Research article, Open Access

Efficient Attack Graph Analysis through Approximate Inference

Published: 31 July 2017

Abstract

Attack graphs, built from an analysis of network vulnerabilities and topology, compactly represent the attack paths an attacker can follow to compromise network resources, and they are a powerful tool for security risk assessment. Bayesian inference on attack graphs estimates the probability of compromise of each system component given the components' vulnerabilities and interconnections, and accounts for multi-step attacks spreading through the system. Static analysis considers the risk posture at rest; dynamic analysis additionally conditions on evidence of compromise, for example from Security Information and Event Management (SIEM) software or from forensic investigation. In this setting, exact Bayesian inference techniques do not scale well. In this article, we show how Loopy Belief Propagation, an approximate inference technique, can be applied to attack graphs, and that its cost scales linearly in the number of nodes for both static and dynamic analysis, making such analyses viable for larger networks. We experiment with different topologies and network clusterings on synthetic Bayesian attack graphs with thousands of nodes to show that the algorithm's accuracy is acceptable and that it converges to a stable solution. We compare sequential and parallel versions of Loopy Belief Propagation with exact inference techniques for both static and dynamic analysis, showing the advantages and gains of approximate inference when scaling to larger attack graphs.
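The abstract describes the two computations a practitioner will want to see side by side: static analysis (the marginal probability of compromise of each node with no observations) and dynamic analysis (the same marginals conditioned on evidence such as a SIEM alert), each done once exactly and once with Loopy Belief Propagation (LBP). The Python block below is an added example, not code from the paper or its authors. Its five-node attack graph, the ROOT/OR/AND node semantics, the per-edge exploit probabilities and the `db_server` alert are all constructed for illustration, and the node and function names are assumptions of this example. Exact inference enumerates the joint distribution (exponential in the node count, so fine here and hopeless on graphs with thousands of nodes); LBP runs a damped, synchronous sum-product schedule, i.e. the parallel flavour of the algorithm.

```python
"""Static and dynamic analysis of a Bayesian attack graph: exact inference by
enumeration beside Loopy Belief Propagation (synchronous sum-product).
Added example, not the paper's code; the graph, its AND/OR semantics and all
probabilities are constructed for illustration."""
import itertools
from math import prod

# Constructed attack graph; nodes are binary (1 = compromised).
#   ROOT: prior probability that the attacker gains this foothold
#   OR:   any compromised parent suffices, each edge an independent attempt
#   AND:  every parent is required and every edge must succeed
GRAPH = {
    "web_rce":        ("ROOT", {"prior": 0.6}),
    "ssh_weak_creds": ("ROOT", {"prior": 0.3}),
    "app_server":     ("OR",   {"web_rce": 0.8, "ssh_weak_creds": 0.7}),
    "db_creds":       ("OR",   {"app_server": 0.9}),
    "db_server":      ("AND",  {"app_server": 0.7, "db_creds": 0.9}),
}
VARS = list(GRAPH)

def cond_prob(kind, probs, parents, pv):
    """P(node = 1 | parent states pv) for ROOT, AND and noisy-OR nodes."""
    if kind == "ROOT":
        return probs["prior"]
    if kind == "AND":
        return prod(probs[p] for p in parents) if all(pv) else 0.0
    miss = 1.0                      # noisy-OR: every usable edge must fail
    for p, v in zip(parents, pv):
        miss *= 1.0 - probs[p] if v else 1.0
    return 1.0 - miss

def build_factors(graph, evidence=None):
    """One CPT factor per node (scope = parents + [node]) plus a hard-evidence
    factor per observed node, e.g. {"db_server": 1} after a SIEM alert."""
    factors = []
    for node, (kind, probs) in graph.items():
        parents = [p for p in probs if p != "prior"]
        table = {}
        for pv in itertools.product((0, 1), repeat=len(parents)):
            p1 = cond_prob(kind, probs, parents, pv)
            table[pv + (0,)], table[pv + (1,)] = 1.0 - p1, p1
        factors.append((parents + [node], table))
    for node, val in (evidence or {}).items():
        factors.append(([node], {(0,): float(val == 0), (1,): float(val == 1)}))
    return factors

def exact_marginals(factors, variables):
    """P(X = 1 | evidence) over all 2^n assignments: ground truth for toy graphs."""
    totals, z = dict.fromkeys(variables, 0.0), 0.0
    for assign in itertools.product((0, 1), repeat=len(variables)):
        a = dict(zip(variables, assign))
        w = prod(table[tuple(a[v] for v in scope)] for scope, table in factors)
        z += w
        for v in variables:
            totals[v] += w * a[v]
    return {v: totals[v] / z for v in variables}

def _norm(msg):
    s = sum(msg)
    return [m / s for m in msg] if s > 0 else [0.5, 0.5]

def loopy_bp(factors, variables, max_iter=500, tol=1e-9, damping=0.5):
    """Synchronous (parallel-schedule) sum-product with damped messages.
    Returns ({var: P(var = 1)}, converged); one sweep is linear in the factors."""
    nbrs = {v: [i for i, (s, _) in enumerate(factors) if v in s] for v in variables}
    v2f = {(v, i): [0.5, 0.5] for v in variables for i in nbrs[v]}
    f2v = {(i, v): [0.5, 0.5] for i, (s, _) in enumerate(factors) for v in s}
    converged = False
    for _ in range(max_iter):
        delta = 0.0
        for i, (scope, table) in enumerate(factors):      # factor -> variable
            for k, v in enumerate(scope):
                msg = [0.0, 0.0]
                for vals, w in table.items():
                    for u, x in zip(scope, vals):
                        if u != v:
                            w *= v2f[(u, i)][x]
                    msg[vals[k]] += w
                old, new = f2v[(i, v)], _norm(msg)
                f2v[(i, v)] = [damping * o + (1 - damping) * n for o, n in zip(old, new)]
                delta = max(delta, abs(f2v[(i, v)][1] - old[1]))
        for v in variables:                                 # variable -> factor
            for i in nbrs[v]:
                others = [f2v[(j, v)] for j in nbrs[v] if j != i]
                v2f[(v, i)] = _norm([prod(m[x] for m in others) for x in (0, 1)])
        if delta < tol:
            converged = True
            break
    beliefs = {v: _norm([prod(f2v[(i, v)][x] for i in nbrs[v]) for x in (0, 1)])[1]
               for v in variables}
    return beliefs, converged

def analyse(evidence=None):   # static (no evidence) or dynamic (with evidence)
    factors = build_factors(GRAPH, evidence)
    approx, converged = loopy_bp(factors, VARS)
    return exact_marginals(factors, VARS), approx, converged

if __name__ == "__main__":
    print(analyse(), analyse({"db_server": 1}), sep="\n")
```

Running it shows where LBP is exact and where it is not on this graph. Without evidence, LBP reproduces the exact marginals for the two roots, `app_server` and `db_creds`, but for `db_server` it returns about 0.20 against the exact 0.33: the AND node's two parents are almost perfectly correlated (`db_creds` is a noisy copy of `app_server`) and sit on a short loop, and sum-product treats the two incoming messages as independent, so it multiplies 0.59 by 0.53 where exact inference uses the joint P(app_server = 1, db_creds = 1) = 0.53. With the alert on `db_server`, the evidence forces both parents to 1, the loop carries no remaining uncertainty, and LBP matches exact inference on every node (the posterior that `web_rce` is compromised rises from 0.60 to about 0.86). The practical check this suggests: before trusting LBP marginals on a real attack graph, pick out AND nodes whose parents are linked through short loops and compare them with exact inference on that subgraph, which is cheap when the subgraph is small.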

Published in: ACM Transactions on Privacy and Security, Volume 20, Issue 3, August 2017, 153 pages. ISSN 2471-2566, EISSN 2471-2574, DOI 10.1145/3129335.

Copyright © 2017 Owner/Author

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History
• Received: 1 June 2016
• Revised: 1 May 2017
• Accepted: 1 May 2017
• Published: 31 July 2017


Qualifiers: research article, refereed
