Fast Network Attack Modeling and Security Evaluation based on Attack Graphs

Authors

  • Igor Kotenko Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), 39, 14th Liniya, St. Petersburg, Russia
  • Andrey Chechulin Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), 39, 14th Liniya, St. Petersburg, Russia

DOI:

https://doi.org/10.13052/jcsm2245-1439.312

Keywords:

network attack modeling, attack graphs, security evaluation, near real time, security information and event management

Abstract

The paper suggests an approach to network attack modeling and security evaluation that is realized in advanced Security Information and Event Management (SIEM) systems. It is based on modeling the computer network and the malefactors’ behavior, building attack graphs, processing current alerts to adjust particular attack graphs in real time, calculating different security metrics and providing security assessment procedures. The novelty of the proposed approach lies in special algorithms for the construction, modification and analysis of attack graphs aimed at rapid security evaluation, which makes the approach usable in SIEM systems that operate in near real time. The generalized architecture of the Attack Modeling and Security Evaluation Component (AMSEC), one of the main analytical components of SIEM systems, is outlined. The main components and techniques for attack modeling and security evaluation are defined. A prototype of the AMSEC is presented, and experiments with this prototype are evaluated.


Author Biographies

Igor Kotenko, Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), 39, 14th Liniya, St. Petersburg, Russia

Igor Kotenko is a professor of computer science and Head of the Research Laboratory of Computer Security Problems of the St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences. He graduated with honors from the St. Petersburg Academy of Space Engineering and the St. Petersburg Signal Academy, obtained his Ph.D. degree in 1990 and the National degree of Doctor of Engineering Science in 1999. He is the author of more than 200 refereed publications, including 12 textbooks and monographs. Igor Kotenko has extensive experience in research on computer network security and has participated in several projects developing new security technologies. For example, he was a project leader in research projects for the US Air Force research department, via its EOARD (European Office of Aerospace Research and Development) branch, EU FP7 and FP6 projects, HP, Intel, F-Secure, etc. His research results have been tested and implemented in more than fifty Russian research and development projects.


Andrey Chechulin, Laboratory of Computer Security Problems, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS), 39, 14th Liniya, St. Petersburg, Russia

Andrey Chechulin received his B.S. and M.S. in computer science and computer facilities from Saint-Petersburg State Polytechnical University, Saint-Petersburg, Russia, and his PhD from the St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (SPIIRAS). He is now a senior researcher at the Laboratory of Computer Security Problems of SPIIRAS. He is the author of more than 30 refereed publications. His primary research interests include computer network security, intrusion detection, network traffic analysis and vulnerability analysis.

Published

2014-06-05

How to Cite

Kotenko I, Chechulin A. Fast Network Attack Modeling and Security Evaluation based on Attack Graphs. JCSANDM [Internet]. 2014 Jun. 5 [cited 2024 Apr. 18];3(1):27-46. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/6167
