New insights into approaches to evaluating intention and path for network multistep attacks. (English) Zbl 1427.68022

Summary: The attack graph (AG) is an abstraction technique that reveals the ways an attacker can use to leverage vulnerabilities in a given network to violate security policies. The analyses developed to extract security-relevant properties are referred to as AG-based security evaluations. In recent years, many evaluation approaches have been explored. However, they are generally limited to the attacker’s “monotonicity” assumption, which needs further improvements to overcome the limitation. To address this issue, the stochastic mathematical model called absorbing Markov chain (AMC) is applied over the AG to give some new insights, namely, the expected success probability of attack intention (EAIP) and the expected attack path length (EAPL). Our evaluations provide the preferred mitigating target hosts and the vulnerabilities patching prioritization of middle hosts. Tests on the public datasets DARPA2000 and Defcon’s CTF23 both verify that our evaluations are available and reliable.


68M10 Network design and communication in computer systems
60J20 Applications of Markov chains and discrete-time Markov processes on general state spaces (social mobility, learning theory, industrial processes, etc.)
68M25 Computer security


Full Text: DOI


[1] Kaynar, K., A taxonomy for attack graph generation and usage in network security, Journal of Information Security and Applications, 29, 27-56 (2016)
[2] Ammann, P.; Wijesekera, D.; Kaushik, S., Scalable, graph-based network vulnerability analysis, Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM
[3] Pendleton, M.; Garcia-Lebron, R.; Cho, J.-H.; Xu, S., A survey on systems security metrics, ACM Computing Surveys, 49, 4, article no. 62 (2016)
[4] Behi, M.; GhasemiGol, M.; Vahdat-Nejad, H., A new approach to quantify network security by ranking of security metrics and considering their relationships, International Journal of Network Security, 20, 1, 141-148 (2018)
[5] Ramos, A.; Lazar, M.; Filho, R. H., Model-based quantitative network security metrics: a survey, IEEE Communications Surveys Tutorials, 19, 4, 2704-2734 (2017)
[6] Cai, Z.; Zhang, Q.; Gan, Y., Intrusion intention recognition and response based on weighed plan knowledge graph, Computer Modeling New Technologies, 18, 12B, 151-157 (2014)
[7] Zhu, B.; Ghorbani, A. A., Alert correlation for extracting attack strategies, International Journal of Network Security, 3, 3, 244-258 (2006)
[8] Noel, S.; Harley, E.; Tam, K. H.; Limiero, M.; Share, M., Cygraph: graph-based analytics and visualization for cybersecurity, Handbook of Statistics, 35, 117-167 (2016)
[9] Ahmed, A. A., Investigation approach for network attack intention recognition, International Journal of Digital Crime and Forensics, 9, 1, 17-38 (2017)
[10] Ou, X.; Singhal, A., Security risk analysis of enterprise networks using probabilistic attack graphs, National Institute of Standards and Technology, 13-23 (2012)
[11] Poolsappasit, N.; Dewri, R.; Ray, I., Dynamic security risk management using Bayesian attack graphs, IEEE Transactions on Dependable and Secure Computing, 9, 1, 61-74 (2012)
[12] Ghasemigol, M.; Ghaemi-Bafghi, A.; Takabi, H., A comprehensive approach for network attack forecasting, Computers & Security, 58, 83-105 (2016)
[13] Ritchey, R. W.; Ammann, P., Using model checking to analyze network vulnerabilities, 2000 IEEE Symposium on Security and Privacy, 156-165 (2000)
[14] Wang, L.; Jajodia, S.; Singhal, A., Using Bayesian Networks to Fuse Intrusion Evidences And Detect Zero-Day Attack Paths. Using Bayesian Networks to Fuse Intrusion Evidences And Detect Zero-Day Attack Paths, Network Security Metrics (2017), Cham, Switzerland: Springer International Publishing, Cham, Switzerland
[15] Wang, L.; Jajodia, S.; Singhal, A., K-Zero Day Safety: Evaluating The Resilience of Networks against Unknown Attacks. K-Zero Day Safety: Evaluating The Resilience of Networks against Unknown Attacks, Network Security Metrics (2017), Cham, Switzerland: Springer International Publishing, Cham, Switzerland
[16] Sarraute, C.; Richarte, G.; Lucángeli Obes, J., An algorithm to find optimal attack paths in nondeterministic scenarios, Proceedings of the ACM workshop on security and artificial intelligence, (AISec ’11)
[17] Wang, H.; Chen, Z.; Zhao, J.; Di, X.; Liu, D., A vulnerability assessment method in industrial internet of things based on attack graph and maximum flow, IEEE Access, 6, 8599-8609 (2018)
[18] Idika, N.; Bhargava, B., Extending attack graph-based security metrics and aggregating their application, IEEE Transactions on Dependable and Secure Computing, 9, 1, 75-85 (2012)
[19] Bopche, G. S.; Mehtre, B. M., Graph similarity metrics for assessing temporal changes in attack surface of dynamic networks, Computers & Security, 64, 16-43 (2017)
[20] Lawler, G. F., Introduction to Stochastic Processes (2006), London, UK, New York, NY, USA: Chapman and Hall/CRC, Taylor and Francis Group, London, UK, New York, NY, USA · Zbl 1105.60003
[21] Ou, X.; Govindavajhala, S.; Appel, A. W., MulVAL: a logic-based network security analyzer, Proceeding of the 14th conference on USENIX Security Symposium
[22] Huang, H.; Ding, J.; Zhang, W., A differential game approach to planning in adversarial scenarios: A case study on capture-the-flag, Proceedings of the 2011 IEEE International Conference on Robotics and Automation, ICRA 2011
[23] DEFCON, Capture the flag traffic dump, http://www.defcon.org/html/links/dc-cft.html
[24] MIT Lincoln Lab, 2000 DARPA intrusion detection scenario specific datasets, http://ll.mit.edu/IST/ideval/data/2000/2000_data_index.html
[25] MIT Lincoln Lab, TCPdump file replay utility, <ext-link ext-link-type=“url” xlink:href=“http://ideval.ll.mit.edu/IST/ideval/tools/tools index.html”>http://ideval.ll.mit.edu/IST/ideval/tools/tools index.html
[26] ArcSight, ESM enterprise security manager, http://www8.hp.com/us/en/software/enterprise-software.html
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.