TY - GEN
T1 - Scalable analysis of attack scenarios
AU - Albanese, Massimiliano
AU - Jajodia, Sushil
AU - Pugliese, Andrea
AU - Subrahmanian, V. S.
N1 - Funding Information:
The work presented in this paper is supported in part by the Army Research Office MURI award number W911NF-09-1-0525.
PY - 2011
Y1 - 2011
N2 - Attack graphs have been widely used for attack modeling, alert correlation, and prediction. In order to address the limitations of current approaches - scalability and impact analysis - we propose a novel framework to analyze massive amounts of alerts in real time, and measure the impact of current and future attacks. Our contribution is threefold. First, we introduce the notion of generalized dependency graph, which captures how network components depend on each other, and how the services offered by an enterprise depend on the underlying infrastructure. Second, we extend the classical definition of attack graph with the notion of timespan distribution, which encodes probabilistic knowledge of the attacker's behavior. Finally, we introduce attack scenario graphs, which combine dependency and attack graphs, bridging the gap between known vulnerabilities and the services that could be ultimately affected by the corresponding exploits. We propose efficient algorithms for both detection and prediction, and show that they scale well for large graphs and large volumes of alerts. We show that, in practice, our approach can provide security analysts with actionable intelligence about the current cyber situation, enabling them to make more informed decisions.
KW - Attack graphs
KW - cyber situation awareness
KW - dependency graphs
KW - scalability
KW - vulnerability analysis
UR - http://www.scopus.com/inward/record.url?scp=80052981816&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=80052981816&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-23822-2_23
DO - 10.1007/978-3-642-23822-2_23
M3 - Conference contribution
AN - SCOPUS:80052981816
SN - 9783642238215
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 416
EP - 433
BT - Computer Security, ESORICS 2011 - 16th European Symposium on Research in Computer Security, Proceedings
T2 - 16th European Symposium on Research in Computer Security, ESORICS 2011
Y2 - 12 September 2011 through 14 September 2011
ER -