Abstract

As computer networks continue to grow, it becomes increasingly important to automate the process of evaluating their vulnerability to attacks. Despite the best efforts of software architects and developers, network hosts inevitably contain a number of vulnerabilities. Hence, it is not feasible for a network administrator to remove all vulnerabilities present in the network hosts. Therefore, the recent focus in the security of such networks is on analyzing vulnerabilities globally, finding the exploits that are more critical, and preventing them in order to thwart an intruder. When evaluating the security of a network, it is rarely enough to consider the presence or absence of isolated vulnerabilities, because intruders often combine exploits against multiple vulnerabilities in order to reach their goals (Abadi & Jalili, 2005). For example, an intruder might exploit the vulnerability of a particular version of FTP to overwrite the .rhosts file on a victim host. In the next step, the intruder could remotely log in to the victim. In a subsequent step, the intruder could use the victim host as a base to launch another exploit on a new victim, and so on. Phillips & Swiler (1998) proposed the concept of attack graphs, where each node represents a possible attack state and each edge represents a change of state caused by a single action taken by the intruder. Sheyner et al. (2002) used a modified version of the model checker NuSMV (NuSMV, 2010) to produce attack graphs. Ammann et al. (2002) introduced a monotonicity assumption and used it to develop a polynomial algorithm to encode all of the edges in an attack graph without actually computing the graph itself. These attack graphs are essentially similar to those of Phillips & Swiler (1998), where any path in the graph from an initial node to a goal node shows a sequence of exploits that an intruder can launch to reach his goal.
Noel et al. (2005) presented a number of techniques for managing attack graph complexity through visualization. Mehta et al. (2006) presented a ranking scheme for the nodes of an attack graph. The rank of a node shows its importance based on factors such as the probability of an intruder reaching that node. Given a ranked attack graph, the system administrator can concentrate on the relevant subgraphs to decide where to start deploying security measures. Ou et al. (2006) presented logical attack graphs, which directly illustrate logical dependencies among attack goals and configuration information. Their attack graph generation tool builds upon MulVAL (Ou et al., 2005), a network security analyzer based on logic programming. The aim of minimization analysis of network attack graphs is to find a minimum critical set of exploits that completely disconnects the initial nodes from the goal nodes of the graph.
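The minimization problem stated above can be illustrated on a small constructed attack graph. The following is an added example, not code from the paper: the states, exploit labels and the exhaustive search are assumptions chosen for illustration, and the search is practical only for small graphs.

```python
from itertools import combinations

# Constructed attack graph: (from_state, to_state, exploit). All names are
# illustrative assumptions; patching an exploit removes every edge it labels.
EDGES = [
    ("start", "ftp_write_A", "ftp_rhosts"),
    ("ftp_write_A", "user_A", "remote_login"),
    ("start", "user_A", "sshd_bof"),
    ("user_A", "user_B", "remote_login"),
    ("user_A", "root_A", "local_bof"),
    ("root_A", "root_B", "trust_rsh"),
    ("user_B", "root_B", "kernel_privesc"),
]

def attack_paths(edges, initial, goal):
    """Enumerate simple initial -> goal paths as lists of exploit names."""
    adj = {}
    for src, dst, exploit in edges:
        adj.setdefault(src, []).append((dst, exploit))
    paths = []

    def walk(node, visited, used):
        if node == goal:
            paths.append(used)
            return
        for dst, exploit in adj.get(node, []):
            if dst not in visited:
                walk(dst, visited | {dst}, used + [exploit])

    walk(initial, {initial}, [])
    return paths

def minimum_critical_sets(edges, initial, goal):
    """All smallest exploit sets that intersect every attack path."""
    path_sets = [set(p) for p in attack_paths(edges, initial, goal)]
    if not path_sets:
        return [frozenset()]  # goal already unreachable
    exploits = sorted({e for _, _, e in edges})
    for k in range(1, len(exploits) + 1):
        found = [frozenset(c) for c in combinations(exploits, k)
                 if all(ps & set(c) for ps in path_sets)]
        if found:
            return found  # first non-empty size is the minimum
    return []

if __name__ == "__main__":
    for s in minimum_critical_sets(EDGES, "start", "root_B"):
        print(sorted(s))
```

In this graph no single exploit lies on all four attack paths, so every minimum critical set contains two exploits.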
