Abstract
The National Vulnerability Database (NVD), maintained by the US National Institute of Standards and Technology, provides valuable information about vulnerabilities in popular software as well as any patches available to address them. Most enterprise security managers today simply patch the most dangerous vulnerabilities; an adversary can therefore compromise an enterprise by exploiting the less important vulnerabilities that remain. In this article, we capture the vulnerabilities in an enterprise as a Vulnerability Dependency Graph (VDG) and show that attack graphs can be expressed in them. We first ask the question: what set of vulnerabilities should an attacker exploit in order to maximize his expected impact? We show that this problem can be solved as an integer linear program. The defender would obviously like to minimize the impact of the worst-case attack mounted by the attacker, but the defender also has an obligation to ensure high productivity within his enterprise. We propose an algorithm that finds a Pareto-optimal solution for the defender, allowing him to simultaneously maximize productivity and minimize the cost of patching products on the enterprise network. We have implemented this framework and show that the runtimes of our computations are all within acceptable time bounds even for large VDGs containing 30K edges, and that the balance between productivity and impact of attacks is also acceptable.
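The following is an added illustration of the two optimisation problems the abstract describes; it is not code from the paper, and the model is a simplified stand-in, not the authors' formulation. It assumes a small constructed VDG in which a vulnerability is exploitable once any one of its prerequisites has been exploited, an attacker limited to a fixed number of exploits, and a defender who patches whole products at a productivity cost. The attacker's problem is written out as a binary program in a comment but solved by enumeration because the instance is tiny; the defender's Pareto frontier (productivity loss versus worst-case impact) is likewise enumerated over all patch sets.

```python
"""Toy vulnerability-dependency-graph (VDG) model: the attacker's
impact-maximisation problem and the defender's productivity/impact
Pareto frontier, solved by exhaustive enumeration on a small instance.
Simplified stand-in model, not the formulation from the paper."""
from itertools import combinations

# Constructed sample VDG (assumption, not data from the paper).
# vuln -> (product, impact, prerequisites). A vulnerability with no
# prerequisites is an entry point reachable from outside the network;
# an edge u -> v means exploiting u gives the attacker what is needed
# to exploit v (OR semantics: any one exploited prerequisite suffices).
VDG = {
    "v1": ("web",        2, ()),
    "v2": ("mail",       1, ()),
    "v3": ("fileserver", 4, ("v1", "v2")),
    "v4": ("db",         8, ("v3",)),
    "v5": ("db",         3, ("v1",)),
}
# Productivity cost of patching a product (downtime, disabled features);
# constructed values.
PATCH_COST = {"web": 3, "mail": 2, "fileserver": 4, "db": 5}


def is_feasible_attack(chosen: frozenset) -> bool:
    """A chosen set is a valid attack if every vuln in it can be reached
    from an entry point using only chosen vulns. Fixed-point propagation
    rather than a single pass, so cyclic graphs are handled correctly."""
    reached = {v for v in chosen if not VDG[v][2]}
    changed = True
    while changed:
        changed = False
        for v in chosen - reached:
            if any(p in reached for p in VDG[v][2]):
                reached.add(v)
                changed = True
    return reached == chosen


def best_attack(available, budget):
    """Attacker: maximise total impact using at most `budget` exploits.
    On an acyclic VDG this is the binary program
        max  sum_v impact_v * x_v
        s.t. x_v <= sum_{u in pre(v)} x_u   for every non-entry v
             sum_v x_v <= budget,  x_v in {0,1}
    Here it is solved by enumerating subsets because the instance is tiny."""
    avail = sorted(available)
    best_val, best_set = 0, frozenset()
    for k in range(1, min(budget, len(avail)) + 1):
        for combo in combinations(avail, k):
            s = frozenset(combo)
            if is_feasible_attack(s):
                val = sum(VDG[v][1] for v in s)
                if val > best_val:
                    best_val, best_set = val, s
    return best_val, best_set


def evaluate_patch_set(patched, budget):
    """Defender's two objectives for one patch set:
    (productivity loss, worst-case attacker impact on what remains)."""
    loss = sum(PATCH_COST[p] for p in patched)
    remaining = {v for v, (prod, _, _) in VDG.items() if prod not in patched}
    impact, _ = best_attack(remaining, budget)
    return loss, impact


def pareto_frontier(budget):
    """Enumerate every patch set and keep the ones no other patch set
    strictly dominates (lower-or-equal loss AND lower-or-equal impact,
    with at least one strictly lower)."""
    products = sorted(PATCH_COST)
    points = []
    for k in range(len(products) + 1):
        for combo in combinations(products, k):
            patched = frozenset(combo)
            loss, impact = evaluate_patch_set(patched, budget)
            points.append((loss, impact, patched))

    def dominated(a):
        return any(b[0] <= a[0] and b[1] <= a[1] and (b[0] < a[0] or b[1] < a[1])
                   for b in points)

    return sorted((p for p in points if not dominated(p)), key=lambda p: (p[0], p[1]))


if __name__ == "__main__":
    print("unpatched worst case:", best_attack(set(VDG), 3))
    for loss, impact, patched in pareto_frontier(3):
        print(f"loss={loss} impact={impact} patch={sorted(patched)}")
```

On this instance the unpatched worst case is the chain v1 -> v3 -> v4 with impact 14, and the frontier shows why patching by severity alone misleads: patching the highest-impact product (db) costs 5 and still leaves impact 7, whereas patching the cheaper fileserver product cuts the attacker off from v4 for cost 4 and impact 6, and patching the two entry products (web and mail) for the same cost 5 leaves nothing reachable at all. Enumeration is only viable for a handful of products; the paper's point is that the attacker's side is an ILP and the defender's side needs an algorithm that scales to VDGs with tens of thousands of edges.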
Pareto-Optimal Adversarial Defense of Enterprise Systems