
Year of Publication: 2009
Authors: Ingols, Kyle; Chu, Matthew; Lippmann, Richard; Webster, Seth; Boyer, Stephen
Conference Name: 2009 Annual Computer Security Applications Conference
Keywords: Analytical models, Application software, attack graph, attack tree, authorisation, client-side attack, composability, Computational modeling, computer network security, computer networks, computer security, Computer worms, enterprise networks risk measurement, graph theory, host based vulnerability scan, intrusion prevention system, Laboratories, military computing, modeling modern network attack, NetSPA attack graph system, network defense, network reachability, personal firewall, point-to-point reachability algorithm, Predictive Metrics, protection, proxy firewall, pubcrawl, reachability analysis, Resiliency, reverse reachability computation, risk management, SCAP, Zero Day Attacks and Defense, zero-day exploit
Abstract: By accurately measuring risk for enterprise networks, attack graphs allow network defenders to understand the most critical threats and select the most effective countermeasures. This paper describes substantial enhancements to the NetSPA attack graph system required to model additional present-day threats (zero-day exploits and client-side attacks) and countermeasures (intrusion prevention systems, proxy firewalls, personal firewalls, and host-based vulnerability scans). Point-to-point reachability algorithms and structures were extensively redesigned to support "reverse" reachability computations and personal firewalls. Host-based vulnerability scans are imported and analyzed. Analysis of an operational network with 84 hosts demonstrates that client-side attacks pose a serious threat. Experiments on larger simulated networks demonstrated that NetSPA's previous excellent scaling is maintained. Less than two minutes are required to completely analyze a four-enclave simulated network with more than 40,000 hosts protected by personal firewalls.
DOI: 10.1109/ACSAC.2009.21
Citation Key: ingols_modeling_2009