Title :
A Heuristic Approach to Minimum-Cost Network Hardening Using Attack Graph
Author :
Islam, Tania ; Wang, Lingyu
Author_Institution :
Concordia Inst. for Inf. Syst. Eng., Concordia Univ., Montreal, QC
Abstract :
Network hardening answers the following critical question in defending against multi-step intrusions: which vulnerabilities must be removed in order to prevent any attacker from reaching the given goal conditions? Existing approaches usually derive a logic proposition that represents the negation of the goal conditions in terms of initially satisfied conditions. In the disjunctive normal form (DNF) of that proposition, each disjunct then provides a viable network-hardening solution. However, such solutions suffer from exponential time complexity. In this work, we study heuristic methods for solving this important problem with a reasonable complexity. We evaluate our proposed solution through comprehensive experiments. The results show that our solution achieves network-hardening costs comparable to the optimal solution in much less time.
Keywords :
computer networks; graph theory; telecommunication security; logic proposition; multi-step intrusions; network hardening; Automatic control; Automatic testing; Cost function; Heuristic algorithms; Information systems; Intrusion detection; Logic; Protection; Scalability; Systems engineering and theory;
Conference_Titel :
New Technologies, Mobility and Security, 2008. NTMS '08.
Conference_Location :
Tangier
Print_ISBN :
978-1-42443547-0
DOI :
10.1109/NTMS.2008.ECP.9
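Added worked example, not from the paper: a small constructed attack graph, the DNF of the goal condition over initial conditions, the DNF of the negated goal (whose terms are the hardening options the abstract describes), the exhaustive minimum-cost choice, and a cost-ratio greedy heuristic that is my assumption for illustration, since the abstract does not specify the paper's heuristic.

```python
from itertools import product
# Constructed attack graph (not from the paper): exploits have preconditions
# and one postcondition; initial conditions carry an assumed removal cost.
INITIAL_COST = {"ftp_vuln": 3, "ssh_vuln": 5, "trust_h1_h2": 2, "user_h0": 1}
EXPLOITS = [
    # (name, preconditions, postcondition)
    ("ftp_rhosts", {"user_h0", "ftp_vuln"}, "trust_h0_h1"),
    ("rsh_login", {"trust_h0_h1"}, "user_h1"),
    ("ssh_bof", {"user_h0", "ssh_vuln"}, "user_h1"),
    ("rsh_login2", {"user_h1", "trust_h1_h2"}, "root_h2"),
]
GOAL = "root_h2"

def goal_dnf(cond, seen=frozenset()):
    """DNF of `cond` over initial conditions: a set of frozensets (AND-terms)."""
    if cond in INITIAL_COST:
        return {frozenset([cond])}
    if cond in seen:
        return set()  # cycle in the graph: yields no new attack path
    terms = set()
    for _, pre, post in EXPLOITS:
        if post != cond:
            continue
        # AND of the preconditions = cartesian product of their DNFs
        per_pre = [goal_dnf(p, seen | {cond}) for p in pre]
        for combo in product(*per_pre):
            terms.add(frozenset().union(*combo))
    return terms

def hardening_options(dnf):
    """DNF of the negated goal: each term is a set of initial conditions to remove."""
    options = set()
    for choice in product(*[sorted(t) for t in dnf]):  # one literal per negated clause
        options.add(frozenset(choice))
    # keep only minimal options (drop supersets of other options)
    return {o for o in options if not any(p < o for p in options)}

def optimal(dnf):
    """Exhaustive minimum-cost option: exponential in the number of attack paths."""
    return min(hardening_options(dnf), key=lambda o: sum(INITIAL_COST[c] for c in o))

def greedy(dnf):
    """Assumed heuristic: repeatedly remove the initial condition that breaks the
    most remaining attack terms per unit cost until no attack term survives."""
    remaining, chosen = set(dnf), set()
    while remaining:
        best = max(INITIAL_COST, key=lambda c: sum(c in t for t in remaining) / INITIAL_COST[c])
        chosen.add(best)
        remaining = {t for t in remaining if best not in t}
    return frozenset(chosen)
```

On this graph both methods select removing `user_h0`; the greedy pass scales with the number of attack terms rather than enumerating every disjunct of the negated goal.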