Title :
Efficient minimum-cost network hardening via exploit dependency graphs
Author :
Noel, Steven ; Jajodia, Sushil ; O´Berry, Brian ; Jacobs, Michael
Author_Institution :
Center for Secure Inf. Syst., George Mason Univ., Fairfax, VA, USA
Abstract :
In-depth analysis of network security vulnerability must consider attacker exploits not just in isolation, but also in combination. The general approach to this problem is to compute attack paths (combinations of exploits), from which one can decide whether a given set of network hardening measures guarantees the safety of given critical resources. We go beyond attack paths to compute actual sets of hardening measures (assignments of initial network conditions) that guarantee the safety of given critical resources. Moreover, for given costs associated with individual hardening measures, we compute assignments that minimize overall cost. By doing our minimization at the level of initial conditions rather than exploits, we resolve hardening irrelevancies and redundancies in a way that cannot be done through previously proposed exploit-level approaches. Also, we use an efficient exploit-dependency representation based on monotonic logic that has polynomial complexity, as opposed to many previous attack graph representations having exponential complexity.
Keywords :
communication complexity; computer crime; graph theory; telecommunication security; attack paths computing; exploit dependency representation graphs; exponential complexity; minimum-cost network hardening measures; monotonic logic; network security vulnerability; polynomial complexity; Computer networks; Costs; Information analysis; Information security; Information systems; Jacobian matrices; Logic; Polynomials; Safety; Scalability;
Conference_Titel :
Computer Security Applications Conference, 2003. Proceedings. 19th Annual
Print_ISBN :
0-7695-2041-3
DOI :
10.1109/CSAC.2003.1254313
