Abstract

Security management of business systems needs to assess the system's security situation using a network attack graph. It also needs to analyze the threats that exploit security vulnerabilities. Current security threat identification and analysis methods cannot handle both problems well at the same time, nor can they handle the uncertainties that arise in the process of analyzing vulnerability-exploiting threats. A security threat identification and analysis method is proposed in this paper. The network attack graph is defined via Colored Petri Net (CPN), and an algorithm named NAGG is proposed to construct the network attack graph from the simulation results. We also give an algorithm named NAGD that decomposes the network attack graph into several sub-attack-graphs, each corresponding to a specific vulnerability-exploiting threat. Each sub-attack-graph is loop-free, and its longest attack path is limited to a predefined value. In order to prioritize all security threats for disposal, a vulnerability-exploiting threat evaluation method named VETE is given, which converts a sub-attack-graph into an uncertain inference rule set. The method uses a D-S (Dempster-Shafer) evidence inference engine to calculate the threat degree of the threat corresponding to each sub-attack-graph. Finally, a typical Web application system is used as an example to validate the effectiveness of the proposed method.
