A graph-based network-vulnerability analysis system
This paper presents a graph based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The analysis system requires as input a database of common attacks, broken into atomic steps, specific network configuration and topology information, and an attacker profile. The attack information is matched with the network configuration information and an attacker profile to create a superset attack graph. Nodes identify a stage of attack, for example the class of machines the attacker has accessed and the user privilege level he or she has compromised. The arcs in the attack graph represent attacks or stages of attacks. By assigning probabilities of success on the arcs or costs representing level of effort for the attacker, various graph algorithms such as shortest path algorithms can identify the attack paths with the highest probability of success.
- Research Organization:
- Sandia National Labs., Albuquerque, NM (United States)
- Sponsoring Organization:
- USDOE Office of Financial Management and Controller, Washington, DC (United States)
- DOE Contract Number:
- AC04-94AL85000
- OSTI ID:
- 645475
- Report Number(s):
- SAND--97-3010C; CONF-980534--; ON: DE98001486; BR: YN0100000
- Country of Publication:
- United States
- Language:
- English
Similar Records
A graph-based system for network-vulnerability analysis
Method and tool for network vulnerability analysis