A graph-based network-vulnerability analysis system
This paper presents a graph based approach to network vulnerability analysis. The method is flexible, allowing analysis of attacks from both outside and inside the network. It can analyze risks to a specific network asset, or examine the universe of possible consequences following a successful attack. The analysis system requires as input a database of common attacks, broken into atomic steps, specific network configuration and topology information, and an attacker profile. The attack information is matched with the network configuration information and an attacker profile to create a superset attack graph. Nodes identify a stage of attack, for example the class of machines the attacker has accessed and the user privilege level he or she has compromised. The arcs in the attack graph represent attacks or stages of attacks. By assigning probabilities of success on the arcs or costs representing level of effort for the attacker, various graph algorithms such as shortest path algorithms can identify the attack paths with the highest probability of success.
- Research Organization:
- Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
- Sponsoring Organization:
- USDOE Office of Financial Management and Controller, Washington, DC (United States)
- DOE Contract Number:
- AC04-94AL85000
- OSTI ID:
- 645475
- Report Number(s):
- SAND-97-3010C; CONF-980534-; ON: DE98001486; BR: YN0100000; TRN: AHC2DT03%%16
- Resource Relation:
- Conference: 1998 IEEE symposium on security and privacy, Oakland, CA (United States), 3-6 May 1998; Other Information: PBD: 3 May 1998
- Country of Publication:
- United States
- Language:
- English
Similar Records
A graph-based network-vulnerability analysis system
Common Control System Vulnerability