MAGD: Minimal Attack Graph Generation Dynamically in Cyber Security

Abstract

Cyber security faces challenges in detecting and mitigating complex attacks. Security solutions have employed Attack Graphs (AGs) for modeling multi-stage attacks, but traditional AGs suffer from scalability issues and may miss new vulnerabilities and attack paths. Also, traditional AGs construct the graph using information about previously known attacks. In this paper, we propose Minimal Attack Graph Generation Dynamically (MAGD), which leverages data from a deception system based on Honeypots to generate a minimal AG dynamically. In this paper, the AG has been constructed from real-time attacker’s behavior data directly. In addition, MAGD specifically focuses on modeling the attacker’s behavior at the host level, in contrast to traditional network-based AGs that encompass all possible attack paths at the network level. MAGD contains three custom algorithms to construct attacker behavior, generate a minimal AG, and continuously update the graph with new attack information. Complexity analyses demonstrate that MAGD’s generation process can accomplish within polynomial time. Our approach offers several advantages over traditional AGs, including the ability to model attackers’ real-time behavior, construct attackers’ action paths in the target host, and detect new vulnerabilities and attack paths in the victim host. Also, MAGD includes information about the effects of the actions in the target system. This information can be used for other security purposes. We demonstrate MAGD’s efficacy through a case study. MAGD provides a more effective way to detect and mitigate cyber threats by utilizing Honeypot data and proposed algorithms.