U.S. Department of Energy
Office of Scientific and Technical Information

A graph-based system for network-vulnerability analysis

Conference · DOI: https://doi.org/10.2172/573291 · OSTI ID: 672082

This paper presents a graph-based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The graph-based tool can identify the set of attack paths that have a high probability of success (or a low effort cost) for the attacker. The system could be used to test the effectiveness of making configuration changes, implementing an intrusion detection system, etc. The analysis system requires as input a database of common attacks, broken into atomic steps, specific network configuration and topology information, and an attacker profile. The attack information is matched with the network configuration information and an attacker profile to create a superset attack graph. Nodes identify a stage of attack, for example the class of machines the attacker has accessed and the user privilege level he or she has compromised. The arcs in the attack graph represent attacks or stages of attacks. By assigning probabilities of success on the arcs or costs representing level-of-effort for the attacker, various graph algorithms such as shortest-path algorithms can identify the attack paths with the highest probability of success.
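The arc-weighting and shortest-path step the abstract describes, as an added example that is not the paper's or Sandia's code: attacker states are "machine class:privilege" nodes, arcs are atomic attack steps carrying a success probability, and Dijkstra over cost = -log(p) returns the path whose product of probabilities is highest. The states, arcs and probabilities are constructed for illustration, and removing an arc stands in for testing a configuration change.

```python
import heapq
import math
from collections import defaultdict

# Constructed attack arcs (hypothetical values, not from the paper):
# (from_state, to_state, p_success). A state names the class of machine
# the attacker has reached and the privilege level held on it.
SAMPLE_ARCS = [
    ("internet:none", "dmz-web:user", 0.7),
    ("internet:none", "dmz-mail:user", 0.3),
    ("dmz-web:user", "dmz-web:root", 0.5),
    ("dmz-mail:user", "dmz-mail:root", 0.9),
    ("dmz-web:root", "internal-db:user", 0.8),
    ("dmz-mail:root", "internal-db:user", 0.6),
    ("internal-db:user", "internal-db:root", 0.4),
    ("dmz-web:user", "internal-db:root", 0.05),
]

def most_probable_path(arcs, source, target):
    """Return (path, probability) for the highest-probability attack path,
    or (None, 0.0) if target is unreachable. Arc cost is -log(p), so the
    minimum summed cost is the maximum product of per-step probabilities."""
    graph = defaultdict(list)
    for src, dst, p in arcs:
        if not 0.0 < p <= 1.0:
            raise ValueError(f"bad probability on arc {src}->{dst}: {p}")
        graph[src].append((dst, -math.log(p)))  # cost >= 0 for p <= 1
    best, prev, heap = {source: 0.0}, {}, [(0.0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):
            continue  # stale heap entry
        if node == target:
            break  # non-negative costs: first pop of target is optimal
        for nxt, w in graph[node]:
            if cost + w < best.get(nxt, math.inf):
                best[nxt], prev[nxt] = cost + w, node
                heapq.heappush(heap, (cost + w, nxt))
    if target not in best:
        return None, 0.0
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return path[::-1], math.exp(-best[target])

def without_arc(arcs, src, dst):
    """Model a mitigation (patch, firewall rule) by dropping one attack step."""
    return [a for a in arcs if (a[0], a[1]) != (src, dst)]
```

Re-running `most_probable_path` on `without_arc(SAMPLE_ARCS, "dmz-web:user", "dmz-web:root")` shows the residual best path shifting to the mail server, which is the kind of what-if comparison the abstract has in mind for configuration changes.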

Research Organization:
Sandia National Labs., Albuquerque, NM (United States)
Sponsoring Organization:
USDOE Office of Financial Management and Controller, Washington, DC (United States)
DOE Contract Number:
AC04-94AL85000
OSTI ID:
672082
Report Number(s):
SAND--98-1127C; CONF-980914--; ON: DE98005758; BR: YN0100000
Country of Publication:
United States
Language:
English
