Abstract
Traditionally, network administrators rely on labor-intensive processes for tracking network configurations and vulnerabilities. This requires a great deal of expertise and is error-prone because of the complexity of networks and the associated security data. The interdependencies among network vulnerabilities make traditional point-wise vulnerability analysis inadequate. We describe a Topological Vulnerability Analysis (TVA) approach that analyzes vulnerability dependencies and shows all possible attack paths into a network. From models of the network vulnerabilities and potential attacker exploits, we compute attack graphs that convey the impact of individual and combined vulnerabilities on overall security. TVA finds potential paths of vulnerability through a network, showing exactly how attackers may penetrate it. From this, we identify key vulnerabilities and provide strategies for protecting critical network assets.
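The core computation the abstract describes (model vulnerabilities and exploits, chain them into an attack graph, enumerate the paths to a critical asset, then find the smallest set of vulnerabilities whose removal cuts every path) can be shown on a toy network. The code below is an added example written for this page; it is not code from the chapter or from the authors' TVA tool. The host names, exploit names and vulnerability labels such as WEB-RCE are constructed placeholders, and the exploit model uses the common precondition/postcondition form under the monotonicity assumption (an attacker never loses a capability once gained).

```python
"""Attack-graph construction and hardening analysis on a constructed model."""
from itertools import combinations

# Constructed sample model (not from the chapter). Conditions are plain strings:
#   reach(a,b)     a can connect to b under the current firewall policy
#   vuln(h,ID)     placeholder vulnerability ID is present on host h
#   user(h)/root(h) attacker holds user- or root-level access on h
# Each exploit maps to (preconditions, postconditions).
EXPLOITS = {
    "rce_on_web":  ({"reach(internet,web)", "vuln(web,WEB-RCE)"},          {"user(web)"}),
    "lpe_on_web":  ({"user(web)", "vuln(web,WEB-LPE)"},                     {"root(web)"}),
    "rce_on_app":  ({"user(web)", "reach(web,app)", "vuln(app,APP-RCE)"},   {"root(app)"}),
    "cred_to_db":  ({"root(web)", "reach(web,db)", "vuln(db,DB-WEAKAUTH)"}, {"root(db)"}),
    "trust_to_db": ({"root(app)", "reach(app,db)", "vuln(db,DB-TRUST)"},    {"root(db)"}),
}

# Initial state: connectivity as scanned, vulnerabilities as reported by a scanner,
# attacker starting on the Internet. All values are constructed for the example.
INITIAL = {
    "reach(internet,web)", "reach(web,app)", "reach(web,db)", "reach(app,db)",
    "vuln(web,WEB-RCE)", "vuln(web,WEB-LPE)", "vuln(app,APP-RCE)",
    "vuln(db,DB-WEAKAUTH)", "vuln(db,DB-TRUST)",
}
GOAL = "root(db)"  # the critical asset we want to protect


def build_attack_graph(initial, exploits):
    """Forward-chain exploits to a fixpoint. Because conditions are never lost,
    one loop over the exploits until nothing changes reaches every attainable
    condition. Returns (reachable_conditions, edges); edges form a bipartite
    condition -> exploit -> condition graph, which is the attack graph."""
    reached = set(initial)
    fired = set()
    edges = []
    changed = True
    while changed:
        changed = False
        for name, (pre, post) in exploits.items():
            if name in fired or not pre <= reached:
                continue
            fired.add(name)
            edges += [(c, name) for c in sorted(pre)]
            edges += [(name, c) for c in sorted(post)]
            new = post - reached
            if new:
                reached |= new
                changed = True
    return reached, edges


def attack_paths(initial, exploits, goal):
    """Enumerate exploit sequences from the initial state to the goal. Depth-first
    search over states; exponential in the worst case, fine for a small model."""
    paths = []

    def dfs(state, used, path):
        if goal in state:
            paths.append(list(path))
            return
        for name, (pre, post) in exploits.items():
            # Only fire exploits that are enabled and actually gain something new.
            if name not in used and pre <= state and not post <= state:
                dfs(state | post, used | {name}, path + [name])

    dfs(frozenset(initial), frozenset(), [])
    return paths


def minimal_hardening(initial, exploits, goal, fixed=frozenset(), max_size=3):
    """Return the smallest sets of vulnerability conditions whose removal makes
    the goal unreachable: the key vulnerabilities to fix first. 'fixed' lists
    vulnerabilities that cannot be patched (e.g. a vendor appliance), so the
    search must route around them."""
    vulns = sorted(c for c in initial if c.startswith("vuln(") and c not in fixed)
    for k in range(1, max_size + 1):
        cuts = [set(combo) for combo in combinations(vulns, k)
                if goal not in build_attack_graph(initial - set(combo), exploits)[0]]
        if cuts:
            return cuts
    return []


if __name__ == "__main__":
    reached, edges = build_attack_graph(INITIAL, EXPLOITS)
    print("goal reachable:", GOAL in reached, "| graph edges:", len(edges))
    for p in attack_paths(INITIAL, EXPLOITS, GOAL):
        print("path:", " -> ".join(p))
    print("minimal cut:", minimal_hardening(INITIAL, EXPLOITS, GOAL))
    print("cut if WEB-RCE cannot be patched:",
          minimal_hardening(INITIAL, EXPLOITS, GOAL, fixed={"vuln(web,WEB-RCE)"}))
```

On this model the graph has 18 edges and six exploit sequences reach `root(db)`; the single placeholder `WEB-RCE` cuts all of them, which is the point-wise-invisible fact TVA surfaces, and if that one cannot be patched the analysis falls back to four two-vulnerability cuts. Swapping the constructed facts for scanner output and firewall rules is what turns this into the analysis the abstract describes.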
Acknowledgements
This material is based upon work supported by Homeland Security Advanced Research Projects Agency under the contract FA8750-05-C-0212 administered by the Air Force Research Laboratory/Rome; by Air Force Research Laboratory/Rome under the contract FA8750-06-C-0246; by Federal Aviation Administration under the contract DTFAWA-08-F-GMU18; by Air Force Office of Scientific Research under grant FA9550-07-1-0527 and FA9550-08-1-0157; and by the National Science Foundation under grants CT-0716567, CT-0716323, and CT-0627493. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsoring organizations.
© 2010 Springer-Verlag US
About this chapter
Cite this chapter
Jajodia, S., Noel, S. (2010). Topological Vulnerability Analysis. In: Jajodia, S., Liu, P., Swarup, V., Wang, C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-0140-8_7
DOI: https://doi.org/10.1007/978-1-4419-0140-8_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-0139-2
Online ISBN: 978-1-4419-0140-8
eBook Packages: Computer Science (R0)