Title :
Practical Attack Graph Generation for Network Defense
Author :
Ingols, Kyle ; Lippmann, Richard ; Piwowarski, Keith
Author_Institution :
MIT Lincoln Lab., Lexington, MA
Abstract :
Attack graphs are a valuable tool to network defenders, illustrating paths an attacker can use to gain access to a targeted network. Defenders can then focus their efforts on patching the vulnerabilities and configuration errors that allow the attackers the greatest amount of access. We have created a new type of attack graph, the multiple-prerequisite graph, that scales nearly linearly as the size of a typical network increases. We have built a prototype system using this graph type. The prototype uses readily available source data to automatically compute network reachability, classify vulnerabilities, build the graph, and recommend actions to improve network security. We have tested the prototype on an operational network with over 250 hosts, where it helped to discover a previously unknown configuration error. It has processed complex simulated networks with over 50,000 hosts in under four minutes.
Keywords :
computer networks; graph theory; security of data; attack graph generation; multiple-prerequisite graph; network defense; network reachability; vulnerabilities classification; Computational modeling; Computer networks; Contracts; Data security; Laboratories; Power system modeling; Prototypes; Scalability; Telecommunication traffic; Testing;
Conference_Title :
Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual
Conference_Location :
Miami Beach, FL
Print_ISBN :
0-7695-2716-7
DOI :
10.1109/ACSAC.2006.39